aboutsummaryrefslogtreecommitdiffhomepage
path: root/test/core/security/ssl_server_fuzzer.c
blob: f9b754b8f21407053f5e7659ba9f66003a2d6a9c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
/*
 *
 * Copyright 2016 gRPC authors.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 */

#include <grpc/grpc.h>
#include <grpc/grpc_security.h>
#include <grpc/support/log.h>

#include "src/core/lib/iomgr/load_file.h"
#include "src/core/lib/security/credentials/credentials.h"
#include "src/core/lib/security/transport/security_connector.h"
#include "test/core/end2end/data/ssl_test_data.h"
#include "test/core/util/memory_counters.h"
#include "test/core/util/mock_endpoint.h"

bool squelch = true;
// ssl has an array of global gpr_mu's that are never released.
// Turning this on will fail the leak check.
bool leak_check = false;

static void discard_write(grpc_slice slice) {}

static void dont_log(gpr_log_func_args *args) {}

struct handshake_state {
  bool done_callback_called;
};

static void on_handshake_done(grpc_exec_ctx *exec_ctx, void *arg,
                              grpc_error *error) {
  grpc_handshaker_args *args = arg;
  struct handshake_state *state = args->user_data;
  GPR_ASSERT(state->done_callback_called == false);
  state->done_callback_called = true;
  // The fuzzer should not pass the handshake.
  GPR_ASSERT(error != GRPC_ERROR_NONE);
}

int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
  struct grpc_memory_counters counters;
  if (squelch) gpr_set_log_function(dont_log);
  if (leak_check) grpc_memory_counters_init();
  grpc_init();
  grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;

  grpc_resource_quota *resource_quota =
      grpc_resource_quota_create("ssl_server_fuzzer");
  grpc_endpoint *mock_endpoint =
      grpc_mock_endpoint_create(discard_write, resource_quota);
  grpc_resource_quota_unref_internal(&exec_ctx, resource_quota);

  grpc_mock_endpoint_put_read(
      &exec_ctx, mock_endpoint,
      grpc_slice_from_copied_buffer((const char *)data, size));

  // Load key pair and establish server SSL credentials.
  grpc_ssl_pem_key_cert_pair pem_key_cert_pair;
  grpc_slice ca_slice, cert_slice, key_slice;
  ca_slice = grpc_slice_from_static_string(test_root_cert);
  cert_slice = grpc_slice_from_static_string(test_server1_cert);
  key_slice = grpc_slice_from_static_string(test_server1_key);
  const char *ca_cert = (const char *)GRPC_SLICE_START_PTR(ca_slice);
  pem_key_cert_pair.private_key = (const char *)GRPC_SLICE_START_PTR(key_slice);
  pem_key_cert_pair.cert_chain = (const char *)GRPC_SLICE_START_PTR(cert_slice);
  grpc_server_credentials *creds = grpc_ssl_server_credentials_create(
      ca_cert, &pem_key_cert_pair, 1, 0, NULL);

  // Create security connector
  grpc_server_security_connector *sc = NULL;
  grpc_security_status status =
      grpc_server_credentials_create_security_connector(&exec_ctx, creds, &sc);
  GPR_ASSERT(status == GRPC_SECURITY_OK);
  grpc_millis deadline = GPR_MS_PER_SEC + grpc_exec_ctx_now(&exec_ctx);

  struct handshake_state state;
  state.done_callback_called = false;
  grpc_handshake_manager *handshake_mgr = grpc_handshake_manager_create();
  grpc_server_security_connector_add_handshakers(&exec_ctx, sc, handshake_mgr);
  grpc_handshake_manager_do_handshake(
      &exec_ctx, handshake_mgr, mock_endpoint, NULL /* channel_args */,
      deadline, NULL /* acceptor */, on_handshake_done, &state);
  grpc_exec_ctx_flush(&exec_ctx);

  // If the given string happens to be part of the correct client hello, the
  // server will wait for more data. Explicitly fail the server by shutting down
  // the endpoint.
  if (!state.done_callback_called) {
    grpc_endpoint_shutdown(
        &exec_ctx, mock_endpoint,
        GRPC_ERROR_CREATE_FROM_STATIC_STRING("Explicit close"));
    grpc_exec_ctx_flush(&exec_ctx);
  }

  GPR_ASSERT(state.done_callback_called);

  grpc_handshake_manager_destroy(&exec_ctx, handshake_mgr);
  GRPC_SECURITY_CONNECTOR_UNREF(&exec_ctx, &sc->base, "test");
  grpc_server_credentials_release(creds);
  grpc_slice_unref(cert_slice);
  grpc_slice_unref(key_slice);
  grpc_slice_unref(ca_slice);
  grpc_exec_ctx_flush(&exec_ctx);

  grpc_shutdown();
  if (leak_check) {
    counters = grpc_memory_counters_snapshot();
    grpc_memory_counters_destroy();
    GPR_ASSERT(counters.total_size_relative == 0);
  }
  return 0;
}