AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Fuzz testing

Browse Source 
Fuzz targets are x509 crt csr and crl parsing
as well as private and public key parsing
and client and server communication

Fuzz targets for DTLS
Simple corpus with valid DTLS connection
Deterministic behavior for fuzzing, ie no timestamps
This commit is contained in:
Philippe Antoine 2018-05-03 16:40:24 +02:00
parent 66b7edb108
commit 7233352432
25 changed files with 1156 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
tests/CMakeLists.txt
View File

@ -77,3 +77,5 @@ if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
link_to_source(scripts)
link_to_source(ssl-opt.sh)
endif()
add_subdirectory(fuzz)

38
tests/fuzz/CMakeLists.txt Normal file
View File

@ -0,0 +1,38 @@
set(libs
mbedtls
)
if(USE_PKCS11_HELPER_LIBRARY)
set(libs ${libs} pkcs11-helper)
endif(USE_PKCS11_HELPER_LIBRARY)
if(ENABLE_ZLIB_SUPPORT)
set(libs ${libs} ${ZLIB_LIBRARIES})
endif(ENABLE_ZLIB_SUPPORT)
add_executable(fuzz_x509csr fuzz_x509csr.c onefile.c)
target_link_libraries(fuzz_x509csr ${libs})
add_executable(fuzz_x509crl fuzz_x509crl.c onefile.c)
target_link_libraries(fuzz_x509crl ${libs})
add_executable(fuzz_x509crt fuzz_x509crt.c onefile.c)
target_link_libraries(fuzz_x509crt ${libs})
add_executable(fuzz_privkey fuzz_privkey.c onefile.c)
target_link_libraries(fuzz_privkey ${libs})
add_executable(fuzz_pubkey fuzz_pubkey.c onefile.c)
target_link_libraries(fuzz_pubkey ${libs})
add_executable(fuzz_client fuzz_client.c onefile.c)
target_link_libraries(fuzz_client ${libs})
add_executable(fuzz_server fuzz_server.c onefile.c)
target_link_libraries(fuzz_server ${libs})
add_executable(fuzz_dtlsclient fuzz_dtlsclient.c onefile.c)
target_link_libraries(fuzz_dtlsclient ${libs})
add_executable(fuzz_dtlsserver fuzz_dtlsserver.c onefile.c)
target_link_libraries(fuzz_dtlsserver ${libs})

BIN
tests/fuzz/corpuses/client Normal file
View File

Binary file not shown.

BIN
tests/fuzz/corpuses/dtlsclient Normal file
View File

Binary file not shown.

BIN
tests/fuzz/corpuses/dtlsserver Normal file
View File

Binary file not shown.

BIN
tests/fuzz/corpuses/server Normal file
View File

Binary file not shown.

227
tests/fuzz/fuzz_client.c Normal file
View File

@ -0,0 +1,227 @@
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
static bool initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
static mbedtls_x509_crt cacert;
#endif
const char *alpn_list[3];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
const unsigned char psk[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
const char psk_id[] = "Client_identity";
#endif
const char *pers = "fuzz_client";
typedef struct fuzzBufferOffset
{
const uint8_t *Data;
size_t Size;
size_t Offset;
} fuzzBufferOffset_t;
static int dummy_send( void *ctx, const unsigned char *buf, size_t len )
{
//silence warning about unused parameter
(void) ctx;
(void) buf;
//pretends we wrote everything ok
return( len );
}
static int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
{
//reads from the buffer from fuzzer
fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
if (biomemfuzz->Offset == biomemfuzz->Size) {
//EOF
return (0);
}
if (len + biomemfuzz->Offset > biomemfuzz->Size) {
//do not overflow
len = biomemfuzz->Size - biomemfuzz->Offset;
}
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
biomemfuzz->Offset += len;
return( len );
}
static int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
{
int ret;
size_t i;
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
for (i=0; i<output_len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
static int dummy_entropy( void *data, unsigned char *output, size_t len )
{
int ret;
size_t i;
//use mbedtls_entropy_func to find bugs in it
ret = mbedtls_entropy_func(data, output, len);
for (i=0; i<len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
uint16_t options;
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &cacert );
if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len ) != 0)
return 1;
#endif
alpn_list[0] = "HTTP";
alpn_list[1] = "fuzzalpn";
alpn_list[2] = NULL;
initialized = 1;
}
//we take 1 byte as options input
if (Size < 2) {
return 0;
}
options = (Data[Size - 2] << 8) | Data[Size - 1];
//Avoid warnings if compile options imply no options
(void) options;
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen( pers ) ) != 0 )
goto exit;
if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
goto exit;
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if (options & 2) {
mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
(const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
}
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if (options & 4) {
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
} else
#endif
{
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
}
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
#endif
#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING)
mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED );
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED );
#endif
#if defined(MBEDTLS_SSL_ALPN)
if (options & 0x200) {
mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
}
#endif
//There may be other options to add :
// mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
srandom(1);
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
goto exit;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if ((options & 1) == 0) {
if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
goto exit;
}
#endif
biomemfuzz.Data = Data;
biomemfuzz.Size = Size-2;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
ret = mbedtls_ssl_handshake( &ssl );
if( ret == 0 )
{
//keep reading data from server until the end
do
{
len = sizeof( buf ) - 1;
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
continue;
else if( ret <= 0 )
//EOF or error
break;
}
while( 1 );
}
exit:
mbedtls_entropy_free( &entropy );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_free( &ssl );
return 0;
}

2
tests/fuzz/fuzz_client.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

185
tests/fuzz/fuzz_dtlsclient.c Normal file
View File

@ -0,0 +1,185 @@
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
#include "mbedtls/ssl.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/timing.h"
static bool initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
static mbedtls_x509_crt cacert;
#endif
const char *pers = "fuzz_dtlsclient";
typedef struct fuzzBufferOffset
{
const uint8_t *Data;
size_t Size;
size_t Offset;
} fuzzBufferOffset_t;
static int dummy_send( void *ctx, const unsigned char *buf, size_t len )
{
//silence warning about unused parameter
(void) ctx;
(void) buf;
//pretends we wrote everything ok
return( len );
}
static int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
{
//reads from the buffer from fuzzer
fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
if (biomemfuzz->Offset == biomemfuzz->Size) {
//EOF
return (0);
}
if (len + biomemfuzz->Offset > biomemfuzz->Size) {
//do not overflow
len = biomemfuzz->Size - biomemfuzz->Offset;
}
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
biomemfuzz->Offset += len;
return( len );
}
static int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len,
uint32_t timeout )
{
(void) timeout;
return fuzz_recv(ctx, buf, len);
}
static int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
{
int ret;
size_t i;
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
for (i=0; i<output_len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
static int dummy_entropy( void *data, unsigned char *output, size_t len )
{
int ret;
size_t i;
//use mbedtls_entropy_func to find bugs in it
ret = mbedtls_entropy_func(data, output, len);
for (i=0; i<len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
#endif
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#if defined(MBEDTLS_SSL_PROTO_DTLS)
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_timing_delay_context timer;
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &cacert );
if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len ) != 0)
return 1;
#endif
initialized = 1;
}
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
srandom(1);
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen( pers ) ) != 0 )
goto exit;
if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_CLIENT,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
goto exit;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
#endif
mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
goto exit;
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
goto exit;
#endif
biomemfuzz.Data = Data;
biomemfuzz.Size = Size;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
ret = mbedtls_ssl_handshake( &ssl );
if( ret == 0 )
{
//keep reading data from server until the end
do
{
len = sizeof( buf ) - 1;
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
continue;
else if( ret <= 0 )
//EOF or error
break;
}
while( 1 );
}
exit:
mbedtls_entropy_free( &entropy );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_free( &ssl );
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
tests/fuzz/fuzz_dtlsclient.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

209
tests/fuzz/fuzz_dtlsserver.c Normal file
View File

@ -0,0 +1,209 @@
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
#include "mbedtls/ssl.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/timing.h"
#include "mbedtls/ssl_cookie.h"
const char *pers = "fuzz_dtlsserver";
const unsigned char client_ip[4] = {0x7F, 0, 0, 1};
static bool initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
static mbedtls_x509_crt srvcert;
static mbedtls_pk_context pkey;
#endif
typedef struct fuzzBufferOffset
{
const uint8_t *Data;
size_t Size;
size_t Offset;
} fuzzBufferOffset_t;
static int dummy_send( void *ctx, const unsigned char *buf, size_t len )
{
//silence warning about unused parameter
(void) ctx;
(void) buf;
//pretends we wrote everything ok
return( len );
}
static int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
{
//reads from the buffer from fuzzer
fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
if (biomemfuzz->Offset == biomemfuzz->Size) {
//EOF
return (0);
}
if (len + biomemfuzz->Offset > biomemfuzz->Size) {
//do not overflow
len = biomemfuzz->Size - biomemfuzz->Offset;
}
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
biomemfuzz->Offset += len;
return( len );
}
static int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len,
uint32_t timeout )
{
(void) timeout;
return fuzz_recv(ctx, buf, len);
}
static int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
{
int ret;
size_t i;
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
for (i=0; i<output_len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
static int dummy_entropy( void *data, unsigned char *output, size_t len )
{
int ret;
size_t i;
//use mbedtls_entropy_func to find bugs in it
ret = mbedtls_entropy_func(data, output, len);
for (i=0; i<len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
#endif
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#if defined(MBEDTLS_SSL_PROTO_DTLS)
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
mbedtls_timing_delay_context timer;
mbedtls_ssl_cookie_ctx cookie_ctx;
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &srvcert );
mbedtls_pk_init( &pkey );
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len ) != 0)
return 1;
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len ) != 0)
return 1;
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 ) != 0)
return 1;
#endif
initialized = 1;
}
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
mbedtls_ssl_cookie_init( &cookie_ctx );
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen( pers ) ) != 0 )
goto exit;
if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
goto exit;
srandom(1);
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
goto exit;
#endif
if( mbedtls_ssl_cookie_setup( &cookie_ctx, dummy_random, &ctr_drbg ) != 0 )
goto exit;
mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx );
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
goto exit;
mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay,
mbedtls_timing_get_delay );
biomemfuzz.Data = Data;
biomemfuzz.Size = Size;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 )
goto exit;
ret = mbedtls_ssl_handshake( &ssl );
if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
biomemfuzz.Offset = ssl.next_record_offset;
mbedtls_ssl_session_reset( &ssl );
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout );
if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 )
goto exit;
ret = mbedtls_ssl_handshake( &ssl );
if( ret == 0 )
{
//keep reading data from server until the end
do
{
len = sizeof( buf ) - 1;
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
continue;
else if( ret <= 0 )
//EOF or error
break;
}
while( 1 );
}
}
exit:
mbedtls_ssl_cookie_free( &cookie_ctx );
mbedtls_entropy_free( &entropy );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_free( &ssl );
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
tests/fuzz/fuzz_dtlsserver.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

64
tests/fuzz/fuzz_privkey.c Normal file
View File

@ -0,0 +1,64 @@
#include <stdint.h>
#include "mbedtls/pk.h"
//4 Kb should be enough for every bug ;-)
#define MAX_LEN 0x1000
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef MBEDTLS_PK_PARSE_C
int ret;
mbedtls_pk_context pk;
if (Size > MAX_LEN) {
//only work on small inputs
Size = MAX_LEN;
}
mbedtls_pk_init( &pk );
ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0 );
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
{
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
mbedtls_rsa_context *rsa;
mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q );
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
rsa = mbedtls_pk_rsa( pk );
mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP );
}
else
#endif
#if defined(MBEDTLS_ECP_C)
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
{
mbedtls_ecp_keypair *ecp;
ecp = mbedtls_pk_ec( pk );
if (ecp) {
ret = 0;
}
}
else
#endif
{
ret = 0;
}
}
mbedtls_pk_free( &pk );
#else
(void) Data;
(void) Size;
#endif //MBEDTLS_PK_PARSE_C
return 0;
}

2
tests/fuzz/fuzz_privkey.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

57
tests/fuzz/fuzz_pubkey.c Normal file
View File

@ -0,0 +1,57 @@
#include <stdint.h>
#include "mbedtls/pk.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef MBEDTLS_PK_PARSE_C
int ret;
mbedtls_pk_context pk;
mbedtls_pk_init( &pk );
ret = mbedtls_pk_parse_public_key( &pk, Data, Size );
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
{
mbedtls_mpi N, P, Q, D, E, DP, DQ, QP;
mbedtls_rsa_context *rsa;
mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q );
mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP );
mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP );
rsa = mbedtls_pk_rsa( pk );
ret = mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E );
ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP );
mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q );
mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP );
mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP );
}
else
#endif
#if defined(MBEDTLS_ECP_C)
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY )
{
mbedtls_ecp_keypair *ecp;
ecp = mbedtls_pk_ec( pk );
//dummy use of value
if (ecp) {
ret = 0;
}
}
else
#endif
{
ret = 0;
}
}
mbedtls_pk_free( &pk );
#else
(void) Data;
(void) Size;
#endif //MBEDTLS_PK_PARSE_C
return 0;
}

2
tests/fuzz/fuzz_pubkey.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

240
tests/fuzz/fuzz_server.c Normal file
View File

@ -0,0 +1,240 @@
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/certs.h"
#include "mbedtls/ssl_ticket.h"
#include <string.h>
#include <stdlib.h>
#include <stdbool.h>
#include <stdint.h>
const char *pers = "fuzz_server";
static bool initialized = 0;
#if defined(MBEDTLS_X509_CRT_PARSE_C)
static mbedtls_x509_crt srvcert;
static mbedtls_pk_context pkey;
#endif
const char *alpn_list[3];
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
const unsigned char psk[] = {
0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
};
const char psk_id[] = "Client_identity";
#endif
typedef struct fuzzBufferOffset
{
const uint8_t *Data;
size_t Size;
size_t Offset;
} fuzzBufferOffset_t;
static int dummy_send( void *ctx, const unsigned char *buf, size_t len )
{
//silence warning about unused parameter
(void) ctx;
(void) buf;
//pretends we wrote everything ok
return( len );
}
static int fuzz_recv( void *ctx, unsigned char *buf, size_t len )
{
//reads from the buffer from fuzzer
fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx;
if (biomemfuzz->Offset == biomemfuzz->Size) {
//EOF
return (0);
}
if (len + biomemfuzz->Offset > biomemfuzz->Size) {
//do not overflow
len = biomemfuzz->Size - biomemfuzz->Offset;
}
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
biomemfuzz->Offset += len;
return( len );
}
static int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
{
int ret;
size_t i;
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
for (i=0; i<output_len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
static int dummy_entropy( void *data, unsigned char *output, size_t len )
{
int ret;
size_t i;
//use mbedtls_entropy_func to find bugs in it
ret = mbedtls_entropy_func(data, output, len);
for (i=0; i<len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) random();
}
return( ret );
}
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
int ret;
size_t len;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_context ticket_ctx;
#endif
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
uint8_t options;
//we take 1 byte as options input
if (Size < 1) {
return 0;
}
options = Data[Size - 1];
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_x509_crt_init( &srvcert );
mbedtls_pk_init( &pkey );
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt,
mbedtls_test_srv_crt_len ) != 0)
return 1;
if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem,
mbedtls_test_cas_pem_len ) != 0)
return 1;
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0 ) != 0)
return 1;
#endif
alpn_list[0] = "HTTP";
alpn_list[1] = "fuzzalpn";
alpn_list[2] = NULL;
initialized = 1;
}
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_init( &ticket_ctx );
#endif
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen( pers ) ) != 0 )
goto exit;
if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_STREAM,
MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
goto exit;
srandom(1);
mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
#if defined(MBEDTLS_X509_CRT_PARSE_C)
mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL );
if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 )
goto exit;
#endif
mbedtls_ssl_conf_cert_req_ca_list( &conf, (options & 0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED );
#if defined(MBEDTLS_SSL_ALPN)
if (options & 0x2) {
mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
}
#endif
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
if( options & 0x4 )
{
if( mbedtls_ssl_ticket_setup( &ticket_ctx,
dummy_random, &ctr_drbg,
MBEDTLS_CIPHER_AES_256_GCM,
86400 ) != 0 )
goto exit;
mbedtls_ssl_conf_session_tickets_cb( &conf,
mbedtls_ssl_ticket_write,
mbedtls_ssl_ticket_parse,
&ticket_ctx );
}
#endif
#if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
#endif
#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
#endif
#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
#endif
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
if (options & 0x40) {
mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
(const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
}
#endif
#if defined(MBEDTLS_SSL_RENEGOTIATION)
mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
#endif
if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
goto exit;
biomemfuzz.Data = Data;
biomemfuzz.Size = Size-1;
biomemfuzz.Offset = 0;
mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
mbedtls_ssl_session_reset( &ssl );
ret = mbedtls_ssl_handshake( &ssl );
if( ret == 0 )
{
//keep reading data from server until the end
do
{
len = sizeof( buf ) - 1;
ret = mbedtls_ssl_read( &ssl, buf, len );
if( ret == MBEDTLS_ERR_SSL_WANT_READ )
continue;
else if( ret <= 0 )
//EOF or error
break;
}
while( 1 );
}
exit:
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
mbedtls_ssl_ticket_free( &ticket_ctx );
#endif
mbedtls_entropy_free( &entropy );
mbedtls_ctr_drbg_free( &ctr_drbg );
mbedtls_ssl_config_free( &conf );
mbedtls_ssl_free( &ssl );
return 0;
}

2
tests/fuzz/fuzz_server.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 1048575

22
tests/fuzz/fuzz_x509crl.c Normal file
View File

@ -0,0 +1,22 @@
#include <stdint.h>
#include "mbedtls/x509_crl.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef MBEDTLS_X509_CRL_PARSE_C
int ret;
mbedtls_x509_crl crl;
unsigned char buf[4096];
mbedtls_x509_crl_init( &crl );
ret = mbedtls_x509_crl_parse( &crl, Data, Size );
if (ret == 0) {
ret = mbedtls_x509_crl_info( (char *) buf, sizeof( buf ) - 1, " ", &crl );
}
mbedtls_x509_crl_free( &crl );
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
tests/fuzz/fuzz_x509crl.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

22
tests/fuzz/fuzz_x509crt.c Normal file
View File

@ -0,0 +1,22 @@
#include <stdint.h>
#include "mbedtls/x509_crt.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef MBEDTLS_X509_CRT_PARSE_C
int ret;
mbedtls_x509_crt crt;
unsigned char buf[4096];
mbedtls_x509_crt_init( &crt );
ret = mbedtls_x509_crt_parse( &crt, Data, Size );
if (ret == 0) {
ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", &crt );
}
mbedtls_x509_crt_free( &crt );
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
tests/fuzz/fuzz_x509crt.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

22
tests/fuzz/fuzz_x509csr.c Normal file
View File

@ -0,0 +1,22 @@
#include <stdint.h>
#include "mbedtls/x509_csr.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef MBEDTLS_X509_CSR_PARSE_C
int ret;
mbedtls_x509_csr csr;
unsigned char buf[4096];
mbedtls_x509_csr_init( &csr );
ret = mbedtls_x509_csr_parse( &csr, Data, Size );
if (ret == 0) {
ret = mbedtls_x509_csr_info( (char *) buf, sizeof( buf ) - 1, " ", &csr );
}
mbedtls_x509_csr_free( &csr );
#else
(void) Data;
(void) Size;
#endif
return 0;
}

2
tests/fuzz/fuzz_x509csr.options Normal file
View File

@ -0,0 +1,2 @@
[libfuzzer]
max_len = 65535

50
tests/fuzz/onefile.c Normal file
View File

@ -0,0 +1,50 @@
#include <stdint.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);
int main(int argc, char** argv)
{
FILE * fp;
uint8_t *Data;
size_t Size;
if (argc != 2) {
return 1;
}
//opens the file, get its size, and reads it into a buffer
fp = fopen(argv[1], "rb");
if (fp == NULL) {
return 2;
}
if (fseek(fp, 0L, SEEK_END) != 0) {
fclose(fp);
return 2;
}
Size = ftell(fp);
if (Size == (size_t) -1) {
fclose(fp);
return 2;
}
if (fseek(fp, 0L, SEEK_SET) != 0) {
fclose(fp);
return 2;
}
Data = malloc(Size);
if (Data == NULL) {
fclose(fp);
return 2;
}
if (fread(Data, Size, 1, fp) != 1) {
fclose(fp);
return 2;
}
//lauch fuzzer
LLVMFuzzerTestOneInput(Data, Size);
fclose(fp);
return 0;
}