1 /* -*- mode: c; c-basic-offset: 4; indent-tabs-mode: nil -*- */
2 /* tests/fuzzing/fuzz_des.c - fuzzing harness for DES functions */
3 /*
4 * Copyright (C) 2024 by Arjun. All rights reserved.
5 *
6 * Redistribution and use in source and binary forms, with or without
7 * modification, are permitted provided that the following conditions
8 * are met:
9 *
10 * * Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 *
13 * * Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in
15 * the documentation and/or other materials provided with the
16 * distribution.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
19 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
20 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
21 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
22 * COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT,
23 * INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
24 * (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
25 * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
27 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
28 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
29 * OF THE POSSIBILITY OF SUCH DAMAGE.
30 */
31
32 #include "autoconf.h"
33 #include <k5-int.h>
34 #include <des_int.h>
35
36 #include <f_cbc.c>
37
38 #define kMinInputLength 32
39 #define kMaxInputLength 128
40
41 extern int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size);
42
43 uint8_t default_ivec[8] = { 0x12, 0x34, 0x56, 0x78, 0x90, 0xAB, 0xCD, 0xEF };
44
45 static void
fuzz_des(uint8_t * input,mit_des_key_schedule sched)46 fuzz_des(uint8_t *input, mit_des_key_schedule sched)
47 {
48 uint8_t encrypt[8], decrypt[8];
49
50 mit_des_cbc_encrypt((const mit_des_cblock *)input,
51 (mit_des_cblock *)encrypt, 8,
52 sched, default_ivec, MIT_DES_ENCRYPT);
53
54 mit_des_cbc_encrypt((const mit_des_cblock *)encrypt,
55 (mit_des_cblock *)decrypt, 8,
56 sched, default_ivec, MIT_DES_DECRYPT);
57
58 if (memcmp(input, decrypt, 8) != 0)
59 abort();
60 }
61
62 static void
fuzz_decrypt(uint8_t * input,mit_des_key_schedule sched)63 fuzz_decrypt(uint8_t *input, mit_des_key_schedule sched)
64 {
65 uint8_t output[8];
66
67 mit_des_cbc_encrypt((const mit_des_cblock *)input,
68 (mit_des_cblock *)output, 8,
69 sched, default_ivec, MIT_DES_DECRYPT);
70 }
71
72 static void
fuzz_cksum(uint8_t * input,mit_des_key_schedule sched)73 fuzz_cksum(uint8_t *input, mit_des_key_schedule sched)
74 {
75 uint8_t output[8];
76
77 mit_des_cbc_cksum(input, output, 8, sched, default_ivec);
78 }
79
80 int
LLVMFuzzerTestOneInput(const uint8_t * data,size_t size)81 LLVMFuzzerTestOneInput(const uint8_t *data, size_t size)
82 {
83 krb5_error_code ret;
84 mit_des_key_schedule sched;
85 uint8_t *data_in, input[8];
86
87 if (size < kMinInputLength || size > kMaxInputLength)
88 return 0;
89
90 memcpy(input, data, 8);
91 ret = mit_des_key_sched(input, sched);
92 if (ret)
93 return 0;
94
95 memcpy(input, data + 8, 8);
96 fuzz_des(input, sched);
97
98 memcpy(input, data + 16, 8);
99 fuzz_decrypt(input, sched);
100
101 data_in = k5memdup(data + 24, size - 24, &ret);
102 if (ret)
103 return 0;
104
105 fuzz_cksum(data_in, sched);
106 free(data_in);
107
108 return 0;
109 }
110