1 // Copyright 2016 The Chromium Authors
2 // Use of this source code is governed by a BSD-style license that can be
3 // found in the LICENSE file.
4
5 #include "net/http/http_proxy_client_socket.h"
6
7 #include <stddef.h>
8 #include <stdint.h>
9
10 #include <fuzzer/FuzzedDataProvider.h>
11
12 #include <memory>
13 #include <string>
14
15 #include "base/check_op.h"
16 #include "base/strings/utf_string_conversions.h"
17 #include "net/base/address_list.h"
18 #include "net/base/auth.h"
19 #include "net/base/host_port_pair.h"
20 #include "net/base/network_anonymization_key.h"
21 #include "net/base/proxy_chain.h"
22 #include "net/base/proxy_server.h"
23 #include "net/base/test_completion_callback.h"
24 #include "net/http/http_auth_cache.h"
25 #include "net/http/http_auth_handler_basic.h"
26 #include "net/http/http_auth_handler_digest.h"
27 #include "net/http/http_auth_handler_factory.h"
28 #include "net/http/http_auth_preferences.h"
29 #include "net/http/http_auth_scheme.h"
30 #include "net/log/net_log.h"
31 #include "net/log/test_net_log.h"
32 #include "net/socket/fuzzed_socket.h"
33 #include "net/socket/next_proto.h"
34 #include "net/traffic_annotation/network_traffic_annotation_test_helper.h"
35
36 // Fuzzer for HttpProxyClientSocket only tests establishing a connection when
37 // using the proxy as a tunnel.
38 //
39 // |data| is used to create a FuzzedSocket to fuzz reads and writes, see that
40 // class for details.
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)41 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
42 FuzzedDataProvider data_provider(data, size);
43 // Including an observer; even though the recorded results aren't currently
44 // used, it'll ensure the netlogging code is fuzzed as well.
45 net::RecordingNetLogObserver net_log_observer;
46
47 net::TestCompletionCallback callback;
48 auto fuzzed_socket =
49 std::make_unique<net::FuzzedSocket>(&data_provider, net::NetLog::Get());
50 CHECK_EQ(net::OK, fuzzed_socket->Connect(callback.callback()));
51
52 // Create auth handler supporting basic and digest schemes. Other schemes can
53 // make system calls, which doesn't seem like a great idea.
54 net::HttpAuthCache auth_cache(
55 false /* key_server_entries_by_network_anonymization_key */);
56 net::HttpAuthPreferences http_auth_preferences;
57 http_auth_preferences.set_allowed_schemes(
58 std::set<std::string>{net::kBasicAuthScheme, net::kDigestAuthScheme});
59 net::HttpAuthHandlerRegistryFactory auth_handler_factory(
60 &http_auth_preferences);
61
62 scoped_refptr<net::HttpAuthController> auth_controller(
63 base::MakeRefCounted<net::HttpAuthController>(
64 net::HttpAuth::AUTH_PROXY, GURL("http://proxy:42/"),
65 net::NetworkAnonymizationKey(), &auth_cache, &auth_handler_factory,
66 nullptr));
67 // Determine if the HttpProxyClientSocket should be told the underlying socket
68 // is HTTPS.
69 net::HttpProxyClientSocket socket(
70 std::move(fuzzed_socket), "Bond/007", net::HostPortPair("foo", 80),
71 net::ProxyChain(net::ProxyServer::SCHEME_HTTP,
72 net::HostPortPair("proxy", 42)),
73 /*proxy_chain_index=*/0, auth_controller.get(),
74 /*proxy_delegate=*/nullptr, TRAFFIC_ANNOTATION_FOR_TESTS);
75 int result = socket.Connect(callback.callback());
76 result = callback.GetResult(result);
77
78 // Repeatedly try to log in with the same credentials.
79 while (result == net::ERR_PROXY_AUTH_REQUESTED) {
80 if (!auth_controller->HaveAuth()) {
81 auth_controller->ResetAuth(net::AuthCredentials(u"user", u"pass"));
82 }
83 result = socket.RestartWithAuth(callback.callback());
84 result = callback.GetResult(result);
85 }
86
87 return 0;
88 }
89