From ed2ee1adacc6ff6647d72bbe1a08ad2404869f1b Mon Sep 17 00:00:00 2001
From: Alex Gaynor
Date: Fri, 9 Dec 2016 10:36:42 -0500
Subject: [In progress] Fuzzer for GNUTLS (#135)
* First cut at gnutls. Doesn't actually find coverage.
* link everything right
* pipes are not sockets
* send not write
* these are not used
* stick this here
* this doesn't exit
* remove jenkinsfile
* move to the right dir
* project file
* update for more recent conventions
* ugh, typo
* new lib
* docs take forever
* name it client fuzzer
* stick a cert store on there!
* add a timeout, ugh
* Shtudown the right side instead of using a timeout
* Use boringssl's test corpus
* simplify grabbing the tarballs
* statically link things. pthread is still dynamically linked because I was not able to make it work
* Added an x509 parser fuzzer
* update for the lastest convention
---
 projects/gnutls/Dockerfile | 31 ++++++++++++
 projects/gnutls/build.sh | 34 +++++++++++++
 projects/gnutls/gnutls_client_fuzzer.cc | 73 ++++++++++++++++++++++++++++
 projects/gnutls/gnutls_x509_parser_fuzzer.cc | 47 ++++++++++++++++++
 projects/gnutls/project.yaml | 1 +
 5 files changed, 186 insertions(+)
 create mode 100644 projects/gnutls/Dockerfile
 create mode 100755 projects/gnutls/build.sh
 create mode 100644 projects/gnutls/gnutls_client_fuzzer.cc
 create mode 100644 projects/gnutls/gnutls_x509_parser_fuzzer.cc
 create mode 100644 projects/gnutls/project.yaml
(limited to 'projects/gnutls')
diff --git a/projects/gnutls/Dockerfile b/projects/gnutls/Dockerfile
new file mode 100644
index 00000000..6daadb56
--- /dev/null
+++ b/projects/gnutls/Dockerfile
@@ -0,0 +1,31 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER alex.gaynor@gmail.com
+RUN apt-get install -y make autoconf automake libtool autopoint libnettle6 nettle-dev pkg-config gperf bison autogen texinfo curl
+
+RUN git clone https://gitlab.com/gnutls/gnutls.git
+RUN cd gnutls && git submodule update --init
+
+# Using the client_corpus transcripts from boringssl, they're a decent starting point.
+RUN mkdir boringssl-testcases
+RUN cd boringssl-testcases/ && curl https://boringssl.googlesource.com/boringssl/+archive/master/fuzz/client_corpus.tar.gz | tar -zx
+RUN cd boringssl-testcases/ && curl https://boringssl.googlesource.com/boringssl/+archive/master/fuzz/client_corpus_no_fuzzer_mode.tar.gz | tar -zx
+RUN zip gnutls_client_fuzzer_seed_corpus.zip boringssl-testcases/*
+
+WORKDIR gnutls
+COPY build.sh gnutls_client_fuzzer.cc gnutls_x509_parser_fuzzer.cc $SRC/
diff --git a/projects/gnutls/build.sh b/projects/gnutls/build.sh
new file mode 100755
index 00000000..ba66f8b3
--- /dev/null
+++ b/projects/gnutls/build.sh
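Review bot: The two `curl ... | tar -zx` steps that populate boringssl-testcases cannot fail the image build: curl runs without `--fail`, so an HTTP error body is piped straight into tar, and the RUN step's status is tar's, not curl's, because the default `/bin/sh -c` shell has no pipefail. A missing or truncated download therefore ends up silently zipped as `gnutls_client_fuzzer_seed_corpus.zip` and the fuzzer starts from a bad corpus without anyone noticing. Fetch to a file first and extract in a second command, e.g. `curl --fail -sSL -o client_corpus.tar.gz https://boringssl.googlesource.com/boringssl/+archive/master/fuzz/client_corpus.tar.gz && tar -zxf client_corpus.tar.gz`, so each command's exit status is checked. Both archives are pulled from `master`, so the seed corpus is not reproducible between builds; that is probably acceptable here, but a comment saying so would help.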
@@ -0,0 +1,34 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+make bootstrap
+./configure --enable-gcc-warnings --enable-static --with-included-libtasn1 --with-included-unistring --without-p11-kit --disable-doc
+make "-j$(nproc)"
+
+fuzzers="
+client
+x509_parser
+"
+
+for fuzzer in $fuzzers; do
+ $CXX $CXXFLAGS -std=c++11 -Ilib/includes \
+ "$SRC/gnutls_${fuzzer}_fuzzer.cc" -o "$OUT/gnutls_${fuzzer}_fuzzer" \
+ lib/.libs/libgnutls.a -lFuzzingEngine -lpthread -Wl,-Bstatic \
+ -lhogweed -lnettle -lgmp -Wl,-Bdynamic
+done
+
+cp "$SRC/gnutls_client_fuzzer_seed_corpus.zip" "$OUT/"
diff --git a/projects/gnutls/gnutls_client_fuzzer.cc b/projects/gnutls/gnutls_client_fuzzer.cc
new file mode 100644
index 00000000..b155ca5e
--- /dev/null
+++ b/projects/gnutls/gnutls_client_fuzzer.cc
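Review bot: `fuzzers` is a newline-separated string that the `for` loop expands unquoted, so the loop depends on word splitting; a bash array says the same thing without that dependency: `fuzzers=(client x509_parser)` and `for fuzzer in "${fuzzers[@]}"; do`. The closing `cp` assumes the seed corpus zip built by the Dockerfile lands in `$SRC`, which holds only if the image's working directory before `WORKDIR gnutls` is `$SRC`; that is not visible from this hunk, so a one-line comment above the `cp` stating the assumption would save the next person a failed build. The `-Wl,-Bstatic ... -Wl,-Bdynamic` bracket around hogweed/nettle/gmp while pthread stays dynamic matches the commit message, but nothing in the script explains it; a short comment on the link line would keep that intent from being "cleaned up" later.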
@@ -0,0 +1,73 @@
+/*
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ int res;
+ gnutls_session_t session;
+ gnutls_certificate_credentials_t xcred;
+
+ int socket_fds[2];
+ res = socketpair(AF_UNIX, SOCK_STREAM, 0, socket_fds);
+ assert(res >= 0);
+ ssize_t send_res = send(socket_fds[1], data, size, 0);
+ assert(send_res == size);
+ res = shutdown(socket_fds[1], SHUT_WR);
+ assert(res == 0);
+
+ res = gnutls_init(&session, GNUTLS_CLIENT);
+ assert(res >= 0);
+
+ res = gnutls_certificate_allocate_credentials(&xcred);
+ assert(res >= 0);
+ res = gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
+ assert(res >= 0);
+
+ res = gnutls_set_default_priority(session);
+ assert(res >= 0);
+
+ gnutls_transport_set_int(session, socket_fds[0]);
+
+ do {
+ res = gnutls_handshake(session);
+ } while (res < 0 && gnutls_error_is_fatal(res) == 0);
+ if (res >= 0) {
+ while (true) {
+ char buf[16384];
+ res = gnutls_record_recv(session, buf, sizeof(buf));
+ if (res <= 0) {
+ break;
+ }
+ }
+ }
+
+ close(socket_fds[0]);
+ close(socket_fds[1]);
+ gnutls_deinit(session);
+ gnutls_certificate_free_credentials(xcred);
+ return 0;
+}
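Review bot: `send(socket_fds[1], data, size, 0)` writes the entire input into the socketpair before anything reads the other end, so an input larger than the socket's send buffer blocks in `send()` forever and the target hangs instead of reporting a bug; with libFuzzer's default `-max_len` this is unlikely to trigger, but a larger corpus entry or `-max_len` setting would. Bound the input up front, e.g. `if (size > 65536) return 0;` (a constructed cap, keep it below the kernel's AF_UNIX send buffer), or open the writing end non-blocking and treat a short write as "skip this input". The check on the following line compares the signed `send_res` with `size_t size`, which `-Wsign-compare` will flag; write it as `assert(send_res >= 0 && (size_t)send_res == size);`. Every setup check here is a plain `assert`, which is compiled out under NDEBUG while the calls stay, so a failed `socketpair` or `gnutls_init` would continue into the handshake with an unset `session`; a fuzz target should fail hard regardless of build flags, so `if (res < 0) abort();` is the safer shape for the init calls.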
diff --git a/projects/gnutls/gnutls_x509_parser_fuzzer.cc b/projects/gnutls/gnutls_x509_parser_fuzzer.cc
new file mode 100644
index 00000000..28dc3397
--- /dev/null
+++ b/projects/gnutls/gnutls_x509_parser_fuzzer.cc
@@ -0,0 +1,47 @@
+/*
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+*/
+
+#include
+#include
+
+#include
+#include
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ gnutls_datum_t raw;
+ gnutls_datum_t out;
+ gnutls_x509_crt_t crt;
+ int ret;
+
+ raw.data = (unsigned char *)data;
+ raw.size = size;
+
+ ret = gnutls_x509_crt_init(&crt);
+ assert(ret >= 0);
+
+ ret = gnutls_x509_crt_import(crt, &raw, GNUTLS_X509_FMT_DER);
+ if (ret >= 0) {
+ ret = gnutls_x509_crt_print(crt, GNUTLS_CRT_PRINT_FULL, &out);
+ assert(ret >= 0);
+ gnutls_free(out.data);
+ }
+
+ gnutls_x509_crt_deinit(crt);
+ return 0;
+}
diff --git a/projects/gnutls/project.yaml b/projects/gnutls/project.yaml
new file mode 100644
index 00000000..e89e677b
--- /dev/null
+++ b/projects/gnutls/project.yaml
@@ -0,0 +1 @@
+homepage: https://www.gnutls.org/
-- cgit v1.2.3
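Review bot: `raw.data = (unsigned char *)data;` casts away the `const` on the fuzzer input because `gnutls_datum_t` carries a non-const pointer, and libFuzzer requires the input buffer not be modified; a comment such as `// gnutls_datum_t is not const-qualified; crt_import only reads the buffer` should state why the cast is safe so it is not mistaken for a write path. The `gnutls_x509_crt_init` result is checked only by `assert`, which disappears under NDEBUG and then leaves `crt` unset on the deinit path; `if (gnutls_x509_crt_init(&crt) < 0) abort();` keeps the check in every build configuration. The `assert(ret >= 0)` after `gnutls_x509_crt_print` looks intentional as an oracle (anything that imports must also print), and `raw.size = size;` narrows `size_t` into the datum's `unsigned int`; a one-line comment on each would stop a later reader from softening the first or overlooking the second. Only `GNUTLS_X509_FMT_DER` is exercised, so the PEM decoder in front of the same parser gets no coverage from this target.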