Move fuzz directory to programs
diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt
index 4cdae78..2350a2e 100644
--- a/programs/CMakeLists.txt
+++ b/programs/CMakeLists.txt
@@ -6,3 +6,4 @@
add_subdirectory(test)
add_subdirectory(x509)
add_subdirectory(util)
+add_subdirectory(fuzz)
diff --git a/programs/Makefile b/programs/Makefile
index 2cb7366..228a60e 100644
--- a/programs/Makefile
+++ b/programs/Makefile
@@ -90,9 +90,12 @@
.SILENT:
-.PHONY: all clean list
+.PHONY: all clean list fuzz
-all: $(APPS)
+all: $(APPS) fuzz
+
+fuzz:
+ $(MAKE) -C fuzz
$(DEP):
$(MAKE) -C ../library
@@ -305,6 +308,7 @@
else
del /S /Q /F *.o *.exe
endif
+ $(MAKE) -C fuzz clean
list:
echo $(APPS)
diff --git a/programs/fuzz/.gitignore b/programs/fuzz/.gitignore
new file mode 100644
index 0000000..6fcc004
--- /dev/null
+++ b/programs/fuzz/.gitignore
@@ -0,0 +1,10 @@
+*.o
+fuzz_client
+fuzz_dtlsclient
+fuzz_dtlsserver
+fuzz_privkey
+fuzz_pubkey
+fuzz_server
+fuzz_x509crl
+fuzz_x509crt
+fuzz_x509csr
diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt
new file mode 100644
index 0000000..17ec3f6
--- /dev/null
+++ b/programs/fuzz/CMakeLists.txt
@@ -0,0 +1,80 @@
+set(libs
+ mbedtls
+)
+
+if(USE_PKCS11_HELPER_LIBRARY)
+ set(libs ${libs} pkcs11-helper)
+endif(USE_PKCS11_HELPER_LIBRARY)
+
+if(ENABLE_ZLIB_SUPPORT)
+ set(libs ${libs} ${ZLIB_LIBRARIES})
+endif(ENABLE_ZLIB_SUPPORT)
+
+find_library(FUZZINGENGINE_LIB FuzzingEngine)
+
+if(NOT FUZZINGENGINE_LIB)
+ add_executable(fuzz_x509csr fuzz_x509csr.c onefile.c)
+ target_link_libraries(fuzz_x509csr ${libs})
+
+ add_executable(fuzz_x509crl fuzz_x509crl.c onefile.c)
+ target_link_libraries(fuzz_x509crl ${libs})
+
+ add_executable(fuzz_x509crt fuzz_x509crt.c onefile.c)
+ target_link_libraries(fuzz_x509crt ${libs})
+
+ add_executable(fuzz_privkey fuzz_privkey.c onefile.c)
+ target_link_libraries(fuzz_privkey ${libs})
+
+ add_executable(fuzz_pubkey fuzz_pubkey.c onefile.c)
+ target_link_libraries(fuzz_pubkey ${libs})
+
+ add_executable(fuzz_client fuzz_client.c common.c onefile.c)
+ target_link_libraries(fuzz_client ${libs})
+
+ add_executable(fuzz_server fuzz_server.c common.c onefile.c)
+ target_link_libraries(fuzz_server ${libs})
+
+ add_executable(fuzz_dtlsclient fuzz_dtlsclient.c common.c onefile.c)
+ target_link_libraries(fuzz_dtlsclient ${libs})
+
+ add_executable(fuzz_dtlsserver fuzz_dtlsserver.c common.c onefile.c)
+ target_link_libraries(fuzz_dtlsserver ${libs})
+else()
+ project(fuzz CXX)
+
+ add_executable(fuzz_x509csr fuzz_x509csr.c)
+ target_link_libraries(fuzz_x509csr ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_x509csr PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_x509crl fuzz_x509crl.c)
+ target_link_libraries(fuzz_x509crl ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_x509crl PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_x509crt fuzz_x509crt.c)
+ target_link_libraries(fuzz_x509crt ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_x509crt PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_privkey fuzz_privkey.c)
+ target_link_libraries(fuzz_privkey ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_privkey PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_pubkey fuzz_pubkey.c)
+ target_link_libraries(fuzz_pubkey ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_pubkey PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_client fuzz_client.c common.c)
+ target_link_libraries(fuzz_client ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_client PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_server fuzz_server.c common.c)
+ target_link_libraries(fuzz_server ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_server PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_dtlsclient fuzz_dtlsclient.c common.c)
+ target_link_libraries(fuzz_dtlsclient ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_dtlsclient PROPERTIES LINKER_LANGUAGE CXX)
+
+ add_executable(fuzz_dtlsserver fuzz_dtlsserver.c common.c)
+ target_link_libraries(fuzz_dtlsserver ${libs} FuzzingEngine)
+ SET_TARGET_PROPERTIES(fuzz_dtlsserver PROPERTIES LINKER_LANGUAGE CXX)
+endif()
diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile
new file mode 100644
index 0000000..f2195d1
--- /dev/null
+++ b/programs/fuzz/Makefile
@@ -0,0 +1,72 @@
+
+LOCAL_CFLAGS = -I../../include -D_FILE_OFFSET_BITS=64
+LOCAL_LDFLAGS = -L../../library \
+ -lmbedtls$(SHARED_SUFFIX) \
+ -lmbedx509$(SHARED_SUFFIX) \
+ -lmbedcrypto$(SHARED_SUFFIX)
+
+LOCAL_LDFLAGS += -L../../crypto/library
+LOCAL_CFLAGS += -I../../crypto/include
+CRYPTO := ../../crypto/library/
+
+ifndef SHARED
+DEP=$(CRYPTO)libmbedcrypto.a ../../library/libmbedx509.a ../../library/libmbedtls.a
+else
+DEP=$(CRYPTO)libmbedcrypto.$(DLEXT) ../../library/libmbedx509.$(DLEXT) ../../library/libmbedtls.$(DLEXT)
+endif
+
+
+DLEXT ?= so
+EXEXT=
+SHARED_SUFFIX=
+# python2 for POSIX since FreeBSD has only python2 as default.
+PYTHON ?= python2
+
+# Zlib shared library extensions:
+ifdef ZLIB
+LOCAL_LDFLAGS += -lz
+endif
+
+ifdef FUZZINGENGINE
+LOCAL_LDFLAGS += -lFuzzingEngine
+endif
+
+# A test application is built for each suites/test_suite_*.data file.
+# Application name is same as .data file's base name and can be
+# constructed by stripping path 'suites/' and extension .data.
+APPS = $(basename $(wildcard fuzz_*.c))
+
+# Construct executable name by adding OS specific suffix $(EXEXT).
+BINARIES := $(addsuffix $(EXEXT),$(APPS))
+
+.SILENT:
+
+.PHONY: all check test clean
+
+all: $(BINARIES)
+
+$(DEP):
+ $(MAKE) -C ../../library
+
+C_FILES := $(addsuffix .c,$(APPS))
+
+%.o: %.c
+ $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c $< -o $@
+
+
+ifdef FUZZINGENGINE
+$(BINARIES): %$(EXEXT): %.o common.o $(DEP)
+ echo " $(CC) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
+ $(CXX) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+else
+$(BINARIES): %$(EXEXT): %.o common.o onefile.o $(DEP)
+ echo " $(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
+ $(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
+endif
+
+clean:
+ifndef WINDOWS
+ rm -rf $(BINARIES) *.o
+else
+ del /Q /F *.o *.exe
+endif
diff --git a/programs/fuzz/README.md b/programs/fuzz/README.md
new file mode 100644
index 0000000..8b24908
--- /dev/null
+++ b/programs/fuzz/README.md
@@ -0,0 +1,68 @@
+What is it?
+------
+
+This directory contains fuzz targets.
+Fuzz targets are simple codes using the library.
+They are used with a so-called fuzz driver, which will generate inputs, try to process them with the fuzz target, and alert in case of an unwanted behavior (such as a buffer overflow for instance).
+
+These targets were meant to be used with oss-fuzz but can be used in other contexts.
+
+This code was contributed by Philippe Antoine ( Catena cyber ).
+
+How to run?
+------
+
+To run the fuzz targets like oss-fuzz:
+```
+git clone https://github.com/google/oss-fuzz
+cd oss-fuzz
+python infra/helper.py build_image mbedtls
+python infra/helper.py build_fuzzers --sanitizer address mbedtls
+python infra/helper.py run_fuzzer mbedtls fuzz_client
+```
+You can use `undefined` sanitizer as well as `address` sanitizer.
+And you can run any of the fuzz targets like `fuzz_client`.
+
+To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance).
+Then you need to compile the code with the compiler flags of the wished sanitizer.
+```
+perl scripts/config.pl set MBEDTLS_PLATFORM_TIME_ALT
+mkdir build
+cd build
+cmake ..
+make
+```
+Finally, you can run the targets like `./test/fuzz/fuzz_client`.
+
+
+Corpus generation for network trafic targets
+------
+
+These targets use network trafic as inputs :
+* client : simulates a client against (fuzzed) server traffic
+* server : simulates a server against (fuzzed) client traffic
+* dtls_client
+* dtls_server
+
+They also use the last bytes as configuration options.
+
+To generate corpus for these targets, you can do the following, not fully automated steps :
+* Build mbedtls programs ssl_server2 and ssl_client2
+* Run them one against the other with `reproducible` option turned on while capturing trafic into test.pcap
+* Extract tcp payloads, for instance with tshark : `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt`
+* Run a dummy python script to output either client or server corpus file like `python dummy.py test.txt > test.cor`
+* Finally, you can add the options by appending the last bytes to the file test.cor
+
+Here is an example of dummy.py for extracting payload from client to server (if we used `tcp.dstport` in tshark command)
+```
+import sys
+import binascii
+
+f = open(sys.argv[1])
+for l in f.readlines():
+ portAndPl=l.split()
+ if len(portAndPl) == 2:
+ # determine client or server based on port
+ if portAndPl[0] == "4433":
+ print(binascii.unhexlify(portAndPl[1].replace(":","")))
+```
diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c
new file mode 100644
index 0000000..a9d3d3b
--- /dev/null
+++ b/programs/fuzz/common.c
@@ -0,0 +1,85 @@
+#include "common.h"
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include "mbedtls/ctr_drbg.h"
+
+mbedtls_time_t dummy_constant_time( mbedtls_time_t* time )
+{
+ (void) time;
+ return 0x5af2a056;
+}
+
+void dummy_init()
+{
+#if defined(MBEDTLS_PLATFORM_TIME_ALT)
+ mbedtls_platform_set_time( dummy_constant_time );
+#else
+ fprintf(stderr, "Warning: fuzzing without constant time\n");
+#endif
+}
+
+int dummy_send( void *ctx, const unsigned char *buf, size_t len )
+{
+ //silence warning about unused parameter
+ (void) ctx;
+ (void) buf;
+
+ //pretends we wrote everything ok
+ return( len );
+}
+
+int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
+{
+ //reads from the buffer from fuzzer
+ fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
+
+ if (biomemfuzz->Offset == biomemfuzz->Size) {
+ //EOF
+ return (0);
+ }
+ if (len + biomemfuzz->Offset > biomemfuzz->Size) {
+ //do not overflow
+ len = biomemfuzz->Size - biomemfuzz->Offset;
+ }
+ memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
+ biomemfuzz->Offset += len;
+ return( len );
+}
+
+int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
+{
+ int ret;
+ size_t i;
+
+ //use mbedtls_ctr_drbg_random to find bugs in it
+ ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
+ for (i=0; i<output_len; i++) {
+ //replace result with pseudo random
+ output[i] = (unsigned char) rand();
+ }
+ return( ret );
+}
+
+int dummy_entropy( void *data, unsigned char *output, size_t len )
+{
+ size_t i;
+ (void) data;
+
+ //use mbedtls_entropy_func to find bugs in it
+ //test performance impact of entropy
+ //ret = mbedtls_entropy_func(data, output, len);
+ for (i=0; i<len; i++) {
+ //replace result with pseudo random
+ output[i] = (unsigned char) rand();
+ }
+ return( 0 );
+}
+
+int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+ uint32_t timeout )
+{
+ (void) timeout;
+
+ return fuzz_recv(ctx, buf, len);
+}
diff --git a/programs/fuzz/common.h b/programs/fuzz/common.h
new file mode 100644
index 0000000..5586c06
--- /dev/null
+++ b/programs/fuzz/common.h
@@ -0,0 +1,19 @@
+#include "mbedtls/platform_time.h"
+#include <stdint.h>
+
+typedef struct fuzzBufferOffset
+{
+ const uint8_t *Data;
+ size_t Size;
+ size_t Offset;
+} fuzzBufferOffset_t;
+
+mbedtls_time_t dummy_constant_time( mbedtls_time_t* time );
+void dummy_init();
+
+int dummy_send( void *ctx, const unsigned char *buf, size_t len );
+int fuzz_recv( void *ctx, unsigned char *buf, size_t len );
+int dummy_random( void *p_rng, unsigned char *output, size_t output_len );
+int dummy_entropy( void *data, unsigned char *output, size_t len );
+int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len,
+ uint32_t timeout );
diff --git a/programs/fuzz/corpuses/client b/programs/fuzz/corpuses/client
new file mode 100644
index 0000000..48d0a67
--- /dev/null
+++ b/programs/fuzz/corpuses/client
Binary files differ
diff --git a/programs/fuzz/corpuses/dtlsclient b/programs/fuzz/corpuses/dtlsclient
new file mode 100644
index 0000000..87c3ca3
--- /dev/null
+++ b/programs/fuzz/corpuses/dtlsclient
Binary files differ
diff --git a/programs/fuzz/corpuses/dtlsserver b/programs/fuzz/corpuses/dtlsserver
new file mode 100644
index 0000000..7a7a117
--- /dev/null
+++ b/programs/fuzz/corpuses/dtlsserver
Binary files differ
diff --git a/programs/fuzz/corpuses/server b/programs/fuzz/corpuses/server
new file mode 100644
index 0000000..fbeb019
--- /dev/null
+++ b/programs/fuzz/corpuses/server
Binary files differ
diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c
new file mode 100644
index 0000000..38ad2fd
--- /dev/null
+++ b/programs/fuzz/fuzz_client.c
@@ -0,0 +1,174 @@
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "common.h"
+#include <string.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <stdint.h>
+
+
+#ifdef MBEDTLS_SSL_CLI_C
+static bool initialized = 0;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static mbedtls_x509_crt cacert;
+#endif
+const char *alpn_list[3];
+
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+const unsigned char psk[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+};
+const char psk_id[] = "Client_identity";
+#endif
+
+const char *pers = "fuzz_client";
+#endif //MBEDTLS_SSL_CLI_C
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_SSL_CLI_C
+ int ret;
+ size_t len;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_entropy_context entropy;
+ unsigned char buf[4096];
+ fuzzBufferOffset_t biomemfuzz;
+ uint16_t options;
+
+ if (initialized == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_x509_crt_init( &cacert );
+ if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
+ mbedtls_test_cas_pem_len ) != 0)
+ return 1;
+#endif
+
+ alpn_list[0] = "HTTP";
+ alpn_list[1] = "fuzzalpn";
+ alpn_list[2] = NULL;
+
+ dummy_init();
+
+ initialized = 1;
+ }
+
+ //we take 1 byte as options input
+ if (Size < 2) {
+ return 0;
+ }
+ options = (Data[Size - 2] << 8) | Data[Size - 1];
+ //Avoid warnings if compile options imply no options
+ (void) options;
+
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ mbedtls_ctr_drbg_init( &ctr_drbg );
+ mbedtls_entropy_init( &entropy );
+
+ if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
+ (const unsigned char *) pers, strlen( pers ) ) != 0 )
+ goto exit;
+
+ if( mbedtls_ssl_config_defaults( &conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
+ goto exit;
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+ if (options & 2) {
+ mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
+ (const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
+ }
+#endif
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if (options & 4) {
+ mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
+ mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
+ } else
+#endif
+ {
+ mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
+ }
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+ mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
+#endif
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
+#endif
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
+#endif
+#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
+ mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
+#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED );
+#endif
+#if defined(MBEDTLS_SSL_ALPN)
+ if (options & 0x200) {
+ mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
+ }
+#endif
+ //There may be other options to add :
+ // mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
+
+ srand(1);
+ mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
+
+ if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
+ goto exit;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if ((options & 1) == 0) {
+ if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
+ goto exit;
+ }
+#endif
+
+ biomemfuzz.Data = Data;
+ biomemfuzz.Size = Size-2;
+ biomemfuzz.Offset = 0;
+ mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
+
+ ret = mbedtls_ssl_handshake( &ssl );
+ if( ret == 0 )
+ {
+ //keep reading data from server until the end
+ do
+ {
+ len = sizeof( buf ) - 1;
+ ret = mbedtls_ssl_read( &ssl, buf, len );
+
+ if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+ continue;
+ else if( ret <= 0 )
+ //EOF or error
+ break;
+ }
+ while( 1 );
+ }
+
+exit:
+ mbedtls_entropy_free( &entropy );
+ mbedtls_ctr_drbg_free( &ctr_drbg );
+ mbedtls_ssl_config_free( &conf );
+ mbedtls_ssl_free( &ssl );
+
+#else
+ (void) Data;
+ (void) Size;
+#endif //MBEDTLS_SSL_CLI_C
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_client.options b/programs/fuzz/fuzz_client.options
new file mode 100644
index 0000000..4d7340f
--- /dev/null
+++ b/programs/fuzz/fuzz_client.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 1048575
diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c
new file mode 100644
index 0000000..fb872ef
--- /dev/null
+++ b/programs/fuzz/fuzz_dtlsclient.c
@@ -0,0 +1,117 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include "common.h"
+#include "mbedtls/ssl.h"
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/timing.h"
+
+
+#ifdef MBEDTLS_SSL_CLI_C
+static bool initialized = 0;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static mbedtls_x509_crt cacert;
+#endif
+
+const char *pers = "fuzz_dtlsclient";
+#endif // MBEDTLS_SSL_CLI_C
+#endif // MBEDTLS_SSL_PROTO_DTLS
+
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_CLI_C)
+ int ret;
+ size_t len;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_entropy_context entropy;
+ mbedtls_timing_delay_context timer;
+ unsigned char buf[4096];
+ fuzzBufferOffset_t biomemfuzz;
+
+ if (initialized == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_x509_crt_init( &cacert );
+ if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
+ mbedtls_test_cas_pem_len ) != 0)
+ return 1;
+#endif
+ dummy_init();
+
+ initialized = 1;
+ }
+
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ mbedtls_ctr_drbg_init( &ctr_drbg );
+ mbedtls_entropy_init( &entropy );
+
+ srand(1);
+ if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
+ (const unsigned char *) pers, strlen( pers ) ) != 0 )
+ goto exit;
+
+ if( mbedtls_ssl_config_defaults( &conf,
+ MBEDTLS_SSL_IS_CLIENT,
+ MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
+ goto exit;
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
+#endif
+ mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
+ mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
+
+ if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
+ goto exit;
+
+ mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
+ mbedtls_timing_get_delay );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
+ goto exit;
+#endif
+
+ biomemfuzz.Data = Data;
+ biomemfuzz.Size = Size;
+ biomemfuzz.Offset = 0;
+ mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
+
+ ret = mbedtls_ssl_handshake( &ssl );
+ if( ret == 0 )
+ {
+ //keep reading data from server until the end
+ do
+ {
+ len = sizeof( buf ) - 1;
+ ret = mbedtls_ssl_read( &ssl, buf, len );
+
+ if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+ continue;
+ else if( ret <= 0 )
+ //EOF or error
+ break;
+ }
+ while( 1 );
+ }
+
+exit:
+ mbedtls_entropy_free( &entropy );
+ mbedtls_ctr_drbg_free( &ctr_drbg );
+ mbedtls_ssl_config_free( &conf );
+ mbedtls_ssl_free( &ssl );
+
+#else
+ (void) Data;
+ (void) Size;
+#endif
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_dtlsclient.options b/programs/fuzz/fuzz_dtlsclient.options
new file mode 100644
index 0000000..4d7340f
--- /dev/null
+++ b/programs/fuzz/fuzz_dtlsclient.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 1048575
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
new file mode 100644
index 0000000..ff9a60b
--- /dev/null
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -0,0 +1,142 @@
+#include <string.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <stdint.h>
+#include "common.h"
+#include "mbedtls/ssl.h"
+#if defined(MBEDTLS_SSL_PROTO_DTLS)
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/timing.h"
+#include "mbedtls/ssl_cookie.h"
+
+
+#ifdef MBEDTLS_SSL_SRV_C
+const char *pers = "fuzz_dtlsserver";
+const unsigned char client_ip[4] = {0x7F, 0, 0, 1};
+static bool initialized = 0;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static mbedtls_x509_crt srvcert;
+static mbedtls_pk_context pkey;
+#endif
+#endif // MBEDTLS_SSL_SRV_C
+#endif // MBEDTLS_SSL_PROTO_DTLS
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C)
+ int ret;
+ size_t len;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_entropy_context entropy;
+ mbedtls_timing_delay_context timer;
+ mbedtls_ssl_cookie_ctx cookie_ctx;
+ unsigned char buf[4096];
+ fuzzBufferOffset_t biomemfuzz;
+
+ if (initialized == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_x509_crt_init( &srvcert );
+ mbedtls_pk_init( &pkey );
+ if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
+ mbedtls_test_srv_crt_len ) != 0)
+ return 1;
+ if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
+ mbedtls_test_cas_pem_len ) != 0)
+ return 1;
+ if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
+ mbedtls_test_srv_key_len, NULL, 0 ) != 0)
+ return 1;
+#endif
+ dummy_init();
+
+ initialized = 1;
+ }
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ mbedtls_ctr_drbg_init( &ctr_drbg );
+ mbedtls_entropy_init( &entropy );
+ mbedtls_ssl_cookie_init( &cookie_ctx );
+
+ if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
+ (const unsigned char *) pers, strlen( pers ) ) != 0 )
+ goto exit;
+
+
+ if( mbedtls_ssl_config_defaults( &conf,
+ MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_DATAGRAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
+ goto exit;
+
+
+ srand(1);
+ mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
+ if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
+ goto exit;
+#endif
+
+ if( mbedtls_ssl_cookie_setup( &cookie_ctx, dummy_random, &ctr_drbg ) != 0 )
+ goto exit;
+
+ mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx );
+
+ if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
+ goto exit;
+
+ mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
+ mbedtls_timing_get_delay );
+
+ biomemfuzz.Data = Data;
+ biomemfuzz.Size = Size;
+ biomemfuzz.Offset = 0;
+ mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
+ if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 )
+ goto exit;
+
+ ret = mbedtls_ssl_handshake( &ssl );
+
+ if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
+ biomemfuzz.Offset = ssl.next_record_offset;
+ mbedtls_ssl_session_reset( &ssl );
+ mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
+ if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 )
+ goto exit;
+
+ ret = mbedtls_ssl_handshake( &ssl );
+
+ if( ret == 0 )
+ {
+ //keep reading data from server until the end
+ do
+ {
+ len = sizeof( buf ) - 1;
+ ret = mbedtls_ssl_read( &ssl, buf, len );
+ if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+ continue;
+ else if( ret <= 0 )
+ //EOF or error
+ break;
+ }
+ while( 1 );
+ }
+ }
+
+exit:
+ mbedtls_ssl_cookie_free( &cookie_ctx );
+ mbedtls_entropy_free( &entropy );
+ mbedtls_ctr_drbg_free( &ctr_drbg );
+ mbedtls_ssl_config_free( &conf );
+ mbedtls_ssl_free( &ssl );
+
+#else
+ (void) Data;
+ (void) Size;
+#endif
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_dtlsserver.options b/programs/fuzz/fuzz_dtlsserver.options
new file mode 100644
index 0000000..4d7340f
--- /dev/null
+++ b/programs/fuzz/fuzz_dtlsserver.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 1048575
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
new file mode 100644
index 0000000..533a647
--- /dev/null
+++ b/programs/fuzz/fuzz_privkey.c
@@ -0,0 +1,64 @@
+#include <stdint.h>
+#include "mbedtls/pk.h"
+
+//4 Kb should be enough for every bug ;-)
+#define MAX_LEN 0x1000
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_PK_PARSE_C
+ int ret;
+ mbedtls_pk_context pk;
+
+ if (Size > MAX_LEN) {
+ //only work on small inputs
+ Size = MAX_LEN;
+ }
+
+ mbedtls_pk_init( &pk );
+ ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0 );
+ if (ret == 0) {
+#if defined(MBEDTLS_RSA_C)
+ if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
+ {
+ mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
+ mbedtls_rsa_context *rsa;
+
+ mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q );
+ mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
+ mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
+
+ rsa = mbedtls_pk_rsa( pk );
+ mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
+ mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
+
+ mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
+ mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
+ mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP );
+ }
+ else
+#endif
+#if defined(MBEDTLS_ECP_C)
+ if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
+ {
+ mbedtls_ecp_keypair *ecp;
+
+ ecp = mbedtls_pk_ec( pk );
+ if (ecp) {
+ ret = 0;
+ }
+ }
+ else
+#endif
+ {
+ ret = 0;
+ }
+ }
+ mbedtls_pk_free( &pk );
+#else
+ (void) Data;
+ (void) Size;
+#endif //MBEDTLS_PK_PARSE_C
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_privkey.options b/programs/fuzz/fuzz_privkey.options
new file mode 100644
index 0000000..0824b19
--- /dev/null
+++ b/programs/fuzz/fuzz_privkey.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c
new file mode 100644
index 0000000..df42f7d
--- /dev/null
+++ b/programs/fuzz/fuzz_pubkey.c
@@ -0,0 +1,57 @@
+#include <stdint.h>
+#include "mbedtls/pk.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_PK_PARSE_C
+ int ret;
+ mbedtls_pk_context pk;
+
+ mbedtls_pk_init( &pk );
+ ret = mbedtls_pk_parse_public_key( &pk, Data, Size );
+ if (ret == 0) {
+#if defined(MBEDTLS_RSA_C)
+ if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
+ {
+ mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
+ mbedtls_rsa_context *rsa;
+
+ mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q );
+ mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
+ mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
+
+ rsa = mbedtls_pk_rsa( pk );
+ ret = mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
+ ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
+
+ mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
+ mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
+ mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP );
+
+ }
+ else
+#endif
+#if defined(MBEDTLS_ECP_C)
+ if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
+ {
+ mbedtls_ecp_keypair *ecp;
+
+ ecp = mbedtls_pk_ec( pk );
+ //dummy use of value
+ if (ecp) {
+ ret = 0;
+ }
+ }
+ else
+#endif
+ {
+ ret = 0;
+ }
+ }
+ mbedtls_pk_free( &pk );
+#else
+ (void) Data;
+ (void) Size;
+#endif //MBEDTLS_PK_PARSE_C
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_pubkey.options b/programs/fuzz/fuzz_pubkey.options
new file mode 100644
index 0000000..0824b19
--- /dev/null
+++ b/programs/fuzz/fuzz_pubkey.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c
new file mode 100644
index 0000000..d751a71
--- /dev/null
+++ b/programs/fuzz/fuzz_server.c
@@ -0,0 +1,186 @@
+#include "mbedtls/ssl.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/certs.h"
+#include "mbedtls/ssl_ticket.h"
+#include "common.h"
+#include <string.h>
+#include <stdlib.h>
+#include <stdbool.h>
+#include <stdint.h>
+
+
+#ifdef MBEDTLS_SSL_SRV_C
+const char *pers = "fuzz_server";
+static bool initialized = 0;
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+static mbedtls_x509_crt srvcert;
+static mbedtls_pk_context pkey;
+#endif
+const char *alpn_list[3];
+
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+const unsigned char psk[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
+};
+const char psk_id[] = "Client_identity";
+#endif
+#endif // MBEDTLS_SSL_SRV_C
+
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_SSL_SRV_C
+ int ret;
+ size_t len;
+ mbedtls_ssl_context ssl;
+ mbedtls_ssl_config conf;
+ mbedtls_ctr_drbg_context ctr_drbg;
+ mbedtls_entropy_context entropy;
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_ticket_context ticket_ctx;
+#endif
+ unsigned char buf[4096];
+ fuzzBufferOffset_t biomemfuzz;
+ uint8_t options;
+
+ //we take 1 byte as options input
+ if (Size < 1) {
+ return 0;
+ }
+ options = Data[Size - 1];
+
+ if (initialized == 0) {
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_x509_crt_init( &srvcert );
+ mbedtls_pk_init( &pkey );
+ if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
+ mbedtls_test_srv_crt_len ) != 0)
+ return 1;
+ if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
+ mbedtls_test_cas_pem_len ) != 0)
+ return 1;
+ if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
+ mbedtls_test_srv_key_len, NULL, 0 ) != 0)
+ return 1;
+#endif
+
+ alpn_list[0] = "HTTP";
+ alpn_list[1] = "fuzzalpn";
+ alpn_list[2] = NULL;
+
+ dummy_init();
+
+ initialized = 1;
+ }
+ mbedtls_ssl_init( &ssl );
+ mbedtls_ssl_config_init( &conf );
+ mbedtls_ctr_drbg_init( &ctr_drbg );
+ mbedtls_entropy_init( &entropy );
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_ticket_init( &ticket_ctx );
+#endif
+
+ if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
+ (const unsigned char *) pers, strlen( pers ) ) != 0 )
+ goto exit;
+
+
+ if( mbedtls_ssl_config_defaults( &conf,
+ MBEDTLS_SSL_IS_SERVER,
+ MBEDTLS_SSL_TRANSPORT_STREAM,
+ MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
+ goto exit;
+
+ srand(1);
+ mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
+
+#if defined(MBEDTLS_X509_CRT_PARSE_C)
+ mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
+ if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
+ goto exit;
+#endif
+
+ mbedtls_ssl_conf_cert_req_ca_list( &conf, (options & 0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED );
+#if defined(MBEDTLS_SSL_ALPN)
+ if (options & 0x2) {
+ mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
+ }
+#endif
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ if( options & 0x4 )
+ {
+ if( mbedtls_ssl_ticket_setup( &ticket_ctx,
+ dummy_random, &ctr_drbg,
+ MBEDTLS_CIPHER_AES_256_GCM,
+ 86400 ) != 0 )
+ goto exit;
+
+ mbedtls_ssl_conf_session_tickets_cb( &conf,
+ mbedtls_ssl_ticket_write,
+ mbedtls_ssl_ticket_parse,
+ &ticket_ctx );
+ }
+#endif
+#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
+ mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
+#endif
+#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
+ mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
+#endif
+#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
+ mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
+#endif
+#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
+ if (options & 0x40) {
+ mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
+ (const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
+ }
+#endif
+#if defined(MBEDTLS_SSL_RENEGOTIATION)
+ mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
+#endif
+
+ if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
+ goto exit;
+
+ biomemfuzz.Data = Data;
+ biomemfuzz.Size = Size-1;
+ biomemfuzz.Offset = 0;
+ mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
+
+ mbedtls_ssl_session_reset( &ssl );
+ ret = mbedtls_ssl_handshake( &ssl );
+ if( ret == 0 )
+ {
+ //keep reading data from server until the end
+ do
+ {
+ len = sizeof( buf ) - 1;
+ ret = mbedtls_ssl_read( &ssl, buf, len );
+
+ if( ret == MBEDTLS_ERR_SSL_WANT_READ )
+ continue;
+ else if( ret <= 0 )
+ //EOF or error
+ break;
+ }
+ while( 1 );
+ }
+
+exit:
+#if defined(MBEDTLS_SSL_SESSION_TICKETS)
+ mbedtls_ssl_ticket_free( &ticket_ctx );
+#endif
+ mbedtls_entropy_free( &entropy );
+ mbedtls_ctr_drbg_free( &ctr_drbg );
+ mbedtls_ssl_config_free( &conf );
+ mbedtls_ssl_free( &ssl );
+
+#else
+ (void) Data;
+ (void) Size;
+#endif //MBEDTLS_SSL_SRV_C
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_server.options b/programs/fuzz/fuzz_server.options
new file mode 100644
index 0000000..4d7340f
--- /dev/null
+++ b/programs/fuzz/fuzz_server.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 1048575
diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c
new file mode 100644
index 0000000..02f521c
--- /dev/null
+++ b/programs/fuzz/fuzz_x509crl.c
@@ -0,0 +1,22 @@
+#include <stdint.h>
+#include "mbedtls/x509_crl.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_X509_CRL_PARSE_C
+ int ret;
+ mbedtls_x509_crl crl;
+ unsigned char buf[4096];
+
+ mbedtls_x509_crl_init( &crl );
+ ret = mbedtls_x509_crl_parse( &crl, Data, Size );
+ if (ret == 0) {
+ ret = mbedtls_x509_crl_info( (char *) buf, sizeof( buf ) - 1, " ", &crl );
+ }
+ mbedtls_x509_crl_free( &crl );
+#else
+ (void) Data;
+ (void) Size;
+#endif
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_x509crl.options b/programs/fuzz/fuzz_x509crl.options
new file mode 100644
index 0000000..0824b19
--- /dev/null
+++ b/programs/fuzz/fuzz_x509crl.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c
new file mode 100644
index 0000000..8f593a1
--- /dev/null
+++ b/programs/fuzz/fuzz_x509crt.c
@@ -0,0 +1,22 @@
+#include <stdint.h>
+#include "mbedtls/x509_crt.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_X509_CRT_PARSE_C
+ int ret;
+ mbedtls_x509_crt crt;
+ unsigned char buf[4096];
+
+ mbedtls_x509_crt_init( &crt );
+ ret = mbedtls_x509_crt_parse( &crt, Data, Size );
+ if (ret == 0) {
+ ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", &crt );
+ }
+ mbedtls_x509_crt_free( &crt );
+#else
+ (void) Data;
+ (void) Size;
+#endif
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_x509crt.options b/programs/fuzz/fuzz_x509crt.options
new file mode 100644
index 0000000..0824b19
--- /dev/null
+++ b/programs/fuzz/fuzz_x509crt.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c
new file mode 100644
index 0000000..3cf28a6
--- /dev/null
+++ b/programs/fuzz/fuzz_x509csr.c
@@ -0,0 +1,22 @@
+#include <stdint.h>
+#include "mbedtls/x509_csr.h"
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+#ifdef MBEDTLS_X509_CSR_PARSE_C
+ int ret;
+ mbedtls_x509_csr csr;
+ unsigned char buf[4096];
+
+ mbedtls_x509_csr_init( &csr );
+ ret = mbedtls_x509_csr_parse( &csr, Data, Size );
+ if (ret == 0) {
+ ret = mbedtls_x509_csr_info( (char *) buf, sizeof( buf ) - 1, " ", &csr );
+ }
+ mbedtls_x509_csr_free( &csr );
+#else
+ (void) Data;
+ (void) Size;
+#endif
+
+ return 0;
+}
diff --git a/programs/fuzz/fuzz_x509csr.options b/programs/fuzz/fuzz_x509csr.options
new file mode 100644
index 0000000..0824b19
--- /dev/null
+++ b/programs/fuzz/fuzz_x509csr.options
@@ -0,0 +1,2 @@
+[libfuzzer]
+max_len = 65535
diff --git a/programs/fuzz/onefile.c b/programs/fuzz/onefile.c
new file mode 100644
index 0000000..45c3282
--- /dev/null
+++ b/programs/fuzz/onefile.c
@@ -0,0 +1,52 @@
+#include <stdint.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
+
+int main(int argc, char** argv)
+{
+ FILE * fp;
+ uint8_t *Data;
+ size_t Size;
+
+ if (argc != 2) {
+ return 1;
+ }
+ //opens the file, get its size, and reads it into a buffer
+ fp = fopen(argv[1], "rb");
+ if (fp == NULL) {
+ return 2;
+ }
+ if (fseek(fp, 0L, SEEK_END) != 0) {
+ fclose(fp);
+ return 2;
+ }
+ Size = ftell(fp);
+ if (Size == (size_t) -1) {
+ fclose(fp);
+ return 2;
+ }
+ if (fseek(fp, 0L, SEEK_SET) != 0) {
+ fclose(fp);
+ return 2;
+ }
+ Data = malloc(Size);
+ if (Data == NULL) {
+ fclose(fp);
+ return 2;
+ }
+ if (fread(Data, Size, 1, fp) != 1) {
+ free(Data);
+ fclose(fp);
+ return 2;
+ }
+
+ //lauch fuzzer
+ LLVMFuzzerTestOneInput(Data, Size);
+ free(Data);
+ fclose(fp);
+ return 0;
+}
+