/src/fuzz_decrypt.c

Source
/* Copyright 2020 Google Inc.

Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
*/

#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdbool.h>
#include <ftw.h>

#include "config.h"
#include "gpg.h"
#include "../common/types.h"
#include "../common/iobuf.h"
#include "keydb.h"
#include "keyedit.h"
#include "../common/util.h"
#include "main.h"
#include "trustdb.h"

#include <sys/stat.h>
#include <fcntl.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/mount.h>

static bool initialized = false;
ctrl_t ctrlGlobal;
int fd;
char *filename;

//hack not to include gpg.c which has main function
extern int g10_errors_seen;
extern int assert_signer_true;
extern int assert_pubkey_algo_false;

void
g10_exit( int rc )
{
    gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
    gcry_control (GCRYCTL_TERM_SECMEM );
    /* Don't exit in fuzzer - just return to allow fuzzing to continue */
    (void)rc;
    return;
}

static void
gpg_deinit_default_ctrl (ctrl_t ctrl)
{
#ifdef USE_TOFU
    tofu_closedbs (ctrl);
#endif
    gpg_dirmngr_deinit_session_data (ctrl);

    keydb_release (ctrl->cached_getkey_kdb);
}

static void
my_gcry_logger (void *dummy, int level, const char *format, va_list arg_ptr)
{
    return;
}

static int unlink_cb(const char *fpath, const struct stat *sb, int typeflag)
{
    if (typeflag == FTW_F){
        unlink(fpath);
    }
    return 0;
}

static void rmrfdir(char *path)
{
    ftw(path, unlink_cb, 16);
    if (rmdir(path) != 0) {
        printf("failed rmdir, errno=%d\n", errno);
    }
}

// 65kb should be enough ;-)
#define MAX_LEN 0x10000

int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {

    if (! initialized) {
        ctrlGlobal = (ctrl_t) malloc(sizeof(*ctrlGlobal));
        if (!ctrlGlobal) {
            exit(1);
        }
        //deletes previous tmp dir and (re)create it as a ramfs
        //system("umount /tmp/fuzzdirdecrypt");
        rmrfdir("/tmp/fuzzdirdecrypt");
        mkdir("/tmp/fuzzdirdecrypt", 0700);
        //system("mount -t tmpfs -o size=64M tmpfs /tmp/fuzzdirdecrypt");
        filename=strdup("/tmp/fuzzdirdecrypt/fuzz.gpg");
        if (!filename) {
            free(ctrlGlobal);
            return 0;
        }
        fd = open("/tmp/fuzzdirdecrypt/fuzz.gpg", O_RDWR | O_CREAT, 0600);
        if (fd == -1) {
            free(ctrlGlobal);
            free(filename);
            return 0;
        }
        gnupg_set_homedir("/tmp/fuzzdirdecrypt/");
        if (keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG,
                                KEYDB_RESOURCE_FLAG_DEFAULT) != GPG_ERR_NO_ERROR) {
            free(filename);
            free(ctrlGlobal);
            close(fd);
            return 0;
        }
        if (setup_trustdb (1, NULL) != GPG_ERR_NO_ERROR) {
            free(filename);
            free(ctrlGlobal);
            close(fd);
            return 0;
        }
        //populate /tmp/fuzzdirdecrypt/ as homedir ~/.gnupg
        strlist_t sl = NULL;
        public_key_list (ctrlGlobal, sl, 0, 0);
        free_strlist(sl);
        //no output for stderr
        log_set_file("/dev/null");
        gcry_set_log_handler (my_gcry_logger, NULL);
        //gnupg_initialize_compliance (GNUPG_MODULE_NAME_GPG);
        //overwrite output file
        //opt.batch = 1;
        //opt.answer_yes = 1;
        initialized = true;
    }

    memset(ctrlGlobal, 0, sizeof(*ctrlGlobal));
    ctrlGlobal->magic = SERVER_CONTROL_MAGIC;
    if (Size > MAX_LEN) {
        // limit maximum size to avoid long computing times
        Size = MAX_LEN;
    }

    if (ftruncate(fd, Size) == -1) {
        return 0;
    }
    if (lseek (fd, 0, SEEK_SET) < 0) {
        return 0;
    }
    if (write (fd, Data, Size) != Size) {
        return 0;
    }

    decrypt_messages(ctrlGlobal, 1, &filename);
    gpg_deinit_default_ctrl (ctrlGlobal);
    memset(ctrlGlobal, 0, sizeof(*ctrlGlobal));
    ctrlGlobal->magic = SERVER_CONTROL_MAGIC;
    decrypt_message(ctrlGlobal, filename, NULL);
    gpg_deinit_default_ctrl (ctrlGlobal);

    return 0;
}


Line	Count	Source
1		/* Copyright 2020 Google Inc.
2
3		Licensed under the Apache License, Version 2.0 (the "License");
4		you may not use this file except in compliance with the License.
5		You may obtain a copy of the License at
6
7		http://www.apache.org/licenses/LICENSE-2.0
8
9		Unless required by applicable law or agreed to in writing, software
10		distributed under the License is distributed on an "AS IS" BASIS,
11		WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12		See the License for the specific language governing permissions and
13		limitations under the License.
14		*/
15
16		#include <stdint.h>
17		#include <stddef.h>
18		#include <stdlib.h>
19		#include <stdio.h>
20		#include <stdbool.h>
21		#include <ftw.h>
22
23		#include "config.h"
24		#include "gpg.h"
25		#include "../common/types.h"
26		#include "../common/iobuf.h"
27		#include "keydb.h"
28		#include "keyedit.h"
29		#include "../common/util.h"
30		#include "main.h"
31		#include "trustdb.h"
32
33		#include <sys/stat.h>
34		#include <fcntl.h>
35		#include <sys/types.h>
36		#include <unistd.h>
37		#include <sys/mount.h>
38
39		static bool initialized = false;
40		ctrl_t ctrlGlobal;
41		int fd;
42		char *filename;
43
44		//hack not to include gpg.c which has main function
45		extern int g10_errors_seen;
46		extern int assert_signer_true;
47		extern int assert_pubkey_algo_false;
48
49		void
50		g10_exit( int rc )
51	0	{
52	0	gcry_control (GCRYCTL_UPDATE_RANDOM_SEED_FILE);
53	0	gcry_control (GCRYCTL_TERM_SECMEM );
54		/* Don't exit in fuzzer - just return to allow fuzzing to continue */
55	0	(void)rc;
56	0	return;
57	0	}
58
59		static void
60		gpg_deinit_default_ctrl (ctrl_t ctrl)
61	24	{
62		#ifdef USE_TOFU
63		tofu_closedbs (ctrl);
64		#endif
65	24	gpg_dirmngr_deinit_session_data (ctrl);
66
67	24	keydb_release (ctrl->cached_getkey_kdb);
68	24	}
69
70		static void
71		my_gcry_logger (void dummy, int level, const char format, va_list arg_ptr)
72	0	{
73	0	return;
74	0	}
75
76		static int unlink_cb(const char fpath, const struct stat sb, int typeflag)
77	5	{
78	5	if (typeflag == FTW_F){
79	4	unlink(fpath);
80	4	}
81	5	return 0;
82	5	}
83
84		static void rmrfdir(char *path)
85	1	{
86	1	ftw(path, unlink_cb, 16);
87	1	if (rmdir(path) != 0) {
88	0	printf("failed rmdir, errno=%d\n", errno);
89	0	}
90	1	}
91
92		// 65kb should be enough ;-)
93	24	#define MAX_LEN 0x10000
94
95	12	int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
96
97	12	if (! initialized) {
98	1	ctrlGlobal = (ctrl_t) malloc(sizeof(*ctrlGlobal));
99	1	if (!ctrlGlobal) {
100	0	exit(1);
101	0	}
102		//deletes previous tmp dir and (re)create it as a ramfs
103		//system("umount /tmp/fuzzdirdecrypt");
104	1	rmrfdir("/tmp/fuzzdirdecrypt");
105	1	mkdir("/tmp/fuzzdirdecrypt", 0700);
106		//system("mount -t tmpfs -o size=64M tmpfs /tmp/fuzzdirdecrypt");
107	1	filename=strdup("/tmp/fuzzdirdecrypt/fuzz.gpg");
108	1	if (!filename) {
109	0	free(ctrlGlobal);
110	0	return 0;
111	0	}
112	1	fd = open("/tmp/fuzzdirdecrypt/fuzz.gpg", O_RDWR \| O_CREAT, 0600);
113	1	if (fd == -1) {
114	0	free(ctrlGlobal);
115	0	free(filename);
116	0	return 0;
117	0	}
118	1	gnupg_set_homedir("/tmp/fuzzdirdecrypt/");
119	1	if (keydb_add_resource ("pubring" EXTSEP_S GPGEXT_GPG,
120	1	KEYDB_RESOURCE_FLAG_DEFAULT) != GPG_ERR_NO_ERROR) {
121	0	free(filename);
122	0	free(ctrlGlobal);
123	0	close(fd);
124	0	return 0;
125	0	}
126	1	if (setup_trustdb (1, NULL) != GPG_ERR_NO_ERROR) {
127	0	free(filename);
128	0	free(ctrlGlobal);
129	0	close(fd);
130	0	return 0;
131	0	}
132		//populate /tmp/fuzzdirdecrypt/ as homedir ~/.gnupg
133	1	strlist_t sl = NULL;
134	1	public_key_list (ctrlGlobal, sl, 0, 0);
135	1	free_strlist(sl);
136		//no output for stderr
137	1	log_set_file("/dev/null");
138	1	gcry_set_log_handler (my_gcry_logger, NULL);
139		//gnupg_initialize_compliance (GNUPG_MODULE_NAME_GPG);
140		//overwrite output file
141		//opt.batch = 1;
142		//opt.answer_yes = 1;
143	1	initialized = true;
144	1	}
145
146	12	memset(ctrlGlobal, 0, sizeof(*ctrlGlobal));
147	12	ctrlGlobal->magic = SERVER_CONTROL_MAGIC;
148	12	if (Size > MAX_LEN) {
149		// limit maximum size to avoid long computing times
150	12	Size = MAX_LEN;
151	12	}
152
153	12	if (ftruncate(fd, Size) == -1) {
154	0	return 0;
155	0	}
156	12	if (lseek (fd, 0, SEEK_SET) < 0) {
157	0	return 0;
158	0	}
159	12	if (write (fd, Data, Size) != Size) {
160	0	return 0;
161	0	}
162
163	12	decrypt_messages(ctrlGlobal, 1, &filename);
164	12	gpg_deinit_default_ctrl (ctrlGlobal);
165	12	memset(ctrlGlobal, 0, sizeof(*ctrlGlobal));
166	12	ctrlGlobal->magic = SERVER_CONTROL_MAGIC;
167	12	decrypt_message(ctrlGlobal, filename, NULL);
168	12	gpg_deinit_default_ctrl (ctrlGlobal);
169
170	12	return 0;
171	12	}
172

Coverage Report

Created: 2026-01-09 06:46