fuzz/*: add fuzz testing for host mode

use libfuzz for host mode

Signed-off-by: Pengyu Chen <[email protected]>

CMakeLists.txt

@@ -101,6 +101,7 @@ if(BUILD_SAMPLES)
     message(STATUS "Build Samples: on")
     add_subdirectory(samples)
 endif()
+add_subdirectory(fuzz)
 
 # Uninstall target
 if(NOT TARGET uninstall)

fuzz/CMakeLists.txt

@@ -0,0 +1,4 @@
+add_subdirectory(tls_init)
+add_subdirectory(tls_negotiate)
+add_subdirectory(tls_server)
+add_subdirectory(tls_transmit)

fuzz/README.md

@@ -0,0 +1,22 @@
+## build
+just use cmake to build in the host mode, and you would see fuzz in `/usr/share/rats-tls/fuzz` 
+
++ tls_init
+to fuzz `rats_tls_init()`, we use random input `* data` to fill the `conf`, and set value to part of the `conf` in order to run `rats_tls_init()` more frequently
+> cd /usr/share/rats-tls/fuzz/
+> ./fuzz_init -max_len=1000
+
+
++ tls_negotiate
+start the `/usr/share/rats_tls/fuzz/fuzz_server` first, then use `tls_negotiate` to connect to server and fuzz the `rats_tls_negotiate()` API
+
+> cd /usr/share/rats_tls/fuzz/
+> ./fuzz_server &
+> ./fuzz_negotiate -max_len=3000
+
+
++ tls_transmit/recv/clean_up
+we synthesis the 3 sequential API in one program, start the `/usr/share/rats_tls/fuzz/fuzz_server` first, then use `tls_transmit` to connect to server and fuzz the `rats_tls_transmit()` and `rats_tls_recv()`,`rats_tls_cleanup` APIs by sending ramdom string and receiving the same response
+> cd /usr/share/rats_tls/fuzz/
+> ./fuzz_server &
+> ./fuzz_transmit -max_len=3000

fuzz/tls_init/CMakeLists.txt

@@ -0,0 +1,74 @@
+project(fuzz_init CXX)
+
+if(NOT SGX)
+    #set(CMAKE_C_FLAGS "-fPIE ${CMAKE_C_FLAGS}")
+    set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+    set(CMAKE_CXX_COMPILER "/usr/bin/clang++")
+    set(CMAKE_CXX_FLAGS "-g -fsanitize=address,fuzzer  ${CMAKE_CXX_FLAGS}")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}")
+endif()
+
+if(SGX)
+    list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
+    include(CustomInstallDirs)
+    include(FindRatsTls)
+    if(NOT RATS_TLS_FOUND)
+        message(FATAL_ERROR "Failed to find rats_tls!")
+    endif()
+
+    include(FindSGX)
+    if(NOT SGX_FOUND)
+        message(FATAL_ERROR "Failed to find sgx!")
+    endif()
+
+    include(CompilerOptions)
+    include(SGXCommon)
+
+    set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave
+                             ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+			     )
+    set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls
+                     )
+    list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/sgx/untrust
+                             ${CMAKE_BINARY_DIR}/samples/sgx-stub-enclave
+                             )
+    set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave
+                         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+                         )
+    set(DEPEND_UNTRUSTED_LIBS ${CMAKE_BINARY_DIR}/src/sgx/untrust/librats_tls_u.a)
+
+else()
+    set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls
+                     ${RATS_TLS_INSTALL_INCLUDE_PATH}
+                     ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl
+                     )
+    set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH})
+endif()
+
+include_directories(${INCLUDE_DIRS})
+link_directories(${LIBRARY_DIRS})
+
+# Set source file
+set(SOURCES fuzz_init.cc)
+
+# Generate bin file
+if(SGX)
+    set(EDLS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave/sgx_stub.edl)
+    add_untrusted_executable(${PROJECT_NAME}
+                             SRCS ${SOURCES}
+                             UNTRUSTED_LIBS ${DEPEND_UNTRUSTED_LIBS}
+                             EDL ${EDLS}
+                             EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS}
+                             )
+    add_dependencies(${PROJECT_NAME} sgx_stub_enclave-sign)
+else()
+    add_executable(${PROJECT_NAME} ${SOURCES})
+    target_link_libraries(${PROJECT_NAME} rats_tls)
+endif()
+
+install(TARGETS ${PROJECT_NAME}
+	DESTINATION /usr/share/rats-tls/fuzz)

fuzz/tls_init/fuzz_init.cc

@@ -0,0 +1,79 @@
+/* Copyright (c) 2021 Intel Corporation
+ * Copyright (c) 2020-2021 Alibaba Cloud
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+extern "C"{
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+#include "rats-tls/api.h"
+#include "rats-tls/log.h"
+#include "rats-tls/claim.h"
+#include "internal/core.h"
+}
+#include <fuzzer/FuzzedDataProvider.h>
+#include <vector>
+
+#define CUSTOM_CLAIMS_SIZE 10
+using namespace std;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data,size_t size){
+    rats_tls_conf_t conf; // consume 192 bytes
+    // conf | claim_array | random char *  in claim_array
+    if(size < sizeof(rats_tls_conf_t) + 10 * sizeof(claim_t) + 50 * 10){
+        return 0;
+    }
+    memcpy(&conf, data, sizeof(conf));
+    conf.log_level  = RATS_TLS_LOG_LEVEL_DEFAULT;
+    conf.api_version = 0;
+
+    /*fuzz log level*/
+    /*fuzz round could not be too huge, that leads to unexpected log_level*/
+    strcpy(conf.attester_type, "nullattester");
+    strcpy(conf.verifier_type, "nullverifier");
+    strcpy(conf.tls_type, "nulltls");
+    strcpy(conf.crypto_type, "nullcrypto");
+
+    conf.cert_algo = RATS_TLS_CERT_ALGO_DEFAULT;
+    conf.flags = RATS_TLS_CONF_FLAGS_MUTUAL;
+
+    FuzzedDataProvider fuzzed_data(data + sizeof(conf), size - sizeof(conf));
+    claim_t custom_claims[CUSTOM_CLAIMS_SIZE];
+    std::vector<std::string> str_lists;
+    for(int i=0;i<CUSTOM_CLAIMS_SIZE;i++){
+        //const char * str = fuzzed_data.ConsumeBytesWithTerminator(50,'\0').data();
+        /*这里不能使用上面的方法,否则会有空悬指针的问题*/
+        std::vector<char> vec_str = fuzzed_data.ConsumeBytesWithTerminator(50,'\0');
+        std::string str(vec_str.begin(),vec_str.end());
+        str_lists.push_back(str);
+        custom_claims[i].value = (uint8_t *)str_lists[i].c_str();
+        //custom_claims[i].value_size = 51; // \0 also need 1 byte 
+        custom_claims[i].value_size = (strlen(str_lists[i].c_str()) + 1) *sizeof(char);
+        /*
+            there exist a question, when I use strlen(str) to get 
+            the size of used byte, Fuzzer warn I trigger `heap-use-after-free` 
+            here, so I use a const number to assign to the value_size 
+        */
+        if(fuzzed_data.remaining_bytes() <= 0 ){
+            return 0;
+        }
+        custom_claims[i].name = "key";
+
+    }
+    conf.custom_claims = (claim_t *)custom_claims;
+    conf.custom_claims_length = CUSTOM_CLAIMS_SIZE;
+
+    //claim_t custom_claims[2] = {
+		//{ .name = "key_0", .value = (uint8_t *)"value_0", .value_size = sizeof("value_0") },
+		//{ .name = "key_1", .value = (uint8_t *)"value_1", .value_size = sizeof("value_1") },
+	//};
+	//conf.custom_claims = (claim_t *)custom_claims;
+	//conf.custom_claims_length = 2;
+
+    rats_tls_handle handle;
+    rats_tls_err_t err = rats_tls_init(&conf,&handle);
+    return 0;
+
+
+}

fuzz/tls_negotiate/CMakeLists.txt

@@ -0,0 +1,75 @@
+project(fuzz_negotiate CXX)
+
+if(NOT SGX)
+    #set(CMAKE_C_FLAGS "-fPIE ${CMAKE_C_FLAGS}")
+    set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS})
+    set(CMAKE_CXX_COMPILER "/usr/bin/clang++")
+    set(CMAKE_CXX_FLAGS "-g -fsanitize=address,fuzzer ${CMAKE_CXX_FLAGS}")
+    set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}")
+endif()
+
+if(SGX)
+    list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake")
+    include(CustomInstallDirs)
+    include(FindRatsTls)
+    if(NOT RATS_TLS_FOUND)
+        message(FATAL_ERROR "Failed to find rats_tls!")
+    endif()
+
+    include(FindSGX)
+    if(NOT SGX_FOUND)
+        message(FATAL_ERROR "Failed to find sgx!")
+    endif()
+
+    include(CompilerOptions)
+    include(SGXCommon)
+
+    set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave
+                             ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+			     )
+    set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls
+                     )
+    list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/sgx/untrust
+                             ${CMAKE_BINARY_DIR}/samples/sgx-stub-enclave
+                             )
+    set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave
+                         ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+                         )
+    set(DEPEND_UNTRUSTED_LIBS ${CMAKE_BINARY_DIR}/src/sgx/untrust/librats_tls_u.a)
+
+else()
+    set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl
+                     ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls
+                     ${RATS_TLS_INSTALL_INCLUDE_PATH}
+                     ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl
+                     )
+    set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH})
+endif()
+
+include_directories(${INCLUDE_DIRS})
+link_directories(${LIBRARY_DIRS})
+
+# Set source file
+set(SOURCES fuzz_negotiate.cc)
+
+# Generate bin file
+if(SGX)
+    set(EDLS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave/sgx_stub.edl)
+    add_untrusted_executable(${PROJECT_NAME}
+                             SRCS ${SOURCES}
+                             UNTRUSTED_LIBS ${DEPEND_UNTRUSTED_LIBS}
+                             EDL ${EDLS}
+                             EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS}
+                             )
+    add_dependencies(${PROJECT_NAME} sgx_stub_enclave-sign)
+else()
+    add_executable(${PROJECT_NAME} ${SOURCES})
+    target_link_libraries(${PROJECT_NAME} rats_tls)
+endif()
+
+install(TARGETS ${PROJECT_NAME}
+	DESTINATION /usr/share/rats-tls/fuzz)
+

fuzz/tls_negotiate/fuzz_negotiate.cc

@@ -0,0 +1,110 @@
+/* Copyright (c) 2021 Intel Corporation
+ * Copyright (c) 2020-2021 Alibaba Cloud
+ *
+ * SPDX-License-Identifier: Apache-2.0
+ */
+
+extern "C"{
+#include <stdint.h>
+#include <stddef.h>
+#include <string.h>
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <netinet/in.h>
+#include <unistd.h>
+#include <arpa/inet.h>
+#include "rats-tls/api.h"
+#include "rats-tls/log.h"
+#include "rats-tls/claim.h"
+#include "internal/core.h"
+#include "internal/crypto_wrapper.h"
+#include "internal/attester.h"
+#include "internal/verifier.h"
+#include "internal/tls_wrapper.h"
+}
+#include <fuzzer/FuzzedDataProvider.h>
+
+#define FUZZ_IP "127.0.0.1"
+#define FUZZ_PORT 1234
+#define CUSTOM_CLAIMS_SIZE 10
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data,size_t size){
+
+    if(size < sizeof(rats_tls_conf_t) + 10 * sizeof(claim_t) + 50 * 10){
+        return 0;
+    }
+    rats_tls_conf_t conf;
+    memcpy(&conf, data, sizeof(conf));
+	conf.log_level = RATS_TLS_LOG_LEVEL_DEFAULT;
+    conf.api_version = 0;
+
+    strcpy(conf.attester_type, "nullattester");
+    strcpy(conf.verifier_type, "nullverifier");
+    strcpy(conf.tls_type, "nulltls");
+    strcpy(conf.crypto_type, "nullcrypto");
+
+	conf.cert_algo = RATS_TLS_CERT_ALGO_DEFAULT;
+    conf.flags = RATS_TLS_CONF_FLAGS_MUTUAL;
+
+    //claim_t custom_claims[2] = {
+		//{ .name = "key_0", .value = (uint8_t *)"value_0", .value_size = sizeof("value_0") },
+		//{ .name = "key_1", .value = (uint8_t *)"value_1", .value_size = sizeof("value_1") },
+	//};
+	//conf.custom_claims = (claim_t *)custom_claims;
+	//conf.custom_claims_length = 2;
+
+    FuzzedDataProvider fuzzed_data(data + sizeof(conf), size - sizeof(conf));
+    claim_t custom_claims[CUSTOM_CLAIMS_SIZE];
+    std::vector<std::string> str_lists;
+    for(int i=0;i<CUSTOM_CLAIMS_SIZE;i++){
+        std::vector<char> vec_str = fuzzed_data.ConsumeBytesWithTerminator(50,'\0');
+        std::string str(vec_str.begin(),vec_str.end());
+        str_lists.push_back(str);
+        custom_claims[i].value = (uint8_t *)str_lists[i].c_str();
+        custom_claims[i].value_size = (strlen(str_lists[i].c_str()) + 1) *sizeof(char);
+
+        if(fuzzed_data.remaining_bytes() <= 0 ){
+            return 0;
+        }
+        custom_claims[i].name = "key";
+
+    }
+    conf.custom_claims = (claim_t *)custom_claims;
+    conf.custom_claims_length = CUSTOM_CLAIMS_SIZE; 
+
+	/* Create a socket that uses an internet IPv4 address,
+	 * Sets the socket to be stream based (TCP),
+	 * 0 means choose the default protocol.
+	 */
+	int sockfd = socket(AF_INET, SOCK_STREAM, 0);
+	if (sockfd < 0) {
+		return 0;
+	}
+
+	struct sockaddr_in s_addr;
+	memset(&s_addr, 0, sizeof(s_addr));
+	s_addr.sin_family = AF_INET;
+	s_addr.sin_port = htons(FUZZ_PORT);
+
+	/* Get the server IPv4 address from the command line call */
+	if (inet_pton(AF_INET, FUZZ_IP, &s_addr.sin_addr) != 1) {
+		return 0;
+	}
+
+	/* Connect to the server */
+	if (connect(sockfd, (struct sockaddr *)&s_addr, sizeof(s_addr)) == -1) {
+		return 0;
+	}
+
+	rats_tls_handle handle;
+	rats_tls_err_t ret = rats_tls_init(&conf, &handle);
+	if (ret != RATS_TLS_ERR_NONE) {
+		return 0;
+	}
+
+    rats_tls_negotiate(handle,sockfd);
+
+
+    return 0;
+
+}