diff options
| -rw-r--r-- | fuzz/Cargo.lock | 11 | ||||
| -rw-r--r-- | fuzz/Cargo.toml | 8 | ||||
| -rw-r--r-- | fuzz/fuzz_targets/zears_vs_aez.rs | 37 | ||||
| -rw-r--r-- | src/lib.rs | 8 |
4 files changed, 64 insertions, 0 deletions
diff --git a/fuzz/Cargo.lock b/fuzz/Cargo.lock index 8f40151..2ae96d1 100644 --- a/fuzz/Cargo.lock +++ b/fuzz/Cargo.lock @@ -14,6 +14,15 @@ dependencies = [ ] [[package]] +name = "aez" +version = "0.0.7" +source = "registry+https://github.com/rust-lang/crates.io-index" +checksum = "4c0763d41b5091ea56fa39dd9390f08355b9e45c0310ec5d9fd99c0d23c9322e" +dependencies = [ + "cc", +] + +[[package]] name = "arbitrary" version = "1.4.1" source = "registry+https://github.com/rust-lang/crates.io-index" @@ -267,12 +276,14 @@ dependencies = [ "aes", "blake2", "constant_time_eq", + "cpufeatures", ] [[package]] name = "zears-fuzz" version = "0.0.0" dependencies = [ + "aez", "arbitrary", "libfuzzer-sys", "zears", diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml index 357b0ac..7c063d6 100644 --- a/fuzz/Cargo.toml +++ b/fuzz/Cargo.toml @@ -10,6 +10,7 @@ cargo-fuzz = true [dependencies] arbitrary = { version = "1.4.1", features = ["derive"] } libfuzzer-sys = "0.4" +aez = "0.0.7" [dependencies.zears] path = ".." @@ -20,3 +21,10 @@ path = "fuzz_targets/fuzz_target_1.rs" test = false doc = false bench = false + +[[bin]] +name = "zears_vs_aez" +path = "fuzz_targets/zears_vs_aez.rs" +test = false +doc = false +bench = false diff --git a/fuzz/fuzz_targets/zears_vs_aez.rs b/fuzz/fuzz_targets/zears_vs_aez.rs new file mode 100644 index 0000000..eda644d --- /dev/null +++ b/fuzz/fuzz_targets/zears_vs_aez.rs @@ -0,0 +1,37 @@ +#![no_main] + +use libfuzzer_sys::fuzz_target; + +use arbitrary::Arbitrary; +use zears::Aez; + +#[derive(Debug, Arbitrary)] +struct Parameters<'a> { + key: &'a [u8], + nonce: &'a [u8], + ad: Option<&'a [u8]>, + tau: u32, + message: &'a [u8], +} + +fuzz_target!(|data: Parameters| { + // Limitations stem from AEZ's underlying C library + if data.nonce.len() >= 1 + && data.nonce.len() <= 16 + && data.ad.map(|x| x.len()).unwrap_or(0) <= 16 + && data.tau <= 16 + && data.message.len() <= u32::MAX.try_into().unwrap() + && (!data.message.is_empty() || data.tau > 0) + { + let ad = match data.ad { + Some(ad) => &[ad] as &[&[u8]], + None => &[], + }; + let actual = Aez::new(data.key).encrypt(data.nonce, ad, data.tau, data.message); + + let mut expected = vec![0; data.message.len() + data.tau as usize]; + aez::Aez::new(data.key).encrypt(data.nonce, data.ad, data.message, &mut expected); + + assert_eq!(actual, expected); + } +}); @@ -895,4 +895,12 @@ mod test { let aez = Aez::new(b""); aez.encrypt(b"", &[], 673261693, &[]); } + + #[test] + fn test_fuzzed_3() { + // AEZ crashes if given an empty message and empty tau + let aez = Aez::new(&[0, 110, 109, 0]); + let value = aez.encrypt(&[0], &[], 0, &[]); + assert_eq!(&value, &[]); + } } |