Add a fuzzer for ssl server side

author: yang-g <yangg@google.com> 2016-11-04 15:10:03 -0700
committer: yang-g <yangg@google.com> 2016-11-04 15:10:03 -0700
commit: 31e212857106b5e366f3ad1903d95383d0ed489f (patch)
tree: a7554edbe9842256e891b9c63c7a5f661e4f06aa
parent: 3b476d4d3e6db2bb418c6fc483a6fcbcd04f2040 (diff)
5 files changed, 316 insertions, 0 deletions
diff --git a/Makefile b/Makefile
index de8a26283b..cb7658d8cc 100644
--- a/Makefile
+++ b/Makefile
@@ -1019,6 +1019,7 @@ set_initial_connect_string_test: $(BINDIR)/$(CONFIG)/set_initial_connect_string_
 sockaddr_resolver_test: $(BINDIR)/$(CONFIG)/sockaddr_resolver_test
 sockaddr_utils_test: $(BINDIR)/$(CONFIG)/sockaddr_utils_test
 socket_utils_test: $(BINDIR)/$(CONFIG)/socket_utils_test
+ssl_server_fuzzer: $(BINDIR)/$(CONFIG)/ssl_server_fuzzer
 tcp_client_posix_test: $(BINDIR)/$(CONFIG)/tcp_client_posix_test
 tcp_posix_test: $(BINDIR)/$(CONFIG)/tcp_posix_test
 tcp_server_posix_test: $(BINDIR)/$(CONFIG)/tcp_server_posix_test
@@ -1183,6 +1184,7 @@ nanopb_fuzzer_serverlist_test_one_entry: $(BINDIR)/$(CONFIG)/nanopb_fuzzer_serve
 percent_decode_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/percent_decode_fuzzer_one_entry
 percent_encode_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/percent_encode_fuzzer_one_entry
 server_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/server_fuzzer_one_entry
+ssl_server_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/ssl_server_fuzzer_one_entry
 uri_fuzzer_test_one_entry: $(BINDIR)/$(CONFIG)/uri_fuzzer_test_one_entry
 
 run_dep_checks:
@@ -1411,6 +1413,7 @@ buildtests_c: privatelibs_c \
   $(BINDIR)/$(CONFIG)/percent_decode_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/percent_encode_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/server_fuzzer_one_entry \
+  $(BINDIR)/$(CONFIG)/ssl_server_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/uri_fuzzer_test_one_entry \
 
 
@@ -10779,6 +10782,38 @@ endif
 endif
 
 
+SSL_SERVER_FUZZER_SRC = \
+    test/core/security/ssl_server_fuzzer.c \
+
+SSL_SERVER_FUZZER_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(SSL_SERVER_FUZZER_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/ssl_server_fuzzer: openssl_dep_error
+
+else
+
+
+
+$(BINDIR)/$(CONFIG)/ssl_server_fuzzer: $(SSL_SERVER_FUZZER_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LDXX) $(LDFLAGS) $(SSL_SERVER_FUZZER_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -lFuzzer -o $(BINDIR)/$(CONFIG)/ssl_server_fuzzer
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/security/ssl_server_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_ssl_server_fuzzer: $(SSL_SERVER_FUZZER_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(SSL_SERVER_FUZZER_OBJS:.o=.dep)
+endif
+endif
+
+
 TCP_CLIENT_POSIX_TEST_SRC = \
     test/core/iomgr/tcp_client_posix_test.c \
 
@@ -16225,6 +16260,41 @@ endif
 endif
 
 
+SSL_SERVER_FUZZER_ONE_ENTRY_SRC = \
+    test/core/security/ssl_server_fuzzer.c \
+    test/core/util/one_corpus_entry_fuzzer.c \
+
+SSL_SERVER_FUZZER_ONE_ENTRY_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(SSL_SERVER_FUZZER_ONE_ENTRY_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/ssl_server_fuzzer_one_entry: openssl_dep_error
+
+else
+
+
+
+$(BINDIR)/$(CONFIG)/ssl_server_fuzzer_one_entry: $(SSL_SERVER_FUZZER_ONE_ENTRY_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LD) $(LDFLAGS) $(SSL_SERVER_FUZZER_ONE_ENTRY_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -o $(BINDIR)/$(CONFIG)/ssl_server_fuzzer_one_entry
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/security/ssl_server_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+$(OBJDIR)/$(CONFIG)/test/core/util/one_corpus_entry_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_ssl_server_fuzzer_one_entry: $(SSL_SERVER_FUZZER_ONE_ENTRY_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(SSL_SERVER_FUZZER_ONE_ENTRY_OBJS:.o=.dep)
+endif
+endif
+
+
 URI_FUZZER_TEST_ONE_ENTRY_SRC = \
     test/core/client_channel/uri_fuzzer_test.c \
     test/core/util/one_corpus_entry_fuzzer.c \
diff --git a/build.yaml b/build.yaml
index a5b811e800..059a2b315d 100644
--- a/build.yaml
+++ b/build.yaml
@@ -2554,6 +2554,19 @@ targets:
   - mac
   - linux
   - posix
+- name: ssl_server_fuzzer
+  build: fuzzer
+  language: c
+  src:
+  - test/core/security/ssl_server_fuzzer.c
+  deps:
+  - grpc_test_util
+  - grpc
+  - gpr_test_util
+  - gpr
+  corpus_dirs:
+  - test/core/security/corpus/ssl_server_corpus
+  maxlen: 2048
 - name: tcp_client_posix_test
   cpu_cost: 0.5
   build: test
diff --git a/test/core/security/ssl_server_fuzzer.c b/test/core/security/ssl_server_fuzzer.c
new file mode 100644
index 0000000000..7723a67ff5
--- /dev/null
+++ b/test/core/security/ssl_server_fuzzer.c
@@ -0,0 +1,154 @@
+/*
+ *
+ * Copyright 2016, Google Inc.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions are
+ * met:
+ *
+ *     * Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ *     * Redistributions in binary form must reproduce the above
+ * copyright notice, this list of conditions and the following disclaimer
+ * in the documentation and/or other materials provided with the
+ * distribution.
+ *     * Neither the name of Google Inc. nor the names of its
+ * contributors may be used to endorse or promote products derived from
+ * this software without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+ * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+ * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+ * A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+ * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+ * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+ * OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <grpc/grpc.h>
+#include <grpc/grpc_security.h>
+#include <grpc/support/log.h>
+
+#include "src/core/lib/iomgr/load_file.h"
+#include "src/core/lib/security/credentials/credentials.h"
+#include "src/core/lib/security/transport/security_connector.h"
+#include "test/core/util/memory_counters.h"
+#include "test/core/util/mock_endpoint.h"
+
+bool squelch = true;
+// ssl has an array of global gpr_mu's that are never released.
+// Turning this on will fail the leak check.
+bool leak_check = false;
+
+#define SSL_CERT_PATH "src/core/lib/tsi/test_creds/server1.pem"
+#define SSL_KEY_PATH "src/core/lib/tsi/test_creds/server1.key"
+#define SSL_CA_PATH "src/core/lib/tsi/test_creds/ca.pem"
+
+static void discard_write(gpr_slice slice) {}
+
+static void dont_log(gpr_log_func_args *args) {}
+
+struct handshake_state {
+  bool done_callback_called;
+};
+
+static void on_secure_handshake_done(grpc_exec_ctx *exec_ctx, void *statep,
+                                     grpc_security_status status,
+                                     grpc_endpoint *secure_endpoint,
+                                     grpc_auth_context *auth_context) {
+  struct handshake_state *state = (struct handshake_state *)statep;
+  GPR_ASSERT(state->done_callback_called == false);
+  state->done_callback_called = true;
+  // The fuzzer should not pass the handshake.
+  GPR_ASSERT(status != GRPC_SECURITY_OK);
+  GPR_ASSERT(secure_endpoint == NULL);
+  GPR_ASSERT(auth_context == NULL);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+  struct grpc_memory_counters counters;
+  if (squelch) gpr_set_log_function(dont_log);
+  if (leak_check) grpc_memory_counters_init();
+  grpc_init();
+  grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+
+  grpc_resource_quota *resource_quota =
+      grpc_resource_quota_create("ssl_server_fuzzer");
+  grpc_endpoint *mock_endpoint =
+      grpc_mock_endpoint_create(discard_write, resource_quota);
+  grpc_resource_quota_internal_unref(&exec_ctx, resource_quota);
+
+  grpc_mock_endpoint_put_read(
+      &exec_ctx, mock_endpoint,
+      gpr_slice_from_copied_buffer((const char *)data, size));
+
+  // Load key pair and establish server SSL credentials.
+  grpc_ssl_pem_key_cert_pair pem_key_cert_pair;
+  gpr_slice ca_slice, cert_slice, key_slice;
+  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
+                               grpc_load_file(SSL_CA_PATH, 1, &ca_slice)));
+  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
+                               grpc_load_file(SSL_CERT_PATH, 1, &cert_slice)));
+  GPR_ASSERT(GRPC_LOG_IF_ERROR("load_file",
+                               grpc_load_file(SSL_KEY_PATH, 1, &key_slice)));
+  const char *ca_cert = (const char *)GPR_SLICE_START_PTR(ca_slice);
+  pem_key_cert_pair.private_key = (const char *)GPR_SLICE_START_PTR(key_slice);
+  pem_key_cert_pair.cert_chain = (const char *)GPR_SLICE_START_PTR(cert_slice);
+  grpc_server_credentials *creds = grpc_ssl_server_credentials_create(
+      ca_cert, &pem_key_cert_pair, 1, 0, NULL);
+
+  // Create security connector
+  grpc_server_security_connector *sc = NULL;
+  grpc_security_status status =
+      grpc_server_credentials_create_security_connector(creds, &sc);
+  GPR_ASSERT(status == GRPC_SECURITY_OK);
+  sc->channel_args = NULL;
+  gpr_timespec deadline = gpr_time_add(
+              gpr_now(GPR_CLOCK_MONOTONIC),
+              gpr_time_from_seconds(1, GPR_TIMESPAN));
+
+  struct handshake_state state;
+  state.done_callback_called = false;
+  grpc_server_security_connector_do_handshake(
+      &exec_ctx, sc, NULL, mock_endpoint, NULL, deadline,
+      on_secure_handshake_done, &state);
+  grpc_exec_ctx_flush(&exec_ctx);
+
+  bool mock_endpoint_shutdown = false;
+  // If the given string happens to be part of the correct client hello, the
+  // server will wait for more data. Explicitly fail the server by shutting down
+  // the endpoint.
+  if (!state.done_callback_called) {
+    mock_endpoint_shutdown = true;
+    grpc_endpoint_shutdown(&exec_ctx, mock_endpoint);
+    grpc_exec_ctx_flush(&exec_ctx);
+  }
+
+  GPR_ASSERT(state.done_callback_called);
+
+  GRPC_SECURITY_CONNECTOR_UNREF(&sc->base, "test");
+  grpc_server_credentials_release(creds);
+  gpr_slice_unref(cert_slice);
+  gpr_slice_unref(key_slice);
+  gpr_slice_unref(ca_slice);
+  // grpc_endpoint_destroy has been called in handshake failure handling code.
+  if (!mock_endpoint_shutdown) {
+    grpc_endpoint_shutdown(&exec_ctx, mock_endpoint);
+    grpc_exec_ctx_flush(&exec_ctx);
+  }
+  grpc_exec_ctx_flush(&exec_ctx);
+
+  grpc_shutdown();
+  if (leak_check) {
+    counters = grpc_memory_counters_snapshot();
+    grpc_memory_counters_destroy();
+    GPR_ASSERT(counters.total_size_relative == 0);
+  }
+  return 0;
+}
diff --git a/tools/fuzzer/runners/ssl_server_fuzzer.sh b/tools/fuzzer/runners/ssl_server_fuzzer.sh
new file mode 100644
index 0000000000..23aef992e0
--- /dev/null
+++ b/tools/fuzzer/runners/ssl_server_fuzzer.sh
@@ -0,0 +1,44 @@
+#!/bin/bash
+# Copyright 2016, Google Inc.
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions are
+# met:
+#
+#     * Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+#     * Redistributions in binary form must reproduce the above
+# copyright notice, this list of conditions and the following disclaimer
+# in the documentation and/or other materials provided with the
+# distribution.
+#     * Neither the name of Google Inc. nor the names of its
+# contributors may be used to endorse or promote products derived from
+# this software without specific prior written permission.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+# A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+# OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+# LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+# OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+#
+
+flags="-max_total_time=$runtime -artifact_prefix=fuzzer_output/ -max_len=2048 -timeout=120"
+
+if [ "$jobs" != "1" ]
+then
+  flags="-jobs=$jobs -workers=$jobs $flags"
+fi
+
+if [ "$config" == "asan-trace-cmp" ]
+then
+  flags="-use_traces=1 $flags"
+fi
+
+bins/$config/ssl_server_fuzzer $flags fuzzer_output test/core/security/corpus/ssl_server_corpus
diff --git a/tools/run_tests/sources_and_headers.json b/tools/run_tests/sources_and_headers.json
index 8efa2f40d6..231c302b09 100644
--- a/tools/run_tests/sources_and_headers.json
+++ b/tools/run_tests/sources_and_headers.json
@@ -1919,6 +1919,23 @@
     "headers": [], 
     "is_filegroup": false, 
     "language": "c", 
+    "name": "ssl_server_fuzzer", 
+    "src": [
+      "test/core/security/ssl_server_fuzzer.c"
+    ], 
+    "third_party": false, 
+    "type": "target"
+  }, 
+  {
+    "deps": [
+      "gpr", 
+      "gpr_test_util", 
+      "grpc", 
+      "grpc_test_util"
+    ], 
+    "headers": [], 
+    "is_filegroup": false, 
+    "language": "c", 
     "name": "tcp_client_posix_test", 
     "src": [
       "test/core/iomgr/tcp_client_posix_test.c"
@@ -4792,6 +4809,24 @@
     "headers": [], 
     "is_filegroup": false, 
     "language": "c", 
+    "name": "ssl_server_fuzzer_one_entry", 
+    "src": [
+      "test/core/security/ssl_server_fuzzer.c", 
+      "test/core/util/one_corpus_entry_fuzzer.c"
+    ], 
+    "third_party": false, 
+    "type": "target"
+  }, 
+  {
+    "deps": [
+      "gpr", 
+      "gpr_test_util", 
+      "grpc", 
+      "grpc_test_util"
+    ], 
+    "headers": [], 
+    "is_filegroup": false, 
+    "language": "c", 
     "name": "uri_fuzzer_test_one_entry", 
     "src": [
       "test/core/client_channel/uri_fuzzer_test.c",
author	yang-g <yangg@google.com>	2016-11-04 15:10:03 -0700
committer	yang-g <yangg@google.com>	2016-11-04 15:10:03 -0700
commit	31e212857106b5e366f3ad1903d95383d0ed489f (patch)
tree	a7554edbe9842256e891b9c63c7a5f661e4f06aa
parent	3b476d4d3e6db2bb418c6fc483a6fcbcd04f2040 (diff)