]> git.bitcoin.ninja Git - rust-lightning/commitdiff
Add some fuzz targets.
authorMatt Corallo <git@bluematt.me>
Mon, 19 Mar 2018 21:45:58 +0000 (17:45 -0400)
committerMatt Corallo <git@bluematt.me>
Fri, 23 Mar 2018 17:16:24 +0000 (13:16 -0400)
Sadly none of them are really any good without some hand-holding to
generate good input data, and unless sha256 gets stubbed out I'm
not sure they're gonna get good without a symbolic execution fuzzer

Cargo.toml
fuzz/Cargo.toml [new file with mode: 0644]
fuzz/fuzz_targets/channel_target.rs [new file with mode: 0644]
fuzz/fuzz_targets/full_stack_target.rs [new file with mode: 0644]
fuzz/fuzz_targets/peer_crypt_target.rs [new file with mode: 0644]

index 072f5a3a9746963e384657d2ab94ec6eff70414d..f5aa85db4aa7f4280b39f37682ce90d54dd15940 100644 (file)
@@ -12,7 +12,7 @@ Still super-early code-dump quality and is missing large chunks. See README in g
 [features]
 # Supports tracking channels with a non-bitcoin chain hashes. Currently enables all kinds of fun DoS attacks.
 non_bitcoin_chain_hash_routing = []
-fuzztarget = ["secp256k1/fuzztarget"]
+fuzztarget = ["secp256k1/fuzztarget", "bitcoin/fuzztarget"]
 
 [dependencies]
 bitcoin = "0.12"
diff --git a/fuzz/Cargo.toml b/fuzz/Cargo.toml
new file mode 100644 (file)
index 0000000..6b45066
--- /dev/null
@@ -0,0 +1,35 @@
+[package]
+name = "lightning-fuzz"
+version = "0.0.1"
+authors = ["Automatically generated"]
+publish = false
+
+[package.metadata]
+cargo-fuzz = true
+
+[features]
+afl_fuzz = ["afl"]
+honggfuzz_fuzz = ["honggfuzz"]
+
+[dependencies]
+lightning = { path = "..", features = ["fuzztarget"] }
+bitcoin = { version = "0.12", features = ["fuzztarget"] }
+secp256k1 = { version = "0.9", features = ["fuzztarget"] }
+honggfuzz = { version = "0.5", optional = true }
+afl = { version = "0.3", optional = true }
+
+# Prevent this from interfering with workspaces
+[workspace]
+members = ["."]
+
+[[bin]]
+name = "peer_crypt_target"
+path = "fuzz_targets/peer_crypt_target.rs"
+
+[[bin]]
+name = "channel_target"
+path = "fuzz_targets/channel_target.rs"
+
+[[bin]]
+name = "full_stack_target"
+path = "fuzz_targets/full_stack_target.rs"
diff --git a/fuzz/fuzz_targets/channel_target.rs b/fuzz/fuzz_targets/channel_target.rs
new file mode 100644 (file)
index 0000000..b8da216
--- /dev/null
@@ -0,0 +1,299 @@
+extern crate bitcoin;
+extern crate lightning;
+extern crate secp256k1;
+
+use bitcoin::blockdata::block::BlockHeader;
+use bitcoin::blockdata::transaction::Transaction;
+use bitcoin::util::hash::Sha256dHash;
+use bitcoin::network::serialize::{serialize, BitcoinHash};
+
+use lightning::ln::channel::Channel;
+use lightning::ln::channelmanager::PendingForwardHTLCInfo;
+use lightning::ln::msgs;
+use lightning::ln::msgs::MsgDecodable;
+use lightning::chain::chaininterface::{FeeEstimator, ConfirmationTarget};
+
+use secp256k1::key::PublicKey;
+use secp256k1::Secp256k1;
+
+use std::sync::atomic::{AtomicUsize,Ordering};
+
+#[inline]
+pub fn slice_to_be16(v: &[u8]) -> u16 {
+       ((v[0] as u16) << 8*1) |
+       ((v[1] as u16) << 8*0)
+}
+
+#[inline]
+pub fn slice_to_be32(v: &[u8]) -> u32 {
+       ((v[0] as u32) << 8*3) |
+       ((v[1] as u32) << 8*2) |
+       ((v[2] as u32) << 8*1) |
+       ((v[3] as u32) << 8*0)
+}
+
+#[inline]
+pub fn slice_to_be64(v: &[u8]) -> u64 {
+       ((v[0] as u64) << 8*7) |
+       ((v[1] as u64) << 8*6) |
+       ((v[2] as u64) << 8*5) |
+       ((v[3] as u64) << 8*4) |
+       ((v[4] as u64) << 8*3) |
+       ((v[5] as u64) << 8*2) |
+       ((v[6] as u64) << 8*1) |
+       ((v[7] as u64) << 8*0)
+}
+
+#[inline]
+fn slice_to_be24(v: &[u8]) -> u64 {
+       //TODO: We should probably be returning a Result for channel creation, not panic!()ing on
+       //>2**24 values...
+       ((v[0] as u64) << 8*2) |
+       ((v[1] as u64) << 8*1) |
+       ((v[2] as u64) << 8*0)
+}
+
+struct InputData<'a> {
+       data: &'a [u8],
+       read_pos: AtomicUsize,
+}
+impl<'a> InputData<'a> {
+       fn get_slice(&self, len: usize) -> Option<&'a [u8]> {
+               let old_pos = self.read_pos.fetch_add(len, Ordering::AcqRel);
+               if self.data.len() < old_pos + len {
+                       return None;
+               }
+               Some(&self.data[old_pos..old_pos + len])
+       }
+       fn get_slice_nonadvancing(&self, len: usize) -> Option<&'a [u8]> {
+               let old_pos = self.read_pos.load(Ordering::Acquire);
+               if self.data.len() < old_pos + len {
+                       return None;
+               }
+               Some(&self.data[old_pos..old_pos + len])
+       }
+}
+
+struct FuzzEstimator<'a> {
+       input: &'a InputData<'a>,
+}
+impl<'a> FeeEstimator for FuzzEstimator<'a> {
+       fn get_est_sat_per_vbyte(&self, _: ConfirmationTarget) -> u64 {
+               //TODO: We should actually be testing at least much more than 64k...
+               match self.input.get_slice(2) {
+                       Some(slice) => slice_to_be16(slice) as u64,
+                       None => 0
+               }
+       }
+}
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+       let input = InputData {
+               data,
+               read_pos: AtomicUsize::new(0),
+       };
+       let fee_est = FuzzEstimator {
+               input: &input,
+       };
+
+       macro_rules! get_slice {
+               ($len: expr) => {
+                       match input.get_slice($len as usize) {
+                               Some(slice) => slice,
+                               None => return,
+                       }
+               }
+       }
+
+       macro_rules! decode_msg {
+               ($MsgType: path, $len: expr) => {
+                       match <($MsgType)>::decode(get_slice!($len)) {
+                               Ok(msg) => msg,
+                               Err(e) => match e {
+                                       msgs::DecodeError::UnknownRealmByte => return,
+                                       msgs::DecodeError::BadPublicKey => return,
+                                       msgs::DecodeError::BadSignature => return,
+                                       msgs::DecodeError::WrongLength => panic!("We picked the length..."),
+                               }
+                       }
+               }
+       }
+
+       macro_rules! decode_msg_with_len16 {
+               ($MsgType: path, $begin_len: expr, $factor: expr) => {
+                       {
+                               let extra_len = slice_to_be16(&match input.get_slice_nonadvancing($begin_len as usize + 2) {
+                                       Some(slice) => slice,
+                                       None => return,
+                               }[$begin_len..$begin_len + 2]);
+                               match <($MsgType)>::decode(get_slice!($begin_len as usize + 2 + (extra_len as usize)*$factor)) {
+                                       Ok(msg) => msg,
+                                       Err(e) => match e {
+                                               msgs::DecodeError::UnknownRealmByte => return,
+                                               msgs::DecodeError::BadPublicKey => return,
+                                               msgs::DecodeError::BadSignature => return,
+                                               msgs::DecodeError::WrongLength => panic!("We picked the length..."),
+                                       }
+                               }
+                       }
+               }
+       }
+
+       let secp_ctx = Secp256k1::new();
+       macro_rules! get_pubkey {
+               () => {
+                       match PublicKey::from_slice(&secp_ctx, get_slice!(33)) {
+                               Ok(key) => key,
+                               Err(_) => return,
+                       }
+               }
+       }
+
+       macro_rules! return_err {
+               ($expr: expr) => {
+                       match $expr {
+                               Ok(_) => {},
+                               Err(_) => return,
+                       }
+               }
+       }
+
+       let their_pubkey = get_pubkey!();
+
+       let tx = Transaction { version: 0, lock_time: 0, input: Vec::new(), output: Vec::new(), witness: Vec::new() };
+       let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
+
+       let mut channel = if get_slice!(1)[0] != 0 {
+               let mut chan = Channel::new_outbound(&fee_est, their_pubkey, slice_to_be24(get_slice!(3)), get_slice!(1)[0] == 0, slice_to_be64(get_slice!(8)));
+               chan.get_open_channel(Sha256dHash::from(get_slice!(32)), &fee_est).unwrap();
+               let accept_chan = if get_slice!(1)[0] == 0 {
+                       decode_msg_with_len16!(msgs::AcceptChannel, 270, 1)
+               } else {
+                       decode_msg!(msgs::AcceptChannel, 270)
+               };
+               return_err!(chan.accept_channel(&accept_chan));
+               chan.get_outbound_funding_created(funding_output.0.clone(), funding_output.1).unwrap();
+               let funding_signed = decode_msg!(msgs::FundingSigned, 32+64);
+               return_err!(chan.funding_signed(&funding_signed));
+               chan
+       } else {
+               let open_chan = if get_slice!(1)[0] == 0 {
+                       decode_msg_with_len16!(msgs::OpenChannel, 2*32+6*8+4+2*2+6*33+1, 1)
+               } else {
+                       decode_msg!(msgs::OpenChannel, 2*32+6*8+4+2*2+6*33+1)
+               };
+               let mut chan = match Channel::new_from_req(&fee_est, their_pubkey, &open_chan, slice_to_be64(get_slice!(8)), get_slice!(1)[0] == 0) {
+                       Ok(chan) => chan,
+                       Err(_) => return,
+               };
+               chan.get_accept_channel().unwrap();
+               let mut funding_created = decode_msg!(msgs::FundingCreated, 32+32+2+64);
+               funding_created.funding_txid = funding_output.0.clone();
+               funding_created.funding_output_index = funding_output.1;
+               return_err!(chan.funding_created(&funding_created));
+               chan
+       };
+
+       let mut header = BlockHeader { version: 0x20000000, prev_blockhash: Default::default(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
+       channel.block_connected(&header, 1, &[&tx; 1], &[42; 1]);
+       for i in 2..100 {
+               header = BlockHeader { version: 0x20000000, prev_blockhash: header.bitcoin_hash(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
+               channel.block_connected(&header, i, &[&tx; 0], &[0; 0]);
+       }
+
+       let funding_locked = decode_msg!(msgs::FundingLocked, 32+33);
+       return_err!(channel.funding_locked(&funding_locked));
+
+       loop {
+               match get_slice!(1)[0] {
+                       0 => {
+                               return_err!(channel.send_htlc(slice_to_be64(get_slice!(8)), [42; 32], slice_to_be32(get_slice!(4)), msgs::OnionPacket {
+                                       version: get_slice!(1)[0],
+                                       public_key: get_pubkey!(),
+                                       hop_data: [0; 20*65],
+                                       hmac: [0; 32],
+                               }));
+                       },
+                       1 => {
+                               return_err!(channel.send_commitment());
+                       },
+                       2 => {
+                               let update_add_htlc = decode_msg!(msgs::UpdateAddHTLC, 32+8+8+32+4+4+33+20*65+32);
+                               return_err!(channel.update_add_htlc(&update_add_htlc, PendingForwardHTLCInfo::dummy()));
+                       },
+                       3 => {
+                               let update_fulfill_htlc = decode_msg!(msgs::UpdateFulfillHTLC, 32 + 8 + 32);
+                               return_err!(channel.update_fulfill_htlc(&update_fulfill_htlc));
+                       },
+                       4 => {
+                               let update_fail_htlc = decode_msg_with_len16!(msgs::UpdateFailHTLC, 32 + 8, 1);
+                               return_err!(channel.update_fail_htlc(&update_fail_htlc));
+                       },
+                       5 => {
+                               let update_fail_malformed_htlc = decode_msg!(msgs::UpdateFailMalformedHTLC, 32+8+32+2);
+                               return_err!(channel.update_fail_malformed_htlc(&update_fail_malformed_htlc));
+                       },
+                       6 => {
+                               let commitment_signed = decode_msg_with_len16!(msgs::CommitmentSigned, 32+64, 64);
+                               return_err!(channel.commitment_signed(&commitment_signed));
+                       },
+                       7 => {
+                               let revoke_and_ack = decode_msg!(msgs::RevokeAndACK, 32+32+33);
+                               return_err!(channel.revoke_and_ack(&revoke_and_ack));
+                       },
+                       8 => {
+                               let update_fee = decode_msg!(msgs::UpdateFee, 32+4);
+                               return_err!(channel.update_fee(&fee_est, &update_fee));
+                       },
+                       _ => return,
+               }
+       }
+}
+
+#[cfg(feature = "afl")]
+extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+       afl::read_stdio_bytes(|data| {
+               do_test(&data);
+       });
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+       loop {
+               fuzz!(|data| {
+                       do_test(data);
+               });
+       }
+}
+
+#[cfg(test)]
+mod tests {
+       fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+               let mut b = 0;
+               for (idx, c) in hex.as_bytes().iter().enumerate() {
+                       b <<= 4;
+                       match *c {
+                               b'A'...b'F' => b |= c - b'A' + 10,
+                               b'a'...b'f' => b |= c - b'a' + 10,
+                               b'0'...b'9' => b |= c - b'0',
+                               _ => panic!("Bad hex"),
+                       }
+                       if (idx & 1) == 1 {
+                               out.push(b);
+                               b = 0;
+                       }
+               }
+       }
+
+       #[test]
+       fn duplicate_crash() {
+               let mut a = Vec::new();
+               extend_vec_from_hex("00", &mut a);
+               super::do_test(&a);
+       }
+}
diff --git a/fuzz/fuzz_targets/full_stack_target.rs b/fuzz/fuzz_targets/full_stack_target.rs
new file mode 100644 (file)
index 0000000..0264bbe
--- /dev/null
@@ -0,0 +1,224 @@
+extern crate bitcoin;
+extern crate lightning;
+extern crate secp256k1;
+
+use bitcoin::network::constants::Network;
+use bitcoin::util::hash::Sha256dHash;
+
+use lightning::chain::chaininterface::{ConfirmationTarget,FeeEstimator,ChainWatchInterfaceUtil};
+use lightning::ln::{channelmonitor,msgs};
+use lightning::ln::channelmanager::ChannelManager;
+use lightning::ln::peer_handler::{MessageHandler,PeerManager,SocketDescriptor};
+use lightning::ln::router::Router;
+
+use secp256k1::key::{PublicKey,SecretKey};
+use secp256k1::Secp256k1;
+
+use std::sync::Arc;
+use std::sync::atomic::{AtomicUsize,Ordering};
+
+#[inline]
+pub fn slice_to_be16(v: &[u8]) -> u16 {
+       ((v[0] as u16) << 8*1) |
+       ((v[1] as u16) << 8*0)
+}
+
+#[inline]
+pub fn slice_to_be32(v: &[u8]) -> u32 {
+       ((v[0] as u32) << 8*3) |
+       ((v[1] as u32) << 8*2) |
+       ((v[2] as u32) << 8*1) |
+       ((v[3] as u32) << 8*0)
+}
+
+struct InputData {
+       data: Vec<u8>,
+       read_pos: AtomicUsize,
+}
+impl InputData {
+       fn get_slice(&self, len: usize) -> Option<&[u8]> {
+               let old_pos = self.read_pos.fetch_add(len, Ordering::AcqRel);
+               if self.data.len() < old_pos + len {
+                       return None;
+               }
+               Some(&self.data[old_pos..old_pos + len])
+       }
+       fn get_slice_nonadvancing(&self, len: usize) -> Option<&[u8]> {
+               let old_pos = self.read_pos.load(Ordering::Acquire);
+               if self.data.len() < old_pos + len {
+                       return None;
+               }
+               Some(&self.data[old_pos..old_pos + len])
+       }
+}
+
+struct FuzzEstimator {
+       input: Arc<InputData>,
+}
+impl FeeEstimator for FuzzEstimator {
+       fn get_est_sat_per_vbyte(&self, _: ConfirmationTarget) -> u64 {
+               //TODO: We should actually be testing at least much more than 64k...
+               match self.input.get_slice(2) {
+                       Some(slice) => slice_to_be16(slice) as u64,
+                       None => 0
+               }
+       }
+}
+
+struct TestChannelMonitor {}
+impl channelmonitor::ManyChannelMonitor for TestChannelMonitor {
+       fn add_update_monitor(&self, _funding_txo: (Sha256dHash, u16), _monitor: channelmonitor::ChannelMonitor) -> Result<(), msgs::HandleError> {
+               //TODO!
+               Ok(())
+       }
+}
+
+#[derive(Clone, PartialEq, Eq, Hash)]
+struct Peer {
+       id: u8,
+}
+impl SocketDescriptor for Peer {
+       fn send_data(&mut self, data: &Vec<u8>, write_offset: usize, _resume_read: bool) -> usize {
+               assert!(write_offset < data.len());
+               data.len() - write_offset
+       }
+}
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+       let input = Arc::new(InputData {
+               data: data.to_vec(),
+               read_pos: AtomicUsize::new(0),
+       });
+       let fee_est = Arc::new(FuzzEstimator {
+               input: input.clone(),
+       });
+
+       macro_rules! get_slice {
+               ($len: expr) => {
+                       match input.get_slice($len as usize) {
+                               Some(slice) => slice,
+                               None => return,
+                       }
+               }
+       }
+
+       let secp_ctx = Secp256k1::new();
+       macro_rules! get_pubkey {
+               () => {
+                       match PublicKey::from_slice(&secp_ctx, get_slice!(33)) {
+                               Ok(key) => key,
+                               Err(_) => return,
+                       }
+               }
+       }
+
+       let our_network_key = match SecretKey::from_slice(&secp_ctx, get_slice!(32)) {
+               Ok(key) => key,
+               Err(_) => return,
+       };
+
+       let monitor = Arc::new(TestChannelMonitor{});
+       let watch = Arc::new(ChainWatchInterfaceUtil::new());
+
+       let channelmanager = ChannelManager::new(our_network_key, slice_to_be32(get_slice!(4)), get_slice!(1)[0] != 0, Network::Bitcoin, fee_est.clone(), monitor.clone(), watch.clone()).unwrap();
+       let router = Arc::new(Router::new(PublicKey::from_secret_key(&secp_ctx, &our_network_key).unwrap()));
+
+       let handler = PeerManager::new(MessageHandler {
+               chan_handler: channelmanager.clone(),
+               route_handler: router.clone(),
+       }, our_network_key);
+
+       let mut peers = [false; 256];
+
+       loop {
+               match get_slice!(1)[0] {
+                       0 => {
+                               let mut new_id = 0;
+                               for i in 1..256 {
+                                       if !peers[i-1] {
+                                               new_id = i;
+                                               break;
+                                       }
+                               }
+                               if new_id == 0 { return; }
+                               peers[new_id - 1] = true;
+                               handler.new_outbound_connection(get_pubkey!(), Peer{id: (new_id - 1) as u8}).unwrap();
+                       },
+                       1 => {
+                               let mut new_id = 0;
+                               for i in 1..256 {
+                                       if !peers[i-1] {
+                                               new_id = i;
+                                               break;
+                                       }
+                               }
+                               if new_id == 0 { return; }
+                               peers[new_id - 1] = true;
+                               handler.new_inbound_connection(Peer{id: (new_id - 1) as u8}).unwrap();
+                       },
+                       2 => {
+                               let peer_id = get_slice!(1)[0];
+                               if !peers[peer_id as usize] { return; }
+                               peers[peer_id as usize] = false;
+                               handler.disconnect_event(&Peer{id: peer_id});
+                       },
+                       3 => {
+                               let peer_id = get_slice!(1)[0];
+                               if !peers[peer_id as usize] { return; }
+                               match handler.read_event(&mut Peer{id: peer_id}, get_slice!(get_slice!(1)[0]).to_vec()) {
+                                       Ok(res) => assert!(!res),
+                                       Err(_) => { peers[peer_id as usize] = false; }
+                               }
+                       },
+                       _ => return,
+               }
+       }
+}
+
+#[cfg(feature = "afl")]
+extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+       afl::read_stdio_bytes(|data| {
+               do_test(&data);
+       });
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+       loop {
+               fuzz!(|data| {
+                       do_test(data);
+               });
+       }
+}
+
+#[cfg(test)]
+mod tests {
+       fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+               let mut b = 0;
+               for (idx, c) in hex.as_bytes().iter().enumerate() {
+                       b <<= 4;
+                       match *c {
+                               b'A'...b'F' => b |= c - b'A' + 10,
+                               b'a'...b'f' => b |= c - b'a' + 10,
+                               b'0'...b'9' => b |= c - b'0',
+                               _ => panic!("Bad hex"),
+                       }
+                       if (idx & 1) == 1 {
+                               out.push(b);
+                               b = 0;
+                       }
+               }
+       }
+
+       #[test]
+       fn duplicate_crash() {
+               let mut a = Vec::new();
+               extend_vec_from_hex("00", &mut a);
+               super::do_test(&a);
+       }
+}
diff --git a/fuzz/fuzz_targets/peer_crypt_target.rs b/fuzz/fuzz_targets/peer_crypt_target.rs
new file mode 100644 (file)
index 0000000..b7287fb
--- /dev/null
@@ -0,0 +1,124 @@
+extern crate lightning;
+extern crate secp256k1;
+
+use lightning::ln::peer_channel_encryptor::PeerChannelEncryptor;
+
+use secp256k1::key::{PublicKey,SecretKey};
+use secp256k1::Secp256k1;
+
+#[inline]
+fn slice_to_be16(v: &[u8]) -> u16 {
+       ((v[0] as u16) << 8*1) |
+       ((v[1] as u16) << 8*0)
+}
+
+#[inline]
+pub fn do_test(data: &[u8]) {
+       let mut read_pos = 0;
+       macro_rules! get_slice {
+               ($len: expr) => {
+                       {
+                               let slice_len = $len as usize;
+                               if data.len() < read_pos + slice_len {
+                                       return;
+                               }
+                               read_pos += slice_len;
+                               &data[read_pos - slice_len..read_pos]
+                       }
+               }
+       }
+
+       let secp_ctx = Secp256k1::new();
+       let our_network_key = match SecretKey::from_slice(&secp_ctx, get_slice!(32)) {
+               Ok(key) => key,
+               Err(_) => return,
+       };
+
+       let mut crypter = if get_slice!(1)[0] != 0 {
+               let their_pubkey = match PublicKey::from_slice(&secp_ctx, get_slice!(33)) {
+                       Ok(key) => key,
+                       Err(_) => return,
+               };
+               let mut crypter = PeerChannelEncryptor::new_outbound(their_pubkey);
+               crypter.get_act_one();
+               match crypter.process_act_two(get_slice!(50), &our_network_key) {
+                       Ok(_) => {},
+                       Err(_) => return,
+               }
+               assert!(crypter.is_ready_for_encryption());
+               crypter
+       } else {
+               let mut crypter = PeerChannelEncryptor::new_inbound(&our_network_key);
+               match crypter.process_act_one_with_key(get_slice!(50), &our_network_key) {
+                       Ok(_) => {},
+                       Err(_) => return,
+               }
+               match crypter.process_act_three(get_slice!(66)) {
+                       Ok(_) => {},
+                       Err(_) => return,
+               }
+               assert!(crypter.is_ready_for_encryption());
+               crypter
+       };
+       loop {
+               if get_slice!(1)[0] == 0 {
+                       crypter.encrypt_message(get_slice!(slice_to_be16(get_slice!(2))));
+               } else {
+                       let len = match crypter.decrypt_length_header(get_slice!(16+2)) {
+                               Ok(len) => len,
+                               Err(_) => return,
+                       };
+                       match crypter.decrypt_message(get_slice!(len as usize + 16)) {
+                               Ok(_) => {},
+                               Err(_) => return,
+                       }
+               }
+       }
+}
+
+#[cfg(feature = "afl")]
+extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+       afl::read_stdio_bytes(|data| {
+               do_test(&data);
+       });
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+       loop {
+               fuzz!(|data| {
+                       do_test(data);
+               });
+       }
+}
+
+#[cfg(test)]
+mod tests {
+       fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+               let mut b = 0;
+               for (idx, c) in hex.as_bytes().iter().enumerate() {
+                       b <<= 4;
+                       match *c {
+                               b'A'...b'F' => b |= c - b'A' + 10,
+                               b'a'...b'f' => b |= c - b'a' + 10,
+                               b'0'...b'9' => b |= c - b'0',
+                               _ => panic!("Bad hex"),
+                       }
+                       if (idx & 1) == 1 {
+                               out.push(b);
+                               b = 0;
+                       }
+               }
+       }
+
+       #[test]
+       fn duplicate_crash() {
+               let mut a = Vec::new();
+               extend_vec_from_hex("01", &mut a);
+               super::do_test(&a);
+       }
+}