1 // Copyright 2016 The Chromium Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4 
5 #include <assert.h>
6 #include <stddef.h>
7 #include <stdint.h>
8 
9 #include <algorithm>
10 #include <vector>
11 
12 #include "third_party/libsrtp/include/srtp.h"
13 #include "third_party/libsrtp/include/srtp_priv.h"
14 #include "third_party/libsrtp/test/rtp.h"
15 
16 // TODO(katrielc) Also test the authenticated path, which is what
17 // WebRTC uses.  This is nontrivial because you need to bypass the MAC
18 // check. Two options: add a UNSAFE_FUZZER_MODE flag to libsrtp (or
19 // the chromium fork of it), or compute the HMAC of whatever gibberish
20 // the fuzzer produces and write it into the packet manually.
21 
22 namespace LibSrtpFuzzer {
23 enum CryptoPolicy {
24   NONE,
25   LIKE_WEBRTC,
26   LIKE_WEBRTC_SHORT_AUTH,
27   LIKE_WEBRTC_WITHOUT_AUTH,
28   AES_128_GCM,
29   AES_256_GCM,
30   NUMBER_OF_POLICIES,
31 };
32 }
33 
GetKeyLength(LibSrtpFuzzer::CryptoPolicy crypto_policy)34 static size_t GetKeyLength(LibSrtpFuzzer::CryptoPolicy crypto_policy) {
35   switch (crypto_policy) {
36     case LibSrtpFuzzer::NUMBER_OF_POLICIES:
37     case LibSrtpFuzzer::NONE:
38       return 0;
39     case LibSrtpFuzzer::LIKE_WEBRTC:
40     case LibSrtpFuzzer::LIKE_WEBRTC_SHORT_AUTH:
41     case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH:
42       return SRTP_AES_ICM_128_KEY_LEN_WSALT;
43     case LibSrtpFuzzer::AES_128_GCM:
44       return SRTP_AES_GCM_128_KEY_LEN_WSALT;
45     case LibSrtpFuzzer::AES_256_GCM:
46       return SRTP_AES_GCM_256_KEY_LEN_WSALT;
47   }
48 }
49 
50 struct Environment {
GetCryptoPolicyEnvironment51   srtp_policy_t GetCryptoPolicy(LibSrtpFuzzer::CryptoPolicy crypto_policy,
52                                 const unsigned char* replacement_key,
53                                 size_t key_length) {
54     switch (crypto_policy) {
55       case LibSrtpFuzzer::NUMBER_OF_POLICIES:
56       case LibSrtpFuzzer::NONE:
57         srtp_crypto_policy_set_null_cipher_null_auth(&policy.rtp);
58         srtp_crypto_policy_set_null_cipher_null_auth(&policy.rtcp);
59         break;
60       case LibSrtpFuzzer::LIKE_WEBRTC:
61         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtp);
62         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_80(&policy.rtcp);
63         break;
64       case LibSrtpFuzzer::LIKE_WEBRTC_SHORT_AUTH:
65         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtp);
66         srtp_crypto_policy_set_aes_cm_128_hmac_sha1_32(&policy.rtcp);
67         break;
68       case LibSrtpFuzzer::LIKE_WEBRTC_WITHOUT_AUTH:
69         srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtp);
70         srtp_crypto_policy_set_aes_cm_128_null_auth(&policy.rtcp);
71         break;
72       case LibSrtpFuzzer::AES_128_GCM:
73         // There was a security bug in the GCM mode in libsrtp 1.5.2.
74         srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtp);
75         srtp_crypto_policy_set_aes_gcm_128_16_auth(&policy.rtcp);
76         break;
77       case LibSrtpFuzzer::AES_256_GCM:
78         // WebRTC uses AES-256-GCM by default if GCM ciphers are enabled.
79         srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtp);
80         srtp_crypto_policy_set_aes_gcm_256_16_auth(&policy.rtcp);
81         break;
82     }
83 
84     assert(static_cast<size_t>(policy.rtp.cipher_key_len) == key_length);
85     assert(static_cast<size_t>(policy.rtcp.cipher_key_len) == key_length);
86     memcpy(key, replacement_key, key_length);
87     return policy;
88   }
89 
EnvironmentEnvironment90   Environment() {
91     srtp_init();
92 
93     memset(&policy, 0, sizeof(policy));
94     policy.allow_repeat_tx = 1;
95     policy.ekt = nullptr;
96     policy.key = key;
97     policy.next = nullptr;
98     policy.ssrc.type = ssrc_any_inbound;
99     policy.ssrc.value = 0xdeadbeef;
100     policy.window_size = 1024;
101   }
102 
103  private:
104   srtp_policy_t policy;
105   unsigned char key[SRTP_MAX_KEY_LEN] = {0};
106 
srtp_crypto_policy_set_null_cipher_null_authEnvironment107   static void srtp_crypto_policy_set_null_cipher_null_auth(
108       srtp_crypto_policy_t* p) {
109     p->cipher_type = SRTP_NULL_CIPHER;
110     p->cipher_key_len = 0;
111     p->auth_type = SRTP_NULL_AUTH;
112     p->auth_key_len = 0;
113     p->auth_tag_len = 0;
114     p->sec_serv = sec_serv_none;
115   }
116 };
117 
ReadLength(const uint8_t * data,size_t size)118 size_t ReadLength(const uint8_t* data, size_t size) {
119   // Read one byte of input and interpret it as a length to read from
120   // data. Don't return more bytes than are available.
121   size_t n = static_cast<size_t>(data[0]);
122   return std::min(n, size - 1);
123 }
124 
125 Environment* env = new Environment();
126 
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)127 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
128   // Read one byte and use it to choose a crypto policy.
129   if (size <= 2 + SRTP_MAX_KEY_LEN)
130     return 0;
131   LibSrtpFuzzer::CryptoPolicy policy = static_cast<LibSrtpFuzzer::CryptoPolicy>(
132       data[0] % LibSrtpFuzzer::NUMBER_OF_POLICIES);
133   data += 1;
134   size -= 1;
135 
136   // Read some more bytes to use as a key.
137   size_t key_length = GetKeyLength(policy);
138   srtp_policy_t srtp_policy = env->GetCryptoPolicy(policy, data, key_length);
139   data += SRTP_MAX_KEY_LEN;
140   size -= SRTP_MAX_KEY_LEN;
141 
142   // Read one byte and use as number of encrypted header extensions.
143   uint8_t num_encrypted_headers = data[0];
144   data += 1;
145   size -= 1;
146   if (num_encrypted_headers > 0) {
147     // Use next bytes as extension ids.
148     if (size <= num_encrypted_headers)
149       return 0;
150     srtp_policy.enc_xtn_hdr_count = static_cast<int>(num_encrypted_headers);
151     srtp_policy.enc_xtn_hdr =
152         static_cast<int*>(malloc(srtp_policy.enc_xtn_hdr_count * sizeof(int)));
153     assert(srtp_policy.enc_xtn_hdr);
154     for (int i = 0; i < srtp_policy.enc_xtn_hdr_count; ++i) {
155       srtp_policy.enc_xtn_hdr[i] = static_cast<int>(data[i]);
156     }
157     data += srtp_policy.enc_xtn_hdr_count;
158     size -= srtp_policy.enc_xtn_hdr_count;
159   }
160 
161   srtp_t session;
162   srtp_err_status_t error = srtp_create(&session, &srtp_policy);
163   free(srtp_policy.enc_xtn_hdr);
164   if (error != srtp_err_status_ok) {
165     assert(false);
166     return 0;
167   }
168 
169   // Read one byte as a packet length N, then feed the next N bytes
170   // into srtp_unprotect. Keep going until we run out of data.
171   size_t packet_size;
172   while (size > 0 && (packet_size = ReadLength(data, size)) > 0) {
173     // One byte was used by ReadLength.
174     data++;
175     size--;
176 
177     size_t header_size = std::min(sizeof(srtp_hdr_t), packet_size);
178     size_t body_size = packet_size - header_size;
179 
180     // We deliberately do not initialise this struct. MSAN will catch
181     // usage of the uninitialised memory.
182     rtp_msg_t message;
183     memcpy(&message.header, data, header_size);
184     memcpy(&message.body, data + header_size, body_size);
185 
186     int out_len = static_cast<int>(packet_size);
187     srtp_unprotect(session, &message, &out_len);
188 
189     // |packet_size| bytes were used above.
190     data += packet_size;
191     size -= packet_size;
192   }
193 
194   srtp_dealloc(session);
195   return 0;
196 }
197