diff --git a/ChangeLog b/ChangeLog index 20491edcb..37373a23c 100644 --- a/ChangeLog +++ b/ChangeLog @@ -128,6 +128,8 @@ Changes * Add `reproducible` option to `ssl_client2` and `ssl_server2` to enable test runs without variability. Contributed by Philippe Antoine (Catena cyber) in #2681. + * Adds fuzz targets, especially for continuous fuzzing with OSS-Fuzz. + Contributed by Philippe Antoine (Catena cyber). = mbed TLS 2.17.0 branch released 2019-03-19 diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index cd3be09e0..6983d60e8 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -32,6 +32,7 @@ #include "x509.h" #include "x509_crl.h" +#include "bignum.h" /** * \addtogroup x509_module diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index 4cdae7821..2af4d119a 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -6,3 +6,6 @@ add_subdirectory(ssl) add_subdirectory(test) add_subdirectory(x509) add_subdirectory(util) +if (NOT WIN32) + add_subdirectory(fuzz) +endif() diff --git a/programs/Makefile b/programs/Makefile index 4c05d915a..857be7837 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -90,9 +90,18 @@ endif .SILENT: -.PHONY: all clean list +.PHONY: all clean list fuzz all: $(APPS) +ifndef WINDOWS +# APPS doesn't include the fuzzing programs, which aren't "normal" +# sample or test programs, and don't build with MSVC which is +# warning about fopen +all: fuzz +endif + +fuzz: + $(MAKE) -C fuzz $(DEP): $(MAKE) -C ../library @@ -305,6 +314,7 @@ ifndef WINDOWS else del /S /Q /F *.o *.exe endif + $(MAKE) -C fuzz clean list: echo $(APPS) diff --git a/programs/fuzz/.gitignore b/programs/fuzz/.gitignore new file mode 100644 index 000000000..6fcc004b7 --- /dev/null +++ b/programs/fuzz/.gitignore @@ -0,0 +1,10 @@ +*.o +fuzz_client +fuzz_dtlsclient +fuzz_dtlsserver +fuzz_privkey +fuzz_pubkey +fuzz_server +fuzz_x509crl +fuzz_x509crt +fuzz_x509csr diff --git a/programs/fuzz/CMakeLists.txt b/programs/fuzz/CMakeLists.txt new file mode 100644 index 000000000..17ec3f64c --- /dev/null +++ b/programs/fuzz/CMakeLists.txt @@ -0,0 +1,80 @@ +set(libs + mbedtls +) + +if(USE_PKCS11_HELPER_LIBRARY) + set(libs ${libs} pkcs11-helper) +endif(USE_PKCS11_HELPER_LIBRARY) + +if(ENABLE_ZLIB_SUPPORT) + set(libs ${libs} ${ZLIB_LIBRARIES}) +endif(ENABLE_ZLIB_SUPPORT) + +find_library(FUZZINGENGINE_LIB FuzzingEngine) + +if(NOT FUZZINGENGINE_LIB) + add_executable(fuzz_x509csr fuzz_x509csr.c onefile.c) + target_link_libraries(fuzz_x509csr ${libs}) + + add_executable(fuzz_x509crl fuzz_x509crl.c onefile.c) + target_link_libraries(fuzz_x509crl ${libs}) + + add_executable(fuzz_x509crt fuzz_x509crt.c onefile.c) + target_link_libraries(fuzz_x509crt ${libs}) + + add_executable(fuzz_privkey fuzz_privkey.c onefile.c) + target_link_libraries(fuzz_privkey ${libs}) + + add_executable(fuzz_pubkey fuzz_pubkey.c onefile.c) + target_link_libraries(fuzz_pubkey ${libs}) + + add_executable(fuzz_client fuzz_client.c common.c onefile.c) + target_link_libraries(fuzz_client ${libs}) + + add_executable(fuzz_server fuzz_server.c common.c onefile.c) + target_link_libraries(fuzz_server ${libs}) + + add_executable(fuzz_dtlsclient fuzz_dtlsclient.c common.c onefile.c) + target_link_libraries(fuzz_dtlsclient ${libs}) + + add_executable(fuzz_dtlsserver fuzz_dtlsserver.c common.c onefile.c) + target_link_libraries(fuzz_dtlsserver ${libs}) +else() + project(fuzz CXX) + + add_executable(fuzz_x509csr fuzz_x509csr.c) + target_link_libraries(fuzz_x509csr ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_x509csr PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_x509crl fuzz_x509crl.c) + target_link_libraries(fuzz_x509crl ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_x509crl PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_x509crt fuzz_x509crt.c) + target_link_libraries(fuzz_x509crt ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_x509crt PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_privkey fuzz_privkey.c) + target_link_libraries(fuzz_privkey ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_privkey PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_pubkey fuzz_pubkey.c) + target_link_libraries(fuzz_pubkey ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_pubkey PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_client fuzz_client.c common.c) + target_link_libraries(fuzz_client ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_client PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_server fuzz_server.c common.c) + target_link_libraries(fuzz_server ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_server PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_dtlsclient fuzz_dtlsclient.c common.c) + target_link_libraries(fuzz_dtlsclient ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_dtlsclient PROPERTIES LINKER_LANGUAGE CXX) + + add_executable(fuzz_dtlsserver fuzz_dtlsserver.c common.c) + target_link_libraries(fuzz_dtlsserver ${libs} FuzzingEngine) + SET_TARGET_PROPERTIES(fuzz_dtlsserver PROPERTIES LINKER_LANGUAGE CXX) +endif() diff --git a/programs/fuzz/Makefile b/programs/fuzz/Makefile new file mode 100644 index 000000000..f2195d129 --- /dev/null +++ b/programs/fuzz/Makefile @@ -0,0 +1,72 @@ + +LOCAL_CFLAGS = -I../../include -D_FILE_OFFSET_BITS=64 +LOCAL_LDFLAGS = -L../../library \ + -lmbedtls$(SHARED_SUFFIX) \ + -lmbedx509$(SHARED_SUFFIX) \ + -lmbedcrypto$(SHARED_SUFFIX) + +LOCAL_LDFLAGS += -L../../crypto/library +LOCAL_CFLAGS += -I../../crypto/include +CRYPTO := ../../crypto/library/ + +ifndef SHARED +DEP=$(CRYPTO)libmbedcrypto.a ../../library/libmbedx509.a ../../library/libmbedtls.a +else +DEP=$(CRYPTO)libmbedcrypto.$(DLEXT) ../../library/libmbedx509.$(DLEXT) ../../library/libmbedtls.$(DLEXT) +endif + + +DLEXT ?= so +EXEXT= +SHARED_SUFFIX= +# python2 for POSIX since FreeBSD has only python2 as default. +PYTHON ?= python2 + +# Zlib shared library extensions: +ifdef ZLIB +LOCAL_LDFLAGS += -lz +endif + +ifdef FUZZINGENGINE +LOCAL_LDFLAGS += -lFuzzingEngine +endif + +# A test application is built for each suites/test_suite_*.data file. +# Application name is same as .data file's base name and can be +# constructed by stripping path 'suites/' and extension .data. +APPS = $(basename $(wildcard fuzz_*.c)) + +# Construct executable name by adding OS specific suffix $(EXEXT). +BINARIES := $(addsuffix $(EXEXT),$(APPS)) + +.SILENT: + +.PHONY: all check test clean + +all: $(BINARIES) + +$(DEP): + $(MAKE) -C ../../library + +C_FILES := $(addsuffix .c,$(APPS)) + +%.o: %.c + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -c $< -o $@ + + +ifdef FUZZINGENGINE +$(BINARIES): %$(EXEXT): %.o common.o $(DEP) + echo " $(CC) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + $(CXX) common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +else +$(BINARIES): %$(EXEXT): %.o common.o onefile.o $(DEP) + echo " $(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@" + $(CC) common.o onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ +endif + +clean: +ifndef WINDOWS + rm -rf $(BINARIES) *.o +else + del /Q /F *.o *.exe +endif diff --git a/programs/fuzz/README.md b/programs/fuzz/README.md new file mode 100644 index 000000000..8b24908f9 --- /dev/null +++ b/programs/fuzz/README.md @@ -0,0 +1,68 @@ +What is it? +------ + +This directory contains fuzz targets. +Fuzz targets are simple codes using the library. +They are used with a so-called fuzz driver, which will generate inputs, try to process them with the fuzz target, and alert in case of an unwanted behavior (such as a buffer overflow for instance). + +These targets were meant to be used with oss-fuzz but can be used in other contexts. + +This code was contributed by Philippe Antoine ( Catena cyber ). + +How to run? +------ + +To run the fuzz targets like oss-fuzz: +``` +git clone https://github.com/google/oss-fuzz +cd oss-fuzz +python infra/helper.py build_image mbedtls +python infra/helper.py build_fuzzers --sanitizer address mbedtls +python infra/helper.py run_fuzzer mbedtls fuzz_client +``` +You can use `undefined` sanitizer as well as `address` sanitizer. +And you can run any of the fuzz targets like `fuzz_client`. + +To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance). +Then you need to compile the code with the compiler flags of the wished sanitizer. +``` +perl scripts/config.pl set MBEDTLS_PLATFORM_TIME_ALT +mkdir build +cd build +cmake .. +make +``` +Finally, you can run the targets like `./test/fuzz/fuzz_client`. + + +Corpus generation for network trafic targets +------ + +These targets use network trafic as inputs : +* client : simulates a client against (fuzzed) server traffic +* server : simulates a server against (fuzzed) client traffic +* dtls_client +* dtls_server + +They also use the last bytes as configuration options. + +To generate corpus for these targets, you can do the following, not fully automated steps : +* Build mbedtls programs ssl_server2 and ssl_client2 +* Run them one against the other with `reproducible` option turned on while capturing trafic into test.pcap +* Extract tcp payloads, for instance with tshark : `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt` +* Run a dummy python script to output either client or server corpus file like `python dummy.py test.txt > test.cor` +* Finally, you can add the options by appending the last bytes to the file test.cor + +Here is an example of dummy.py for extracting payload from client to server (if we used `tcp.dstport` in tshark command) +``` +import sys +import binascii + +f = open(sys.argv[1]) +for l in f.readlines(): + portAndPl=l.split() + if len(portAndPl) == 2: + # determine client or server based on port + if portAndPl[0] == "4433": + print(binascii.unhexlify(portAndPl[1].replace(":",""))) +``` diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c new file mode 100644 index 000000000..5e6c84c26 --- /dev/null +++ b/programs/fuzz/common.c @@ -0,0 +1,91 @@ +#include "common.h" +#include +#include +#include +#include "mbedtls/ctr_drbg.h" + +mbedtls_time_t dummy_constant_time( mbedtls_time_t* time ) +{ + (void) time; + return 0x5af2a056; +} + +void dummy_init() +{ +#if defined(MBEDTLS_PLATFORM_TIME_ALT) + mbedtls_platform_set_time( dummy_constant_time ); +#else + fprintf(stderr, "Warning: fuzzing without constant time\n"); +#endif +} + +int dummy_send( void *ctx, const unsigned char *buf, size_t len ) +{ + //silence warning about unused parameter + (void) ctx; + (void) buf; + + //pretends we wrote everything ok + if( len > INT_MAX ) { + return( -1 ); + } + return( (int) len ); +} + +int fuzz_recv( void *ctx, unsigned char *buf, size_t len ) +{ + //reads from the buffer from fuzzer + fuzzBufferOffset_t * biomemfuzz = (fuzzBufferOffset_t *) ctx; + + if(biomemfuzz->Offset == biomemfuzz->Size) { + //EOF + return( 0 ); + } + if( len > INT_MAX ) { + return( -1 ); + } + if( len + biomemfuzz->Offset > biomemfuzz->Size ) { + //do not overflow + len = biomemfuzz->Size - biomemfuzz->Offset; + } + memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len); + biomemfuzz->Offset += len; + return( (int) len ); +} + +int dummy_random( void *p_rng, unsigned char *output, size_t output_len ) +{ + int ret; + size_t i; + + //use mbedtls_ctr_drbg_random to find bugs in it + ret = mbedtls_ctr_drbg_random(p_rng, output, output_len); + for (i=0; i + +typedef struct fuzzBufferOffset +{ + const uint8_t *Data; + size_t Size; + size_t Offset; +} fuzzBufferOffset_t; + +mbedtls_time_t dummy_constant_time( mbedtls_time_t* time ); +void dummy_init(); + +int dummy_send( void *ctx, const unsigned char *buf, size_t len ); +int fuzz_recv( void *ctx, unsigned char *buf, size_t len ); +int dummy_random( void *p_rng, unsigned char *output, size_t output_len ); +int dummy_entropy( void *data, unsigned char *output, size_t len ); +int fuzz_recv_timeout( void *ctx, unsigned char *buf, size_t len, + uint32_t timeout ); diff --git a/programs/fuzz/corpuses/client b/programs/fuzz/corpuses/client new file mode 100644 index 000000000..48d0a67c8 Binary files /dev/null and b/programs/fuzz/corpuses/client differ diff --git a/programs/fuzz/corpuses/dtlsclient b/programs/fuzz/corpuses/dtlsclient new file mode 100644 index 000000000..87c3ca333 Binary files /dev/null and b/programs/fuzz/corpuses/dtlsclient differ diff --git a/programs/fuzz/corpuses/dtlsserver b/programs/fuzz/corpuses/dtlsserver new file mode 100644 index 000000000..7a7a11790 Binary files /dev/null and b/programs/fuzz/corpuses/dtlsserver differ diff --git a/programs/fuzz/corpuses/server b/programs/fuzz/corpuses/server new file mode 100644 index 000000000..fbeb019f2 Binary files /dev/null and b/programs/fuzz/corpuses/server differ diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c new file mode 100644 index 000000000..ca7a8ab7c --- /dev/null +++ b/programs/fuzz/fuzz_client.c @@ -0,0 +1,173 @@ +#include "mbedtls/ssl.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/certs.h" +#include "common.h" +#include +#include +#include + + +#ifdef MBEDTLS_SSL_CLI_C +static int initialized = 0; +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) +static mbedtls_x509_crt cacert; +#endif +const char *alpn_list[3]; + + +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) +const unsigned char psk[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f +}; +const char psk_id[] = "Client_identity"; +#endif + +const char *pers = "fuzz_client"; +#endif //MBEDTLS_SSL_CLI_C + + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_SSL_CLI_C + int ret; + size_t len; + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; + unsigned char buf[4096]; + fuzzBufferOffset_t biomemfuzz; + uint16_t options; + + if (initialized == 0) { +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_x509_crt_init( &cacert ); + if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem, + mbedtls_test_cas_pem_len ) != 0) + return 1; +#endif + + alpn_list[0] = "HTTP"; + alpn_list[1] = "fuzzalpn"; + alpn_list[2] = NULL; + + dummy_init(); + + initialized = 1; + } + + //we take 1 byte as options input + if (Size < 2) { + return 0; + } + options = (Data[Size - 2] << 8) | Data[Size - 1]; + //Avoid warnings if compile options imply no options + (void) options; + + mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_entropy_init( &entropy ); + + if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, + (const unsigned char *) pers, strlen( pers ) ) != 0 ) + goto exit; + + if( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ) != 0 ) + goto exit; + +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + if (options & 2) { + mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ), + (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); + } +#endif + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + if (options & 4) { + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED ); + } else +#endif + { + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); + } +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) + mbedtls_ssl_conf_truncated_hmac( &conf, (options & 8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED); +#endif +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED); +#endif +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED); +#endif +#if defined(MBEDTLS_SSL_CBC_RECORD_SPLITTING) + mbedtls_ssl_conf_cbc_record_splitting( &conf, (options & 0x40) ? MBEDTLS_SSL_CBC_RECORD_SPLITTING_ENABLED : MBEDTLS_SSL_CBC_RECORD_SPLITTING_DISABLED ); +#endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) + mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED ); +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED ); +#endif +#if defined(MBEDTLS_SSL_ALPN) + if (options & 0x200) { + mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ); + } +#endif + //There may be other options to add : + // mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes + + srand(1); + mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg ); + + if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) + goto exit; + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + if ((options & 1) == 0) { + if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 ) + goto exit; + } +#endif + + biomemfuzz.Data = Data; + biomemfuzz.Size = Size-2; + biomemfuzz.Offset = 0; + mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL ); + + ret = mbedtls_ssl_handshake( &ssl ); + if( ret == 0 ) + { + //keep reading data from server until the end + do + { + len = sizeof( buf ) - 1; + ret = mbedtls_ssl_read( &ssl, buf, len ); + + if( ret == MBEDTLS_ERR_SSL_WANT_READ ) + continue; + else if( ret <= 0 ) + //EOF or error + break; + } + while( 1 ); + } + +exit: + mbedtls_entropy_free( &entropy ); + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_free( &ssl ); + +#else + (void) Data; + (void) Size; +#endif //MBEDTLS_SSL_CLI_C + + return 0; +} diff --git a/programs/fuzz/fuzz_client.options b/programs/fuzz/fuzz_client.options new file mode 100644 index 000000000..4d7340f49 --- /dev/null +++ b/programs/fuzz/fuzz_client.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 1048575 diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c new file mode 100644 index 000000000..8197a6484 --- /dev/null +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -0,0 +1,116 @@ +#include +#include +#include +#include "common.h" +#include "mbedtls/ssl.h" +#if defined(MBEDTLS_SSL_PROTO_DTLS) +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/certs.h" +#include "mbedtls/timing.h" + + +#ifdef MBEDTLS_SSL_CLI_C +static int initialized = 0; +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) +static mbedtls_x509_crt cacert; +#endif + +const char *pers = "fuzz_dtlsclient"; +#endif // MBEDTLS_SSL_CLI_C +#endif // MBEDTLS_SSL_PROTO_DTLS + + + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_CLI_C) + int ret; + size_t len; + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; + mbedtls_timing_delay_context timer; + unsigned char buf[4096]; + fuzzBufferOffset_t biomemfuzz; + + if (initialized == 0) { +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_x509_crt_init( &cacert ); + if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem, + mbedtls_test_cas_pem_len ) != 0) + return 1; +#endif + dummy_init(); + + initialized = 1; + } + + mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_entropy_init( &entropy ); + + srand(1); + if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, + (const unsigned char *) pers, strlen( pers ) ) != 0 ) + goto exit; + + if( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_DATAGRAM, + MBEDTLS_SSL_PRESET_DEFAULT ) != 0 ) + goto exit; + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL ); +#endif + mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE ); + mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg ); + + if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) + goto exit; + + mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay, + mbedtls_timing_get_delay ); + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 ) + goto exit; +#endif + + biomemfuzz.Data = Data; + biomemfuzz.Size = Size; + biomemfuzz.Offset = 0; + mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout ); + + ret = mbedtls_ssl_handshake( &ssl ); + if( ret == 0 ) + { + //keep reading data from server until the end + do + { + len = sizeof( buf ) - 1; + ret = mbedtls_ssl_read( &ssl, buf, len ); + + if( ret == MBEDTLS_ERR_SSL_WANT_READ ) + continue; + else if( ret <= 0 ) + //EOF or error + break; + } + while( 1 ); + } + +exit: + mbedtls_entropy_free( &entropy ); + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_free( &ssl ); + +#else + (void) Data; + (void) Size; +#endif + return 0; +} diff --git a/programs/fuzz/fuzz_dtlsclient.options b/programs/fuzz/fuzz_dtlsclient.options new file mode 100644 index 000000000..4d7340f49 --- /dev/null +++ b/programs/fuzz/fuzz_dtlsclient.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 1048575 diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c new file mode 100644 index 000000000..9e9fe8ebd --- /dev/null +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -0,0 +1,141 @@ +#include +#include +#include +#include "common.h" +#include "mbedtls/ssl.h" +#if defined(MBEDTLS_SSL_PROTO_DTLS) +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/certs.h" +#include "mbedtls/timing.h" +#include "mbedtls/ssl_cookie.h" + + +#ifdef MBEDTLS_SSL_SRV_C +const char *pers = "fuzz_dtlsserver"; +const unsigned char client_ip[4] = {0x7F, 0, 0, 1}; +static int initialized = 0; +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) +static mbedtls_x509_crt srvcert; +static mbedtls_pk_context pkey; +#endif +#endif // MBEDTLS_SSL_SRV_C +#endif // MBEDTLS_SSL_PROTO_DTLS + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#if defined(MBEDTLS_SSL_PROTO_DTLS) && defined(MBEDTLS_SSL_SRV_C) + int ret; + size_t len; + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; + mbedtls_timing_delay_context timer; + mbedtls_ssl_cookie_ctx cookie_ctx; + unsigned char buf[4096]; + fuzzBufferOffset_t biomemfuzz; + + if (initialized == 0) { +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_x509_crt_init( &srvcert ); + mbedtls_pk_init( &pkey ); + if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt, + mbedtls_test_srv_crt_len ) != 0) + return 1; + if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem, + mbedtls_test_cas_pem_len ) != 0) + return 1; + if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, + mbedtls_test_srv_key_len, NULL, 0 ) != 0) + return 1; +#endif + dummy_init(); + + initialized = 1; + } + mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_entropy_init( &entropy ); + mbedtls_ssl_cookie_init( &cookie_ctx ); + + if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, + (const unsigned char *) pers, strlen( pers ) ) != 0 ) + goto exit; + + + if( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_DATAGRAM, + MBEDTLS_SSL_PRESET_DEFAULT ) != 0 ) + goto exit; + + + srand(1); + mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg ); + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 ) + goto exit; +#endif + + if( mbedtls_ssl_cookie_setup( &cookie_ctx, dummy_random, &ctr_drbg ) != 0 ) + goto exit; + + mbedtls_ssl_conf_dtls_cookies( &conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check, &cookie_ctx ); + + if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) + goto exit; + + mbedtls_ssl_set_timer_cb( &ssl, &timer, mbedtls_timing_set_delay, + mbedtls_timing_get_delay ); + + biomemfuzz.Data = Data; + biomemfuzz.Size = Size; + biomemfuzz.Offset = 0; + mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout ); + if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 ) + goto exit; + + ret = mbedtls_ssl_handshake( &ssl ); + + if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) { + biomemfuzz.Offset = ssl.next_record_offset; + mbedtls_ssl_session_reset( &ssl ); + mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, fuzz_recv_timeout ); + if( mbedtls_ssl_set_client_transport_id( &ssl, client_ip, sizeof(client_ip) ) != 0 ) + goto exit; + + ret = mbedtls_ssl_handshake( &ssl ); + + if( ret == 0 ) + { + //keep reading data from server until the end + do + { + len = sizeof( buf ) - 1; + ret = mbedtls_ssl_read( &ssl, buf, len ); + if( ret == MBEDTLS_ERR_SSL_WANT_READ ) + continue; + else if( ret <= 0 ) + //EOF or error + break; + } + while( 1 ); + } + } + +exit: + mbedtls_ssl_cookie_free( &cookie_ctx ); + mbedtls_entropy_free( &entropy ); + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_free( &ssl ); + +#else + (void) Data; + (void) Size; +#endif + return 0; +} diff --git a/programs/fuzz/fuzz_dtlsserver.options b/programs/fuzz/fuzz_dtlsserver.options new file mode 100644 index 000000000..4d7340f49 --- /dev/null +++ b/programs/fuzz/fuzz_dtlsserver.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 1048575 diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c new file mode 100644 index 000000000..533a647dc --- /dev/null +++ b/programs/fuzz/fuzz_privkey.c @@ -0,0 +1,64 @@ +#include +#include "mbedtls/pk.h" + +//4 Kb should be enough for every bug ;-) +#define MAX_LEN 0x1000 + + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_PK_PARSE_C + int ret; + mbedtls_pk_context pk; + + if (Size > MAX_LEN) { + //only work on small inputs + Size = MAX_LEN; + } + + mbedtls_pk_init( &pk ); + ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0 ); + if (ret == 0) { +#if defined(MBEDTLS_RSA_C) + if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA ) + { + mbedtls_mpi N, P, Q, D, E, DP, DQ, QP; + mbedtls_rsa_context *rsa; + + mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); + mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP ); + mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP ); + + rsa = mbedtls_pk_rsa( pk ); + mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ); + mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ); + + mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q ); + mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP ); + mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP ); + } + else +#endif +#if defined(MBEDTLS_ECP_C) + if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY ) + { + mbedtls_ecp_keypair *ecp; + + ecp = mbedtls_pk_ec( pk ); + if (ecp) { + ret = 0; + } + } + else +#endif + { + ret = 0; + } + } + mbedtls_pk_free( &pk ); +#else + (void) Data; + (void) Size; +#endif //MBEDTLS_PK_PARSE_C + + return 0; +} diff --git a/programs/fuzz/fuzz_privkey.options b/programs/fuzz/fuzz_privkey.options new file mode 100644 index 000000000..0824b19fa --- /dev/null +++ b/programs/fuzz/fuzz_privkey.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 65535 diff --git a/programs/fuzz/fuzz_pubkey.c b/programs/fuzz/fuzz_pubkey.c new file mode 100644 index 000000000..df42f7d53 --- /dev/null +++ b/programs/fuzz/fuzz_pubkey.c @@ -0,0 +1,57 @@ +#include +#include "mbedtls/pk.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_PK_PARSE_C + int ret; + mbedtls_pk_context pk; + + mbedtls_pk_init( &pk ); + ret = mbedtls_pk_parse_public_key( &pk, Data, Size ); + if (ret == 0) { +#if defined(MBEDTLS_RSA_C) + if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA ) + { + mbedtls_mpi N, P, Q, D, E, DP, DQ, QP; + mbedtls_rsa_context *rsa; + + mbedtls_mpi_init( &N ); mbedtls_mpi_init( &P ); mbedtls_mpi_init( &Q ); + mbedtls_mpi_init( &D ); mbedtls_mpi_init( &E ); mbedtls_mpi_init( &DP ); + mbedtls_mpi_init( &DQ ); mbedtls_mpi_init( &QP ); + + rsa = mbedtls_pk_rsa( pk ); + ret = mbedtls_rsa_export( rsa, &N, &P, &Q, &D, &E ); + ret = mbedtls_rsa_export_crt( rsa, &DP, &DQ, &QP ); + + mbedtls_mpi_free( &N ); mbedtls_mpi_free( &P ); mbedtls_mpi_free( &Q ); + mbedtls_mpi_free( &D ); mbedtls_mpi_free( &E ); mbedtls_mpi_free( &DP ); + mbedtls_mpi_free( &DQ ); mbedtls_mpi_free( &QP ); + + } + else +#endif +#if defined(MBEDTLS_ECP_C) + if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_ECKEY ) + { + mbedtls_ecp_keypair *ecp; + + ecp = mbedtls_pk_ec( pk ); + //dummy use of value + if (ecp) { + ret = 0; + } + } + else +#endif + { + ret = 0; + } + } + mbedtls_pk_free( &pk ); +#else + (void) Data; + (void) Size; +#endif //MBEDTLS_PK_PARSE_C + + return 0; +} diff --git a/programs/fuzz/fuzz_pubkey.options b/programs/fuzz/fuzz_pubkey.options new file mode 100644 index 000000000..0824b19fa --- /dev/null +++ b/programs/fuzz/fuzz_pubkey.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 65535 diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c new file mode 100644 index 000000000..7cb592238 --- /dev/null +++ b/programs/fuzz/fuzz_server.c @@ -0,0 +1,185 @@ +#include "mbedtls/ssl.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" +#include "mbedtls/certs.h" +#include "mbedtls/ssl_ticket.h" +#include "common.h" +#include +#include +#include + + +#ifdef MBEDTLS_SSL_SRV_C +const char *pers = "fuzz_server"; +static int initialized = 0; +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) +static mbedtls_x509_crt srvcert; +static mbedtls_pk_context pkey; +#endif +const char *alpn_list[3]; + +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) +const unsigned char psk[] = { + 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, + 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f +}; +const char psk_id[] = "Client_identity"; +#endif +#endif // MBEDTLS_SSL_SRV_C + + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_SSL_SRV_C + int ret; + size_t len; + mbedtls_ssl_context ssl; + mbedtls_ssl_config conf; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_context ticket_ctx; +#endif + unsigned char buf[4096]; + fuzzBufferOffset_t biomemfuzz; + uint8_t options; + + //we take 1 byte as options input + if (Size < 1) { + return 0; + } + options = Data[Size - 1]; + + if (initialized == 0) { +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_x509_crt_init( &srvcert ); + mbedtls_pk_init( &pkey ); + if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_srv_crt, + mbedtls_test_srv_crt_len ) != 0) + return 1; + if (mbedtls_x509_crt_parse( &srvcert, (const unsigned char *) mbedtls_test_cas_pem, + mbedtls_test_cas_pem_len ) != 0) + return 1; + if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, + mbedtls_test_srv_key_len, NULL, 0 ) != 0) + return 1; +#endif + + alpn_list[0] = "HTTP"; + alpn_list[1] = "fuzzalpn"; + alpn_list[2] = NULL; + + dummy_init(); + + initialized = 1; + } + mbedtls_ssl_init( &ssl ); + mbedtls_ssl_config_init( &conf ); + mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_entropy_init( &entropy ); +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_init( &ticket_ctx ); +#endif + + if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, + (const unsigned char *) pers, strlen( pers ) ) != 0 ) + goto exit; + + + if( mbedtls_ssl_config_defaults( &conf, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT ) != 0 ) + goto exit; + + srand(1); + mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg ); + +#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) + mbedtls_ssl_conf_ca_chain( &conf, srvcert.next, NULL ); + if( mbedtls_ssl_conf_own_cert( &conf, &srvcert, &pkey ) != 0 ) + goto exit; +#endif + + mbedtls_ssl_conf_cert_req_ca_list( &conf, (options & 0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED ); +#if defined(MBEDTLS_SSL_ALPN) + if (options & 0x2) { + mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ); + } +#endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + if( options & 0x4 ) + { + if( mbedtls_ssl_ticket_setup( &ticket_ctx, + dummy_random, &ctr_drbg, + MBEDTLS_CIPHER_AES_256_GCM, + 86400 ) != 0 ) + goto exit; + + mbedtls_ssl_conf_session_tickets_cb( &conf, + mbedtls_ssl_ticket_write, + mbedtls_ssl_ticket_parse, + &ticket_ctx ); + } +#endif +#if defined(MBEDTLS_SSL_TRUNCATED_HMAC) + mbedtls_ssl_conf_truncated_hmac( &conf, (options & 0x8) ? MBEDTLS_SSL_TRUNC_HMAC_ENABLED : MBEDTLS_SSL_TRUNC_HMAC_DISABLED); +#endif +#if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET) + mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED); +#endif +#if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) + mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED); +#endif +#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED) + if (options & 0x40) { + mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ), + (const unsigned char *) psk_id, sizeof( psk_id ) - 1 ); + } +#endif +#if defined(MBEDTLS_SSL_RENEGOTIATION) + mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED ); +#endif + + if( mbedtls_ssl_setup( &ssl, &conf ) != 0 ) + goto exit; + + biomemfuzz.Data = Data; + biomemfuzz.Size = Size-1; + biomemfuzz.Offset = 0; + mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL ); + + mbedtls_ssl_session_reset( &ssl ); + ret = mbedtls_ssl_handshake( &ssl ); + if( ret == 0 ) + { + //keep reading data from server until the end + do + { + len = sizeof( buf ) - 1; + ret = mbedtls_ssl_read( &ssl, buf, len ); + + if( ret == MBEDTLS_ERR_SSL_WANT_READ ) + continue; + else if( ret <= 0 ) + //EOF or error + break; + } + while( 1 ); + } + +exit: +#if defined(MBEDTLS_SSL_SESSION_TICKETS) + mbedtls_ssl_ticket_free( &ticket_ctx ); +#endif + mbedtls_entropy_free( &entropy ); + mbedtls_ctr_drbg_free( &ctr_drbg ); + mbedtls_ssl_config_free( &conf ); + mbedtls_ssl_free( &ssl ); + +#else + (void) Data; + (void) Size; +#endif //MBEDTLS_SSL_SRV_C + + return 0; +} diff --git a/programs/fuzz/fuzz_server.options b/programs/fuzz/fuzz_server.options new file mode 100644 index 000000000..4d7340f49 --- /dev/null +++ b/programs/fuzz/fuzz_server.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 1048575 diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c new file mode 100644 index 000000000..02f521cc8 --- /dev/null +++ b/programs/fuzz/fuzz_x509crl.c @@ -0,0 +1,22 @@ +#include +#include "mbedtls/x509_crl.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_X509_CRL_PARSE_C + int ret; + mbedtls_x509_crl crl; + unsigned char buf[4096]; + + mbedtls_x509_crl_init( &crl ); + ret = mbedtls_x509_crl_parse( &crl, Data, Size ); + if (ret == 0) { + ret = mbedtls_x509_crl_info( (char *) buf, sizeof( buf ) - 1, " ", &crl ); + } + mbedtls_x509_crl_free( &crl ); +#else + (void) Data; + (void) Size; +#endif + + return 0; +} diff --git a/programs/fuzz/fuzz_x509crl.options b/programs/fuzz/fuzz_x509crl.options new file mode 100644 index 000000000..0824b19fa --- /dev/null +++ b/programs/fuzz/fuzz_x509crl.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 65535 diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c new file mode 100644 index 000000000..8f593a141 --- /dev/null +++ b/programs/fuzz/fuzz_x509crt.c @@ -0,0 +1,22 @@ +#include +#include "mbedtls/x509_crt.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_X509_CRT_PARSE_C + int ret; + mbedtls_x509_crt crt; + unsigned char buf[4096]; + + mbedtls_x509_crt_init( &crt ); + ret = mbedtls_x509_crt_parse( &crt, Data, Size ); + if (ret == 0) { + ret = mbedtls_x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ", &crt ); + } + mbedtls_x509_crt_free( &crt ); +#else + (void) Data; + (void) Size; +#endif + + return 0; +} diff --git a/programs/fuzz/fuzz_x509crt.options b/programs/fuzz/fuzz_x509crt.options new file mode 100644 index 000000000..0824b19fa --- /dev/null +++ b/programs/fuzz/fuzz_x509crt.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 65535 diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c new file mode 100644 index 000000000..3cf28a6fa --- /dev/null +++ b/programs/fuzz/fuzz_x509csr.c @@ -0,0 +1,22 @@ +#include +#include "mbedtls/x509_csr.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { +#ifdef MBEDTLS_X509_CSR_PARSE_C + int ret; + mbedtls_x509_csr csr; + unsigned char buf[4096]; + + mbedtls_x509_csr_init( &csr ); + ret = mbedtls_x509_csr_parse( &csr, Data, Size ); + if (ret == 0) { + ret = mbedtls_x509_csr_info( (char *) buf, sizeof( buf ) - 1, " ", &csr ); + } + mbedtls_x509_csr_free( &csr ); +#else + (void) Data; + (void) Size; +#endif + + return 0; +} diff --git a/programs/fuzz/fuzz_x509csr.options b/programs/fuzz/fuzz_x509csr.options new file mode 100644 index 000000000..0824b19fa --- /dev/null +++ b/programs/fuzz/fuzz_x509csr.options @@ -0,0 +1,2 @@ +[libfuzzer] +max_len = 65535 diff --git a/programs/fuzz/onefile.c b/programs/fuzz/onefile.c new file mode 100644 index 000000000..9e3986d6b --- /dev/null +++ b/programs/fuzz/onefile.c @@ -0,0 +1,53 @@ +#include +#include +#include +// Get platform-specific definition +#include "mbedtls/config.h" + +int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size); + +int main(int argc, char** argv) +{ + FILE * fp; + uint8_t *Data; + size_t Size; + + if (argc != 2) { + return 1; + } + //opens the file, get its size, and reads it into a buffer + fp = fopen(argv[1], "rb"); + if (fp == NULL) { + return 2; + } + if (fseek(fp, 0L, SEEK_END) != 0) { + fclose(fp); + return 2; + } + Size = ftell(fp); + if (Size == (size_t) -1) { + fclose(fp); + return 2; + } + if (fseek(fp, 0L, SEEK_SET) != 0) { + fclose(fp); + return 2; + } + Data = malloc(Size); + if (Data == NULL) { + fclose(fp); + return 2; + } + if (fread(Data, Size, 1, fp) != 1) { + free(Data); + fclose(fp); + return 2; + } + + //lauch fuzzer + LLVMFuzzerTestOneInput(Data, Size); + free(Data); + fclose(fp); + return 0; +} + diff --git a/tests/compat.sh b/tests/compat.sh index 0eae1eab3..80c2d31a3 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -15,6 +15,10 @@ set -u +# Limit the size of each log to 10 GiB, in case of failures with this script +# where it may output seemingly unlimited length error logs. +ulimit -f 20971520 + # initialise counters TESTS=0 FAILED=0 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 42e00a1d0..1b799f744 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -24,7 +24,8 @@ # configurations, and can and will arbitrarily change the current CMake # configuration. The following files must be committed into git: # * include/mbedtls/config.h -# * Makefile, library/Makefile, programs/Makefile, tests/Makefile +# * Makefile, library/Makefile, programs/Makefile, tests/Makefile, +# programs/fuzz/Makefile # After running this script, the CMake cache will be lost and CMake # will no longer be initialised. # @@ -75,9 +76,9 @@ # * Run `make clean`. # * Restore `include/mbedtks/config.h` from a backup made before running # the component. -# * Check out `Makefile`, `library/Makefile`, `programs/Makefile` and -# `tests/Makefile` from git. This cleans up after an in-tree use of -# CMake. +# * Check out `Makefile`, `library/Makefile`, `programs/Makefile`, +# `tests/Makefile` and `programs/fuzz/Makefile` from git. +# This cleans up after an in-tree use of CMake. # # Any command that is expected to fail must be protected so that the # script keeps running in --keep-going mode despite `set -e`. In keep-going @@ -234,8 +235,8 @@ cleanup() -iname CMakeCache.txt \) -exec rm {} \+ # Recover files overwritten by in-tree CMake builds rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile - git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile - git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile + git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile + git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile programs/fuzz/Makefile cd crypto rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile @@ -1052,7 +1053,7 @@ component_test_m32_o0 () { # Build once with -O0, to compile out the i386 specific inline assembly msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s scripts/config.pl full - make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32' + make CC=gcc CFLAGS='-O0 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32 -fsanitize=address' msg "test: i386, make, gcc -O0 (ASan build)" make test @@ -1071,7 +1072,7 @@ component_test_m32_o1 () { scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE scripts/config.pl unset MBEDTLS_MEMORY_BUFFER_ALLOC_C scripts/config.pl unset MBEDTLS_MEMORY_DEBUG - make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32' + make CC=gcc CFLAGS='-O1 -Werror -Wall -Wextra -m32 -fsanitize=address' LDFLAGS='-m32 -fsanitize=address' msg "test: i386, make, gcc -O1 (ASan build)" make test diff --git a/tests/scripts/basic-build-test.sh b/tests/scripts/basic-build-test.sh index 2c9deb9ba..4b71ff69b 100755 --- a/tests/scripts/basic-build-test.sh +++ b/tests/scripts/basic-build-test.sh @@ -64,6 +64,7 @@ echo # Step 1 - Make and instrumented build for code coverage export CFLAGS=' --coverage -g3 -O0 ' +export LDFLAGS=' --coverage' make clean cp "$CONFIG_H" "$CONFIG_BAK" scripts/config.pl full diff --git a/tests/scripts/mbedtls_test.py b/tests/scripts/mbedtls_test.py index ac2912d4c..6ac68a4fb 100755 --- a/tests/scripts/mbedtls_test.py +++ b/tests/scripts/mbedtls_test.py @@ -79,7 +79,7 @@ class TestDataParser(object): split_colon_fn = lambda x: re.sub(r'\\' + split_char, split_char, x) if len(split_char) > 1: raise ValueError('Expected split character. Found string!') - out = map(split_colon_fn, re.split(r'(?&2 exit 1 diff --git a/tests/suites/target_test.function b/tests/suites/target_test.function index e4c3e30de..d430d9d5d 100644 --- a/tests/suites/target_test.function +++ b/tests/suites/target_test.function @@ -59,10 +59,29 @@ int verify_dependencies( uint8_t count, uint8_t * dep_p ) return( DEPENDENCY_SUPPORTED ); } +/** + * \brief Receives hex string on serial interface, and converts to a byte. + * + * \param none + * + * \return unsigned int8 + */ +uint8_t receive_byte() +{ + uint8_t byte; + uint8_t c[3]; + char *endptr; + c[0] = greentea_getc(); + c[1] = greentea_getc(); + c[2] = '\0'; + + assert( unhexify( &byte, c ) != 2 ); + return( byte ); +} /** * \brief Receives unsigned integer on serial interface. - * Integers are encoded in network order. + * Integers are encoded in network order, and sent as hex ascii string. * * \param none * @@ -71,10 +90,17 @@ int verify_dependencies( uint8_t count, uint8_t * dep_p ) uint32_t receive_uint32() { uint32_t value; - value = (uint8_t)greentea_getc() << 24; - value |= (uint8_t)greentea_getc() << 16; - value |= (uint8_t)greentea_getc() << 8; - value |= (uint8_t)greentea_getc(); + const uint8_t c[9] = { greentea_getc(), + greentea_getc(), + greentea_getc(), + greentea_getc(), + greentea_getc(), + greentea_getc(), + greentea_getc(), + greentea_getc(), + '\0' + }; + assert( unhexify( &value, c ) != 8 ); return( (uint32_t)value ); } @@ -132,7 +158,7 @@ uint8_t * receive_data( uint32_t * data_len ) greentea_getc(); // read ';' received after key i.e. *data_len for( i = 0; i < *data_len; i++ ) - data[i] = greentea_getc(); + data[i] = receive_byte(); /* Read closing braces */ for( i = 0; i < 2; i++ )