From bfeb554e8699c5cb90cab14dc74e15c30f963d74 Mon Sep 17 00:00:00 2001 From: Mark Haines Date: Thu, 26 May 2016 13:25:34 +0100 Subject: [PATCH] Add a fuzzer for olm_group_decrypt --- Makefile | 2 +- fuzzers/fuzz_decrypt.cpp | 1 + fuzzers/fuzz_group_decrypt.cpp | 71 ++++++++++++++++++++++++++++++++++ fuzzers/include/fuzzing.hh | 16 ++++++-- 4 files changed, 86 insertions(+), 4 deletions(-) create mode 100644 fuzzers/fuzz_group_decrypt.cpp diff --git a/Makefile b/Makefile index 49bec6a..6554c44 100644 --- a/Makefile +++ b/Makefile @@ -7,7 +7,7 @@ JS_OPTIMIZE_FLAGS ?= -O3 FUZZING_OPTIMIZE_FLAGS ?= -O3 CC = gcc EMCC = emcc -AFL_CC = afl_gcc +AFL_CC = afl-gcc AFL_CXX = afl-g++ RELEASE_TARGET := $(BUILD_DIR)/libolm.so DEBUG_TARGET := $(BUILD_DIR)/libolm_debug.so diff --git a/fuzzers/fuzz_decrypt.cpp b/fuzzers/fuzz_decrypt.cpp index 6116934..0b48060 100644 --- a/fuzzers/fuzz_decrypt.cpp +++ b/fuzzers/fuzz_decrypt.cpp @@ -61,4 +61,5 @@ int main(int argc, const char *argv[]) { ignored = write(STDOUT_FILENO, plaintext, length); ignored = write(STDOUT_FILENO, "\n", 1); + return ignored; } diff --git a/fuzzers/fuzz_group_decrypt.cpp b/fuzzers/fuzz_group_decrypt.cpp new file mode 100644 index 0000000..1fc99d7 --- /dev/null +++ b/fuzzers/fuzz_group_decrypt.cpp @@ -0,0 +1,71 @@ +#include "olm/olm.hh" + +#include "fuzzing.hh" + +int main(int argc, const char *argv[]) { + size_t ignored; + if (argc <= 2) { + const char * message = "Usage: decrypt \n"; + ignored = write(STDERR_FILENO, message, strlen(message)); + exit(3); + } + + const char * key = argv[1]; + size_t key_length = strlen(key); + + + int session_fd = check_errno( + "Error opening session file", open(argv[2], O_RDONLY) + ); + + uint8_t *session_buffer; + ssize_t session_length = check_errno( + "Error reading session file", read_file(session_fd, &session_buffer) + ); + + int message_fd = STDIN_FILENO; + uint8_t * message_buffer; + ssize_t message_length = check_errno( + "Error reading message file", read_file(message_fd, &message_buffer) + ); + + uint8_t * tmp_buffer = (uint8_t *) malloc(message_length); + memcpy(tmp_buffer, message_buffer, message_length); + + uint8_t session_memory[olm_inbound_group_session_size()]; + OlmInboundGroupSession * session = olm_inbound_group_session(session_memory); + check_error( + olm_inbound_group_session_last_error, + session, + "Error unpickling session", + olm_unpickle_inbound_group_session( + session, key, key_length, session_buffer, session_length + ) + ); + + size_t max_length = check_error( + olm_inbound_group_session_last_error, + session, + "Error getting plaintext length", + olm_group_decrypt_max_plaintext_length( + session, tmp_buffer, message_length + ) + ); + + uint8_t plaintext[max_length]; + + size_t length = check_error( + olm_inbound_group_session_last_error, + session, + "Error decrypting message", + olm_group_decrypt( + session, + message_buffer, message_length, + plaintext, max_length + ) + ); + + ignored = write(STDOUT_FILENO, plaintext, length); + ignored = write(STDOUT_FILENO, "\n", 1); + return ignored; +} diff --git a/fuzzers/include/fuzzing.hh b/fuzzers/include/fuzzing.hh index e4f5eb9..b27c396 100644 --- a/fuzzers/include/fuzzing.hh +++ b/fuzzers/include/fuzzing.hh @@ -53,13 +53,15 @@ T check_errno( return value; } -size_t check_session( - OlmSession * session, +template +size_t check_error( + F f, + T * object, const char * message, size_t value ) { if (value == olm_error()) { - const char * olm_message = olm_session_last_error(session); + const char * olm_message = f(object); ssize_t ignored; ignored = write(STDERR_FILENO, message, strlen(message)); ignored = write(STDERR_FILENO, ": ", 2); @@ -70,3 +72,11 @@ size_t check_session( } return value; } + +size_t check_session( + OlmSession * session, + const char * message, + size_t value +) { + return check_error(olm_session_last_error, session, message, value); +}