From 566d56c300aff7fe8cc4929d6f3523740527c965 Mon Sep 17 00:00:00 2001 From: chenpengyu Date: Sat, 22 Jul 2023 02:25:30 +0000 Subject: [PATCH] fuzz/*: add fuzz testing for host mode use libfuzz for host mode Signed-off-by: Pengyu Chen --- CMakeLists.txt | 1 + fuzz/CMakeLists.txt | 4 + fuzz/README.md | 22 ++++++ fuzz/tls_init/CMakeLists.txt | 74 +++++++++++++++++ fuzz/tls_init/fuzz_init.cc | 79 +++++++++++++++++++ fuzz/tls_negotiate/CMakeLists.txt | 75 ++++++++++++++++++ fuzz/tls_negotiate/fuzz_negotiate.cc | 110 ++++++++++++++++++++++++++ fuzz/tls_server/CMakeLists.txt | 75 ++++++++++++++++++ fuzz/tls_server/fuzz_server.cc | 114 +++++++++++++++++++++++++++ fuzz/tls_transmit/CMakeLists.txt | 75 ++++++++++++++++++ fuzz/tls_transmit/fuzz_transmit.cc | 114 +++++++++++++++++++++++++++ 11 files changed, 743 insertions(+) create mode 100644 fuzz/CMakeLists.txt create mode 100644 fuzz/README.md create mode 100644 fuzz/tls_init/CMakeLists.txt create mode 100644 fuzz/tls_init/fuzz_init.cc create mode 100644 fuzz/tls_negotiate/CMakeLists.txt create mode 100644 fuzz/tls_negotiate/fuzz_negotiate.cc create mode 100644 fuzz/tls_server/CMakeLists.txt create mode 100644 fuzz/tls_server/fuzz_server.cc create mode 100644 fuzz/tls_transmit/CMakeLists.txt create mode 100644 fuzz/tls_transmit/fuzz_transmit.cc diff --git a/CMakeLists.txt b/CMakeLists.txt index 388a34ff..9abda06f 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -101,6 +101,7 @@ if(BUILD_SAMPLES) message(STATUS "Build Samples: on") add_subdirectory(samples) endif() +add_subdirectory(fuzz) # Uninstall target if(NOT TARGET uninstall) diff --git a/fuzz/CMakeLists.txt b/fuzz/CMakeLists.txt new file mode 100644 index 00000000..de3d568c --- /dev/null +++ b/fuzz/CMakeLists.txt @@ -0,0 +1,4 @@ +add_subdirectory(tls_init) +add_subdirectory(tls_negotiate) +add_subdirectory(tls_server) +add_subdirectory(tls_transmit) \ No newline at end of file diff --git a/fuzz/README.md b/fuzz/README.md new file mode 100644 index 00000000..88bd1487 --- /dev/null +++ b/fuzz/README.md @@ -0,0 +1,22 @@ +## build +just use cmake to build in the host mode, and you would see fuzz in `/usr/share/rats-tls/fuzz` + ++ tls_init +to fuzz `rats_tls_init()`, we use random input `* data` to fill the `conf`, and set value to part of the `conf` in order to run `rats_tls_init()` more frequently +> cd /usr/share/rats-tls/fuzz/ +> ./fuzz_init -max_len=1000 + + ++ tls_negotiate +start the `/usr/share/rats_tls/fuzz/fuzz_server` first, then use `tls_negotiate` to connect to server and fuzz the `rats_tls_negotiate()` API + +> cd /usr/share/rats_tls/fuzz/ +> ./fuzz_server & +> ./fuzz_negotiate -max_len=3000 + + ++ tls_transmit/recv/clean_up +we synthesis the 3 sequential API in one program, start the `/usr/share/rats_tls/fuzz/fuzz_server` first, then use `tls_transmit` to connect to server and fuzz the `rats_tls_transmit()` and `rats_tls_recv()`,`rats_tls_cleanup` APIs by sending ramdom string and receiving the same response +> cd /usr/share/rats_tls/fuzz/ +> ./fuzz_server & +> ./fuzz_transmit -max_len=3000 \ No newline at end of file diff --git a/fuzz/tls_init/CMakeLists.txt b/fuzz/tls_init/CMakeLists.txt new file mode 100644 index 00000000..1a2ff9e7 --- /dev/null +++ b/fuzz/tls_init/CMakeLists.txt @@ -0,0 +1,74 @@ +project(fuzz_init CXX) + +if(NOT SGX) + #set(CMAKE_C_FLAGS "-fPIE ${CMAKE_C_FLAGS}") + set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) + set(CMAKE_CXX_COMPILER "/usr/bin/clang++") + set(CMAKE_CXX_FLAGS "-g -fsanitize=address,fuzzer ${CMAKE_CXX_FLAGS}") + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}") +endif() + +if(SGX) + list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake") + include(CustomInstallDirs) + include(FindRatsTls) + if(NOT RATS_TLS_FOUND) + message(FATAL_ERROR "Failed to find rats_tls!") + endif() + + include(FindSGX) + if(NOT SGX_FOUND) + message(FATAL_ERROR "Failed to find sgx!") + endif() + + include(CompilerOptions) + include(SGXCommon) + + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ) + list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/sgx/untrust + ${CMAKE_BINARY_DIR}/samples/sgx-stub-enclave + ) + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(DEPEND_UNTRUSTED_LIBS ${CMAKE_BINARY_DIR}/src/sgx/untrust/librats_tls_u.a) + +else() + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ${RATS_TLS_INSTALL_INCLUDE_PATH} + ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl + ) + set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) +endif() + +include_directories(${INCLUDE_DIRS}) +link_directories(${LIBRARY_DIRS}) + +# Set source file +set(SOURCES fuzz_init.cc) + +# Generate bin file +if(SGX) + set(EDLS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave/sgx_stub.edl) + add_untrusted_executable(${PROJECT_NAME} + SRCS ${SOURCES} + UNTRUSTED_LIBS ${DEPEND_UNTRUSTED_LIBS} + EDL ${EDLS} + EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS} + ) + add_dependencies(${PROJECT_NAME} sgx_stub_enclave-sign) +else() + add_executable(${PROJECT_NAME} ${SOURCES}) + target_link_libraries(${PROJECT_NAME} rats_tls) +endif() + +install(TARGETS ${PROJECT_NAME} + DESTINATION /usr/share/rats-tls/fuzz) diff --git a/fuzz/tls_init/fuzz_init.cc b/fuzz/tls_init/fuzz_init.cc new file mode 100644 index 00000000..56b3703d --- /dev/null +++ b/fuzz/tls_init/fuzz_init.cc @@ -0,0 +1,79 @@ +/* Copyright (c) 2021 Intel Corporation + * Copyright (c) 2020-2021 Alibaba Cloud + * + * SPDX-License-Identifier: Apache-2.0 + */ +extern "C"{ +#include +#include +#include +#include "rats-tls/api.h" +#include "rats-tls/log.h" +#include "rats-tls/claim.h" +#include "internal/core.h" +} +#include +#include + +#define CUSTOM_CLAIMS_SIZE 10 +using namespace std; + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data,size_t size){ + rats_tls_conf_t conf; // consume 192 bytes + // conf | claim_array | random char * in claim_array + if(size < sizeof(rats_tls_conf_t) + 10 * sizeof(claim_t) + 50 * 10){ + return 0; + } + memcpy(&conf, data, sizeof(conf)); + conf.log_level = RATS_TLS_LOG_LEVEL_DEFAULT; + conf.api_version = 0; + + /*fuzz log level*/ + /*fuzz round could not be too huge, that leads to unexpected log_level*/ + strcpy(conf.attester_type, "nullattester"); + strcpy(conf.verifier_type, "nullverifier"); + strcpy(conf.tls_type, "nulltls"); + strcpy(conf.crypto_type, "nullcrypto"); + + conf.cert_algo = RATS_TLS_CERT_ALGO_DEFAULT; + conf.flags = RATS_TLS_CONF_FLAGS_MUTUAL; + + FuzzedDataProvider fuzzed_data(data + sizeof(conf), size - sizeof(conf)); + claim_t custom_claims[CUSTOM_CLAIMS_SIZE]; + std::vector str_lists; + for(int i=0;i vec_str = fuzzed_data.ConsumeBytesWithTerminator(50,'\0'); + std::string str(vec_str.begin(),vec_str.end()); + str_lists.push_back(str); + custom_claims[i].value = (uint8_t *)str_lists[i].c_str(); + //custom_claims[i].value_size = 51; // \0 also need 1 byte + custom_claims[i].value_size = (strlen(str_lists[i].c_str()) + 1) *sizeof(char); + /* + there exist a question, when I use strlen(str) to get + the size of used byte, Fuzzer warn I trigger `heap-use-after-free` + here, so I use a const number to assign to the value_size + */ + if(fuzzed_data.remaining_bytes() <= 0 ){ + return 0; + } + custom_claims[i].name = "key"; + + } + conf.custom_claims = (claim_t *)custom_claims; + conf.custom_claims_length = CUSTOM_CLAIMS_SIZE; + + //claim_t custom_claims[2] = { + //{ .name = "key_0", .value = (uint8_t *)"value_0", .value_size = sizeof("value_0") }, + //{ .name = "key_1", .value = (uint8_t *)"value_1", .value_size = sizeof("value_1") }, + //}; + //conf.custom_claims = (claim_t *)custom_claims; + //conf.custom_claims_length = 2; + + rats_tls_handle handle; + rats_tls_err_t err = rats_tls_init(&conf,&handle); + return 0; + + +} \ No newline at end of file diff --git a/fuzz/tls_negotiate/CMakeLists.txt b/fuzz/tls_negotiate/CMakeLists.txt new file mode 100644 index 00000000..c261066c --- /dev/null +++ b/fuzz/tls_negotiate/CMakeLists.txt @@ -0,0 +1,75 @@ +project(fuzz_negotiate CXX) + +if(NOT SGX) + #set(CMAKE_C_FLAGS "-fPIE ${CMAKE_C_FLAGS}") + set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) + set(CMAKE_CXX_COMPILER "/usr/bin/clang++") + set(CMAKE_CXX_FLAGS "-g -fsanitize=address,fuzzer ${CMAKE_CXX_FLAGS}") + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}") +endif() + +if(SGX) + list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake") + include(CustomInstallDirs) + include(FindRatsTls) + if(NOT RATS_TLS_FOUND) + message(FATAL_ERROR "Failed to find rats_tls!") + endif() + + include(FindSGX) + if(NOT SGX_FOUND) + message(FATAL_ERROR "Failed to find sgx!") + endif() + + include(CompilerOptions) + include(SGXCommon) + + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ) + list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/sgx/untrust + ${CMAKE_BINARY_DIR}/samples/sgx-stub-enclave + ) + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(DEPEND_UNTRUSTED_LIBS ${CMAKE_BINARY_DIR}/src/sgx/untrust/librats_tls_u.a) + +else() + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ${RATS_TLS_INSTALL_INCLUDE_PATH} + ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl + ) + set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) +endif() + +include_directories(${INCLUDE_DIRS}) +link_directories(${LIBRARY_DIRS}) + +# Set source file +set(SOURCES fuzz_negotiate.cc) + +# Generate bin file +if(SGX) + set(EDLS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave/sgx_stub.edl) + add_untrusted_executable(${PROJECT_NAME} + SRCS ${SOURCES} + UNTRUSTED_LIBS ${DEPEND_UNTRUSTED_LIBS} + EDL ${EDLS} + EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS} + ) + add_dependencies(${PROJECT_NAME} sgx_stub_enclave-sign) +else() + add_executable(${PROJECT_NAME} ${SOURCES}) + target_link_libraries(${PROJECT_NAME} rats_tls) +endif() + +install(TARGETS ${PROJECT_NAME} + DESTINATION /usr/share/rats-tls/fuzz) + diff --git a/fuzz/tls_negotiate/fuzz_negotiate.cc b/fuzz/tls_negotiate/fuzz_negotiate.cc new file mode 100644 index 00000000..e723614b --- /dev/null +++ b/fuzz/tls_negotiate/fuzz_negotiate.cc @@ -0,0 +1,110 @@ +/* Copyright (c) 2021 Intel Corporation + * Copyright (c) 2020-2021 Alibaba Cloud + * + * SPDX-License-Identifier: Apache-2.0 + */ + +extern "C"{ +#include +#include +#include +#include +#include +#include +#include +#include +#include "rats-tls/api.h" +#include "rats-tls/log.h" +#include "rats-tls/claim.h" +#include "internal/core.h" +#include "internal/crypto_wrapper.h" +#include "internal/attester.h" +#include "internal/verifier.h" +#include "internal/tls_wrapper.h" +} +#include + +#define FUZZ_IP "127.0.0.1" +#define FUZZ_PORT 1234 +#define CUSTOM_CLAIMS_SIZE 10 + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data,size_t size){ + + if(size < sizeof(rats_tls_conf_t) + 10 * sizeof(claim_t) + 50 * 10){ + return 0; + } + rats_tls_conf_t conf; + memcpy(&conf, data, sizeof(conf)); + conf.log_level = RATS_TLS_LOG_LEVEL_DEFAULT; + conf.api_version = 0; + + strcpy(conf.attester_type, "nullattester"); + strcpy(conf.verifier_type, "nullverifier"); + strcpy(conf.tls_type, "nulltls"); + strcpy(conf.crypto_type, "nullcrypto"); + + conf.cert_algo = RATS_TLS_CERT_ALGO_DEFAULT; + conf.flags = RATS_TLS_CONF_FLAGS_MUTUAL; + + //claim_t custom_claims[2] = { + //{ .name = "key_0", .value = (uint8_t *)"value_0", .value_size = sizeof("value_0") }, + //{ .name = "key_1", .value = (uint8_t *)"value_1", .value_size = sizeof("value_1") }, + //}; + //conf.custom_claims = (claim_t *)custom_claims; + //conf.custom_claims_length = 2; + + FuzzedDataProvider fuzzed_data(data + sizeof(conf), size - sizeof(conf)); + claim_t custom_claims[CUSTOM_CLAIMS_SIZE]; + std::vector str_lists; + for(int i=0;i vec_str = fuzzed_data.ConsumeBytesWithTerminator(50,'\0'); + std::string str(vec_str.begin(),vec_str.end()); + str_lists.push_back(str); + custom_claims[i].value = (uint8_t *)str_lists[i].c_str(); + custom_claims[i].value_size = (strlen(str_lists[i].c_str()) + 1) *sizeof(char); + + if(fuzzed_data.remaining_bytes() <= 0 ){ + return 0; + } + custom_claims[i].name = "key"; + + } + conf.custom_claims = (claim_t *)custom_claims; + conf.custom_claims_length = CUSTOM_CLAIMS_SIZE; + + /* Create a socket that uses an internet IPv4 address, + * Sets the socket to be stream based (TCP), + * 0 means choose the default protocol. + */ + int sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd < 0) { + return 0; + } + + struct sockaddr_in s_addr; + memset(&s_addr, 0, sizeof(s_addr)); + s_addr.sin_family = AF_INET; + s_addr.sin_port = htons(FUZZ_PORT); + + /* Get the server IPv4 address from the command line call */ + if (inet_pton(AF_INET, FUZZ_IP, &s_addr.sin_addr) != 1) { + return 0; + } + + /* Connect to the server */ + if (connect(sockfd, (struct sockaddr *)&s_addr, sizeof(s_addr)) == -1) { + return 0; + } + + rats_tls_handle handle; + rats_tls_err_t ret = rats_tls_init(&conf, &handle); + if (ret != RATS_TLS_ERR_NONE) { + return 0; + } + + rats_tls_negotiate(handle,sockfd); + + + return 0; + +} \ No newline at end of file diff --git a/fuzz/tls_server/CMakeLists.txt b/fuzz/tls_server/CMakeLists.txt new file mode 100644 index 00000000..a364cc50 --- /dev/null +++ b/fuzz/tls_server/CMakeLists.txt @@ -0,0 +1,75 @@ +project(fuzz_server CXX) + +if(NOT SGX) + #set(CMAKE_C_FLAGS "-fPIE ${CMAKE_C_FLAGS}") + set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) + set(CMAKE_CXX_COMPILER "/usr/bin/clang++") + #set(CMAKE_CXX_FLAGS "-g -fsanitize=address,fuzzer ${CMAKE_CXX_FLAGS}") + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}") +endif() + +if(SGX) + list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake") + include(CustomInstallDirs) + include(FindRatsTls) + if(NOT RATS_TLS_FOUND) + message(FATAL_ERROR "Failed to find rats_tls!") + endif() + + include(FindSGX) + if(NOT SGX_FOUND) + message(FATAL_ERROR "Failed to find sgx!") + endif() + + include(CompilerOptions) + include(SGXCommon) + + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ) + list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/sgx/untrust + ${CMAKE_BINARY_DIR}/samples/sgx-stub-enclave + ) + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(DEPEND_UNTRUSTED_LIBS ${CMAKE_BINARY_DIR}/src/sgx/untrust/librats_tls_u.a) + +else() + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ${RATS_TLS_INSTALL_INCLUDE_PATH} + ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl + ) + set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) +endif() + +include_directories(${INCLUDE_DIRS}) +link_directories(${LIBRARY_DIRS}) + +# Set source file +set(SOURCES fuzz_server.cc) + +# Generate bin file +if(SGX) + set(EDLS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave/sgx_stub.edl) + add_untrusted_executable(${PROJECT_NAME} + SRCS ${SOURCES} + UNTRUSTED_LIBS ${DEPEND_UNTRUSTED_LIBS} + EDL ${EDLS} + EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS} + ) + add_dependencies(${PROJECT_NAME} sgx_stub_enclave-sign) +else() + add_executable(${PROJECT_NAME} ${SOURCES}) + target_link_libraries(${PROJECT_NAME} rats_tls) +endif() + +install(TARGETS ${PROJECT_NAME} + DESTINATION /usr/share/rats-tls/fuzz) + diff --git a/fuzz/tls_server/fuzz_server.cc b/fuzz/tls_server/fuzz_server.cc new file mode 100644 index 00000000..d63dd486 --- /dev/null +++ b/fuzz/tls_server/fuzz_server.cc @@ -0,0 +1,114 @@ +/* Copyright (c) 2021 Intel Corporation + * Copyright (c) 2020-2021 Alibaba Cloud + * + * SPDX-License-Identifier: Apache-2.0 + */ + +extern "C"{ +#include +#include +#include +#include +#include +#include +#include +#include +#include "rats-tls/api.h" +#include "rats-tls/log.h" +#include "rats-tls/claim.h" +#include "internal/core.h" +#include "internal/crypto_wrapper.h" +#include "internal/attester.h" +#include "internal/verifier.h" +#include "internal/tls_wrapper.h" + +} +#define FUZZ_IP "127.0.0.1" +#define FUZZ_PORT 1234 +#define TRANS + +int main(){ + rats_tls_conf_t conf; + + memset(&conf, 0, sizeof(conf)); + conf.log_level = RATS_TLS_LOG_LEVEL_INFO; + strcpy(conf.attester_type, "nullattester"); + strcpy(conf.verifier_type, "nullverifier"); + strcpy(conf.tls_type, "nulltls"); + strcpy(conf.crypto_type, "nullcrypto"); + + /* Optional: Set some user-defined custom claims, which will be embedded in the certificate. */ + claim_t custom_claims[2] = { + { .name = "key_0", .value = (uint8_t *)"value_0", .value_size = sizeof("value_0") }, + { .name = "key_1", .value = (uint8_t *)"value_1", .value_size = sizeof("value_1") }, + }; + conf.custom_claims = (claim_t *)custom_claims; + conf.custom_claims_length = 2; + + conf.cert_algo = RATS_TLS_CERT_ALGO_DEFAULT; + conf.flags |= RATS_TLS_CONF_FLAGS_SERVER; + + int sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd < 0) { + return -1; + } + + struct sockaddr_in s_addr; + memset(&s_addr, 0, sizeof(s_addr)); + s_addr.sin_family = AF_INET; + s_addr.sin_addr.s_addr = inet_addr(FUZZ_IP); + s_addr.sin_port = htons(FUZZ_PORT); + + /* Bind the server socket */ + if (bind(sockfd, (struct sockaddr *)&s_addr, sizeof(s_addr)) == -1) { + return -1; + } + + /* Listen for a new connection, allow 5 pending connections */ + if (listen(sockfd, 5) == -1) { + return -1; + } + + rats_tls_handle handle; + rats_tls_err_t ret = rats_tls_init(&conf, &handle); + if (ret != RATS_TLS_ERR_NONE) { + return -1; + } + + ret = rats_tls_set_verification_callback(&handle, NULL); + if (ret != RATS_TLS_ERR_NONE) { + return -1; + } + + RTLS_INFO("waiting for socket connection\n"); + while (1) { + /* Accept client connections */ + struct sockaddr_in c_addr; + socklen_t size = sizeof(c_addr); + + int connd = accept(sockfd, (struct sockaddr *)&c_addr, &size); + if (connd < 0) { + exit(0); + } + RTLS_INFO("receive socket connection\n"); + + ret = rats_tls_negotiate(handle, connd); + if (ret != RATS_TLS_ERR_NONE) { + continue; + } + char buf[256]; + memset(buf,0,sizeof(buf)); + size_t len = sizeof(buf); + ret = rats_tls_receive(handle, buf, &len); + if (ret != RATS_TLS_ERR_NONE) { + continue; + } + RTLS_INFO("Receive successfully, the str is %s\n",buf); + ret = rats_tls_transmit(handle, buf, &len); + if (ret != RATS_TLS_ERR_NONE) { + continue; + } + + close(connd); + } +} \ No newline at end of file diff --git a/fuzz/tls_transmit/CMakeLists.txt b/fuzz/tls_transmit/CMakeLists.txt new file mode 100644 index 00000000..fc1647e3 --- /dev/null +++ b/fuzz/tls_transmit/CMakeLists.txt @@ -0,0 +1,75 @@ +project(fuzz_transmit CXX) + +if(NOT SGX) + #set(CMAKE_C_FLAGS "-fPIE ${CMAKE_C_FLAGS}") + set(CMAKE_C_FLAGS ${CMAKE_C_FLAGS}) + set(CMAKE_CXX_COMPILER "/usr/bin/clang++") + set(CMAKE_CXX_FLAGS "-g -fsanitize=address,fuzzer ${CMAKE_CXX_FLAGS}") + set(CMAKE_EXE_LINKER_FLAGS "${CMAKE_EXE_LINKER_FLAGS}") +endif() + +if(SGX) + list(APPEND CMAKE_MODULE_PATH "${CMAKE_CURRENT_SOURCE_DIR}/cmake") + include(CustomInstallDirs) + include(FindRatsTls) + if(NOT RATS_TLS_FOUND) + message(FATAL_ERROR "Failed to find rats_tls!") + endif() + + include(FindSGX) + if(NOT SGX_FOUND) + message(FATAL_ERROR "Failed to find sgx!") + endif() + + include(CompilerOptions) + include(SGXCommon) + + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ) + list(APPEND LIBRARY_DIRS ${CMAKE_BINARY_DIR}/src/sgx/untrust + ${CMAKE_BINARY_DIR}/samples/sgx-stub-enclave + ) + set(EDL_SEARCH_PATHS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ) + set(DEPEND_UNTRUSTED_LIBS ${CMAKE_BINARY_DIR}/src/sgx/untrust/librats_tls_u.a) + +else() + set(INCLUDE_DIRS ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/edl + ${CMAKE_CURRENT_SOURCE_DIR}/../../src/include/rats-tls + ${RATS_TLS_INSTALL_INCLUDE_PATH} + ${RATS_TLS_INSTALL_INCLUDE_PATH}/edl + ) + set(LIBRARY_DIRS ${RATS_TLS_INSTALL_LIB_PATH}) +endif() + +include_directories(${INCLUDE_DIRS}) +link_directories(${LIBRARY_DIRS}) + +# Set source file +set(SOURCES fuzz_transmit.cc) + +# Generate bin file +if(SGX) + set(EDLS ${CMAKE_CURRENT_SOURCE_DIR}/../sgx-stub-enclave/sgx_stub.edl) + add_untrusted_executable(${PROJECT_NAME} + SRCS ${SOURCES} + UNTRUSTED_LIBS ${DEPEND_UNTRUSTED_LIBS} + EDL ${EDLS} + EDL_SEARCH_PATHS ${EDL_SEARCH_PATHS} + ) + add_dependencies(${PROJECT_NAME} sgx_stub_enclave-sign) +else() + add_executable(${PROJECT_NAME} ${SOURCES}) + target_link_libraries(${PROJECT_NAME} rats_tls) +endif() + +install(TARGETS ${PROJECT_NAME} + DESTINATION /usr/share/rats-tls/fuzz) + diff --git a/fuzz/tls_transmit/fuzz_transmit.cc b/fuzz/tls_transmit/fuzz_transmit.cc new file mode 100644 index 00000000..9eeca561 --- /dev/null +++ b/fuzz/tls_transmit/fuzz_transmit.cc @@ -0,0 +1,114 @@ +/* Copyright (c) 2021 Intel Corporation + * Copyright (c) 2020-2021 Alibaba Cloud + * + * SPDX-License-Identifier: Apache-2.0 + */ + +extern "C"{ +#include +#include +#include +#include +#include +#include +#include +#include +#include "rats-tls/api.h" +#include "rats-tls/log.h" +#include "rats-tls/claim.h" + +} +#include +#define FUZZ_IP "127.0.0.1" +#define FUZZ_PORT 1234 +#define TRANS + +extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data,size_t size){ + + if(size < sizeof(rats_tls_conf_t) + 100){ + return 0; + } + rats_tls_conf_t conf; + memcpy(&conf, data, sizeof(conf)); + conf.log_level = RATS_TLS_LOG_LEVEL_DEFAULT; + conf.api_version = 0; + strcpy(conf.attester_type, "nullattester"); + strcpy(conf.verifier_type, "nullverifier"); + strcpy(conf.tls_type, "nulltls"); + strcpy(conf.crypto_type, "nullcrypto"); + conf.cert_algo = RATS_TLS_CERT_ALGO_DEFAULT; + conf.flags = RATS_TLS_CONF_FLAGS_MUTUAL; + + claim_t custom_claims[2] = { + { .name = "key_0", .value = (uint8_t *)"value_0", .value_size = sizeof("value_0") }, + { .name = "key_1", .value = (uint8_t *)"value_1", .value_size = sizeof("value_1") }, + }; + conf.custom_claims = (claim_t *)custom_claims; + conf.custom_claims_length = 2; + + /* Create a socket that uses an internet IPv4 address, + * Sets the socket to be stream based (TCP), + * 0 means choose the default protocol. + */ + int sockfd = socket(AF_INET, SOCK_STREAM, 0); + if (sockfd < 0) { + RTLS_ERR("failed to call socket()\n"); + return 0; + } + + struct sockaddr_in s_addr; + memset(&s_addr, 0, sizeof(s_addr)); + s_addr.sin_family = AF_INET; + s_addr.sin_port = htons(FUZZ_PORT); + + /* Get the server IPv4 address from the command line call */ + if (inet_pton(AF_INET, FUZZ_IP, &s_addr.sin_addr) != 1) { + return 0; + } + + /* Connect to the server */ + if (connect(sockfd, (struct sockaddr *)&s_addr, sizeof(s_addr)) == -1) { + return 0; + } + + rats_tls_handle handle; + rats_tls_err_t ret = rats_tls_init(&conf, &handle); + if (ret != RATS_TLS_ERR_NONE) { + return 0; + } + + ret = rats_tls_set_verification_callback(&handle, NULL); + if (ret != RATS_TLS_ERR_NONE) { + return 0; + } + + + rats_tls_negotiate(handle,sockfd); + FuzzedDataProvider fuzzed_data(data + sizeof(conf), size - sizeof(conf)); + //const char * msg = fuzzed_data.ConsumeBytesAsString(50).c_str(); + std::vector vec_str = fuzzed_data.ConsumeBytesWithTerminator(50,'\0'); + if(fuzzed_data.remaining_bytes() < 0){ + return 0; + } + const char * msg = vec_str.data(); + size_t len = strlen(msg); + ret = rats_tls_transmit(handle, (void *)msg, &len); + if (ret != RATS_TLS_ERR_NONE) { + return 0; + } + + char buf[256]; + len = sizeof(buf); + ret = rats_tls_receive(handle, buf, &len); + if (ret != RATS_TLS_ERR_NONE) { + return 0; + } + ret = rats_tls_cleanup(handle); + if (ret != RATS_TLS_ERR_NONE){ + return 0; + } + + + return 0; + +} \ No newline at end of file