1 /*
2 * Copyright (c) 2019-2022 Yubico AB. All rights reserved.
3 * Use of this source code is governed by a BSD-style
4 * license that can be found in the LICENSE file.
5 * SPDX-License-Identifier: BSD-2-Clause
6 */
7
8 #include <sys/types.h>
9 #include <sys/random.h>
10 #include <sys/socket.h>
11
12 #include <openssl/bn.h>
13 #include <openssl/evp.h>
14 #include <openssl/sha.h>
15
16 #include <cbor.h>
17 #include <stdbool.h>
18 #include <stdint.h>
19 #include <stdio.h>
20 #include <stdlib.h>
21 #include <zlib.h>
22
23 #include "mutator_aux.h"
24
25 extern int prng_up;
26
27 int fuzz_save_corpus;
28
29 /*
30 * Build wrappers around functions of interest, and have them fail
31 * in a pseudo-random manner. A uniform probability of 0.25% (1/400)
32 * allows for a depth of log(0.5)/log(399/400) > 276 operations
33 * before simulated errors become statistically more likely.
34 */
35
36 #define WRAP(type, name, args, retval, param, prob) \
37 extern type __wrap_##name args; \
38 extern type __real_##name args; \
39 type __wrap_##name args { \
40 if (prng_up && uniform_random(400) < (prob)) { \
41 return (retval); \
42 } \
43 \
44 return (__real_##name param); \
45 }
46
47 WRAP(void *,
48 malloc,
49 (size_t size),
50 NULL,
51 (size),
52 1
53 )
54
55 WRAP(void *,
56 calloc,
57 (size_t nmemb, size_t size),
58 NULL,
59 (nmemb, size),
60 1
61 )
62
63 WRAP(void *,
64 realloc,
65 (void *ptr, size_t size),
66 NULL,
67 (ptr, size),
68 1
69 )
70
71 WRAP(char *,
72 strdup,
73 (const char *s),
74 NULL,
75 (s),
76 1
77 )
78
79 WRAP(ssize_t,
80 getrandom,
81 (void *buf, size_t buflen, unsigned int flags),
82 -1,
83 (buf, buflen, flags),
84 1
85 )
86
87 WRAP(int,
88 EVP_Cipher,
89 (EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in,
90 unsigned int inl),
91 -1,
92 (ctx, out, in, inl),
93 1
94 )
95
96 WRAP(int,
97 EVP_CIPHER_CTX_ctrl,
98 (EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr),
99 0,
100 (ctx, type, arg, ptr),
101 1
102 )
103
104 WRAP(EVP_CIPHER_CTX *,
105 EVP_CIPHER_CTX_new,
106 (void),
107 NULL,
108 (),
109 1
110 )
111
112 WRAP(int,
113 EVP_CipherInit,
114 (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher,
115 const unsigned char *key, const unsigned char *iv, int enc),
116 0,
117 (ctx, cipher, key, iv, enc),
118 1
119 )
120
121 WRAP(RSA *,
122 EVP_PKEY_get0_RSA,
123 (EVP_PKEY *pkey),
124 NULL,
125 (pkey),
126 1
127 )
128
129 WRAP(EC_KEY *,
130 EVP_PKEY_get0_EC_KEY,
131 (EVP_PKEY *pkey),
132 NULL,
133 (pkey),
134 1
135 )
136
137 WRAP(int,
138 EVP_PKEY_get_raw_public_key,
139 (const EVP_PKEY *pkey, unsigned char *pub, size_t *len),
140 0,
141 (pkey, pub, len),
142 1
143 )
144
145 WRAP(EVP_MD_CTX *,
146 EVP_MD_CTX_new,
147 (void),
148 NULL,
149 (),
150 1
151 )
152
153 WRAP(int,
154 EVP_DigestVerifyInit,
155 (EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e,
156 EVP_PKEY *pkey),
157 0,
158 (ctx, pctx, type, e, pkey),
159 1
160 )
161
162 WRAP(int,
163 EVP_DigestInit_ex,
164 (EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl),
165 0,
166 (ctx, type, impl),
167 1
168 )
169
170 WRAP(int,
171 EVP_DigestUpdate,
172 (EVP_MD_CTX *ctx, const void *data, size_t count),
173 0,
174 (ctx, data, count),
175 1
176 )
177
178 WRAP(int,
179 EVP_DigestFinal_ex,
180 (EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize),
181 0,
182 (ctx, md, isize),
183 1
184 )
185
186 WRAP(BIGNUM *,
187 BN_bin2bn,
188 (const unsigned char *s, int len, BIGNUM *ret),
189 NULL,
190 (s, len, ret),
191 1
192 )
193
194 WRAP(int,
195 BN_bn2bin,
196 (const BIGNUM *a, unsigned char *to),
197 -1,
198 (a, to),
199 1
200 )
201
202 WRAP(BIGNUM *,
203 BN_CTX_get,
204 (BN_CTX *ctx),
205 NULL,
206 (ctx),
207 1
208 )
209
210 WRAP(BN_CTX *,
211 BN_CTX_new,
212 (void),
213 NULL,
214 (),
215 1
216 )
217
218 WRAP(BIGNUM *,
219 BN_new,
220 (void),
221 NULL,
222 (),
223 1
224 )
225
226 WRAP(RSA *,
227 RSA_new,
228 (void),
229 NULL,
230 (),
231 1
232 )
233
234 WRAP(int,
235 RSA_set0_key,
236 (RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d),
237 0,
238 (r, n, e, d),
239 1
240 )
241
242 WRAP(int,
243 RSA_pkey_ctx_ctrl,
244 (EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2),
245 -1,
246 (ctx, optype, cmd, p1, p2),
247 1
248 )
249
250 WRAP(EC_KEY *,
251 EC_KEY_new_by_curve_name,
252 (int nid),
253 NULL,
254 (nid),
255 1
256 )
257
258 WRAP(const EC_GROUP *,
259 EC_KEY_get0_group,
260 (const EC_KEY *key),
261 NULL,
262 (key),
263 1
264 )
265
266 WRAP(const BIGNUM *,
267 EC_KEY_get0_private_key,
268 (const EC_KEY *key),
269 NULL,
270 (key),
271 1
272 )
273
274 WRAP(EC_POINT *,
275 EC_POINT_new,
276 (const EC_GROUP *group),
277 NULL,
278 (group),
279 1
280 )
281
282 WRAP(int,
283 EC_POINT_get_affine_coordinates_GFp,
284 (const EC_GROUP *group, const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx),
285 0,
286 (group, p, x, y, ctx),
287 1
288 )
289
290 WRAP(EVP_PKEY *,
291 EVP_PKEY_new,
292 (void),
293 NULL,
294 (),
295 1
296 )
297
298 WRAP(int,
299 EVP_PKEY_assign,
300 (EVP_PKEY *pkey, int type, void *key),
301 0,
302 (pkey, type, key),
303 1
304 )
305
306 WRAP(int,
307 EVP_PKEY_keygen_init,
308 (EVP_PKEY_CTX *ctx),
309 0,
310 (ctx),
311 1
312 )
313
314 WRAP(int,
315 EVP_PKEY_keygen,
316 (EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey),
317 0,
318 (ctx, ppkey),
319 1
320 )
321
322 WRAP(int,
323 EVP_PKEY_paramgen_init,
324 (EVP_PKEY_CTX *ctx),
325 0,
326 (ctx),
327 1
328 )
329
330 WRAP(int,
331 EVP_PKEY_paramgen,
332 (EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey),
333 0,
334 (ctx, ppkey),
335 1
336 )
337
338 WRAP(EVP_PKEY *,
339 EVP_PKEY_new_raw_public_key,
340 (int type, ENGINE *e, const unsigned char *key, size_t keylen),
341 NULL,
342 (type, e, key, keylen),
343 1
344 )
345
346 WRAP(EVP_PKEY_CTX *,
347 EVP_PKEY_CTX_new,
348 (EVP_PKEY *pkey, ENGINE *e),
349 NULL,
350 (pkey, e),
351 1
352 )
353
354 WRAP(EVP_PKEY_CTX *,
355 EVP_PKEY_CTX_new_id,
356 (int id, ENGINE *e),
357 NULL,
358 (id, e),
359 1
360 )
361
362 WRAP(int,
363 EVP_PKEY_derive,
364 (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *pkeylen),
365 0,
366 (ctx, key, pkeylen),
367 1
368 )
369
370 WRAP(int,
371 EVP_PKEY_derive_init,
372 (EVP_PKEY_CTX *ctx),
373 0,
374 (ctx),
375 1
376 )
377
378 WRAP(int,
379 EVP_PKEY_derive_set_peer,
380 (EVP_PKEY_CTX *ctx, EVP_PKEY *peer),
381 0,
382 (ctx, peer),
383 1
384 )
385
386 WRAP(int,
387 EVP_PKEY_verify_init,
388 (EVP_PKEY_CTX *ctx),
389 0,
390 (ctx),
391 1
392 )
393
394 WRAP(int,
395 EVP_PKEY_CTX_ctrl,
396 (EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd, int p1, void *p2),
397 -1,
398 (ctx, keytype, optype, cmd, p1, p2),
399 1
400 )
401
402 WRAP(const EVP_MD *,
403 EVP_sha1,
404 (void),
405 NULL,
406 (),
407 1
408 )
409
410 WRAP(const EVP_MD *,
411 EVP_sha256,
412 (void),
413 NULL,
414 (),
415 1
416 )
417
418 WRAP(const EVP_CIPHER *,
419 EVP_aes_256_cbc,
420 (void),
421 NULL,
422 (),
423 1
424 )
425
426 WRAP(const EVP_CIPHER *,
427 EVP_aes_256_gcm,
428 (void),
429 NULL,
430 (),
431 1
432 )
433
434 WRAP(unsigned char *,
435 HMAC,
436 (const EVP_MD *evp_md, const void *key, int key_len,
437 const unsigned char *d, int n, unsigned char *md,
438 unsigned int *md_len),
439 NULL,
440 (evp_md, key, key_len, d, n, md, md_len),
441 1
442 )
443
444 WRAP(HMAC_CTX *,
445 HMAC_CTX_new,
446 (void),
447 NULL,
448 (),
449 1
450 )
451
452 WRAP(int,
453 HMAC_Init_ex,
454 (HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md,
455 ENGINE *impl),
456 0,
457 (ctx, key, key_len, md, impl),
458 1
459 )
460
461 WRAP(int,
462 HMAC_Update,
463 (HMAC_CTX *ctx, const unsigned char *data, int len),
464 0,
465 (ctx, data, len),
466 1
467 )
468
469 WRAP(int,
470 HMAC_Final,
471 (HMAC_CTX *ctx, unsigned char *md, unsigned int *len),
472 0,
473 (ctx, md, len),
474 1
475 )
476
477 WRAP(unsigned char *,
478 SHA1,
479 (const unsigned char *d, size_t n, unsigned char *md),
480 NULL,
481 (d, n, md),
482 1
483 )
484
485 WRAP(unsigned char *,
486 SHA256,
487 (const unsigned char *d, size_t n, unsigned char *md),
488 NULL,
489 (d, n, md),
490 1
491 )
492
493 WRAP(cbor_item_t *,
494 cbor_build_string,
495 (const char *val),
496 NULL,
497 (val),
498 1
499 )
500
501 WRAP(cbor_item_t *,
502 cbor_build_bytestring,
503 (cbor_data handle, size_t length),
504 NULL,
505 (handle, length),
506 1
507 )
508
509 WRAP(cbor_item_t *,
510 cbor_build_bool,
511 (bool value),
512 NULL,
513 (value),
514 1
515 )
516
517 WRAP(cbor_item_t *,
518 cbor_build_negint8,
519 (uint8_t value),
520 NULL,
521 (value),
522 1
523 )
524
525 WRAP(cbor_item_t *,
526 cbor_build_negint16,
527 (uint16_t value),
528 NULL,
529 (value),
530 1
531 )
532
533 WRAP(cbor_item_t *,
534 cbor_load,
535 (cbor_data source, size_t source_size, struct cbor_load_result *result),
536 NULL,
537 (source, source_size, result),
538 1
539 )
540
541 WRAP(cbor_item_t *,
542 cbor_build_uint8,
543 (uint8_t value),
544 NULL,
545 (value),
546 1
547 )
548
549 WRAP(cbor_item_t *,
550 cbor_build_uint16,
551 (uint16_t value),
552 NULL,
553 (value),
554 1
555 )
556
557 WRAP(cbor_item_t *,
558 cbor_build_uint32,
559 (uint32_t value),
560 NULL,
561 (value),
562 1
563 )
564
565 WRAP(cbor_item_t *,
566 cbor_build_uint64,
567 (uint64_t value),
568 NULL,
569 (value),
570 1
571 )
572
573 WRAP(struct cbor_pair *,
574 cbor_map_handle,
575 (const cbor_item_t *item),
576 NULL,
577 (item),
578 1
579 )
580
581 WRAP(cbor_item_t **,
582 cbor_array_handle,
583 (const cbor_item_t *item),
584 NULL,
585 (item),
586 1
587 )
588
589 WRAP(bool,
590 cbor_array_push,
591 (cbor_item_t *array, cbor_item_t *pushee),
592 false,
593 (array, pushee),
594 1
595 )
596
597 WRAP(bool,
598 cbor_map_add,
599 (cbor_item_t *item, struct cbor_pair pair),
600 false,
601 (item, pair),
602 1
603 )
604
605 WRAP(cbor_item_t *,
606 cbor_new_definite_map,
607 (size_t size),
608 NULL,
609 (size),
610 1
611 )
612
613 WRAP(cbor_item_t *,
614 cbor_new_definite_array,
615 (size_t size),
616 NULL,
617 (size),
618 1
619 )
620
621 WRAP(cbor_item_t *,
622 cbor_new_definite_bytestring,
623 (void),
624 NULL,
625 (),
626 1
627 )
628
629 WRAP(size_t,
630 cbor_serialize_alloc,
631 (const cbor_item_t *item, cbor_mutable_data *buffer,
632 size_t *buffer_size),
633 0,
634 (item, buffer, buffer_size),
635 1
636 )
637
638 WRAP(int,
639 fido_tx,
640 (fido_dev_t *d, uint8_t cmd, const void *buf, size_t count, int *ms),
641 -1,
642 (d, cmd, buf, count, ms),
643 1
644 )
645
646 WRAP(int,
647 bind,
648 (int sockfd, const struct sockaddr *addr, socklen_t addrlen),
649 -1,
650 (sockfd, addr, addrlen),
651 1
652 )
653
654 WRAP(int,
655 deflateInit2_,
656 (z_streamp strm, int level, int method, int windowBits, int memLevel,
657 int strategy, const char *version, int stream_size),
658 Z_STREAM_ERROR,
659 (strm, level, method, windowBits, memLevel, strategy, version,
660 stream_size),
661 1
662 )
663
664 int __wrap_deflate(z_streamp, int);
665 int __real_deflate(z_streamp, int);
666
667 int
__wrap_deflate(z_streamp strm,int flush)668 __wrap_deflate(z_streamp strm, int flush)
669 {
670 if (prng_up && uniform_random(400) < 1) {
671 return Z_BUF_ERROR;
672 }
673 /* should never happen, but we check for it */
674 if (prng_up && uniform_random(400) < 1) {
675 strm->avail_out = UINT_MAX;
676 return Z_STREAM_END;
677 }
678
679 return __real_deflate(strm, flush);
680 }
681
682 int __wrap_asprintf(char **, const char *, ...);
683
684 int
__wrap_asprintf(char ** strp,const char * fmt,...)685 __wrap_asprintf(char **strp, const char *fmt, ...)
686 {
687 va_list ap;
688 int r;
689
690 if (prng_up && uniform_random(400) < 1) {
691 *strp = (void *)0xdeadbeef;
692 return -1;
693 }
694
695 va_start(ap, fmt);
696 r = vasprintf(strp, fmt, ap);
697 va_end(ap);
698
699 return r;
700 }
701