1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
|
diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
index b9c95225..7adff4bb 100644
--- a/src/openvpn/crypto.c
+++ b/src/openvpn/crypto.c
@@ -133,7 +133,10 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
ASSERT(buf_inc_len(&work, outlen));
/* Flush the encryption buffer */
- ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen));
+ //ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen));
+ if (!(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen))) {
+ goto err;
+ }
ASSERT(buf_inc_len(&work, outlen));
/* Write authentication tag */
@@ -737,6 +740,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher)
/*
* Build a struct key_type.
*/
+extern int fuzz_success;
void
init_key_type(struct key_type *kt, const char *ciphername,
const char *authname, bool tls_mode, bool warn)
@@ -752,6 +756,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
kt->cipher = cipher_kt_get(ciphername);
if (!kt->cipher)
{
+ fuzz_success = 0;
msg(M_FATAL, "Cipher %s not supported", ciphername);
}
@@ -766,11 +771,13 @@ init_key_type(struct key_type *kt, const char *ciphername,
#endif
))
{
+ fuzz_success = 0;
msg(M_FATAL, "Cipher '%s' mode not supported", ciphername);
}
if (OPENVPN_MAX_CIPHER_BLOCK_SIZE < cipher_kt_block_size(kt->cipher))
{
+ fuzz_success = 0;
msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername);
}
if (warn)
@@ -782,6 +789,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
+ fuzz_success = 0;
msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
"This means NO encryption will be performed and tunnelled "
"data WILL be transmitted in clear text over the network! "
@@ -797,6 +805,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length)
{
+ fuzz_success = 0;
msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname);
}
}
@@ -805,6 +814,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
{
if (warn)
{
+ fuzz_success = 0;
msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
"This means no authentication will be performed on received "
"packets, meaning you CANNOT trust that the data received by "
@@ -812,6 +822,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
"PLEASE DO RECONSIDER THIS SETTING!");
}
}
+ fuzz_success = 1;
}
/* given a key and key_type, build a key_ctx */
@@ -1037,6 +1048,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
if (!rand_bytes(key->cipher, cipher_len)
|| !rand_bytes(key->hmac, hmac_len))
{
+ fuzz_success = 0;
msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
}
@@ -1050,6 +1062,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
} while (kt && !check_key(key, kt));
gc_free(&gc);
+ fuzz_success = 1;
}
/*
@@ -1390,10 +1403,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
if (state != PARSE_FINISHED)
{
+ fuzz_success = 0;
msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)",
print_key_filename(file, flags & RKF_INLINE), count, onekeylen,
keylen);
}
+ else {
+ fuzz_success = 1;
+ }
}
/* zero file read buffer if not an inline file */
|