/src/botan/src/fuzzer/tls_server.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * (C) 2015,2016 Jack Lloyd |
3 | | * |
4 | | * Botan is released under the Simplified BSD License (see license.txt) |
5 | | */ |
6 | | |
7 | | #include "fuzzers.h" |
8 | | #include <botan/tls_server.h> |
9 | | #include <botan/data_src.h> |
10 | | |
11 | | const char* fixed_rsa_key = |
12 | | "-----BEGIN PRIVATE KEY-----\n" |
13 | | "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe6qqpMQVJ7zCJ\n" |
14 | | "oSnpxia0yO6M7Ie3FGqPcd0DzueC+kWPvuHQ+PpP5vfO6qqRaDVII37PFX5NUZQm\n" |
15 | | "GK/rAm7spjIHTCMgqSZ8pN13LU8m1gDwIdu9al16LXN9zZjB67uLlFn2trtLi234\n" |
16 | | "i0cnyeF8IC0cz7tgCOzMSVEBcqJjkdgGrZ3WUgOXecVm2lXVrYlEiaSxFp4VOE9k\n" |
17 | | "RFeVrELCjmNtc4hRd1yJsF+vObCtvyqGYQE1Qcb0MVSQDBHMkiUVmO6zuW7td5ef\n" |
18 | | "O/1OyntQJGyVa+SnWbkSLCybta2J7MreHENrF5GA0K1KL140SNRHeWifRMuNQua7\n" |
19 | | "qmKXMBTFAgMBAAECggEAIk3fxyQI0zvpy1vZ01ft1QqmzA7nAPNMSWi33/GS8iga\n" |
20 | | "SfxXfKeySPs/tQ/dAARxs//NiOBH4mLgyxR7LQzaawU5OXALCSraXv+ruuUx990s\n" |
21 | | "WKnGaG4EfbJAAwEVn47Gbkv425P4fEc91vAhzQn8PbIoatbAyOtESpjs/pYDTeC/\n" |
22 | | "mnJId8gqO90cqyRECEMjk9sQ8iEjWPlik4ayGlUVbeeMu6/pJ9F8IZEgkLZiNDAB\n" |
23 | | "4anmOFaT7EmqUjI4IlcaqfbbXyDXlvWUYukidEss+CNvPuqbQHBDnpFVvBxdDR2N\n" |
24 | | "Uj2D5Xd5blcIe2/+1IVRnznjoQ5zvutzb7ThBmMehQKBgQDOITKG0ht2kXLxjVoR\n" |
25 | | "r/pVpx+f3hs3H7wE0+vrLHoQgkVjpMWXQ47YuZTT9rCOOYNI2cMoH2D27t1j78/B\n" |
26 | | "9kGYABUVpvQQ+6amqJDI1eYI6e68TPueEDjeALfSCdmPNiI3lZZrCIK9XLpkoy8K\n" |
27 | | "tGYBRRJ+JJxjj1zPXj9SGshPgwKBgQDFXUtoxY3mCStH3+0b1qxGG9r1L5goHEmd\n" |
28 | | "Am8WBYDheNpL0VqPNzouhuM/ZWMGyyAs/py6aLATe+qhR1uX5vn7LVZwjCSONZ4j\n" |
29 | | "7ieEEUh1BHetPI1oI5PxgokRYfVuckotqVseanI/536Er3Yf2FXNQ1/ceVp9WykX\n" |
30 | | "3mYTKMhQFwKBgQDKakcXpZNaZ5IcKdZcsBZ/rdGcR5sqEnursf9lvRNQytwg8Vkn\n" |
31 | | "JSxNHlBLpV/TCh8lltHRwJ6TXhUBYij+KzhWbx5FWOErHDOWTMmArqtp7W6GcoJT\n" |
32 | | "wVJWjxXzp8CApYQMWVSQXpckJL7UvHohZO0WKiHyxTjde5aD++TqV2qEyQKBgBbD\n" |
33 | | "jvoTpy08K4DLxCZs2Uvw1I1pIuylbpwsdrGciuP2s38BM6fHH+/T4Qwj3osfDKQD\n" |
34 | | "7gHWJ1Dn/wUBHQBlRLoC3bB3iZPZfVb5lhc2gxv0GvWhQVIcoGi/vJ2DpfJKPmIL\n" |
35 | | "4ZWdg3X5dm9JaZ98rVDSj5D3ckd5J0E4hp95GbmbAoGBAJJHM4O9lx60tIjw9Sf/\n" |
36 | | "QmKWyUk0NLnt8DcgRMW7fVxtzPNDy9DBKGIkDdWZ2s+ForICA3C9WSxBC1EOEHGG\n" |
37 | | "xkg2xKt66CeutGroP6M191mHQrRClt1VbEYzQFX21BCk5kig9i/BURyoTHtFiV+t\n" |
38 | | "kbf4VLg8Vk9u/R3RU1HsYWhe\n" |
39 | | "-----END PRIVATE KEY-----\n"; |
40 | | |
41 | | const char* fixed_rsa_cert = |
42 | | "-----BEGIN CERTIFICATE-----\n" |
43 | | "MIIDUDCCAjgCCQD7pIb1ZsoafjANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJW\n" |
44 | | "VDEQMA4GA1UECAwHVmVybW9udDEWMBQGA1UEBwwNVGhlIEludGVybmV0czEUMBIG\n" |
45 | | "A1UECgwLTWFuZ29zIFIgVXMxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTAe\n" |
46 | | "Fw0xNjAxMDYxNzQ3MjNaFw0yNjAxMDMxNzQ3MjNaMGoxCzAJBgNVBAYTAlZUMRAw\n" |
47 | | "DgYDVQQIDAdWZXJtb250MRYwFAYDVQQHDA1UaGUgSW50ZXJuZXRzMRQwEgYDVQQK\n" |
48 | | "DAtNYW5nb3MgUiBVczEbMBkGA1UEAwwSc2VydmVyLmV4YW1wbGUuY29tMIIBIjAN\n" |
49 | | "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnuqqqTEFSe8wiaEp6cYmtMjujOyH\n" |
50 | | "txRqj3HdA87ngvpFj77h0Pj6T+b3zuqqkWg1SCN+zxV+TVGUJhiv6wJu7KYyB0wj\n" |
51 | | "IKkmfKTddy1PJtYA8CHbvWpdei1zfc2Yweu7i5RZ9ra7S4tt+ItHJ8nhfCAtHM+7\n" |
52 | | "YAjszElRAXKiY5HYBq2d1lIDl3nFZtpV1a2JRImksRaeFThPZERXlaxCwo5jbXOI\n" |
53 | | "UXdcibBfrzmwrb8qhmEBNUHG9DFUkAwRzJIlFZjus7lu7XeXnzv9Tsp7UCRslWvk\n" |
54 | | "p1m5Eiwsm7WtiezK3hxDaxeRgNCtSi9eNEjUR3lon0TLjULmu6pilzAUxQIDAQAB\n" |
55 | | "MA0GCSqGSIb3DQEBCwUAA4IBAQA1eZGc/4V7z/E/6eG0hVkzoAZeuTcSP7WqBSx+\n" |
56 | | "OP2yh0163UYjoa6nehmkKYQQ9PbYPZGzIcl+dBFyYzy6jcp0NdtzpWnTFrjl4rMq\n" |
57 | | "akcQ1D0LTYjJXVP9G/vF/SvatOFeVTnQmLlLt/a8ZtRUINqejeZZPzH8ifzFW6tu\n" |
58 | | "mlhTVIEKyPHpxClh5Y3ubw/mZYygekFTqMkTx3FwJxKU8J6rYGZxanWAODUIvCUo\n" |
59 | | "Fxer1qC5Love3uWl3vXPLEZWZdORnExSRByzz2immBP2vX4zYZoeZRhTQ9ae1TIV\n" |
60 | | "Dk02a/1AOJZdZReDbgXhlqaUx5pk/rzo4mDzvu5HSCeXmClz\n" |
61 | | "-----END CERTIFICATE-----\n"; |
62 | | |
63 | | class Fuzzer_TLS_Server_Creds : public Botan::Credentials_Manager |
64 | | { |
65 | | public: |
66 | | Fuzzer_TLS_Server_Creds() |
67 | 5.55k | { |
68 | 5.55k | Botan::DataSource_Memory cert_in(fixed_rsa_cert); |
69 | 5.55k | Botan::DataSource_Memory key_in(fixed_rsa_key); |
70 | 5.55k | |
71 | 5.55k | m_rsa_cert.reset(new Botan::X509_Certificate(cert_in)); |
72 | | //m_rsa_key.reset(Botan::PKCS8::load_key(key_in, fuzzer_rng()); |
73 | 5.55k | } |
74 | | |
75 | | std::vector<Botan::X509_Certificate> cert_chain( |
76 | | const std::vector<std::string>& algos, |
77 | | const std::string& /*type*/, |
78 | | const std::string& /*hostname*/) override |
79 | 75.8k | { |
80 | 75.8k | std::vector<Botan::X509_Certificate> v; |
81 | 75.8k | |
82 | 75.8k | for(auto algo : algos) |
83 | 75.8k | { |
84 | 75.8k | if(algo == "RSA") |
85 | 25.2k | { |
86 | 25.2k | v.push_back(*m_rsa_cert); |
87 | 25.2k | break; |
88 | 25.2k | } |
89 | 75.8k | } |
90 | 75.8k | |
91 | 75.8k | return v; |
92 | 75.8k | } |
93 | | |
94 | | Botan::Private_Key* private_key_for(const Botan::X509_Certificate& /*cert*/, |
95 | | const std::string& /*type*/, |
96 | | const std::string& /*context*/) override |
97 | 140 | { |
98 | 140 | return m_rsa_key.get(); |
99 | 140 | } |
100 | | |
101 | 21.7k | std::string psk_identity_hint(const std::string&, const std::string&) override { return "psk_hint"; } |
102 | 0 | std::string psk_identity(const std::string&, const std::string&, const std::string&) override { return "psk_id"; } |
103 | | Botan::SymmetricKey psk(const std::string&, const std::string&, const std::string&) override |
104 | 47.8k | { |
105 | 47.8k | return Botan::SymmetricKey("AABBCCDDEEFF00112233445566778899"); |
106 | 47.8k | } |
107 | | private: |
108 | | std::unique_ptr<Botan::X509_Certificate> m_rsa_cert; |
109 | | std::unique_ptr<Botan::Private_Key> m_rsa_key; |
110 | | }; |
111 | | |
112 | | class Fuzzer_TLS_Policy : public Botan::TLS::Policy |
113 | | { |
114 | | public: |
115 | | std::vector<uint16_t> ciphersuite_list(Botan::TLS::Protocol_Version version, |
116 | | bool have_srp) const |
117 | 31.4k | { |
118 | 31.4k | std::vector<uint16_t> ciphersuites; |
119 | 31.4k | |
120 | 31.4k | for(auto&& suite : Botan::TLS::Ciphersuite::all_known_ciphersuites()) |
121 | 5.75M | { |
122 | 5.75M | if(suite.valid() == false) |
123 | 0 | continue; |
124 | 5.75M | |
125 | | // Are we doing SRP? |
126 | 5.75M | if(!have_srp && suite.kex_method() == Botan::TLS::Kex_Algo::SRP_SHA) |
127 | 282k | continue; |
128 | 5.47M | |
129 | 5.47M | if(!version.supports_aead_modes()) |
130 | 0 | { |
131 | | // Are we doing AEAD in a non-AEAD version? |
132 | 0 | if(suite.mac_algo() == "AEAD") |
133 | 0 | continue; |
134 | 0 | |
135 | | // Older (v1.0/v1.1) versions also do not support any hash but SHA-1 |
136 | 0 | if(suite.mac_algo() != "SHA-1") |
137 | 0 | continue; |
138 | 5.47M | } |
139 | 5.47M | |
140 | 5.47M | ciphersuites.push_back(suite.ciphersuite_code()); |
141 | 5.47M | } |
142 | 31.4k | |
143 | 31.4k | return ciphersuites; |
144 | 31.4k | } |
145 | | }; |
146 | | |
147 | | class Fuzzer_TLS_Server_Callbacks : public Botan::TLS::Callbacks |
148 | | { |
149 | | public: |
150 | | void tls_emit_data(const uint8_t[], size_t) override |
151 | 85.7k | { |
152 | | // discard |
153 | 85.7k | } |
154 | | |
155 | | void tls_record_received(uint64_t, const uint8_t[], size_t) override |
156 | 0 | { |
157 | | // ignore peer data |
158 | 0 | } |
159 | | |
160 | | void tls_alert(Botan::TLS::Alert) override |
161 | 47.1k | { |
162 | | // ignore alert |
163 | 47.1k | } |
164 | | |
165 | | bool tls_session_established(const Botan::TLS::Session&) override |
166 | 450 | { |
167 | 450 | return true; // cache it |
168 | 450 | } |
169 | | |
170 | | std::string tls_server_choose_app_protocol(const std::vector<std::string>& client_protos) override |
171 | 6.85k | { |
172 | 6.85k | if(client_protos.size() > 1) |
173 | 9 | return client_protos[0]; |
174 | 6.84k | else |
175 | 6.84k | return "fuzzy"; |
176 | 6.85k | } |
177 | | |
178 | | void tls_verify_cert_chain( |
179 | | const std::vector<Botan::X509_Certificate>& cert_chain, |
180 | | const std::vector<std::shared_ptr<const Botan::OCSP::Response>>& ocsp_responses, |
181 | | const std::vector<Botan::Certificate_Store*>& trusted_roots, |
182 | | Botan::Usage_Type usage, |
183 | | const std::string& hostname, |
184 | | const Botan::TLS::Policy& policy) override |
185 | 0 | { |
186 | 0 | try |
187 | 0 | { |
188 | | // try to validate to exercise those code paths |
189 | 0 | Botan::TLS::Callbacks::tls_verify_cert_chain(cert_chain, ocsp_responses, |
190 | 0 | trusted_roots, usage, hostname, policy); |
191 | 0 | } |
192 | 0 | catch(...) |
193 | 0 | { |
194 | | // ignore validation result |
195 | 0 | } |
196 | 0 | } |
197 | | |
198 | | }; |
199 | | |
200 | | void fuzz(const uint8_t in[], size_t len) |
201 | 5.55k | { |
202 | 5.55k | if(len <= 1) |
203 | 2 | return; |
204 | 5.55k | |
205 | 5.55k | Botan::TLS::Session_Manager_Noop session_manager; |
206 | 5.55k | Fuzzer_TLS_Policy policy; |
207 | 5.55k | Botan::TLS::Server_Information info("server.name", 443); |
208 | 5.55k | Fuzzer_TLS_Server_Creds creds; |
209 | 5.55k | Fuzzer_TLS_Server_Callbacks callbacks; |
210 | 5.55k | |
211 | 5.55k | const bool is_datagram = in[0] & 1; |
212 | 5.55k | |
213 | 5.55k | Botan::TLS::Server server(callbacks, |
214 | 5.55k | session_manager, |
215 | 5.55k | creds, |
216 | 5.55k | policy, |
217 | 5.55k | fuzzer_rng(), |
218 | 5.55k | is_datagram); |
219 | 5.55k | |
220 | 5.55k | try |
221 | 5.55k | { |
222 | 5.55k | server.received_data(in + 1, len - 1); |
223 | 5.55k | } |
224 | 5.55k | catch(std::exception& e) |
225 | 3.09k | { |
226 | 3.09k | } |
227 | 5.55k | } |