aboutsummaryrefslogtreecommitdiff
path: root/lib/mbedtls-2.27.0/programs/fuzz/README.md
diff options
context:
space:
mode:
Diffstat (limited to 'lib/mbedtls-2.27.0/programs/fuzz/README.md')
-rw-r--r--lib/mbedtls-2.27.0/programs/fuzz/README.md68
1 files changed, 68 insertions, 0 deletions
diff --git a/lib/mbedtls-2.27.0/programs/fuzz/README.md b/lib/mbedtls-2.27.0/programs/fuzz/README.md
new file mode 100644
index 0000000..b6a4333
--- /dev/null
+++ b/lib/mbedtls-2.27.0/programs/fuzz/README.md
@@ -0,0 +1,68 @@
+What is it?
+------
+
+This directory contains fuzz targets.
+Fuzz targets are simple codes using the library.
+They are used with a so-called fuzz driver, which will generate inputs, try to process them with the fuzz target, and alert in case of an unwanted behavior (such as a buffer overflow for instance).
+
+These targets were meant to be used with oss-fuzz but can be used in other contexts.
+
+This code was contributed by Philippe Antoine ( Catena cyber ).
+
+How to run?
+------
+
+To run the fuzz targets like oss-fuzz:
+```
+git clone https://github.com/google/oss-fuzz
+cd oss-fuzz
+python infra/helper.py build_image mbedtls
+python infra/helper.py build_fuzzers --sanitizer address mbedtls
+python infra/helper.py run_fuzzer mbedtls fuzz_client
+```
+You can use `undefined` sanitizer as well as `address` sanitizer.
+And you can run any of the fuzz targets like `fuzz_client`.
+
+To run the fuzz targets without oss-fuzz, you first need to install one libFuzzingEngine (libFuzzer for instance).
+Then you need to compile the code with the compiler flags of the wished sanitizer.
+```
+perl scripts/config.py set MBEDTLS_PLATFORM_TIME_ALT
+mkdir build
+cd build
+cmake ..
+make
+```
+Finally, you can run the targets like `./test/fuzz/fuzz_client`.
+
+
+Corpus generation for network trafic targets
+------
+
+These targets use network trafic as inputs :
+* client : simulates a client against (fuzzed) server traffic
+* server : simulates a server against (fuzzed) client traffic
+* dtls_client
+* dtls_server
+
+They also use the last bytes as configuration options.
+
+To generate corpus for these targets, you can do the following, not fully automated steps :
+* Build mbedtls programs ssl_server2 and ssl_client2
+* Run them one against the other with `reproducible` option turned on while capturing trafic into test.pcap
+* Extract tcp payloads, for instance with tshark : `tshark -Tfields -e tcp.dstport -e tcp.payload -r test.pcap > test.txt`
+* Run a dummy python script to output either client or server corpus file like `python dummy.py test.txt > test.cor`
+* Finally, you can add the options by appending the last bytes to the file test.cor
+
+Here is an example of dummy.py for extracting payload from client to server (if we used `tcp.dstport` in tshark command)
+```
+import sys
+import binascii
+
+f = open(sys.argv[1])
+for l in f.readlines():
+ portAndPl=l.split()
+ if len(portAndPl) == 2:
+ # determine client or server based on port
+ if portAndPl[0] == "4433":
+ print(binascii.unhexlify(portAndPl[1].replace(":","")))
+```