static int fuzzEnvelope( const char *fuzzFileName ) { CRYPT_ENVELOPE cryptEnvelope; BYTE buffer[ 4096 ]; int length, bytesIn, status; /* Create the envelope */ status = cryptCreateEnvelope( &cryptEnvelope, CRYPT_UNUSED, CRYPT_FORMAT_AUTO ); if( cryptStatusError( status ) ) return( status ); /* We're ready to go, start the forkserver and read the mutable data */ #ifndef __WINDOWS__ __afl_manual_init(); #endif /* !__WINDOWS__ */ length = readFileData( fuzzFileName, fuzzFileName, buffer, 4096, 64, TRUE ); if( length < 64 ) return( CRYPT_ERROR_READ ); /* Process the input file */ ( void ) cryptPushData( cryptEnvelope, buffer, length, &bytesIn ); cryptDestroyEnvelope( cryptEnvelope ); return( CRYPT_OK ); }
int main(int argc, char **argv) { fprintf(stderr, "Running in AFl-fuzz mode\nUsage:\n" "afl-fuzz [afl-flags] %s [N] " "-- run N fuzzing iterations before " "re-spawning the process (default: 1000)\n", argv[0]); if (LLVMFuzzerInitialize) LLVMFuzzerInitialize(&argc, &argv); // Do any other expensive one-time initialization here. maybe_duplicate_stderr(); __afl_manual_init(); int N = 1000; if (argc >= 2) N = atoi(argv[1]); assert(N > 0); while (__afl_persistent_loop(N)) { ssize_t n_read = read(0, AflInputBuf, kMaxAflInputSize); if (n_read > 0) { // Copy AflInputBuf into a separate buffer to let asan find buffer // overflows. Don't use unique_ptr/etc to avoid extra dependencies. uint8_t *copy = new uint8_t[n_read]; memcpy(copy, AflInputBuf, n_read); LLVMFuzzerTestOneInput(copy, n_read); delete[] copy; } } }
__attribute__((constructor(0))) void __afl_auto_init(void) { is_persistent = !!getenv(PERSIST_ENV_VAR); if (getenv(DEFER_ENV_VAR)) return; __afl_manual_init(); }
static int fuzzSpecial( const int fuzzType, const char *fuzzFileName ) { CRYPT_CONTEXT cryptPrivKey; BYTE buffer[ 8192 ]; const int minLength = ( fuzzType == 4000 ) ? 2 : 16; int length, status; /* If we're fuzzing bignum ops, load the private key that we'll need */ if( fuzzType == 4000 ) { if( !loadRSAContexts( CRYPT_UNUSED, NULL, &cryptPrivKey ) ) return( CRYPT_ERROR_FAILED ); } /* We're ready to go, start the forkserver and read the mutable data */ #ifndef __WINDOWS__ __afl_manual_init(); #endif /* !__WINDOWS__ */ length = readFileData( fuzzFileName, fuzzFileName, buffer, 8192, minLength, TRUE ); if( length < minLength ) return( CRYPT_ERROR_READ ); /* Process the input file */ if( fuzzType == 4000 ) { BYTE tmpBuffer[ 8192 ]; #if 0 /* We don't do an early-out in order to check that the bignum code can actually reject all invalid input values */ /* Any value that's larger than the modulus will be trivially rejected so there's no point in trying to process it */ if( buffer[ 0 ] > 0x9C ) { cryptDestroyContext( cryptPrivKey ); return( CRYPT_OK ); } #endif /* 0 */ memcpy( tmpBuffer, buffer, length ); status = cryptDecrypt( cryptPrivKey, buffer, length ); if( cryptStatusOK( status ) ) status = cryptEncrypt( cryptPrivKey, buffer, length ); if( cryptStatusOK( status ) ) { /* Make sure that we got back what we started with */ assert( !memcmp( buffer, tmpBuffer, length ) ); } cryptDestroyContext( cryptPrivKey ); }
static int fuzzKeyset( const char *fuzzFileName ) { CRYPT_KEYSET cryptKeyset; int status; /* Start the forkserver */ #ifndef __WINDOWS__ __afl_manual_init(); #endif /* !__WINDOWS__ */ /* Process the input file */ status = cryptKeysetOpen( &cryptKeyset, CRYPT_UNUSED, CRYPT_KEYSET_FILE, fuzzFileName, CRYPT_KEYOPT_READONLY ); if( cryptStatusOK( status ) ) cryptKeysetClose( cryptKeyset ); return( CRYPT_OK ); }
__attribute__((constructor(0))) void __afl_auto_init(void) { if (getenv("AFL_DEFER_FORKSRV")) return; __afl_manual_init(); }
static int fuzzSession( const CRYPT_SESSION_TYPE sessionType, const char *fuzzFileName ) { CRYPT_SESSION cryptSession; CRYPT_CONTEXT cryptPrivKey = CRYPT_UNUSED; BYTE buffer[ 4096 ]; const BOOLEAN isServer = \ ( sessionType == CRYPT_SESSION_SSH_SERVER || \ sessionType == CRYPT_SESSION_SSL_SERVER || \ sessionType == CRYPT_SESSION_OCSP_SERVER || \ sessionType == CRYPT_SESSION_RTCS_SERVER || \ sessionType == CRYPT_SESSION_TSP_SERVER || \ sessionType == CRYPT_SESSION_CMP_SERVER || \ sessionType == CRYPT_SESSION_SCEP_SERVER ) ? \ TRUE : FALSE; int length, status; /* Create the session */ status = cryptCreateSession( &cryptSession, CRYPT_UNUSED, sessionType ); if( cryptStatusError( status ) ) return( status ); /* Set up the various attributes needed to establish a minimal session */ if( !isServer ) { status = cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_SERVER_NAME, "localhost", 9 ); if( cryptStatusError( status ) ) return( status ); } if( isServer ) { if( !loadRSAContexts( CRYPT_UNUSED, NULL, &cryptPrivKey ) ) return( CRYPT_ERROR_FAILED ); } if( sessionType == CRYPT_SESSION_SSH || \ sessionType == CRYPT_SESSION_CMP ) { status = cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_USERNAME, SSH_USER_NAME, paramStrlen( SSH_USER_NAME ) ); if( cryptStatusOK( status ) ) { status = cryptSetAttributeString( cryptSession, CRYPT_SESSINFO_PASSWORD, SSH_PASSWORD, paramStrlen( SSH_PASSWORD ) ); } if( cryptStatusError( status ) ) return( status ); } if( sessionType == CRYPT_SESSION_CMP ) { status = cryptSetAttribute( cryptSession, CRYPT_SESSINFO_CMP_REQUESTTYPE, CRYPT_REQUESTTYPE_INITIALISATION ); if( cryptStatusError( status ) ) return( status ); } /* Perform any final session initialisation */ cryptFuzzInit( cryptSession, cryptPrivKey ); /* We're ready to go, start the forkserver and read the mutable data */ #ifndef __WINDOWS__ __afl_manual_init(); #endif /* !__WINDOWS__ */ length = readFileData( fuzzFileName, fuzzFileName, buffer, 4096, 32, TRUE ); if( length < 32 ) return( CRYPT_ERROR_READ ); /* Perform the fuzzing */ ( void ) cryptSetFuzzData( cryptSession, buffer, length ); cryptDestroySession( cryptSession ); if( cryptPrivKey != CRYPT_UNUSED ) cryptDestroyContext( cryptPrivKey ); return( CRYPT_OK ); }