diff --git a/Makefile b/Makefile
index 1950016a00941ee1778c3a9411fd40b33e4097a1..1ea5bb4d000743cea2badd464ce91d1c1f567714 100644
--- a/Makefile
+++ b/Makefile
@@ -4,8 +4,11 @@ BUILD_DIR := build
RELEASE_OPTIMIZE_FLAGS ?= -g -O3
DEBUG_OPTIMIZE_FLAGS ?= -g -O0
JS_OPTIMIZE_FLAGS ?= -O3
+FUZZING_OPTIMIZE_FLAGS ?= -O3
CC = gcc
EMCC = emcc
+AFL_CC = afl_gcc
+AFL_CXX = afl-g++
RELEASE_TARGET := $(BUILD_DIR)/libolm.so
DEBUG_TARGET := $(BUILD_DIR)/libolm_debug.so
JS_TARGET := javascript/olm.js
@@ -17,6 +20,10 @@ PUBLIC_HEADERS := include/olm/olm.hh
SOURCES := $(wildcard src/*.cpp) $(wildcard src/*.c)
RELEASE_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/release/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
DEBUG_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/debug/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
+FUZZER_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/fuzzers/objects/%,$(patsubst %.c,%.o,$(patsubst %.cpp,%.o,$(SOURCES))))
+FUZZER_SOURCES := $(wildcard fuzzers/fuzz_*.cpp) $(wildcard fuzzers/fuzz_*.c)
+FUZZER_BINARIES := $(patsubst fuzzers/%,$(BUILD_DIR)/fuzzers/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(FUZZER_SOURCES))))
+FUZZER_DEBUG_BINARIES := $(patsubst $(BUILD_DIR)/fuzzers/fuzz_%,$(BUILD_DIR)/fuzzers/debug_%,$(FUZZER_BINARIES))
TEST_SOURCES := $(wildcard tests/test_*.cpp) $(wildcard tests/test_*.c)
TEST_BINARIES := $(patsubst tests/%,$(BUILD_DIR)/tests/%,$(patsubst %.c,%,$(patsubst %.cpp,%,$(TEST_SOURCES))))
JS_OBJECTS := $(patsubst src/%,$(BUILD_DIR)/javascript/%,$(patsubst %.c,%.js.bc,$(patsubst %.cpp,%.js.bc,$(SOURCES))))
@@ -37,6 +44,11 @@ EMCC.c = $(EMCC) $(CFLAGS) $(CPPFLAGS) -c
EMCC.cc = $(EMCC) $(CXXFLAGS) $(CPPFLAGS) -c
EMCC_LINK = $(EMCC) $(LDFLAGS) $(EMCCFLAGS)
+AFL.c = $(AFL_CC) $(CFLAGS) $(CPPFLAGS) -c
+AFL.cc = $(AFL_CXX) $(CXXFLAGS) $(CPPFLAGS) -c
+AFL_LINK.c = $(AFL_CC) $(LDFLAGS) $(CFLAGS) $(CPPFLAGS)
+AFL_LINK.cc = $(AFL_CXX) $(LDFLAGS) $(CXXFLAGS) $(CPPFLAGS)
+
# generate .d files when compiling
CPPFLAGS += -MMD
@@ -53,6 +65,13 @@ $(DEBUG_TARGET): LDFLAGS += $(DEBUG_OPTIMIZE_FLAGS)
$(TEST_BINARIES): CPPFLAGS += -Itests/include
$(TEST_BINARIES): LDFLAGS += $(TEST_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
+$(FUZZER_OBJECTS): CFLAGS += $(FUZZER_OPTIMIZE_FLAGS)
+$(FUZZER_OBJECTS): CXXFLAGS += $(FUZZER_OPTIMIZE_FLAGS)
+$(FUZZER_BINARIES): CPPFLAGS += -Ifuzzers/include
+$(FUZZER_BINARIES): LDFLAGS += $(FUZZER_OPTIMIZE_FLAGS) -L$(BUILD_DIR)
+$(FUZZER_DEBUG_BINARIES): CPPFLAGS += -Ifuzzers/include
+$(FUZZER_DEBUG_BINARIES): LDFLAGS += $(DEBUG_OPTIMIZE_FLAGS)
+
$(JS_OBJECTS): CFLAGS += $(JS_OPTIMIZE_FLAGS)
$(JS_OBJECTS): CXXFLAGS += $(JS_OPTIMIZE_FLAGS)
$(JS_TARGET): LDFLAGS += $(JS_OPTIMIZE_FLAGS)
@@ -65,9 +84,11 @@ lib: $(RELEASE_TARGET)
# Make sure that the build directory exists.
# We can't check the build directory into git because it is empty.
makedirs:
- mkdir -p $(BUILD_DIR)/release $(BUILD_DIR)/debug $(BUILD_DIR)/javascript $(BUILD_DIR)/tests
+ mkdir -p $(BUILD_DIR)/release $(BUILD_DIR)/debug $(BUILD_DIR)/javascript\
+ $(BUILD_DIR)/tests $(BUILD_DIR)/fuzzers/objects
.PHONY: makedirs
+
$(RELEASE_TARGET): $(RELEASE_OBJECTS)
$(CXX) $(LDFLAGS) --shared -fPIC \
-Wl,--version-script,version_script.ver \
@@ -81,7 +102,6 @@ $(DEBUG_TARGET): $(DEBUG_OBJECTS)
-Wl,--version-script,version_script.ver \
$(OUTPUT_OPTION) $(DEBUG_OBJECTS)
-
js: $(JS_TARGET)
.PHONY: js
@@ -96,8 +116,11 @@ clean:;
$(DEBUG_OBJECTS) $(DEBUG_OBJECTS:.o=.d) \
$(TEST_BINARIES) $(TEST_BINARIES:=.d) \
$(JS_OBJECTS) $(JS_OBJECTS:.bc=.d) $(JS_TARGET) \
- $(JS_EXPORTED_FUNCTIONS) \
+ $(JS_EXPORTED_FUNCTIONS)\
$(RELEASE_TARGET) $(DEBUG_TARGET)\
+ $(FUZZER_OBJECTS) $(FUZZER_OBJECTS:.o=.d)\
+ $(FUZZER_BINARIES) $(FUZZER_BINARIES:=.d)\
+ $(FUZZER_DEBUG_BINARIES) $(FUZZER_DEBUG_BINARIES:=.d)\
build_tests: $(TEST_BINARIES)
@@ -107,6 +130,9 @@ test: build_tests
$$i || exit $$?; \
done
+fuzzers: $(FUZZER_BINARIES) $(FUZZER_DEBUG_BINARIES)
+.PHONY: fuzzers
+
$(JS_EXPORTED_FUNCTIONS): $(PUBLIC_HEADERS)
perl -MJSON -ne '/(olm_[^( ]*)\(/ && push @f, "_$$1"; END { print encode_json \@f }' $^ > $@.tmp
mv $@.tmp $@
@@ -139,6 +165,23 @@ $(BUILD_DIR)/tests/%: tests/%.c $(DEBUG_OBJECTS)
$(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
$(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
+$(BUILD_DIR)/fuzzers/objects/%.o: src/%.c | makedirs
+ $(AFL.c) $(OUTPUT_OPTION) $<
+
+$(BUILD_DIR)/fuzzers/objects/%.o: src/%.cpp | makedirs
+ $(AFL.cc) $(OUTPUT_OPTION) $<
+
+$(BUILD_DIR)/fuzzers/fuzz_%: fuzzers/fuzz_%.c $(FUZZER_OBJECTS)
+ $(AFL_LINK.c) $< $(FUZZER_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
+
+$(BUILD_DIR)/fuzzers/fuzz_%: fuzzers/fuzz_%.cpp $(FUZZER_OBJECTS)
+ $(AFL_LINK.cc) $< $(FUZZER_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
+
+$(BUILD_DIR)/fuzzers/debug_%: fuzzers/fuzz_%.c $(DEBUG_OBJECTS)
+ $(LINK.c) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
+
+$(BUILD_DIR)/fuzzers/debug_%: fuzzers/fuzz_%.cpp $(DEBUG_OBJECTS)
+ $(LINK.cc) $< $(DEBUG_OBJECTS) $(LOADLIBES) $(LDLIBS) -o $@
### dependencies
@@ -146,3 +189,6 @@ $(BUILD_DIR)/tests/%: tests/%.cpp $(DEBUG_OBJECTS)
-include $(DEBUG_OBJECTS:.o=.d)
-include $(JS_OBJECTS:.bc=.d)
-include $(TEST_BINARIES:=.d)
+-include $(FUZZER_OBJECTS:.o=.d)
+-include $(FUZZER_BINARIES:=.d)
+-include $(FUZZER_DEBUG_BINARIES:=.d)
diff --git a/fuzzers/fuzz_decode_message.cpp b/fuzzers/fuzz_decode_message.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..2ef734c1eca6106cafcd0495ad6c2c1b63651937
--- /dev/null
+++ b/fuzzers/fuzz_decode_message.cpp
@@ -0,0 +1,14 @@
+#include "olm/message.hh"
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ int message_fd = STDIN_FILENO;
+ uint8_t * message_buffer;
+ ssize_t message_length = check_errno(
+ "Error reading message file", read_file(message_fd, &message_buffer)
+ );
+ olm::MessageReader * reader = new olm::MessageReader;
+ decode_message(*reader, message_buffer, message_length, 8);
+ free(message_buffer);
+ delete reader;
+}
diff --git a/fuzzers/fuzz_decrypt.cpp b/fuzzers/fuzz_decrypt.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6116934f38c90bf33a9f50ab1a1d4eb3dc9bef39
--- /dev/null
+++ b/fuzzers/fuzz_decrypt.cpp
@@ -0,0 +1,64 @@
+#include "olm/olm.hh"
+
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ size_t ignored;
+ if (argc <= 3) {
+ const char * message = "Usage: decrypt: <session_key> <session_file>"
+ " <message_type>\n";
+ ignored = write(STDERR_FILENO, message, strlen(message));
+ exit(3);
+ }
+
+ const char * key = argv[1];
+ size_t key_length = strlen(key);
+
+
+ int session_fd = check_errno(
+ "Error opening session file", open(argv[2], O_RDONLY)
+ );
+
+ int message_type = atoi(argv[3]);
+
+ uint8_t *session_buffer;
+ ssize_t session_length = check_errno(
+ "Error reading session file", read_file(session_fd, &session_buffer)
+ );
+
+ int message_fd = STDIN_FILENO;
+ uint8_t * message_buffer;
+ ssize_t message_length = check_errno(
+ "Error reading message file", read_file(message_fd, &message_buffer)
+ );
+
+ uint8_t * tmp_buffer = (uint8_t *) malloc(message_length);
+ memcpy(tmp_buffer, message_buffer, message_length);
+
+ uint8_t session_memory[olm_session_size()];
+ OlmSession * session = olm_session(session_memory);
+ check_session(session, "Error unpickling session", olm_unpickle_session(
+ session, key, key_length, session_buffer, session_length
+ ));
+
+ size_t max_length = check_session(
+ session,
+ "Error getting plaintext length",
+ olm_decrypt_max_plaintext_length(
+ session, message_type, tmp_buffer, message_length
+ )
+ );
+
+ uint8_t plaintext[max_length];
+
+ size_t length = check_session(
+ session, "Error decrypting message", olm_decrypt(
+ session, message_type,
+ message_buffer, message_length,
+ plaintext, max_length
+ )
+ );
+
+ ignored = write(STDOUT_FILENO, plaintext, length);
+ ignored = write(STDOUT_FILENO, "\n", 1);
+}
diff --git a/fuzzers/fuzz_unpickle_account.cpp b/fuzzers/fuzz_unpickle_account.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..12c6d9bec417d1a67bf4f9b09dd0f4a578832f2a
--- /dev/null
+++ b/fuzzers/fuzz_unpickle_account.cpp
@@ -0,0 +1,14 @@
+#include "olm/account.hh"
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ int pickle_fd = STDIN_FILENO;
+ uint8_t * pickle_buffer;
+ ssize_t pickle_length = check_errno(
+ "Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
+ );
+ olm::Account * account = new olm::Account;
+ unpickle(pickle_buffer, pickle_buffer + pickle_length, *account);
+ free(pickle_buffer);
+ delete account;
+}
diff --git a/fuzzers/fuzz_unpickle_session.cpp b/fuzzers/fuzz_unpickle_session.cpp
new file mode 100644
index 0000000000000000000000000000000000000000..6edbc961acae729c1874f45512846c8fac3b0c96
--- /dev/null
+++ b/fuzzers/fuzz_unpickle_session.cpp
@@ -0,0 +1,14 @@
+#include "olm/session.hh"
+#include "fuzzing.hh"
+
+int main(int argc, const char *argv[]) {
+ int pickle_fd = STDIN_FILENO;
+ uint8_t * pickle_buffer;
+ ssize_t pickle_length = check_errno(
+ "Error reading pickle file", read_file(pickle_fd, &pickle_buffer)
+ );
+ olm::Session * session = new olm::Session;
+ unpickle(pickle_buffer, pickle_buffer + pickle_length, *session);
+ free(pickle_buffer);
+ delete session;
+}
diff --git a/fuzzers/include/fuzzing.hh b/fuzzers/include/fuzzing.hh
new file mode 100644
index 0000000000000000000000000000000000000000..e4f5eb925048a7ca1dd4753679d3f620dc333ae5
--- /dev/null
+++ b/fuzzers/include/fuzzing.hh
@@ -0,0 +1,72 @@
+#include "olm/olm.hh"
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <unistd.h>
+#include <stddef.h>
+#include <string.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+
+
+ssize_t read_file(
+ int fd,
+ uint8_t **buffer
+) {
+ size_t buffer_size = 4096;
+ uint8_t * current_buffer = (uint8_t *) malloc(buffer_size);
+ if (current_buffer == NULL) return -1;
+ size_t buffer_pos = 0;
+ while (1) {
+ ssize_t count = read(
+ fd, current_buffer + buffer_pos, buffer_size - buffer_pos
+ );
+ if (count < 0) break;
+ if (count == 0) {
+ uint8_t * return_buffer = (uint8_t *) realloc(current_buffer, buffer_pos);
+ if (return_buffer == NULL) break;
+ *buffer = return_buffer;
+ return buffer_pos;
+ }
+ buffer_pos += count;
+ if (buffer_pos == buffer_size) {
+ buffer_size *= 2;
+ uint8_t * new_buffer = (uint8_t *) realloc(current_buffer, buffer_size);
+ if (new_buffer == NULL) break;
+ current_buffer = new_buffer;
+ }
+ }
+ free(current_buffer);
+ return -1;
+}
+
+template<typename T>
+T check_errno(
+ const char * message,
+ T value
+) {
+ if (value == T(-1)) {
+ perror(message);
+ exit(1);
+ }
+ return value;
+}
+
+size_t check_session(
+ OlmSession * session,
+ const char * message,
+ size_t value
+) {
+ if (value == olm_error()) {
+ const char * olm_message = olm_session_last_error(session);
+ ssize_t ignored;
+ ignored = write(STDERR_FILENO, message, strlen(message));
+ ignored = write(STDERR_FILENO, ": ", 2);
+ ignored = write(STDERR_FILENO, olm_message, strlen(olm_message));
+ ignored = write(STDERR_FILENO, "\n", 1);
+ exit(2);
+ return ignored;
+ }
+ return value;
+}