Commit b9ddcd7a authored by Matt Caswell's avatar Matt Caswell
Browse files

Add a test for CVE-2017-3737 



Test reading/writing to an SSL object after a fatal error has been
detected. This CVE only affected 1.0.2, but we should add it to other
branches for completeness.

Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
parent e502cc86

test/build.info

+6 −1
Original line number Diff line number Diff line
@@ -16,7 +16,8 @@ IF[{- !$disabled{tests} -}] 
          packettest asynctest secmemtest srptest memleaktest \

          dtlsv1listentest ct_test threadstest afalgtest d2i_test \

          ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \

          bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test

          bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \

          fatalerrtest



  SOURCE[aborttest]=aborttest.c

  INCLUDE[aborttest]=../include
@@ -146,6 +147,10 @@ IF[{- !$disabled{tests} -}] 
  INCLUDE[rsa_test]=.. ../include

  DEPEND[rsa_test]=../libcrypto



  SOURCE[fatalerrtest]=fatalerrtest.c ssltestlib.c testutil.c

  INCLUDE[fatalerrtest]=../include ..

  DEPEND[fatalerrtest]=../libcrypto ../libssl



  SOURCE[evp_test]=evp_test.c

  INCLUDE[evp_test]=../include

  DEPEND[evp_test]=../libcrypto

test/fatalerrtest.c

0 → 100644
+124 −0
Original line number Diff line number Diff line 
/*

 * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.

 *

 * Licensed under the OpenSSL license (the "License").  You may not use

 * this file except in compliance with the License.  You can obtain a copy

 * in the file LICENSE in the source distribution or at

 * https://www.openssl.org/source/license.html

 */



#include <openssl/ssl.h>

#include <openssl/err.h>

#include "ssltestlib.h"

#include "testutil.h"

#include <string.h>



static char *cert = NULL;

static char *privkey = NULL;



static int test_fatalerr(void)

{

    SSL_CTX *sctx = NULL, *cctx = NULL;

    SSL *sssl = NULL, *cssl = NULL;

    const char *msg = "Dummy";

    BIO *wbio = NULL;

    int ret = 0, len;

    char buf[80];

    unsigned char dummyrec[] = {

        0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'

    };



    if (!create_ssl_ctx_pair(SSLv23_method(), SSLv23_method(), &sctx, &cctx,

                             cert, privkey)) {

        printf("Failed to create SSL_CTX pair\n");

        goto err;

    }



    /*

     * Deliberately set the cipher lists for client and server to be different

     * to force a handshake failure.

     */

    if (!SSL_CTX_set_cipher_list(sctx, "AES128-SHA")

            || !SSL_CTX_set_cipher_list(cctx, "AES256-SHA")) {

        printf("Failed to set cipher lists\n");

        goto err;

    }



    if (!create_ssl_objects(sctx, cctx, &sssl, &cssl, NULL, NULL)) {

        printf("Failed to create SSL objectx\n");

        goto err;

    }



    wbio = SSL_get_wbio(cssl);

    if (wbio == NULL) {

        printf("Unexpected NULL bio received\n");

        goto err;

    }



    if (create_ssl_connection(sssl, cssl)) {

        printf("Unexpected success creating a connection\n");

        goto err;

    }



    ERR_clear_error();



    /* Inject a plaintext record from client to server */

    if (BIO_write(wbio, dummyrec, sizeof(dummyrec)) <= 0) {

        printf("Unexpected failure injecting dummy record\n");

        goto err;

    }



    /* SSL_read()/SSL_write should fail because of a previous fatal error */

    if ((len = SSL_read(sssl, buf, sizeof(buf - 1))) > 0) {

        buf[len] = '\0';

        printf("Unexpected success reading data: %s\n", buf);

        goto err;

    }

    if (SSL_write(sssl, msg, strlen(msg)) > 0) {

        printf("Unexpected success writing data\n");

        goto err;

    }



    ret = 1;

 err:

    SSL_free(sssl);

    SSL_free(cssl);

    SSL_CTX_free(sctx);

    SSL_CTX_free(cctx);



    return ret;

}



int main(int argc, char *argv[])

{

    BIO *err = NULL;

    int testresult = 1;



    if (argc != 3) {

        printf("Invalid argument count\n");

        return 1;

    }



    cert = argv[1];

    privkey = argv[2];



    err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);



    CRYPTO_set_mem_debug(1);

    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);



    ADD_TEST(test_fatalerr);



    testresult = run_tests(argv[0]);



#ifndef OPENSSL_NO_CRYPTO_MDEBUG

    if (CRYPTO_mem_leaks(err) <= 0)

        testresult = 1;

#endif

    BIO_free(err);



    if (!testresult)

        printf("PASS\n");



    return testresult;

}

test/recipes/90-test_fatalerr.t

0 → 100644
+21 −0
Original line number Diff line number Diff line 
#! /usr/bin/env perl

# Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.

#

# Licensed under the OpenSSL license (the "License").  You may not use

# this file except in compliance with the License.  You can obtain a copy

# in the file LICENSE in the source distribution or at

# https://www.openssl.org/source/license.html





use OpenSSL::Test::Utils;

use OpenSSL::Test qw/:DEFAULT srctop_file/;



setup("test_fatalerr");



plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"

    if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));



plan tests => 1;



ok(run(test(["fatalerrtest", srctop_file("apps", "server.pem"),

             srctop_file("apps", "server.pem")])), "running fatalerrtest");