1diff --git a/src/openvpn/crypto.c b/src/openvpn/crypto.c 2index b9c95225..7adff4bb 100644 3--- a/src/openvpn/crypto.c 4+++ b/src/openvpn/crypto.c 5@@ -133,7 +133,10 @@ openvpn_encrypt_aead(struct buffer *buf, struct buffer work, 6 ASSERT(buf_inc_len(&work, outlen)); 7 8 /* Flush the encryption buffer */ 9- ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); 10+ //ASSERT(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen)); 11+ if (!(cipher_ctx_final(ctx->cipher, BEND(&work), &outlen))) { 12+ goto err; 13+ } 14 ASSERT(buf_inc_len(&work, outlen)); 15 16 /* Write authentication tag */ 17@@ -737,6 +740,7 @@ warn_insecure_key_type(const char *ciphername, const cipher_kt_t *cipher) 18 /* 19 * Build a struct key_type. 20 */ 21+extern int fuzz_success; 22 void 23 init_key_type(struct key_type *kt, const char *ciphername, 24 const char *authname, bool tls_mode, bool warn) 25@@ -752,6 +756,7 @@ init_key_type(struct key_type *kt, const char *ciphername, 26 kt->cipher = cipher_kt_get(ciphername); 27 if (!kt->cipher) 28 { 29+ fuzz_success = 0; 30 msg(M_FATAL, "Cipher %s not supported", ciphername); 31 } 32 33@@ -766,11 +771,13 @@ init_key_type(struct key_type *kt, const char *ciphername, 34 #endif 35 )) 36 { 37+ fuzz_success = 0; 38 msg(M_FATAL, "Cipher '%s' mode not supported", ciphername); 39 } 40 41 if (OPENVPN_MAX_CIPHER_BLOCK_SIZE < cipher_kt_block_size(kt->cipher)) 42 { 43+ fuzz_success = 0; 44 msg(M_FATAL, "Cipher '%s' not allowed: block size too big.", ciphername); 45 } 46 if (warn) 47@@ -782,6 +789,7 @@ init_key_type(struct key_type *kt, const char *ciphername, 48 { 49 if (warn) 50 { 51+ fuzz_success = 0; 52 msg(M_WARN, "******* WARNING *******: '--cipher none' was specified. " 53 "This means NO encryption will be performed and tunnelled " 54 "data WILL be transmitted in clear text over the network! " 55@@ -797,6 +805,7 @@ init_key_type(struct key_type *kt, const char *ciphername, 56 57 if (OPENVPN_MAX_HMAC_SIZE < kt->hmac_length) 58 { 59+ fuzz_success = 0; 60 msg(M_FATAL, "HMAC '%s' not allowed: digest size too big.", authname); 61 } 62 } 63@@ -805,6 +814,7 @@ init_key_type(struct key_type *kt, const char *ciphername, 64 { 65 if (warn) 66 { 67+ fuzz_success = 0; 68 msg(M_WARN, "******* WARNING *******: '--auth none' was specified. " 69 "This means no authentication will be performed on received " 70 "packets, meaning you CANNOT trust that the data received by " 71@@ -812,6 +822,7 @@ init_key_type(struct key_type *kt, const char *ciphername, 72 "PLEASE DO RECONSIDER THIS SETTING!"); 73 } 74 } 75+ fuzz_success = 1; 76 } 77 78 /* given a key and key_type, build a key_ctx */ 79@@ -1037,6 +1048,7 @@ generate_key_random(struct key *key, const struct key_type *kt) 80 if (!rand_bytes(key->cipher, cipher_len) 81 || !rand_bytes(key->hmac, hmac_len)) 82 { 83+ fuzz_success = 0; 84 msg(M_FATAL, "ERROR: Random number generator cannot obtain entropy for key generation"); 85 } 86 87@@ -1050,6 +1062,7 @@ generate_key_random(struct key *key, const struct key_type *kt) 88 } while (kt && !check_key(key, kt)); 89 90 gc_free(&gc); 91+ fuzz_success = 1; 92 } 93 94 /* 95@@ -1390,10 +1403,14 @@ read_key_file(struct key2 *key2, const char *file, const unsigned int flags) 96 97 if (state != PARSE_FINISHED) 98 { 99+ fuzz_success = 0; 100 msg(M_FATAL, "Footer text not found in file '%s' (%d/%d/%d bytes found/min/max)", 101 print_key_filename(file, flags & RKF_INLINE), count, onekeylen, 102 keylen); 103 } 104+ else { 105+ fuzz_success = 1; 106+ } 107 } 108 109 /* zero file read buffer if not an inline file */ 110