Add support for building fuzzers using american fuzzy lop
Builds fuzzers using http://lcamtuf.coredump.cx/afl/
This commit is contained in:
parent
aacf115468
commit
f47aabd094
6 changed files with 227 additions and 3 deletions
50
Makefile
50
Makefile
|
@ -4,8 +4,11 @@ BUILD_DIR := build
|
||||||
RELEASE_OPTIMIZE_FLAGS ?= -g -O3
|
RELEASE_OPTIMIZE_FLAGS ?= -g -O3
|
||||||
DEBUG_OPTIMIZE_FLAGS ?= -g -O0
|
DEBUG_OPTIMIZE_FLAGS ?= -g -O0
|
||||||
JS_OPTIMIZE_FLAGS ?= -O3
|
JS_OPTIMIZE_FLAGS ?= -O3
|
||||||
|
FUZZING_OPTIMIZE_FLAGS ?= -O3
|
||||||
CC = gcc
|
CC = gcc
|
||||||
EMCC = emcc
|
EMCC = emcc
|
||||||
|
AFL_CC = afl_gcc
|
||||||
|
AFL_CXX = afl-g++
|
||||||
RELEASE_TARGET := $(BUILD_DIR)/libolm.so
|
RELEASE_TARGET := $(BUILD_DIR)/libolm.so
|
||||||
DEBUG_TARGET := $(BUILD_DIR)/libolm_debug.so
|
DEBUG_TARGET := $(BUILD_DIR)/libolm_debug.so
|
||||||
JS_TARGET := javascript/olm.js
|
JS_TARGET := javascript/olm.js
|
||||||
|
@ -17,6 +20,10 @@ PUBLIC_HEADERS := include/olm/olm.hh
|
||||||
SOURCES := $(wildcard src/*.cpp) $(wildcard src/*.c)
|
SOURCES := $(wildcard src/*.cpp) $(wildcard src/*.c)
|
||||||
RELEASE_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/release/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
|
RELEASE_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/release/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
|
||||||
DEBUG_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/debug/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
|
DEBUG_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/debug/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
|
||||||
|
FUZZER_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/fuzzers/objects/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
|
||||||
|
FUZZER_SOURCES := $(wildcard fuzzers/fuzz_*.cpp) $(wildcard fuzzers/fuzz_*.c)
|
||||||
|
FUZZER_BINARIES := $(patsubst fuzzers/%,$(BUILD_DIR)/fuzzers/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(FUZZER_SOURCES))))
|
||||||
|
FUZZER_DEBUG_BINARIES := $(patsubst $(BUILD_DIR)/fuzzers/fuzz_%,$(BUILD_DIR)/fuzzers/debug_%,$(FUZZER_BINARIES))
|
||||||
TEST_SOURCES := $(wildcard tests/test_*.cpp) $(wildcard tests/test_*.c)
|
TEST_SOURCES := $(wildcard tests/test_*.cpp) $(wildcard tests/test_*.c)
|
||||||
TEST_BINARIES := $(patsubst tests/%,$(BUILD_DIR)/tests/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(TEST_SOURCES))))
|
TEST_BINARIES := $(patsubst tests/%,$(BUILD_DIR)/tests/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(TEST_SOURCES))))
|
||||||
JS_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/javascript/%,$(patsubst %.c,%.js.bc,$(patsubst %.cpp,%.js.bc,$(SOURCES))))
|
JS_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/javascript/%,$(patsubst %.c,%.js.bc,$(patsubst %.cpp,%.js.bc,$(SOURCES))))
|
||||||
|
@ -37,6 +44,11 @@ EMCC.c = $(EMCC) $(CFLAGS) $(CPPFLAGS) -c
|
||||||
EMCC.cc = $(EMCC) $(CXXFLAGS) $(CPPFLAGS) -c
|
EMCC.cc = $(EMCC) $(CXXFLAGS) $(CPPFLAGS) -c
|
||||||
EMCC_LINK = $(EMCC) $(LDFLAGS) $(EMCCFLAGS)
|
EMCC_LINK = $(EMCC) $(LDFLAGS) $(EMCCFLAGS)
|
||||||
|
|
||||||
|
AFL.c = $(AFL_CC) $(CFLAGS) $(CPPFLAGS) -c
|
||||||
|
AFL.cc = $(AFL_CXX) $(CXXFLAGS) $(CPPFLAGS) -c
|
||||||
|
AFL_LINK.c = $(AFL_CC) $(LDFLAGS) $(CFLAGS) $(CPPFLAGS)
|
||||||
|
AFL_LINK.cc = $(AFL_CXX) $(LDFLAGS) $(CXXFLAGS) $(CPPFLAGS)
|
||||||
|
|
||||||
# generate .d files when compiling
|
# generate .d files when compiling
|
||||||
CPPFLAGS += -MMD
|
CPPFLAGS += -MMD
|
||||||
|
|
||||||
|
@ -53,6 +65,13 @@ $(DEBUG_TARGET): LDFLAGS += $(DEBUG_OPTIMIZE_FLAGS)
|
||||||
$(TEST_BINARIES): CPPFLAGS += -Itests/include
|
$(TEST_BINARIES): CPPFLAGS += -Itests/include
|
||||||
$(TEST_BINARIES): LDFLAGS += $(TEST_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
|
$(TEST_BINARIES): LDFLAGS += $(TEST_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
|
||||||
|
|
||||||
|
$(FUZZER_OBJECTS): CFLAGS += $(FUZZER_OPTIMIZE_FLAGS)
|
||||||
|
$(FUZZER_OBJECTS): CXXFLAGS += $(FUZZER_OPTIMIZE_FLAGS)
|
||||||
|
$(FUZZER_BINARIES): CPPFLAGS += -Ifuzzers/include
|
||||||
|
$(FUZZER_BINARIES): LDFLAGS += $(FUZZER_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
|
||||||
|
$(FUZZER_DEBUG_BINARIES): CPPFLAGS += -Ifuzzers/include
|
||||||
|
$(FUZZER_DEBUG_BINARIES): LDFLAGS += $(DEBUG_OPTIMIZE_FLAGS)
|
||||||
|
|
||||||
$(JS_OBJECTS): CFLAGS += $(JS_OPTIMIZE_FLAGS)
|
$(JS_OBJECTS): CFLAGS += $(JS_OPTIMIZE_FLAGS)
|
||||||
$(JS_OBJECTS): CXXFLAGS += $(JS_OPTIMIZE_FLAGS)
|
$(JS_OBJECTS): CXXFLAGS += $(JS_OPTIMIZE_FLAGS)
|
||||||
$(JS_TARGET): LDFLAGS += $(JS_OPTIMIZE_FLAGS)
|
$(JS_TARGET): LDFLAGS += $(JS_OPTIMIZE_FLAGS)
|
||||||
|
@ -65,9 +84,11 @@ lib: $(RELEASE_TARGET)
|
||||||
# Make sure that the build directory exists.
|
# Make sure that the build directory exists.
|
||||||
# We can't check the build directory into git because it is empty.
|
# We can't check the build directory into git because it is empty.
|
||||||
makedirs:
|
makedirs:
|
||||||
mkdir -p $(BUILD_DIR)/release $(BUILD_DIR)/debug $(BUILD_DIR)/javascript $(BUILD_DIR)/tests
|
mkdir -p $(BUILD_DIR)/release $(BUILD_DIR)/debug $(BUILD_DIR)/javascript\
|
||||||
|
$(BUILD_DIR)/tests $(BUILD_DIR)/fuzzers/objects
|
||||||
.PHONY: makedirs
|
.PHONY: makedirs
|
||||||
|
|
||||||
|
|
||||||
$(RELEASE_TARGET): $(RELEASE_OBJECTS)
|
$(RELEASE_TARGET): $(RELEASE_OBJECTS)
|
||||||
$(CXX) $(LDFLAGS) --shared -fPIC \
|
$(CXX) $(LDFLAGS) --shared -fPIC \
|
||||||
-Wl,--version-script,version_script.ver \
|
-Wl,--version-script,version_script.ver \
|
||||||
|
@ -81,7 +102,6 @@ $(DEBUG_TARGET): $(DEBUG_OBJECTS)
|
||||||
-Wl,--version-script,version_script.ver \
|
-Wl,--version-script,version_script.ver \
|
||||||
$(OUTPUT_OPTION) $(DEBUG_OBJECTS)
|
$(OUTPUT_OPTION) $(DEBUG_OBJECTS)
|
||||||
|
|
||||||
|
|
||||||
js: $(JS_TARGET)
|
js: $(JS_TARGET)
|
||||||
.PHONY: js
|
.PHONY: js
|
||||||
|
|
||||||
|
@ -98,6 +118,9 @@ clean:;
|
||||||
$(JS_OBJECTS) $(JS_OBJECTS:.bc=.d) $(JS_TARGET) \
|
$(JS_OBJECTS) $(JS_OBJECTS:.bc=.d) $(JS_TARGET) \
|
||||||
$(JS_EXPORTED_FUNCTIONS)\
|
$(JS_EXPORTED_FUNCTIONS)\
|
||||||
$(RELEASE_TARGET) $(DEBUG_TARGET)\
|
$(RELEASE_TARGET) $(DEBUG_TARGET)\
|
||||||
|
$(FUZZER_OBJECTS) $(FUZZER_OBJECTS:.o=.d)\
|
||||||
|
$(FUZZER_BINARIES) $(FUZZER_BINARIES:=.d)\
|
||||||
|
$(FUZZER_DEBUG_BINARIES) $(FUZZER_DEBUG_BINARIES:=.d)\
|
||||||
|
|
||||||
build_tests: $(TEST_BINARIES)
|
build_tests: $(TEST_BINARIES)
|
||||||
|
|
||||||
|
@ -107,6 +130,9 @@ test: build_tests
|
||||||
$$i || exit $$?; \
|
$$i || exit $$?; \
|
||||||
done
|
done
|
||||||
|
|
||||||
|
fuzzers: $(FUZZER_BINARIES) $(FUZZER_DEBUG_BINARIES)
|
||||||
|
.PHONY: fuzzers
|
||||||
|
|
||||||
$(JS_EXPORTED_FUNCTIONS): $(PUBLIC_HEADERS)
|
$(JS_EXPORTED_FUNCTIONS): $(PUBLIC_HEADERS)
|
||||||
perl -MJSON -ne '/(olm_[^( ]*)\(/ && push @f, "_$$1"; END { print encode_json \@f }' $^ > $@.tmp
|
perl -MJSON -ne '/(olm_[^( ]*)\(/ && push @f, "_$$1"; END { print encode_json \@f }' $^ > $@.tmp
|
||||||
mv $@.tmp $@
|
mv $@.tmp $@
|
||||||
|
@ -139,6 +165,23 @@ $(BUILD_DIR)/tests/%: tests/%.c $(DEBUG_OBJECTS)
|
||||||
$(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
|
$(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
|
||||||
$(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
|
$(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
|
||||||
|
|
||||||
|
$(BUILD_DIR)/fuzzers/objects/%.o: src/%.c | makedirs
|
||||||
|
$(AFL.c) $(OUTPUT_OPTION) $<
|
||||||
|
|
||||||
|
$(BUILD_DIR)/fuzzers/objects/%.o: src/%.cpp | makedirs
|
||||||
|
$(AFL.cc) $(OUTPUT_OPTION) $<
|
||||||
|
|
||||||
|
$(BUILD_DIR)/fuzzers/fuzz_%: fuzzers/fuzz_%.c $(FUZZER_OBJECTS)
|
||||||
|
$(AFL_LINK.c) $< $(FUZZER_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
|
||||||
|
|
||||||
|
$(BUILD_DIR)/fuzzers/fuzz_%: fuzzers/fuzz_%.cpp $(FUZZER_OBJECTS)
|
||||||
|
$(AFL_LINK.cc) $< $(FUZZER_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
|
||||||
|
|
||||||
|
$(BUILD_DIR)/fuzzers/debug_%: fuzzers/fuzz_%.c $(DEBUG_OBJECTS)
|
||||||
|
$(LINK.c) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
|
||||||
|
|
||||||
|
$(BUILD_DIR)/fuzzers/debug_%: fuzzers/fuzz_%.cpp $(DEBUG_OBJECTS)
|
||||||
|
$(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
|
||||||
|
|
||||||
### dependencies
|
### dependencies
|
||||||
|
|
||||||
|
@ -146,3 +189,6 @@ $(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
|
||||||
-include $(DEBUG_OBJECTS:.o=.d)
|
-include $(DEBUG_OBJECTS:.o=.d)
|
||||||
-include $(JS_OBJECTS:.bc=.d)
|
-include $(JS_OBJECTS:.bc=.d)
|
||||||
-include $(TEST_BINARIES:=.d)
|
-include $(TEST_BINARIES:=.d)
|
||||||
|
-include $(FUZZER_OBJECTS:.o=.d)
|
||||||
|
-include $(FUZZER_BINARIES:=.d)
|
||||||
|
-include $(FUZZER_DEBUG_BINARIES:=.d)
|
||||||
|
|
14
fuzzers/fuzz_decode_message.cpp
Normal file
14
fuzzers/fuzz_decode_message.cpp
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
#include "olm/message.hh"
|
||||||
|
#include "fuzzing.hh"
|
||||||
|
|
||||||
|
int main(int argc, const char *argv[]) {
|
||||||
|
int message_fd = STDIN_FILENO;
|
||||||
|
uint8_t * message_buffer;
|
||||||
|
ssize_t message_length = check_errno(
|
||||||
|
"Error reading message file", read_file(message_fd, &message_buffer)
|
||||||
|
);
|
||||||
|
olm::MessageReader * reader = new olm::MessageReader;
|
||||||
|
decode_message(*reader, message_buffer, message_length, 8);
|
||||||
|
free(message_buffer);
|
||||||
|
delete reader;
|
||||||
|
}
|
64
fuzzers/fuzz_decrypt.cpp
Normal file
64
fuzzers/fuzz_decrypt.cpp
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
#include "olm/olm.hh"
|
||||||
|
|
||||||
|
#include "fuzzing.hh"
|
||||||
|
|
||||||
|
int main(int argc, const char *argv[]) {
|
||||||
|
size_t ignored;
|
||||||
|
if (argc <= 3) {
|
||||||
|
const char * message = "Usage: decrypt: <session_key> <session_file>"
|
||||||
|
" <message_type>\n";
|
||||||
|
ignored = write(STDERR_FILENO, message, strlen(message));
|
||||||
|
exit(3);
|
||||||
|
}
|
||||||
|
|
||||||
|
const char * key = argv[1];
|
||||||
|
size_t key_length = strlen(key);
|
||||||
|
|
||||||
|
|
||||||
|
int session_fd = check_errno(
|
||||||
|
"Error opening session file", open(argv[2], O_RDONLY)
|
||||||
|
);
|
||||||
|
|
||||||
|
int message_type = atoi(argv[3]);
|
||||||
|
|
||||||
|
uint8_t *session_buffer;
|
||||||
|
ssize_t session_length = check_errno(
|
||||||
|
"Error reading session file", read_file(session_fd, &session_buffer)
|
||||||
|
);
|
||||||
|
|
||||||
|
int message_fd = STDIN_FILENO;
|
||||||
|
uint8_t * message_buffer;
|
||||||
|
ssize_t message_length = check_errno(
|
||||||
|
"Error reading message file", read_file(message_fd, &message_buffer)
|
||||||
|
);
|
||||||
|
|
||||||
|
uint8_t * tmp_buffer = (uint8_t *) malloc(message_length);
|
||||||
|
memcpy(tmp_buffer, message_buffer, message_length);
|
||||||
|
|
||||||
|
uint8_t session_memory[olm_session_size()];
|
||||||
|
OlmSession * session = olm_session(session_memory);
|
||||||
|
check_session(session, "Error unpickling session", olm_unpickle_session(
|
||||||
|
session, key, key_length, session_buffer, session_length
|
||||||
|
));
|
||||||
|
|
||||||
|
size_t max_length = check_session(
|
||||||
|
session,
|
||||||
|
"Error getting plaintext length",
|
||||||
|
olm_decrypt_max_plaintext_length(
|
||||||
|
session, message_type, tmp_buffer, message_length
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
uint8_t plaintext[max_length];
|
||||||
|
|
||||||
|
size_t length = check_session(
|
||||||
|
session, "Error decrypting message", olm_decrypt(
|
||||||
|
session, message_type,
|
||||||
|
message_buffer, message_length,
|
||||||
|
plaintext, max_length
|
||||||
|
)
|
||||||
|
);
|
||||||
|
|
||||||
|
ignored = write(STDOUT_FILENO, plaintext, length);
|
||||||
|
ignored = write(STDOUT_FILENO, "\n", 1);
|
||||||
|
}
|
14
fuzzers/fuzz_unpickle_account.cpp
Normal file
14
fuzzers/fuzz_unpickle_account.cpp
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
#include "olm/account.hh"
|
||||||
|
#include "fuzzing.hh"
|
||||||
|
|
||||||
|
int main(int argc, const char *argv[]) {
|
||||||
|
int pickle_fd = STDIN_FILENO;
|
||||||
|
uint8_t * pickle_buffer;
|
||||||
|
ssize_t pickle_length = check_errno(
|
||||||
|
"Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
|
||||||
|
);
|
||||||
|
olm::Account * account = new olm::Account;
|
||||||
|
unpickle(pickle_buffer, pickle_buffer + pickle_length, *account);
|
||||||
|
free(pickle_buffer);
|
||||||
|
delete account;
|
||||||
|
}
|
14
fuzzers/fuzz_unpickle_session.cpp
Normal file
14
fuzzers/fuzz_unpickle_session.cpp
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
#include "olm/session.hh"
|
||||||
|
#include "fuzzing.hh"
|
||||||
|
|
||||||
|
int main(int argc, const char *argv[]) {
|
||||||
|
int pickle_fd = STDIN_FILENO;
|
||||||
|
uint8_t * pickle_buffer;
|
||||||
|
ssize_t pickle_length = check_errno(
|
||||||
|
"Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
|
||||||
|
);
|
||||||
|
olm::Session * session = new olm::Session;
|
||||||
|
unpickle(pickle_buffer, pickle_buffer + pickle_length, *session);
|
||||||
|
free(pickle_buffer);
|
||||||
|
delete session;
|
||||||
|
}
|
72
fuzzers/include/fuzzing.hh
Normal file
72
fuzzers/include/fuzzing.hh
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
#include "olm/olm.hh"
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
#include <stdlib.h>
|
||||||
|
#include <unistd.h>
|
||||||
|
#include <stddef.h>
|
||||||
|
#include <string.h>
|
||||||
|
#include <sys/types.h>
|
||||||
|
#include <sys/stat.h>
|
||||||
|
#include <fcntl.h>
|
||||||
|
|
||||||
|
|
||||||
|
ssize_t read_file(
|
||||||
|
int fd,
|
||||||
|
uint8_t **buffer
|
||||||
|
) {
|
||||||
|
size_t buffer_size = 4096;
|
||||||
|
uint8_t * current_buffer = (uint8_t *) malloc(buffer_size);
|
||||||
|
if (current_buffer == NULL) return -1;
|
||||||
|
size_t buffer_pos = 0;
|
||||||
|
while (1) {
|
||||||
|
ssize_t count = read(
|
||||||
|
fd, current_buffer + buffer_pos, buffer_size - buffer_pos
|
||||||
|
);
|
||||||
|
if (count < 0) break;
|
||||||
|
if (count == 0) {
|
||||||
|
uint8_t * return_buffer = (uint8_t *) realloc(current_buffer, buffer_pos);
|
||||||
|
if (return_buffer == NULL) break;
|
||||||
|
*buffer = return_buffer;
|
||||||
|
return buffer_pos;
|
||||||
|
}
|
||||||
|
buffer_pos += count;
|
||||||
|
if (buffer_pos == buffer_size) {
|
||||||
|
buffer_size *= 2;
|
||||||
|
uint8_t * new_buffer = (uint8_t *) realloc(current_buffer, buffer_size);
|
||||||
|
if (new_buffer == NULL) break;
|
||||||
|
current_buffer = new_buffer;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
free(current_buffer);
|
||||||
|
return -1;
|
||||||
|
}
|
||||||
|
|
||||||
|
template<typename T>
|
||||||
|
T check_errno(
|
||||||
|
const char * message,
|
||||||
|
T value
|
||||||
|
) {
|
||||||
|
if (value == T(-1)) {
|
||||||
|
perror(message);
|
||||||
|
exit(1);
|
||||||
|
}
|
||||||
|
return value;
|
||||||
|
}
|
||||||
|
|
||||||
|
size_t check_session(
|
||||||
|
OlmSession * session,
|
||||||
|
const char * message,
|
||||||
|
size_t value
|
||||||
|
) {
|
||||||
|
if (value == olm_error()) {
|
||||||
|
const char * olm_message = olm_session_last_error(session);
|
||||||
|
ssize_t ignored;
|
||||||
|
ignored = write(STDERR_FILENO, message, strlen(message));
|
||||||
|
ignored = write(STDERR_FILENO, ": ", 2);
|
||||||
|
ignored = write(STDERR_FILENO, olm_message, strlen(olm_message));
|
||||||
|
ignored = write(STDERR_FILENO, "\n", 1);
|
||||||
|
exit(2);
|
||||||
|
return ignored;
|
||||||
|
}
|
||||||
|
return value;
|
||||||
|
}
|
Loading…
Reference in a new issue