TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / dbc0db9449de1661917ce68d1debe73314131757 / . / tests / fuzz / fuzz_client.c
blob: b9cdddd0ee4d62ddb3640fa2692f0677ae2a9f27 [file] [log] [blame]
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]1#include "mbedtls/ssl.h"
2#include "mbedtls/entropy.h"
3#include "mbedtls/ctr_drbg.h"
4#include "mbedtls/certs.h"
5#include <string.h>
6#include <stdlib.h>
7#include <stdbool.h>
8#include <stdint.h>
9
10
11static bool initialized = 0;
12#if defined(MBEDTLS_X509_CRT_PARSE_C)
13static mbedtls_x509_crt cacert;
14#endif
15const char *alpn_list[3];
16
17
18#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
19const unsigned char psk[] = {
20 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
21 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
22};
23const char psk_id[] = "Client_identity";
24#endif
25
26const char *pers = "fuzz_client";
27
28
29typedef struct fuzzBufferOffset
30{
31 const uint8_t *Data;
32 size_t Size;
33 size_t Offset;
34} fuzzBufferOffset_t;
35
36static int dummy_send( void *ctx, const unsigned char *buf, size_t len )
37{
38 //silence warning about unused parameter
39 (void) ctx;
40 (void) buf;
41
42 //pretends we wrote everything ok
43 return( len );
44}
45
46static int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
47{
48 //reads from the buffer from fuzzer
49 fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
50
51 if (biomemfuzz->Offset == biomemfuzz->Size) {
52 //EOF
53 return (0);
54 }
55 if (len + biomemfuzz->Offset > biomemfuzz->Size) {
56 //do not overflow
57 len = biomemfuzz->Size - biomemfuzz->Offset;
58 }
59 memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
60 biomemfuzz->Offset += len;
61 return( len );
62}
63
64static int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
65{
66 int ret;
67 size_t i;
68
69 //use mbedtls_ctr_drbg_random to find bugs in it
70 ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
71 for (i=0; i<output_len; i++) {
72 //replace result with pseudo random
Philippe Antoine2b7c9a22019-06-04 12:05:36 +0200[diff] [blame]73 output[i] = (unsigned char) rand();
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]74 }
75 return( ret );
76}
77
78static int dummy_entropy( void *data, unsigned char *output, size_t len )
79{
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]80 size_t i;
Philippe Antoinef0493042019-06-04 12:01:51 +0200[diff] [blame]81 (void) data;
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]82
83 //use mbedtls_entropy_func to find bugs in it
Philippe Antoine9c7b6982018-05-29 17:00:39 +0200[diff] [blame]84 //test performance impact of entropy
85 //ret = mbedtls_entropy_func(data, output, len);
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]86 for (i=0; i<len; i++) {
87 //replace result with pseudo random
Philippe Antoine2b7c9a22019-06-04 12:05:36 +0200[diff] [blame]88 output[i] = (unsigned char) rand();
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]89 }
Philippe Antoine9c7b6982018-05-29 17:00:39 +0200[diff] [blame]90 return( 0 );
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]91}
92
93
94int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
95 int ret;
96 size_t len;
97 mbedtls_ssl_context ssl;
98 mbedtls_ssl_config conf;
99 mbedtls_ctr_drbg_context ctr_drbg;
100 mbedtls_entropy_context entropy;
101 unsigned char buf[4096];
102 fuzzBufferOffset_t biomemfuzz;
103 uint16_t options;
104
105 if (initialized == 0) {
106#if defined(MBEDTLS_X509_CRT_PARSE_C)
107 mbedtls_x509_crt_init( &cacert );
108 if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
109 mbedtls_test_cas_pem_len ) != 0)
110 return 1;
111#endif
112
113 alpn_list[0] = "HTTP";
114 alpn_list[1] = "fuzzalpn";
115 alpn_list[2] = NULL;
116
117 initialized = 1;
118 }
119
120 //we take 1 byte as options input
121 if (Size < 2) {
122 return 0;
123 }
124 options = (Data[Size - 2] << 8) | Data[Size - 1];
125 //Avoid warnings if compile options imply no options
126 (void) options;
127
128 mbedtls_ssl_init( &ssl );
129 mbedtls_ssl_config_init( &conf );
130 mbedtls_ctr_drbg_init( &ctr_drbg );
131 mbedtls_entropy_init( &entropy );
132
133 if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
134 (const unsigned char *) pers, strlen( pers ) ) != 0 )
135 goto exit;
136
137 if( mbedtls_ssl_config_defaults( &conf,
138 MBEDTLS_SSL_IS_CLIENT,
139 MBEDTLS_SSL_TRANSPORT_STREAM,
140 MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
141 goto exit;
142
143#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
144 if (options & 2) {
145 mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
146 (const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
147 }
148#endif
149
150#if defined(MBEDTLS_X509_CRT_PARSE_C)
151 if (options & 4) {
152 mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
153 mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
154 } else
155#endif
156 {
157 mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
158 }
159#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
160 mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
161#endif
162#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
163 mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
164#endif
165#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
166 mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
167#endif
168#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
169 mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
170#endif
171#if defined(MBEDTLS_SSL_RENEGOTIATION)
172 mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
173#endif
174#if defined(MBEDTLS_SSL_SESSION_TICKETS)
175 mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED );
176#endif
177#if defined(MBEDTLS_SSL_ALPN)
178 if (options & 0x200) {
179 mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
180 }
181#endif
182 //There may be other options to add :
183 // mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
184
Philippe Antoine2b7c9a22019-06-04 12:05:36 +0200[diff] [blame]185 srand(1);
Philippe Antoine72333522018-05-03 16:40:24 +0200[diff] [blame]186 mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
187
188 if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
189 goto exit;
190
191#if defined(MBEDTLS_X509_CRT_PARSE_C)
192 if ((options & 1) == 0) {
193 if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
194 goto exit;
195 }
196#endif
197
198 biomemfuzz.Data = Data;
199 biomemfuzz.Size = Size-2;
200 biomemfuzz.Offset = 0;
201 mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
202
203 ret = mbedtls_ssl_handshake( &ssl );
204 if( ret == 0 )
205 {
206 //keep reading data from server until the end
207 do
208 {
209 len = sizeof( buf ) - 1;
210 ret = mbedtls_ssl_read( &ssl, buf, len );
211
212 if( ret == MBEDTLS_ERR_SSL_WANT_READ )
213 continue;
214 else if( ret <= 0 )
215 //EOF or error
216 break;
217 }
218 while( 1 );
219 }
220
221exit:
222 mbedtls_entropy_free( &entropy );
223 mbedtls_ctr_drbg_free( &ctr_drbg );
224 mbedtls_ssl_config_free( &conf );
225 mbedtls_ssl_free( &ssl );
226
227 return 0;
228}