1 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
2 
3 #include "mbedtls/ssl.h"
4 #include "mbedtls/entropy.h"
5 #include "mbedtls/ctr_drbg.h"
6 #include "test/certs.h"
7 #include "common.h"
8 #include <string.h>
9 #include <stdlib.h>
10 #include <stdint.h>
11 
12 
13 #if defined(MBEDTLS_SSL_CLI_C) && \
14     defined(MBEDTLS_ENTROPY_C) && \
15     defined(MBEDTLS_CTR_DRBG_C)
16 static int initialized = 0;
17 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
18 static mbedtls_x509_crt cacert;
19 #endif
20 const char *alpn_list[3];
21 
22 
23 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
24 const unsigned char psk[] = {
25     0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07,
26     0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f
27 };
28 const char psk_id[] = "Client_identity";
29 #endif
30 
31 const char *pers = "fuzz_client";
32 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
33 
34 
LLVMFuzzerTestOneInput(const uint8_t * Data,size_t Size)35 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
36 #if defined(MBEDTLS_SSL_CLI_C) && \
37     defined(MBEDTLS_ENTROPY_C) && \
38     defined(MBEDTLS_CTR_DRBG_C)
39     int ret;
40     size_t len;
41     mbedtls_ssl_context ssl;
42     mbedtls_ssl_config conf;
43     mbedtls_ctr_drbg_context ctr_drbg;
44     mbedtls_entropy_context entropy;
45     unsigned char buf[4096];
46     fuzzBufferOffset_t biomemfuzz;
47     uint16_t options;
48 
49     if (initialized == 0) {
50 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
51         mbedtls_x509_crt_init( &cacert );
52         if (mbedtls_x509_crt_parse( &cacert, (const unsigned char *) mbedtls_test_cas_pem,
53                                    mbedtls_test_cas_pem_len ) != 0)
54             return 1;
55 #endif
56 
57         alpn_list[0] = "HTTP";
58         alpn_list[1] = "fuzzalpn";
59         alpn_list[2] = NULL;
60 
61         dummy_init();
62 
63         initialized = 1;
64     }
65 
66     //we take 1 byte as options input
67     if (Size < 2) {
68         return 0;
69     }
70     options = (Data[Size - 2] << 8) | Data[Size - 1];
71     //Avoid warnings if compile options imply no options
72     (void) options;
73 
74     mbedtls_ssl_init( &ssl );
75     mbedtls_ssl_config_init( &conf );
76     mbedtls_ctr_drbg_init( &ctr_drbg );
77     mbedtls_entropy_init( &entropy );
78 
79     if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
80                               (const unsigned char *) pers, strlen( pers ) ) != 0 )
81         goto exit;
82 
83     if( mbedtls_ssl_config_defaults( &conf,
84                                     MBEDTLS_SSL_IS_CLIENT,
85                                     MBEDTLS_SSL_TRANSPORT_STREAM,
86                                     MBEDTLS_SSL_PRESET_DEFAULT ) != 0 )
87         goto exit;
88 
89 #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
90     if (options & 2) {
91         mbedtls_ssl_conf_psk( &conf, psk, sizeof( psk ),
92                              (const unsigned char *) psk_id, sizeof( psk_id ) - 1 );
93     }
94 #endif
95 
96 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
97     if (options & 4) {
98         mbedtls_ssl_conf_ca_chain( &conf, &cacert, NULL );
99         mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_REQUIRED );
100     } else
101 #endif
102     {
103         mbedtls_ssl_conf_authmode( &conf, MBEDTLS_SSL_VERIFY_NONE );
104     }
105 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
106     mbedtls_ssl_conf_extended_master_secret( &conf, (options & 0x10) ? MBEDTLS_SSL_EXTENDED_MS_DISABLED : MBEDTLS_SSL_EXTENDED_MS_ENABLED);
107 #endif
108 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
109     mbedtls_ssl_conf_encrypt_then_mac( &conf, (options & 0x20) ? MBEDTLS_SSL_ETM_DISABLED : MBEDTLS_SSL_ETM_ENABLED);
110 #endif
111 #if defined(MBEDTLS_SSL_RENEGOTIATION)
112     mbedtls_ssl_conf_renegotiation( &conf, (options & 0x80) ? MBEDTLS_SSL_RENEGOTIATION_ENABLED : MBEDTLS_SSL_RENEGOTIATION_DISABLED );
113 #endif
114 #if defined(MBEDTLS_SSL_SESSION_TICKETS)
115     mbedtls_ssl_conf_session_tickets( &conf, (options & 0x100) ? MBEDTLS_SSL_SESSION_TICKETS_DISABLED : MBEDTLS_SSL_SESSION_TICKETS_ENABLED );
116 #endif
117 #if defined(MBEDTLS_SSL_ALPN)
118     if (options & 0x200) {
119         mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list );
120     }
121 #endif
122     //There may be other options to add :
123     // mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes
124 
125     srand(1);
126     mbedtls_ssl_conf_rng( &conf, dummy_random, &ctr_drbg );
127 
128     if( mbedtls_ssl_setup( &ssl, &conf ) != 0 )
129         goto exit;
130 
131 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
132     if ((options & 1) == 0) {
133         if( mbedtls_ssl_set_hostname( &ssl, "localhost" ) != 0 )
134             goto exit;
135     }
136 #endif
137 
138     biomemfuzz.Data = Data;
139     biomemfuzz.Size = Size-2;
140     biomemfuzz.Offset = 0;
141     mbedtls_ssl_set_bio( &ssl, &biomemfuzz, dummy_send, fuzz_recv, NULL );
142 
143     ret = mbedtls_ssl_handshake( &ssl );
144     if( ret == 0 )
145     {
146         //keep reading data from server until the end
147         do
148         {
149             len = sizeof( buf ) - 1;
150             ret = mbedtls_ssl_read( &ssl, buf, len );
151 
152             if( ret == MBEDTLS_ERR_SSL_WANT_READ )
153                 continue;
154             else if( ret <= 0 )
155                 //EOF or error
156                 break;
157         }
158         while( 1 );
159     }
160 
161 exit:
162     mbedtls_entropy_free( &entropy );
163     mbedtls_ctr_drbg_free( &ctr_drbg );
164     mbedtls_ssl_config_free( &conf );
165     mbedtls_ssl_free( &ssl );
166 
167 #else
168     (void) Data;
169     (void) Size;
170 #endif /* MBEDTLS_SSL_CLI_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
171 
172     return 0;
173 }
174