From 1849b42fbaa8233fc4bf466d6cf8553f5bfcf022 Mon Sep 17 00:00:00 2001
From: Guido Vranken
Date: Fri, 23 Jun 2017 16:06:58 +0200
Subject: [PATCH] Add proxy.c fuzzer

---
 src/openvpn/Makefile.am | 13 +++++-
 src/openvpn/fuzzer-proxy.c | 96 ++++++++++++++++++++++++++++++++++++++
 src/openvpn/proxy.c | 2 +
 3 files changed, 110 insertions(+), 1 deletion(-)
 create mode 100644 src/openvpn/fuzzer-proxy.c

diff --git a/src/openvpn/Makefile.am b/src/openvpn/Makefile.am
index 99b9d0daf..9b73c2cdf 100644
--- a/src/openvpn/Makefile.am
+++ b/src/openvpn/Makefile.am
@@ -127,7 +127,8 @@ extra_PROGRAMS = \
 openvpn-fuzzer-base64 openvpn-fuzzer-base64-standalone \
 openvpn-fuzzer-route openvpn-fuzzer-route-standalone \
 openvpn-fuzzer-dhcp openvpn-fuzzer-dhcp-standalone \
- openvpn-fuzzer-forward openvpn-fuzzer-forward-standalone
+ openvpn-fuzzer-forward openvpn-fuzzer-forward-standalone \
+ openvpn-fuzzer-proxy openvpn-fuzzer-proxy-standalone
 extradir = .
 fuzzer_sources = dummy.cpp
 fuzzer_cflags = \
@@ -160,6 +161,11 @@ openvpn_fuzzer_route_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_route_CFLAGS = $(fuzzer_cflags)
 openvpn_fuzzer_route_LDADD = $(fuzzer_ldadd) fuzzer-route.o libFuzzer.a
+openvpn_fuzzer_proxy_SOURCES = $(fuzzer_sources)
+openvpn_fuzzer_proxy_LDFLAGS = $(fuzzer_ldflags)
+openvpn_fuzzer_proxy_CFLAGS = $(fuzzer_cflags)
+openvpn_fuzzer_proxy_LDADD = $(fuzzer_ldadd) fuzzer-proxy.o libFuzzer.a
+
 openvpn_fuzzer_dhcp_SOURCES = $(fuzzer_sources)
 openvpn_fuzzer_dhcp_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_dhcp_CFLAGS = $(fuzzer_cflags)
@@ -189,3 +195,8 @@ openvpn_fuzzer_forward_standalone_SOURCES = fuzzer-standalone-loader.c
 openvpn_fuzzer_forward_standalone_LDFLAGS = $(fuzzer_ldflags)
 openvpn_fuzzer_forward_standalone_CFLAGS = $(fuzzer_cflags)
 openvpn_fuzzer_forward_standalone_LDADD = $(fuzzer_ldadd) fuzzer-forward.o
+
+openvpn_fuzzer_proxy_standalone_SOURCES = fuzzer-standalone-loader.c
+openvpn_fuzzer_proxy_standalone_LDFLAGS = $(fuzzer_ldflags)
+openvpn_fuzzer_proxy_standalone_CFLAGS = $(fuzzer_cflags)
+openvpn_fuzzer_proxy_standalone_LDADD = $(fuzzer_ldadd) fuzzer-proxy.o
diff --git a/src/openvpn/fuzzer-proxy.c b/src/openvpn/fuzzer-proxy.c
new file mode 100644
index 000000000..3e6627dd4
--- /dev/null
+++ b/src/openvpn/fuzzer-proxy.c
@@ -0,0 +1,96 @@
+#include "config.h"
+#include "syshead.h"
+#include "fuzzing.h"
+#include "proxy.h"
+#include
+#include
+
+int LLVMFuzzerInitialize(int *argc, char ***argv) {
+#if defined(ENABLE_CRYPTO) && defined(ENABLE_CRYPTO_OPENSSL)
+ CRYPTO_malloc_init();
+ SSL_library_init();
+ ERR_load_crypto_strings();
+
+ OpenSSL_add_all_algorithms();
+ OpenSSL_add_ssl_algorithms();
+
+ SSL_load_error_strings();
+ return 1;
+#else
+#error "This fuzzing target cannot be built"
+#endif
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
+{
+ struct gc_arena gc = gc_new();
+ struct http_proxy_info pi;
+ ssize_t len;
+ ssize_t generic_ssizet;
+ int signal_received = 0;
+ struct buffer lookahead = alloc_buf(1024);
+
+ fuzzer_set_input((unsigned char*)data, size);
+ memset(&pi, 0, sizeof(pi));
+ pi.proxy_authenticate = NULL;
+
+ FUZZER_GET_INTEGER(generic_ssizet, 1);
+ fuzzer_set_recv_no_rnd((int)generic_ssizet);
+
+ FUZZER_GET_INTEGER(len, USER_PASS_LEN-1);
+ FUZZER_GET_DATA(pi.up.username, len);
+ if ( strlen(pi.up.username) == 0 ) {
+ goto cleanup;
+ }
+
+ FUZZER_GET_INTEGER(len, USER_PASS_LEN-1);
+ FUZZER_GET_DATA(pi.up.password, len);
+ pi.up.password[len] = 0;
+ if ( strlen(pi.up.password) == 0 ) {
+ goto cleanup;
+ }
+
+ FUZZER_GET_INTEGER(generic_ssizet, 4);
+ switch ( generic_ssizet )
+ {
+ case 0:
+ pi.auth_method = HTTP_AUTH_NONE;
+ break;
+ case 1:
+ pi.auth_method = HTTP_AUTH_BASIC;
+ break;
+ case 2:
+ pi.auth_method = HTTP_AUTH_DIGEST;
+ break;
+ case 3:
+ pi.auth_method = HTTP_AUTH_NTLM;
+ break;
+ case 4:
+ pi.auth_method = HTTP_AUTH_NTLM2;
+ break;
+ }
+ pi.options.http_version = "1.1";
+
+ FUZZER_GET_INTEGER(generic_ssizet, 2);
+ switch ( generic_ssizet )
+ {
+ case 0:
+ pi.options.auth_retry = PAR_NO;
+ break;
+ case 1:
+ pi.options.auth_retry = PAR_ALL;
+ break;
+ case 2:
+ pi.options.auth_retry = PAR_NCT;
+ break;
+ }
+
+ FUZZER_GET_STRING(pi.proxy_authenticate, 256);
+
+ establish_http_proxy_passthru(&pi, 0, "1.2.3.4", "777", NULL,
&lookahead, &signal_received);
+cleanup:
+ free(pi.proxy_authenticate);
+ gc_free(&gc);
+ free_buf(&lookahead);
+ return 0;
+}
diff --git a/src/openvpn/proxy.c b/src/openvpn/proxy.c
index 6acd9eac2..57796ae54 100644
--- a/src/openvpn/proxy.c
+++ b/src/openvpn/proxy.c
@@ -256,6 +256,7 @@ username_password_as_base64(const struct http_proxy_info *p,
 static void
 get_user_pass_http(struct http_proxy_info *p, const bool force)
 {
+/* Disabled for fuzzing
 if (!static_proxy_user_pass.defined || force)
 {
 unsigned int flags = GET_USER_PASS_MANAGEMENT;
@@ -274,6 +275,7 @@ get_user_pass_http(struct http_proxy_info *p, const bool force)
 p->queried_creds = true;
 p->up = static_proxy_user_pass;
 }
+*/
 }
 static void
 clear_user_pass_http(void)
--
2.47.2
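Review bot: `pi.up.username` gets no explicit terminator after `FUZZER_GET_DATA(pi.up.username, len)`, while the password path a few lines below writes `pi.up.password[len] = 0;`; the username is only NUL-terminated because of the earlier `memset(&pi, 0, sizeof(pi))` and because `len` is capped at `USER_PASS_LEN-1`, so add `pi.up.username[len] = 0;` for symmetry so the `strlen` check does not silently depend on the memset. Both `switch` statements lack a `default:`; if `FUZZER_GET_INTEGER` can only yield values inside the requested range this is harmless, but a `default: break;` documents that assumption and keeps `-Wswitch-default` quiet. `gc` is created by `gc_new()` and released by `gc_free(&gc)` but never passed to anything in between, so it can be dropped. The `free(pi.proxy_authenticate)` under `cleanup:` assumes `FUZZER_GET_STRING` heap-allocates and that `establish_http_proxy_passthru` either leaves the pointer untouched or replaces it with another heap pointer — neither contract is visible here, and a one-line comment at the call site stating it would save the next reader a trip into proxy.c.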
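Review bot: The body of `get_user_pass_http()` is disabled with a plain block comment starting at `+/* Disabled for fuzzing`, which removes the credential lookup from every build this patch is applied to, not just the fuzzing one; a production binary built from this tree would never populate `p->up` from `static_proxy_user_pass`. Guard it with a preprocessor conditional keyed on whatever macro the fuzzing build defines instead, e.g. `#ifndef FUZZING` before the `if` and a matching `#endif` after the closing brace, so the change is a no-op outside the harness and reviewers can see the intent in the preprocessed output. With the body gone, the `force` parameter and `static_proxy_user_pass` also become unused in this function, which is worth checking against `-Wunused` in the fuzzing build. The function's body continues past this hunk; the closing `*/` lands in the next hunk.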
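Review bot: The `+*/` added here closes a block comment opened in the previous hunk, but C block comments do not nest: if any of the lines between the two hunks already carries a `*/` (an existing comment inside the `if` body, which this diff does not show), the comment ends there, the remaining statements compile again, and this `*/` becomes a syntax error. `#if 0` / `#endif` (or a named fuzzing macro) tolerates nested comments and is the conventional way to disable a region, so I would replace the `/* ... */` pair with that. This hunk closes the function, so nothing further of `get_user_pass_http()` is affected.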