static int fuzzEnvelope( const char *fuzzFileName )
{
CRYPT_ENVELOPE cryptEnvelope;
BYTE buffer[ 4096 ];
int length, bytesIn, status;
/* Create the envelope */
status = cryptCreateEnvelope( &cryptEnvelope, CRYPT_UNUSED,
CRYPT_FORMAT_AUTO );
if( cryptStatusError( status ) )
return( status );
/* We're ready to go, start the forkserver and read the mutable data */
#ifndef __WINDOWS__
__afl_manual_init();
#endif /* !__WINDOWS__ */
length = readFileData( fuzzFileName, fuzzFileName, buffer, 4096, 64,
TRUE );
if( length < 64 )
return( CRYPT_ERROR_READ );
/* Process the input file */
( void ) cryptPushData( cryptEnvelope, buffer, length, &bytesIn );
cryptDestroyEnvelope( cryptEnvelope );
return( CRYPT_OK );
}
int main(int argc, char **argv) {
fprintf(stderr, "Running in AFl-fuzz mode\nUsage:\n"
"afl-fuzz [afl-flags] %s [N] "
"-- run N fuzzing iterations before "
"re-spawning the process (default: 1000)\n",
argv[0]);
if (LLVMFuzzerInitialize)
LLVMFuzzerInitialize(&argc, &argv);
// Do any other expensive one-time initialization here.
maybe_duplicate_stderr();
__afl_manual_init();
int N = 1000;
if (argc >= 2)
N = atoi(argv[1]);
assert(N > 0);
while (__afl_persistent_loop(N)) {
ssize_t n_read = read(0, AflInputBuf, kMaxAflInputSize);
if (n_read > 0) {
// Copy AflInputBuf into a separate buffer to let asan find buffer
// overflows. Don't use unique_ptr/etc to avoid extra dependencies.
uint8_t *copy = new uint8_t[n_read];
memcpy(copy, AflInputBuf, n_read);
LLVMFuzzerTestOneInput(copy, n_read);
delete[] copy;
}
}
}
__attribute__((constructor(0))) void __afl_auto_init(void) {
is_persistent = !!getenv(PERSIST_ENV_VAR);
if (getenv(DEFER_ENV_VAR)) return;
__afl_manual_init();
}
static int fuzzSpecial( const int fuzzType, const char *fuzzFileName )
{
CRYPT_CONTEXT cryptPrivKey;
BYTE buffer[ 8192 ];
const int minLength = ( fuzzType == 4000 ) ? 2 : 16;
int length, status;
/* If we're fuzzing bignum ops, load the private key that we'll need */
if( fuzzType == 4000 )
{
if( !loadRSAContexts( CRYPT_UNUSED, NULL, &cryptPrivKey ) )
return( CRYPT_ERROR_FAILED );
}
/* We're ready to go, start the forkserver and read the mutable data */
#ifndef __WINDOWS__
__afl_manual_init();
#endif /* !__WINDOWS__ */
length = readFileData( fuzzFileName, fuzzFileName, buffer, 8192,
minLength, TRUE );
if( length < minLength )
return( CRYPT_ERROR_READ );
/* Process the input file */
if( fuzzType == 4000 )
{
BYTE tmpBuffer[ 8192 ];
#if 0 /* We don't do an early-out in order to check that the bignum code
can actually reject all invalid input values */
/* Any value that's larger than the modulus will be trivially
rejected so there's no point in trying to process it */
if( buffer[ 0 ] > 0x9C )
{
cryptDestroyContext( cryptPrivKey );
return( CRYPT_OK );
}
#endif /* 0 */
memcpy( tmpBuffer, buffer, length );
status = cryptDecrypt( cryptPrivKey, buffer, length );
if( cryptStatusOK( status ) )
status = cryptEncrypt( cryptPrivKey, buffer, length );
if( cryptStatusOK( status ) )
{
/* Make sure that we got back what we started with */
assert( !memcmp( buffer, tmpBuffer, length ) );
}
cryptDestroyContext( cryptPrivKey );
}
static int fuzzKeyset( const char *fuzzFileName )
{
CRYPT_KEYSET cryptKeyset;
int status;
/* Start the forkserver */
#ifndef __WINDOWS__
__afl_manual_init();
#endif /* !__WINDOWS__ */
/* Process the input file */
status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE,
fuzzFileName, CRYPT_KEYOPT_READONLY );
if( cryptStatusOK( status ) )
cryptKeysetClose( cryptKeyset );
return( CRYPT_OK );
}
__attribute__((constructor(0))) void __afl_auto_init(void) {
if (getenv("AFL_DEFER_FORKSRV")) return;
__afl_manual_init();
}
static int fuzzSession( const CRYPT_SESSION_TYPE sessionType,
const char *fuzzFileName )
{
CRYPT_SESSION cryptSession;
CRYPT_CONTEXT cryptPrivKey = CRYPT_UNUSED;
BYTE buffer[ 4096 ];
const BOOLEAN isServer = \
( sessionType == CRYPT_SESSION_SSH_SERVER || \
sessionType == CRYPT_SESSION_SSL_SERVER || \
sessionType == CRYPT_SESSION_OCSP_SERVER || \
sessionType == CRYPT_SESSION_RTCS_SERVER || \
sessionType == CRYPT_SESSION_TSP_SERVER || \
sessionType == CRYPT_SESSION_CMP_SERVER || \
sessionType == CRYPT_SESSION_SCEP_SERVER ) ? \
TRUE : FALSE;
int length, status;
/* Create the session */
status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType );
if( cryptStatusError( status ) )
return( status );
/* Set up the various attributes needed to establish a minimal session */
if( !isServer )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_SERVER_NAME,
"localhost", 9 );
if( cryptStatusError( status ) )
return( status );
}
if( isServer )
{
if( !loadRSAContexts( CRYPT_UNUSED, NULL, &cryptPrivKey ) )
return( CRYPT_ERROR_FAILED );
}
if( sessionType == CRYPT_SESSION_SSH || \
sessionType == CRYPT_SESSION_CMP )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_USERNAME,
SSH_USER_NAME,
paramStrlen( SSH_USER_NAME ) );
if( cryptStatusOK( status ) )
{
status = cryptSetAttributeString( cryptSession,
CRYPT_SESSINFO_PASSWORD,
SSH_PASSWORD,
paramStrlen( SSH_PASSWORD ) );
}
if( cryptStatusError( status ) )
return( status );
}
if( sessionType == CRYPT_SESSION_CMP )
{
status = cryptSetAttribute( cryptSession,
CRYPT_SESSINFO_CMP_REQUESTTYPE,
CRYPT_REQUESTTYPE_INITIALISATION );
if( cryptStatusError( status ) )
return( status );
}
/* Perform any final session initialisation */
cryptFuzzInit( cryptSession, cryptPrivKey );
/* We're ready to go, start the forkserver and read the mutable data */
#ifndef __WINDOWS__
__afl_manual_init();
#endif /* !__WINDOWS__ */
length = readFileData( fuzzFileName, fuzzFileName, buffer, 4096, 32,
TRUE );
if( length < 32 )
return( CRYPT_ERROR_READ );
/* Perform the fuzzing */
( void ) cryptSetFuzzData( cryptSession, buffer, length );
cryptDestroySession( cryptSession );
if( cryptPrivKey != CRYPT_UNUSED )
cryptDestroyContext( cryptPrivKey );
return( CRYPT_OK );
}
