What is it?
------

This directory contains fuzz targets.
Fuzz targets are small programs that exercise the library.
They are used with a so-called fuzz driver, which generates inputs, tries to process them with the fuzz target, and alerts in case of unwanted behavior (such as a buffer overflow, for instance).

These targets were meant to be used with oss-fuzz but can be used in other contexts.

This code was contributed by Philippe Antoine (Catena cyber).

How to run?
------

To run the fuzz targets like oss-fuzz:
```
git clone https://github.com/google/oss-fuzz
cd oss-fuzz
python infra/helper.py build_image mbedtls
python infra/helper.py build_fuzzers --sanitizer address mbedtls
python infra/helper.py run_fuzzer mbedtls fuzz_client
```
You can use the `undefined` sanitizer as well as the `address` sanitizer.
And you can run any of the fuzz targets, not just `fuzz_client`.

To run the fuzz targets without oss-fuzz, you first need to install a libFuzzingEngine (libFuzzer for instance).
Then you need to compile the code with the compiler flags of the desired sanitizer.
```
python scripts/config.py set MBEDTLS_PLATFORM_TIME_ALT
mkdir build
cd build
cmake ..
make
```
Finally, you can run the targets like `./test/fuzz/fuzz_client`.


Corpus generation for network traffic targets
------

These targets use network traffic as inputs:
* client: simulates a client against (fuzzed) server traffic
* server: simulates a server against (fuzzed) client traffic
* dtls_client
* dtls_server

They also use the last bytes of the input as configuration options.

To generate a corpus for these targets, you can follow these (not fully automated) steps:
* Build the mbedtls programs ssl_server2 and ssl_client2
* Run them one against the other with the `reproducible` option turned on while capturing traffic into test.pcap
* Extract the TCP payloads, for instance with tshark: `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt`
* Run a small Python script to output either the client or the server corpus file, like `python dummy.py test.txt > test.cor`
* Finally, you can add the options by appending the last bytes to the file test.cor

Here is an example of dummy.py for extracting the payloads from client to server (if we used `tcp.dstport` in the tshark command):
```
import sys
import binascii

# Input: one line per TCP segment, "<dstport> <payload hex>", as produced by
# `tshark -Tfields -e tcp.dstport -e tcp.payload`.
with open(sys.argv[1]) as f:
    for l in f:
        portAndPl = l.split()
        # segments without payload only print the port, so skip them
        if len(portAndPl) == 2:
            # determine client or server based on port (4433 is where ssl_server2 listens)
            if portAndPl[0] == "4433":
                # write the raw bytes: print() would emit the b'...' repr under Python 3
                sys.stdout.buffer.write(binascii.unhexlify(portAndPl[1].replace(":", "")))
```
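As an added example (not part of the mbedtls fuzz directory or of the original README), the script below generalizes dummy.py: it splits one tshark dump into both directions at once, so the same capture yields a corpus entry for `fuzz_server` (client-to-server traffic) and for `fuzz_client` (server-to-client traffic), accepts both the colon-separated and the plain hex payload formats that different tshark versions emit, and appends the trailing configuration bytes instead of leaving that as a manual step. The assumptions are mine: ssl_server2 listens on port 4433 as in dummy.py above, the output file names `fuzz_server.cor` and `fuzz_client.cor` are arbitrary, the sample tshark lines are constructed, and since this page does not specify the format of the trailing option bytes they are simply taken as hex from the command line and appended unchanged.

```python
import binascii
import sys

# Port that ssl_server2 listens on in this README's setup (assumption taken from
# dummy.py above): segments with this destination port carry client-to-server
# traffic, every other segment carries server-to-client traffic.
SERVER_PORT = "4433"

# Constructed sample of `tshark -Tfields -e tcp.dstport -e tcp.payload` output:
# colon-separated hex, plain hex, and a payload-less segment (only the port).
SAMPLE_TSHARK_OUTPUT = [
    "4433\t16:03:01:00:05\n",
    "51234\t160303\n",
    "4433\t\n",
    "51234\t01:02\n",
]


def split_tshark_payloads(lines, server_port=SERVER_PORT):
    """Parse tshark field output into (client_to_server, server_to_client).

    Each element is the concatenation, in capture order, of the raw TCP
    payloads flowing in that direction. Segments without payload (pure ACKs,
    TCP handshake) print only the port and are skipped.
    """
    to_server = bytearray()
    to_client = bytearray()
    for line in lines:
        fields = line.split()
        if len(fields) != 2:
            continue
        dstport, payload_hex = fields
        raw = binascii.unhexlify(payload_hex.replace(":", ""))
        if dstport == server_port:
            to_server += raw
        else:
            to_client += raw
    return bytes(to_server), bytes(to_client)


def build_corpus_entry(payload, options=b""):
    """Append the configuration bytes the targets read from the end of their
    input. Their layout is defined by the fuzz targets themselves, not here,
    so `options` is passed through unchanged."""
    return payload + options


def main(argv):
    # usage: python split_corpus.py test.txt [options_hex]
    if len(argv) < 2:
        sys.stderr.write("usage: %s test.txt [options_hex]\n" % argv[0])
        return 2
    options = binascii.unhexlify(argv[2]) if len(argv) > 2 else b""
    with open(argv[1]) as f:
        to_server, to_client = split_tshark_payloads(f)
    # fuzz_server consumes client traffic, fuzz_client consumes server traffic
    with open("fuzz_server.cor", "wb") as out:
        out.write(build_corpus_entry(to_server, options))
    with open("fuzz_client.cor", "wb") as out:
        out.write(build_corpus_entry(to_client, options))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keeping the parsing in a function that returns both directions makes it easy to check the result against a known capture before feeding it to the fuzzer; with the constructed sample, the client-to-server side is `16 03 01 00 05` and the server-to-client side is `16 03 03 01 02`.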