1 // Copyright 2017 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 // https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14
15 #ifndef HEADER_SSL_TEST_FUZZER
16 #define HEADER_SSL_TEST_FUZZER
17
18 #include <assert.h>
19 #include <stdlib.h>
20 #include <string.h>
21
22 #include <algorithm>
23 #include <vector>
24
25 #include <openssl/bio.h>
26 #include <openssl/bytestring.h>
27 #include <openssl/crypto.h>
28 #include <openssl/err.h>
29 #include <openssl/evp.h>
30 #include <openssl/hpke.h>
31 #include <openssl/rand.h>
32 #include <openssl/rsa.h>
33 #include <openssl/ssl.h>
34 #include <openssl/x509.h>
35
36 #include "../../crypto/internal.h"
37 #include "./fuzzer_tags.h"
38
39 #if defined(OPENSSL_WINDOWS)
40 // Windows defines struct timeval in winsock2.h.
41 #include <winsock2.h>
42 #else
43 #include <sys/time.h>
44 #endif
45
46 namespace {
47
48 const uint8_t kP256KeyPKCS8[] = {
49 0x30, 0x81, 0x87, 0x02, 0x01, 0x00, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86,
50 0x48, 0xce, 0x3d, 0x02, 0x01, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d,
51 0x03, 0x01, 0x07, 0x04, 0x6d, 0x30, 0x6b, 0x02, 0x01, 0x01, 0x04, 0x20,
52 0x43, 0x09, 0xc0, 0x67, 0x75, 0x21, 0x47, 0x9d, 0xa8, 0xfa, 0x16, 0xdf,
53 0x15, 0x73, 0x61, 0x34, 0x68, 0x6f, 0xe3, 0x8e, 0x47, 0x91, 0x95, 0xab,
54 0x79, 0x4a, 0x72, 0x14, 0xcb, 0xe2, 0x49, 0x4f, 0xa1, 0x44, 0x03, 0x42,
55 0x00, 0x04, 0xde, 0x09, 0x08, 0x07, 0x03, 0x2e, 0x8f, 0x37, 0x9a, 0xd5,
56 0xad, 0xe5, 0xc6, 0x9d, 0xd4, 0x63, 0xc7, 0x4a, 0xe7, 0x20, 0xcb, 0x90,
57 0xa0, 0x1f, 0x18, 0x18, 0x72, 0xb5, 0x21, 0x88, 0x38, 0xc0, 0xdb, 0xba,
58 0xf6, 0x99, 0xd8, 0xa5, 0x3b, 0x83, 0xe9, 0xe3, 0xd5, 0x61, 0x99, 0x73,
59 0x42, 0xc6, 0x6c, 0xe8, 0x0a, 0x95, 0x40, 0x41, 0x3b, 0x0d, 0x10, 0xa7,
60 0x4a, 0x93, 0xdb, 0x5a, 0xe7, 0xec,
61 };
62
63 const uint8_t kOCSPResponse[] = {0x01, 0x02, 0x03, 0x04};
64
65 const uint8_t kSCT[] = {0x00, 0x06, 0x00, 0x04, 0x05, 0x06, 0x07, 0x08};
66
67 const uint8_t kCertificateDER[] = {
68 0x30, 0x82, 0x02, 0xff, 0x30, 0x82, 0x01, 0xe7, 0xa0, 0x03, 0x02, 0x01,
69 0x02, 0x02, 0x11, 0x00, 0xb1, 0x84, 0xee, 0x34, 0x99, 0x98, 0x76, 0xfb,
70 0x6f, 0xb2, 0x15, 0xc8, 0x47, 0x79, 0x05, 0x9b, 0x30, 0x0d, 0x06, 0x09,
71 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x30,
72 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55, 0x04, 0x0a, 0x13, 0x07,
73 0x41, 0x63, 0x6d, 0x65, 0x20, 0x43, 0x6f, 0x30, 0x1e, 0x17, 0x0d, 0x31,
74 0x35, 0x31, 0x31, 0x30, 0x37, 0x30, 0x30, 0x32, 0x34, 0x35, 0x36, 0x5a,
75 0x17, 0x0d, 0x31, 0x36, 0x31, 0x31, 0x30, 0x36, 0x30, 0x30, 0x32, 0x34,
76 0x35, 0x36, 0x5a, 0x30, 0x12, 0x31, 0x10, 0x30, 0x0e, 0x06, 0x03, 0x55,
77 0x04, 0x0a, 0x13, 0x07, 0x41, 0x63, 0x6d, 0x65, 0x20, 0x43, 0x6f, 0x30,
78 0x82, 0x01, 0x22, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
79 0x0d, 0x01, 0x01, 0x01, 0x05, 0x00, 0x03, 0x82, 0x01, 0x0f, 0x00, 0x30,
80 0x82, 0x01, 0x0a, 0x02, 0x82, 0x01, 0x01, 0x00, 0xce, 0x47, 0xcb, 0x11,
81 0xbb, 0xd2, 0x9d, 0x8e, 0x9e, 0xd2, 0x1e, 0x14, 0xaf, 0xc7, 0xea, 0xb6,
82 0xc9, 0x38, 0x2a, 0x6f, 0xb3, 0x7e, 0xfb, 0xbc, 0xfc, 0x59, 0x42, 0xb9,
83 0x56, 0xf0, 0x4c, 0x3f, 0xf7, 0x31, 0x84, 0xbe, 0xac, 0x03, 0x9e, 0x71,
84 0x91, 0x85, 0xd8, 0x32, 0xbd, 0x00, 0xea, 0xac, 0x65, 0xf6, 0x03, 0xc8,
85 0x0f, 0x8b, 0xfd, 0x6e, 0x58, 0x88, 0x04, 0x41, 0x92, 0x74, 0xa6, 0x57,
86 0x2e, 0x8e, 0x88, 0xd5, 0x3d, 0xda, 0x14, 0x3e, 0x63, 0x88, 0x22, 0xe3,
87 0x53, 0xe9, 0xba, 0x39, 0x09, 0xac, 0xfb, 0xd0, 0x4c, 0xf2, 0x3c, 0x20,
88 0xd6, 0x97, 0xe6, 0xed, 0xf1, 0x62, 0x1e, 0xe5, 0xc9, 0x48, 0xa0, 0xca,
89 0x2e, 0x3c, 0x14, 0x5a, 0x82, 0xd4, 0xed, 0xb1, 0xe3, 0x43, 0xc1, 0x2a,
90 0x59, 0xa5, 0xb9, 0xc8, 0x48, 0xa7, 0x39, 0x23, 0x74, 0xa7, 0x37, 0xb0,
91 0x6f, 0xc3, 0x64, 0x99, 0x6c, 0xa2, 0x82, 0xc8, 0xf6, 0xdb, 0x86, 0x40,
92 0xce, 0xd1, 0x85, 0x9f, 0xce, 0x69, 0xf4, 0x15, 0x2a, 0x23, 0xca, 0xea,
93 0xb7, 0x7b, 0xdf, 0xfb, 0x43, 0x5f, 0xff, 0x7a, 0x49, 0x49, 0x0e, 0xe7,
94 0x02, 0x51, 0x45, 0x13, 0xe8, 0x90, 0x64, 0x21, 0x0c, 0x26, 0x2b, 0x5d,
95 0xfc, 0xe4, 0xb5, 0x86, 0x89, 0x43, 0x22, 0x4c, 0xf3, 0x3b, 0xf3, 0x09,
96 0xc4, 0xa4, 0x10, 0x80, 0xf2, 0x46, 0xe2, 0x46, 0x8f, 0x76, 0x50, 0xbf,
97 0xaf, 0x2b, 0x90, 0x1b, 0x78, 0xc7, 0xcf, 0xc1, 0x77, 0xd0, 0xfb, 0xa9,
98 0xfb, 0xc9, 0x66, 0x5a, 0xc5, 0x9b, 0x31, 0x41, 0x67, 0x01, 0xbe, 0x33,
99 0x10, 0xba, 0x05, 0x58, 0xed, 0x76, 0x53, 0xde, 0x5d, 0xc1, 0xe8, 0xbb,
100 0x9f, 0xf1, 0xcd, 0xfb, 0xdf, 0x64, 0x7f, 0xd7, 0x18, 0xab, 0x0f, 0x94,
101 0x28, 0x95, 0x4a, 0xcc, 0x6a, 0xa9, 0x50, 0xc7, 0x05, 0x47, 0x10, 0x41,
102 0x02, 0x03, 0x01, 0x00, 0x01, 0xa3, 0x50, 0x30, 0x4e, 0x30, 0x0e, 0x06,
103 0x03, 0x55, 0x1d, 0x0f, 0x01, 0x01, 0xff, 0x04, 0x04, 0x03, 0x02, 0x05,
104 0xa0, 0x30, 0x13, 0x06, 0x03, 0x55, 0x1d, 0x25, 0x04, 0x0c, 0x30, 0x0a,
105 0x06, 0x08, 0x2b, 0x06, 0x01, 0x05, 0x05, 0x07, 0x03, 0x01, 0x30, 0x0c,
106 0x06, 0x03, 0x55, 0x1d, 0x13, 0x01, 0x01, 0xff, 0x04, 0x02, 0x30, 0x00,
107 0x30, 0x19, 0x06, 0x03, 0x55, 0x1d, 0x11, 0x04, 0x12, 0x30, 0x10, 0x82,
108 0x0e, 0x66, 0x75, 0x7a, 0x7a, 0x2e, 0x62, 0x6f, 0x72, 0x69, 0x6e, 0x67,
109 0x73, 0x73, 0x6c, 0x30, 0x0d, 0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7,
110 0x0d, 0x01, 0x01, 0x0b, 0x05, 0x00, 0x03, 0x82, 0x01, 0x01, 0x00, 0x92,
111 0xde, 0xef, 0x96, 0x06, 0x7b, 0xff, 0x71, 0x7d, 0x4e, 0xa0, 0x7d, 0xae,
112 0xb8, 0x22, 0xb4, 0x2c, 0xf7, 0x96, 0x9c, 0x37, 0x1d, 0x8f, 0xe7, 0xd9,
113 0x47, 0xff, 0x3f, 0xe9, 0x35, 0x95, 0x0e, 0xdd, 0xdc, 0x7f, 0xc8, 0x8a,
114 0x1e, 0x36, 0x1d, 0x38, 0x47, 0xfc, 0x76, 0xd2, 0x1f, 0x98, 0xa1, 0x36,
115 0xac, 0xc8, 0x70, 0x38, 0x0a, 0x3d, 0x51, 0x8d, 0x0f, 0x03, 0x1b, 0xef,
116 0x62, 0xa1, 0xcb, 0x2b, 0x4a, 0x8c, 0x12, 0x2b, 0x54, 0x50, 0x9a, 0x6b,
117 0xfe, 0xaf, 0xd9, 0xf6, 0xbf, 0x58, 0x11, 0x58, 0x5e, 0xe5, 0x86, 0x1e,
118 0x3b, 0x6b, 0x30, 0x7e, 0x72, 0x89, 0xe8, 0x6b, 0x7b, 0xb7, 0xaf, 0xef,
119 0x8b, 0xa9, 0x3e, 0xb0, 0xcd, 0x0b, 0xef, 0xb0, 0x0c, 0x96, 0x2b, 0xc5,
120 0x3b, 0xd5, 0xf1, 0xc2, 0xae, 0x3a, 0x60, 0xd9, 0x0f, 0x75, 0x37, 0x55,
121 0x4d, 0x62, 0xd2, 0xed, 0x96, 0xac, 0x30, 0x6b, 0xda, 0xa1, 0x48, 0x17,
122 0x96, 0x23, 0x85, 0x9a, 0x57, 0x77, 0xe9, 0x22, 0xa2, 0x37, 0x03, 0xba,
123 0x49, 0x77, 0x40, 0x3b, 0x76, 0x4b, 0xda, 0xc1, 0x04, 0x57, 0x55, 0x34,
124 0x22, 0x83, 0x45, 0x29, 0xab, 0x2e, 0x11, 0xff, 0x0d, 0xab, 0x55, 0xb1,
125 0xa7, 0x58, 0x59, 0x05, 0x25, 0xf9, 0x1e, 0x3d, 0xb7, 0xac, 0x04, 0x39,
126 0x2c, 0xf9, 0xaf, 0xb8, 0x68, 0xfb, 0x8e, 0x35, 0x71, 0x32, 0xff, 0x70,
127 0xe9, 0x46, 0x6d, 0x5c, 0x06, 0x90, 0x88, 0x23, 0x48, 0x0c, 0x50, 0xeb,
128 0x0a, 0xa9, 0xae, 0xe8, 0xfc, 0xbe, 0xa5, 0x76, 0x94, 0xd7, 0x64, 0x22,
129 0x38, 0x98, 0x17, 0xa4, 0x3a, 0xa7, 0x59, 0x9f, 0x1d, 0x3b, 0x75, 0x90,
130 0x1a, 0x81, 0xef, 0x19, 0xfb, 0x2b, 0xb7, 0xa7, 0x64, 0x61, 0x22, 0xa4,
131 0x6f, 0x7b, 0xfa, 0x58, 0xbb, 0x8c, 0x4e, 0x77, 0x67, 0xd0, 0x5d, 0x58,
132 0x76, 0x8a, 0xbb,
133 };
134
135 const uint8_t kRSAPrivateKeyDER[] = {
136 0x30, 0x82, 0x04, 0xa5, 0x02, 0x01, 0x00, 0x02, 0x82, 0x01, 0x01, 0x00,
137 0xce, 0x47, 0xcb, 0x11, 0xbb, 0xd2, 0x9d, 0x8e, 0x9e, 0xd2, 0x1e, 0x14,
138 0xaf, 0xc7, 0xea, 0xb6, 0xc9, 0x38, 0x2a, 0x6f, 0xb3, 0x7e, 0xfb, 0xbc,
139 0xfc, 0x59, 0x42, 0xb9, 0x56, 0xf0, 0x4c, 0x3f, 0xf7, 0x31, 0x84, 0xbe,
140 0xac, 0x03, 0x9e, 0x71, 0x91, 0x85, 0xd8, 0x32, 0xbd, 0x00, 0xea, 0xac,
141 0x65, 0xf6, 0x03, 0xc8, 0x0f, 0x8b, 0xfd, 0x6e, 0x58, 0x88, 0x04, 0x41,
142 0x92, 0x74, 0xa6, 0x57, 0x2e, 0x8e, 0x88, 0xd5, 0x3d, 0xda, 0x14, 0x3e,
143 0x63, 0x88, 0x22, 0xe3, 0x53, 0xe9, 0xba, 0x39, 0x09, 0xac, 0xfb, 0xd0,
144 0x4c, 0xf2, 0x3c, 0x20, 0xd6, 0x97, 0xe6, 0xed, 0xf1, 0x62, 0x1e, 0xe5,
145 0xc9, 0x48, 0xa0, 0xca, 0x2e, 0x3c, 0x14, 0x5a, 0x82, 0xd4, 0xed, 0xb1,
146 0xe3, 0x43, 0xc1, 0x2a, 0x59, 0xa5, 0xb9, 0xc8, 0x48, 0xa7, 0x39, 0x23,
147 0x74, 0xa7, 0x37, 0xb0, 0x6f, 0xc3, 0x64, 0x99, 0x6c, 0xa2, 0x82, 0xc8,
148 0xf6, 0xdb, 0x86, 0x40, 0xce, 0xd1, 0x85, 0x9f, 0xce, 0x69, 0xf4, 0x15,
149 0x2a, 0x23, 0xca, 0xea, 0xb7, 0x7b, 0xdf, 0xfb, 0x43, 0x5f, 0xff, 0x7a,
150 0x49, 0x49, 0x0e, 0xe7, 0x02, 0x51, 0x45, 0x13, 0xe8, 0x90, 0x64, 0x21,
151 0x0c, 0x26, 0x2b, 0x5d, 0xfc, 0xe4, 0xb5, 0x86, 0x89, 0x43, 0x22, 0x4c,
152 0xf3, 0x3b, 0xf3, 0x09, 0xc4, 0xa4, 0x10, 0x80, 0xf2, 0x46, 0xe2, 0x46,
153 0x8f, 0x76, 0x50, 0xbf, 0xaf, 0x2b, 0x90, 0x1b, 0x78, 0xc7, 0xcf, 0xc1,
154 0x77, 0xd0, 0xfb, 0xa9, 0xfb, 0xc9, 0x66, 0x5a, 0xc5, 0x9b, 0x31, 0x41,
155 0x67, 0x01, 0xbe, 0x33, 0x10, 0xba, 0x05, 0x58, 0xed, 0x76, 0x53, 0xde,
156 0x5d, 0xc1, 0xe8, 0xbb, 0x9f, 0xf1, 0xcd, 0xfb, 0xdf, 0x64, 0x7f, 0xd7,
157 0x18, 0xab, 0x0f, 0x94, 0x28, 0x95, 0x4a, 0xcc, 0x6a, 0xa9, 0x50, 0xc7,
158 0x05, 0x47, 0x10, 0x41, 0x02, 0x03, 0x01, 0x00, 0x01, 0x02, 0x82, 0x01,
159 0x01, 0x00, 0xa8, 0x47, 0xb9, 0x4a, 0x06, 0x47, 0x93, 0x71, 0x3d, 0xef,
160 0x7b, 0xca, 0xb4, 0x7c, 0x0a, 0xe6, 0x82, 0xd0, 0xe7, 0x0d, 0xa9, 0x08,
161 0xf6, 0xa4, 0xfd, 0xd8, 0x73, 0xae, 0x6f, 0x56, 0x29, 0x5e, 0x25, 0x72,
162 0xa8, 0x30, 0x44, 0x73, 0xcf, 0x56, 0x26, 0xb9, 0x61, 0xde, 0x42, 0x81,
163 0xf4, 0xf0, 0x1f, 0x5d, 0xcb, 0x47, 0xf2, 0x26, 0xe9, 0xe0, 0x93, 0x28,
164 0xa3, 0x10, 0x3b, 0x42, 0x1e, 0x51, 0x11, 0x12, 0x06, 0x5e, 0xaf, 0xce,
165 0xb0, 0xa5, 0x14, 0xdd, 0x82, 0x58, 0xa1, 0xa4, 0x12, 0xdf, 0x65, 0x1d,
166 0x51, 0x70, 0x64, 0xd5, 0x58, 0x68, 0x11, 0xa8, 0x6a, 0x23, 0xc2, 0xbf,
167 0xa1, 0x25, 0x24, 0x47, 0xb3, 0xa4, 0x3c, 0x83, 0x96, 0xb7, 0x1f, 0xf4,
168 0x44, 0xd4, 0xd1, 0xe9, 0xfc, 0x33, 0x68, 0x5e, 0xe2, 0x68, 0x99, 0x9c,
169 0x91, 0xe8, 0x72, 0xc9, 0xd7, 0x8c, 0x80, 0x20, 0x8e, 0x77, 0x83, 0x4d,
170 0xe4, 0xab, 0xf9, 0x74, 0xa1, 0xdf, 0xd3, 0xc0, 0x0d, 0x5b, 0x05, 0x51,
171 0xc2, 0x6f, 0xb2, 0x91, 0x02, 0xec, 0xc0, 0x02, 0x1a, 0x5c, 0x91, 0x05,
172 0xf1, 0xe3, 0xfa, 0x65, 0xc2, 0xad, 0x24, 0xe6, 0xe5, 0x3c, 0xb6, 0x16,
173 0xf1, 0xa1, 0x67, 0x1a, 0x9d, 0x37, 0x56, 0xbf, 0x01, 0xd7, 0x3b, 0x35,
174 0x30, 0x57, 0x73, 0xf4, 0xf0, 0x5e, 0xa7, 0xe8, 0x0a, 0xc1, 0x94, 0x17,
175 0xcf, 0x0a, 0xbd, 0xf5, 0x31, 0xa7, 0x2d, 0xf7, 0xf5, 0xd9, 0x8c, 0xc2,
176 0x01, 0xbd, 0xda, 0x16, 0x8e, 0xb9, 0x30, 0x40, 0xa6, 0x6e, 0xbd, 0xcd,
177 0x4d, 0x84, 0x67, 0x4e, 0x0b, 0xce, 0xd5, 0xef, 0xf8, 0x08, 0x63, 0x02,
178 0xc6, 0xc7, 0xf7, 0x67, 0x92, 0xe2, 0x23, 0x9d, 0x27, 0x22, 0x1d, 0xc6,
179 0x67, 0x5e, 0x66, 0xbf, 0x03, 0xb8, 0xa9, 0x67, 0xd4, 0x39, 0xd8, 0x75,
180 0xfa, 0xe8, 0xed, 0x56, 0xb8, 0x81, 0x02, 0x81, 0x81, 0x00, 0xf7, 0x46,
181 0x68, 0xc6, 0x13, 0xf8, 0xba, 0x0f, 0x83, 0xdb, 0x05, 0xa8, 0x25, 0x00,
182 0x70, 0x9c, 0x9e, 0x8b, 0x12, 0x34, 0x0d, 0x96, 0xcf, 0x0d, 0x98, 0x9b,
183 0x8d, 0x9c, 0x96, 0x78, 0xd1, 0x3c, 0x01, 0x8c, 0xb9, 0x35, 0x5c, 0x20,
184 0x42, 0xb4, 0x38, 0xe3, 0xd6, 0x54, 0xe7, 0x55, 0xd6, 0x26, 0x8a, 0x0c,
185 0xf6, 0x1f, 0xe0, 0x04, 0xc1, 0x22, 0x42, 0x19, 0x61, 0xc4, 0x94, 0x7c,
186 0x07, 0x2e, 0x80, 0x52, 0xfe, 0x8d, 0xe6, 0x92, 0x3a, 0x91, 0xfe, 0x72,
187 0x99, 0xe1, 0x2a, 0x73, 0x76, 0xb1, 0x24, 0x20, 0x67, 0xde, 0x28, 0xcb,
188 0x0e, 0xe6, 0x52, 0xb5, 0xfa, 0xfb, 0x8b, 0x1e, 0x6a, 0x1d, 0x09, 0x26,
189 0xb9, 0xa7, 0x61, 0xba, 0xf8, 0x79, 0xd2, 0x66, 0x57, 0x28, 0xd7, 0x31,
190 0xb5, 0x0b, 0x27, 0x19, 0x1e, 0x6f, 0x46, 0xfc, 0x54, 0x95, 0xeb, 0x78,
191 0x01, 0xb6, 0xd9, 0x79, 0x5a, 0x4d, 0x02, 0x81, 0x81, 0x00, 0xd5, 0x8f,
192 0x16, 0x53, 0x2f, 0x57, 0x93, 0xbf, 0x09, 0x75, 0xbf, 0x63, 0x40, 0x3d,
193 0x27, 0xfd, 0x23, 0x21, 0xde, 0x9b, 0xe9, 0x73, 0x3f, 0x49, 0x02, 0xd2,
194 0x38, 0x96, 0xcf, 0xc3, 0xba, 0x92, 0x07, 0x87, 0x52, 0xa9, 0x35, 0xe3,
195 0x0c, 0xe4, 0x2f, 0x05, 0x7b, 0x37, 0xa5, 0x40, 0x9c, 0x3b, 0x94, 0xf7,
196 0xad, 0xa0, 0xee, 0x3a, 0xa8, 0xfb, 0x1f, 0x11, 0x1f, 0xd8, 0x9a, 0x80,
197 0x42, 0x3d, 0x7f, 0xa4, 0xb8, 0x9a, 0xaa, 0xea, 0x72, 0xc1, 0xe3, 0xed,
198 0x06, 0x60, 0x92, 0x37, 0xf9, 0xba, 0xfb, 0x9e, 0xed, 0x05, 0xa6, 0xd4,
199 0x72, 0x68, 0x4f, 0x63, 0xfe, 0xd6, 0x10, 0x0d, 0x4f, 0x0a, 0x93, 0xc6,
200 0xb9, 0xd7, 0xaf, 0xfd, 0xd9, 0x57, 0x7d, 0xcb, 0x75, 0xe8, 0x93, 0x2b,
201 0xae, 0x4f, 0xea, 0xd7, 0x30, 0x0b, 0x58, 0x44, 0x82, 0x0f, 0x84, 0x5d,
202 0x62, 0x11, 0x78, 0xea, 0x5f, 0xc5, 0x02, 0x81, 0x81, 0x00, 0x82, 0x0c,
203 0xc1, 0xe6, 0x0b, 0x72, 0xf1, 0x48, 0x5f, 0xac, 0xbd, 0x98, 0xe5, 0x7d,
204 0x09, 0xbd, 0x15, 0x95, 0x47, 0x09, 0xa1, 0x6c, 0x03, 0x91, 0xbf, 0x05,
205 0x70, 0xc1, 0x3e, 0x52, 0x64, 0x99, 0x0e, 0xa7, 0x98, 0x70, 0xfb, 0xf6,
206 0xeb, 0x9e, 0x25, 0x9d, 0x8e, 0x88, 0x30, 0xf2, 0xf0, 0x22, 0x6c, 0xd0,
207 0xcc, 0x51, 0x8f, 0x5c, 0x70, 0xc7, 0x37, 0xc4, 0x69, 0xab, 0x1d, 0xfc,
208 0xed, 0x3a, 0x03, 0xbb, 0xa2, 0xad, 0xb6, 0xea, 0x89, 0x6b, 0x67, 0x4b,
209 0x96, 0xaa, 0xd9, 0xcc, 0xc8, 0x4b, 0xfa, 0x18, 0x21, 0x08, 0xb2, 0xa3,
210 0xb9, 0x3e, 0x61, 0x99, 0xdc, 0x5a, 0x97, 0x9c, 0x73, 0x6a, 0xb9, 0xf9,
211 0x68, 0x03, 0x24, 0x5f, 0x55, 0x77, 0x9c, 0xb4, 0xbe, 0x7a, 0x78, 0x53,
212 0x68, 0x48, 0x69, 0x53, 0xc8, 0xb1, 0xf5, 0xbf, 0x98, 0x2d, 0x11, 0x1e,
213 0x98, 0xa8, 0x36, 0x50, 0xa0, 0xb1, 0x02, 0x81, 0x81, 0x00, 0x90, 0x88,
214 0x30, 0x71, 0xc7, 0xfe, 0x9b, 0x6d, 0x95, 0x37, 0x6d, 0x79, 0xfc, 0x85,
215 0xe7, 0x44, 0x78, 0xbc, 0x79, 0x6e, 0x47, 0x86, 0xc9, 0xf3, 0xdd, 0xc6,
216 0xec, 0xa9, 0x94, 0x9f, 0x40, 0xeb, 0x87, 0xd0, 0xdb, 0xee, 0xcd, 0x1b,
217 0x87, 0x23, 0xff, 0x76, 0xd4, 0x37, 0x8a, 0xcd, 0xb9, 0x6e, 0xd1, 0x98,
218 0xf6, 0x97, 0x8d, 0xe3, 0x81, 0x6d, 0xc3, 0x4e, 0xd1, 0xa0, 0xc4, 0x9f,
219 0xbd, 0x34, 0xe5, 0xe8, 0x53, 0x4f, 0xca, 0x10, 0xb5, 0xed, 0xe7, 0x16,
220 0x09, 0x54, 0xde, 0x60, 0xa7, 0xd1, 0x16, 0x6e, 0x2e, 0xb7, 0xbe, 0x7a,
221 0xd5, 0x9b, 0x26, 0xef, 0xe4, 0x0e, 0x77, 0xfa, 0xa9, 0xdd, 0xdc, 0xb9,
222 0x88, 0x19, 0x23, 0x70, 0xc7, 0xe1, 0x60, 0xaf, 0x8c, 0x73, 0x04, 0xf7,
223 0x71, 0x17, 0x81, 0x36, 0x75, 0xbb, 0x97, 0xd7, 0x75, 0xb6, 0x8e, 0xbc,
224 0xac, 0x9c, 0x6a, 0x9b, 0x24, 0x89, 0x02, 0x81, 0x80, 0x5a, 0x2b, 0xc7,
225 0x6b, 0x8c, 0x65, 0xdb, 0x04, 0x73, 0xab, 0x25, 0xe1, 0x5b, 0xbc, 0x3c,
226 0xcf, 0x5a, 0x3c, 0x04, 0xae, 0x97, 0x2e, 0xfd, 0xa4, 0x97, 0x1f, 0x05,
227 0x17, 0x27, 0xac, 0x7c, 0x30, 0x85, 0xb4, 0x82, 0x3f, 0x5b, 0xb7, 0x94,
228 0x3b, 0x7f, 0x6c, 0x0c, 0xc7, 0x16, 0xc6, 0xa0, 0xbd, 0x80, 0xb0, 0x81,
229 0xde, 0xa0, 0x23, 0xa6, 0xf6, 0x75, 0x33, 0x51, 0x35, 0xa2, 0x75, 0x55,
230 0x70, 0x4d, 0x42, 0xbb, 0xcf, 0x54, 0xe4, 0xdb, 0x2d, 0x88, 0xa0, 0x7a,
231 0xf2, 0x17, 0xa7, 0xdd, 0x13, 0x44, 0x9f, 0x5f, 0x6b, 0x2c, 0x42, 0x42,
232 0x8b, 0x13, 0x4d, 0xf9, 0x5b, 0xf8, 0x33, 0x42, 0xd9, 0x9e, 0x50, 0x1c,
233 0x7c, 0xbc, 0xfa, 0x62, 0x85, 0x0b, 0xcf, 0x99, 0xda, 0x9e, 0x04, 0x90,
234 0xb2, 0xc6, 0xb2, 0x0a, 0x2a, 0x7c, 0x6d, 0x6a, 0x40, 0xfc, 0xf5, 0x50,
235 0x98, 0x46, 0x89, 0x82, 0x40,
236 };
237
238 const uint8_t kALPNProtocols[] = {
239 0x01, 'a', 0x02, 'a', 'a', 0x03, 'a', 'a', 'a',
240 };
241
242 const uint8_t kECHKey[] = {
243 0x35, 0x6d, 0x45, 0x06, 0xb3, 0x88, 0x89, 0x2e, 0xd6, 0x87, 0x84,
244 0xd2, 0x2d, 0x6f, 0x83, 0x48, 0xad, 0xf2, 0xfd, 0x08, 0x51, 0x73,
245 0x10, 0xa0, 0xb8, 0xdd, 0xe9, 0x96, 0x6a, 0xde, 0xbc, 0x82,
246 };
247
ALPNSelectCallback(SSL * ssl,const uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len,void * arg)248 int ALPNSelectCallback(SSL *ssl, const uint8_t **out, uint8_t *out_len,
249 const uint8_t *in, unsigned in_len, void *arg) {
250 static const uint8_t kProtocol[] = {'a', 'a'};
251 *out = kProtocol;
252 *out_len = sizeof(kProtocol);
253 return SSL_TLSEXT_ERR_OK;
254 }
255
NPNSelectCallback(SSL * ssl,uint8_t ** out,uint8_t * out_len,const uint8_t * in,unsigned in_len,void * arg)256 int NPNSelectCallback(SSL *ssl, uint8_t **out, uint8_t *out_len,
257 const uint8_t *in, unsigned in_len, void *arg) {
258 static const uint8_t kProtocol[] = {'a', 'a'};
259 *out = const_cast<uint8_t *>(kProtocol);
260 *out_len = sizeof(kProtocol);
261 return SSL_TLSEXT_ERR_OK;
262 }
263
NPNAdvertiseCallback(SSL * ssl,const uint8_t ** out,unsigned * out_len,void * arg)264 int NPNAdvertiseCallback(SSL *ssl, const uint8_t **out, unsigned *out_len,
265 void *arg) {
266 static const uint8_t kProtocols[] = {
267 0x01, 'a', 0x02, 'a', 'a', 0x03, 'a', 'a', 'a',
268 };
269 *out = kProtocols;
270 *out_len = sizeof(kProtocols);
271 return SSL_TLSEXT_ERR_OK;
272 }
273
274 class TLSFuzzer {
275 public:
276 enum Protocol {
277 kTLS,
278 kDTLS,
279 };
280
281 enum Role {
282 kClient,
283 kServer,
284 };
285
286 enum FuzzerMode {
287 kFuzzerModeOn,
288 kFuzzerModeOff,
289 };
290
TLSFuzzer(Protocol protocol,Role role,FuzzerMode fuzzer_mode)291 TLSFuzzer(Protocol protocol, Role role, FuzzerMode fuzzer_mode)
292 : debug_(getenv("BORINGSSL_FUZZER_DEBUG") != nullptr),
293 protocol_(protocol),
294 role_(role) {
295 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
296 if (fuzzer_mode == kFuzzerModeOn) {
297 CRYPTO_set_fuzzer_mode(1);
298 }
299 #endif
300 if (!Init()) {
301 abort();
302 }
303 }
304
MoveBIOs(SSL * dest,SSL * src)305 static void MoveBIOs(SSL *dest, SSL *src) {
306 BIO *rbio = SSL_get_rbio(src);
307 BIO_up_ref(rbio);
308 SSL_set0_rbio(dest, rbio);
309
310 BIO *wbio = SSL_get_wbio(src);
311 BIO_up_ref(wbio);
312 SSL_set0_wbio(dest, wbio);
313
314 SSL_set0_rbio(src, nullptr);
315 SSL_set0_wbio(src, nullptr);
316 }
317
TestOneInput(const uint8_t * buf,size_t len)318 int TestOneInput(const uint8_t *buf, size_t len) {
319 #if defined(FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION)
320 RAND_reset_for_fuzzing();
321 #endif
322
323 CBS cbs;
324 CBS_init(&cbs, buf, len);
325 bssl::UniquePtr<SSL> ssl = SetupTest(&cbs);
326 if (!ssl) {
327 if (debug_) {
328 fprintf(stderr, "Error parsing parameters.\n");
329 }
330 return 0;
331 }
332
333 if (role_ == kClient) {
334 SSL_set_renegotiate_mode(ssl.get(), ssl_renegotiate_freely);
335 SSL_set_tlsext_host_name(ssl.get(), "hostname");
336 }
337
338 // ssl_handoff may or may not be used.
339 bssl::UniquePtr<SSL> ssl_handoff(SSL_new(ctx_.get()));
340 bssl::UniquePtr<SSL> ssl_handback(SSL_new(ctx_.get()));
341 SSL_set_accept_state(ssl_handoff.get());
342
343 SSL_set0_rbio(ssl.get(), MakeBIO(CBS_data(&cbs), CBS_len(&cbs)).release());
344 SSL_set0_wbio(ssl.get(), BIO_new(BIO_s_mem()));
345
346 SSL *ssl_handshake = ssl.get();
347 bool handshake_successful = false;
348 bool handback_successful = false;
349 for (;;) {
350 int ret = SSL_do_handshake(ssl_handshake);
351 if (ret < 0 && SSL_get_error(ssl_handshake, ret) == SSL_ERROR_HANDOFF) {
352 MoveBIOs(ssl_handoff.get(), ssl.get());
353 // Ordinarily we would call SSL_serialize_handoff(ssl.get(). But for
354 // fuzzing, use the serialized handoff that's getting fuzzed.
355 if (!bssl::SSL_apply_handoff(ssl_handoff.get(), handoff_)) {
356 if (debug_) {
357 fprintf(stderr, "Handoff failed.\n");
358 }
359 break;
360 }
361 ssl_handshake = ssl_handoff.get();
362 } else if (ret < 0 &&
363 SSL_get_error(ssl_handshake, ret) == SSL_ERROR_HANDBACK) {
364 MoveBIOs(ssl_handback.get(), ssl_handoff.get());
365 if (!bssl::SSL_apply_handback(ssl_handback.get(), handback_)) {
366 if (debug_) {
367 fprintf(stderr, "Handback failed.\n");
368 }
369 break;
370 }
371 handback_successful = true;
372 ssl_handshake = ssl_handback.get();
373 } else {
374 handshake_successful = ret == 1;
375 break;
376 }
377 }
378
379 if (debug_) {
380 if (!handshake_successful) {
381 fprintf(stderr, "Handshake failed.\n");
382 } else if (handback_successful) {
383 fprintf(stderr, "Handback successful.\n");
384 }
385 }
386
387 if (handshake_successful) {
388 // Keep reading application data until error or EOF.
389 uint8_t tmp[1024];
390 for (;;) {
391 if (SSL_read(ssl_handshake, tmp, sizeof(tmp)) <= 0) {
392 break;
393 }
394 }
395 }
396
397 if (debug_) {
398 ERR_print_errors_fp(stderr);
399 }
400 ERR_clear_error();
401 return 0;
402 }
403
404 private:
405 // Init initializes |ctx_| with settings common to all inputs.
Init()406 bool Init() {
407 ctx_.reset(SSL_CTX_new(protocol_ == kDTLS ? DTLS_method() : TLS_method()));
408 bssl::UniquePtr<EVP_PKEY> pkey(EVP_PKEY_new());
409 bssl::UniquePtr<RSA> privkey(RSA_private_key_from_bytes(
410 kRSAPrivateKeyDER, sizeof(kRSAPrivateKeyDER)));
411 if (!ctx_ || !privkey || !pkey ||
412 !EVP_PKEY_set1_RSA(pkey.get(), privkey.get()) ||
413 !SSL_CTX_use_PrivateKey(ctx_.get(), pkey.get())) {
414 return false;
415 }
416
417 const uint8_t *bufp = kCertificateDER;
418 bssl::UniquePtr<X509> cert(d2i_X509(NULL, &bufp, sizeof(kCertificateDER)));
419 if (!cert ||
420 !SSL_CTX_use_certificate(ctx_.get(), cert.get()) ||
421 !SSL_CTX_set_ocsp_response(ctx_.get(), kOCSPResponse,
422 sizeof(kOCSPResponse)) ||
423 !SSL_CTX_set_signed_cert_timestamp_list(ctx_.get(), kSCT,
424 sizeof(kSCT))) {
425 return false;
426 }
427
428 // Use a constant clock.
429 SSL_CTX_set_current_time_cb(ctx_.get(),
430 [](const SSL *ssl, timeval *out_clock) {
431 *out_clock = {1234, 1234};
432 });
433
434 // When accepting peer certificates, allow any certificate.
435 SSL_CTX_set_cert_verify_callback(
436 ctx_.get(),
437 [](X509_STORE_CTX *store_ctx, void *arg) -> int { return 1; }, nullptr);
438
439 SSL_CTX_enable_signed_cert_timestamps(ctx_.get());
440 SSL_CTX_enable_ocsp_stapling(ctx_.get());
441
442 // Enable versions and ciphers that are off by default.
443 uint16_t min_version = protocol_ == kDTLS ? DTLS1_VERSION : TLS1_VERSION;
444 uint16_t max_version =
445 protocol_ == kDTLS ? DTLS1_3_VERSION : TLS1_3_VERSION;
446 if (!SSL_CTX_set_min_proto_version(ctx_.get(), min_version) ||
447 !SSL_CTX_set_max_proto_version(ctx_.get(), max_version) ||
448 !SSL_CTX_set_strict_cipher_list(ctx_.get(), "ALL:3DES")) {
449 return false;
450 }
451
452 static const uint16_t kGroups[] = {
453 SSL_GROUP_X25519_MLKEM768, SSL_GROUP_X25519_KYBER768_DRAFT00,
454 SSL_GROUP_MLKEM1024, SSL_GROUP_X25519,
455 SSL_GROUP_SECP256R1, SSL_GROUP_SECP384R1,
456 SSL_GROUP_SECP521R1};
457 if (!SSL_CTX_set1_group_ids(ctx_.get(), kGroups,
458 OPENSSL_ARRAY_SIZE(kGroups))) {
459 return false;
460 }
461
462 SSL_CTX_set_early_data_enabled(ctx_.get(), 1);
463
464 SSL_CTX_set_next_proto_select_cb(ctx_.get(), NPNSelectCallback, nullptr);
465 SSL_CTX_set_next_protos_advertised_cb(ctx_.get(), NPNAdvertiseCallback,
466 nullptr);
467
468 SSL_CTX_set_alpn_select_cb(ctx_.get(), ALPNSelectCallback, nullptr);
469 if (SSL_CTX_set_alpn_protos(ctx_.get(), kALPNProtocols,
470 sizeof(kALPNProtocols)) != 0) {
471 return false;
472 }
473
474 CBS cbs;
475 CBS_init(&cbs, kP256KeyPKCS8, sizeof(kP256KeyPKCS8));
476 pkey.reset(EVP_parse_private_key(&cbs));
477 if (!pkey || !SSL_CTX_set1_tls_channel_id(ctx_.get(), pkey.get())) {
478 return false;
479 }
480 SSL_CTX_set_tls_channel_id_enabled(ctx_.get(), 1);
481
482 if (role_ == kServer) {
483 bssl::UniquePtr<SSL_ECH_KEYS> keys(SSL_ECH_KEYS_new());
484 bssl::ScopedEVP_HPKE_KEY key;
485 uint8_t *ech_config;
486 size_t ech_config_len;
487 if (!keys ||
488 !EVP_HPKE_KEY_init(key.get(), EVP_hpke_x25519_hkdf_sha256(), kECHKey,
489 sizeof(kECHKey)) ||
490 // Match |echConfig| in |addEncryptedClientHelloTests| from runner.go.
491 !SSL_marshal_ech_config(&ech_config, &ech_config_len,
492 /*config_id=*/42, key.get(), "public.example",
493 /*max_name_len=*/64)) {
494 return false;
495 }
496 bssl::UniquePtr<uint8_t> free_ech_config(ech_config);
497 if (!SSL_ECH_KEYS_add(keys.get(), /*is_retry_config=*/true, ech_config,
498 ech_config_len, key.get()) ||
499 !SSL_CTX_set1_ech_keys(ctx_.get(), keys.get())) {
500 return false;
501 }
502 }
503
504 return true;
505 }
506
507 // SetupTest parses parameters from |cbs| and returns a newly-configured |SSL|
508 // object or nullptr on error. On success, the caller should feed the
509 // remaining input in |cbs| to the SSL stack.
SetupTest(CBS * cbs)510 bssl::UniquePtr<SSL> SetupTest(CBS *cbs) {
511 // |ctx| is shared between runs, so we must clear any modifications to it
512 // made later on in this function.
513 SSL_CTX_flush_sessions(ctx_.get(), 0);
514 handoff_ = {};
515 handback_ = {};
516
517 bssl::UniquePtr<SSL> ssl(SSL_new(ctx_.get()));
518 if (role_ == kServer) {
519 SSL_set_accept_state(ssl.get());
520 } else {
521 SSL_set_connect_state(ssl.get());
522 }
523
524 for (;;) {
525 uint16_t tag;
526 if (!CBS_get_u16(cbs, &tag)) {
527 return nullptr;
528 }
529 switch (tag) {
530 case kDataTag:
531 return ssl;
532
533 case kSessionTag: {
534 CBS data;
535 if (!CBS_get_u24_length_prefixed(cbs, &data)) {
536 return nullptr;
537 }
538 bssl::UniquePtr<SSL_SESSION> session(SSL_SESSION_from_bytes(
539 CBS_data(&data), CBS_len(&data), ctx_.get()));
540 if (!session) {
541 return nullptr;
542 }
543
544 if (role_ == kServer) {
545 SSL_CTX_add_session(ctx_.get(), session.get());
546 } else {
547 SSL_set_session(ssl.get(), session.get());
548 }
549 break;
550 }
551
552 case kRequestClientCert:
553 if (role_ == kClient) {
554 return nullptr;
555 }
556 SSL_set_verify(ssl.get(), SSL_VERIFY_PEER, nullptr);
557 break;
558
559 case kHandoffTag: {
560 CBS handoff;
561 if (!CBS_get_u24_length_prefixed(cbs, &handoff)) {
562 return nullptr;
563 }
564 handoff_.assign(CBS_data(&handoff),
565 CBS_data(&handoff) + CBS_len(&handoff));
566 bssl::SSL_set_handoff_mode(ssl.get(), 1);
567 break;
568 }
569
570 case kHandbackTag: {
571 CBS handback;
572 if (!CBS_get_u24_length_prefixed(cbs, &handback)) {
573 return nullptr;
574 }
575 handback_.assign(CBS_data(&handback),
576 CBS_data(&handback) + CBS_len(&handback));
577 bssl::SSL_set_handoff_mode(ssl.get(), 1);
578 break;
579 }
580
581 case kHintsTag: {
582 CBS hints;
583 if (!CBS_get_u24_length_prefixed(cbs, &hints)) {
584 return nullptr;
585 }
586 SSL_set_handshake_hints(ssl.get(), CBS_data(&hints), CBS_len(&hints));
587 break;
588 }
589
590 default:
591 return nullptr;
592 }
593 }
594 }
595
596 struct BIOData {
597 Protocol protocol;
598 CBS cbs;
599 };
600
MakeBIO(const uint8_t * in,size_t len)601 bssl::UniquePtr<BIO> MakeBIO(const uint8_t *in, size_t len) {
602 BIOData *b = new BIOData;
603 b->protocol = protocol_;
604 CBS_init(&b->cbs, in, len);
605
606 bssl::UniquePtr<BIO> bio(BIO_new(BIOMethod()));
607 BIO_set_init(bio.get(), 1);
608 BIO_set_data(bio.get(), b);
609 return bio;
610 }
611
BIORead(BIO * bio,char * out,int len)612 static int BIORead(BIO *bio, char *out, int len) {
613 BIOData *b = reinterpret_cast<BIOData *>(BIO_get_data(bio));
614 if (b->protocol == kTLS) {
615 len = std::min(static_cast<size_t>(len), CBS_len(&b->cbs));
616 memcpy(out, CBS_data(&b->cbs), len);
617 CBS_skip(&b->cbs, len);
618 return len;
619 }
620
621 // Preserve packet boundaries for DTLS.
622 CBS packet;
623 if (!CBS_get_u24_length_prefixed(&b->cbs, &packet)) {
624 return -1;
625 }
626 len = std::min(static_cast<size_t>(len), CBS_len(&packet));
627 memcpy(out, CBS_data(&packet), len);
628 return len;
629 }
630
BIODestroy(BIO * bio)631 static int BIODestroy(BIO *bio) {
632 BIOData *b = reinterpret_cast<BIOData *>(BIO_get_data(bio));
633 delete b;
634 return 1;
635 }
636
BIOMethod()637 static const BIO_METHOD *BIOMethod() {
638 static const BIO_METHOD *method = [] {
639 BIO_METHOD *ret = BIO_meth_new(0, nullptr);
640 BSSL_CHECK(ret);
641 BSSL_CHECK(BIO_meth_set_read(ret, BIORead));
642 BSSL_CHECK(BIO_meth_set_destroy(ret, BIODestroy));
643 return ret;
644 }();
645 return method;
646 }
647
648 bool debug_;
649 Protocol protocol_;
650 Role role_;
651 bssl::UniquePtr<SSL_CTX> ctx_;
652 std::vector<uint8_t> handoff_, handback_;
653 };
654
655 } // namespace
656
657
658 #endif // HEADER_SSL_TEST_FUZZER
659