From 5c72bf627222ed2f8d285c2277bb93b7afe9fd2e Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Mon, 11 Aug 2014 16:29:19 -0600 Subject: [PATCH 1/3] fuzzer callbacks --- cyassl/internal.h | 3 +++ cyassl/ssl.h | 14 ++++++++++++++ src/internal.c | 27 +++++++++++++++++++++++++++ src/ssl.c | 7 +++++++ src/tls.c | 5 +++++ 5 files changed, 56 insertions(+) diff --git a/cyassl/internal.h b/cyassl/internal.h index ccd7c8138..6f53ba0b0 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1969,6 +1969,9 @@ struct CYASSL { byte hsInfoOn; /* track handshake info */ byte toInfoOn; /* track timeout info */ #endif +#ifdef HAVE_FUZZER + CallbackFuzzer fuzzerCb; /* for testing with using fuzzer */ +#endif #ifdef KEEP_PEER_CERT CYASSL_X509 peerCert; /* X509 peer cert */ #endif diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 7109b0726..33f7a3f71 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -930,6 +930,20 @@ CYASSL_API int CyaSSL_set_group_messages(CYASSL*); typedef int (*CallbackIORecv)(CYASSL *ssl, char *buf, int sz, void *ctx); typedef int (*CallbackIOSend)(CYASSL *ssl, char *buf, int sz, void *ctx); +#ifdef HAVE_FUZZER +enum fuzzer_type { + FUZZ_HMAC = 0, + FUZZ_ENCRYPT = 1, + FUZZ_SIGNATURE = 2, + FUZZ_HASH = 3 +}; + +typedef int (*CallbackFuzzer)(const unsigned char* buf, int sz, int type, + void* ctx); + +CYASSL_API void CyaSSL_SetFuzzerCb(CYASSL* ssl, CallbackFuzzer cbf); +#endif + CYASSL_API void CyaSSL_SetIORecv(CYASSL_CTX*, CallbackIORecv); CYASSL_API void CyaSSL_SetIOSend(CYASSL_CTX*, CallbackIOSend); diff --git a/src/internal.c b/src/internal.c index eb7baccb5..1819b4e0e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -1752,6 +1752,9 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) ssl->MacEncryptCtx = NULL; ssl->DecryptVerifyCtx = NULL; #endif +#ifdef HAVE_FUZZER + ssl->fuzzerCb = NULL; +#endif #ifdef HAVE_PK_CALLBACKS #ifdef HAVE_ECC ssl->EccSignCtx = NULL; 
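Review bot: The new `CallbackFuzzer` typedef and `fuzzer_type` enum in cyassl/ssl.h carry no documentation, and what they expose is security-sensitive: the call sites added in src/internal.c hand the hook the pre-encryption `input` of Encrypt, the pre-MAC bytes in SSL_hmac and the to-be-signed bytes ahead of the "do signature" block. A comment above the `#ifdef HAVE_FUZZER` block should make clear that this is a test-only build option whose callback sees plaintext, e.g. `/* Test-only (HAVE_FUZZER): the callback is invoked synchronously with plaintext record data, pre-MAC input and to-be-signed bytes. Never enable in production builds. */`. Each enumerator would also benefit from a one-line note of which buffer it delivers, since `type` is the only way the callback can tell the sites apart.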
@@ -2527,6 +2530,10 @@ static int HashOutput(CYASSL* ssl, const byte* output, int sz, int ivSz) const byte* adj = output + RECORD_HEADER_SZ + ivSz; sz -= RECORD_HEADER_SZ; +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(output, sz, FUZZ_HASH, ssl->ctx); +#endif #ifdef CYASSL_DTLS if (ssl->options.dtls) { adj += DTLS_RECORD_EXTRA; @@ -5113,6 +5120,11 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word16 sz) return ENCRYPT_ERROR; } +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(input, sz, FUZZ_ENCRYPT, ssl->ctx); +#endif + switch (ssl->specs.bulk_cipher_algorithm) { #ifdef BUILD_ARC4 case cyassl_rc4: @@ -6390,6 +6402,11 @@ static int SSL_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, byte conLen[ENUM_LEN + LENGTH_SZ]; /* content & length */ const byte* macSecret = CyaSSL_GetMacSecret(ssl, verify); +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(in, sz, FUZZ_HMAC, ssl->ctx); +#endif + XMEMSET(seq, 0, SEQ_SZ); conLen[0] = (byte)content; c16toa((word16)sz, &conLen[ENUM_LEN]); @@ -10543,6 +10560,11 @@ static void PickHashSigAlgo(CYASSL* ssl, /* Signtaure length will be written later, when we're sure what it is */ +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(output + preSigIdx, preSigSz, FUZZ_SIGNATURE, ssl->ctx); +#endif + /* do signature */ { #ifndef NO_OLD_TLS @@ -10895,6 +10917,11 @@ static void PickHashSigAlgo(CYASSL* ssl, c16toa((word16)sigSz, output + idx); idx += LENGTH_SZ; +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(output + preSigIdx, preSigSz, FUZZ_SIGNATURE, ssl->ctx); +#endif + /* do signature */ { #ifndef NO_OLD_TLS diff --git a/src/ssl.c b/src/ssl.c index 1b99e98fd..93d52c8d3 100644 --- a/src/ssl.c +++ b/src/ssl.c 
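Review bot: The FUZZ_HASH call passes `output`, which still points at the record header, together with `sz` after `sz -= RECORD_HEADER_SZ;` has already run, so the span handed to the callback is neither the whole record nor the bytes that get hashed: it starts at the header and stops RECORD_HEADER_SZ bytes short of the record's end. If the whole record is intended, move the call above the subtraction or pass `ssl->fuzzerCb(output, sz + RECORD_HEADER_SZ, FUZZ_HASH, ssl->ctx);`; if the hashed payload is intended, call the hook after the DTLS adjustment with `adj` (the hashed length is not visible in the hunk, presumably `sz - ivSz`). Patch 3 of this series rewrites the line but keeps the same `output, sz` pair, so the mismatch survives. HashOutput continues outside the hunk.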
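Review bot: `sz` is a `word32` in SSL_hmac's signature (and likewise in TLS_hmac in src/tls.c), but `CallbackFuzzer` declares its length as `int`, so the hook silently narrows the value at both HMAC call sites while Encrypt passes a `word16`. Record sizes are bounded by the protocol so this is not exploitable, but it trips `-Wconversion` and mixes signedness across the hook sites. Either declare the typedef's length with an unsigned type such as `word32`, or cast explicitly at the call, `ssl->fuzzerCb(in, (int)sz, FUZZ_HMAC, ssl->ctx);`, so the narrowing is deliberate and visible. SSL_hmac continues outside the hunk.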
@@ -11501,6 +11501,13 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session) #endif /* SESSION_CERTS */ +#ifdef HAVE_FUZZER +void CyaSSL_SetFuzzerCb(CYASSL* ssl, CallbackFuzzer cbf) +{ + if (ssl) + ssl->fuzzerCb = cbf; +} +#endif #ifndef NO_CERTS #ifdef HAVE_PK_CALLBACKS diff --git a/src/tls.c b/src/tls.c index a569f064e..f52160df6 100644 --- a/src/tls.c +++ b/src/tls.c @@ -677,6 +677,11 @@ int TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, if (ssl == NULL) return BAD_FUNC_ARG; +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(in, sz, FUZZ_HMAC, ssl->ctx); +#endif + CyaSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify); ret = HmacSetKey(&hmac, CyaSSL_GetHmacType(ssl), From a18602951b7a3366ab167ff17f413b3eec2d3839 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 Aug 2014 11:56:20 -0600 Subject: [PATCH 2/3] record header fuzz --- cyassl/ssl.h | 3 ++- src/internal.c | 11 +++++++++++ 2 files changed, 13 insertions(+), 1 deletion(-) diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 33f7a3f71..2d6f3aebc 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -935,7 +935,8 @@ enum fuzzer_type { FUZZ_HMAC = 0, FUZZ_ENCRYPT = 1, FUZZ_SIGNATURE = 2, - FUZZ_HASH = 3 + FUZZ_HASH = 3, + FUZZ_HEAD = 4 }; typedef int (*CallbackFuzzer)(const unsigned char* buf, int sz, int type, diff --git a/src/internal.c b/src/internal.c index 1819b4e0e..f24c0c58e 100644 --- a/src/internal.c +++ b/src/internal.c @@ -2959,6 +2959,11 @@ static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx, RecordLayerHeader* rh, word16 *size) { if (!ssl->options.dtls) { +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD, + ssl->ctx); +#endif XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ); *inOutIdx += RECORD_HEADER_SZ; ato16(rh->length, size); 
@@ -2974,6 +2979,12 @@ static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx, *inOutIdx += 4; /* advance past rest of seq */ ato16(input + *inOutIdx, size); *inOutIdx += LENGTH_SZ; +#ifdef HAVE_FUZZER + if (ssl->fuzzerCb) + ssl->fuzzerCb(input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN - + VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ, + FUZZ_HEAD, ssl->ctx); +#endif #endif } From 856aab7f308670e69e8f5f3519e82857a6a259e3 Mon Sep 17 00:00:00 2001 From: JacobBarthelmeh Date: Tue, 12 Aug 2014 16:25:58 -0600 Subject: [PATCH 3/3] add fuzzer CYASSL* and fuzzer ctx --- cyassl/internal.h | 1 + cyassl/ssl.h | 6 +++--- src/internal.c | 23 +++++++++++++---------- src/ssl.c | 8 +++++--- src/tls.c | 2 +- 5 files changed, 23 insertions(+), 17 deletions(-) diff --git a/cyassl/internal.h b/cyassl/internal.h index 6f53ba0b0..3225f418c 100644 --- a/cyassl/internal.h +++ b/cyassl/internal.h @@ -1971,6 +1971,7 @@ struct CYASSL { #endif #ifdef HAVE_FUZZER CallbackFuzzer fuzzerCb; /* for testing with using fuzzer */ + void* fuzzerCtx; /* user defined pointer */ #endif #ifdef KEEP_PEER_CERT CYASSL_X509 peerCert; /* X509 peer cert */ diff --git a/cyassl/ssl.h b/cyassl/ssl.h index 2d6f3aebc..f8976d0f5 100644 --- a/cyassl/ssl.h +++ b/cyassl/ssl.h @@ -939,10 +939,10 @@ enum fuzzer_type { FUZZ_HEAD = 4 }; -typedef int (*CallbackFuzzer)(const unsigned char* buf, int sz, int type, - void* ctx); +typedef int (*CallbackFuzzer)(CYASSL* ssl, const unsigned char* buf, int sz, + int type, void* fuzzCtx); -CYASSL_API void CyaSSL_SetFuzzerCb(CYASSL* ssl, CallbackFuzzer cbf); +CYASSL_API void CyaSSL_SetFuzzerCb(CYASSL* ssl, CallbackFuzzer cbf, void* fCtx); #endif CYASSL_API void CyaSSL_SetIORecv(CYASSL_CTX*, CallbackIORecv); diff --git a/src/internal.c b/src/internal.c index f24c0c58e..963a0837c 100644 --- a/src/internal.c +++ b/src/internal.c 
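Review bot: The DTLS FUZZ_HEAD call rewinds over the header with a literal `8` for the epoch and sequence bytes, while the HashOutput hunk in patch 1 names that same quantity `DTLS_RECORD_EXTRA`; if those are the same value the call should use the constant, `ssl->fuzzerCb(input + *inOutIdx - LENGTH_SZ - DTLS_RECORD_EXTRA - ENUM_LEN - VERSION_SZ, ENUM_LEN + VERSION_SZ + DTLS_RECORD_EXTRA + LENGTH_SZ, FUZZ_HEAD, ssl->ctx);`. The hook also fires only after `ato16(input + *inOutIdx, size)` and the preceding sequence-number reads have consumed the header, whereas the TLS branch added in the previous hunk invokes it before the `XMEMCPY` into `rh`, so a callback that mutates the buffer can influence the parsed length for TLS but not for DTLS. Capturing the header start before the DTLS parsing begins and calling the hook there would make both branches behave the same; that parsing starts above the hunk. GetRecordHeader continues outside the hunk.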
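Review bot: `CallbackFuzzer` still returns `int` after this rework, yet none of the call sites in this series (HashOutput, GetRecordHeader, Encrypt, SSL_hmac, TLS_hmac and the two signature sites) look at the result, so a callback has no way to report failure or ask the library to drop the record. Either change the typedef to return `void`, or document what a non-zero return means and honour it at the call sites. Separately, `buf` is `const unsigned char*`; if the hook is meant to mutate data in place, as the name suggests, the callback has to cast away `const`, which is worth stating next to the typedef, e.g. `/* buf is a library-owned, writable buffer of sz bytes; the const is a promise the library makes, not one the callback must keep. */` — that claim should be confirmed against the buffers each call site passes.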
@@ -1754,6 +1754,7 @@ int InitSSL(CYASSL* ssl, CYASSL_CTX* ctx) #endif #ifdef HAVE_FUZZER ssl->fuzzerCb = NULL; + ssl->fuzzerCtx = NULL; #endif #ifdef HAVE_PK_CALLBACKS #ifdef HAVE_ECC @@ -2532,7 +2533,7 @@ static int HashOutput(CYASSL* ssl, const byte* output, int sz, int ivSz) #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(output, sz, FUZZ_HASH, ssl->ctx); + ssl->fuzzerCb(ssl, output, sz, FUZZ_HASH, ssl->fuzzerCtx); #endif #ifdef CYASSL_DTLS if (ssl->options.dtls) { @@ -2961,8 +2962,8 @@ static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx, if (!ssl->options.dtls) { #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD, - ssl->ctx); + ssl->fuzzerCb(ssl, input + *inOutIdx, RECORD_HEADER_SZ, FUZZ_HEAD, + ssl->fuzzerCtx); #endif XMEMCPY(rh, input + *inOutIdx, RECORD_HEADER_SZ); *inOutIdx += RECORD_HEADER_SZ; @@ -2981,9 +2982,9 @@ static int GetRecordHeader(CYASSL* ssl, const byte* input, word32* inOutIdx, *inOutIdx += LENGTH_SZ; #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN - - VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ, - FUZZ_HEAD, ssl->ctx); + ssl->fuzzerCb(ssl, input + *inOutIdx - LENGTH_SZ - 8 - ENUM_LEN - + VERSION_SZ, ENUM_LEN + VERSION_SZ + 8 + LENGTH_SZ, + FUZZ_HEAD, ssl->fuzzerCtx); #endif #endif } @@ -5133,7 +5134,7 @@ static INLINE int Encrypt(CYASSL* ssl, byte* out, const byte* input, word16 sz) #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(input, sz, FUZZ_ENCRYPT, ssl->ctx); + ssl->fuzzerCb(ssl, input, sz, FUZZ_ENCRYPT, ssl->fuzzerCtx); #endif switch (ssl->specs.bulk_cipher_algorithm) { @@ -6415,7 +6416,7 @@ static int SSL_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(in, sz, FUZZ_HMAC, ssl->ctx); + ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx); #endif XMEMSET(seq, 0, SEQ_SZ); 
@@ -10573,7 +10574,8 @@ static void PickHashSigAlgo(CYASSL* ssl, #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(output + preSigIdx, preSigSz, FUZZ_SIGNATURE, ssl->ctx); + ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE, + ssl->fuzzerCtx); #endif /* do signature */ @@ -10930,7 +10932,8 @@ static void PickHashSigAlgo(CYASSL* ssl, #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(output + preSigIdx, preSigSz, FUZZ_SIGNATURE, ssl->ctx); + ssl->fuzzerCb(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE, + ssl->fuzzerCtx); #endif /* do signature */ diff --git a/src/ssl.c b/src/ssl.c index 93d52c8d3..e630a847a 100644 --- a/src/ssl.c +++ b/src/ssl.c @@ -11502,10 +11502,12 @@ const byte* CyaSSL_get_sessionID(const CYASSL_SESSION* session) #endif /* SESSION_CERTS */ #ifdef HAVE_FUZZER -void CyaSSL_SetFuzzerCb(CYASSL* ssl, CallbackFuzzer cbf) +void CyaSSL_SetFuzzerCb(CYASSL* ssl, CallbackFuzzer cbf, void* fCtx) { - if (ssl) - ssl->fuzzerCb = cbf; + if (ssl) { + ssl->fuzzerCb = cbf; + ssl->fuzzerCtx = fCtx; + } } #endif diff --git a/src/tls.c b/src/tls.c index f52160df6..30feb6129 100644 --- a/src/tls.c +++ b/src/tls.c @@ -679,7 +679,7 @@ int TLS_hmac(CYASSL* ssl, byte* digest, const byte* in, word32 sz, #ifdef HAVE_FUZZER if (ssl->fuzzerCb) - ssl->fuzzerCb(in, sz, FUZZ_HMAC, ssl->ctx); + ssl->fuzzerCb(ssl, in, sz, FUZZ_HMAC, ssl->fuzzerCtx); #endif CyaSSL_SetTlsHmacInner(ssl, myInner, sz, content, verify);
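Review bot: The `#ifdef HAVE_FUZZER` / `if (ssl->fuzzerCb)` / call block is now repeated verbatim at seven sites across src/internal.c and src/tls.c, and this series already had to touch every copy once just to change the signature; a single helper keeps each site to one line and makes the next signature change local. A macro in cyassl/internal.h next to the `fuzzerCb` field that expands to nothing without HAVE_FUZZER also removes the conditional from the call sites. The `@@` label names PickHashSigAlgo, but that is only the nearest unindented line; the enclosing function starts and ends outside the hunk.
```c
/* cyassl/internal.h, next to the fuzzerCb / fuzzerCtx fields */
#ifdef HAVE_FUZZER
    #define FUZZER_HOOK(ssl, buf, sz, type)                               \
        do {                                                              \
            if ((ssl)->fuzzerCb)                                          \
                (ssl)->fuzzerCb((ssl), (buf), (sz), (type),               \
                                (ssl)->fuzzerCtx);                        \
        } while (0)
#else
    #define FUZZER_HOOK(ssl, buf, sz, type) do { } while (0)
#endif

/* … unchanged: signature length comment … */
    FUZZER_HOOK(ssl, output + preSigIdx, preSigSz, FUZZ_SIGNATURE);
/* … unchanged: do signature … */
```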
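Review bot: `CyaSSL_SetFuzzerCb` stores `fCtx` by pointer and silently does nothing when `ssl` is NULL, and neither the header nor this definition says so. A short comment above the function would save callers from a dangling context: `/* Register the HAVE_FUZZER hook on this session. fCtx is stored, not copied, and is passed back to cbf unchanged, so it must outlive the session or be cleared by registering a NULL cbf; a NULL ssl is ignored. */`. Whether the session ever clears the pointer itself is not visible here.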