1 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
2
3 #include "mbedtls/ssl.h"
4 #include "mbedtls/entropy.h"
5 #include "mbedtls/ctr_drbg.h"
6 #include "mbedtls/ssl_ticket.h"
7 #include "test/certs.h"
8 #include "common.h"
9 #include <string.h>
10 #include <stdlib.h>
11 #include <stdint.h>
12
13
14 #if defined(MBEDTLS_SSL_SRV_C) && \
15 defined(MBEDTLS_ENTROPY_C) && \
16 defined(MBEDTLS_CTR_DRBG_C)
17 const char *pers = "fuzz_server";
18 static int initialized = 0;
19 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
20 static mbedtls_x509_crt srvcert;
21 static mbedtls_pk_context pkey;
22 #endif
23 const char *alpn_list[3];
24
25 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
26 const unsigned char psk[] = {
27 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
28 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
29 };
30 const char psk_id[] = "Client_identity";
31 #endif
32 #endif // MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C
33
34
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)35 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
36 {
37 #if defined(MBEDTLS_SSL_SRV_C) && \
38 defined(MBEDTLS_ENTROPY_C) && \
39 defined(MBEDTLS_CTR_DRBG_C)
40 int ret;
41 size_t len;
42 mbedtls_ssl_context ssl;
43 mbedtls_ssl_config conf;
44 mbedtls_ctr_drbg_context ctr_drbg;
45 mbedtls_entropy_context entropy;
46 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
47 mbedtls_ssl_ticket_context ticket_ctx;
48 #endif
49 unsigned char buf[4096];
50 fuzzBufferOffset_t biomemfuzz;
51 uint8_t options;
52
53 //we take 1 byte as options input
54 if (Size < 1) {
55 return 0;
56 }
57 options = Data[Size - 1];
58
59 mbedtls_ctr_drbg_init(&ctr_drbg);
60 mbedtls_entropy_init(&entropy);
61
62 if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
63 (const unsigned char *) pers, strlen(pers)) != 0) {
64 return 1;
65 }
66
67 if (initialized == 0) {
68
69 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
70 mbedtls_x509_crt_init(&srvcert);
71 mbedtls_pk_init(&pkey);
72 if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_srv_crt,
73 mbedtls_test_srv_crt_len) != 0) {
74 return 1;
75 }
76 if (mbedtls_x509_crt_parse(&srvcert, (const unsigned char *) mbedtls_test_cas_pem,
77 mbedtls_test_cas_pem_len) != 0) {
78 return 1;
79 }
80 if (mbedtls_pk_parse_key(&pkey, (const unsigned char *) mbedtls_test_srv_key,
81 mbedtls_test_srv_key_len, NULL, 0,
82 dummy_random, &ctr_drbg) != 0) {
83 return 1;
84 }
85 #endif
86
87 alpn_list[0] = "HTTP";
88 alpn_list[1] = "fuzzalpn";
89 alpn_list[2] = NULL;
90
91 dummy_init();
92
93 initialized = 1;
94 }
95 mbedtls_ssl_init(&ssl);
96 mbedtls_ssl_config_init(&conf);
97 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
98 mbedtls_ssl_ticket_init(&ticket_ctx);
99 #endif
100
101 if (mbedtls_ssl_config_defaults(&conf,
102 MBEDTLS_SSL_IS_SERVER,
103 MBEDTLS_SSL_TRANSPORT_STREAM,
104 MBEDTLS_SSL_PRESET_DEFAULT) != 0) {
105 goto exit;
106 }
107
108 srand(1);
109 mbedtls_ssl_conf_rng(&conf, dummy_random, &ctr_drbg);
110
111 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
112 mbedtls_ssl_conf_ca_chain(&conf, srvcert.next, NULL);
113 if (mbedtls_ssl_conf_own_cert(&conf, &srvcert, &pkey) != 0) {
114 goto exit;
115 }
116 #endif
117
118 mbedtls_ssl_conf_cert_req_ca_list(&conf,
119 (options &
120 0x1) ? MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED : MBEDTLS_SSL_CERT_REQ_CA_LIST_DISABLED);
121 #if defined(MBEDTLS_SSL_ALPN)
122 if (options & 0x2) {
123 mbedtls_ssl_conf_alpn_protocols(&conf, alpn_list);
124 }
125 #endif
126 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
127 if (options & 0x4) {
128 if (mbedtls_ssl_ticket_setup(&ticket_ctx,
129 dummy_random, &ctr_drbg,
130 MBEDTLS_CIPHER_AES_256_GCM,
131 86400) != 0) {
132 goto exit;
133 }
134
135 mbedtls_ssl_conf_session_tickets_cb(&conf,
136 mbedtls_ssl_ticket_write,
137 mbedtls_ssl_ticket_parse,
138 &ticket_ctx);
139 }
140 #endif
141 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
142 mbedtls_ssl_conf_extended_master_secret(&conf,
143 (options &
144 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
145 #endif
146 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
147 mbedtls_ssl_conf_encrypt_then_mac(&conf,
148 (options &
149 0x20) ? MBEDTLS_SSL_ETM_ENABLED : MBEDTLS_SSL_ETM_DISABLED);
150 #endif
151 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
152 if (options & 0x40) {
153 mbedtls_ssl_conf_psk(&conf, psk, sizeof(psk),
154 (const unsigned char *) psk_id, sizeof(psk_id) - 1);
155 }
156 #endif
157 #if defined(MBEDTLS_SSL_RENEGOTIATION)
158 mbedtls_ssl_conf_renegotiation(&conf,
159 (options &
160 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED);
161 #endif
162
163 if (mbedtls_ssl_setup(&ssl, &conf) != 0) {
164 goto exit;
165 }
166
167 biomemfuzz.Data = Data;
168 biomemfuzz.Size = Size-1;
169 biomemfuzz.Offset = 0;
170 mbedtls_ssl_set_bio(&ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL);
171
172 mbedtls_ssl_session_reset(&ssl);
173 ret = mbedtls_ssl_handshake(&ssl);
174 if (ret == 0) {
175 //keep reading data from server until the end
176 do {
177 len = sizeof(buf) - 1;
178 ret = mbedtls_ssl_read(&ssl, buf, len);
179
180 if (ret == MBEDTLS_ERR_SSL_WANT_READ) {
181 continue;
182 } else if (ret <= 0) {
183 //EOF or error
184 break;
185 }
186 } while (1);
187 }
188
189 exit:
190 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
191 mbedtls_ssl_ticket_free(&ticket_ctx);
192 #endif
193 mbedtls_entropy_free(&entropy);
194 mbedtls_ctr_drbg_free(&ctr_drbg);
195 mbedtls_ssl_config_free(&conf);
196 mbedtls_ssl_free(&ssl);
197
198 #else
199 (void) Data;
200 (void) Size;
201 #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
202
203 return 0;
204 }
205
