diff options
-rw-r--r-- | fuzz/Makefile.am | 6 | ||||
-rw-r--r-- | fuzz/gnutls_handshake_client_fuzzer.c | 85 | ||||
-rw-r--r-- | fuzz/gnutls_handshake_client_fuzzer.in/b8bf41c354dcafcd24d437e5a26b666a2cbea58c357b24e9e5549c1ec1d5bfda | bin | 0 -> 1700 bytes | |||
-rw-r--r-- | fuzz/gnutls_handshake_server_fuzzer.c | 130 | ||||
-rw-r--r-- | fuzz/gnutls_handshake_server_fuzzer.in/455834990de124995c50d9d19439062dcedd17249ff24f5ed93bf74d72f3b2db | bin | 0 -> 398 bytes | |||
-rw-r--r-- | fuzz/handshake.h | 93 |
6 files changed, 313 insertions, 1 deletions
diff --git a/fuzz/Makefile.am b/fuzz/Makefile.am index cf7fab1072..f5e5c64db8 100644 --- a/fuzz/Makefile.am +++ b/fuzz/Makefile.am @@ -33,7 +33,9 @@ FUZZERS = \ gnutls_x509_crl_parser_fuzzer$(EXEEXT) \ gnutls_x509_crq_parser_fuzzer$(EXEEXT) \ gnutls_x509_parser_fuzzer$(EXEEXT) \ - gnutls_ext_raw_parse_fuzzer$(EXEEXT) + gnutls_ext_raw_parse_fuzzer$(EXEEXT) \ + gnutls_handshake_client_fuzzer$(EXEEXT) \ + gnutls_handshake_server_fuzzer$(EXEEXT) check_PROGRAMS = $(FUZZERS) @@ -43,6 +45,7 @@ gnutls_base64_decoder_fuzzer_SOURCES = gnutls_base64_decoder_fuzzer.c $(COMMON_S gnutls_base64_encoder_fuzzer_SOURCES = gnutls_base64_encoder_fuzzer.c $(COMMON_SOURCES) gnutls_client_fuzzer_SOURCES = gnutls_client_fuzzer.c $(COMMON_SOURCES) mem.h certs.h gnutls_client_rawpk_fuzzer_SOURCES = gnutls_client_rawpk_fuzzer.c $(COMMON_SOURCES) mem.h certs.h +gnutls_handshake_client_fuzzer_SOURCES = gnutls_handshake_client_fuzzer.c $(COMMON_SOURCES) handshake.h gnutls_dn_parser_fuzzer_SOURCES = gnutls_dn_parser_fuzzer.c $(COMMON_SOURCES) gnutls_idna_parser_fuzzer_SOURCES = gnutls_idna_parser_fuzzer.c $(COMMON_SOURCES) gnutls_ocsp_req_parser_fuzzer_SOURCES = gnutls_ocsp_req_parser_fuzzer.c $(COMMON_SOURCES) @@ -56,6 +59,7 @@ gnutls_psk_server_fuzzer_SOURCES = gnutls_psk_server_fuzzer.c $(COMMON_SOURCES) gnutls_reverse_idna_parser_fuzzer_SOURCES = gnutls_reverse_idna_parser_fuzzer.c $(COMMON_SOURCES) gnutls_server_fuzzer_SOURCES = gnutls_server_fuzzer.c $(COMMON_SOURCES) mem.h certs.h gnutls_server_rawpk_fuzzer_SOURCES = gnutls_server_rawpk_fuzzer.c $(COMMON_SOURCES) mem.h certs.h +gnutls_handshake_server_fuzzer_SOURCES = gnutls_handshake_server_fuzzer.c $(COMMON_SOURCES) handshake.h certs.h gnutls_srp_client_fuzzer_SOURCES = gnutls_srp_client_fuzzer.c $(COMMON_SOURCES) mem.h srp.h gnutls_srp_server_fuzzer_SOURCES = gnutls_srp_server_fuzzer.c $(COMMON_SOURCES) mem.h srp.h gnutls_set_trust_file_fuzzer_SOURCES = gnutls_set_trust_file_fuzzer.c $(COMMON_SOURCES) diff --git a/fuzz/gnutls_handshake_client_fuzzer.c b/fuzz/gnutls_handshake_client_fuzzer.c new file mode 100644 index 0000000000..8ae5babdc0 --- /dev/null +++ b/fuzz/gnutls_handshake_client_fuzzer.c @@ -0,0 +1,85 @@ +/* +# Copyright 2016 Google Inc. +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +*/ + +#include <assert.h> +#include <fcntl.h> +#include <stdint.h> +#include <sys/types.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> +#include <stdbool.h> + +#include <gnutls/crypto.h> +#include <gnutls/gnutls.h> +#include "handshake.h" +#include "fuzzer.h" + +int __attribute__ ((visibility ("protected"))) +gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) +{ + memset(data, 0xff, len); + + /* Flip the first byte to avoid infinite loop in the RSA + * blinding code of Nettle */ + if (len > 0) + memset(data, 0x0, 1); + return 0; +} + +int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) +{ + int res; + gnutls_session_t session; + gnutls_certificate_credentials_t xcred; + struct mem_st memdata; + + res = gnutls_init(&session, GNUTLS_CLIENT); + assert(res >= 0); + + res = gnutls_certificate_allocate_credentials(&xcred); + assert(res >= 0); + res = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + assert(res >= 0); + + /*res = gnutls_set_default_priority(session);*/ + res = gnutls_priority_set_direct(session, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", NULL); + assert(res >= 0); + + memdata.data = data; + memdata.size = size; + + gnutls_transport_set_push_function(session, error_push); + gnutls_transport_set_pull_function(session, error_pull); + gnutls_handshake_set_read_function(session, handshake_discard); + + do { + res = gnutls_handshake(session); + if (res == GNUTLS_E_AGAIN) { + if (handshake_pull(session, &memdata) < 0) { + res = GNUTLS_E_INTERNAL_ERROR; + break; + } + } + } while (res < 0 && gnutls_error_is_fatal(res) == 0); + + gnutls_deinit(session); + gnutls_certificate_free_credentials(xcred); + return 0; +} diff --git a/fuzz/gnutls_handshake_client_fuzzer.in/b8bf41c354dcafcd24d437e5a26b666a2cbea58c357b24e9e5549c1ec1d5bfda b/fuzz/gnutls_handshake_client_fuzzer.in/b8bf41c354dcafcd24d437e5a26b666a2cbea58c357b24e9e5549c1ec1d5bfda Binary files differnew file mode 100644 index 0000000000..6873151b9b --- /dev/null +++ b/fuzz/gnutls_handshake_client_fuzzer.in/b8bf41c354dcafcd24d437e5a26b666a2cbea58c357b24e9e5549c1ec1d5bfda diff --git a/fuzz/gnutls_handshake_server_fuzzer.c b/fuzz/gnutls_handshake_server_fuzzer.c new file mode 100644 index 0000000000..06b4218dc7 --- /dev/null +++ b/fuzz/gnutls_handshake_server_fuzzer.c @@ -0,0 +1,130 @@ +/* +# Copyright 2017 Red Hat, Inc. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# https://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +################################################################################ +*/ + +#include <assert.h> +#include <stdint.h> +#include <unistd.h> +#include <string.h> +#include <stdlib.h> + +#include <gnutls/crypto.h> +#include <gnutls/gnutls.h> + +#include "certs.h" +#include "handshake.h" +#include "fuzzer.h" + +int __attribute__ ((visibility ("protected"))) +gnutls_rnd(gnutls_rnd_level_t level, void *data, size_t len) +{ + memset(data, 0xff, len); + + /* Flip the first byte to avoid infinite loop in the RSA + * blinding code of Nettle */ + if (len > 0) + memset(data, 0x0, 1); + return 0; +} + +int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size) +{ + int res; + gnutls_datum_t rsa_cert, rsa_key; + gnutls_datum_t ecdsa_cert, ecdsa_key; + gnutls_datum_t ed25519_cert, ed25519_key; + gnutls_datum_t ed448_cert, ed448_key; + gnutls_session_t session; + gnutls_certificate_credentials_t xcred; + struct mem_st memdata; + + res = gnutls_init(&session, GNUTLS_SERVER); + assert(res >= 0); + + res = gnutls_certificate_allocate_credentials(&xcred); + assert(res >= 0); + + rsa_cert.data = (unsigned char *)kRSACertificateDER; + rsa_cert.size = sizeof(kRSACertificateDER); + rsa_key.data = (unsigned char *)kRSAPrivateKeyDER; + rsa_key.size = sizeof(kRSAPrivateKeyDER); + + ecdsa_cert.data = (unsigned char *)kECDSACertificateDER; + ecdsa_cert.size = sizeof(kECDSACertificateDER); + ecdsa_key.data = (unsigned char *)kECDSAPrivateKeyDER; + ecdsa_key.size = sizeof(kECDSAPrivateKeyDER); + + ed25519_cert.data = (unsigned char *)kEd25519CertificateDER; + ed25519_cert.size = sizeof(kEd25519CertificateDER); + ed25519_key.data = (unsigned char *)kEd25519PrivateKeyDER; + ed25519_key.size = sizeof(kEd25519PrivateKeyDER); + + ed448_cert.data = (unsigned char *)kEd448CertificateDER; + ed448_cert.size = sizeof(kEd448CertificateDER); + ed448_key.data = (unsigned char *)kEd448PrivateKeyDER; + ed448_key.size = sizeof(kEd448PrivateKeyDER); + + res = + gnutls_certificate_set_x509_key_mem(xcred, &rsa_cert, &rsa_key, + GNUTLS_X509_FMT_DER); + assert(res >= 0); + + res = + gnutls_certificate_set_x509_key_mem(xcred, &ecdsa_cert, &ecdsa_key, + GNUTLS_X509_FMT_DER); + assert(res >= 0); + + res = + gnutls_certificate_set_x509_key_mem(xcred, &ed25519_cert, &ed25519_key, + GNUTLS_X509_FMT_DER); + assert(res >= 0); + + res = + gnutls_certificate_set_x509_key_mem(xcred, &ed448_cert, &ed448_key, + GNUTLS_X509_FMT_DER); + assert(res >= 0); + + gnutls_certificate_set_known_dh_params(xcred, GNUTLS_SEC_PARAM_MEDIUM); + + res = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred); + assert(res >= 0); + + /*res = gnutls_set_default_priority(session);*/ + res = gnutls_priority_set_direct(session, "NORMAL:-VERS-TLS-ALL:+VERS-TLS1.3", NULL); + assert(res >= 0); + + memdata.data = data; + memdata.size = size; + + gnutls_transport_set_push_function(session, error_push); + gnutls_transport_set_pull_function(session, error_pull); + gnutls_handshake_set_read_function(session, handshake_discard); + + do { + res = gnutls_handshake(session); + if (res == GNUTLS_E_AGAIN) { + if (handshake_pull(session, &memdata) < 0) { + res = GNUTLS_E_INTERNAL_ERROR; + break; + } + } + } while (res < 0 && gnutls_error_is_fatal(res) == 0); + + gnutls_deinit(session); + gnutls_certificate_free_credentials(xcred); + return 0; +} diff --git a/fuzz/gnutls_handshake_server_fuzzer.in/455834990de124995c50d9d19439062dcedd17249ff24f5ed93bf74d72f3b2db b/fuzz/gnutls_handshake_server_fuzzer.in/455834990de124995c50d9d19439062dcedd17249ff24f5ed93bf74d72f3b2db Binary files differnew file mode 100644 index 0000000000..0372d3efd9 --- /dev/null +++ b/fuzz/gnutls_handshake_server_fuzzer.in/455834990de124995c50d9d19439062dcedd17249ff24f5ed93bf74d72f3b2db diff --git a/fuzz/handshake.h b/fuzz/handshake.h new file mode 100644 index 0000000000..72f26e9ea2 --- /dev/null +++ b/fuzz/handshake.h @@ -0,0 +1,93 @@ +/* + * Copyright (C) 2017 Nikos Mavrogiannopoulos + * + * Permission is hereby granted, free of charge, to any person obtaining a + * copy of this software and associated documentation files (the "Software"), + * to deal in the Software without restriction, including without limitation + * the rights to use, copy, modify, merge, publish, distribute, sublicense, + * and/or sell copies of the Software, and to permit persons to whom the + * Software is furnished to do so, subject to the following conditions: + * + * The above copyright notice and this permission notice shall be included in + * all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR + * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, + * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE + * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER + * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING + * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER + * DEALINGS IN THE SOFTWARE. + * + */ + +#ifndef HANDSHAKE_H +# define HANDSHAKE_H + +typedef struct mem_st { + const uint8_t *data; + size_t size; +} mem_st; + +static ssize_t +error_push(gnutls_transport_ptr_t tr, const void *data, size_t len) +{ + return -1; +} + +static ssize_t +error_pull(gnutls_transport_ptr_t tr, void *data, size_t len) +{ + return -1; +} + +static int +handshake_discard(gnutls_session_t session, + gnutls_record_encryption_level_t level, + gnutls_handshake_description_t htype, + const void *data, size_t data_size) +{ + return 0; +} + +static int +handshake_pull(gnutls_session_t session, mem_st *data) +{ + uint32_t level, size; + int ret; + + if (data->size < 4) { + return -1; + } + + level = (data->data[0] << 24) | (data->data[1] << 16) | + (data->data[2] << 8) | data->data[3]; + + data->size -= 4; + data->data += 4; + + if (data->size < 4) { + return -1; + } + + size = (data->data[0] << 24) | (data->data[1] << 16) | + (data->data[2] << 8) | data->data[3]; + + data->size -= 4; + data->data += 4; + + if (size > data->size) { + return -1; + } + + ret = gnutls_handshake_write(session, + (gnutls_record_encryption_level_t)level, + data->data, + size); + data->size -= size; + data->data += size; + + return ret; +} + +#endif |