Add ALTS fuzzer

CMakeLists.txt

@@ -454,6 +454,7 @@ if(_gRPC_PLATFORM_LINUX OR _gRPC_PLATFORM_MAC OR _gRPC_PLATFORM_POSIX)
 add_dependencies(buildtests_c h2_uds_nosec_test)
 endif()
 add_dependencies(buildtests_c inproc_nosec_test)
+add_dependencies(buildtests_c alts_credentials_fuzzer_one_entry)
 add_dependencies(buildtests_c api_fuzzer_one_entry)
 add_dependencies(buildtests_c client_fuzzer_one_entry)
 add_dependencies(buildtests_c hpack_parser_fuzzer_test_one_entry)
@@ -1672,6 +1673,7 @@ add_library(grpc_test_util
   test/core/end2end/fixtures/proxy.cc
   test/core/iomgr/endpoint_tests.cc
   test/core/util/debugger_macros.cc
+  test/core/util/fuzzer_util.cc
   test/core/util/grpc_profiler.cc
   test/core/util/histogram.cc
   test/core/util/memory_counters.cc
@@ -1975,6 +1977,7 @@ add_library(grpc_test_util_unsecure
   test/core/end2end/fixtures/proxy.cc
   test/core/iomgr/endpoint_tests.cc
   test/core/util/debugger_macros.cc
+  test/core/util/fuzzer_util.cc
   test/core/util/grpc_profiler.cc
   test/core/util/histogram.cc
   test/core/util/memory_counters.cc
@@ -15712,6 +15715,35 @@ endif()
 endif (gRPC_BUILD_TESTS)
 if (gRPC_BUILD_TESTS)
 
+add_executable(alts_credentials_fuzzer_one_entry
+  test/core/security/alts_credentials_fuzzer.cc
+  test/core/util/one_corpus_entry_fuzzer.cc
+)
+
+
+target_include_directories(alts_credentials_fuzzer_one_entry
+  PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}
+  PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
+  PRIVATE ${_gRPC_SSL_INCLUDE_DIR}
+  PRIVATE ${_gRPC_PROTOBUF_INCLUDE_DIR}
+  PRIVATE ${_gRPC_ZLIB_INCLUDE_DIR}
+  PRIVATE ${_gRPC_BENCHMARK_INCLUDE_DIR}
+  PRIVATE ${_gRPC_CARES_INCLUDE_DIR}
+  PRIVATE ${_gRPC_GFLAGS_INCLUDE_DIR}
+  PRIVATE ${_gRPC_ADDRESS_SORTING_INCLUDE_DIR}
+)
+
+target_link_libraries(alts_credentials_fuzzer_one_entry
+  ${_gRPC_ALLTARGETS_LIBRARIES}
+  grpc_test_util
+  grpc
+  gpr_test_util
+  gpr
+)
+
+endif (gRPC_BUILD_TESTS)
+if (gRPC_BUILD_TESTS)
+
 add_executable(api_fuzzer_one_entry
   test/core/end2end/fuzzers/api_fuzzer.cc
   test/core/util/one_corpus_entry_fuzzer.cc

Makefile

@@ -960,6 +960,7 @@ stop:
 algorithm_test: $(BINDIR)/$(CONFIG)/algorithm_test
 alloc_test: $(BINDIR)/$(CONFIG)/alloc_test
 alpn_test: $(BINDIR)/$(CONFIG)/alpn_test
+alts_credentials_fuzzer: $(BINDIR)/$(CONFIG)/alts_credentials_fuzzer
 api_fuzzer: $(BINDIR)/$(CONFIG)/api_fuzzer
 arena_test: $(BINDIR)/$(CONFIG)/arena_test
 avl_test: $(BINDIR)/$(CONFIG)/avl_test
@@ -1325,6 +1326,7 @@ resolver_component_tests_runner_invoker_unsecure: $(BINDIR)/$(CONFIG)/resolver_c
 resolver_component_tests_runner_invoker: $(BINDIR)/$(CONFIG)/resolver_component_tests_runner_invoker
 address_sorting_test_unsecure: $(BINDIR)/$(CONFIG)/address_sorting_test_unsecure
 address_sorting_test: $(BINDIR)/$(CONFIG)/address_sorting_test
+alts_credentials_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/alts_credentials_fuzzer_one_entry
 api_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/api_fuzzer_one_entry
 client_fuzzer_one_entry: $(BINDIR)/$(CONFIG)/client_fuzzer_one_entry
 hpack_parser_fuzzer_test_one_entry: $(BINDIR)/$(CONFIG)/hpack_parser_fuzzer_test_one_entry
@@ -1571,6 +1573,7 @@ buildtests_c: privatelibs_c \
   $(BINDIR)/$(CONFIG)/h2_sockpair_1byte_nosec_test \
   $(BINDIR)/$(CONFIG)/h2_uds_nosec_test \
   $(BINDIR)/$(CONFIG)/inproc_nosec_test \
+  $(BINDIR)/$(CONFIG)/alts_credentials_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/api_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/client_fuzzer_one_entry \
   $(BINDIR)/$(CONFIG)/hpack_parser_fuzzer_test_one_entry \
@@ -4057,6 +4060,7 @@ LIBGRPC_TEST_UTIL_SRC = \
     test/core/end2end/fixtures/proxy.cc \
     test/core/iomgr/endpoint_tests.cc \
     test/core/util/debugger_macros.cc \
+    test/core/util/fuzzer_util.cc \
     test/core/util/grpc_profiler.cc \
     test/core/util/histogram.cc \
     test/core/util/memory_counters.cc \
@@ -4352,6 +4356,7 @@ LIBGRPC_TEST_UTIL_UNSECURE_SRC = \
     test/core/end2end/fixtures/proxy.cc \
     test/core/iomgr/endpoint_tests.cc \
     test/core/util/debugger_macros.cc \
+    test/core/util/fuzzer_util.cc \
     test/core/util/grpc_profiler.cc \
     test/core/util/histogram.cc \
     test/core/util/memory_counters.cc \
@@ -10226,6 +10231,38 @@ endif
 endif
 
 
+ALTS_CREDENTIALS_FUZZER_SRC = \
+    test/core/security/alts_credentials_fuzzer.cc \
+
+ALTS_CREDENTIALS_FUZZER_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(ALTS_CREDENTIALS_FUZZER_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/alts_credentials_fuzzer: openssl_dep_error
+
+else
+
+
+
+$(BINDIR)/$(CONFIG)/alts_credentials_fuzzer: $(ALTS_CREDENTIALS_FUZZER_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LDXX) $(LDFLAGS) $(ALTS_CREDENTIALS_FUZZER_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -lFuzzer -o $(BINDIR)/$(CONFIG)/alts_credentials_fuzzer
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/security/alts_credentials_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_alts_credentials_fuzzer: $(ALTS_CREDENTIALS_FUZZER_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(ALTS_CREDENTIALS_FUZZER_OBJS:.o=.dep)
+endif
+endif
+
+
 API_FUZZER_SRC = \
     test/core/end2end/fuzzers/api_fuzzer.cc \
 
@@ -23445,6 +23482,41 @@ endif
 endif
 
 
+ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_SRC = \
+    test/core/security/alts_credentials_fuzzer.cc \
+    test/core/util/one_corpus_entry_fuzzer.cc \
+
+ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_OBJS = $(addprefix $(OBJDIR)/$(CONFIG)/, $(addsuffix .o, $(basename $(ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_SRC))))
+ifeq ($(NO_SECURE),true)
+
+# You can't build secure targets if you don't have OpenSSL.
+
+$(BINDIR)/$(CONFIG)/alts_credentials_fuzzer_one_entry: openssl_dep_error
+
+else
+
+
+
+$(BINDIR)/$(CONFIG)/alts_credentials_fuzzer_one_entry: $(ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+	$(E) "[LD]      Linking $@"
+	$(Q) mkdir -p `dirname $@`
+	$(Q) $(LD) $(LDFLAGS) $(ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_OBJS) $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a $(LDLIBS) $(LDLIBS_SECURE) -o $(BINDIR)/$(CONFIG)/alts_credentials_fuzzer_one_entry
+
+endif
+
+$(OBJDIR)/$(CONFIG)/test/core/security/alts_credentials_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+$(OBJDIR)/$(CONFIG)/test/core/util/one_corpus_entry_fuzzer.o:  $(LIBDIR)/$(CONFIG)/libgrpc_test_util.a $(LIBDIR)/$(CONFIG)/libgrpc.a $(LIBDIR)/$(CONFIG)/libgpr_test_util.a $(LIBDIR)/$(CONFIG)/libgpr.a
+
+deps_alts_credentials_fuzzer_one_entry: $(ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_OBJS:.o=.dep)
+
+ifneq ($(NO_SECURE),true)
+ifneq ($(NO_DEPS),true)
+-include $(ALTS_CREDENTIALS_FUZZER_ONE_ENTRY_OBJS:.o=.dep)
+endif
+endif
+
+
 API_FUZZER_ONE_ENTRY_SRC = \
     test/core/end2end/fuzzers/api_fuzzer.cc \
     test/core/util/one_corpus_entry_fuzzer.cc \

build.yaml

@@ -827,6 +827,7 @@ filegroups:
   - test/core/end2end/fixtures/proxy.h
   - test/core/iomgr/endpoint_tests.h
   - test/core/util/debugger_macros.h
+  - test/core/util/fuzzer_util.h
   - test/core/util/grpc_profiler.h
   - test/core/util/histogram.h
   - test/core/util/memory_counters.h
@@ -846,6 +847,7 @@ filegroups:
   - test/core/end2end/fixtures/proxy.cc
   - test/core/iomgr/endpoint_tests.cc
   - test/core/util/debugger_macros.cc
+  - test/core/util/fuzzer_util.cc
   - test/core/util/grpc_profiler.cc
   - test/core/util/histogram.cc
   - test/core/util/memory_counters.cc
@@ -1991,6 +1993,19 @@ targets:
   - grpc
   - gpr_test_util
   - gpr
+- name: alts_credentials_fuzzer
+  build: fuzzer
+  language: c
+  src:
+  - test/core/security/alts_credentials_fuzzer.cc
+  deps:
+  - grpc_test_util
+  - grpc
+  - gpr_test_util
+  - gpr
+  corpus_dirs:
+  - test/core/security/corpus/alts_credentials_corpus
+  maxlen: 2048
 - name: api_fuzzer
   build: fuzzer
   language: c

gRPC-Core.podspec

@@ -1126,6 +1126,7 @@ Pod::Spec.new do |s|
                       'test/core/end2end/fixtures/proxy.cc',
                       'test/core/iomgr/endpoint_tests.cc',
                       'test/core/util/debugger_macros.cc',
+                      'test/core/util/fuzzer_util.cc',
                       'test/core/util/grpc_profiler.cc',
                       'test/core/util/histogram.cc',
                       'test/core/util/memory_counters.cc',
@@ -1148,6 +1149,7 @@ Pod::Spec.new do |s|
                       'test/core/end2end/fixtures/proxy.h',
                       'test/core/iomgr/endpoint_tests.h',
                       'test/core/util/debugger_macros.h',
+                      'test/core/util/fuzzer_util.h',
                       'test/core/util/grpc_profiler.h',
                       'test/core/util/histogram.h',
                       'test/core/util/memory_counters.h',

grpc.gyp

@@ -577,6 +577,7 @@
         'test/core/end2end/fixtures/proxy.cc',
         'test/core/iomgr/endpoint_tests.cc',
         'test/core/util/debugger_macros.cc',
+        'test/core/util/fuzzer_util.cc',
         'test/core/util/grpc_profiler.cc',
         'test/core/util/histogram.cc',
         'test/core/util/memory_counters.cc',
@@ -807,6 +808,7 @@
         'test/core/end2end/fixtures/proxy.cc',
         'test/core/iomgr/endpoint_tests.cc',
         'test/core/util/debugger_macros.cc',
+        'test/core/util/fuzzer_util.cc',
         'test/core/util/grpc_profiler.cc',
         'test/core/util/histogram.cc',
         'test/core/util/memory_counters.cc',

test/core/end2end/fuzzers/api_fuzzer.cc

@@ -38,8 +38,14 @@
 #include "src/core/lib/surface/server.h"
 #include "src/core/lib/transport/metadata.h"
 #include "test/core/end2end/data/ssl_test_data.h"
+#include "test/core/util/fuzzer_util.h"
 #include "test/core/util/passthru_endpoint.h"
 
+using grpc_core::testing::grpc_fuzzer_get_next_byte;
+using grpc_core::testing::grpc_fuzzer_get_next_string;
+using grpc_core::testing::grpc_fuzzer_get_next_uint32;
+using grpc_core::testing::input_stream;
+
 ////////////////////////////////////////////////////////////////////////////////
 // logging
 
@@ -65,58 +71,20 @@ static gpr_timespec now_impl(gpr_clock_type clock_type) {
   return ts;
 }
 
-////////////////////////////////////////////////////////////////////////////////
-// input_stream: allows easy access to input bytes, and allows reading a little
-//               past the end (avoiding needing to check everywhere)
-
-typedef struct {
-  const uint8_t* cur;
-  const uint8_t* end;
-} input_stream;
-
-static uint8_t next_byte(input_stream* inp) {
-  if (inp->cur == inp->end) {
-    return 0;
-  }
-  return *inp->cur++;
-}
-
 static void end(input_stream* inp) { inp->cur = inp->end; }
 
-static char* read_string(input_stream* inp, bool* special) {
-  char* str = nullptr;
-  size_t cap = 0;
-  size_t sz = 0;
-  char c;
-  do {
-    if (cap == sz) {
-      cap = GPR_MAX(3 * cap / 2, cap + 8);
-      str = static_cast<char*>(gpr_realloc(str, cap));
-    }
-    c = static_cast<char>(next_byte(inp));
-    str[sz++] = c;
-  } while (c != 0 && c != 1);
-  if (special != nullptr) {
-    *special = (c == 1);
-  }
-  if (c == 1) {
-    str[sz - 1] = 0;
-  }
-  return str;
-}
-
 static void read_buffer(input_stream* inp, char** buffer, size_t* length,
                         bool* special) {
-  *length = next_byte(inp);
+  *length = grpc_fuzzer_get_next_byte(inp);
   if (*length == 255) {
     if (special != nullptr) *special = true;
-    *length = next_byte(inp);
+    *length = grpc_fuzzer_get_next_byte(inp);
   } else {
     if (special != nullptr) *special = false;
   }
   *buffer = static_cast<char*>(gpr_malloc(*length));
   for (size_t i = 0; i < *length; i++) {
-    (*buffer)[i] = static_cast<char>(next_byte(inp));
+    (*buffer)[i] = static_cast<char>(grpc_fuzzer_get_next_byte(inp));
   }
 }
 
@@ -128,7 +96,7 @@ static grpc_slice maybe_intern(grpc_slice s, bool intern) {
 
 static grpc_slice read_string_like_slice(input_stream* inp) {
   bool special;
-  char* s = read_string(inp, &special);
+  char* s = grpc_fuzzer_get_next_string(inp, &special);
   grpc_slice r = maybe_intern(grpc_slice_from_copied_string(s), special);
   gpr_free(s);
   return r;
@@ -146,39 +114,15 @@ static grpc_slice read_buffer_like_slice(input_stream* inp) {
 }
 
 static uint32_t read_uint22(input_stream* inp) {
-  uint8_t b = next_byte(inp);
+  uint8_t b = grpc_fuzzer_get_next_byte(inp);
   uint32_t x = b & 0x7f;
   if (b & 0x80) {
     x <<= 7;
-    b = next_byte(inp);
+    b = grpc_fuzzer_get_next_byte(inp);
     x |= b & 0x7f;
     if (b & 0x80) {
       x <<= 8;
-      x |= next_byte(inp);
-    }
-  }
-  return x;
-}
-
-static uint32_t read_uint32(input_stream* inp) {
-  uint8_t b = next_byte(inp);
-  uint32_t x = b & 0x7f;
-  if (b & 0x80) {
-    x <<= 7;
-    b = next_byte(inp);
-    x |= b & 0x7f;
-    if (b & 0x80) {
-      x <<= 7;
-      b = next_byte(inp);
-      x |= b & 0x7f;
-      if (b & 0x80) {
-        x <<= 7;
-        b = next_byte(inp);
-        x |= b & 0x7f;
-        if (b & 0x80) {
-          x = (x << 4) | (next_byte(inp) & 0x0f);
-        }
-      }
+      x |= grpc_fuzzer_get_next_byte(inp);
     }
   }
   return x;
@@ -193,22 +137,22 @@ static grpc_byte_buffer* read_message(input_stream* inp) {
 }
 
 static int read_int(input_stream* inp) {
-  return static_cast<int>(read_uint32(inp));
+  return static_cast<int>(grpc_fuzzer_get_next_uint32(inp));
 }
 
 static grpc_channel_args* read_args(input_stream* inp) {
-  size_t n = next_byte(inp);
+  size_t n = grpc_fuzzer_get_next_byte(inp);
   grpc_arg* args = static_cast<grpc_arg*>(gpr_malloc(sizeof(*args) * n));
   for (size_t i = 0; i < n; i++) {
-    switch (next_byte(inp)) {
+    switch (grpc_fuzzer_get_next_byte(inp)) {
       case 1:
         args[i].type = GRPC_ARG_STRING;
-        args[i].key = read_string(inp, nullptr);
-        args[i].value.string = read_string(inp, nullptr);
+        args[i].key = grpc_fuzzer_get_next_string(inp, nullptr);
+        args[i].value.string = grpc_fuzzer_get_next_string(inp, nullptr);
         break;
       case 2:
         args[i].type = GRPC_ARG_INTEGER;
-        args[i].key = read_string(inp, nullptr);
+        args[i].key = grpc_fuzzer_get_next_string(inp, nullptr);
         args[i].value.integer = read_int(inp);
         break;
       case 3:
@@ -249,10 +193,11 @@ static void cred_artifact_ctx_finish(cred_artifact_ctx* ctx) {
 static const char* read_cred_artifact(cred_artifact_ctx* ctx, input_stream* inp,
                                       const char** builtins,
                                       size_t num_builtins) {
-  uint8_t b = next_byte(inp);
+  uint8_t b = grpc_fuzzer_get_next_byte(inp);
   if (b == 0) return nullptr;
   if (b == 1)
-    return ctx->release[ctx->num_release++] = read_string(inp, nullptr);
+    return ctx->release[ctx->num_release++] =
+               grpc_fuzzer_get_next_string(inp, nullptr);
   if (b >= num_builtins + 1) {
     end(inp);
     return nullptr;
@@ -288,7 +233,7 @@ static grpc_call_credentials* read_call_creds(input_stream* inp, int depth) {
     end(inp);
     return nullptr;
   }
-  switch (next_byte(inp)) {
+  switch (grpc_fuzzer_get_next_byte(inp)) {
     default:
       end(inp);
       return nullptr;
@@ -339,7 +284,7 @@ static grpc_call_credentials* read_call_creds(input_stream* inp, int depth) {
 }
 
 static grpc_channel_credentials* read_channel_creds(input_stream* inp) {
-  switch (next_byte(inp)) {
+  switch (grpc_fuzzer_get_next_byte(inp)) {
     case 0:
       return read_ssl_channel_creds(inp);
       break;
@@ -673,7 +618,7 @@ static grpc_slice* add_slice_to_unref(call_state* call, grpc_slice s) {
 
 static void read_metadata(input_stream* inp, size_t* count,
                           grpc_metadata** metadata, call_state* cs) {
-  *count = next_byte(inp);
+  *count = grpc_fuzzer_get_next_byte(inp);
   if (*count) {
     *metadata =
         static_cast<grpc_metadata*>(gpr_malloc(*count * sizeof(**metadata)));
@@ -681,7 +626,7 @@ static void read_metadata(input_stream* inp, size_t* count,
     for (size_t i = 0; i < *count; i++) {
       (*metadata)[i].key = read_string_like_slice(inp);
       (*metadata)[i].value = read_buffer_like_slice(inp);
-      (*metadata)[i].flags = read_uint32(inp);
+      (*metadata)[i].flags = grpc_fuzzer_get_next_uint32(inp);
       add_slice_to_unref(cs, (*metadata)[i].key);
       add_slice_to_unref(cs, (*metadata)[i].value);
     }
@@ -811,7 +756,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
 
     grpc_timer_manager_tick();
 
-    switch (next_byte(&inp)) {
+    switch (grpc_fuzzer_get_next_byte(&inp)) {
       // terminate on bad bytes
       default:
         end(&inp);
@@ -838,13 +783,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       // increment global time
       case 1: {
         g_now = gpr_time_add(
-            g_now, gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN));
+            g_now, gpr_time_from_micros(grpc_fuzzer_get_next_uint32(&inp),
+                                        GPR_TIMESPAN));
         break;
       }
       // create an insecure channel
       case 2: {
         if (g_channel == nullptr) {
-          char* target = read_string(&inp, nullptr);
+          char* target = grpc_fuzzer_get_next_string(&inp, nullptr);
           char* target_uri;
           gpr_asprintf(&target_uri, "dns:%s", target);
           grpc_channel_args* args = read_args(&inp);
@@ -927,7 +873,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       // check connectivity
       case 8: {
         if (g_channel != nullptr) {
-          uint8_t try_to_connect = next_byte(&inp);
+          uint8_t try_to_connect = grpc_fuzzer_get_next_byte(&inp);
           if (try_to_connect == 0 || try_to_connect == 1) {
             grpc_channel_check_connectivity_state(g_channel, try_to_connect);
           } else {
@@ -946,7 +892,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           if (st != GRPC_CHANNEL_SHUTDOWN) {
             gpr_timespec deadline = gpr_time_add(
                 gpr_now(GPR_CLOCK_REALTIME),
-                gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN));
+                gpr_time_from_micros(grpc_fuzzer_get_next_uint32(&inp),
+                                     GPR_TIMESPAN));
             grpc_channel_watch_connectivity_state(
                 g_channel, st, deadline, cq,
                 create_validator(validate_connectivity_watch,
@@ -971,7 +918,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           }
           parent_call = g_active_call->call;
         }
-        uint32_t propagation_mask = read_uint32(&inp);
+        uint32_t propagation_mask = grpc_fuzzer_get_next_uint32(&inp);
         grpc_slice method = read_string_like_slice(&inp);
         if (GRPC_SLICE_LENGTH(method) == 0) {
           ok = false;
@@ -979,7 +926,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
         grpc_slice host = read_string_like_slice(&inp);
         gpr_timespec deadline =
             gpr_time_add(gpr_now(GPR_CLOCK_REALTIME),
-                         gpr_time_from_micros(read_uint32(&inp), GPR_TIMESPAN));
+                         gpr_time_from_micros(grpc_fuzzer_get_next_uint32(&inp),
+                                              GPR_TIMESPAN));
 
         if (ok) {
           call_state* cs = new_call(g_active_call, CLIENT);
@@ -1005,7 +953,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
           end(&inp);
           break;
         }
-        size_t num_ops = next_byte(&inp);
+        size_t num_ops = grpc_fuzzer_get_next_byte(&inp);
         if (num_ops > 6) {
           end(&inp);
           break;
@@ -1019,7 +967,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
         uint8_t has_ops = 0;
         for (i = 0; i < num_ops; i++) {
           op = &ops[i];
-          switch (next_byte(&inp)) {
+          switch (grpc_fuzzer_get_next_byte(&inp)) {
             default:
               /* invalid value */
               op->op = (grpc_op_type)-1;
@@ -1060,7 +1008,8 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
                   &op->data.send_status_from_server.trailing_metadata,
                   g_active_call);
               op->data.send_status_from_server.status =
-                  static_cast<grpc_status_code>(next_byte(&inp));
+                  static_cast<grpc_status_code>(
+                      grpc_fuzzer_get_next_byte(&inp));
               op->data.send_status_from_server.status_details =
                   add_slice_to_unref(g_active_call,
                                      read_buffer_like_slice(&inp));
@@ -1097,7 +1046,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
               break;
           }
           op->reserved = nullptr;
-          op->flags = read_uint32(&inp);
+          op->flags = grpc_fuzzer_get_next_uint32(&inp);
         }
         if (ok) {
           validator* v = make_finished_batch_validator(g_active_call, has_ops);
@@ -1160,14 +1109,14 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       }
       // enable a tracer
       case 17: {
-        char* tracer = read_string(&inp, nullptr);
+        char* tracer = grpc_fuzzer_get_next_string(&inp, nullptr);
         grpc_tracer_set_enabled(tracer, 1);
         gpr_free(tracer);
         break;
       }
       // disable a tracer
       case 18: {
-        char* tracer = read_string(&inp, nullptr);
+        char* tracer = grpc_fuzzer_get_next_string(&inp, nullptr);
         grpc_tracer_set_enabled(tracer, 0);
         gpr_free(tracer);
         break;
@@ -1209,7 +1158,7 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
       // create a secure channel
       case 22: {
         if (g_channel == nullptr) {
-          char* target = read_string(&inp, nullptr);
+          char* target = grpc_fuzzer_get_next_string(&inp, nullptr);
           char* target_uri;
           gpr_asprintf(&target_uri, "dns:%s", target);
           grpc_channel_args* args = read_args(&inp);

test/core/security/BUILD

@@ -20,6 +20,18 @@ grpc_package(name = "test/core/security")
 
 load("//test/core/util:grpc_fuzzer.bzl", "grpc_fuzzer")
 
+grpc_fuzzer(
+    name = "alts_credentials_fuzzer",
+    srcs = ["alts_credentials_fuzzer.cc"],
+    language = "C++",
+    corpus = "corpus/alts_credentials_corpus",
+    deps = [
+        "//:gpr",
+        "//:grpc",
+        "//test/core/util:grpc_test_util",
+    ],
+)
+
 grpc_fuzzer(
     name = "ssl_server_fuzzer",
     srcs = ["ssl_server_fuzzer.cc"],

test/core/security/alts_credentials_fuzzer.cc

@@ -0,0 +1,120 @@
+/*
+ *
+ * Copyright 2018 gRPC authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+#include <string.h>
+
+#include <grpc/grpc.h>
+#include <grpc/grpc_security.h>
+#include <grpc/support/alloc.h>
+#include <grpc/support/log.h>
+#include <grpc/support/string_util.h>
+#include "test/core/util/fuzzer_util.h"
+#include "test/core/util/memory_counters.h"
+
+#include "src/core/lib/gpr/env.h"
+#include "src/core/lib/security/credentials/alts/alts_credentials.h"
+#include "src/core/lib/security/credentials/alts/check_gcp_environment.h"
+#include "src/core/lib/security/credentials/alts/grpc_alts_credentials_options.h"
+
+using grpc_core::testing::grpc_fuzzer_get_next_byte;
+using grpc_core::testing::grpc_fuzzer_get_next_string;
+using grpc_core::testing::input_stream;
+
+// Logging
+bool squelch = true;
+bool leak_check = true;
+
+static void dont_log(gpr_log_func_args* args) {}
+
+// Add a random number of target service accounts to client options.
+static void read_target_service_accounts(
+    input_stream* inp, grpc_alts_credentials_options* options) {
+  size_t n = grpc_fuzzer_get_next_byte(inp);
+  for (size_t i = 0; i < n; i++) {
+    char* service_account = grpc_fuzzer_get_next_string(inp, nullptr);
+    if (service_account != nullptr) {
+      grpc_alts_credentials_client_options_add_target_service_account(
+          options, service_account);
+      gpr_free(service_account);
+    }
+  }
+  // Added to improve code coverage.
+  grpc_alts_credentials_client_options_add_target_service_account(options,
+                                                                  nullptr);
+  grpc_alts_credentials_client_options_add_target_service_account(
+      nullptr, "this is service account");
+}
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  char* grpc_trace_fuzzer = gpr_getenv("GRPC_TRACE_FUZZER");
+  if (squelch && grpc_trace_fuzzer == nullptr) {
+    gpr_set_log_function(dont_log);
+  }
+  gpr_free(grpc_trace_fuzzer);
+  struct grpc_memory_counters counters;
+  if (leak_check) {
+    grpc_memory_counters_init();
+  }
+  input_stream inp = {data, data + size};
+  grpc_init();
+  bool is_on_gcp = grpc_alts_is_running_on_gcp();
+  while (inp.cur != inp.end) {
+    bool enable_untrusted_alts = grpc_fuzzer_get_next_byte(&inp) & 0x01;
+    char* handshaker_service_url =
+        grpc_fuzzer_get_next_byte(&inp) & 0x01
+            ? grpc_fuzzer_get_next_string(&inp, nullptr)
+            : nullptr;
+    if (grpc_fuzzer_get_next_byte(&inp) & 0x01) {
+      // Test ALTS channel credentials.
+      grpc_alts_credentials_options* options =
+          grpc_alts_credentials_client_options_create();
+      read_target_service_accounts(&inp, options);
+      grpc_channel_credentials* cred = grpc_alts_credentials_create_customized(
+          options, handshaker_service_url, enable_untrusted_alts);
+      if (!enable_untrusted_alts && !is_on_gcp) {
+        GPR_ASSERT(cred == nullptr);
+      } else {
+        GPR_ASSERT(cred != nullptr);
+      }
+      grpc_channel_credentials_release(cred);
+      grpc_alts_credentials_options_destroy(options);
+    } else {
+      // Test ALTS server credentials.
+      grpc_alts_credentials_options* options =
+          grpc_alts_credentials_server_options_create();
+      grpc_server_credentials* cred =
+          grpc_alts_server_credentials_create_customized(
+              options, handshaker_service_url, enable_untrusted_alts);
+      if (!enable_untrusted_alts && !is_on_gcp) {
+        GPR_ASSERT(cred == nullptr);
+      } else {
+        GPR_ASSERT(cred != nullptr);
+      }
+      grpc_server_credentials_release(cred);
+      grpc_alts_credentials_options_destroy(options);
+    }
+    gpr_free(handshaker_service_url);
+  }
+  grpc_shutdown();
+  if (leak_check) {
+    counters = grpc_memory_counters_snapshot();
+    grpc_memory_counters_destroy();
+    GPR_ASSERT(counters.total_size_relative == 0);
+  }
+  return 0;
+}

test/core/security/corpus/alts_credentials_corpus/147696a264cd6f197adb7c68aff834c30b1b77f8

@@ -0,0 +1 @@
+<EFBFBD>+<EFBFBD>

test/core/security/corpus/alts_credentials_corpus/173d02167db431040b0540d98f6fc5e8b456587d

@@ -0,0 +1 @@
+ђв
в

test/core/security/corpus/alts_credentials_corpus/195abd83b2e9d32b1b5b854fe33da44b6db40880

@@ -0,0 +1 @@
+ap˙





ě





















~








!







ő





ě














































A

~















;













ě

test/core/security/corpus/alts_credentials_corpus/27416437ad287bd3cc1c5efdecebc39f20df73c1

@@ -0,0 +1 @@
+ﾄ
=ﾄｼyyyyy㊥yyyyz

test/core/security/corpus/alts_credentials_corpus/2cca5cb1b135c35f6e5e1ec4c37deb9e12d37dc0

@@ -0,0 +1,2 @@
+<EFBFBD>
+<EFBFBD><EFBFBD>

test/core/security/corpus/alts_credentials_corpus/2e9ddd1339d8e599cef658a08965985c4f45e428

@@ -0,0 +1,2 @@
+<EFBFBD>
+<EFBFBD>e

test/core/security/corpus/alts_credentials_corpus/31a2d12a84a7a56ace831a9668d6ab4847390679

@@ -0,0 +1,2 @@
+ן
+ןי

test/core/security/corpus/alts_credentials_corpus/348d9ae6eebb2e1644addf7f07231d108cf6f3b8

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>
<EFBFBD>

test/core/security/corpus/alts_credentials_corpus/3a3ca061863499ebc171a4f910fa1b49523baad4

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD>9

test/core/security/corpus/alts_credentials_corpus/3b9554038a425bd1fae057ba41f9366bb467e946

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>ﾜﾜﾜ

test/core/security/corpus/alts_credentials_corpus/4257a018f08f13a3a9adc848ef808e1be50bc4cf

@@ -0,0 +1,2 @@
+ňÓ99999999999999999999999999999999999ŹŹŹŹŹŹŹŹŹ˙˙˙˙˙˙˙˙˙˙˙˙˙/////˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙
+˙˙˙˙˙˙˙˙˙˙˛˛˛˛˛˛˛˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙˙NSt6locale5

test/core/security/corpus/alts_credentials_corpus/4e84eb54a0e438052b0c2e83653135042d9eb59a

@@ -0,0 +1 @@
+<EFBFBD>


test/core/security/corpus/alts_credentials_corpus/50839d5c8bf33f0970986dcc4b73b024f11a95b7

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>t_<EFBFBD>	<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>&<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

test/core/security/corpus/alts_credentials_corpus/55321649e7b7f1b5664ae20724e683c930643fc4

@@ -0,0 +1 @@
+ђ

)в

test/core/security/corpus/alts_credentials_corpus/55cc52f25865baee3e6e52c3110a9723caa2b3cb

@@ -0,0 +1 @@
+<EFBFBD>
ﾎ

test/core/security/corpus/alts_credentials_corpus/5bd6fb6fc4163bf3a9db6ddaf509dce8df8a5000

@@ -0,0 +1 @@
+)applea.˙˙˙˙„ÜÜ.˙ß˙˙˙˙˙Ü˙˙˙Ü˙˙„ÜÜ.

test/core/security/corpus/alts_credentials_corpus/5d06fc38005503af3d084721c60e574fb9d2f370

@@ -0,0 +1 @@
+ﾓ
ﾓﾗ

test/core/security/corpus/alts_credentials_corpus/61c449793347cf2e1ed0c38d54d23c63dfaabeb8

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>

test/core/security/corpus/alts_credentials_corpus/6551d02d20573cfa2944ec1f12b0c01f264a1326

@@ -0,0 +1 @@
+<EFBFBD>s

test/core/security/corpus/alts_credentials_corpus/74002471a854059cb29de7cad8f9fb7adc3c5ec2

@@ -0,0 +1,2 @@
+
+<EFBFBD>

test/core/security/corpus/alts_credentials_corpus/749d5d7a9e0b1545b297117e834462af32b3e230

@@ -0,0 +1 @@
+a





















č





































































˙˙+

test/core/security/corpus/alts_credentials_corpus/77de0b1de120ac702ca45868b1008a48626daf12

@@ -0,0 +1 @@
+<EFBFBD>
^