Blame - tests/fuzz/fuzz_client.c - mirror/mbed-tls

blob: aee9946d9b6618c79bf2e211d599d3f5801de8cc [file] [log] [blame]

Philippe Antoine	7233352	2018-05-03 16:40:24 +0200	[diff] [blame^]	1	#include "mbedtls/ssl.h"
				2	#include "mbedtls/entropy.h"
				3	#include "mbedtls/ctr_drbg.h"
				4	#include "mbedtls/certs.h"
				5	#include <string.h>
				6	#include <stdlib.h>
				7	#include <stdbool.h>
				8	#include <stdint.h>
				9
				10
				11	static bool initialized = 0;
				12	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				13	static mbedtls_x509_crt cacert;
				14	#endif
				15	const char *alpn_list[3];
				16
				17
				18	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
				19	const unsigned char psk[] = {
				20	0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
				21	0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
				22	};
				23	const char psk_id[] = "Client_identity";
				24	#endif
				25
				26	const char *pers = "fuzz_client";
				27
				28
				29	typedef struct fuzzBufferOffset
				30	{
				31	const uint8_t *Data;
				32	size_t Size;
				33	size_t Offset;
				34	} fuzzBufferOffset_t;
				35
				36	static int dummy_send( void ctx, const unsigned char buf, size_t len )
				37	{
				38	//silence warning about unused parameter
				39	(void) ctx;
				40	(void) buf;
				41
				42	//pretends we wrote everything ok
				43	return( len );
				44	}
				45
				46	static int fuzz_recv( void ctx, unsigned char buf, size_t len )
				47	{
				48	//reads from the buffer from fuzzer
				49	fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
				50
				51	if (biomemfuzz->Offset == biomemfuzz->Size) {
				52	//EOF
				53	return (0);
				54	}
				55	if (len + biomemfuzz->Offset > biomemfuzz->Size) {
				56	//do not overflow
				57	len = biomemfuzz->Size - biomemfuzz->Offset;
				58	}
				59	memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
				60	biomemfuzz->Offset += len;
				61	return( len );
				62	}
				63
				64	static int dummy_random( void p_rng, unsigned char output, size_t output_len )
				65	{
				66	int ret;
				67	size_t i;
				68
				69	//use mbedtls_ctr_drbg_random to find bugs in it
				70	ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
				71	for (i=0; i<output_len; i++) {
				72	//replace result with pseudo random
				73	output[i] = (unsigned char) random();
				74	}
				75	return( ret );
				76	}
				77
				78	static int dummy_entropy( void data, unsigned char output, size_t len )
				79	{
				80	int ret;
				81	size_t i;
				82
				83	//use mbedtls_entropy_func to find bugs in it
				84	ret = mbedtls_entropy_func(data, output, len);
				85	for (i=0; i<len; i++) {
				86	//replace result with pseudo random
				87	output[i] = (unsigned char) random();
				88	}
				89	return( ret );
				90	}
				91
				92
				93	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
				94	int ret;
				95	size_t len;
				96	mbedtls_ssl_context ssl;
				97	mbedtls_ssl_config conf;
				98	mbedtls_ctr_drbg_context ctr_drbg;
				99	mbedtls_entropy_context entropy;
				100	unsigned char buf[4096];
				101	fuzzBufferOffset_t biomemfuzz;
				102	uint16_t options;
				103
				104	if (initialized == 0) {
				105	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				106	mbedtls_x509_crt_init( &cacert );
				107	if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
				108	mbedtls_test_cas_pem_len ) != 0)
				109	return 1;
				110	#endif
				111
				112	alpn_list[0] = "HTTP";
				113	alpn_list[1] = "fuzzalpn";
				114	alpn_list[2] = NULL;
				115
				116	initialized = 1;
				117	}
				118
				119	//we take 1 byte as options input
				120	if (Size < 2) {
				121	return 0;
				122	}
				123	options = (Data[Size - 2] << 8) \| Data[Size - 1];
				124	//Avoid warnings if compile options imply no options
				125	(void) options;
				126
				127	mbedtls_ssl_init( &ssl );
				128	mbedtls_ssl_config_init( &conf );
				129	mbedtls_ctr_drbg_init( &ctr_drbg );
				130	mbedtls_entropy_init( &entropy );
				131
				132	if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
				133	(const unsigned char *) pers, strlen( pers ) ) != 0 )
				134	goto exit;
				135
				136	if( mbedtls_ssl_config_defaults( &conf,
				137	MBEDTLS_SSL_IS_CLIENT,
				138	MBEDTLS_SSL_TRANSPORT_STREAM,
				139	MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
				140	goto exit;
				141
				142	#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
				143	if (options & 2) {
				144	mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
				145	(const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
				146	}
				147	#endif
				148
				149	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				150	if (options & 4) {
				151	mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
				152	mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
				153	} else
				154	#endif
				155	{
				156	mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
				157	}
				158	#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
				159	mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
				160	#endif
				161	#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
				162	mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
				163	#endif
				164	#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
				165	mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
				166	#endif
				167	#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
				168	mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
				169	#endif
				170	#if defined(MBEDTLS_SSL_RENEGOTIATION)
				171	mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
				172	#endif
				173	#if defined(MBEDTLS_SSL_SESSION_TICKETS)
				174	mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED );
				175	#endif
				176	#if defined(MBEDTLS_SSL_ALPN)
				177	if (options & 0x200) {
				178	mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
				179	}
				180	#endif
				181	//There may be other options to add :
				182	// mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
				183
				184	srandom(1);
				185	mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
				186
				187	if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
				188	goto exit;
				189
				190	#if defined(MBEDTLS_X509_CRT_PARSE_C)
				191	if ((options & 1) == 0) {
				192	if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
				193	goto exit;
				194	}
				195	#endif
				196
				197	biomemfuzz.Data = Data;
				198	biomemfuzz.Size = Size-2;
				199	biomemfuzz.Offset = 0;
				200	mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
				201
				202	ret = mbedtls_ssl_handshake( &ssl );
				203	if( ret == 0 )
				204	{
				205	//keep reading data from server until the end
				206	do
				207	{
				208	len = sizeof( buf ) - 1;
				209	ret = mbedtls_ssl_read( &ssl, buf, len );
				210
				211	if( ret == MBEDTLS_ERR_SSL_WANT_READ )
				212	continue;
				213	else if( ret <= 0 )
				214	//EOF or error
				215	break;
				216	}
				217	while( 1 );
				218	}
				219
				220	exit:
				221	mbedtls_entropy_free( &entropy );
				222	mbedtls_ctr_drbg_free( &ctr_drbg );
				223	mbedtls_ssl_config_free( &conf );
				224	mbedtls_ssl_free( &ssl );
				225
				226	return 0;
				227	}