openvpn: fix build (#7001)

projects/openvpn/build.sh

@@ -70,7 +70,7 @@ ar r libopenvpn.a *.o
 $CXX $CXXFLAGS -g -c $SRC/fuzz_randomizer.cpp -o $SRC/fuzz_randomizer.o
 
 # Compile the fuzzers
-for fuzzname in dhcp misc base64 proxy buffer route packet_id mroute list verify_cert forward crypto; do
+for fuzzname in dhcp misc base64 proxy buffer route packet_id mroute list verify_cert forward; do
     $CC -DHAVE_CONFIG_H -I. -I../.. -I../../include -I../../src/compat \
       -DPLUGIN_LIBDIR=\"/usr/local/lib/openvpn/plugins\" -std=c99 $CFLAGS \
       -c $SRC/fuzz_${fuzzname}.c -o $SRC/fuzz_${fuzzname}.o

projects/openvpn/crypto_patch.txt

@@ -1,28 +1,29 @@
 diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c
-index b9c95225..7adff4bb 100644
+index a63a2619..dac0ae49 100644
 --- a/src/openvpn/crypto.c
 +++ b/src/openvpn/crypto.c
-@@ -133,7 +133,10 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
+@@ -131,7 +131,10 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work,
      ASSERT(buf_inc_len(&work, outlen));
  
      /* Flush the encryption buffer */
 -    ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen));
 +    //ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen));
 +    if (!(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen))) {
-+      goto err;
++        goto err;
 +    }
      ASSERT(buf_inc_len(&work, outlen));
  
      /* Write authentication tag */
-@@ -737,6 +740,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher)
+@@ -723,6 +726,8 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher)
+     }
+ }
+ 
++extern int fuzz_success;
++
  /*
   * Build a struct key_type.
   */
-+extern int fuzz_success;
- void
- init_key_type(struct key_type *kt, const char *ciphername,
-               const char *authname, bool tls_mode, bool warn)
-@@ -752,6 +756,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
+@@ -741,6 +746,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
          kt->cipher = cipher_kt_get(ciphername);
          if (!kt->cipher)
          {
@@ -30,7 +31,7 @@ index b9c95225..7adff4bb 100644
              msg(M_FATAL, "Cipher %s not supported", ciphername);
          }
  
-@@ -766,11 +771,13 @@ init_key_type(struct key_type *kt, const char *ciphername,
+@@ -753,15 +759,18 @@ init_key_type(struct key_type *kt, const char *ciphername,
  #endif
                ))
          {
@@ -44,7 +45,12 @@ index b9c95225..7adff4bb 100644
              msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername);
          }
          if (warn)
-@@ -782,6 +789,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
+         {
++            fuzz_success = 0;
+             warn_insecure_key_type(ciphername, kt->cipher);
+         }
+     }
+@@ -769,6 +778,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
      {
          if (warn)
          {
@@ -52,15 +58,15 @@ index b9c95225..7adff4bb 100644
              msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. "
                  "This means NO encryption will be performed and tunnelled "
                  "data WILL be transmitted in clear text over the network! "
-@@ -797,6 +805,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
+@@ -784,6 +794,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
  
-             if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length)
+             if (OPENVPN_MAX_HMAC_SIZE < hmac_length)
              {
 +                fuzz_success = 0;
                  msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname);
              }
          }
-@@ -805,6 +814,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
+@@ -792,6 +803,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
      {
          if (warn)
          {
@@ -68,23 +74,23 @@ index b9c95225..7adff4bb 100644
              msg(M_WARN, "******* WARNING *******: '--auth none' was specified. "
                  "This means no authentication will be performed on received "
                  "packets, meaning you CANNOT trust that the data received by "
-@@ -812,6 +822,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
+@@ -799,6 +811,7 @@ init_key_type(struct key_type *kt, const char *ciphername,
                  "PLEASE DO RECONSIDER THIS SETTING!");
          }
      }
-+            fuzz_success = 1;
++    fuzz_success = 1;
  }
  
  /* given a key and key_type, build a key_ctx */
-@@ -1037,6 +1048,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
+@@ -966,6 +979,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
          if (!rand_bytes(key->cipher, cipher_len)
              || !rand_bytes(key->hmac, hmac_len))
          {
-+          fuzz_success = 0;
++            fuzz_success = 0;
              msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation");
          }
  
-@@ -1050,6 +1062,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
+@@ -975,6 +989,7 @@ generate_key_random(struct key *key, const struct key_type *kt)
      } while (kt && !check_key(key, kt));
  
      gc_free(&gc);
@@ -92,18 +98,18 @@ index b9c95225..7adff4bb 100644
  }
  
  /*
-@@ -1390,10 +1403,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
+@@ -1313,10 +1328,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags)
  
          if (state != PARSE_FINISHED)
          {
-+          fuzz_success = 0;
++            fuzz_success = 0;
              msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)",
                  print_key_filename(file, flags & RKF_INLINE), count, onekeylen,
                  keylen);
          }
-+        else {
-+          fuzz_success = 1;
-+        }
++	else {
++            fuzz_success = 1;
++	}
      }
  
      /* zero file read buffer if not an inline file */

projects/openvpn/fuzz_buffer.c

@@ -214,7 +214,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
     }
 
     if (buflistp == NULL) {
-      buflistp = buffer_list_new(fuzz_randomizer_get_int(0, 200));
+      buflistp = buffer_list_new();
     } else {
 #define NUM_LIST_TARGETS 6
       generic_ssizet = fuzz_randomizer_get_int(0, NUM_LIST_TARGETS);

projects/openvpn/fuzz_crypto.c

@@ -31,10 +31,11 @@ limitations under the License.
 
 static void key_ctx_update_implicit_iv(struct key_ctx *ctx, uint8_t *key,
                                        size_t key_len) {
-  const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
+  //const cipher_kt_t *cipher_kt = cipher_ctx_get_cipher_kt(ctx->cipher);
 
+  cipher_ctx_t *cipher_kt = ctx->cipher;
   /* Only use implicit IV in AEAD cipher mode, where HMAC key is not used */
-  if (cipher_kt_mode_aead(cipher_kt)) {
+  if (cipher_ctx_mode_aead(cipher_kt)) {
     size_t impl_iv_len = 0;
     ASSERT(cipher_kt_iv_size(cipher_kt) >= OPENVPN_AEAD_MIN_IV_LEN);
     impl_iv_len = cipher_kt_iv_size(cipher_kt) - sizeof(packet_id_type);