blob: 0a96028f6dac144891cdfcc0476c82b62e8093c6 [file] [log] [blame]
Philippe Antoine72333522018-05-03 16:40:24 +02001#include "mbedtls/ssl.h"
2#include "mbedtls/entropy.h"
3#include "mbedtls/ctr_drbg.h"
4#include "mbedtls/certs.h"
5#include "mbedtls/ssl_ticket.h"
Philippe Antoine08633822019-06-04 14:03:06 +02006#include "common.h"
Philippe Antoine72333522018-05-03 16:40:24 +02007#include <string.h>
8#include <stdlib.h>
9#include <stdbool.h>
10#include <stdint.h>
11
12
13const char *pers = "fuzz_server";
14static bool initialized = 0;
15#if defined(MBEDTLS_X509_CRT_PARSE_C)
16static mbedtls_x509_crt srvcert;
17static mbedtls_pk_context pkey;
18#endif
19const char *alpn_list[3];
20
21#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
22const unsigned char psk[] = {
23 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
24 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
25};
26const char psk_id[] = "Client_identity";
27#endif
28
29
30typedef struct fuzzBufferOffset
31{
32 const uint8_t *Data;
33 size_t Size;
34 size_t Offset;
35} fuzzBufferOffset_t;
36
37
38static int dummy_send( void *ctx, const unsigned char *buf, size_t len )
39{
40 //silence warning about unused parameter
41 (void) ctx;
42 (void) buf;
43
44 //pretends we wrote everything ok
45 return( len );
46}
47
48static int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
49{
50 //reads from the buffer from fuzzer
51 fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
52
53 if (biomemfuzz->Offset == biomemfuzz->Size) {
54 //EOF
55 return (0);
56 }
57 if (len + biomemfuzz->Offset > biomemfuzz->Size) {
58 //do not overflow
59 len = biomemfuzz->Size - biomemfuzz->Offset;
60 }
61 memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
62 biomemfuzz->Offset += len;
63 return( len );
64}
65
66static int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
67{
68 int ret;
69 size_t i;
70
71 //use mbedtls_ctr_drbg_random to find bugs in it
72 ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
73 for (i=0; i<output_len; i++) {
74 //replace result with pseudo random
Philippe Antoine2b7c9a22019-06-04 12:05:36 +020075 output[i] = (unsigned char) rand();
Philippe Antoine72333522018-05-03 16:40:24 +020076 }
77 return( ret );
78}
79
80static int dummy_entropy( void *data, unsigned char *output, size_t len )
81{
Philippe Antoine72333522018-05-03 16:40:24 +020082 size_t i;
Philippe Antoinef0493042019-06-04 12:01:51 +020083 (void) data;
Philippe Antoine72333522018-05-03 16:40:24 +020084
85 //use mbedtls_entropy_func to find bugs in it
Philippe Antoine9c7b6982018-05-29 17:00:39 +020086 //test performance impact of entropy
87 //ret = mbedtls_entropy_func(data, output, len);
Philippe Antoine72333522018-05-03 16:40:24 +020088 for (i=0; i<len; i++) {
89 //replace result with pseudo random
Philippe Antoine2b7c9a22019-06-04 12:05:36 +020090 output[i] = (unsigned char) rand();
Philippe Antoine72333522018-05-03 16:40:24 +020091 }
Philippe Antoine9c7b6982018-05-29 17:00:39 +020092 return( 0 );
Philippe Antoine72333522018-05-03 16:40:24 +020093}
94
95
96int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
97 int ret;
98 size_t len;
99 mbedtls_ssl_context ssl;
100 mbedtls_ssl_config conf;
101 mbedtls_ctr_drbg_context ctr_drbg;
102 mbedtls_entropy_context entropy;
103#if defined(MBEDTLS_SSL_SESSION_TICKETS)
104 mbedtls_ssl_ticket_context ticket_ctx;
105#endif
106 unsigned char buf[4096];
107 fuzzBufferOffset_t biomemfuzz;
108 uint8_t options;
109
110 //we take 1 byte as options input
111 if (Size < 1) {
112 return 0;
113 }
114 options = Data[Size - 1];
115
116 if (initialized == 0) {
117#if defined(MBEDTLS_X509_CRT_PARSE_C)
118 mbedtls_x509_crt_init( &srvcert );
119 mbedtls_pk_init( &pkey );
120 if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
121 mbedtls_test_srv_crt_len ) != 0)
122 return 1;
123 if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
124 mbedtls_test_cas_pem_len ) != 0)
125 return 1;
126 if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
127 mbedtls_test_srv_key_len, NULL, 0 ) != 0)
128 return 1;
129#endif
130
131 alpn_list[0] = "HTTP";
132 alpn_list[1] = "fuzzalpn";
133 alpn_list[2] = NULL;
134
Philippe Antoine08633822019-06-04 14:03:06 +0200135 dummy_init();
136
Philippe Antoine72333522018-05-03 16:40:24 +0200137 initialized = 1;
138 }
139 mbedtls_ssl_init( &ssl );
140 mbedtls_ssl_config_init( &conf );
141 mbedtls_ctr_drbg_init( &ctr_drbg );
142 mbedtls_entropy_init( &entropy );
143#if defined(MBEDTLS_SSL_SESSION_TICKETS)
144 mbedtls_ssl_ticket_init( &ticket_ctx );
145#endif
146
147 if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
148 (const unsigned char *) pers, strlen( pers ) ) != 0 )
149 goto exit;
150
151
152 if( mbedtls_ssl_config_defaults( &conf,
153 MBEDTLS_SSL_IS_SERVER,
154 MBEDTLS_SSL_TRANSPORT_STREAM,
155 MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
156 goto exit;
157
Philippe Antoine2b7c9a22019-06-04 12:05:36 +0200158 srand(1);
Philippe Antoine72333522018-05-03 16:40:24 +0200159 mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
160
161#if defined(MBEDTLS_X509_CRT_PARSE_C)
162 mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
163 if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
164 goto exit;
165#endif
166
167 mbedtls_ssl_conf_cert_req_ca_list( &conf, (options & 0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED );
168#if defined(MBEDTLS_SSL_ALPN)
169 if (options & 0x2) {
170 mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
171 }
172#endif
173#if defined(MBEDTLS_SSL_SESSION_TICKETS)
174 if( options & 0x4 )
175 {
176 if( mbedtls_ssl_ticket_setup( &ticket_ctx,
177 dummy_random, &ctr_drbg,
178 MBEDTLS_CIPHER_AES_256_GCM,
179 86400 ) != 0 )
180 goto exit;
181
182 mbedtls_ssl_conf_session_tickets_cb( &conf,
183 mbedtls_ssl_ticket_write,
184 mbedtls_ssl_ticket_parse,
185 &ticket_ctx );
186 }
187#endif
188#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
189 mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
190#endif
191#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
192 mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
193#endif
194#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
195 mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
196#endif
197#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
198 if (options & 0x40) {
199 mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
200 (const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
201 }
202#endif
203#if defined(MBEDTLS_SSL_RENEGOTIATION)
204 mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
205#endif
206
207 if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
208 goto exit;
209
210 biomemfuzz.Data = Data;
211 biomemfuzz.Size = Size-1;
212 biomemfuzz.Offset = 0;
213 mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
214
215 mbedtls_ssl_session_reset( &ssl );
216 ret = mbedtls_ssl_handshake( &ssl );
217 if( ret == 0 )
218 {
219 //keep reading data from server until the end
220 do
221 {
222 len = sizeof( buf ) - 1;
223 ret = mbedtls_ssl_read( &ssl, buf, len );
224
225 if( ret == MBEDTLS_ERR_SSL_WANT_READ )
226 continue;
227 else if( ret <= 0 )
228 //EOF or error
229 break;
230 }
231 while( 1 );
232 }
233
234exit:
235#if defined(MBEDTLS_SSL_SESSION_TICKETS)
236 mbedtls_ssl_ticket_free( &ticket_ctx );
237#endif
238 mbedtls_entropy_free( &entropy );
239 mbedtls_ctr_drbg_free( &ctr_drbg );
240 mbedtls_ssl_config_free( &conf );
241 mbedtls_ssl_free( &ssl );
242
243 return 0;
244}