1 /*
2 * (C) 2015,2016 Jack Lloyd
3 *
4 * Botan is released under the Simplified BSD License (see license.txt)
5 */
6
7 #include "fuzzers.h"
8 #include <botan/tls_server.h>
9 #include <botan/data_src.h>
10
11 const char* fixed_rsa_key =
12 "-----BEGIN PRIVATE KEY-----\n"
13 "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe6qqpMQVJ7zCJ\n"
14 "oSnpxia0yO6M7Ie3FGqPcd0DzueC+kWPvuHQ+PpP5vfO6qqRaDVII37PFX5NUZQm\n"
15 "GK/rAm7spjIHTCMgqSZ8pN13LU8m1gDwIdu9al16LXN9zZjB67uLlFn2trtLi234\n"
16 "i0cnyeF8IC0cz7tgCOzMSVEBcqJjkdgGrZ3WUgOXecVm2lXVrYlEiaSxFp4VOE9k\n"
17 "RFeVrELCjmNtc4hRd1yJsF+vObCtvyqGYQE1Qcb0MVSQDBHMkiUVmO6zuW7td5ef\n"
18 "O/1OyntQJGyVa+SnWbkSLCybta2J7MreHENrF5GA0K1KL140SNRHeWifRMuNQua7\n"
19 "qmKXMBTFAgMBAAECggEAIk3fxyQI0zvpy1vZ01ft1QqmzA7nAPNMSWi33/GS8iga\n"
20 "SfxXfKeySPs/tQ/dAARxs//NiOBH4mLgyxR7LQzaawU5OXALCSraXv+ruuUx990s\n"
21 "WKnGaG4EfbJAAwEVn47Gbkv425P4fEc91vAhzQn8PbIoatbAyOtESpjs/pYDTeC/\n"
22 "mnJId8gqO90cqyRECEMjk9sQ8iEjWPlik4ayGlUVbeeMu6/pJ9F8IZEgkLZiNDAB\n"
23 "4anmOFaT7EmqUjI4IlcaqfbbXyDXlvWUYukidEss+CNvPuqbQHBDnpFVvBxdDR2N\n"
24 "Uj2D5Xd5blcIe2/+1IVRnznjoQ5zvutzb7ThBmMehQKBgQDOITKG0ht2kXLxjVoR\n"
25 "r/pVpx+f3hs3H7wE0+vrLHoQgkVjpMWXQ47YuZTT9rCOOYNI2cMoH2D27t1j78/B\n"
26 "9kGYABUVpvQQ+6amqJDI1eYI6e68TPueEDjeALfSCdmPNiI3lZZrCIK9XLpkoy8K\n"
27 "tGYBRRJ+JJxjj1zPXj9SGshPgwKBgQDFXUtoxY3mCStH3+0b1qxGG9r1L5goHEmd\n"
28 "Am8WBYDheNpL0VqPNzouhuM/ZWMGyyAs/py6aLATe+qhR1uX5vn7LVZwjCSONZ4j\n"
29 "7ieEEUh1BHetPI1oI5PxgokRYfVuckotqVseanI/536Er3Yf2FXNQ1/ceVp9WykX\n"
30 "3mYTKMhQFwKBgQDKakcXpZNaZ5IcKdZcsBZ/rdGcR5sqEnursf9lvRNQytwg8Vkn\n"
31 "JSxNHlBLpV/TCh8lltHRwJ6TXhUBYij+KzhWbx5FWOErHDOWTMmArqtp7W6GcoJT\n"
32 "wVJWjxXzp8CApYQMWVSQXpckJL7UvHohZO0WKiHyxTjde5aD++TqV2qEyQKBgBbD\n"
33 "jvoTpy08K4DLxCZs2Uvw1I1pIuylbpwsdrGciuP2s38BM6fHH+/T4Qwj3osfDKQD\n"
34 "7gHWJ1Dn/wUBHQBlRLoC3bB3iZPZfVb5lhc2gxv0GvWhQVIcoGi/vJ2DpfJKPmIL\n"
35 "4ZWdg3X5dm9JaZ98rVDSj5D3ckd5J0E4hp95GbmbAoGBAJJHM4O9lx60tIjw9Sf/\n"
36 "QmKWyUk0NLnt8DcgRMW7fVxtzPNDy9DBKGIkDdWZ2s+ForICA3C9WSxBC1EOEHGG\n"
37 "xkg2xKt66CeutGroP6M191mHQrRClt1VbEYzQFX21BCk5kig9i/BURyoTHtFiV+t\n"
38 "kbf4VLg8Vk9u/R3RU1HsYWhe\n"
39 "-----END PRIVATE KEY-----\n";
40
41 const char* fixed_rsa_cert =
42 "-----BEGIN CERTIFICATE-----\n"
43 "MIIDUDCCAjgCCQD7pIb1ZsoafjANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJW\n"
44 "VDEQMA4GA1UECAwHVmVybW9udDEWMBQGA1UEBwwNVGhlIEludGVybmV0czEUMBIG\n"
45 "A1UECgwLTWFuZ29zIFIgVXMxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTAe\n"
46 "Fw0xNjAxMDYxNzQ3MjNaFw0yNjAxMDMxNzQ3MjNaMGoxCzAJBgNVBAYTAlZUMRAw\n"
47 "DgYDVQQIDAdWZXJtb250MRYwFAYDVQQHDA1UaGUgSW50ZXJuZXRzMRQwEgYDVQQK\n"
48 "DAtNYW5nb3MgUiBVczEbMBkGA1UEAwwSc2VydmVyLmV4YW1wbGUuY29tMIIBIjAN\n"
49 "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnuqqqTEFSe8wiaEp6cYmtMjujOyH\n"
50 "txRqj3HdA87ngvpFj77h0Pj6T+b3zuqqkWg1SCN+zxV+TVGUJhiv6wJu7KYyB0wj\n"
51 "IKkmfKTddy1PJtYA8CHbvWpdei1zfc2Yweu7i5RZ9ra7S4tt+ItHJ8nhfCAtHM+7\n"
52 "YAjszElRAXKiY5HYBq2d1lIDl3nFZtpV1a2JRImksRaeFThPZERXlaxCwo5jbXOI\n"
53 "UXdcibBfrzmwrb8qhmEBNUHG9DFUkAwRzJIlFZjus7lu7XeXnzv9Tsp7UCRslWvk\n"
54 "p1m5Eiwsm7WtiezK3hxDaxeRgNCtSi9eNEjUR3lon0TLjULmu6pilzAUxQIDAQAB\n"
55 "MA0GCSqGSIb3DQEBCwUAA4IBAQA1eZGc/4V7z/E/6eG0hVkzoAZeuTcSP7WqBSx+\n"
56 "OP2yh0163UYjoa6nehmkKYQQ9PbYPZGzIcl+dBFyYzy6jcp0NdtzpWnTFrjl4rMq\n"
57 "akcQ1D0LTYjJXVP9G/vF/SvatOFeVTnQmLlLt/a8ZtRUINqejeZZPzH8ifzFW6tu\n"
58 "mlhTVIEKyPHpxClh5Y3ubw/mZYygekFTqMkTx3FwJxKU8J6rYGZxanWAODUIvCUo\n"
59 "Fxer1qC5Love3uWl3vXPLEZWZdORnExSRByzz2immBP2vX4zYZoeZRhTQ9ae1TIV\n"
60 "Dk02a/1AOJZdZReDbgXhlqaUx5pk/rzo4mDzvu5HSCeXmClz\n"
61 "-----END CERTIFICATE-----\n";
62
63 class Fuzzer_TLS_Server_Creds : public Botan::Credentials_Manager
64 {
65 public:
Fuzzer_TLS_Server_Creds()66 Fuzzer_TLS_Server_Creds()
67 {
68 Botan::DataSource_Memory cert_in(fixed_rsa_cert);
69 Botan::DataSource_Memory key_in(fixed_rsa_key);
70
71 m_rsa_cert.reset(new Botan::X509_Certificate(cert_in));
72 //m_rsa_key.reset(Botan::PKCS8::load_key(key_in, fuzzer_rng());
73 }
74
cert_chain(const std::vector<std::string> & algos,const std::string &,const std::string &)75 std::vector<Botan::X509_Certificate> cert_chain(
76 const std::vector<std::string>& algos,
77 const std::string& /*type*/,
78 const std::string& /*hostname*/) override
79 {
80 std::vector<Botan::X509_Certificate> v;
81
82 for(auto algo : algos)
83 {
84 if(algo == "RSA")
85 {
86 v.push_back(*m_rsa_cert);
87 break;
88 }
89 }
90
91 return v;
92 }
93
private_key_for(const Botan::X509_Certificate &,const std::string &,const std::string &)94 Botan::Private_Key* private_key_for(const Botan::X509_Certificate& /*cert*/,
95 const std::string& /*type*/,
96 const std::string& /*context*/) override
97 {
98 return m_rsa_key.get();
99 }
100
psk_identity_hint(const std::string &,const std::string &)101 std::string psk_identity_hint(const std::string&, const std::string&) override { return "psk_hint"; }
psk_identity(const std::string &,const std::string &,const std::string &)102 std::string psk_identity(const std::string&, const std::string&, const std::string&) override { return "psk_id"; }
psk(const std::string &,const std::string &,const std::string &)103 Botan::SymmetricKey psk(const std::string&, const std::string&, const std::string&) override
104 {
105 return Botan::SymmetricKey("AABBCCDDEEFF00112233445566778899");
106 }
107 private:
108 std::unique_ptr<Botan::X509_Certificate> m_rsa_cert;
109 std::unique_ptr<Botan::Private_Key> m_rsa_key;
110 };
111
112 class Fuzzer_TLS_Policy : public Botan::TLS::Policy
113 {
114 public:
ciphersuite_list(Botan::TLS::Protocol_Version version,bool have_srp) const115 std::vector<uint16_t> ciphersuite_list(Botan::TLS::Protocol_Version version,
116 bool have_srp) const
117 {
118 std::vector<uint16_t> ciphersuites;
119
120 for(auto&& suite : Botan::TLS::Ciphersuite::all_known_ciphersuites())
121 {
122 if(suite.valid() == false)
123 continue;
124
125 // Are we doing SRP?
126 if(!have_srp && suite.kex_method() == Botan::TLS::Kex_Algo::SRP_SHA)
127 continue;
128
129 if(!version.supports_aead_modes())
130 {
131 // Are we doing AEAD in a non-AEAD version?
132 if(suite.mac_algo() == "AEAD")
133 continue;
134
135 // Older (v1.0/v1.1) versions also do not support any hash but SHA-1
136 if(suite.mac_algo() != "SHA-1")
137 continue;
138 }
139
140 ciphersuites.push_back(suite.ciphersuite_code());
141 }
142
143 return ciphersuites;
144 }
145 };
146
147 class Fuzzer_TLS_Server_Callbacks : public Botan::TLS::Callbacks
148 {
149 public:
tls_emit_data(const uint8_t[],size_t)150 void tls_emit_data(const uint8_t[], size_t) override
151 {
152 // discard
153 }
154
tls_record_received(uint64_t,const uint8_t[],size_t)155 void tls_record_received(uint64_t, const uint8_t[], size_t) override
156 {
157 // ignore peer data
158 }
159
tls_alert(Botan::TLS::Alert)160 void tls_alert(Botan::TLS::Alert) override
161 {
162 // ignore alert
163 }
164
tls_session_established(const Botan::TLS::Session &)165 bool tls_session_established(const Botan::TLS::Session&) override
166 {
167 return true; // cache it
168 }
169
tls_server_choose_app_protocol(const std::vector<std::string> & client_protos)170 std::string tls_server_choose_app_protocol(const std::vector<std::string>& client_protos) override
171 {
172 if(client_protos.size() > 1)
173 return client_protos[0];
174 else
175 return "fuzzy";
176 }
177
tls_verify_cert_chain(const std::vector<Botan::X509_Certificate> & cert_chain,const std::vector<std::shared_ptr<const Botan::OCSP::Response>> & ocsp_responses,const std::vector<Botan::Certificate_Store * > & trusted_roots,Botan::Usage_Type usage,const std::string & hostname,const Botan::TLS::Policy & policy)178 void tls_verify_cert_chain(
179 const std::vector<Botan::X509_Certificate>& cert_chain,
180 const std::vector<std::shared_ptr<const Botan::OCSP::Response>>& ocsp_responses,
181 const std::vector<Botan::Certificate_Store*>& trusted_roots,
182 Botan::Usage_Type usage,
183 const std::string& hostname,
184 const Botan::TLS::Policy& policy) override
185 {
186 try
187 {
188 // try to validate to exercise those code paths
189 Botan::TLS::Callbacks::tls_verify_cert_chain(cert_chain, ocsp_responses,
190 trusted_roots, usage, hostname, policy);
191 }
192 catch(...)
193 {
194 // ignore validation result
195 }
196 }
197
198 };
199
fuzz(const uint8_t in[],size_t len)200 void fuzz(const uint8_t in[], size_t len)
201 {
202 if(len <= 1)
203 return;
204
205 Botan::TLS::Session_Manager_Noop session_manager;
206 Fuzzer_TLS_Policy policy;
207 Botan::TLS::Server_Information info("server.name", 443);
208 Fuzzer_TLS_Server_Creds creds;
209 Fuzzer_TLS_Server_Callbacks callbacks;
210
211 const bool is_datagram = in[0] & 1;
212
213 Botan::TLS::Server server(callbacks,
214 session_manager,
215 creds,
216 policy,
217 fuzzer_rng(),
218 is_datagram);
219
220 try
221 {
222 server.received_data(in + 1, len - 1);
223 }
224 catch(std::exception& e)
225 {
226 }
227 }
228