From f47aabd094a4eafeed5a510c650d7a063a148076 Mon Sep 17 00:00:00 2001 From: Mark Haines Date: Mon, 23 May 2016 17:32:24 +0100 Subject: Add support for building fuzzers using american fuzzy lop Builds fuzzers using http://lcamtuf.coredump.cx/afl/
---
fuzzers/fuzz_decode_message.cpp | 14 ++++++++ fuzzers/fuzz_decrypt.cpp | 64 ++++++++++++++++++++++++++++++++++ fuzzers/fuzz_unpickle_account.cpp | 14 ++++++++ fuzzers/fuzz_unpickle_session.cpp | 14 ++++++++ fuzzers/include/fuzzing.hh | 72 +++++++++++++++++++++++++++++++++++++++ 5 files changed, 178 insertions(+) create mode 100644 fuzzers/fuzz_decode_message.cpp create mode 100644 fuzzers/fuzz_decrypt.cpp create mode 100644 fuzzers/fuzz_unpickle_account.cpp create mode 100644 fuzzers/fuzz_unpickle_session.cpp create mode 100644 fuzzers/include/fuzzing.hh (limited to 'fuzzers')
diff --git a/fuzzers/fuzz_decode_message.cpp b/fuzzers/fuzz_decode_message.cpp
new file mode 100644
index 0000000..2ef734c
--- /dev/null
+++ b/fuzzers/fuzz_decode_message.cpp
@@ -0,0 +1,14 @@
+#include "olm/message.hh"
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ int message_fd = STDIN_FILENO;
+ uint8_t * message_buffer;
+ ssize_t message_length = check_errno(
+ "Error reading message file", read_file(message_fd, &message_buffer)
+ );
+ olm::MessageReader * reader = new olm::MessageReader;
+ decode_message(*reader, message_buffer, message_length, 8);
+ free(message_buffer);
+ delete reader;
+}
diff --git a/fuzzers/fuzz_decrypt.cpp b/fuzzers/fuzz_decrypt.cpp
new file mode 100644
index 0000000..6116934
--- /dev/null
+++ b/fuzzers/fuzz_decrypt.cpp
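Review bot: The bare literal `8` passed as the last argument of decode_message is unexplained, so a reader cannot tell what length or version it encodes or why it is 8; give it a name, e.g. `const size_t mac_length = 8; // presumably the MAC length decode_message strips — confirm against olm/message.hh`. The harness also only runs the decoder and never reads back any of the reader's fields afterwards, so a decoder that leaves a pointer or length pointing past the end of message_buffer would not be caught here unless decode_message itself dereferences it; touching the parsed fields after the call would widen what AFL can observe. Finally, `olm::MessageReader` needs no heap allocation in this harness: a stack local `olm::MessageReader reader;` gives the same behaviour without the raw new/delete pair.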
@@ -0,0 +1,64 @@
+#include "olm/olm.hh"
+
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ size_t ignored;
+ if (argc <= 3) {
+ const char * message = "Usage: decrypt: "
+ " \n";
+ ignored = write(STDERR_FILENO, message, strlen(message));
+ exit(3);
+ }
+
+ const char * key = argv[1];
+ size_t key_length = strlen(key);
+
+
+ int session_fd = check_errno(
+ "Error opening session file", open(argv[2], O_RDONLY)
+ );
+
+ int message_type = atoi(argv[3]);
+
+ uint8_t *session_buffer;
+ ssize_t session_length = check_errno(
+ "Error reading session file", read_file(session_fd, &session_buffer)
+ );
+
+ int message_fd = STDIN_FILENO;
+ uint8_t * message_buffer;
+ ssize_t message_length = check_errno(
+ "Error reading message file", read_file(message_fd, &message_buffer)
+ );
+
+ uint8_t * tmp_buffer = (uint8_t *) malloc(message_length);
+ memcpy(tmp_buffer, message_buffer, message_length);
+
+ uint8_t session_memory[olm_session_size()];
+ OlmSession * session = olm_session(session_memory);
+ check_session(session, "Error unpickling session", olm_unpickle_session(
+ session, key, key_length, session_buffer, session_length
+ ));
+
+ size_t max_length = check_session(
+ session,
+ "Error getting plaintext length",
+ olm_decrypt_max_plaintext_length(
+ session, message_type, tmp_buffer, message_length
+ )
+ );
+
+ uint8_t plaintext[max_length];
+
+ size_t length = check_session(
+ session, "Error decrypting message", olm_decrypt(
+ session, message_type,
+ message_buffer, message_length,
+ plaintext, max_length
+ )
+ );
+
+ ignored = write(STDOUT_FILENO, plaintext, length);
+ ignored = write(STDOUT_FILENO, "\n", 1);
+}
diff --git a/fuzzers/fuzz_unpickle_account.cpp b/fuzzers/fuzz_unpickle_account.cpp
new file mode 100644
index 0000000..12c6d9b
--- /dev/null
+++ b/fuzzers/fuzz_unpickle_account.cpp
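Review bot: `uint8_t plaintext[max_length];` is a variable-length array whose size comes from olm_decrypt_max_plaintext_length on the fuzzed message, so a large enough input exhausts the harness's own stack and AFL will report a crash in main rather than a bug in libolm. Allocate it on the heap instead, `uint8_t * plaintext = (uint8_t *) malloc(max_length); if (plaintext == NULL) { perror("Error allocating plaintext"); exit(1); }`, and add the same NULL check on the `malloc(message_length)` for tmp_buffer, which memcpy currently writes through unconditionally. The copy into tmp_buffer looks deliberate (olm_decrypt_max_plaintext_length is given the copy and olm_decrypt the original), which suggests the length call consumes or rewrites its message argument; a one-line comment stating that, e.g. `// olm_decrypt_max_plaintext_length appears to modify the message in place, so give it a scratch copy — confirm`, would stop the next reader from "simplifying" the copy away. The buffers returned by read_file and session_fd are never released, which is harmless under AFL but will be flagged if the harness is ever run under LeakSanitizer.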
@@ -0,0 +1,14 @@
+#include "olm/account.hh"
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ int pickle_fd = STDIN_FILENO;
+ uint8_t * pickle_buffer;
+ ssize_t pickle_length = check_errno(
+ "Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
+ );
+ olm::Account * account = new olm::Account;
+ unpickle(pickle_buffer, pickle_buffer + pickle_length, *account);
+ free(pickle_buffer);
+ delete account;
+}
diff --git a/fuzzers/fuzz_unpickle_session.cpp b/fuzzers/fuzz_unpickle_session.cpp
new file mode 100644
index 0000000..6edbc96
--- /dev/null
+++ b/fuzzers/fuzz_unpickle_session.cpp
@@ -0,0 +1,14 @@
+#include "olm/session.hh"
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ int pickle_fd = STDIN_FILENO;
+ uint8_t * pickle_buffer;
+ ssize_t pickle_length = check_errno(
+ "Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
+ );
+ olm::Session * session = new olm::Session;
+ unpickle(pickle_buffer, pickle_buffer + pickle_length, *session);
+ free(pickle_buffer);
+ delete session;
+}
diff --git a/fuzzers/include/fuzzing.hh b/fuzzers/include/fuzzing.hh
new file mode 100644
index 0000000..e4f5eb9
--- /dev/null
+++ b/fuzzers/include/fuzzing.hh
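Review bot: The harness feeds stdin straight into the internal `unpickle(pos, end, account)` and nothing says why the public entry point is bypassed; given that fuzz_decrypt.cpp in this same commit unpickles a session through olm_unpickle_session with a key, the public account variant presumably decrypts and decodes first, so this harness exercises only the raw parser. A comment above the call would record that intent, e.g. `// Fuzz the raw pickle parser directly; the keyed olm_unpickle_account() wrapper is bypassed on purpose so inputs do not have to be valid ciphertext — confirm`. The value unpickle returns is also dropped; if it reports where parsing stopped or that it failed, recording it (or at least naming the discard with `(void)`) makes clear the harness is only looking for memory errors, not parse results.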
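Review bot: This file is a character-for-character copy of fuzz_unpickle_account.cpp with `olm::Account` replaced by `olm::Session`, so any fix to the read/unpickle/free sequence now has to be made twice. A small template helper in fuzzing.hh would let both mains become one line and keep the two harnesses from drifting apart; the read_file/check_errno calls and the allocation stay as they are, only hoisted.
```cpp
// fuzzing.hh — shared body for the unpickle harnesses
template <typename T>
int fuzz_unpickle_stdin(const char * error_message) {
    uint8_t * pickle_buffer;
    ssize_t pickle_length = check_errno(
        error_message, read_file(STDIN_FILENO, &pickle_buffer)
    );
    T * object = new T;
    unpickle(pickle_buffer, pickle_buffer + pickle_length, *object);
    free(pickle_buffer);
    delete object;
    return 0;
}

// fuzz_unpickle_session.cpp
int main(int argc, const char *argv[]) {
    return fuzz_unpickle_stdin<olm::Session>("Error reading pickle file");
}
```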
@@ -0,0 +1,72 @@
+#include "olm/olm.hh"
+
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+#include
+
+
+ssize_t read_file(
+ int fd,
+ uint8_t **buffer
+) {
+ size_t buffer_size = 4096;
+ uint8_t * current_buffer = (uint8_t *) malloc(buffer_size);
+ if (current_buffer == NULL) return -1;
+ size_t buffer_pos = 0;
+ while (1) {
+ ssize_t count = read(
+ fd, current_buffer + buffer_pos, buffer_size - buffer_pos
+ );
+ if (count < 0) break;
+ if (count == 0) {
+ uint8_t * return_buffer = (uint8_t *) realloc(current_buffer, buffer_pos);
+ if (return_buffer == NULL) break;
+ *buffer = return_buffer;
+ return buffer_pos;
+ }
+ buffer_pos += count;
+ if (buffer_pos == buffer_size) {
+ buffer_size *= 2;
+ uint8_t * new_buffer = (uint8_t *) realloc(current_buffer, buffer_size);
+ if (new_buffer == NULL) break;
+ current_buffer = new_buffer;
+ }
+ }
+ free(current_buffer);
+ return -1;
+}
+
+template
+T check_errno(
+ const char * message,
+ T value
+) {
+ if (value == T(-1)) {
+ perror(message);
+ exit(1);
+ }
+ return value;
+}
+
+size_t check_session(
+ OlmSession * session,
+ const char * message,
+ size_t value
+) {
+ if (value == olm_error()) {
+ const char * olm_message = olm_session_last_error(session);
+ ssize_t ignored;
+ ignored = write(STDERR_FILENO, message, strlen(message));
+ ignored = write(STDERR_FILENO, ": ", 2);
+ ignored = write(STDERR_FILENO, olm_message, strlen(olm_message));
+ ignored = write(STDERR_FILENO, "\n", 1);
+ exit(2);
+ return ignored;
+ }
+ return value;
+}
-- cgit v1.2.3
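Review bot: On an empty input read_file reaches `realloc(current_buffer, buffer_pos)` with buffer_pos == 0; on glibc realloc(p, 0) frees p and returns NULL, so the NULL check breaks out of the loop to `free(current_buffer)` and double-frees, and even where realloc returns a fresh zero-size block the caller's `buffer_pos` of 0 is then reported as -1. The shrink buys nothing in a fuzz harness: replace the three lines from `uint8_t * return_buffer = ...` through `*buffer = return_buffer;` with `*buffer = current_buffer;` and keep the `return buffer_pos;`, which also makes the already-read data survive a failed shrink. Separately, this header defines non-inline, non-static functions and has no include guard, so it can only ever be included from one translation unit per binary; marking them `static` (or `inline`) and adding `#pragma once` costs nothing and removes that trap. The `return ignored;` after `exit(2)` in check_session is unreachable and silently converts an ssize_t into the size_t return type; it can be dropped.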