public/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
openssl/fuzz/slh-dsa.c
Neil Horman c0eb5c57f7 fix slh-dsa incorrect prediction of result code 
The slh_dsa fuzzer predicts failure in EVP_message_sign_init in the
event we pass a context_string param of more than 255 bytes.  That makes
for an accurate prediction, but only if we actually create  the param.

augment the setting of exepct_rc_init to be determined not only by our
allocation of a > 255 byte message, but also on selector bit 1, which
determines if we create the parameter at all.

Fixes https://oss-fuzz.com/testcase-detail/4807793999937536

Reviewed-by: Saša Nedvědický <sashan@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <ppzgs1@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/26884)
2025-02-25 16:04:02 -05:00

608 lines
20 KiB
C
Raw Permalink Blame History

/*
* Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* https://www.openssl.org/source/license.html
* or in the file LICENSE in the source distribution.
*/
/*
* Test slh-dsa operation.
*/
#include <string.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/byteorder.h>
#include <openssl/core_names.h>
#include "crypto/slh_dsa.h"
#include "internal/nelem.h"
#include "fuzzer.h"
/**
* @brief Consumes an 8-bit unsigned integer from a buffer.
*
* This function extracts an 8-bit unsigned integer from the provided buffer,
* updates the buffer pointer, and adjusts the remaining length.
*
* @param buf Pointer to the input buffer.
* @param len Pointer to the size of the remaining buffer; updated after consumption.
* @param val Pointer to store the extracted 8-bit value.
*
* @return Pointer to the updated buffer position after reading the value,
* or NULL if the buffer does not contain enough data.
*/
static uint8_t *consume_uint8t(const uint8_t *buf, size_t *len, uint8_t *val)
{
if (*len < sizeof(uint8_t))
return NULL;
*val = *buf;
*len -= sizeof(uint8_t);
return (uint8_t *)buf + 1;
}
/**
* @brief Generates a DSA key pair using OpenSSL EVP API.
*
* This function creates a DSA key pair based on the specified key size and
* parameters. It supports generating keys using explicit parameters if provided.
*
* @param name The name of the key type (e.g., "DSA").
* @param keysize The desired key size in bits.
* @param params Optional OpenSSL parameters for key generation.
* @param param_broken A flag indicating if the parameters are broken.
* If true, key generation will fail.
*
* @return A pointer to the generated EVP_PKEY structure on success,
* or NULL on failure.
*/
static EVP_PKEY *slh_dsa_gen_key(const char *name, uint32_t keysize,
OSSL_PARAM params[], uint8_t *param_broken)
{
EVP_PKEY_CTX *ctx;
EVP_PKEY *new = NULL;
int rc;
ctx = EVP_PKEY_CTX_new_from_name(NULL, name, NULL);
OPENSSL_assert(ctx != NULL);
if (params != NULL) {
new = EVP_PKEY_new();
OPENSSL_assert(EVP_PKEY_fromdata_init(ctx));
if (*param_broken) {
rc = EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params);
OPENSSL_assert(rc == 0);
EVP_PKEY_free(new);
new = NULL;
} else {
OPENSSL_assert(EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) == 1);
}
goto out;
}
OPENSSL_assert(EVP_PKEY_keygen_init(ctx));
OPENSSL_assert(EVP_PKEY_generate(ctx, &new));
out:
EVP_PKEY_CTX_free(ctx);
return new;
}
/**
* @brief Selects a key type and determines the key size.
*
* This function maps a selector value to a specific SLH-DSA algorithm
* using a modulo operation. It then retrieves the corresponding
* algorithm name and assigns an appropriate key size based on the
* selected algorithm.
*
* @param selector A random selector value used to determine the key type.
* @param keysize Pointer to a variable where the determined key size
* (in bytes) will be stored.
*
* @return A pointer to a string containing the long name of the
* selected key type, or NULL if invalid.
*/
static const char *select_keytype(uint8_t selector, uint32_t *keysize)
{
unsigned int choice;
const char *name = NULL;
*keysize = 0;
/*
* There are 12 SLH-DSA algs with registered NIDS at the moment
* So use our random selector value to get one of them by computing
* its modulo 12 value and adding the offset of the first NID, 1460
* Then convert that to a long name
*/
choice = (selector % 12) + 1460;
name = OBJ_nid2ln(choice);
/*
* Select a keysize, values taken from
* man7/EVP_PKEY-SLH-DSA.pod
*/
switch (choice) {
case NID_SLH_DSA_SHA2_128s:
case NID_SLH_DSA_SHA2_128f:
case NID_SLH_DSA_SHAKE_128s:
case NID_SLH_DSA_SHAKE_128f:
*keysize = 16;
break;
case NID_SLH_DSA_SHA2_192s:
case NID_SLH_DSA_SHA2_192f:
case NID_SLH_DSA_SHAKE_192s:
case NID_SLH_DSA_SHAKE_192f:
*keysize = 24;
break;
case NID_SLH_DSA_SHA2_256s:
case NID_SLH_DSA_SHA2_256f:
case NID_SLH_DSA_SHAKE_256s:
case NID_SLH_DSA_SHAKE_256f:
*keysize = 32;
break;
default:
fprintf(stderr, "Selecting invalid key size\n");
*keysize = 0;
break;
}
return name;
}
/**
* @brief Generates two SLH-DSA key pairs based on consumed selector values.
*
* This function extracts two selector values from the provided buffer,
* determines the corresponding key types and sizes, and generates two
* SLH-DSA key pairs.
*
* @param buf Pointer to a buffer containing selector values. The buffer
* pointer is updated as values are consumed.
* @param len Pointer to the remaining buffer length, updated as values
* are consumed.
* @param out1 Pointer to store the first generated key.
* @param out2 Pointer to store the second generated key.
*/
static void slh_dsa_gen_keys(uint8_t **buf, size_t *len,
void **out1, void **out2)
{
uint8_t selector = 0;
const char *keytype = NULL;
uint32_t keysize;
*buf = consume_uint8t(*buf, len, &selector);
keytype = select_keytype(selector, &keysize);
*out1 = (void *)slh_dsa_gen_key(keytype, keysize, NULL, 0);
*buf = consume_uint8t(*buf, len, &selector);
keytype = select_keytype(selector, &keysize);
*out2 = (void *)slh_dsa_gen_key(keytype, keysize, NULL, 0);
return;
}
#define PARAM_BUF_SZ 256
/**
* @brief Generates an SLH-DSA key pair with custom parameters.
*
* This function extracts a selector value from the provided buffer,
* determines the corresponding key type and size, and generates an
* SLH-DSA key pair using randomly generated public and private key
* buffers. It also introduces intentional modifications to test
* invalid parameter handling.
*
* @param buf Pointer to a buffer containing the selector value. The
* buffer pointer is updated as values are consumed.
* @param len Pointer to the remaining buffer length, updated as values
* are consumed.
* @param out1 Pointer to store the generated key. Will be NULL if key
* generation fails due to invalid parameters.
* @param out2 Unused output parameter (placeholder for symmetry with
* other key generation functions).
*/
static void slh_dsa_gen_key_with_params(uint8_t **buf, size_t *len,
void **out1, void **out2)
{
uint8_t selector = 0;
const char *keytype = NULL;
uint32_t keysize;
uint8_t pubbuf[PARAM_BUF_SZ]; /* expressly bigger than max key size * 3 */
uint8_t prvbuf[PARAM_BUF_SZ]; /* expressly bigger than max key size * 3 */
uint8_t sdbuf[PARAM_BUF_SZ]; /* expressly bigger than max key size * 3 */
uint8_t *bufptr;
OSSL_PARAM params[3];
size_t buflen;
uint8_t broken = 0;
*out1 = NULL;
*buf = consume_uint8t(*buf, len, &selector);
keytype = select_keytype(selector, &keysize);
RAND_bytes(pubbuf, PARAM_BUF_SZ);
RAND_bytes(prvbuf, PARAM_BUF_SZ);
RAND_bytes(sdbuf, PARAM_BUF_SZ);
/*
* select an invalid length if the buffer 0th bit is one
* make it too big if the 2nd bit is 0, smaller otherwise
*/
buflen = keysize * 2; /* these params are 2 * the keysize */
if ((*buf)[0] & 0x1) {
buflen = ((*buf)[0] & 0x2) ? buflen - 1 : buflen + 1;
broken = 1;
}
/* pass a null buffer if the third bit of the buffer is 1 */
bufptr = ((*buf)[0] & 0x4) ? NULL : pubbuf;
if (!broken)
broken = (bufptr == NULL) ? 1 : 0;
params[0] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PUB_KEY,
(char *)bufptr, buflen);
buflen = keysize * 2;
/* select an invalid length if the 4th bit is true */
if ((*buf)[0] & 0x8) {
buflen = (*buf[0] & 0x1) ? buflen - 1 : buflen + 1;
broken = 1;
}
/* pass a null buffer if the 5th bit is true */
bufptr = ((*buf)[0] & 0x10) ? NULL : prvbuf;
if (!broken)
broken = (bufptr == NULL) ? 1 : 0;
params[1] = OSSL_PARAM_construct_octet_string(OSSL_PKEY_PARAM_PRIV_KEY,
(char *)bufptr, buflen);
params[2] = OSSL_PARAM_construct_end();
*out1 = (void *)slh_dsa_gen_key(keytype, keysize, params, &broken);
if (broken)
OPENSSL_assert(*out1 == NULL);
else
OPENSSL_assert(*out1 != NULL);
return;
}
/**
* @brief Frees allocated SLH-DSA key structures.
*
* This function releases memory allocated for SLH-DSA key pairs
* by freeing the provided EVP_PKEY structures.
*
* @param in1 Pointer to the first input key to be freed.
* @param in2 Pointer to the second input key to be freed.
* @param out1 Pointer to the first output key to be freed.
* @param out2 Pointer to the second output key to be freed.
*/
static void slh_dsa_clean_keys(void *in1, void *in2, void *out1, void *out2)
{
EVP_PKEY_free((EVP_PKEY *)in1);
EVP_PKEY_free((EVP_PKEY *)in2);
EVP_PKEY_free((EVP_PKEY *)out1);
EVP_PKEY_free((EVP_PKEY *)out2);
}
/**
* @brief Performs SLH-DSA signing and verification on a given message.
*
* This function generates an SLH-DSA key, signs a message, and verifies
* the generated signature. It extracts necessary parameters from the buffer
* to determine signing options.
*
* @param buf Pointer to a buffer containing the selector and message data.
* The buffer pointer is updated as values are consumed.
* @param len Pointer to the remaining buffer length, updated as values
* are consumed.
* @param key1 Unused key parameter (placeholder for function signature consistency).
* @param key2 Unused key parameter (placeholder for function signature consistency).
* @param out1 Pointer to store the generated key (for cleanup purposes).
* @param out2 Unused output parameter (placeholder for consistency).
*/
static void slh_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
void *key2, void **out1, void **out2)
{
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY *key = NULL;
EVP_SIGNATURE *sig_alg = NULL;
const char *keytype;
uint32_t keylen;
uint8_t selector = 0;
unsigned char *msg = NULL;
size_t msg_len;
size_t sig_len;
unsigned char *sig = NULL;
OSSL_PARAM params[4];
int paramidx = 0;
int intval1, intval2;
int expect_init_rc = 1;
*buf = consume_uint8t(*buf, len, &selector);
if (*buf == NULL)
return;
keytype = select_keytype(selector, &keylen);
/*
* Consume another byte to figure out our params
*/
*buf = consume_uint8t(*buf, len, &selector);
if (*buf == NULL)
return;
/*
* Remainder of the buffer is the msg to sign
*/
msg = (unsigned char *)*buf;
msg_len = *len;
/* if msg_len > 255, sign_message_init will fail */
if (msg_len > 255 && (selector & 0x1) != 0)
expect_init_rc = 0;
*len = 0;
if (selector & 0x1)
params[paramidx++] = OSSL_PARAM_construct_octet_string(OSSL_SIGNATURE_PARAM_CONTEXT_STRING,
msg, msg_len);
if (selector & 0x2) {
intval1 = selector & 0x4;
params[paramidx++] = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_MESSAGE_ENCODING,
&intval1);
}
if (selector & 0x8) {
intval2 = selector & 0x10;
params[paramidx++] = OSSL_PARAM_construct_int(OSSL_SIGNATURE_PARAM_DETERMINISTIC,
&intval2);
}
params[paramidx] = OSSL_PARAM_construct_end();
key = (void *)slh_dsa_gen_key(keytype, keylen, NULL, 0);
OPENSSL_assert(key != NULL);
*out1 = key; /* for cleanup */
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);
OPENSSL_assert(ctx != NULL);
sig_alg = EVP_SIGNATURE_fetch(NULL, keytype, NULL);
OPENSSL_assert(sig_alg != NULL);
OPENSSL_assert(EVP_PKEY_sign_message_init(ctx, sig_alg, params) == expect_init_rc);
/*
* the context_string parameter can be no more than 255 bytes, so if
* our random input buffer is greater than that, we expect failure above,
* which we check for. In that event, theres nothing more we can do here
* so bail out
*/
if (expect_init_rc == 0)
goto out;
OPENSSL_assert(EVP_PKEY_sign(ctx, NULL, &sig_len, msg, msg_len));
sig = OPENSSL_zalloc(sig_len);
OPENSSL_assert(sig != NULL);
OPENSSL_assert(EVP_PKEY_sign(ctx, sig, &sig_len, msg, msg_len));
OPENSSL_assert(EVP_PKEY_verify_message_init(ctx, sig_alg, params));
OPENSSL_assert(EVP_PKEY_verify(ctx, sig, sig_len, msg, msg_len));
out:
OPENSSL_free(sig);
EVP_SIGNATURE_free(sig_alg);
EVP_PKEY_CTX_free(ctx);
}
/**
* @brief Exports and imports SLH-DSA key pairs, verifying equivalence.
*
* This function extracts key data from two given SLH-DSA keys (`alice` and `bob`),
* reconstructs new keys from the extracted data, and verifies that the imported
* keys are equivalent to the originals. It ensures that key export/import
* functionality is working correctly.
*
* @param buf Unused buffer parameter (placeholder for function signature consistency).
* @param len Unused length parameter (placeholder for function signature consistency).
* @param key1 Pointer to the first key (`alice`) to be exported and imported.
* @param key2 Pointer to the second key (`bob`) to be exported and imported.
* @param out1 Unused output parameter (placeholder for consistency).
* @param out2 Unused output parameter (placeholder for consistency).
*/
static void slh_dsa_export_import(uint8_t **buf, size_t *len, void *key1,
void *key2, void **out1, void **out2)
{
int rc;
EVP_PKEY *alice = (EVP_PKEY *)key1;
EVP_PKEY *bob = (EVP_PKEY *)key2;
EVP_PKEY *new = NULL;
EVP_PKEY_CTX *ctx = NULL;
OSSL_PARAM *params = NULL;
OPENSSL_assert(EVP_PKEY_todata(alice, EVP_PKEY_KEYPAIR, &params) == 1);
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, alice, NULL);
OPENSSL_assert(ctx != NULL);
OPENSSL_assert(EVP_PKEY_fromdata_init(ctx));
new = EVP_PKEY_new();
OPENSSL_assert(new != NULL);
OPENSSL_assert(EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) == 1);
/*
* EVP_PKEY returns:
* 1 if the keys are equivalent
* 0 if the keys are not equivalent
* -1 if the key types are differnt
* -2 if the operation is not supported
*/
OPENSSL_assert(EVP_PKEY_eq(alice, new) == 1);
EVP_PKEY_free(new);
EVP_PKEY_CTX_free(ctx);
OSSL_PARAM_free(params);
params = NULL;
ctx = NULL;
new = NULL;
OPENSSL_assert(EVP_PKEY_todata(bob, EVP_PKEY_KEYPAIR, &params) == 1);
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, bob, NULL);
OPENSSL_assert(ctx != NULL);
OPENSSL_assert(EVP_PKEY_fromdata_init(ctx));
new = EVP_PKEY_new();
OPENSSL_assert(new != NULL);
OPENSSL_assert(EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params) == 1);
OPENSSL_assert(EVP_PKEY_eq(bob, new) == 1);
/*
* Depending on the types of eys that get generated
* we might get a simple non-equivalence or a type mismatch here
*/
rc = EVP_PKEY_eq(alice, new);
OPENSSL_assert(rc == 0 || rc == -1);
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(new);
OSSL_PARAM_free(params);
}
/**
* @brief Represents an operation table entry for cryptographic operations.
*
* This structure defines a table entry containing function pointers for
* setting up, executing, and cleaning up cryptographic operations, along
* with associated metadata such as a name and description.
*
* @struct op_table_entry
*/
struct op_table_entry {
/** Name of the operation. */
char *name;
/**
* @brief Function pointer for setting up the operation.
*
* @param buf Pointer to the buffer pointer; may be updated.
* @param len Pointer to the remaining buffer size; may be updated.
* @param out1 Pointer to store the first output of the setup function.
* @param out2 Pointer to store the second output of the setup function.
*/
void (*setup)(uint8_t **buf, size_t *len, void **out1, void **out2);
/**
* @brief Function pointer for executing the operation.
*
* @param buf Pointer to the buffer pointer; may be updated.
* @param len Pointer to the remaining buffer size; may be updated.
* @param in1 First input parameter for the operation.
* @param in2 Second input parameter for the operation.
* @param out1 Pointer to store the first output of the operation.
* @param out2 Pointer to store the second output of the operation.
*/
void (*doit)(uint8_t **buf, size_t *len, void *in1, void *in2,
void **out1, void **out2);
/**
* @brief Function pointer for cleaning up after the operation.
*
* @param in1 First input parameter to be cleaned up.
* @param in2 Second input parameter to be cleaned up.
* @param out1 First output parameter to be cleaned up.
* @param out2 Second output parameter to be cleaned up.
*/
void (*cleanup)(void *in1, void *in2, void *out1, void *out2);
};
static struct op_table_entry ops[] = {
{
"Generate SLH-DSA keys",
slh_dsa_gen_keys,
NULL,
slh_dsa_clean_keys
}, {
"Generate SLH-DSA keys with params",
slh_dsa_gen_key_with_params,
NULL,
slh_dsa_clean_keys
}, {
"SLH-DSA Export/Import",
slh_dsa_gen_keys,
slh_dsa_export_import,
slh_dsa_clean_keys
}, {
"SLH-DSA sign and verify",
NULL,
slh_dsa_sign_verify,
slh_dsa_clean_keys
}
};
int FuzzerInitialize(int *argc, char ***argv)
{
return 0;
}
/**
* @brief Processes a fuzzing input by selecting and executing an operation.
*
* This function interprets the first byte of the input buffer to determine
* an operation to execute. It then follows a setup, execution, and cleanup
* sequence based on the selected operation.
*
* @param buf Pointer to the input buffer.
* @param len Length of the input buffer.
*
* @return 0 on successful execution, -1 if the input is too short.
*
* @note The function requires at least 32 bytes in the buffer to proceed.
* It utilizes the `ops` operation table to dynamically determine and
* execute the selected operation.
*/
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
uint8_t operation;
uint8_t *buffer_cursor;
void *in1 = NULL, *in2 = NULL;
void *out1 = NULL, *out2 = NULL;
if (len < 32)
return -1;
/*
* Get the first byte of the buffer to tell us what operation
* to preform
*/
buffer_cursor = consume_uint8t(buf, &len, &operation);
if (buffer_cursor == NULL)
return -1;
/*
* Adjust for operational array size
*/
operation %= OSSL_NELEM(ops);
/*
* And run our setup/doit/cleanup sequence
*/
if (ops[operation].setup != NULL)
ops[operation].setup(&buffer_cursor, &len, &in1, &in2);
if (ops[operation].doit != NULL)
ops[operation].doit(&buffer_cursor, &len, in1, in2, &out1, &out2);
if (ops[operation].cleanup != NULL)
ops[operation].cleanup(in1, in2, out1, out2);
return 0;
}
void FuzzerCleanup(void)
{
OPENSSL_cleanup();
}
Reference in a new issue View git blame Copy permalink