From: Guido Vranken <guidovranken@gmail.com>
Date: Tue, 27 Jun 2017 09:27:05 +0000 (+0200)
Subject: Add crypto.c fuzzer
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=3165125727b2d55f4622cd3ef9b257ea0c5f5115;p=thirdparty%2Fopenvpn.git

Add crypto.c fuzzer
---

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index a3bbe366d..de8b6ed89 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -135,7 +135,8 @@ extra_PROGRAMS = \
 				 openvpn-fuzzer-list openvpn-fuzzer-list-standalone \
 				 openvpn-fuzzer-misc openvpn-fuzzer-misc-standalone \
 				 openvpn-fuzzer-mroute openvpn-fuzzer-mroute-standalone \
-				 openvpn-fuzzer-comp openvpn-fuzzer-comp-standalone
+				 openvpn-fuzzer-comp openvpn-fuzzer-comp-standalone \
+				 openvpn-fuzzer-crypto openvpn-fuzzer-crypto-standalone
 extradir = .
 fuzzer_sources = dummy.cpp
 fuzzer_cflags = \
@@ -218,6 +219,11 @@ openvpn_fuzzer_comp_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_comp_CFLAGS = $(fuzzer_cflags)
 openvpn_fuzzer_comp_LDADD = $(fuzzer_ldadd) fuzzer-comp.o libFuzzer.a
 
+openvpn_fuzzer_crypto_SOURCES = $(fuzzer_sources)
+openvpn_fuzzer_crypto_LDFLAGS = $(fuzzer_ldflags)
+openvpn_fuzzer_crypto_CFLAGS = $(fuzzer_cflags)
+openvpn_fuzzer_crypto_LDADD = $(fuzzer_ldadd) fuzzer-crypto.o libFuzzer.a
+
 openvpn_fuzzer_base64_standalone_SOURCES = fuzzer-standalone-loader.c
 openvpn_fuzzer_base64_standalone_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_base64_standalone_CFLAGS = $(fuzzer_cflags)
@@ -277,3 +283,8 @@ openvpn_fuzzer_comp_standalone_SOURCES = fuzzer-standalone-loader.c
 openvpn_fuzzer_comp_standalone_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_comp_standalone_CFLAGS = $(fuzzer_cflags)
 openvpn_fuzzer_comp_standalone_LDADD = $(fuzzer_ldadd) fuzzer-comp.o
+
+openvpn_fuzzer_crypto_standalone_SOURCES = fuzzer-standalone-loader.c
+openvpn_fuzzer_crypto_standalone_LDFLAGS = $(fuzzer_ldflags)
+openvpn_fuzzer_crypto_standalone_CFLAGS = $(fuzzer_cflags)
+openvpn_fuzzer_crypto_standalone_LDADD = $(fuzzer_ldadd) fuzzer-crypto.o
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index f0c22bf43..81f15051a 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -756,7 +756,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
         kt->cipher = cipher_kt_get(translate_cipher_name_from_openvpn(ciphername));
         if (!kt->cipher)
         {
-            msg(M_FATAL, "Cipher %s not supported", ciphername);
+            return;
         }
 
         kt->cipher_length = cipher_kt_key_size(kt->cipher);
@@ -774,12 +774,12 @@ init_key_type(struct key_type *kt, const char *ciphername,
 #endif
               ))
         {
-            msg(M_FATAL, "Cipher '%s' mode not supported", ciphername);
+            return;
         }
 
         if (OPENVPN_MAX_CIPHER_BLOCK_SIZE < cipher_kt_block_size(kt->cipher))
         {
-            msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername);
+            return;
         }
     }
     else
@@ -801,7 +801,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
 
             if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length)
             {
-                msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname);
+                return;
             }
         }
     }
diff --git a/src/openvpn/crypto_openssl.c b/src/openvpn/crypto_openssl.c
index 5baae6fc6..702f1f43c 100644
--- a/src/openvpn/crypto_openssl.c
+++ b/src/openvpn/crypto_openssl.c
@@ -812,14 +812,11 @@ md_kt_get(const char *digest)
     md = EVP_get_digestbyname(digest);
     if (!md)
     {
-        crypto_msg(M_FATAL, "Message hash algorithm '%s' not found", digest);
+        return NULL;
     }
     if (EVP_MD_size(md) > MAX_HMAC_KEY_LENGTH)
     {
-        crypto_msg(M_FATAL, "Message hash algorithm '%s' uses a default hash "
-                   "size (%d bytes) which is larger than " PACKAGE_NAME "'s current "
-                   "maximum hash size (%d bytes)",
-                   digest, EVP_MD_size(md), MAX_HMAC_KEY_LENGTH);
+        return NULL;
     }
     return md;
 }
diff --git a/src/openvpn/fuzzer-crypto.c b/src/openvpn/fuzzer-crypto.c
new file mode 100644
index 000000000..fc8443bc8
--- /dev/null
+++ b/src/openvpn/fuzzer-crypto.c
@@ -0,0 +1,59 @@
+#include "config.h"
+#include "syshead.h"
+#include "fuzzing.h"
+#include "crypto.h"
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
+    CRYPTO_malloc_init();
+    SSL_library_init();
+    ERR_load_crypto_strings();
+
+    OpenSSL_add_all_algorithms();
+    OpenSSL_add_ssl_algorithms();
+
+    SSL_load_error_strings();
+#else
+#error "This fuzzing target cannot be built"
+#endif
+    return 1;
+}
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+    ssize_t choice;
+    struct gc_arena gc;
+    gc = gc_new();
+
+    fuzzer_set_input((unsigned char*)data, size);
+    FUZZER_GET_INTEGER(choice, 1);
+    switch ( choice )
+    {
+        case    0:
+            {
+                struct key2 key2;
+                char* input;
+                FUZZER_GET_STRING_GC(input, 1024, &gc);
+                read_key_file(&key2, (const char*)input, RKF_INLINE);
+                break;
+            }
+        case    1:
+            {
+                struct key_type kt;
+                char* ciphername, *authname;
+                int keysize;
+                int tls_mode;
+                FUZZER_GET_STRING_GC(ciphername, 1024, &gc);
+                FUZZER_GET_STRING_GC(authname, 1024, &gc);
+                FUZZER_GET_INTEGER(keysize, (MAX_CIPHER_KEY_LENGTH+10));
+                FUZZER_GET_INTEGER(tls_mode, 1);
+                init_key_type(&kt, ciphername, authname, keysize, tls_mode ? true : false, 0);
+            }
+            break;
+    }
+cleanup:
+    gc_free(&gc);
+    return 0;
+}