diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c index b9c95225..7adff4bb 100644 --- a/src/openvpn/crypto.c +++ b/src/openvpn/crypto.c @@ -133,7 +133,10 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, ASSERT(buf_inc_len(&work, outlen)); /* Flush the encryption buffer */ - ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); + //ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); + if (!(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen))) { + goto err; + } ASSERT(buf_inc_len(&work, outlen)); /* Write authentication tag */ @@ -737,6 +740,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher) /* * Build a struct key_type. */ +extern int fuzz_success; void init_key_type(struct key_type *kt, const char *ciphername, const char *authname, bool tls_mode, bool warn) @@ -752,6 +756,7 @@ init_key_type(struct key_type *kt, const char *ciphername, kt->cipher = cipher_kt_get(ciphername); if (!kt->cipher) { + fuzz_success = 0; msg(M_FATAL, "Cipher %s not supported", ciphername); } @@ -766,11 +771,13 @@ init_key_type(struct key_type *kt, const char *ciphername, #endif )) { + fuzz_success = 0; msg(M_FATAL, "Cipher '%s' mode not supported", ciphername); } if (OPENVPN_MAX_CIPHER_BLOCK_SIZE < cipher_kt_block_size(kt->cipher)) { + fuzz_success = 0; msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername); } if (warn) @@ -782,6 +789,7 @@ init_key_type(struct key_type *kt, const char *ciphername, { if (warn) { + fuzz_success = 0; msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. " "This means NO encryption will be performed and tunnelled " "data WILL be transmitted in clear text over the network! " @@ -797,6 +805,7 @@ init_key_type(struct key_type *kt, const char *ciphername, if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length) { + fuzz_success = 0; msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname); } } @@ -805,6 +814,7 @@ init_key_type(struct key_type *kt, const char *ciphername, { if (warn) { + fuzz_success = 0; msg(M_WARN, "******* WARNING *******: '--auth none' was specified. " "This means no authentication will be performed on received " "packets, meaning you CANNOT trust that the data received by " @@ -812,6 +822,7 @@ init_key_type(struct key_type *kt, const char *ciphername, "PLEASE DO RECONSIDER THIS SETTING!"); } } + fuzz_success = 1; } /* given a key and key_type, build a key_ctx */ @@ -1037,6 +1048,7 @@ generate_key_random(struct key *key, const struct key_type *kt) if (!rand_bytes(key->cipher, cipher_len) || !rand_bytes(key->hmac, hmac_len)) { + fuzz_success = 0; msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); } @@ -1050,6 +1062,7 @@ generate_key_random(struct key *key, const struct key_type *kt) } while (kt && !check_key(key, kt)); gc_free(&gc); + fuzz_success = 1; } /* @@ -1390,10 +1403,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) if (state != PARSE_FINISHED) { + fuzz_success = 0; msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)", print_key_filename(file, flags & RKF_INLINE), count, onekeylen, keylen); } + else { + fuzz_success = 1; + } } /* zero file read buffer if not an inline file */