Coverage Report

Created: 2020-11-21 08:34

/src/botan/src/fuzzer/tls_server.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* (C) 2015,2016 Jack Lloyd
3
*
4
* Botan is released under the Simplified BSD License (see license.txt)
5
*/
6
7
#include "fuzzers.h"
8
#include <botan/tls_server.h>
9
#include <botan/data_src.h>
10
11
const char* fixed_rsa_key =
12
   "-----BEGIN PRIVATE KEY-----\n"
13
   "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe6qqpMQVJ7zCJ\n"
14
   "oSnpxia0yO6M7Ie3FGqPcd0DzueC+kWPvuHQ+PpP5vfO6qqRaDVII37PFX5NUZQm\n"
15
   "GK/rAm7spjIHTCMgqSZ8pN13LU8m1gDwIdu9al16LXN9zZjB67uLlFn2trtLi234\n"
16
   "i0cnyeF8IC0cz7tgCOzMSVEBcqJjkdgGrZ3WUgOXecVm2lXVrYlEiaSxFp4VOE9k\n"
17
   "RFeVrELCjmNtc4hRd1yJsF+vObCtvyqGYQE1Qcb0MVSQDBHMkiUVmO6zuW7td5ef\n"
18
   "O/1OyntQJGyVa+SnWbkSLCybta2J7MreHENrF5GA0K1KL140SNRHeWifRMuNQua7\n"
19
   "qmKXMBTFAgMBAAECggEAIk3fxyQI0zvpy1vZ01ft1QqmzA7nAPNMSWi33/GS8iga\n"
20
   "SfxXfKeySPs/tQ/dAARxs//NiOBH4mLgyxR7LQzaawU5OXALCSraXv+ruuUx990s\n"
21
   "WKnGaG4EfbJAAwEVn47Gbkv425P4fEc91vAhzQn8PbIoatbAyOtESpjs/pYDTeC/\n"
22
   "mnJId8gqO90cqyRECEMjk9sQ8iEjWPlik4ayGlUVbeeMu6/pJ9F8IZEgkLZiNDAB\n"
23
   "4anmOFaT7EmqUjI4IlcaqfbbXyDXlvWUYukidEss+CNvPuqbQHBDnpFVvBxdDR2N\n"
24
   "Uj2D5Xd5blcIe2/+1IVRnznjoQ5zvutzb7ThBmMehQKBgQDOITKG0ht2kXLxjVoR\n"
25
   "r/pVpx+f3hs3H7wE0+vrLHoQgkVjpMWXQ47YuZTT9rCOOYNI2cMoH2D27t1j78/B\n"
26
   "9kGYABUVpvQQ+6amqJDI1eYI6e68TPueEDjeALfSCdmPNiI3lZZrCIK9XLpkoy8K\n"
27
   "tGYBRRJ+JJxjj1zPXj9SGshPgwKBgQDFXUtoxY3mCStH3+0b1qxGG9r1L5goHEmd\n"
28
   "Am8WBYDheNpL0VqPNzouhuM/ZWMGyyAs/py6aLATe+qhR1uX5vn7LVZwjCSONZ4j\n"
29
   "7ieEEUh1BHetPI1oI5PxgokRYfVuckotqVseanI/536Er3Yf2FXNQ1/ceVp9WykX\n"
30
   "3mYTKMhQFwKBgQDKakcXpZNaZ5IcKdZcsBZ/rdGcR5sqEnursf9lvRNQytwg8Vkn\n"
31
   "JSxNHlBLpV/TCh8lltHRwJ6TXhUBYij+KzhWbx5FWOErHDOWTMmArqtp7W6GcoJT\n"
32
   "wVJWjxXzp8CApYQMWVSQXpckJL7UvHohZO0WKiHyxTjde5aD++TqV2qEyQKBgBbD\n"
33
   "jvoTpy08K4DLxCZs2Uvw1I1pIuylbpwsdrGciuP2s38BM6fHH+/T4Qwj3osfDKQD\n"
34
   "7gHWJ1Dn/wUBHQBlRLoC3bB3iZPZfVb5lhc2gxv0GvWhQVIcoGi/vJ2DpfJKPmIL\n"
35
   "4ZWdg3X5dm9JaZ98rVDSj5D3ckd5J0E4hp95GbmbAoGBAJJHM4O9lx60tIjw9Sf/\n"
36
   "QmKWyUk0NLnt8DcgRMW7fVxtzPNDy9DBKGIkDdWZ2s+ForICA3C9WSxBC1EOEHGG\n"
37
   "xkg2xKt66CeutGroP6M191mHQrRClt1VbEYzQFX21BCk5kig9i/BURyoTHtFiV+t\n"
38
   "kbf4VLg8Vk9u/R3RU1HsYWhe\n"
39
   "-----END PRIVATE KEY-----\n";
40
41
const char* fixed_rsa_cert =
42
   "-----BEGIN CERTIFICATE-----\n"
43
   "MIIDUDCCAjgCCQD7pIb1ZsoafjANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJW\n"
44
   "VDEQMA4GA1UECAwHVmVybW9udDEWMBQGA1UEBwwNVGhlIEludGVybmV0czEUMBIG\n"
45
   "A1UECgwLTWFuZ29zIFIgVXMxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTAe\n"
46
   "Fw0xNjAxMDYxNzQ3MjNaFw0yNjAxMDMxNzQ3MjNaMGoxCzAJBgNVBAYTAlZUMRAw\n"
47
   "DgYDVQQIDAdWZXJtb250MRYwFAYDVQQHDA1UaGUgSW50ZXJuZXRzMRQwEgYDVQQK\n"
48
   "DAtNYW5nb3MgUiBVczEbMBkGA1UEAwwSc2VydmVyLmV4YW1wbGUuY29tMIIBIjAN\n"
49
   "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnuqqqTEFSe8wiaEp6cYmtMjujOyH\n"
50
   "txRqj3HdA87ngvpFj77h0Pj6T+b3zuqqkWg1SCN+zxV+TVGUJhiv6wJu7KYyB0wj\n"
51
   "IKkmfKTddy1PJtYA8CHbvWpdei1zfc2Yweu7i5RZ9ra7S4tt+ItHJ8nhfCAtHM+7\n"
52
   "YAjszElRAXKiY5HYBq2d1lIDl3nFZtpV1a2JRImksRaeFThPZERXlaxCwo5jbXOI\n"
53
   "UXdcibBfrzmwrb8qhmEBNUHG9DFUkAwRzJIlFZjus7lu7XeXnzv9Tsp7UCRslWvk\n"
54
   "p1m5Eiwsm7WtiezK3hxDaxeRgNCtSi9eNEjUR3lon0TLjULmu6pilzAUxQIDAQAB\n"
55
   "MA0GCSqGSIb3DQEBCwUAA4IBAQA1eZGc/4V7z/E/6eG0hVkzoAZeuTcSP7WqBSx+\n"
56
   "OP2yh0163UYjoa6nehmkKYQQ9PbYPZGzIcl+dBFyYzy6jcp0NdtzpWnTFrjl4rMq\n"
57
   "akcQ1D0LTYjJXVP9G/vF/SvatOFeVTnQmLlLt/a8ZtRUINqejeZZPzH8ifzFW6tu\n"
58
   "mlhTVIEKyPHpxClh5Y3ubw/mZYygekFTqMkTx3FwJxKU8J6rYGZxanWAODUIvCUo\n"
59
   "Fxer1qC5Love3uWl3vXPLEZWZdORnExSRByzz2immBP2vX4zYZoeZRhTQ9ae1TIV\n"
60
   "Dk02a/1AOJZdZReDbgXhlqaUx5pk/rzo4mDzvu5HSCeXmClz\n"
61
   "-----END CERTIFICATE-----\n";
62
63
class Fuzzer_TLS_Server_Creds : public Botan::Credentials_Manager
64
   {
65
   public:
66
      Fuzzer_TLS_Server_Creds()
67
5.33k
         {
68
5.33k
         Botan::DataSource_Memory cert_in(fixed_rsa_cert);
69
5.33k
         Botan::DataSource_Memory key_in(fixed_rsa_key);
70
71
5.33k
         m_rsa_cert.reset(new Botan::X509_Certificate(cert_in));
72
         //m_rsa_key.reset(Botan::PKCS8::load_key(key_in, fuzzer_rng());
73
5.33k
         }
74
75
      std::vector<Botan::X509_Certificate> cert_chain(
76
         const std::vector<std::string>& algos,
77
         const std::string& /*type*/,
78
         const std::string& /*hostname*/) override
79
77.8k
         {
80
77.8k
         std::vector<Botan::X509_Certificate> v;
81
82
77.8k
         for(auto algo : algos)
83
77.8k
            {
84
77.8k
            if(algo == "RSA")
85
25.9k
               {
86
25.9k
               v.push_back(*m_rsa_cert);
87
25.9k
               break;
88
25.9k
               }
89
77.8k
            }
90
91
77.8k
         return v;
92
77.8k
         }
93
94
      Botan::Private_Key* private_key_for(const Botan::X509_Certificate& /*cert*/,
95
                                          const std::string& /*type*/,
96
                                          const std::string& /*context*/) override
97
148
         {
98
148
         return m_rsa_key.get();
99
148
         }
100
101
21.9k
      std::string psk_identity_hint(const std::string&, const std::string&) override { return "psk_hint"; }
102
0
      std::string psk_identity(const std::string&, const std::string&, const std::string&) override { return "psk_id"; }
103
      Botan::SymmetricKey psk(const std::string&, const std::string&, const std::string&) override
104
49.0k
         {
105
49.0k
         return Botan::SymmetricKey("AABBCCDDEEFF00112233445566778899");
106
49.0k
         }
107
   private:
108
      std::unique_ptr<Botan::X509_Certificate> m_rsa_cert;
109
      std::unique_ptr<Botan::Private_Key> m_rsa_key;
110
   };
111
112
class Fuzzer_TLS_Policy : public Botan::TLS::Policy
113
   {
114
   public:
115
      std::vector<uint16_t> ciphersuite_list(Botan::TLS::Protocol_Version version,
116
                                             bool have_srp) const override
117
31.9k
         {
118
31.9k
         std::vector<uint16_t> ciphersuites;
119
120
31.9k
         for(auto&& suite : Botan::TLS::Ciphersuite::all_known_ciphersuites())
121
5.85M
            {
122
5.85M
            if(suite.valid() == false)
123
0
               continue;
124
125
            // Are we doing SRP?
126
5.85M
            if(!have_srp && suite.kex_method() == Botan::TLS::Kex_Algo::SRP_SHA)
127
287k
               continue;
128
129
5.56M
            if(!version.supports_aead_modes())
130
0
               {
131
               // Are we doing AEAD in a non-AEAD version?
132
0
               if(suite.mac_algo() == "AEAD")
133
0
                  continue;
134
135
               // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
136
0
               if(suite.mac_algo() != "SHA-1")
137
0
                  continue;
138
5.56M
               }
139
140
5.56M
            ciphersuites.push_back(suite.ciphersuite_code());
141
5.56M
            }
142
143
31.9k
         return ciphersuites;
144
31.9k
         }
145
   };
146
147
class Fuzzer_TLS_Server_Callbacks : public Botan::TLS::Callbacks
148
   {
149
   public:
150
       void tls_emit_data(const uint8_t[], size_t) override
151
87.3k
         {
152
         // discard
153
87.3k
         }
154
155
      void tls_record_received(uint64_t, const uint8_t[], size_t) override
156
0
         {
157
         // ignore peer data
158
0
         }
159
160
      void tls_alert(Botan::TLS::Alert) override
161
44.5k
         {
162
         // ignore alert
163
44.5k
         }
164
165
      bool tls_session_established(const Botan::TLS::Session&) override
166
444
         {
167
444
         return true; // cache it
168
444
         }
169
170
      std::string tls_server_choose_app_protocol(const std::vector<std::string>& client_protos) override
171
7.65k
         {
172
7.65k
         if(client_protos.size() > 1)
173
9
            return client_protos[0];
174
7.64k
         else
175
7.64k
            return "fuzzy";
176
7.65k
         }
177
178
      void tls_verify_cert_chain(
179
         const std::vector<Botan::X509_Certificate>& cert_chain,
180
         const std::vector<std::shared_ptr<const Botan::OCSP::Response>>& ocsp_responses,
181
         const std::vector<Botan::Certificate_Store*>& trusted_roots,
182
         Botan::Usage_Type usage,
183
         const std::string& hostname,
184
         const Botan::TLS::Policy& policy) override
185
0
         {
186
0
         try
187
0
            {
188
            // try to validate to exercise those code paths
189
0
            Botan::TLS::Callbacks::tls_verify_cert_chain(cert_chain, ocsp_responses,
190
0
                                                         trusted_roots, usage, hostname, policy);
191
0
            }
192
0
         catch(...)
193
0
            {
194
            // ignore validation result
195
0
            }
196
0
         }
197
198
   };
199
200
void fuzz(const uint8_t in[], size_t len)
201
5.33k
   {
202
5.33k
   if(len <= 1)
203
2
      return;
204
205
5.33k
   Botan::TLS::Session_Manager_Noop session_manager;
206
5.33k
   Fuzzer_TLS_Policy policy;
207
5.33k
   Botan::TLS::Server_Information info("server.name", 443);
208
5.33k
   Fuzzer_TLS_Server_Creds creds;
209
5.33k
   Fuzzer_TLS_Server_Callbacks callbacks;
210
211
5.33k
   const bool is_datagram = in[0] & 1;
212
213
5.33k
   Botan::TLS::Server server(callbacks,
214
5.33k
                             session_manager,
215
5.33k
                             creds,
216
5.33k
                             policy,
217
5.33k
                             fuzzer_rng(),
218
5.33k
                             is_datagram);
219
220
5.33k
   try
221
5.33k
      {
222
5.33k
      server.received_data(in + 1, len - 1);
223
5.33k
      }
224
5.33k
   catch(std::exception& e)
225
2.77k
      {
226
2.77k
      }
227
5.33k
   }