From 1e9d19dd49fe177c631b355d65da8c75cd56f12e Mon Sep 17 00:00:00 2001
From: Guillaume BIENKOWSKI
Date: Wed, 29 Jul 2015 12:32:57 +0200
Subject: [PATCH] Add documentation about AFL fuzzing and seed SIP messages
---
 tester/afl.md | 39 +++++++++++++++++++++++++++++
 tester/afl/sip/401Unauthorized.txt | 11 ++++++++
 tester/afl/sip/REGISTER.txt | 16 ++++++++++++
 tester/afl/sip/SIP200RegSuccess.txt | 12 +++++++++
 4 files changed, 78 insertions(+)
 create mode 100644 tester/afl.md
 create mode 100644 tester/afl/sip/401Unauthorized.txt
 create mode 100644 tester/afl/sip/REGISTER.txt
 create mode 100644 tester/afl/sip/SIP200RegSuccess.txt
diff --git a/tester/afl.md b/tester/afl.md
new file mode 100644
index 00000000..a22c5707
--- /dev/null
+++ b/tester/afl.md
@@ -0,0 +1,39 @@
+# Using the afl-fuzz to look for bugs in the belle-sip parser
+
+This guide expects that you have installed the afl-fuzz package for your distribution, or on Mac using Homebrew or port.
+Windows is not supported right now.
+
+Then follow these steps:
+
+1. Configure belle-sip with the afl instrumentation tools as CC and OBJC, and with static linking:
+
+ # Linux
+ CC=`which afl-gcc` ./configure --disable-shared
+
+ # Mac
+ CC=`which afl-clang` OBJC=`which afl-clang` ./configure --disable-shared
+
+2. Compile and make sure the testers are build. You should have an executable file named testers/belle_sip_parser
+
+ make clean && make
+
+3. You can now run the afl fuzzy tester in the tester/ directory to test the parser for SDP, HTTP or SIP.
+
+ afl-fuzz -i afl/sip -o afl_sip_results -- ./belle_sip_parser --protocol sip @@
+
+With this command:
+
+- It will show you a screen with informations on the current state of the fuzzing steps.
+
+- The `afl/sip` directory contains valid SIP messages that the fuzzer will use as a base for its investigations. You can add
+
+- The results of the investigations will be placed in a directory named `afl_sip_results/`. You will have access to the SIP messages that provoked a crash in the `crashes/` directory.
+
+# Notes
+
+The afl directory contains test messages that will be the base for mutation with the afl fuzzer. They are saved using the CRLF line endings. This is important since the parser expects two "\r\n\r\n" at the end of a message.
+
+## TODO:
+
+1. add HTTP and SDP fuzzy tests
+2. add a dictionary of keywords to help the fuzzer generate some valid messages (instead of bitflipping randomly) (see `afl-fuzz -x` option)
\ No newline at end of file
diff --git a/tester/afl/sip/401Unauthorized.txt b/tester/afl/sip/401Unauthorized.txt
new file mode 100644
index 00000000..2357ae73
--- /dev/null
+++ b/tester/afl/sip/401Unauthorized.txt
@@ -0,0 +1,11 @@
+SIP/2.0 401 Unauthorized
+Via: SIP/2.0/TLS 192.168.0.109:49949;alias;branch=z9hG4bK.gWH~ix41h;rport=49949;received=82.216.250.246
+From: ;tag=5exJTQayL
+To: ;tag=jv0pZ0cH8ejaF
+Call-ID: PkUb7A2nxg
+CSeq: 20 REGISTER
+Server: Flexisip/1.0.2 (sofia-sip-nta/2.0)
+WWW-Authenticate: Digest realm="sip.linphone.org", nonce="WR5i2QAAAAA9uY8IAADQ03f3p94AAAAA", opaque="+GNywA==", algorithm=MD5, qop="auth"
+Content-Length: 0
+
+
diff --git a/tester/afl/sip/REGISTER.txt b/tester/afl/sip/REGISTER.txt
new file mode 100644
index 00000000..8683c9fe
--- /dev/null
+++ b/tester/afl/sip/REGISTER.txt
@@ -0,0 +1,16 @@
+REGISTER sip:sip.linphone.org SIP/2.0
+Via: SIP/2.0/TLS 192.168.0.109:49949;alias;branch=z9hG4bK.gdQJOpBN5;rport
+From: ;tag=5exJTQayL
+To: sip:gbi@sip.linphone.org
+CSeq: 21 REGISTER
+Call-ID: PkUb7A2nxg
+Max-Forwards: 70
+Supported: outbound
+Accept: application/sdp, text/plain, application/vnd.gsma.rcs-ft-http+xml
+Contact: ;+sip.instance=""
+Expires: 3600
+User-Agent: Linphone/3.8.5 (belle-sip/1.4.1)
+Content-Length: 0
+Authorization: Digest realm="sip.linphone.org", nonce="WR5i2QAAAAA9uY8IAADQ03f3p94AAAAA", algorithm=MD5, opaque="+GNywA==", username="gbi", uri="sip:sip.linphone.org", response="124f0c0ea212786c9f8b5b6f1de92b43", cnonce="faaac8d5", nc=00000001, qop=auth
+
+
diff --git a/tester/afl/sip/SIP200RegSuccess.txt b/tester/afl/sip/SIP200RegSuccess.txt
new file mode 100644
index 00000000..f7853a45
--- /dev/null
+++ b/tester/afl/sip/SIP200RegSuccess.txt
@@ -0,0 +1,12 @@
+SIP/2.0 200 Registration successful
+Via: SIP/2.0/TLS 192.168.0.109:49949;alias;branch=z9hG4bK.gdQJOpBN5;rport=49949;received=82.216.250.246
+From: ;tag=5exJTQayL
+To: ;tag=K5SF1UXm5Q8va
+Call-ID: PkUb7A2nxg
+CSeq: 21 REGISTER
+Contact: ;expires=3600;q=0.00
+Contact: ;expires=604442;q=0.00
+Server: Flexisip/1.0.2 (sofia-sip-nta/2.0)
+Content-Length: 0
+
+
-- GitLab
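Review bot: The Authorization header in the REGISTER.txt hunk appears to be captured from a live registration against sip.linphone.org rather than synthesised: it carries an account name (`username="gbi"`), the server nonce, a client cnonce and the MD5 digest `response`, and the Via headers in 401Unauthorized.txt and SIP200RegSuccess.txt carry a public address in `received=82.216.250.246`. A seed corpus only has to be syntactically valid for the parser, so these values should be replaced with placeholders before the files are published; the full set of MD5 Digest parameters is enough material for offline password guessing against that account, and the address plus the shared Call-ID tie the files to a specific user and session. Keeping the same grammar with constructed values, e.g. `username="user", uri="sip:example.org", response="<synthetic-32-hex>", cnonce="<synthetic>"` together with a documentation-range realm and `received=` address, preserves what the fuzzer needs. It would also help to add a line to tester/afl.md stating that seed messages must not contain real credentials or addresses.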