authorNikos Mavrogiannopoulos <nmav@gnutls.org>2017-07-31 10:50:52 +0200
committerNikos Mavrogiannopoulos <nmav@gnutls.org>2017-08-03 07:55:06 +0200
commit2942fd30df4515fc1219c4652e8d320b01d156a2 (patch)
tree93e78a7682ad31e9f3df7f755378893f707c3d2c /devel
parent5874432ee1b714ecad5c05c1dfdd2b02ee3e7cb3 (diff)
downloadgnutls-2942fd30df4515fc1219c4652e8d320b01d156a2.tar.gz
fuzz: added SRP server and client fuzzers
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
Diffstat (limited to 'devel')
-rw-r--r--devel/fuzz/Makefile3
-rw-r--r--devel/fuzz/gnutls_srp_client.in/trace-server-srpbin0 -> 912 bytes
-rw-r--r--devel/fuzz/gnutls_srp_client.in/trace-server-srp-dssbin0 -> 2033 bytes
-rw-r--r--devel/fuzz/gnutls_srp_client.in/trace-server-srp-rsabin0 -> 2187 bytes
-rw-r--r--devel/fuzz/gnutls_srp_client_fuzzer.cc125
-rw-r--r--devel/fuzz/gnutls_srp_server.in/trace-client-srpbin0 -> 379 bytes
-rw-r--r--devel/fuzz/gnutls_srp_server.in/trace-client-srp-dssbin0 -> 402 bytes
-rw-r--r--devel/fuzz/gnutls_srp_server.in/trace-client-srp-rsabin0 -> 436 bytes
-rw-r--r--devel/fuzz/gnutls_srp_server_fuzzer.cc179
-rw-r--r--devel/fuzz/srp.h33
10 files changed, 339 insertions, 1 deletions
diff --git a/devel/fuzz/Makefile b/devel/fuzz/Makefile
index 07704bee0b..21696779b4 100644
--- a/devel/fuzz/Makefile
+++ b/devel/fuzz/Makefile
@@ -25,7 +25,8 @@ all: gnutls_pkcs7_parser_fuzzer gnutls_client_fuzzer gnutls_dn_parser_fuzzer \
gnutls_private_key_parser_fuzzer gnutls_server_fuzzer gnutls_x509_parser_fuzzer \
gnutls_reverse_idna_parser_fuzzer gnutls_idna_parser_fuzzer gnutls_ocsp_resp_parser_fuzzer \
gnutls_ocsp_req_parser_fuzzer gnutls_pkcs12_key_parser_fuzzer gnutls_base64_decoder_fuzzer \
- gnutls_base64_encoder_fuzzer gnutls_psk_client_fuzzer gnutls_psk_server_fuzzer
+ gnutls_base64_encoder_fuzzer gnutls_psk_client_fuzzer gnutls_psk_server_fuzzer \
+ gnutls_srp_client_fuzzer gnutls_srp_server_fuzzer
%: %.cc
$(CC) $(CFLAGS) main.c $^ $(COMMON) -o $@
diff --git a/devel/fuzz/gnutls_srp_client.in/trace-server-srp b/devel/fuzz/gnutls_srp_client.in/trace-server-srp
new file mode 100644
index 0000000000..2e5dc9232c
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_client.in/trace-server-srp
Binary files differ
diff --git a/devel/fuzz/gnutls_srp_client.in/trace-server-srp-dss b/devel/fuzz/gnutls_srp_client.in/trace-server-srp-dss
new file mode 100644
index 0000000000..578552a3e0
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_client.in/trace-server-srp-dss
Binary files differ
diff --git a/devel/fuzz/gnutls_srp_client.in/trace-server-srp-rsa b/devel/fuzz/gnutls_srp_client.in/trace-server-srp-rsa
new file mode 100644
index 0000000000..661e73d019
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_client.in/trace-server-srp-rsa
Binary files differ
diff --git a/devel/fuzz/gnutls_srp_client_fuzzer.cc b/devel/fuzz/gnutls_srp_client_fuzzer.cc
new file mode 100644
index 0000000000..e3944eb33b
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_client_fuzzer.cc
@@ -0,0 +1,125 @@
+/*
+ * Copyright (C) 2017 Nikos Mavrogiannopoulos
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+#include <assert.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <sys/types.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <gnutls/gnutls.h>
+
+#include "srp.h"
+
+struct mem_st {
+ const uint8_t *data;
+ size_t size;
+};
+
+#define MIN(x,y) ((x)<(y)?(x):(y))
+static ssize_t
+client_push(gnutls_transport_ptr_t tr, const void *data, size_t len)
+{
+ return len;
+}
+
+static ssize_t client_pull(gnutls_transport_ptr_t tr, void *data, size_t len)
+{
+ struct mem_st *p = (struct mem_st *)tr;
+
+ if (p->size == 0) {
+ return 0;
+ }
+
+ len = MIN(len, p->size);
+ memcpy(data, p->data, len);
+
+ p->size -= len;
+ p->data += len;
+
+ return len;
+}
+
+int client_pull_timeout_func(gnutls_transport_ptr_t tr, unsigned int ms)
+{
+ struct mem_st *p = (struct mem_st *)tr;
+
+ if (p->size > 0)
+ return 1; /* available data */
+ else
+ return 0; /* timeout */
+}
+
+#ifdef __cplusplus
+extern "C"
+#endif
+int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
+{
+ int res;
+ gnutls_session_t session;
+ gnutls_srp_client_credentials_t pcred;
+ struct mem_st memdata;
+
+ res = gnutls_init(&session, GNUTLS_CLIENT);
+ assert(res >= 0);
+
+ res = gnutls_srp_allocate_client_credentials(&pcred);
+ assert(res >= 0);
+
+ res = gnutls_srp_set_client_credentials(pcred, USERNAME, PASSWORD);
+ assert(res >= 0);
+
+ res = gnutls_credentials_set(session, GNUTLS_CRD_SRP, pcred);
+ assert(res >= 0);
+
+ res = gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+SRP:+SRP-RSA:+SRP-DSS", NULL);
+ assert(res >= 0);
+
+ memdata.data = data;
+ memdata.size = size;
+
+ gnutls_transport_set_push_function(session, client_push);
+ gnutls_transport_set_pull_function(session, client_pull);
+ gnutls_transport_set_pull_timeout_function(session,
+ client_pull_timeout_func);
+ gnutls_transport_set_ptr(session, &memdata);
+
+ do {
+ res = gnutls_handshake(session);
+ } while (res < 0 && gnutls_error_is_fatal(res) == 0);
+ if (res >= 0) {
+ while (true) {
+ char buf[16384];
+ res = gnutls_record_recv(session, buf, sizeof(buf));
+ if (res <= 0) {
+ break;
+ }
+ }
+ }
+
+ gnutls_deinit(session);
+ gnutls_srp_free_client_credentials(pcred);
+ return 0;
+}
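Review bot: Every setup call in LLVMFuzzerTestOneInput is checked only with `assert(res >= 0)`, which compiles away if the harness is built with -DNDEBUG in CFLAGS; a failed gnutls_init() would then leave `session` uninitialised for the calls that follow. An explicit check such as `if (res < 0) abort();` keeps the harness failing loudly in every build configuration. The same pattern appears in LLVMFuzzerTestOneInput of gnutls_srp_server_fuzzer.cc. Separately, `client_pull_timeout_func` is the only transport callback here not declared `static` (likewise `server_pull_timeout_func` in the server file), and `<fcntl.h>` appears unused in the lines shown.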
diff --git a/devel/fuzz/gnutls_srp_server.in/trace-client-srp b/devel/fuzz/gnutls_srp_server.in/trace-client-srp
new file mode 100644
index 0000000000..8a6dd02a7d
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_server.in/trace-client-srp
Binary files differ
diff --git a/devel/fuzz/gnutls_srp_server.in/trace-client-srp-dss b/devel/fuzz/gnutls_srp_server.in/trace-client-srp-dss
new file mode 100644
index 0000000000..4e589add75
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_server.in/trace-client-srp-dss
Binary files differ
diff --git a/devel/fuzz/gnutls_srp_server.in/trace-client-srp-rsa b/devel/fuzz/gnutls_srp_server.in/trace-client-srp-rsa
new file mode 100644
index 0000000000..9d1bd6e310
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_server.in/trace-client-srp-rsa
Binary files differ
diff --git a/devel/fuzz/gnutls_srp_server_fuzzer.cc b/devel/fuzz/gnutls_srp_server_fuzzer.cc
new file mode 100644
index 0000000000..aacb26a9b5
--- /dev/null
+++ b/devel/fuzz/gnutls_srp_server_fuzzer.cc
@@ -0,0 +1,179 @@
+/*
+ * Copyright (C) 2017 Nikos Mavrogiannopoulos
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+#include <assert.h>
+#include <stdint.h>
+#include <unistd.h>
+#include <string.h>
+#include <stdlib.h>
+
+#include <gnutls/gnutls.h>
+
+#include "certs.h"
+#include "srp.h"
+
+struct mem_st {
+ const uint8_t *data;
+ size_t size;
+};
+
+#define MIN(x,y) ((x)<(y)?(x):(y))
+static ssize_t
+server_push(gnutls_transport_ptr_t tr, const void *data, size_t len)
+{
+ return len;
+}
+
+static ssize_t server_pull(gnutls_transport_ptr_t tr, void *data, size_t len)
+{
+ struct mem_st *p = (struct mem_st*)tr;
+
+ if (p->size == 0) {
+ return 0;
+ }
+
+ len = MIN(len, p->size);
+ memcpy(data, p->data, len);
+
+ p->size -= len;
+ p->data += len;
+
+ return len;
+}
+
+int server_pull_timeout_func(gnutls_transport_ptr_t tr, unsigned int ms)
+{
+ struct mem_st *p = (struct mem_st*)tr;
+
+ if (p->size > 0)
+ return 1; /* available data */
+ else
+ return 0; /* timeout */
+}
+
+static int
+srp_cb(gnutls_session_t session, const char *username,
+ gnutls_datum_t *salt, gnutls_datum_t *verifier, gnutls_datum_t *generator, gnutls_datum_t *prime)
+{
+ int ret;
+
+ salt->data = (unsigned char*)gnutls_malloc(SALT_SIZE);
+ memcpy(salt->data, (unsigned char*)SALT, SALT_SIZE);
+ salt->size = SALT_SIZE;
+
+ generator->data = (unsigned char*)gnutls_malloc(gnutls_srp_1024_group_generator.size);
+ memcpy(generator->data, gnutls_srp_1024_group_generator.data, gnutls_srp_1024_group_generator.size);
+ generator->size = gnutls_srp_1024_group_generator.size;
+
+ prime->data = (unsigned char*)gnutls_malloc(gnutls_srp_1024_group_prime.size);
+ memcpy(prime->data, gnutls_srp_1024_group_prime.data, gnutls_srp_1024_group_prime.size);
+ prime->size = gnutls_srp_1024_group_prime.size;
+
+ ret = gnutls_srp_verifier(USERNAME, PASSWORD, salt, generator, prime, verifier);
+ if (ret < 0)
+ return -1;
+
+ return 0;
+}
+
+#ifdef __cplusplus
+extern "C"
+#endif
+int LLVMFuzzerTestOneInput(const uint8_t * data, size_t size)
+{
+ int res;
+ gnutls_datum_t rsa_cert, rsa_key;
+ gnutls_datum_t ecdsa_cert, ecdsa_key;
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t xcred;
+ gnutls_srp_server_credentials_t pcred;
+ struct mem_st memdata;
+
+ res = gnutls_init(&session, GNUTLS_SERVER);
+ assert(res >= 0);
+
+ res = gnutls_certificate_allocate_credentials(&xcred);
+ assert(res >= 0);
+
+ res = gnutls_srp_allocate_server_credentials(&pcred);
+ assert(res >= 0);
+
+ gnutls_srp_set_server_credentials_function(pcred, srp_cb);
+
+ rsa_cert.data = (unsigned char *)kRSACertificateDER;
+ rsa_cert.size = sizeof(kRSACertificateDER);
+ rsa_key.data = (unsigned char *)kRSAPrivateKeyDER;
+ rsa_key.size = sizeof(kRSAPrivateKeyDER);
+
+ ecdsa_cert.data = (unsigned char *)kECDSACertificateDER;
+ ecdsa_cert.size = sizeof(kECDSACertificateDER);
+ ecdsa_key.data = (unsigned char *)kECDSAPrivateKeyDER;
+ ecdsa_key.size = sizeof(kECDSAPrivateKeyDER);
+
+ res =
+ gnutls_certificate_set_x509_key_mem(xcred, &rsa_cert, &rsa_key,
+ GNUTLS_X509_FMT_DER);
+ assert(res >= 0);
+
+ res =
+ gnutls_certificate_set_x509_key_mem(xcred, &ecdsa_cert, &ecdsa_key,
+ GNUTLS_X509_FMT_DER);
+ assert(res >= 0);
+
+ gnutls_certificate_set_known_dh_params(xcred, GNUTLS_SEC_PARAM_MEDIUM);
+
+ res = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ assert(res >= 0);
+
+ res = gnutls_credentials_set(session, GNUTLS_CRD_SRP, pcred);
+ assert(res >= 0);
+
+ res = gnutls_priority_set_direct(session, "NORMAL:-KX-ALL:+SRP:+SRP-RSA:+SRP-DSS", NULL);
+ assert(res >= 0);
+
+ memdata.data = data;
+ memdata.size = size;
+
+ gnutls_transport_set_push_function(session, server_push);
+ gnutls_transport_set_pull_function(session, server_pull);
+ gnutls_transport_set_pull_timeout_function(session, server_pull_timeout_func);
+ gnutls_transport_set_ptr(session, &memdata);
+
+ do {
+ res = gnutls_handshake(session);
+ } while (res < 0 && gnutls_error_is_fatal(res) == 0);
+ if (res >= 0) {
+ while (true) {
+ char buf[16384];
+ res = gnutls_record_recv(session, buf, sizeof(buf));
+ if (res <= 0) {
+ break;
+ }
+ }
+ }
+
+ gnutls_deinit(session);
+ gnutls_certificate_free_credentials(xcred);
+ gnutls_srp_free_server_credentials(pcred);
+ return 0;
+}
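Review bot: srp_cb passes each gnutls_malloc() result straight to memcpy() without a NULL check, so an allocation failure while copying the salt, generator or prime becomes a NULL write inside the harness and gets reported as a crash that is not a library finding. Add `if (salt->data == NULL) return -1;` after the first allocation and the equivalent checks for `generator->data` and `prime->data`. On the `ret < 0` path from gnutls_srp_verifier() the three buffers are already allocated; whether the caller releases them after a negative return is not visible in this diff, so confirm that or free them before returning. A short comment stating that `username` is deliberately ignored, so every name resolves to the fixed USERNAME/PASSWORD verifier, would also help the next reader.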
diff --git a/devel/fuzz/srp.h b/devel/fuzz/srp.h
new file mode 100644
index 0000000000..90bc283c2f
--- /dev/null
+++ b/devel/fuzz/srp.h
@@ -0,0 +1,33 @@
+/*
+ * Copyright (C) 2017 Nikos Mavrogiannopoulos
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining a
+ * copy of this software and associated documentation files (the "Software"),
+ * to deal in the Software without restriction, including without limitation
+ * the rights to use, copy, modify, merge, publish, distribute, sublicense,
+ * and/or sell copies of the Software, and to permit persons to whom the
+ * Software is furnished to do so, subject to the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be included in
+ * all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+ * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
+ * DEALINGS IN THE SOFTWARE.
+ *
+ */
+
+#ifndef SRP_H
+# define SRP_H
+
+#define USERNAME "test"
+#define PASSWORD "test"
+
+#define SALT "\xeb\x0e\x6a\x5c\x02\x0d\x4b\xa9\x97\xb6\xbe\x73\x4a\x71\xc5\x00"
+#define SALT_SIZE 16
+
+#endif
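Review bot: SALT_SIZE is kept in step with the SALT literal by hand, and the salt's last byte is `\x00`, so any later code that measures it with strlen() would come up one byte short. Deriving the length from the literal avoids both problems: `#define SALT_SIZE (sizeof(SALT) - 1)`. A one-line comment above USERNAME/PASSWORD, for example `/* fixed test-only SRP credentials shared by the client and server fuzzers */`, would make clear these values are harness fixtures and not meant for reuse.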