Merge remote-tracking branch 'origin/pr/1622' into development
* origin/pr/1622: (29 commits) Do not build fuzz on windows No booleans and import config Removing space before opening parenthesis Style corrections Syntax fix Fixes warnings from MSVC Add a linker flag to enable gcov in basic-build-test.sh checks MBEDTLS_PEM_PARSE_C Restore programs/fuzz/Makefile after in-tree cmake Move fuzz directory to programs Documentation for corpus generation Restore tests/fuzz/Makefile after in-tree cmake Adding ifdefs to avoid warnings for unused globals Adds LDFLAGS fsanitize=address Ignore compiled object files and executables Also clean the fuzz subdirectory copyediting README.md Protecting client/server fuzz targts with ifdefs Makefile support 1 Fuzz README and direct compilation ...
This commit is contained in:
commit
072959f5c2
@ -128,6 +128,8 @@ Changes
|
||||
* Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable
|
||||
test runs without variability. Contributed by Philippe Antoine (Catena
|
||||
cyber) in #2681.
|
||||
* Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz.
|
||||
Contributed by Philippe Antoine (Catena cyber).
|
||||
|
||||
= mbed TLS 2.17.0 branch released 2019-03-19
|
||||
|
||||
|
@ -32,6 +32,7 @@
|
||||
|
||||
#include "x509.h"
|
||||
#include "x509_crl.h"
|
||||
#include "bignum.h"
|
||||
|
||||
/**
|
||||
* \addtogroup x509_module
|
||||
|
@ -6,3 +6,6 @@ add_subdirectory(ssl)
|
||||
add_subdirectory(test)
|
||||
add_subdirectory(x509)
|
||||
add_subdirectory(util)
|
||||
if (NOT WIN32)
|
||||
add_subdirectory(fuzz)
|
||||
endif()
|
||||
|
@ -90,9 +90,18 @@ endif
|
||||
|
||||
.SILENT:
|
||||
|
||||
.PHONY: all clean list
|
||||
.PHONY: all clean list fuzz
|
||||
|
||||
all: $(APPS)
|
||||
ifndef WINDOWS
|
||||
# APPS doesn't include the fuzzing programs, which aren't "normal"
|
||||
# sample or test programs, and don't build with MSVC which is
|
||||
# warning about fopen
|
||||
all: fuzz
|
||||
endif
|
||||
|
||||
fuzz:
|
||||
$(MAKE) -C fuzz
|
||||
|
||||
$(DEP):
|
||||
$(MAKE) -C ../library
|
||||
@ -305,6 +314,7 @@ ifndef WINDOWS
|
||||
else
|
||||
del /S /Q /F *.o *.exe
|
||||
endif
|
||||
$(MAKE) -C fuzz clean
|
||||
|
||||
list:
|
||||
echo $(APPS)
|
||||
|
10
programs/fuzz/.gitignore
vendored
Normal file
10
programs/fuzz/.gitignore
vendored
Normal file
@ -0,0 +1,10 @@
|
||||
*.o
|
||||
fuzz_client
|
||||
fuzz_dtlsclient
|
||||
fuzz_dtlsserver
|
||||
fuzz_privkey
|
||||
fuzz_pubkey
|
||||
fuzz_server
|
||||
fuzz_x509crl
|
||||
fuzz_x509crt
|
||||
fuzz_x509csr
|
80
programs/fuzz/CMakeLists.txt
Normal file
80
programs/fuzz/CMakeLists.txt
Normal file
@ -0,0 +1,80 @@
|
||||
set(libs
|
||||
mbedtls
|
||||
)
|
||||
|
||||
if(USE_PKCS11_HELPER_LIBRARY)
|
||||
set(libs ${libs} pkcs11-helper)
|
||||
endif(USE_PKCS11_HELPER_LIBRARY)
|
||||
|
||||
if(ENABLE_ZLIB_SUPPORT)
|
||||
set(libs ${libs} ${ZLIB_LIBRARIES})
|
||||
endif(ENABLE_ZLIB_SUPPORT)
|
||||
|
||||
find_library(FUZZINGENGINE_LIB FuzzingEngine)
|
||||
|
||||
if(NOT FUZZINGENGINE_LIB)
|
||||
add_executable(fuzz_x509csr fuzz_x509csr.c onefile.c)
|
||||
target_link_libraries(fuzz_x509csr ${libs})
|
||||
|
||||
add_executable(fuzz_x509crl fuzz_x509crl.c onefile.c)
|
||||
target_link_libraries(fuzz_x509crl ${libs})
|
||||
|
||||
add_executable(fuzz_x509crt fuzz_x509crt.c onefile.c)
|
||||
target_link_libraries(fuzz_x509crt ${libs})
|
||||
|
||||
add_executable(fuzz_privkey fuzz_privkey.c onefile.c)
|
||||
target_link_libraries(fuzz_privkey ${libs})
|
||||
|
||||
add_executable(fuzz_pubkey fuzz_pubkey.c onefile.c)
|
||||
target_link_libraries(fuzz_pubkey ${libs})
|
||||
|
||||
add_executable(fuzz_client fuzz_client.c common.c onefile.c)
|
||||
target_link_libraries(fuzz_client ${libs})
|
||||
|
||||
add_executable(fuzz_server fuzz_server.c common.c onefile.c)
|
||||
target_link_libraries(fuzz_server ${libs})
|
||||
|
||||
add_executable(fuzz_dtlsclient fuzz_dtlsclient.c common.c onefile.c)
|
||||
target_link_libraries(fuzz_dtlsclient ${libs})
|
||||
|
||||
add_executable(fuzz_dtlsserver fuzz_dtlsserver.c common.c onefile.c)
|
||||
target_link_libraries(fuzz_dtlsserver ${libs})
|
||||
else()
|
||||
project(fuzz CXX)
|
||||
|
||||
add_executable(fuzz_x509csr fuzz_x509csr.c)
|
||||
target_link_libraries(fuzz_x509csr ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_x509csr PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_x509crl fuzz_x509crl.c)
|
||||
target_link_libraries(fuzz_x509crl ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_x509crl PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_x509crt fuzz_x509crt.c)
|
||||
target_link_libraries(fuzz_x509crt ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_x509crt PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_privkey fuzz_privkey.c)
|
||||
target_link_libraries(fuzz_privkey ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_privkey PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_pubkey fuzz_pubkey.c)
|
||||
target_link_libraries(fuzz_pubkey ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_pubkey PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_client fuzz_client.c common.c)
|
||||
target_link_libraries(fuzz_client ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_client PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_server fuzz_server.c common.c)
|
||||
target_link_libraries(fuzz_server ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_server PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_dtlsclient fuzz_dtlsclient.c common.c)
|
||||
target_link_libraries(fuzz_dtlsclient ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_dtlsclient PROPERTIES LINKER_LANGUAGE CXX)
|
||||
|
||||
add_executable(fuzz_dtlsserver fuzz_dtlsserver.c common.c)
|
||||
target_link_libraries(fuzz_dtlsserver ${libs} FuzzingEngine)
|
||||
SET_TARGET_PROPERTIES(fuzz_dtlsserver PROPERTIES LINKER_LANGUAGE CXX)
|
||||
endif()
|
72
programs/fuzz/Makefile
Normal file
72
programs/fuzz/Makefile
Normal file
@ -0,0 +1,72 @@
|
||||
|
||||
LOCAL_CFLAGS = -I../../include -D_FILE_OFFSET_BITS=64
|
||||
LOCAL_LDFLAGS = -L../../library \
|
||||
-lmbedtls$(SHARED_SUFFIX) \
|
||||
-lmbedx509$(SHARED_SUFFIX) \
|
||||
-lmbedcrypto$(SHARED_SUFFIX)
|
||||
|
||||
LOCAL_LDFLAGS += -L../../crypto/library
|
||||
LOCAL_CFLAGS += -I../../crypto/include
|
||||
CRYPTO := ../../crypto/library/
|
||||
|
||||
ifndef SHARED
|
||||
DEP=$(CRYPTO)libmbedcrypto.a ../../library/libmbedx509.a ../../library/libmbedtls.a
|
||||
else
|
||||
DEP=$(CRYPTO)libmbedcrypto.$(DLEXT) ../../library/libmbedx509.$(DLEXT) ../../library/libmbedtls.$(DLEXT)
|
||||
endif
|
||||
|
||||
|
||||
DLEXT ?= so
|
||||
EXEXT=
|
||||
SHARED_SUFFIX=
|
||||
# python2 for POSIX since FreeBSD has only python2 as default.
|
||||
PYTHON ?= python2
|
||||
|
||||
# Zlib shared library extensions:
|
||||
ifdef ZLIB
|
||||
LOCAL_LDFLAGS += -lz
|
||||
endif
|
||||
|
||||
ifdef FUZZINGENGINE
|
||||
LOCAL_LDFLAGS += -lFuzzingEngine
|
||||
endif
|
||||
|
||||
# A test application is built for each suites/test_suite_*.data file.
|
||||
# Application name is same as .data file's base name and can be
|
||||
# constructed by stripping path 'suites/' and extension .data.
|
||||
APPS = $(basename $(wildcard fuzz_*.c))
|
||||
|
||||
# Construct executable name by adding OS specific suffix $(EXEXT).
|
||||
BINARIES := $(addsuffix $(EXEXT),$(APPS))
|
||||
|
||||
.SILENT:
|
||||
|
||||
.PHONY: all check test clean
|
||||
|
||||
all: $(BINARIES)
|
||||
|
||||
$(DEP):
|
||||
$(MAKE) -C ../../library
|
||||
|
||||
C_FILES := $(addsuffix .c,$(APPS))
|
||||
|
||||
%.o: %.c
|
||||
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c $< -o $@
|
||||
|
||||
|
||||
ifdef FUZZINGENGINE
|
||||
$(BINARIES): %$(EXEXT): %.o common.o $(DEP)
|
||||
echo " $(CC) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
|
||||
$(CXX) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
|
||||
else
|
||||
$(BINARIES): %$(EXEXT): %.o common.o onefile.o $(DEP)
|
||||
echo " $(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
|
||||
$(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
|
||||
endif
|
||||
|
||||
clean:
|
||||
ifndef WINDOWS
|
||||
rm -rf $(BINARIES) *.o
|
||||
else
|
||||
del /Q /F *.o *.exe
|
||||
endif
|
68
programs/fuzz/README.md
Normal file
68
programs/fuzz/README.md
Normal file
@ -0,0 +1,68 @@
|
||||
What is it?
|
||||
------
|
||||
|
||||
This directory contains fuzz targets.
|
||||
Fuzz targets are simple codes using the library.
|
||||
They are used with a so-called fuzz driver, which will generate inputs, try to process them with the fuzz target, and alert in case of an unwanted behavior (such as a buffer overflow for instance).
|
||||
|
||||
These targets were meant to be used with oss-fuzz but can be used in other contexts.
|
||||
|
||||
This code was contributed by Philippe Antoine ( Catena cyber ).
|
||||
|
||||
How to run?
|
||||
------
|
||||
|
||||
To run the fuzz targets like oss-fuzz:
|
||||
```
|
||||
git clone https://github.com/google/oss-fuzz
|
||||
cd oss-fuzz
|
||||
python infra/helper.py build_image mbedtls
|
||||
python infra/helper.py build_fuzzers --sanitizer address mbedtls
|
||||
python infra/helper.py run_fuzzer mbedtls fuzz_client
|
||||
```
|
||||
You can use `undefined` sanitizer as well as `address` sanitizer.
|
||||
And you can run any of the fuzz targets like `fuzz_client`.
|
||||
|
||||
To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance).
|
||||
Then you need to compile the code with the compiler flags of the wished sanitizer.
|
||||
```
|
||||
perl scripts/config.pl set MBEDTLS_PLATFORM_TIME_ALT
|
||||
mkdir build
|
||||
cd build
|
||||
cmake ..
|
||||
make
|
||||
```
|
||||
Finally, you can run the targets like `./test/fuzz/fuzz_client`.
|
||||
|
||||
|
||||
Corpus generation for network trafic targets
|
||||
------
|
||||
|
||||
These targets use network trafic as inputs :
|
||||
* client : simulates a client against (fuzzed) server traffic
|
||||
* server : simulates a server against (fuzzed) client traffic
|
||||
* dtls_client
|
||||
* dtls_server
|
||||
|
||||
They also use the last bytes as configuration options.
|
||||
|
||||
To generate corpus for these targets, you can do the following, not fully automated steps :
|
||||
* Build mbedtls programs ssl_server2 and ssl_client2
|
||||
* Run them one against the other with `reproducible` option turned on while capturing trafic into test.pcap
|
||||
* Extract tcp payloads, for instance with tshark : `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt`
|
||||
* Run a dummy python script to output either client or server corpus file like `python dummy.py test.txt > test.cor`
|
||||
* Finally, you can add the options by appending the last bytes to the file test.cor
|
||||
|
||||
Here is an example of dummy.py for extracting payload from client to server (if we used `tcp.dstport` in tshark command)
|
||||
```
|
||||
import sys
|
||||
import binascii
|
||||
|
||||
f = open(sys.argv[1])
|
||||
for l in f.readlines():
|
||||
portAndPl=l.split()
|
||||
if len(portAndPl) == 2:
|
||||
# determine client or server based on port
|
||||
if portAndPl[0] == "4433":
|
||||
print(binascii.unhexlify(portAndPl[1].replace(":","")))
|
||||
```
|
91
programs/fuzz/common.c
Normal file
91
programs/fuzz/common.c
Normal file
@ -0,0 +1,91 @@
|
||||
#include "common.h"
|
||||
#include <stdio.h>
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
|
||||
mbedtls_time_t dummy_constant_time( mbedtls_time_t* time )
|
||||
{
|
||||
(void) time;
|
||||
return 0x5af2a056;
|
||||
}
|
||||
|
||||
void dummy_init()
|
||||
{
|
||||
#if defined(MBEDTLS_PLATFORM_TIME_ALT)
|
||||
mbedtls_platform_set_time( dummy_constant_time );
|
||||
#else
|
||||
fprintf(stderr, "Warning: fuzzing without constant time\n");
|
||||
#endif
|
||||
}
|
||||
|
||||
int dummy_send( void *ctx, const unsigned char *buf, size_t len )
|
||||
{
|
||||
//silence warning about unused parameter
|
||||
(void) ctx;
|
||||
(void) buf;
|
||||
|
||||
//pretends we wrote everything ok
|
||||
if( len > INT_MAX ) {
|
||||
return( -1 );
|
||||
}
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
|
||||
{
|
||||
//reads from the buffer from fuzzer
|
||||
fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
|
||||
|
||||
if(biomemfuzz->Offset == biomemfuzz->Size) {
|
||||
//EOF
|
||||
return( 0 );
|
||||
}
|
||||
if( len > INT_MAX ) {
|
||||
return( -1 );
|
||||
}
|
||||
if( len + biomemfuzz->Offset > biomemfuzz->Size ) {
|
||||
//do not overflow
|
||||
len = biomemfuzz->Size - biomemfuzz->Offset;
|
||||
}
|
||||
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
|
||||
biomemfuzz->Offset += len;
|
||||
return( (int) len );
|
||||
}
|
||||
|
||||
int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
|
||||
{
|
||||
int ret;
|
||||
size_t i;
|
||||
|
||||
//use mbedtls_ctr_drbg_random to find bugs in it
|
||||
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
|
||||
for (i=0; i<output_len; i++) {
|
||||
//replace result with pseudo random
|
||||
output[i] = (unsigned char) rand();
|
||||
}
|
||||
return( ret );
|
||||
}
|
||||
|
||||
int dummy_entropy( void *data, unsigned char *output, size_t len )
|
||||
{
|
||||
size_t i;
|
||||
(void) data;
|
||||
|
||||
//use mbedtls_entropy_func to find bugs in it
|
||||
//test performance impact of entropy
|
||||
//ret = mbedtls_entropy_func(data, output, len);
|
||||
for (i=0; i<len; i++) {
|
||||
//replace result with pseudo random
|
||||
output[i] = (unsigned char) rand();
|
||||
}
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len,
|
||||
uint32_t timeout )
|
||||
{
|
||||
(void) timeout;
|
||||
|
||||
return fuzz_recv(ctx, buf, len);
|
||||
}
|
19
programs/fuzz/common.h
Normal file
19
programs/fuzz/common.h
Normal file
@ -0,0 +1,19 @@
|
||||
#include "mbedtls/platform_time.h"
|
||||
#include <stdint.h>
|
||||
|
||||
typedef struct fuzzBufferOffset
|
||||
{
|
||||
const uint8_t *Data;
|
||||
size_t Size;
|
||||
size_t Offset;
|
||||
} fuzzBufferOffset_t;
|
||||
|
||||
mbedtls_time_t dummy_constant_time( mbedtls_time_t* time );
|
||||
void dummy_init();
|
||||
|
||||
int dummy_send( void *ctx, const unsigned char *buf, size_t len );
|
||||
int fuzz_recv( void *ctx, unsigned char *buf, size_t len );
|
||||
int dummy_random( void *p_rng, unsigned char *output, size_t output_len );
|
||||
int dummy_entropy( void *data, unsigned char *output, size_t len );
|
||||
int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len,
|
||||
uint32_t timeout );
|
BIN
programs/fuzz/corpuses/client
Normal file
BIN
programs/fuzz/corpuses/client
Normal file
Binary file not shown.
BIN
programs/fuzz/corpuses/dtlsclient
Normal file
BIN
programs/fuzz/corpuses/dtlsclient
Normal file
Binary file not shown.
BIN
programs/fuzz/corpuses/dtlsserver
Normal file
BIN
programs/fuzz/corpuses/dtlsserver
Normal file
Binary file not shown.
BIN
programs/fuzz/corpuses/server
Normal file
BIN
programs/fuzz/corpuses/server
Normal file
Binary file not shown.
173
programs/fuzz/fuzz_client.c
Normal file
173
programs/fuzz/fuzz_client.c
Normal file
@ -0,0 +1,173 @@
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
#include "common.h"
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
|
||||
|
||||
#ifdef MBEDTLS_SSL_CLI_C
|
||||
static int initialized = 0;
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
static mbedtls_x509_crt cacert;
|
||||
#endif
|
||||
const char *alpn_list[3];
|
||||
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
const unsigned char psk[] = {
|
||||
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
|
||||
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
|
||||
};
|
||||
const char psk_id[] = "Client_identity";
|
||||
#endif
|
||||
|
||||
const char *pers = "fuzz_client";
|
||||
#endif //MBEDTLS_SSL_CLI_C
|
||||
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_SSL_CLI_C
|
||||
int ret;
|
||||
size_t len;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_entropy_context entropy;
|
||||
unsigned char buf[4096];
|
||||
fuzzBufferOffset_t biomemfuzz;
|
||||
uint16_t options;
|
||||
|
||||
if (initialized == 0) {
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_x509_crt_init( &cacert );
|
||||
if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
|
||||
mbedtls_test_cas_pem_len ) != 0)
|
||||
return 1;
|
||||
#endif
|
||||
|
||||
alpn_list[0] = "HTTP";
|
||||
alpn_list[1] = "fuzzalpn";
|
||||
alpn_list[2] = NULL;
|
||||
|
||||
dummy_init();
|
||||
|
||||
initialized = 1;
|
||||
}
|
||||
|
||||
//we take 1 byte as options input
|
||||
if (Size < 2) {
|
||||
return 0;
|
||||
}
|
||||
options = (Data[Size - 2] << 8) | Data[Size - 1];
|
||||
//Avoid warnings if compile options imply no options
|
||||
(void) options;
|
||||
|
||||
mbedtls_ssl_init( &ssl );
|
||||
mbedtls_ssl_config_init( &conf );
|
||||
mbedtls_ctr_drbg_init( &ctr_drbg );
|
||||
mbedtls_entropy_init( &entropy );
|
||||
|
||||
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
|
||||
(const unsigned char *) pers, strlen( pers ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
if( mbedtls_ssl_config_defaults( &conf,
|
||||
MBEDTLS_SSL_IS_CLIENT,
|
||||
MBEDTLS_SSL_TRANSPORT_STREAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
|
||||
goto exit;
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
if (options & 2) {
|
||||
mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
|
||||
(const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
|
||||
}
|
||||
#endif
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
if (options & 4) {
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
|
||||
} else
|
||||
#endif
|
||||
{
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
|
||||
}
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
|
||||
mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED );
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_ALPN)
|
||||
if (options & 0x200) {
|
||||
mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
|
||||
}
|
||||
#endif
|
||||
//There may be other options to add :
|
||||
// mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
|
||||
|
||||
srand(1);
|
||||
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
|
||||
|
||||
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
|
||||
goto exit;
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
if ((options & 1) == 0) {
|
||||
if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
|
||||
goto exit;
|
||||
}
|
||||
#endif
|
||||
|
||||
biomemfuzz.Data = Data;
|
||||
biomemfuzz.Size = Size-2;
|
||||
biomemfuzz.Offset = 0;
|
||||
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
|
||||
|
||||
ret = mbedtls_ssl_handshake( &ssl );
|
||||
if( ret == 0 )
|
||||
{
|
||||
//keep reading data from server until the end
|
||||
do
|
||||
{
|
||||
len = sizeof( buf ) - 1;
|
||||
ret = mbedtls_ssl_read( &ssl, buf, len );
|
||||
|
||||
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
|
||||
continue;
|
||||
else if( ret <= 0 )
|
||||
//EOF or error
|
||||
break;
|
||||
}
|
||||
while( 1 );
|
||||
}
|
||||
|
||||
exit:
|
||||
mbedtls_entropy_free( &entropy );
|
||||
mbedtls_ctr_drbg_free( &ctr_drbg );
|
||||
mbedtls_ssl_config_free( &conf );
|
||||
mbedtls_ssl_free( &ssl );
|
||||
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif //MBEDTLS_SSL_CLI_C
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_client.options
Normal file
2
programs/fuzz/fuzz_client.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 1048575
|
116
programs/fuzz/fuzz_dtlsclient.c
Normal file
116
programs/fuzz/fuzz_dtlsclient.c
Normal file
@ -0,0 +1,116 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
#include "common.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
#include "mbedtls/timing.h"
|
||||
|
||||
|
||||
#ifdef MBEDTLS_SSL_CLI_C
|
||||
static int initialized = 0;
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
static mbedtls_x509_crt cacert;
|
||||
#endif
|
||||
|
||||
const char *pers = "fuzz_dtlsclient";
|
||||
#endif // MBEDTLS_SSL_CLI_C
|
||||
#endif // MBEDTLS_SSL_PROTO_DTLS
|
||||
|
||||
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_CLI_C)
|
||||
int ret;
|
||||
size_t len;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_timing_delay_context timer;
|
||||
unsigned char buf[4096];
|
||||
fuzzBufferOffset_t biomemfuzz;
|
||||
|
||||
if (initialized == 0) {
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_x509_crt_init( &cacert );
|
||||
if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
|
||||
mbedtls_test_cas_pem_len ) != 0)
|
||||
return 1;
|
||||
#endif
|
||||
dummy_init();
|
||||
|
||||
initialized = 1;
|
||||
}
|
||||
|
||||
mbedtls_ssl_init( &ssl );
|
||||
mbedtls_ssl_config_init( &conf );
|
||||
mbedtls_ctr_drbg_init( &ctr_drbg );
|
||||
mbedtls_entropy_init( &entropy );
|
||||
|
||||
srand(1);
|
||||
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
|
||||
(const unsigned char *) pers, strlen( pers ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
if( mbedtls_ssl_config_defaults( &conf,
|
||||
MBEDTLS_SSL_IS_CLIENT,
|
||||
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
|
||||
goto exit;
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
|
||||
#endif
|
||||
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
|
||||
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
|
||||
|
||||
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
|
||||
goto exit;
|
||||
|
||||
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
|
||||
mbedtls_timing_get_delay );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
|
||||
goto exit;
|
||||
#endif
|
||||
|
||||
biomemfuzz.Data = Data;
|
||||
biomemfuzz.Size = Size;
|
||||
biomemfuzz.Offset = 0;
|
||||
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
|
||||
|
||||
ret = mbedtls_ssl_handshake( &ssl );
|
||||
if( ret == 0 )
|
||||
{
|
||||
//keep reading data from server until the end
|
||||
do
|
||||
{
|
||||
len = sizeof( buf ) - 1;
|
||||
ret = mbedtls_ssl_read( &ssl, buf, len );
|
||||
|
||||
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
|
||||
continue;
|
||||
else if( ret <= 0 )
|
||||
//EOF or error
|
||||
break;
|
||||
}
|
||||
while( 1 );
|
||||
}
|
||||
|
||||
exit:
|
||||
mbedtls_entropy_free( &entropy );
|
||||
mbedtls_ctr_drbg_free( &ctr_drbg );
|
||||
mbedtls_ssl_config_free( &conf );
|
||||
mbedtls_ssl_free( &ssl );
|
||||
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_dtlsclient.options
Normal file
2
programs/fuzz/fuzz_dtlsclient.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 1048575
|
141
programs/fuzz/fuzz_dtlsserver.c
Normal file
141
programs/fuzz/fuzz_dtlsserver.c
Normal file
@ -0,0 +1,141 @@
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
#include "common.h"
|
||||
#include "mbedtls/ssl.h"
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS)
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
#include "mbedtls/timing.h"
|
||||
#include "mbedtls/ssl_cookie.h"
|
||||
|
||||
|
||||
#ifdef MBEDTLS_SSL_SRV_C
|
||||
const char *pers = "fuzz_dtlsserver";
|
||||
const unsigned char client_ip[4] = {0x7F, 0, 0, 1};
|
||||
static int initialized = 0;
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
static mbedtls_x509_crt srvcert;
|
||||
static mbedtls_pk_context pkey;
|
||||
#endif
|
||||
#endif // MBEDTLS_SSL_SRV_C
|
||||
#endif // MBEDTLS_SSL_PROTO_DTLS
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C)
|
||||
int ret;
|
||||
size_t len;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_entropy_context entropy;
|
||||
mbedtls_timing_delay_context timer;
|
||||
mbedtls_ssl_cookie_ctx cookie_ctx;
|
||||
unsigned char buf[4096];
|
||||
fuzzBufferOffset_t biomemfuzz;
|
||||
|
||||
if (initialized == 0) {
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_x509_crt_init( &srvcert );
|
||||
mbedtls_pk_init( &pkey );
|
||||
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
|
||||
mbedtls_test_srv_crt_len ) != 0)
|
||||
return 1;
|
||||
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
|
||||
mbedtls_test_cas_pem_len ) != 0)
|
||||
return 1;
|
||||
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
|
||||
mbedtls_test_srv_key_len, NULL, 0 ) != 0)
|
||||
return 1;
|
||||
#endif
|
||||
dummy_init();
|
||||
|
||||
initialized = 1;
|
||||
}
|
||||
mbedtls_ssl_init( &ssl );
|
||||
mbedtls_ssl_config_init( &conf );
|
||||
mbedtls_ctr_drbg_init( &ctr_drbg );
|
||||
mbedtls_entropy_init( &entropy );
|
||||
mbedtls_ssl_cookie_init( &cookie_ctx );
|
||||
|
||||
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
|
||||
(const unsigned char *) pers, strlen( pers ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
|
||||
if( mbedtls_ssl_config_defaults( &conf,
|
||||
MBEDTLS_SSL_IS_SERVER,
|
||||
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
|
||||
goto exit;
|
||||
|
||||
|
||||
srand(1);
|
||||
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
|
||||
if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
|
||||
goto exit;
|
||||
#endif
|
||||
|
||||
if( mbedtls_ssl_cookie_setup( &cookie_ctx, dummy_random, &ctr_drbg ) != 0 )
|
||||
goto exit;
|
||||
|
||||
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx );
|
||||
|
||||
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
|
||||
goto exit;
|
||||
|
||||
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
|
||||
mbedtls_timing_get_delay );
|
||||
|
||||
biomemfuzz.Data = Data;
|
||||
biomemfuzz.Size = Size;
|
||||
biomemfuzz.Offset = 0;
|
||||
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
|
||||
if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
ret = mbedtls_ssl_handshake( &ssl );
|
||||
|
||||
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
|
||||
biomemfuzz.Offset = ssl.next_record_offset;
|
||||
mbedtls_ssl_session_reset( &ssl );
|
||||
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
|
||||
if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
ret = mbedtls_ssl_handshake( &ssl );
|
||||
|
||||
if( ret == 0 )
|
||||
{
|
||||
//keep reading data from server until the end
|
||||
do
|
||||
{
|
||||
len = sizeof( buf ) - 1;
|
||||
ret = mbedtls_ssl_read( &ssl, buf, len );
|
||||
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
|
||||
continue;
|
||||
else if( ret <= 0 )
|
||||
//EOF or error
|
||||
break;
|
||||
}
|
||||
while( 1 );
|
||||
}
|
||||
}
|
||||
|
||||
exit:
|
||||
mbedtls_ssl_cookie_free( &cookie_ctx );
|
||||
mbedtls_entropy_free( &entropy );
|
||||
mbedtls_ctr_drbg_free( &ctr_drbg );
|
||||
mbedtls_ssl_config_free( &conf );
|
||||
mbedtls_ssl_free( &ssl );
|
||||
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_dtlsserver.options
Normal file
2
programs/fuzz/fuzz_dtlsserver.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 1048575
|
64
programs/fuzz/fuzz_privkey.c
Normal file
64
programs/fuzz/fuzz_privkey.c
Normal file
@ -0,0 +1,64 @@
|
||||
#include <stdint.h>
|
||||
#include "mbedtls/pk.h"
|
||||
|
||||
//4 Kb should be enough for every bug ;-)
|
||||
#define MAX_LEN 0x1000
|
||||
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_PK_PARSE_C
|
||||
int ret;
|
||||
mbedtls_pk_context pk;
|
||||
|
||||
if (Size > MAX_LEN) {
|
||||
//only work on small inputs
|
||||
Size = MAX_LEN;
|
||||
}
|
||||
|
||||
mbedtls_pk_init( &pk );
|
||||
ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0 );
|
||||
if (ret == 0) {
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
|
||||
{
|
||||
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
|
||||
mbedtls_rsa_context *rsa;
|
||||
|
||||
mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q );
|
||||
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
|
||||
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
|
||||
|
||||
rsa = mbedtls_pk_rsa( pk );
|
||||
mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
|
||||
mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
|
||||
|
||||
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
|
||||
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
|
||||
mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP );
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
|
||||
{
|
||||
mbedtls_ecp_keypair *ecp;
|
||||
|
||||
ecp = mbedtls_pk_ec( pk );
|
||||
if (ecp) {
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
mbedtls_pk_free( &pk );
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif //MBEDTLS_PK_PARSE_C
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_privkey.options
Normal file
2
programs/fuzz/fuzz_privkey.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 65535
|
57
programs/fuzz/fuzz_pubkey.c
Normal file
57
programs/fuzz/fuzz_pubkey.c
Normal file
@ -0,0 +1,57 @@
|
||||
#include <stdint.h>
|
||||
#include "mbedtls/pk.h"
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_PK_PARSE_C
|
||||
int ret;
|
||||
mbedtls_pk_context pk;
|
||||
|
||||
mbedtls_pk_init( &pk );
|
||||
ret = mbedtls_pk_parse_public_key( &pk, Data, Size );
|
||||
if (ret == 0) {
|
||||
#if defined(MBEDTLS_RSA_C)
|
||||
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
|
||||
{
|
||||
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
|
||||
mbedtls_rsa_context *rsa;
|
||||
|
||||
mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q );
|
||||
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
|
||||
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
|
||||
|
||||
rsa = mbedtls_pk_rsa( pk );
|
||||
ret = mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
|
||||
ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
|
||||
|
||||
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
|
||||
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
|
||||
mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP );
|
||||
|
||||
}
|
||||
else
|
||||
#endif
|
||||
#if defined(MBEDTLS_ECP_C)
|
||||
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
|
||||
{
|
||||
mbedtls_ecp_keypair *ecp;
|
||||
|
||||
ecp = mbedtls_pk_ec( pk );
|
||||
//dummy use of value
|
||||
if (ecp) {
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
else
|
||||
#endif
|
||||
{
|
||||
ret = 0;
|
||||
}
|
||||
}
|
||||
mbedtls_pk_free( &pk );
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif //MBEDTLS_PK_PARSE_C
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_pubkey.options
Normal file
2
programs/fuzz/fuzz_pubkey.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 65535
|
185
programs/fuzz/fuzz_server.c
Normal file
185
programs/fuzz/fuzz_server.c
Normal file
@ -0,0 +1,185 @@
|
||||
#include "mbedtls/ssl.h"
|
||||
#include "mbedtls/entropy.h"
|
||||
#include "mbedtls/ctr_drbg.h"
|
||||
#include "mbedtls/certs.h"
|
||||
#include "mbedtls/ssl_ticket.h"
|
||||
#include "common.h"
|
||||
#include <string.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdint.h>
|
||||
|
||||
|
||||
#ifdef MBEDTLS_SSL_SRV_C
|
||||
const char *pers = "fuzz_server";
|
||||
static int initialized = 0;
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
static mbedtls_x509_crt srvcert;
|
||||
static mbedtls_pk_context pkey;
|
||||
#endif
|
||||
const char *alpn_list[3];
|
||||
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
const unsigned char psk[] = {
|
||||
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
|
||||
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
|
||||
};
|
||||
const char psk_id[] = "Client_identity";
|
||||
#endif
|
||||
#endif // MBEDTLS_SSL_SRV_C
|
||||
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_SSL_SRV_C
|
||||
int ret;
|
||||
size_t len;
|
||||
mbedtls_ssl_context ssl;
|
||||
mbedtls_ssl_config conf;
|
||||
mbedtls_ctr_drbg_context ctr_drbg;
|
||||
mbedtls_entropy_context entropy;
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
mbedtls_ssl_ticket_context ticket_ctx;
|
||||
#endif
|
||||
unsigned char buf[4096];
|
||||
fuzzBufferOffset_t biomemfuzz;
|
||||
uint8_t options;
|
||||
|
||||
//we take 1 byte as options input
|
||||
if (Size < 1) {
|
||||
return 0;
|
||||
}
|
||||
options = Data[Size - 1];
|
||||
|
||||
if (initialized == 0) {
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_x509_crt_init( &srvcert );
|
||||
mbedtls_pk_init( &pkey );
|
||||
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
|
||||
mbedtls_test_srv_crt_len ) != 0)
|
||||
return 1;
|
||||
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
|
||||
mbedtls_test_cas_pem_len ) != 0)
|
||||
return 1;
|
||||
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
|
||||
mbedtls_test_srv_key_len, NULL, 0 ) != 0)
|
||||
return 1;
|
||||
#endif
|
||||
|
||||
alpn_list[0] = "HTTP";
|
||||
alpn_list[1] = "fuzzalpn";
|
||||
alpn_list[2] = NULL;
|
||||
|
||||
dummy_init();
|
||||
|
||||
initialized = 1;
|
||||
}
|
||||
mbedtls_ssl_init( &ssl );
|
||||
mbedtls_ssl_config_init( &conf );
|
||||
mbedtls_ctr_drbg_init( &ctr_drbg );
|
||||
mbedtls_entropy_init( &entropy );
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
mbedtls_ssl_ticket_init( &ticket_ctx );
|
||||
#endif
|
||||
|
||||
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
|
||||
(const unsigned char *) pers, strlen( pers ) ) != 0 )
|
||||
goto exit;
|
||||
|
||||
|
||||
if( mbedtls_ssl_config_defaults( &conf,
|
||||
MBEDTLS_SSL_IS_SERVER,
|
||||
MBEDTLS_SSL_TRANSPORT_STREAM,
|
||||
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
|
||||
goto exit;
|
||||
|
||||
srand(1);
|
||||
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
|
||||
|
||||
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
|
||||
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
|
||||
if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
|
||||
goto exit;
|
||||
#endif
|
||||
|
||||
mbedtls_ssl_conf_cert_req_ca_list( &conf, (options & 0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED );
|
||||
#if defined(MBEDTLS_SSL_ALPN)
|
||||
if (options & 0x2) {
|
||||
mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
if( options & 0x4 )
|
||||
{
|
||||
if( mbedtls_ssl_ticket_setup( &ticket_ctx,
|
||||
dummy_random, &ctr_drbg,
|
||||
MBEDTLS_CIPHER_AES_256_GCM,
|
||||
86400 ) != 0 )
|
||||
goto exit;
|
||||
|
||||
mbedtls_ssl_conf_session_tickets_cb( &conf,
|
||||
mbedtls_ssl_ticket_write,
|
||||
mbedtls_ssl_ticket_parse,
|
||||
&ticket_ctx );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
|
||||
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
|
||||
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
|
||||
mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
|
||||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
if (options & 0x40) {
|
||||
mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
|
||||
(const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
|
||||
}
|
||||
#endif
|
||||
#if defined(MBEDTLS_SSL_RENEGOTIATION)
|
||||
mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
|
||||
#endif
|
||||
|
||||
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
|
||||
goto exit;
|
||||
|
||||
biomemfuzz.Data = Data;
|
||||
biomemfuzz.Size = Size-1;
|
||||
biomemfuzz.Offset = 0;
|
||||
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
|
||||
|
||||
mbedtls_ssl_session_reset( &ssl );
|
||||
ret = mbedtls_ssl_handshake( &ssl );
|
||||
if( ret == 0 )
|
||||
{
|
||||
//keep reading data from server until the end
|
||||
do
|
||||
{
|
||||
len = sizeof( buf ) - 1;
|
||||
ret = mbedtls_ssl_read( &ssl, buf, len );
|
||||
|
||||
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
|
||||
continue;
|
||||
else if( ret <= 0 )
|
||||
//EOF or error
|
||||
break;
|
||||
}
|
||||
while( 1 );
|
||||
}
|
||||
|
||||
exit:
|
||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||
mbedtls_ssl_ticket_free( &ticket_ctx );
|
||||
#endif
|
||||
mbedtls_entropy_free( &entropy );
|
||||
mbedtls_ctr_drbg_free( &ctr_drbg );
|
||||
mbedtls_ssl_config_free( &conf );
|
||||
mbedtls_ssl_free( &ssl );
|
||||
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif //MBEDTLS_SSL_SRV_C
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_server.options
Normal file
2
programs/fuzz/fuzz_server.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 1048575
|
22
programs/fuzz/fuzz_x509crl.c
Normal file
22
programs/fuzz/fuzz_x509crl.c
Normal file
@ -0,0 +1,22 @@
|
||||
#include <stdint.h>
|
||||
#include "mbedtls/x509_crl.h"
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_X509_CRL_PARSE_C
|
||||
int ret;
|
||||
mbedtls_x509_crl crl;
|
||||
unsigned char buf[4096];
|
||||
|
||||
mbedtls_x509_crl_init( &crl );
|
||||
ret = mbedtls_x509_crl_parse( &crl, Data, Size );
|
||||
if (ret == 0) {
|
||||
ret = mbedtls_x509_crl_info( (char *) buf, sizeof( buf ) - 1, " ", &crl );
|
||||
}
|
||||
mbedtls_x509_crl_free( &crl );
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_x509crl.options
Normal file
2
programs/fuzz/fuzz_x509crl.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 65535
|
22
programs/fuzz/fuzz_x509crt.c
Normal file
22
programs/fuzz/fuzz_x509crt.c
Normal file
@ -0,0 +1,22 @@
|
||||
#include <stdint.h>
|
||||
#include "mbedtls/x509_crt.h"
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_X509_CRT_PARSE_C
|
||||
int ret;
|
||||
mbedtls_x509_crt crt;
|
||||
unsigned char buf[4096];
|
||||
|
||||
mbedtls_x509_crt_init( &crt );
|
||||
ret = mbedtls_x509_crt_parse( &crt, Data, Size );
|
||||
if (ret == 0) {
|
||||
ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", &crt );
|
||||
}
|
||||
mbedtls_x509_crt_free( &crt );
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_x509crt.options
Normal file
2
programs/fuzz/fuzz_x509crt.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 65535
|
22
programs/fuzz/fuzz_x509csr.c
Normal file
22
programs/fuzz/fuzz_x509csr.c
Normal file
@ -0,0 +1,22 @@
|
||||
#include <stdint.h>
|
||||
#include "mbedtls/x509_csr.h"
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
|
||||
#ifdef MBEDTLS_X509_CSR_PARSE_C
|
||||
int ret;
|
||||
mbedtls_x509_csr csr;
|
||||
unsigned char buf[4096];
|
||||
|
||||
mbedtls_x509_csr_init( &csr );
|
||||
ret = mbedtls_x509_csr_parse( &csr, Data, Size );
|
||||
if (ret == 0) {
|
||||
ret = mbedtls_x509_csr_info( (char *) buf, sizeof( buf ) - 1, " ", &csr );
|
||||
}
|
||||
mbedtls_x509_csr_free( &csr );
|
||||
#else
|
||||
(void) Data;
|
||||
(void) Size;
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
2
programs/fuzz/fuzz_x509csr.options
Normal file
2
programs/fuzz/fuzz_x509csr.options
Normal file
@ -0,0 +1,2 @@
|
||||
[libfuzzer]
|
||||
max_len = 65535
|
53
programs/fuzz/onefile.c
Normal file
53
programs/fuzz/onefile.c
Normal file
@ -0,0 +1,53 @@
|
||||
#include <stdint.h>
|
||||
#include <stdlib.h>
|
||||
#include <stdio.h>
|
||||
// Get platform-specific definition
|
||||
#include "mbedtls/config.h"
|
||||
|
||||
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
|
||||
|
||||
int main(int argc, char** argv)
|
||||
{
|
||||
FILE * fp;
|
||||
uint8_t *Data;
|
||||
size_t Size;
|
||||
|
||||
if (argc != 2) {
|
||||
return 1;
|
||||
}
|
||||
//opens the file, get its size, and reads it into a buffer
|
||||
fp = fopen(argv[1], "rb");
|
||||
if (fp == NULL) {
|
||||
return 2;
|
||||
}
|
||||
if (fseek(fp, 0L, SEEK_END) != 0) {
|
||||
fclose(fp);
|
||||
return 2;
|
||||
}
|
||||
Size = ftell(fp);
|
||||
if (Size == (size_t) -1) {
|
||||
fclose(fp);
|
||||
return 2;
|
||||
}
|
||||
if (fseek(fp, 0L, SEEK_SET) != 0) {
|
||||
fclose(fp);
|
||||
return 2;
|
||||
}
|
||||
Data = malloc(Size);
|
||||
if (Data == NULL) {
|
||||
fclose(fp);
|
||||
return 2;
|
||||
}
|
||||
if (fread(Data, Size, 1, fp) != 1) {
|
||||
free(Data);
|
||||
fclose(fp);
|
||||
return 2;
|
||||
}
|
||||
|
||||
//lauch fuzzer
|
||||
LLVMFuzzerTestOneInput(Data, Size);
|
||||
free(Data);
|
||||
fclose(fp);
|
||||
return 0;
|
||||
}
|
||||
|
@ -24,7 +24,8 @@
|
||||
# configurations, and can and will arbitrarily change the current CMake
|
||||
# configuration. The following files must be committed into git:
|
||||
# * include/mbedtls/config.h
|
||||
# * Makefile, library/Makefile, programs/Makefile, tests/Makefile
|
||||
# * Makefile, library/Makefile, programs/Makefile, tests/Makefile,
|
||||
# programs/fuzz/Makefile
|
||||
# After running this script, the CMake cache will be lost and CMake
|
||||
# will no longer be initialised.
|
||||
#
|
||||
@ -75,9 +76,9 @@
|
||||
# * Run `make clean`.
|
||||
# * Restore `include/mbedtks/config.h` from a backup made before running
|
||||
# the component.
|
||||
# * Check out `Makefile`, `library/Makefile`, `programs/Makefile` and
|
||||
# `tests/Makefile` from git. This cleans up after an in-tree use of
|
||||
# CMake.
|
||||
# * Check out `Makefile`, `library/Makefile`, `programs/Makefile`,
|
||||
# `tests/Makefile` and `programs/fuzz/Makefile` from git.
|
||||
# This cleans up after an in-tree use of CMake.
|
||||
#
|
||||
# Any command that is expected to fail must be protected so that the
|
||||
# script keeps running in --keep-going mode despite `set -e`. In keep-going
|
||||
@ -234,8 +235,8 @@ cleanup()
|
||||
-iname CMakeCache.txt \) -exec rm {} \+
|
||||
# Recover files overwritten by in-tree CMake builds
|
||||
rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile
|
||||
git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile
|
||||
git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile
|
||||
git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile
|
||||
git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile
|
||||
cd crypto
|
||||
rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile
|
||||
git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile
|
||||
@ -1035,7 +1036,7 @@ component_test_m32_o0 () {
|
||||
# Build once with -O0, to compile out the i386 specific inline assembly
|
||||
msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s
|
||||
scripts/config.pl full
|
||||
make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32'
|
||||
make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32 -fsanitize=address'
|
||||
|
||||
msg "test: i386, make, gcc -O0 (ASan build)"
|
||||
make test
|
||||
@ -1054,7 +1055,7 @@ component_test_m32_o1 () {
|
||||
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE
|
||||
scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||
scripts/config.pl unset MBEDTLS_MEMORY_DEBUG
|
||||
make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32'
|
||||
make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32 -fsanitize=address'
|
||||
|
||||
msg "test: i386, make, gcc -O1 (ASan build)"
|
||||
make test
|
||||
|
@ -64,6 +64,7 @@ echo
|
||||
|
||||
# Step 1 - Make and instrumented build for code coverage
|
||||
export CFLAGS=' --coverage -g3 -O0 '
|
||||
export LDFLAGS=' --coverage'
|
||||
make clean
|
||||
cp "$CONFIG_H" "$CONFIG_BAK"
|
||||
scripts/config.pl full
|
||||
|
Loading…
Reference in New Issue
Block a user