/src/botan/src/fuzzer/tls_server.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * (C) 2015,2016 Jack Lloyd |
3 | | * |
4 | | * Botan is released under the Simplified BSD License (see license.txt) |
5 | | */ |
6 | | |
7 | | #include "fuzzers.h" |
8 | | #include <botan/tls_server.h> |
9 | | #include <botan/data_src.h> |
10 | | |
11 | | const char* fixed_rsa_key = |
12 | | "-----BEGIN PRIVATE KEY-----\n" |
13 | | "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe6qqpMQVJ7zCJ\n" |
14 | | "oSnpxia0yO6M7Ie3FGqPcd0DzueC+kWPvuHQ+PpP5vfO6qqRaDVII37PFX5NUZQm\n" |
15 | | "GK/rAm7spjIHTCMgqSZ8pN13LU8m1gDwIdu9al16LXN9zZjB67uLlFn2trtLi234\n" |
16 | | "i0cnyeF8IC0cz7tgCOzMSVEBcqJjkdgGrZ3WUgOXecVm2lXVrYlEiaSxFp4VOE9k\n" |
17 | | "RFeVrELCjmNtc4hRd1yJsF+vObCtvyqGYQE1Qcb0MVSQDBHMkiUVmO6zuW7td5ef\n" |
18 | | "O/1OyntQJGyVa+SnWbkSLCybta2J7MreHENrF5GA0K1KL140SNRHeWifRMuNQua7\n" |
19 | | "qmKXMBTFAgMBAAECggEAIk3fxyQI0zvpy1vZ01ft1QqmzA7nAPNMSWi33/GS8iga\n" |
20 | | "SfxXfKeySPs/tQ/dAARxs//NiOBH4mLgyxR7LQzaawU5OXALCSraXv+ruuUx990s\n" |
21 | | "WKnGaG4EfbJAAwEVn47Gbkv425P4fEc91vAhzQn8PbIoatbAyOtESpjs/pYDTeC/\n" |
22 | | "mnJId8gqO90cqyRECEMjk9sQ8iEjWPlik4ayGlUVbeeMu6/pJ9F8IZEgkLZiNDAB\n" |
23 | | "4anmOFaT7EmqUjI4IlcaqfbbXyDXlvWUYukidEss+CNvPuqbQHBDnpFVvBxdDR2N\n" |
24 | | "Uj2D5Xd5blcIe2/+1IVRnznjoQ5zvutzb7ThBmMehQKBgQDOITKG0ht2kXLxjVoR\n" |
25 | | "r/pVpx+f3hs3H7wE0+vrLHoQgkVjpMWXQ47YuZTT9rCOOYNI2cMoH2D27t1j78/B\n" |
26 | | "9kGYABUVpvQQ+6amqJDI1eYI6e68TPueEDjeALfSCdmPNiI3lZZrCIK9XLpkoy8K\n" |
27 | | "tGYBRRJ+JJxjj1zPXj9SGshPgwKBgQDFXUtoxY3mCStH3+0b1qxGG9r1L5goHEmd\n" |
28 | | "Am8WBYDheNpL0VqPNzouhuM/ZWMGyyAs/py6aLATe+qhR1uX5vn7LVZwjCSONZ4j\n" |
29 | | "7ieEEUh1BHetPI1oI5PxgokRYfVuckotqVseanI/536Er3Yf2FXNQ1/ceVp9WykX\n" |
30 | | "3mYTKMhQFwKBgQDKakcXpZNaZ5IcKdZcsBZ/rdGcR5sqEnursf9lvRNQytwg8Vkn\n" |
31 | | "JSxNHlBLpV/TCh8lltHRwJ6TXhUBYij+KzhWbx5FWOErHDOWTMmArqtp7W6GcoJT\n" |
32 | | "wVJWjxXzp8CApYQMWVSQXpckJL7UvHohZO0WKiHyxTjde5aD++TqV2qEyQKBgBbD\n" |
33 | | "jvoTpy08K4DLxCZs2Uvw1I1pIuylbpwsdrGciuP2s38BM6fHH+/T4Qwj3osfDKQD\n" |
34 | | "7gHWJ1Dn/wUBHQBlRLoC3bB3iZPZfVb5lhc2gxv0GvWhQVIcoGi/vJ2DpfJKPmIL\n" |
35 | | "4ZWdg3X5dm9JaZ98rVDSj5D3ckd5J0E4hp95GbmbAoGBAJJHM4O9lx60tIjw9Sf/\n" |
36 | | "QmKWyUk0NLnt8DcgRMW7fVxtzPNDy9DBKGIkDdWZ2s+ForICA3C9WSxBC1EOEHGG\n" |
37 | | "xkg2xKt66CeutGroP6M191mHQrRClt1VbEYzQFX21BCk5kig9i/BURyoTHtFiV+t\n" |
38 | | "kbf4VLg8Vk9u/R3RU1HsYWhe\n" |
39 | | "-----END PRIVATE KEY-----\n"; |
40 | | |
41 | | const char* fixed_rsa_cert = |
42 | | "-----BEGIN CERTIFICATE-----\n" |
43 | | "MIIDUDCCAjgCCQD7pIb1ZsoafjANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJW\n" |
44 | | "VDEQMA4GA1UECAwHVmVybW9udDEWMBQGA1UEBwwNVGhlIEludGVybmV0czEUMBIG\n" |
45 | | "A1UECgwLTWFuZ29zIFIgVXMxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTAe\n" |
46 | | "Fw0xNjAxMDYxNzQ3MjNaFw0yNjAxMDMxNzQ3MjNaMGoxCzAJBgNVBAYTAlZUMRAw\n" |
47 | | "DgYDVQQIDAdWZXJtb250MRYwFAYDVQQHDA1UaGUgSW50ZXJuZXRzMRQwEgYDVQQK\n" |
48 | | "DAtNYW5nb3MgUiBVczEbMBkGA1UEAwwSc2VydmVyLmV4YW1wbGUuY29tMIIBIjAN\n" |
49 | | "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnuqqqTEFSe8wiaEp6cYmtMjujOyH\n" |
50 | | "txRqj3HdA87ngvpFj77h0Pj6T+b3zuqqkWg1SCN+zxV+TVGUJhiv6wJu7KYyB0wj\n" |
51 | | "IKkmfKTddy1PJtYA8CHbvWpdei1zfc2Yweu7i5RZ9ra7S4tt+ItHJ8nhfCAtHM+7\n" |
52 | | "YAjszElRAXKiY5HYBq2d1lIDl3nFZtpV1a2JRImksRaeFThPZERXlaxCwo5jbXOI\n" |
53 | | "UXdcibBfrzmwrb8qhmEBNUHG9DFUkAwRzJIlFZjus7lu7XeXnzv9Tsp7UCRslWvk\n" |
54 | | "p1m5Eiwsm7WtiezK3hxDaxeRgNCtSi9eNEjUR3lon0TLjULmu6pilzAUxQIDAQAB\n" |
55 | | "MA0GCSqGSIb3DQEBCwUAA4IBAQA1eZGc/4V7z/E/6eG0hVkzoAZeuTcSP7WqBSx+\n" |
56 | | "OP2yh0163UYjoa6nehmkKYQQ9PbYPZGzIcl+dBFyYzy6jcp0NdtzpWnTFrjl4rMq\n" |
57 | | "akcQ1D0LTYjJXVP9G/vF/SvatOFeVTnQmLlLt/a8ZtRUINqejeZZPzH8ifzFW6tu\n" |
58 | | "mlhTVIEKyPHpxClh5Y3ubw/mZYygekFTqMkTx3FwJxKU8J6rYGZxanWAODUIvCUo\n" |
59 | | "Fxer1qC5Love3uWl3vXPLEZWZdORnExSRByzz2immBP2vX4zYZoeZRhTQ9ae1TIV\n" |
60 | | "Dk02a/1AOJZdZReDbgXhlqaUx5pk/rzo4mDzvu5HSCeXmClz\n" |
61 | | "-----END CERTIFICATE-----\n"; |
62 | | |
63 | | class Fuzzer_TLS_Server_Creds : public Botan::Credentials_Manager |
64 | | { |
65 | | public: |
66 | | Fuzzer_TLS_Server_Creds() |
67 | 4.53k | { |
68 | 4.53k | Botan::DataSource_Memory cert_in(fixed_rsa_cert); |
69 | 4.53k | Botan::DataSource_Memory key_in(fixed_rsa_key); |
70 | | |
71 | 4.53k | m_rsa_cert.reset(new Botan::X509_Certificate(cert_in)); |
72 | | //m_rsa_key.reset(Botan::PKCS8::load_key(key_in, fuzzer_rng()); |
73 | 4.53k | } |
74 | | |
75 | | std::vector<Botan::X509_Certificate> cert_chain( |
76 | | const std::vector<std::string>& algos, |
77 | | const std::string& /*type*/, |
78 | | const std::string& /*hostname*/) override |
79 | 59.8k | { |
80 | 59.8k | std::vector<Botan::X509_Certificate> v; |
81 | | |
82 | 59.8k | for(auto algo : algos) |
83 | 59.8k | { |
84 | 59.8k | if(algo == "RSA") |
85 | 19.9k | { |
86 | 19.9k | v.push_back(*m_rsa_cert); |
87 | 19.9k | break; |
88 | 19.9k | } |
89 | 59.8k | } |
90 | | |
91 | 59.8k | return v; |
92 | 59.8k | } |
93 | | |
94 | | Botan::Private_Key* private_key_for(const Botan::X509_Certificate& /*cert*/, |
95 | | const std::string& /*type*/, |
96 | | const std::string& /*context*/) override |
97 | 91 | { |
98 | 91 | return m_rsa_key.get(); |
99 | 91 | } |
100 | | |
101 | 19.6k | std::string psk_identity_hint(const std::string&, const std::string&) override { return "psk_hint"; } |
102 | 0 | std::string psk_identity(const std::string&, const std::string&, const std::string&) override { return "psk_id"; } |
103 | | Botan::SymmetricKey psk(const std::string&, const std::string&, const std::string&) override |
104 | 41.3k | { |
105 | 41.3k | return Botan::SymmetricKey("AABBCCDDEEFF00112233445566778899"); |
106 | 41.3k | } |
107 | | private: |
108 | | std::unique_ptr<Botan::X509_Certificate> m_rsa_cert; |
109 | | std::unique_ptr<Botan::Private_Key> m_rsa_key; |
110 | | }; |
111 | | |
112 | | class Fuzzer_TLS_Policy : public Botan::TLS::Policy |
113 | | { |
114 | | public: |
115 | | std::vector<uint16_t> ciphersuite_list(Botan::TLS::Protocol_Version) const override |
116 | 19.9k | { |
117 | 19.9k | std::vector<uint16_t> ciphersuites; |
118 | | |
119 | 19.9k | for(auto&& suite : Botan::TLS::Ciphersuite::all_known_ciphersuites()) |
120 | 1.89M | { |
121 | 1.89M | if(suite.valid()) |
122 | 1.89M | ciphersuites.push_back(suite.ciphersuite_code()); |
123 | 1.89M | } |
124 | | |
125 | 19.9k | return ciphersuites; |
126 | 19.9k | } |
127 | | }; |
128 | | |
129 | | class Fuzzer_TLS_Server_Callbacks : public Botan::TLS::Callbacks |
130 | | { |
131 | | public: |
132 | | void tls_emit_data(const uint8_t[], size_t) override |
133 | 63.5k | { |
134 | | // discard |
135 | 63.5k | } |
136 | | |
137 | | void tls_record_received(uint64_t, const uint8_t[], size_t) override |
138 | 0 | { |
139 | | // ignore peer data |
140 | 0 | } |
141 | | |
142 | | void tls_alert(Botan::TLS::Alert) override |
143 | 18.9k | { |
144 | | // ignore alert |
145 | 18.9k | } |
146 | | |
147 | | bool tls_session_established(const Botan::TLS::Session&) override |
148 | 308 | { |
149 | 308 | return true; // cache it |
150 | 308 | } |
151 | | |
152 | | std::string tls_server_choose_app_protocol(const std::vector<std::string>& client_protos) override |
153 | 3.42k | { |
154 | 3.42k | if(client_protos.size() > 1) |
155 | 22 | return client_protos[0]; |
156 | 3.40k | else |
157 | 3.40k | return "fuzzy"; |
158 | 3.42k | } |
159 | | |
160 | | void tls_verify_cert_chain( |
161 | | const std::vector<Botan::X509_Certificate>& cert_chain, |
162 | | const std::vector<std::optional<Botan::OCSP::Response>>& ocsp_responses, |
163 | | const std::vector<Botan::Certificate_Store*>& trusted_roots, |
164 | | Botan::Usage_Type usage, |
165 | | const std::string& hostname, |
166 | | const Botan::TLS::Policy& policy) override |
167 | 0 | { |
168 | 0 | try |
169 | 0 | { |
170 | | // try to validate to exercise those code paths |
171 | 0 | Botan::TLS::Callbacks::tls_verify_cert_chain(cert_chain, ocsp_responses, |
172 | 0 | trusted_roots, usage, hostname, policy); |
173 | 0 | } |
174 | 0 | catch(...) |
175 | 0 | { |
176 | | // ignore validation result |
177 | 0 | } |
178 | 0 | } |
179 | | |
180 | | }; |
181 | | |
182 | | void fuzz(const uint8_t in[], size_t len) |
183 | 4.53k | { |
184 | 4.53k | if(len <= 1) |
185 | 1 | return; |
186 | | |
187 | 4.53k | Botan::TLS::Session_Manager_Noop session_manager; |
188 | 4.53k | Fuzzer_TLS_Policy policy; |
189 | 4.53k | Botan::TLS::Server_Information info("server.name", 443); |
190 | 4.53k | Fuzzer_TLS_Server_Creds creds; |
191 | 4.53k | Fuzzer_TLS_Server_Callbacks callbacks; |
192 | | |
193 | 4.53k | const bool is_datagram = in[0] & 1; |
194 | | |
195 | 4.53k | Botan::TLS::Server server(callbacks, |
196 | 4.53k | session_manager, |
197 | 4.53k | creds, |
198 | 4.53k | policy, |
199 | 4.53k | fuzzer_rng(), |
200 | 4.53k | is_datagram); |
201 | | |
202 | 4.53k | try |
203 | 4.53k | { |
204 | 4.53k | server.received_data(in + 1, len - 1); |
205 | 4.53k | } |
206 | 4.53k | catch(std::exception& e) |
207 | 4.53k | { |
208 | 2.44k | } |
209 | 4.53k | } |