From 0d42da0cb3d4b16ba65b24972a9ebc48d08cf314 Mon Sep 17 00:00:00 2001 From: nsa Date: Thu, 30 Jan 2020 13:44:55 -0500 Subject: [PATCH] fuzz/brontide: random+static round-trip encrypt+decrypt harnesses --- fuzz/brontide/random_init_enc_dec.go | 48 +++++++++++++++++++++++++++ fuzz/brontide/random_resp_enc_dec.go | 48 +++++++++++++++++++++++++++ fuzz/brontide/static_init_enc_dec.go | 49 ++++++++++++++++++++++++++++ fuzz/brontide/static_resp_enc_dec.go | 48 +++++++++++++++++++++++++++ 4 files changed, 193 insertions(+) create mode 100644 fuzz/brontide/random_init_enc_dec.go create mode 100644 fuzz/brontide/random_resp_enc_dec.go create mode 100644 fuzz/brontide/static_init_enc_dec.go create mode 100644 fuzz/brontide/static_resp_enc_dec.go diff --git a/fuzz/brontide/random_init_enc_dec.go b/fuzz/brontide/random_init_enc_dec.go new file mode 100644 index 00000000..17f5583f --- /dev/null +++ b/fuzz/brontide/random_init_enc_dec.go @@ -0,0 +1,48 @@ +// +build gofuzz + +package brontidefuzz + +import ( + "bytes" + "math" +) + +// Fuzz_random_init_enc_dec is a go-fuzz harness that tests round-trip +// encryption and decryption between the initiator and the responder. +func Fuzz_random_init_enc_dec(data []byte) int { + // Ensure that length of message is not greater than max allowed size. + if len(data) > math.MaxUint16 { + return 0 + } + + // This will return brontide machines with random keys. + initiator, responder := getBrontideMachines() + + // Complete the brontide handshake. + completeHandshake(initiator, responder) + + var b bytes.Buffer + + // Encrypt the message using WriteMessage w/ initiator machine. + if err := initiator.WriteMessage(data); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Flush the encrypted message w/ initiator machine. + if _, err := initiator.Flush(&b); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Decrypt the ciphertext using ReadMessage w/ responder machine. + plaintext, err := responder.ReadMessage(&b) + if err != nil { + nilAndPanic(initiator, responder, err) + } + + // Check that the decrypted message and the original message are equal. + if !bytes.Equal(data, plaintext) { + nilAndPanic(initiator, responder, nil) + } + + return 1 +} diff --git a/fuzz/brontide/random_resp_enc_dec.go b/fuzz/brontide/random_resp_enc_dec.go new file mode 100644 index 00000000..e2fad9a5 --- /dev/null +++ b/fuzz/brontide/random_resp_enc_dec.go @@ -0,0 +1,48 @@ +// +build gofuzz + +package brontidefuzz + +import ( + "bytes" + "math" +) + +// Fuzz_random_resp_enc_dec is a go-fuzz harness that tests round-trip +// encryption and decryption between the responder and the initiator. +func Fuzz_random_resp_enc_dec(data []byte) int { + // Ensure that length of message is not greater than max allowed size. + if len(data) > math.MaxUint16 { + return 0 + } + + // This will return brontide machines with random keys. + initiator, responder := getBrontideMachines() + + // Complete the brontide handshake. + completeHandshake(initiator, responder) + + var b bytes.Buffer + + // Encrypt the message using WriteMessage w/ responder machine. + if err := responder.WriteMessage(data); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Flush the encrypted message w/ responder machine. + if _, err := responder.Flush(&b); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Decrypt the ciphertext using ReadMessage w/ initiator machine. + plaintext, err := initiator.ReadMessage(&b) + if err != nil { + nilAndPanic(initiator, responder, err) + } + + // Check that the decrypted message and the original message are equal. + if !bytes.Equal(data, plaintext) { + nilAndPanic(initiator, responder, nil) + } + + return 1 +} diff --git a/fuzz/brontide/static_init_enc_dec.go b/fuzz/brontide/static_init_enc_dec.go new file mode 100644 index 00000000..a333c3f4 --- /dev/null +++ b/fuzz/brontide/static_init_enc_dec.go @@ -0,0 +1,49 @@ +// +build gofuzz + +package brontidefuzz + +import ( + "bytes" + "math" +) + +// Fuzz_static_init_enc_dec is a go-fuzz harness that tests round-trip +// encryption and decryption +// between the initiator and the responder. +func Fuzz_static_init_enc_dec(data []byte) int { + // Ensure that length of message is not greater than max allowed size. + if len(data) > math.MaxUint16 { + return 0 + } + + // This will return brontide machines with static keys. + initiator, responder := getStaticBrontideMachines() + + // Complete the brontide handshake. + completeHandshake(initiator, responder) + + var b bytes.Buffer + + // Encrypt the message using WriteMessage w/ initiator machine. + if err := initiator.WriteMessage(data); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Flush the encrypted message w/ initiator machine. + if _, err := initiator.Flush(&b); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Decrypt the ciphertext using ReadMessage w/ responder machine. + plaintext, err := responder.ReadMessage(&b) + if err != nil { + nilAndPanic(initiator, responder, err) + } + + // Check that the decrypted message and the original message are equal. + if !bytes.Equal(data, plaintext) { + nilAndPanic(initiator, responder, nil) + } + + return 1 +} diff --git a/fuzz/brontide/static_resp_enc_dec.go b/fuzz/brontide/static_resp_enc_dec.go new file mode 100644 index 00000000..b9a3ad39 --- /dev/null +++ b/fuzz/brontide/static_resp_enc_dec.go @@ -0,0 +1,48 @@ +// +build gofuzz + +package brontidefuzz + +import ( + "bytes" + "math" +) + +// Fuzz_static_resp_enc_dec is a go-fuzz harness that tests round-trip +// encryption and decryption between the responder and the initiator. +func Fuzz_static_resp_enc_dec(data []byte) int { + // Ensure that length of message is not greater than max allowed size. + if len(data) > math.MaxUint16 { + return 0 + } + + // This will return brontide machines with static keys. + initiator, responder := getStaticBrontideMachines() + + // Complete the brontide handshake. + completeHandshake(initiator, responder) + + var b bytes.Buffer + + // Encrypt the message using WriteMessage w/ responder machine. + if err := responder.WriteMessage(data); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Flush the encrypted message w/ responder machine. + if _, err := responder.Flush(&b); err != nil { + nilAndPanic(initiator, responder, err) + } + + // Decrypt the ciphertext using ReadMessage w/ initiator machine. + plaintext, err := initiator.ReadMessage(&b) + if err != nil { + nilAndPanic(initiator, responder, err) + } + + // Check that the decrypted message and the original message are equal. + if !bytes.Equal(data, plaintext) { + nilAndPanic(initiator, responder, nil) + } + + return 1 +}