mbedtls/programs/fuzz
Paul Elliott 00738bf65e Ensure ctr_drbg is initialised every time
ctr_drbg is a local variable and thus needs initialisation every time
LLVMFuzzerTestOneInput() is called; the rest of the variables inside the
if(initialised) block are all static.

Add extra validation to attempt to catch this issue in future.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-02-10 18:38:53 +00:00
corpuses Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
.gitignore With make, build query_config.c only once 2021-01-05 21:06:05 +01:00
CMakeLists.txt Fix cmake build of fuzz_privkey 2021-06-17 09:41:01 +02:00
common.c Fix builds when config.h only defines MBEDTLS_BIGNUM_C 2021-12-06 17:50:53 +00:00
common.h Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_client.c Removes MBEDTLS_SSL_TRUNCATED_HMAC code from fuzz programs 2021-06-16 16:19:53 +01:00
fuzz_client.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_dtlsclient.c Add MBEDTLS_ALLOW_PRIVATE_ACCESS to test programs 2021-05-21 18:10:44 +02:00
fuzz_dtlsclient.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_dtlsserver.c Use the dedicated dummy_random in fuzzing programs 2021-06-17 09:38:38 +02:00
fuzz_dtlsserver.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_privkey.c Use the dedicated dummy_random in fuzzing programs 2021-06-17 09:38:38 +02:00
fuzz_privkey.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_pubkey.c Add MBEDTLS_ALLOW_PRIVATE_ACCESS to test programs 2021-05-21 18:10:44 +02:00
fuzz_pubkey.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_server.c Ensure ctr_drbg is initialised every time 2022-02-10 18:38:53 +00:00
fuzz_server.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_x509crl.c Add MBEDTLS_ALLOW_PRIVATE_ACCESS to test programs 2021-05-21 18:10:44 +02:00
fuzz_x509crl.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_x509crt.c Add MBEDTLS_ALLOW_PRIVATE_ACCESS to test programs 2021-05-21 18:10:44 +02:00
fuzz_x509crt.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
fuzz_x509csr.c Add MBEDTLS_ALLOW_PRIVATE_ACCESS to test programs 2021-05-21 18:10:44 +02:00
fuzz_x509csr.options Move fuzz directory to programs 2019-06-27 08:46:45 +02:00
Makefile Merge pull request #4393 from gilles-peskine-arm/generate-tests-python3-make-2.x 2021-05-18 13:30:36 +02:00
onefile.c Rename config.h to mbedtls_config.h 2021-06-28 09:28:33 +01:00
README.md Invoke config.py instead of config.pl 2019-09-13 11:04:23 +02:00

What is it?

This directory contains fuzz targets. Fuzz targets are small programs that exercise the library. They are used with a so-called fuzz driver, which generates inputs, feeds them to the fuzz target, and reports any unwanted behaviour (such as a buffer overflow) detected while processing them.

These targets were written to be used with oss-fuzz but can be used in other contexts.

This code was contributed by Philippe Antoine (Catena cyber).

How to run?

To run the fuzz targets the way oss-fuzz does:

git clone https://github.com/google/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image mbedtls
python infra/helper.py build_fuzzers --sanitizer address mbedtls
python infra/helper.py run_fuzzer mbedtls fuzz_client

You can use the undefined-behaviour sanitizer as well as the address sanitizer, and any of the fuzz targets can be run the same way as fuzz_client.

To run the fuzz targets without oss-fuzz, you first need to install a libFuzzingEngine (libFuzzer for instance). Then you need to compile the code with the compiler flags of the desired sanitizer.

python scripts/config.py set MBEDTLS_PLATFORM_TIME_ALT
mkdir build
cd build
cmake ..
make

Finally, you can run the targets from the build directory, for instance ./programs/fuzz/fuzz_client.

Corpus generation for network traffic targets

These targets use network traffic as inputs:

  • client : simulates a client against (fuzzed) server traffic
  • server : simulates a server against (fuzzed) client traffic
  • dtls_client
  • dtls_server

They also read the last bytes of the input as configuration options.

To generate a corpus for these targets, you can follow these (not fully automated) steps:

  • Build the mbedtls programs ssl_server2 and ssl_client2
  • Run them one against the other with the reproducible option turned on while capturing the traffic into test.pcap
  • Extract the TCP payloads, for instance with tshark: tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt
  • Run a small python script to output either the client or the server corpus file, like python dummy.py test.txt > test.cor
  • Finally, add the options by appending the trailing option bytes to the file test.cor

Here is an example of dummy.py for extracting the payload sent from client to server (if we used tcp.dstport in the tshark command):

import sys
import binascii

# Each line of the tshark output is "<tcp.dstport> <tcp.payload>"; the payload
# is hex, colon-separated in older tshark versions and plain in newer ones.
with open(sys.argv[1]) as f:
    for l in f:
        portAndPl = l.split()
        if len(portAndPl) == 2:
            # determine client or server based on port:
            # segments sent to port 4433 are client -> server traffic
            if portAndPl[0] == "4433":
                # write raw bytes so the corpus file holds the payload itself,
                # not a text representation of it
                sys.stdout.buffer.write(binascii.unhexlify(portAndPl[1].replace(":", "")))
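The steps above carried through in one script, as an added example that is not the project's dummy.py: it splits the tshark output into the client-to-server and server-to-client streams, accepts both colon-separated and plain hex payloads, skips payload-less or malformed lines, and appends the trailing option bytes. Port 4433 is the value dummy.py keys on; the OPTIONS value is a placeholder, since the option byte layout is target-specific and not described on this page.

```python
import binascii
import sys

# Port ssl_server2 listens on in the capture (the value dummy.py keys on).
SERVER_PORT = "4433"


def split_corpus(tshark_lines, server_port=SERVER_PORT):
    """Split 'dstport payload' lines (tshark -e tcp.dstport -e tcp.payload)
    into the two byte streams the targets consume: segments sent *to* the
    server port are client traffic (input for fuzz_server), everything else
    is server traffic (input for fuzz_client)."""
    to_server, to_client = bytearray(), bytearray()
    for line in tshark_lines:
        fields = line.split()
        if len(fields) != 2:
            continue  # e.g. pure ACK segments carry no tcp.payload field
        port, payload = fields
        try:
            data = binascii.unhexlify(payload.replace(":", ""))
        except (binascii.Error, ValueError):
            continue  # malformed hex: drop the line rather than corrupt the corpus
        (to_server if port == server_port else to_client).extend(data)
    return bytes(to_server), bytes(to_client)


def make_corpus_file(stream, options):
    """Append the target's configuration bytes. The targets read them from
    the end of the input, so they must be the final bytes of the file."""
    return stream + options


# Constructed sample lines in the tshark -Tfields layout.
SAMPLE = [
    "4433\t16:03:01",   # client -> server, colon-separated hex (older tshark)
    "52001\t160303",    # server -> client, plain hex (newer tshark)
    "4433",             # ACK without payload, skipped
    "4433\t0102zz",     # garbage hex, skipped
]

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE
    client_side, server_side = split_corpus(lines)
    OPTIONS = b"\x00\x00"  # placeholder: real option bytes depend on the target
    sys.stdout.buffer.write(make_corpus_file(client_side, OPTIONS))
```

Run as python make_corpus.py test.txt > test.cor to produce the fuzz_server corpus; write server_side instead for the fuzz_client one.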