• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 #include "mbedtls/ssl.h"
2 #include "mbedtls/entropy.h"
3 #include "mbedtls/ctr_drbg.h"
4 #include "mbedtls/certs.h"
5 #include "mbedtls/ssl_ticket.h"
6 #include "common.h"
7 #include <string.h>
8 #include <stdlib.h>
9 #include <stdint.h>
10 
11 
12 #if defined(MBEDTLS_SSL_SRV_C) && \
13     defined(MBEDTLS_ENTROPY_C) && \
14     defined(MBEDTLS_CTR_DRBG_C)
15 const char *pers = "fuzz_server";
16 static int initialized = 0;
17 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
18 static mbedtls_x509_crt srvcert;
19 static mbedtls_pk_context pkey;
20 #endif
21 const char *alpn_list[3];
22 
23 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
24 const unsigned char psk[] = {
25     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
26     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
27 };
28 const char psk_id[] = "Client_identity";
29 #endif
30 #endif // MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C
31 
32 
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)33 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
34 {
35 #if defined(MBEDTLS_SSL_SRV_C) && \
36     defined(MBEDTLS_ENTROPY_C) && \
37     defined(MBEDTLS_CTR_DRBG_C)
38     int ret;
39     size_t len;
40     mbedtls_ssl_context ssl;
41     mbedtls_ssl_config conf;
42     mbedtls_ctr_drbg_context ctr_drbg;
43     mbedtls_entropy_context entropy;
44 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
45     mbedtls_ssl_ticket_context ticket_ctx;
46 #endif
47     unsigned char buf[4096];
48     fuzzBufferOffset_t biomemfuzz;
49     uint8_t options;
50 
51     //we take 1 byte as options input
52     if (Size < 1) {
53         return 0;
54     }
55     options = Data[Size - 1];
56 
57     if (initialized == 0) {
58 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) && \
59         defined(MBEDTLS_CERTS_C)
60         mbedtls_x509_crt_init(&srvcert);
61         mbedtls_pk_init(&pkey);
62         if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
63                                    mbedtls_test_srv_crt_len) != 0) {
64             return 1;
65         }
66         if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
67                                    mbedtls_test_cas_pem_len) != 0) {
68             return 1;
69         }
70         if (mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
71                                  mbedtls_test_srv_key_len, NULL, 0) != 0) {
72             return 1;
73         }
74 #endif
75 
76         alpn_list[0] = "HTTP";
77         alpn_list[1] = "fuzzalpn";
78         alpn_list[2] = NULL;
79 
80         dummy_init();
81 
82         initialized = 1;
83     }
84     mbedtls_ssl_init(&ssl);
85     mbedtls_ssl_config_init(&conf);
86     mbedtls_ctr_drbg_init(&ctr_drbg);
87     mbedtls_entropy_init(&entropy);
88 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
89     mbedtls_ssl_ticket_init(&ticket_ctx);
90 #endif
91 
92 #if defined(MBEDTLS_USE_PSA_CRYPTO)
93     psa_status_t status = psa_crypto_init();
94     if (status != PSA_SUCCESS) {
95         goto exit;
96     }
97 #endif /* MBEDTLS_USE_PSA_CRYPTO */
98 
99     if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
100                               (const unsigned char *) pers, strlen(pers)) != 0) {
101         goto exit;
102     }
103 
104 
105     if (mbedtls_ssl_config_defaults(&conf,
106                                     MBEDTLS_SSL_IS_SERVER,
107                                     MBEDTLS_SSL_TRANSPORT_STREAM,
108                                     MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
109         goto exit;
110     }
111 
112     srand(1);
113     mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
114 
115 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
116     mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
117     if (mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey) != 0) {
118         goto exit;
119     }
120 #endif
121 
122     mbedtls_ssl_conf_cert_req_ca_list(&conf,
123                                       (options &
124                                        0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED);
125 #if defined(MBEDTLS_SSL_ALPN)
126     if (options & 0x2) {
127         mbedtls_ssl_conf_alpn_protocols(&conf, alpn_list);
128     }
129 #endif
130 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
131     if (options & 0x4) {
132         if (mbedtls_ssl_ticket_setup(&ticket_ctx,
133                                      dummy_random, &ctr_drbg,
134                                      MBEDTLS_CIPHER_AES_256_GCM,
135                                      86400) != 0) {
136             goto exit;
137         }
138 
139         mbedtls_ssl_conf_session_tickets_cb(&conf,
140                                             mbedtls_ssl_ticket_write,
141                                             mbedtls_ssl_ticket_parse,
142                                             &ticket_ctx);
143     }
144 #endif
145 #if defined(MBEDTLS_SSL_TRUNCATED_HMAC)
146     mbedtls_ssl_conf_truncated_hmac(&conf,
147                                     (options &
148                                      0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED);
149 #endif
150 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
151     mbedtls_ssl_conf_extended_master_secret(&conf,
152                                             (options &
153                                              0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
154 #endif
155 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
156     mbedtls_ssl_conf_encrypt_then_mac(&conf,
157                                       (options &
158                                        0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
159 #endif
160 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
161     if (options & 0x40) {
162         mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk),
163                              (const unsigned char *) psk_id, sizeof(psk_id) - 1);
164     }
165 #endif
166 #if defined(MBEDTLS_SSL_RENEGOTIATION)
167     mbedtls_ssl_conf_renegotiation(&conf,
168                                    (options &
169                                     0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED);
170 #endif
171 
172     if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
173         goto exit;
174     }
175 
176     biomemfuzz.Data = Data;
177     biomemfuzz.Size = Size-1;
178     biomemfuzz.Offset = 0;
179     mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL);
180 
181     mbedtls_ssl_session_reset(&ssl);
182     ret = mbedtls_ssl_handshake(&ssl);
183     if (ret == 0) {
184         //keep reading data from server until the end
185         do {
186             len = sizeof(buf) - 1;
187             ret = mbedtls_ssl_read(&ssl, buf, len);
188 
189             if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
190                 continue;
191             } else if (ret <= 0) {
192                 //EOF or error
193                 break;
194             }
195         } while (1);
196     }
197 
198 exit:
199 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
200     mbedtls_ssl_ticket_free(&ticket_ctx);
201 #endif
202     mbedtls_entropy_free(&entropy);
203     mbedtls_ctr_drbg_free(&ctr_drbg);
204     mbedtls_ssl_config_free(&conf);
205 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
206     mbedtls_x509_crt_free(&srvcert);
207     mbedtls_pk_free(&pkey);
208 #endif
209     mbedtls_ssl_free(&ssl);
210 #if defined(MBEDTLS_USE_PSA_CRYPTO)
211     mbedtls_psa_crypto_free();
212 #endif
213 #else
214     (void) Data;
215     (void) Size;
216 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
217 
218     return 0;
219 }
220