1 /*
2  * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3  *
4  * Licensed under the Apache License, Version 2.0 (the "License").
5  * You may not use this file except in compliance with the License.
6  * A copy of the License is located at
7  *
8  *  http://aws.amazon.com/apache2.0
9  *
10  * or in the "license" file accompanying this file. This file is distributed
11  * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12  * express or implied. See the License for the specific language governing
13  * permissions and limitations under the License.
14  */
15 
16 /* Target Functions: s2n_server_finished_recv */
17 
18 #include <stdint.h>
19 
20 #include <openssl/crypto.h>
21 #include <openssl/err.h>
22 
23 #include "api/s2n.h"
24 #include "stuffer/s2n_stuffer.h"
25 #include "tls/s2n_connection.h"
26 #include "tls/s2n_tls.h"
27 #include "utils/s2n_safety.h"
28 #include "s2n_test.h"
29 
30 static const uint8_t TLS_VERSIONS[] = {S2N_TLS10, S2N_TLS11, S2N_TLS12, S2N_TLS13, S2N_SSLv3};
31 
s2n_fuzz_test(const uint8_t * buf,size_t len)32 int s2n_fuzz_test(const uint8_t *buf, size_t len)
33 {
34     /* We need at least one byte of input to set parameters */
35     S2N_FUZZ_ENSURE_MIN_LEN(len, 1);
36 
37     /* Setup */
38     struct s2n_connection *client_conn = s2n_connection_new(S2N_SERVER);
39     POSIX_ENSURE_REF(client_conn);
40     POSIX_GUARD(s2n_stuffer_write_bytes(&client_conn->handshake.io, buf, len));
41 
42     /* Pull a byte off the libfuzzer input and use it to set parameters */
43     uint8_t randval = 0;
44     POSIX_GUARD(s2n_stuffer_read_uint8(&client_conn->handshake.io, &randval));
45     client_conn->actual_protocol_version = TLS_VERSIONS[randval % s2n_array_len(TLS_VERSIONS)];
46 
47     uint8_t finished_len = S2N_TLS_FINISHED_LEN;
48     if (TLS_VERSIONS[randval % s2n_array_len(TLS_VERSIONS)] == S2N_SSLv3) {
49         finished_len = S2N_SSL_FINISHED_LEN;
50     }
51 
52     /* We do not use a GUARD macro here as there may not be enough bytes to write the necessary
53      * amount, and the result of a failed read_bytes call is an acceptable test input. */
54     s2n_stuffer_read_bytes(&client_conn->handshake.io, client_conn->handshake.server_finished, finished_len);
55 
56     /* Run Test
57      * Do not use GUARD macro here since the connection memory hasn't been freed.
58      */
59     s2n_server_finished_recv(client_conn);
60 
61     /* Cleanup */
62     POSIX_GUARD(s2n_connection_free(client_conn));
63 
64     return S2N_SUCCESS;
65 }
66 
67 S2N_FUZZ_TARGET(NULL, s2n_fuzz_test, NULL)
68