diff --git a/.clusterfuzzlite/Dockerfile b/.clusterfuzzlite/Dockerfile
new file mode 100644
index 000000000..32efe99a5
--- /dev/null
+++ b/.clusterfuzzlite/Dockerfile
@@ -0,0 +1,17 @@
+FROM ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-lite:latest AS LITE_BUILDER
+
+# Base image with clang toolchain
+FROM gcr.io/oss-fuzz-base/base-builder:v1
+
+# Copy the project's source code.
+COPY . $SRC/app-ethereum
+COPY --from=LITE_BUILDER /opt/ledger-secure-sdk $SRC/app-ethereum/BOLOS_SDK
+
+# Add the ethereum-plugin-sdk submodule
+RUN git clone https://github.com/LedgerHQ/ethereum-plugin-sdk.git $SRC/app-ethereum/ethereum-plugin-sdk
+
+# Working directory for build.sh
+WORKDIR $SRC/app-ethereum
+
+# Copy build.sh into $SRC dir.
+COPY ./.clusterfuzzlite/build.sh $SRC/
diff --git a/.clusterfuzzlite/build.sh b/.clusterfuzzlite/build.sh
new file mode 100644
index 000000000..7d9169f61
--- /dev/null
+++ b/.clusterfuzzlite/build.sh
@@ -0,0 +1,9 @@
+#!/bin/bash -eu
+
+# build fuzzers
+
+pushd tests/fuzzing
+cmake -DBOLOS_SDK=../../BOLOS_SDK -Bbuild -H.
+make -C build
+mv ./build/fuzz_app_eth "${OUT}"
+popd
diff --git a/.clusterfuzzlite/project.yaml b/.clusterfuzzlite/project.yaml
new file mode 100644
index 000000000..b455aa397
--- /dev/null
+++ b/.clusterfuzzlite/project.yaml
@@ -0,0 +1 @@
+language: c
diff --git a/.github/workflows/cflite_cron.yml b/.github/workflows/cflite_cron.yml
new file mode 100644
index 000000000..17c1e65a2
--- /dev/null
+++ b/.github/workflows/cflite_cron.yml
@@ -0,0 +1,40 @@
+name: ClusterFuzzLite cron tasks
+on:
+ workflow_dispatch:
+ push:
+ branches:
+ - main # Use your actual default branch here.
+ schedule:
+ - cron: '0 13 * * 6' # At 01:00 PM, only on Saturday
+permissions: read-all
+jobs:
+ Fuzzing:
+ runs-on: ubuntu-latest
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ - mode: batch
+ sanitizer: address
+ - mode: batch
+ sanitizer: memory
+ - mode: prune
+ sanitizer: address
+ - mode: coverage
+ sanitizer: coverage
+ steps:
+ - name: Build Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+ id: build
+ uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ language: c # Change this to the language you are fuzzing.
+ sanitizer: ${{ matrix.sanitizer }}
+ - name: Run Fuzzers (${{ matrix.mode }} - ${{ matrix.sanitizer }})
+ id: run
+ uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ fuzz-seconds: 300 # 5 minutes
+ mode: ${{ matrix.mode }}
+ sanitizer: ${{ matrix.sanitizer }}
diff --git a/.github/workflows/cflite_pr.yml b/.github/workflows/cflite_pr.yml
new file mode 100644
index 000000000..09f91dafe
--- /dev/null
+++ b/.github/workflows/cflite_pr.yml
@@ -0,0 +1,43 @@
+name: ClusterFuzzLite PR fuzzing
+on:
+ pull_request:
+ paths:
+ - '**'
+permissions: read-all
+jobs:
+ PR:
+ runs-on: ubuntu-latest
+ concurrency:
+ group: ${{ github.workflow }}-${{ matrix.sanitizer }}-${{ github.ref }}
+ cancel-in-progress: true
+ strategy:
+ fail-fast: false
+ matrix:
+ sanitizer: [address, undefined, memory] # Override this with the sanitizers you want.
+ steps:
+ - name: Build Fuzzers (${{ matrix.sanitizer }})
+ id: build
+ uses: google/clusterfuzzlite/actions/build_fuzzers@v1
+ with:
+ language: c # Change this to the language you are fuzzing.
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ sanitizer: ${{ matrix.sanitizer }}
+ # Optional but recommended: used to only run fuzzers that are affected
+ # by the PR.
+ # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+ # storage-repo-branch: main # Optional. Defaults to "main"
+ # storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages".
+ - name: Run Fuzzers (${{ matrix.sanitizer }})
+ id: run
+ uses: google/clusterfuzzlite/actions/run_fuzzers@v1
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ fuzz-seconds: 300 # 5 minutes
+ mode: 'code-change'
+ sanitizer: ${{ matrix.sanitizer }}
+ output-sarif: true
+ # Optional but recommended: used to download the corpus produced by
+ # batch fuzzing.
+ # storage-repo: https://${{ secrets.PERSONAL_ACCESS_TOKEN }}@github.com/OWNER/STORAGE-REPO-NAME.git
+ # storage-repo-branch: main # Optional. Defaults to "main"
+ # storage-repo-branch-coverage: gh-pages # Optional. Defaults to "gh-pages".
diff --git a/tests/fuzzing/CMakeLists.txt b/tests/fuzzing/CMakeLists.txt
new file mode 100644
index 000000000..1a59c68f7
--- /dev/null
+++ b/tests/fuzzing/CMakeLists.txt
@@ -0,0 +1,184 @@
+cmake_minimum_required(VERSION 3.10)
+
+if(${CMAKE_VERSION} VERSION_LESS 3.10)
+ cmake_policy(VERSION ${CMAKE_MAJOR_VERSION}.${CMAKE_MINOR_VERSION})
+endif()
+
+# project information
+project(Fuzzer
+ VERSION 1.0
+ DESCRIPTION "Eth Fuzzer"
+ LANGUAGES C)
+
+set(CMAKE_C_COMPILER clang)
+
+set(CMAKE_BUILD_TYPE "Debug")
+
+# compatible with ClusterFuzzLite
+if (NOT DEFINED ENV{LIB_FUZZING_ENGINE})
+ set(COMPILATION_FLAGS_ "-g -Wall -fsanitize=fuzzer,address,undefined")
+else()
+ set(COMPILATION_FLAGS_ "$ENV{LIB_FUZZING_ENGINE} $ENV{CXXFLAGS}")
+endif()
+
+set(CMAKE_EXPORT_COMPILE_COMMANDS ON)
+
+string(REPLACE " " ";" COMPILATION_FLAGS ${COMPILATION_FLAGS_})
+
+# specify C standard
+set(CMAKE_C_STANDARD 11)
+set(CMAKE_C_STANDARD_REQUIRED True)
+set(CMAKE_C_FLAGS_DEBUG
+ "${CMAKE_C_FLAGS_DEBUG} -Wall -Wextra -Wno-unused-function -DFUZZ -pedantic -g -O0"
+)
+
+# guard against in-source builds
+if(${CMAKE_SOURCE_DIR} STREQUAL ${CMAKE_BINARY_DIR})
+ message(FATAL_ERROR "In-source builds not allowed. Please make a new directory (called a build directory) and run CMake from there. You may need to remove CMakeCache.txt. ")
+endif()
+
+set(TARGET_DEVICE flex)
+if (NOT DEFINED BOLOS_SDK)
+ message(FATAL_ERROR "BOLOS_SDK environment variable not found.")
+endif()
+
+set(DEFINES
+ gcc
+ APPNAME=\"Fuzzing\"
+ API_LEVEL=21
+ TARGET=\"flex\"
+ TARGET_NAME=\"TARGET_FLEX\"
+ APPVERSION=\"1.1.0\"
+ SDK_NAME=\"ledger-secure-sdk\"
+ SDK_VERSION=\"v21.3.3\"
+ SDK_HASH=\"d88d4db3c93665f52b5b1f45099d9d36dfaa06ba\"
+ gcc
+ __IO=volatile
+ NDEBUG
+ HAVE_BAGL_FONT_INTER_REGULAR_28PX
+ HAVE_BAGL_FONT_INTER_SEMIBOLD_28PX
+ HAVE_BAGL_FONT_INTER_MEDIUM_36PX
+ HAVE_INAPP_BLE_PAIRING
+ HAVE_NBGL
+ HAVE_PIEZO_SOUND
+ HAVE_SE_TOUCH
+ HAVE_SE_EINK_DISPLAY
+ NBGL_PAGE
+ NBGL_USE_CASE
+ SCREEN_SIZE_WALLET
+ HAVE_FAST_HOLD_TO_APPROVE
+ HAVE_LEDGER_PKI
+ HAVE_NES_CRYPT
+ HAVE_ST_AES
+ NATIVE_LITTLE_ENDIAN
+ HAVE_CRC
+ HAVE_HASH
+ HAVE_RIPEMD160
+ HAVE_SHA224
+ HAVE_SHA256
+ HAVE_SHA3
+ HAVE_SHA384
+ HAVE_SHA512
+ HAVE_SHA512_WITH_BLOCK_ALT_METHOD
+ HAVE_SHA512_WITH_BLOCK_ALT_METHOD_M0
+ HAVE_BLAKE2
+ HAVE_HMAC
+ HAVE_PBKDF2
+ HAVE_AES
+ HAVE_MATH
+ HAVE_RNG
+ HAVE_RNG_RFC6979
+ HAVE_RNG_SP800_90A
+ HAVE_ECC
+ HAVE_ECC_WEIERSTRASS
+ HAVE_ECC_TWISTED_EDWARDS
+ HAVE_ECC_MONTGOMERY
+ HAVE_SECP256K1_CURVE
+ HAVE_SECP256R1_CURVE
+ HAVE_SECP384R1_CURVE
+ HAVE_SECP521R1_CURVE
+ HAVE_FR256V1_CURVE
+ HAVE_STARK256_CURVE
+ HAVE_BRAINPOOL_P256R1_CURVE
+ HAVE_BRAINPOOL_P256T1_CURVE
+ HAVE_BRAINPOOL_P320R1_CURVE
+ HAVE_BRAINPOOL_P320T1_CURVE
+ HAVE_BRAINPOOL_P384R1_CURVE
+ HAVE_BRAINPOOL_P384T1_CURVE
+ HAVE_BRAINPOOL_P512R1_CURVE
+ HAVE_BRAINPOOL_P512T1_CURVE
+ HAVE_BLS12_381_G1_CURVE
+ HAVE_CV25519_CURVE
+ HAVE_CV448_CURVE
+ HAVE_ED25519_CURVE
+ HAVE_ED448_CURVE
+ HAVE_ECDH
+ HAVE_ECDSA
+ HAVE_EDDSA
+ HAVE_ECSCHNORR
+ HAVE_X25519
+ HAVE_X448
+ HAVE_AES_GCM
+ HAVE_CMAC
+ HAVE_AES_SIV
+ COIN_VARIANT=1
+ HAVE_BOLOS_APP_STACK_CANARY
+ IO_SEPROXYHAL_BUFFER_SIZE_B=300
+ HAVE_BLE
+ BLE_COMMAND_TIMEOUT_MS=2000
+ HAVE_BLE_APDU
+ BLE_SEGMENT_SIZE=32
+ HAVE_DEBUG_THROWS
+ NBGL_QRCODE
+ MAJOR_VERSION=1
+ MINOR_VERSION=1
+ PATCH_VERSION=0
+ IO_HID_EP_LENGTH=64
+ HAVE_SPRINTF
+ HAVE_SNPRINTF_FORMAT_U
+ HAVE_IO_USB
+ HAVE_L4_USBLIB
+ IO_USB_MAX_ENDPOINTS=4
+ HAVE_USB_APDU
+ USB_SEGMENT_SIZE=64
+ HAVE_WEBUSB
+ WEBUSB_URL_SIZE_B=0
+ WEBUSB_URL=
+ OS_IO_SEPROXYHAL
+ STANDARD_APP_SYNC_RAPDU
+ HAVE_GENERIC_TX_PARSER
+ HAVE_TRUSTED_NAME
+ HAVE_DYN_MEM_ALLOC
+ HAVE_SWAP
+ HAVE_ENUM_VALUE
+ HAVE_NFT_SUPPORT
+)
+set(DEFINE ${DEFINES} HAVE_PRINTF PRINTF=printf)
+
+add_compile_definitions(${DEFINES})
+
+FILE(GLOB_RECURSE SDK_STD_SOURCES ${BOLOS_SDK}/lib_standard_app/write.c src/mock.c)
+
+
+include_directories(
+ ${CMAKE_SOURCE_DIR}/../../ethereum-plugin-sdk/src/
+ ${CMAKE_SOURCE_DIR}/../../src
+ ${CMAKE_SOURCE_DIR}/../../src_features/provideDynamicNetwork/
+ ${BOLOS_SDK}/include
+ ${BOLOS_SDK}/lib_standard_app
+ ${BOLOS_SDK}/target/${TARGET_DEVICE}/include
+ ${BOLOS_SDK}/lib_cxng/include
+ ${BOLOS_SDK}/lib_cxng/src
+ ${BOLOS_SDK}/lib_ux_nbgl
+ ${BOLOS_SDK}/lib_nbgl/include
+ ${CMAKE_SOURCE_DIR}/src
+)
+
+FILE(GLOB_RECURSE SOURCES
+ ${CMAKE_SOURCE_DIR}/../../src_features/provideDynamicNetwork/*.c
+ ${CMAKE_SOURCE_DIR}/../../src/hash_bytes.c
+)
+
+add_executable(fuzz_app_eth src/fuzz_app_eth.c ${SDK_STD_SOURCES} ${SOURCES})
+target_compile_options(fuzz_app_eth PUBLIC ${COMPILATION_FLAGS})
+target_link_options(fuzz_app_eth PUBLIC ${COMPILATION_FLAGS})
diff --git a/tests/fuzzing/README.md b/tests/fuzzing/README.md
new file mode 100644
index 000000000..43ad67b02
--- /dev/null
+++ b/tests/fuzzing/README.md
@@ -0,0 +1,83 @@
+# Fuzzing Tests
+
+## Fuzzing
+
+Fuzzing allows us to test how a program behaves when provided with invalid, unexpected, or random data as input.
+
+Our fuzz target needs to implement `int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)`,
+which provides an array of random bytes that can be used to simulate a serialized buffer.
+If the application crashes, or a [sanitizer](https://github.com/google/sanitizers) detects
+any kind of access violation, the fuzzing process is stopped, a report regarding the vulnerability is shown,
+and the input that triggered the bug is written to disk under the name `crash-*`.
+The vulnerable input file created can be passed as an argument to the fuzzer to triage the issue.
+
+> **Note**: Usually we want to write a separate fuzz target for each functionality.
+
+## Manual usage based on Ledger container
+
+### Preparation
+
+The fuzzer can run from the docker `ledger-app-builder-legacy`. You can download it from the `ghcr.io` docker repository:
+
+```console
+sudo docker pull ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest
+```
+
+You can then enter this development environment by executing the following command from the repository root directory:
+
+```console
+sudo docker run --rm -ti --user "$(id -u):$(id -g)" -v "$(realpath .):/app" ghcr.io/ledgerhq/ledger-app-builder/ledger-app-builder-legacy:latest
+```
+
+### Compilation
+
+Once in the container, go into the `tests/fuzzing` folder to compile the fuzzer:
+
+```console
+cd tests/fuzzing
+
+# cmake initialization
+cmake -DBOLOS_SDK=/opt/ledger-secure-sdk -Bbuild -H.
+
+# Fuzzer compilation
+make -C build
+```
+
+### Run
+
+```console
+./build/fuzz_app_eth
+```
+
+## Full usage based on `clusterfuzzlite` container
+
+Exactly the same context as the CI, directly using the `clusterfuzzlite` environment.
+
+More info can be found here:
+
+
+### Preparation
+
+The principle is to build the container, and run it to perform the fuzzing.
+
+> **Note**: The container contains a copy of the sources (they are not cloned),
+> which means the `docker build` command must be re-executed after each code modification.
+
+```console
+# Prepare directory tree
+mkdir tests/fuzzing/{corpus,out}
+# Container generation
+docker build -t app-ethereum --file .clusterfuzzlite/Dockerfile .
+```
+
+### Compilation
+
+```console
+docker run --rm --privileged -e FUZZING_LANGUAGE=c -v "$(realpath .)/tests/fuzzing/out:/out" -ti app-ethereum
+```
+
+### Run
+
+```console
+docker run --rm --privileged -e FUZZING_ENGINE=libfuzzer -e RUN_FUZZER_MODE=interactive -v "$(realpath .)/tests/fuzzing/corpus:/tmp/fuzz_corpus" -v "$(realpath .)/tests/fuzzing/out:/out" -ti gcr.io/oss-fuzz-base/base-runner run_fuzzer fuzz_app_eth
+```
diff --git a/tests/fuzzing/src/fuzz_app_eth.c b/tests/fuzzing/src/fuzz_app_eth.c
new file mode 100644
index 000000000..c4f55501a
--- /dev/null
+++ b/tests/fuzzing/src/fuzz_app_eth.c
@@ -0,0 +1,36 @@
+#include
+#include
+#include
+#include
+#include
+#include
+
+#include "shared_context.h"
+#include "network_dynamic.h"
+
+unsigned char G_io_apdu_buffer[IO_APDU_BUFFER_SIZE];
+tmpContent_t tmpContent;
+const chain_config_t *chainConfig;
+txContext_t txContext;
+
+int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
+ explicit_bzero(G_io_apdu_buffer, 500);
+ explicit_bzero(&tmpContent, sizeof(tmpContent_t));
+ explicit_bzero(&txContext, sizeof(txContext_t));
+ size_t offset = 0;
+ size_t len = 0;
+ uint8_t p1;
+ uint8_t p2;
+ unsigned int tx;
+
+ while (size - offset > 4) {
+ if (data[offset++] == 0) break;
+ p1 = data[offset++];
+ p2 = data[offset++];
+ len = data[offset++];
+ if (size - offset < len) return 0;
+ handleNetworkConfiguration(p1, p2, data + offset, len, &tx);
+ offset += len;
+ }
+ return 0;
+}
diff --git a/tests/fuzzing/src/glyphs.h b/tests/fuzzing/src/glyphs.h
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/fuzzing/src/mock.c b/tests/fuzzing/src/mock.c
new file mode 100644
index 000000000..7328a6adc
--- /dev/null
+++ b/tests/fuzzing/src/mock.c
@@ -0,0 +1,110 @@
+#include
+
+#include "cx_errors.h"
+#include "cx_sha256.h"
+#include "cx_sha3.h"
+
+cx_err_t cx_sha256_init_no_throw(cx_sha256_t *hash) {
+ memset(hash, 0, sizeof(cx_sha256_t));
+ return CX_OK;
+}
+
+cx_err_t cx_hash_no_throw(cx_hash_t *hash,
+ uint32_t mode,
+ const uint8_t *in,
+ size_t len,
+ uint8_t *out,
+ size_t out_len) {
+ UNUSED(hash);
+ UNUSED(mode);
+ if (len > 0 && out_len > 0) out[out_len - 1] = in[len - 1];
+ return CX_OK;
+}
+
+void assert_exit(bool confirm) {
+ UNUSED(confirm);
+ exit(1);
+}
+
+cx_err_t cx_keccak_256_hash_iovec(const cx_iovec_t *iovec,
+ size_t iovec_len,
+ uint8_t digest[static CX_KECCAK_256_SIZE]) {
+ UNUSED(iovec);
+ UNUSED(iovec_len);
+ digest[CX_KECCAK_256_SIZE - 1] = 0;
+ return CX_OK;
+}
+
+cx_err_t cx_sha256_hash_iovec(const cx_iovec_t *iovec,
+ size_t iovec_len,
+ uint8_t digest[static CX_SHA256_SIZE]) {
+ UNUSED(iovec);
+ UNUSED(iovec_len);
+ digest[CX_SHA256_SIZE - 1] = 0;
+ return CX_OK;
+}
+
+int check_signature_with_pubkey(const char *tag,
+ uint8_t *buffer,
+ const uint8_t bufLen,
+ const uint8_t *PubKey,
+ const uint8_t keyLen,
+#ifdef HAVE_LEDGER_PKI
+ const uint8_t keyUsageExp,
+#endif
+ uint8_t *signature,
+ const uint8_t sigLen) {
+ UNUSED(tag);
+ UNUSED(buffer);
+ UNUSED(bufLen);
+ UNUSED(PubKey);
+#ifdef HAVE_LEDGER_PKI
+ UNUSED(keyUsageExp);
+#endif
+ UNUSED(keyLen);
+ UNUSED(signature);
+ UNUSED(sigLen);
+ return CX_OK;
+}
+
+uint64_t u64_from_BE(const uint8_t *in, uint8_t size) {
+ uint8_t i = 0;
+ uint64_t res = 0;
+
+ while (i < size && i < sizeof(res)) {
+ res <<= 8;
+ res |= in[i];
+ i++;
+ }
+
+ return res;
+}
+
+bool u64_to_string(uint64_t src, char *dst, uint8_t dst_size) {
+ // Copy the numbers in ASCII format.
+ uint8_t i = 0;
+ do {
+ // Checking `i + 1` to make sure we have enough space for '\0'.
+ if (i + 1 >= dst_size) {
+ return false;
+ }
+ dst[i] = src % 10 + '0';
+ src /= 10;
+ i++;
+ } while (src);
+
+ // Null terminate string
+ dst[i] = '\0';
+
+ // Revert the string
+ i--;
+ uint8_t j = 0;
+ while (j < i) {
+ char tmp = dst[i];
+ dst[i] = dst[j];
+ dst[j] = tmp;
+ i--;
+ j++;
+ }
+ return true;
+}