LLVMFuzzerTestOneInput:
   22|    185|extern int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {//ntpsec/tests/ntpd/nts_extens.c
   23|       |	
   24|    185|	if (Size < kMinInputLength || Size > kMaxInputLength){
  ------------------
  |  |   19|    370|#define kMinInputLength 20
  ------------------
              	if (Size < kMinInputLength || Size > kMaxInputLength){
  ------------------
  |  |   20|    177|#define kMaxInputLength 1024
  ------------------
  |  Branch (24:6): [True: 8, False: 177]
  |  Branch (24:32): [True: 24, False: 153]
  ------------------
   25|     32|        return 0;
   26|     32|    }
   27|       |
   28|    153|	struct ntspacket_t ntspkt;
   29|    153|	memset(&ntspkt, 0, sizeof(ntspkt));
   30|       |
   31|    153|	return extens_server_recv(&ntspkt,(uint8_t*)Data, Size);
   32|    185|}

ex_next_record:
  485|    804|uint16_t ex_next_record(BufCtl* buf, int *length) {
  486|    804|	uint16_t *ptr = (uint16_t *)buf->next;
  487|    804|	uint16_t type = ntohs(*ptr++);
  488|    804|	*length = ntohs(*ptr++)-NTS_KE_HDR_LNG;
  ------------------
  |  |   71|    804|#define NTS_KE_HDR_LNG 4
  ------------------
  489|    804|	buf->next += NTS_KE_HDR_LNG;
  ------------------
  |  |   71|    804|#define NTS_KE_HDR_LNG 4
  ------------------
  490|    804|	buf->left -= NTS_KE_HDR_LNG;
  ------------------
  |  |   71|    804|#define NTS_KE_HDR_LNG 4
  ------------------
  491|    804|	return type;
  492|    804|}
next_bytes:
  504|    202|uint16_t next_bytes(BufCtl* buf, uint8_t *data, int length) {
  505|    202|	memcpy(data, buf->next, length);
  506|    202|	buf->next += length;
  507|    202|	buf->left -= length;
  508|    202|	return length;
  509|    202|}

nts_unpack_cookie:
  362|      3|  uint8_t *c2s, uint8_t *s2c, int *keylen) {
  363|      3|	uint8_t *finger;
  364|      3|	uint8_t plaintext[NTS_MAX_COOKIELEN];
  365|      3|	uint8_t *nonce;
  366|      3|	uint32_t temp;
  367|      3|	size_t plainlength;
  368|      3|	int cipherlength;
  369|      3|	bool ok;
  370|      3|	struct NTS_Key *key;
  371|      3|	int i;
  372|       |
  373|      3|	if (NULL == cookie_ctx)
  ------------------
  |  Branch (373:6): [True: 3, False: 0]
  ------------------
  374|      3|		return false;	/* We aren't initialized yet. */
  375|       |
  376|      0|	if (0 == nts_nKeys) {
  ------------------
  |  Branch (376:6): [True: 0, False: 0]
  ------------------
  377|      0|		nts_cnt.cookie_not_server++;
  378|      0|		return false;  /* We are not a NTS enabled server. */
  379|      0|	}
  380|       |
  381|       |	/* We may get garbage from the net */
  382|      0|	if (cookielen > NTS_MAX_COOKIELEN)
  ------------------
  |  |   97|      0|#define NTS_MAX_COOKIELEN	192	/* see nts_cookie.c */
  ------------------
  |  Branch (382:6): [True: 0, False: 0]
  ------------------
  383|      0|		return false;
  384|       |
  385|      0|	finger = cookie;
  386|      0|	key = NULL;		/* squash uninitialized warning */
  387|      0|	for (i=0; i<nts_nKeys; i++) {
  ------------------
  |  Branch (387:12): [True: 0, False: 0]
  ------------------
  388|      0|	  key = &nts_keys[i];
  389|      0|	  if (0 == memcmp(finger, &key->I, sizeof(key->I))) {
  ------------------
  |  Branch (389:8): [True: 0, False: 0]
  ------------------
  390|      0|		break;
  391|      0|	  }
  392|      0|	}
  393|      0|	nts_cnt.cookie_decode_total++;  /* total attempts, includes too old */
  394|      0|	if (nts_nKeys == i) {
  ------------------
  |  Branch (394:6): [True: 0, False: 0]
  ------------------
  395|      0|		nts_cnt.cookie_decode_too_old++;
  396|      0|		return false;
  397|      0|        }
  398|      0|	if (0 == i) {
  ------------------
  |  Branch (398:6): [True: 0, False: 0]
  ------------------
  399|      0|		nts_cnt.cookie_decode_current++;
  400|      0|	} else if (1 == i) {
  ------------------
  |  Branch (400:13): [True: 0, False: 0]
  ------------------
  401|      0|		nts_cnt.cookie_decode_old++;
  402|      0|	} else if (2 == i) {
  ------------------
  |  Branch (402:13): [True: 0, False: 0]
  ------------------
  403|      0|		nts_cnt.cookie_decode_old2++;
  404|      0|	} else {
  405|      0|		nts_cnt.cookie_decode_older++;
  406|      0|	}
  407|       |#if 0
  408|       |	if (1<i) {
  409|       |	  /* Hack for debugging */
  410|       |	  /* Beware: DoS possibility on a public server */
  411|       |	  msyslog(LOG_INFO, "NTS: Old cookie: %d days.", i);
  412|       |	}
  413|       |#endif
  414|       |
  415|      0|	finger += sizeof(key->I);
  416|      0|	nonce = finger;
  417|      0|	finger += NONCE_LENGTH;
  ------------------
  |  |  168|      0|#define NONCE_LENGTH 16
  ------------------
  418|       |
  419|       |	// require(AD_LENGTH==finger-cookie);
  420|       |
  421|      0|	cipherlength = cookielen - AD_LENGTH;
  ------------------
  |  |  109|      0|#define AD_LENGTH 20
  ------------------
  422|      0|	plainlength = NTS_MAX_COOKIELEN;
  ------------------
  |  |   97|      0|#define NTS_MAX_COOKIELEN	192	/* see nts_cookie.c */
  ------------------
  423|       |
  424|      0|	nts_lock_cookielock();
  425|       |
  426|      0|	ok = AES_SIV_Decrypt(cookie_ctx,
  427|      0|			     plaintext, &plainlength,
  428|      0|			     key->K, K_length,
  429|      0|			     nonce, NONCE_LENGTH,
  ------------------
  |  |  168|      0|#define NONCE_LENGTH 16
  ------------------
  430|      0|			     finger, cipherlength,
  431|      0|			     cookie, AD_LENGTH);
  ------------------
  |  |  109|      0|#define AD_LENGTH 20
  ------------------
  432|       |
  433|      0|	nts_unlock_cookielock();
  434|       |
  435|      0|	if (!ok) {
  ------------------
  |  Branch (435:6): [True: 0, False: 0]
  ------------------
  436|      0|		nts_cnt.cookie_decode_error++;
  437|      0|		return false;
  438|      0|	}
  439|       |
  440|      0|	*keylen = (plainlength-AEAD_LENGTH)/2;
  ------------------
  |  |  110|      0|#define AEAD_LENGTH 4
  ------------------
  441|      0|	finger = plaintext;
  442|      0|	memcpy(&temp, finger, AEAD_LENGTH);
  ------------------
  |  |  110|      0|#define AEAD_LENGTH 4
  ------------------
  443|      0|	*aead = temp;
  444|      0|	finger += AEAD_LENGTH;
  ------------------
  |  |  110|      0|#define AEAD_LENGTH 4
  ------------------
  445|      0|	memcpy(c2s, finger, *keylen);
  446|      0|	finger += *keylen;
  447|      0|	memcpy(s2c, finger, *keylen);
  448|      0|	finger += *keylen;
  449|       |
  450|       |	return true;
  451|      0|}

extens_server_recv:
  120|    153|bool extens_server_recv(struct ntspacket_t *ntspacket, uint8_t *pkt, int lng) {
  121|    153|	struct BufCtl_t buf;
  122|    153|	uint16_t aead;
  123|    153|	int noncelen, cmaclen;
  124|    153|	bool sawcookie, sawAEEF;
  125|    153|	int cookielen;			/* cookie and placeholder(s) */
  126|       |
  127|    153|	nts_cnt.server_recv_bad++;		/* assume bad, undo if OK */
  128|       |
  129|    153|	buf.next = pkt+LEN_PKT_NOMAC;
  ------------------
  |  |  375|    153|#define	LEN_PKT_NOMAC	48	/* min header length */
  ------------------
  130|    153|	buf.left = lng-LEN_PKT_NOMAC;
  ------------------
  |  |  375|    153|#define	LEN_PKT_NOMAC	48	/* min header length */
  ------------------
  131|       |
  132|    153|	sawcookie = sawAEEF = false;
  133|    153|	cookielen = 0;
  134|    153|	ntspacket->uidlen = 0;
  135|    153|	ntspacket->needed = 0;
  136|       |
  137|    857|	while (buf.left >= NTS_KE_HDR_LNG) {
  ------------------
  |  |   71|    857|#define NTS_KE_HDR_LNG 4
  ------------------
  |  Branch (137:9): [True: 804, False: 53]
  ------------------
  138|    804|		uint16_t type;
  139|    804|		int length, adlength;
  140|    804|		size_t outlen;
  141|    804|		uint8_t *nonce, *cmac;
  142|    804|		bool ok;
  143|       |
  144|    804|		type = ex_next_record(&buf, &length); /* length excludes header */
  145|    804|		if (length&3 || length > buf.left || length < 0) {
  ------------------
  |  Branch (145:7): [True: 6, False: 798]
  |  Branch (145:19): [True: 32, False: 766]
  |  Branch (145:40): [True: 17, False: 749]
  ------------------
  146|     55|			return false;
  147|     55|		}
  148|    749|		switch (type) {
  149|    209|		    case Unique_Identifier:
  ------------------
  |  Branch (149:7): [True: 209, False: 540]
  ------------------
  150|    209|			if (length > NTS_UID_MAX_LENGTH) {
  ------------------
  |  |  100|    209|#define NTS_UID_MAX_LENGTH	64
  ------------------
  |  Branch (150:8): [True: 7, False: 202]
  ------------------
  151|      7|				return false;
  152|      7|			}
  153|    202|			ntspacket->uidlen = length;
  154|    202|			next_bytes(&buf, ntspacket->UID, length);
  155|    202|			break;
  156|     20|		    case NTS_Cookie:
  ------------------
  |  Branch (156:7): [True: 20, False: 729]
  ------------------
  157|       |			/* cookies and placeholders must be the same length
  158|       |			 * in order to avoid amplification attacks.
  159|       |			 */
  160|     20|			if (sawcookie) {
  ------------------
  |  Branch (160:8): [True: 0, False: 20]
  ------------------
  161|      0|				return false; /* second cookie */
  162|      0|			}
  163|     20|			if (0 == cookielen) {
  ------------------
  |  Branch (163:8): [True: 2, False: 18]
  ------------------
  164|      2|				cookielen = length;
  165|      2|			}
  166|     18|			else if (length != cookielen) {
  ------------------
  |  Branch (166:13): [True: 17, False: 1]
  ------------------
  167|     17|				return false;
  168|     17|			}
  169|      3|			ok = nts_unpack_cookie(buf.next, length, &aead, ntspacket->c2s,
  170|      3|					       ntspacket->s2c, &ntspacket->keylen);
  171|      3|			if (!ok) {
  ------------------
  |  Branch (171:8): [True: 3, False: 0]
  ------------------
  172|      3|				return false;
  173|      3|			}
  174|      0|			buf.next += length;
  175|      0|			buf.left -= length;
  176|      0|			sawcookie = true;
  177|      0|			ntspacket->needed++;
  178|      0|			ntspacket->aead = aead;
  179|      0|			break;
  180|    323|		    case NTS_Cookie_Placeholder:
  ------------------
  |  Branch (180:7): [True: 323, False: 426]
  ------------------
  181|    323|			if (0 == cookielen) {
  ------------------
  |  Branch (181:8): [True: 240, False: 83]
  ------------------
  182|    240|				cookielen = length;
  183|    240|			}
  184|     83|			else if (length != cookielen) {
  ------------------
  |  Branch (184:13): [True: 17, False: 66]
  ------------------
  185|     17|				return false;
  186|     17|			}
  187|    306|			ntspacket->needed++;
  188|    306|			buf.next += length;
  189|    306|			buf.left -= length;
  190|    306|			break;
  191|      1|		    case NTS_AEEF:
  ------------------
  |  Branch (191:7): [True: 1, False: 748]
  ------------------
  192|      1|			if (!sawcookie) {
  ------------------
  |  Branch (192:8): [True: 1, False: 0]
  ------------------
  193|      1|				return false; /* no cookie yet, no c2s */
  194|      1|			}
  195|      0|			if (length != NTP_EX_HDR_LNG+NONCE_LENGTH+CMAC_LENGTH) {
  ------------------
  |  |   32|      0|#define NTP_EX_HDR_LNG 4
  ------------------
              			if (length != NTP_EX_HDR_LNG+NONCE_LENGTH+CMAC_LENGTH) {
  ------------------
  |  |   29|      0|#define NONCE_LENGTH 16
  ------------------
              			if (length != NTP_EX_HDR_LNG+NONCE_LENGTH+CMAC_LENGTH) {
  ------------------
  |  |   30|      0|#define CMAC_LENGTH 16
  ------------------
  |  Branch (195:8): [True: 0, False: 0]
  ------------------
  196|      0|				return false;
  197|      0|			}
  198|       |			/* Additional data is up to this exten. */
  199|       |			/* backup over header */
  200|      0|			adlength = buf.next-NTP_EX_HDR_LNG-pkt;
  ------------------
  |  |   32|      0|#define NTP_EX_HDR_LNG 4
  ------------------
  201|      0|			noncelen = next_uint16(&buf);
  202|      0|			cmaclen = next_uint16(&buf);
  203|      0|			if (noncelen & 3) {
  ------------------
  |  Branch (203:8): [True: 0, False: 0]
  ------------------
  204|      0|				return false; /* would require padding */
  205|      0|			}
  206|      0|			if (CMAC_LENGTH != cmaclen) {
  ------------------
  |  |   30|      0|#define CMAC_LENGTH 16
  ------------------
  |  Branch (206:8): [True: 0, False: 0]
  ------------------
  207|      0|				return false;
  208|      0|			}
  209|      0|			nonce = buf.next;
  210|      0|			cmac = nonce+NONCE_LENGTH;
  ------------------
  |  |   29|      0|#define NONCE_LENGTH 16
  ------------------
  211|      0|			outlen = 6;
  212|      0|			ok = AES_SIV_Decrypt(wire_ctx,
  213|      0|					     NULL, &outlen,
  214|      0|					     ntspacket->c2s, ntspacket->keylen,
  215|      0|					     nonce, noncelen,
  216|      0|					     cmac, CMAC_LENGTH,
  ------------------
  |  |   30|      0|#define CMAC_LENGTH 16
  ------------------
  217|      0|					     pkt, adlength);
  218|      0|			if (!ok) {
  ------------------
  |  Branch (218:8): [True: 0, False: 0]
  ------------------
  219|      0|				return false;
  220|      0|			}
  221|      0|			if (0 != outlen) {
  ------------------
  |  Branch (221:8): [True: 0, False: 0]
  ------------------
  222|      0|				return false;
  223|      0|			}
  224|       |			/* we already used 2 length slots way above*/
  225|      0|			length -= (NTP_EX_U16_LNG+NTP_EX_U16_LNG);
  ------------------
  |  |   33|      0|#define NTP_EX_U16_LNG 2
  ------------------
              			length -= (NTP_EX_U16_LNG+NTP_EX_U16_LNG);
  ------------------
  |  |   33|      0|#define NTP_EX_U16_LNG 2
  ------------------
  226|      0|			buf.next += length;
  227|      0|			buf.left -= length;
  228|      0|			if (0 != buf.left) {
  ------------------
  |  Branch (228:8): [True: 0, False: 0]
  ------------------
  229|      0|				return false; /* Reject extens after AEEF block */
  230|      0|			}
  231|      0|			sawAEEF = true;
  232|      0|			break;
  233|    196|		    default:
  ------------------
  |  Branch (233:7): [True: 196, False: 553]
  ------------------
  234|       |			/* Non NTS extensions on requests at server.
  235|       |			 * Call out when we get some that we want.
  236|       |			 * Until then, just ignore it */
  237|    196|			buf.next += length;
  238|    196|			buf.left -= length;
  239|    196|			break;
  240|    749|		}
  241|    749|	}
  242|       |
  243|     53|	if (!sawAEEF) {
  ------------------
  |  Branch (243:6): [True: 53, False: 0]
  ------------------
  244|     53|		return false;
  245|     53|	}
  246|      0|	if (buf.left > 0)
  ------------------
  |  Branch (246:6): [True: 0, False: 0]
  ------------------
  247|      0|		return false;
  248|       |
  249|       |	//  printf("ESRx: %d, %d, %d\n",
  250|       |	//      lng-LEN_PKT_NOMAC, ntspacket->needed, ntspacket->keylen);
  251|      0|	ntspacket->valid = true;
  252|      0|	nts_cnt.server_recv_good++;
  253|      0|	nts_cnt.server_recv_bad--;
  254|       |	return true;
  255|      0|}

