/src/hostap/tests/fuzzing/tls-server/tls-server.c

Source
/*
 * Testing tool for TLSv1 server routines
 * Copyright (c) 2019, Jouni Malinen <j@w1.fi>
 *
 * This software may be distributed under the terms of the BSD license.
 * See README for more details.
 */

#include "includes.h"

#include "common.h"
#include "crypto/tls.h"
#include "../fuzzer-common.h"

#ifndef CERTDIR
#define CERTDIR "../../hwsim/auth_serv/"
#endif

struct context {
  const u8 *data;
  size_t data_len;
  size_t data_offset;
};


static struct wpabuf * read_msg(struct context *ctx)
{
  u16 msg_len;
  struct wpabuf *msg;

  if (ctx->data_len - ctx->data_offset < 2) {
    wpa_printf(MSG_ERROR, "TEST-ERROR: Could not read msg len");
    return NULL;
  }
  msg_len = WPA_GET_BE16(&ctx->data[ctx->data_offset]);
  ctx->data_offset += 2;

  msg = wpabuf_alloc(msg_len);
  if (!msg)
    return NULL;
  if (msg_len > 0 && ctx->data_len - ctx->data_offset < msg_len) {
    wpa_printf(MSG_ERROR, "TEST-ERROR: Truncated msg (msg_len=%u)",
         msg_len);
    wpabuf_free(msg);
    return NULL;
  }
  wpabuf_put_data(msg, &ctx->data[ctx->data_offset], msg_len);
  ctx->data_offset += msg_len;
  wpa_hexdump_buf(MSG_DEBUG, "TEST: Read message from file", msg);

  return msg;
}


int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
{
  struct context ctx;
  struct tls_config conf;
  void *tls_server;
  struct tls_connection_params params;
  struct tls_connection *conn_server = NULL;
  int ret = -1;
  struct wpabuf *in = NULL, *out = NULL, *appl;

  wpa_fuzzer_set_debug_level();

  os_memset(&ctx, 0, sizeof(ctx));
  ctx.data = data;
  ctx.data_len = size;

  os_memset(&conf, 0, sizeof(conf));
  tls_server = tls_init(&conf);
  if (!tls_server)
    goto fail;

  os_memset(&params, 0, sizeof(params));
  params.ca_cert = CERTDIR "ca.pem";
  params.client_cert = CERTDIR "server.pem";
  params.private_key = CERTDIR "server.key";
  params.dh_file = CERTDIR "dh.conf";

  if (tls_global_set_params(tls_server, &params)) {
    wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
    goto fail;
  }

  conn_server = tls_connection_init(tls_server);
  if (!conn_server)
    goto fail;

  in = NULL;
  for (;;) {
    appl = NULL;
    out = read_msg(&ctx);
    wpabuf_free(in);
    in = NULL;
    if (!out)
      goto fail;

    appl = NULL;
    in = tls_connection_server_handshake(tls_server, conn_server,
                 out, &appl);
    wpabuf_free(out);
    out = NULL;
    if (!in)
      goto fail;
    if (tls_connection_get_failed(tls_server, conn_server)) {
      wpa_printf(MSG_ERROR, "TLS handshake failed");
      goto fail;
    }
    if (tls_connection_established(tls_server, conn_server))
      break;
  }

  wpabuf_free(in);
  in = wpabuf_alloc(100);
  if (!in)
    goto fail;
  wpabuf_put_str(in, "PING");
  wpabuf_free(out);
  out = read_msg(&ctx);
  wpabuf_free(in);
  in = NULL;
  if (!out)
    goto fail;

  in = tls_connection_decrypt(tls_server, conn_server, out);
  wpabuf_free(out);
  out = NULL;
  if (!in)
    goto fail;
  wpa_hexdump_buf(MSG_DEBUG, "Server decrypted ApplData", in);

  wpabuf_free(in);
  in = wpabuf_alloc(100);
  if (!in)
    goto fail;
  wpabuf_put_str(in, "PONG");
  wpabuf_free(out);
  out = tls_connection_encrypt(tls_server, conn_server, in);
  wpabuf_free(in);
  in = NULL;
  if (!out)
    goto fail;

  ret = 0;
fail:
  if (tls_server) {
    if (conn_server)
      tls_connection_deinit(tls_server, conn_server);
    tls_deinit(tls_server);
  }
  wpabuf_free(in);
  wpabuf_free(out);

  return ret;
}

Line	Count	Source
1		/*
2		* Testing tool for TLSv1 server routines
3		* Copyright (c) 2019, Jouni Malinen <j@w1.fi>
4		*
5		* This software may be distributed under the terms of the BSD license.
6		* See README for more details.
7		*/
8
9		#include "includes.h"
10
11		#include "common.h"
12		#include "crypto/tls.h"
13		#include "../fuzzer-common.h"
14
15		#ifndef CERTDIR
16		#define CERTDIR "../../hwsim/auth_serv/"
17		#endif
18
19		struct context {
20		const u8 *data;
21		size_t data_len;
22		size_t data_offset;
23		};
24
25
26		static struct wpabuf * read_msg(struct context *ctx)
27	2	{
28	2	u16 msg_len;
29	2	struct wpabuf *msg;
30
31	2	if (ctx->data_len - ctx->data_offset < 2) {
32	2	wpa_printf(MSG_ERROR, "TEST-ERROR: Could not read msg len");
33	2	return NULL;
34	2	}
35	0	msg_len = WPA_GET_BE16(&ctx->data[ctx->data_offset]);
36	0	ctx->data_offset += 2;
37
38	0	msg = wpabuf_alloc(msg_len);
39	0	if (!msg)
40	0	return NULL;
41	0	if (msg_len > 0 && ctx->data_len - ctx->data_offset < msg_len) {
42	0	wpa_printf(MSG_ERROR, "TEST-ERROR: Truncated msg (msg_len=%u)",
43	0	msg_len);
44	0	wpabuf_free(msg);
45	0	return NULL;
46	0	}
47	0	wpabuf_put_data(msg, &ctx->data[ctx->data_offset], msg_len);
48	0	ctx->data_offset += msg_len;
49	0	wpa_hexdump_buf(MSG_DEBUG, "TEST: Read message from file", msg);
50
51	0	return msg;
52	0	}
53
54
55		int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
56	2	{
57	2	struct context ctx;
58	2	struct tls_config conf;
59	2	void *tls_server;
60	2	struct tls_connection_params params;
61	2	struct tls_connection *conn_server = NULL;
62	2	int ret = -1;
63	2	struct wpabuf in = NULL, out = NULL, *appl;
64
65	2	wpa_fuzzer_set_debug_level();
66
67	2	os_memset(&ctx, 0, sizeof(ctx));
68	2	ctx.data = data;
69	2	ctx.data_len = size;
70
71	2	os_memset(&conf, 0, sizeof(conf));
72	2	tls_server = tls_init(&conf);
73	2	if (!tls_server)
74	0	goto fail;
75
76	2	os_memset(&params, 0, sizeof(params));
77	2	params.ca_cert = CERTDIR "ca.pem";
78	2	params.client_cert = CERTDIR "server.pem";
79	2	params.private_key = CERTDIR "server.key";
80	2	params.dh_file = CERTDIR "dh.conf";
81
82	2	if (tls_global_set_params(tls_server, &params)) {
83	0	wpa_printf(MSG_ERROR, "Failed to set TLS parameters");
84	0	goto fail;
85	0	}
86
87	2	conn_server = tls_connection_init(tls_server);
88	2	if (!conn_server)
89	0	goto fail;
90
91	2	in = NULL;
92	2	for (;;) {
93	2	appl = NULL;
94	2	out = read_msg(&ctx);
95	2	wpabuf_free(in);
96	2	in = NULL;
97	2	if (!out)
98	2	goto fail;
99
100	0	appl = NULL;
101	0	in = tls_connection_server_handshake(tls_server, conn_server,
102	0	out, &appl);
103	0	wpabuf_free(out);
104	0	out = NULL;
105	0	if (!in)
106	0	goto fail;
107	0	if (tls_connection_get_failed(tls_server, conn_server)) {
108	0	wpa_printf(MSG_ERROR, "TLS handshake failed");
109	0	goto fail;
110	0	}
111	0	if (tls_connection_established(tls_server, conn_server))
112	0	break;
113	0	}
114
115	0	wpabuf_free(in);
116	0	in = wpabuf_alloc(100);
117	0	if (!in)
118	0	goto fail;
119	0	wpabuf_put_str(in, "PING");
120	0	wpabuf_free(out);
121	0	out = read_msg(&ctx);
122	0	wpabuf_free(in);
123	0	in = NULL;
124	0	if (!out)
125	0	goto fail;
126
127	0	in = tls_connection_decrypt(tls_server, conn_server, out);
128	0	wpabuf_free(out);
129	0	out = NULL;
130	0	if (!in)
131	0	goto fail;
132	0	wpa_hexdump_buf(MSG_DEBUG, "Server decrypted ApplData", in);
133
134	0	wpabuf_free(in);
135	0	in = wpabuf_alloc(100);
136	0	if (!in)
137	0	goto fail;
138	0	wpabuf_put_str(in, "PONG");
139	0	wpabuf_free(out);
140	0	out = tls_connection_encrypt(tls_server, conn_server, in);
141	0	wpabuf_free(in);
142	0	in = NULL;
143	0	if (!out)
144	0	goto fail;
145
146	0	ret = 0;
147	2	fail:
148	2	if (tls_server) {
149	2	if (conn_server)
150	2	tls_connection_deinit(tls_server, conn_server);
151	2	tls_deinit(tls_server);
152	2	}
153	2	wpabuf_free(in);
154	2	wpabuf_free(out);
155
156	2	return ret;
157	0	}

Coverage Report

Created: 2025-10-28 06:59