1/* 2 * Copyright (c) 2019-2022 Yubico AB. All rights reserved. 3 * Use of this source code is governed by a BSD-style 4 * license that can be found in the LICENSE file. 5 * SPDX-License-Identifier: BSD-2-Clause 6 */ 7 8#include <sys/types.h> 9#include <sys/random.h> 10#include <sys/socket.h> 11 12#include <openssl/bn.h> 13#include <openssl/evp.h> 14#include <openssl/sha.h> 15 16#include <cbor.h> 17#include <stdbool.h> 18#include <stdint.h> 19#include <stdio.h> 20#include <stdlib.h> 21#include <zlib.h> 22 23#include "mutator_aux.h" 24 25extern int prng_up; 26 27int fuzz_save_corpus; 28 29/* 30 * Build wrappers around functions of interest, and have them fail 31 * in a pseudo-random manner. A uniform probability of 0.25% (1/400) 32 * allows for a depth of log(0.5)/log(399/400) > 276 operations 33 * before simulated errors become statistically more likely. 34 */ 35 36#define WRAP(type, name, args, retval, param, prob) \ 37extern type __wrap_##name args; \ 38extern type __real_##name args; \ 39type __wrap_##name args { \ 40 if (prng_up && uniform_random(400) < (prob)) { \ 41 return (retval); \ 42 } \ 43 \ 44 return (__real_##name param); \ 45} 46 47WRAP(void *, 48 malloc, 49 (size_t size), 50 NULL, 51 (size), 52 1 53) 54 55WRAP(void *, 56 calloc, 57 (size_t nmemb, size_t size), 58 NULL, 59 (nmemb, size), 60 1 61) 62 63WRAP(void *, 64 realloc, 65 (void *ptr, size_t size), 66 NULL, 67 (ptr, size), 68 1 69) 70 71WRAP(char *, 72 strdup, 73 (const char *s), 74 NULL, 75 (s), 76 1 77) 78 79WRAP(ssize_t, 80 getrandom, 81 (void *buf, size_t buflen, unsigned int flags), 82 -1, 83 (buf, buflen, flags), 84 1 85) 86 87WRAP(int, 88 EVP_Cipher, 89 (EVP_CIPHER_CTX *ctx, unsigned char *out, const unsigned char *in, 90 unsigned int inl), 91 -1, 92 (ctx, out, in, inl), 93 1 94) 95 96WRAP(int, 97 EVP_CIPHER_CTX_ctrl, 98 (EVP_CIPHER_CTX *ctx, int type, int arg, void *ptr), 99 0, 100 (ctx, type, arg, ptr), 101 1 102) 103 104WRAP(EVP_CIPHER_CTX *, 105 EVP_CIPHER_CTX_new, 106 (void), 107 NULL, 108 (), 109 1 110) 111 112WRAP(int, 113 EVP_CipherInit, 114 (EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, 115 const unsigned char *key, const unsigned char *iv, int enc), 116 0, 117 (ctx, cipher, key, iv, enc), 118 1 119) 120 121WRAP(RSA *, 122 EVP_PKEY_get0_RSA, 123 (EVP_PKEY *pkey), 124 NULL, 125 (pkey), 126 1 127) 128 129WRAP(EC_KEY *, 130 EVP_PKEY_get0_EC_KEY, 131 (EVP_PKEY *pkey), 132 NULL, 133 (pkey), 134 1 135) 136 137WRAP(int, 138 EVP_PKEY_get_raw_public_key, 139 (const EVP_PKEY *pkey, unsigned char *pub, size_t *len), 140 0, 141 (pkey, pub, len), 142 1 143) 144 145WRAP(EVP_MD_CTX *, 146 EVP_MD_CTX_new, 147 (void), 148 NULL, 149 (), 150 1 151) 152 153WRAP(int, 154 EVP_DigestVerifyInit, 155 (EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, const EVP_MD *type, ENGINE *e, 156 EVP_PKEY *pkey), 157 0, 158 (ctx, pctx, type, e, pkey), 159 1 160) 161 162WRAP(int, 163 EVP_DigestInit_ex, 164 (EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl), 165 0, 166 (ctx, type, impl), 167 1 168) 169 170WRAP(int, 171 EVP_DigestUpdate, 172 (EVP_MD_CTX *ctx, const void *data, size_t count), 173 0, 174 (ctx, data, count), 175 1 176) 177 178WRAP(int, 179 EVP_DigestFinal_ex, 180 (EVP_MD_CTX *ctx, unsigned char *md, unsigned int *isize), 181 0, 182 (ctx, md, isize), 183 1 184) 185 186WRAP(BIGNUM *, 187 BN_bin2bn, 188 (const unsigned char *s, int len, BIGNUM *ret), 189 NULL, 190 (s, len, ret), 191 1 192) 193 194WRAP(int, 195 BN_bn2bin, 196 (const BIGNUM *a, unsigned char *to), 197 -1, 198 (a, to), 199 1 200) 201 202WRAP(BIGNUM *, 203 BN_CTX_get, 204 (BN_CTX *ctx), 205 NULL, 206 (ctx), 207 1 208) 209 210WRAP(BN_CTX *, 211 BN_CTX_new, 212 (void), 213 NULL, 214 (), 215 1 216) 217 218WRAP(BIGNUM *, 219 BN_new, 220 (void), 221 NULL, 222 (), 223 1 224) 225 226WRAP(RSA *, 227 RSA_new, 228 (void), 229 NULL, 230 (), 231 1 232) 233 234WRAP(int, 235 RSA_set0_key, 236 (RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d), 237 0, 238 (r, n, e, d), 239 1 240) 241 242WRAP(int, 243 RSA_pkey_ctx_ctrl, 244 (EVP_PKEY_CTX *ctx, int optype, int cmd, int p1, void *p2), 245 -1, 246 (ctx, optype, cmd, p1, p2), 247 1 248) 249 250WRAP(EC_KEY *, 251 EC_KEY_new_by_curve_name, 252 (int nid), 253 NULL, 254 (nid), 255 1 256) 257 258WRAP(const EC_GROUP *, 259 EC_KEY_get0_group, 260 (const EC_KEY *key), 261 NULL, 262 (key), 263 1 264) 265 266WRAP(const BIGNUM *, 267 EC_KEY_get0_private_key, 268 (const EC_KEY *key), 269 NULL, 270 (key), 271 1 272) 273 274WRAP(EC_POINT *, 275 EC_POINT_new, 276 (const EC_GROUP *group), 277 NULL, 278 (group), 279 1 280) 281 282WRAP(int, 283 EC_POINT_get_affine_coordinates_GFp, 284 (const EC_GROUP *group, const EC_POINT *p, BIGNUM *x, BIGNUM *y, BN_CTX *ctx), 285 0, 286 (group, p, x, y, ctx), 287 1 288) 289 290WRAP(EVP_PKEY *, 291 EVP_PKEY_new, 292 (void), 293 NULL, 294 (), 295 1 296) 297 298WRAP(int, 299 EVP_PKEY_assign, 300 (EVP_PKEY *pkey, int type, void *key), 301 0, 302 (pkey, type, key), 303 1 304) 305 306WRAP(int, 307 EVP_PKEY_keygen_init, 308 (EVP_PKEY_CTX *ctx), 309 0, 310 (ctx), 311 1 312) 313 314WRAP(int, 315 EVP_PKEY_keygen, 316 (EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey), 317 0, 318 (ctx, ppkey), 319 1 320) 321 322WRAP(int, 323 EVP_PKEY_paramgen_init, 324 (EVP_PKEY_CTX *ctx), 325 0, 326 (ctx), 327 1 328) 329 330WRAP(int, 331 EVP_PKEY_paramgen, 332 (EVP_PKEY_CTX *ctx, EVP_PKEY **ppkey), 333 0, 334 (ctx, ppkey), 335 1 336) 337 338WRAP(EVP_PKEY *, 339 EVP_PKEY_new_raw_public_key, 340 (int type, ENGINE *e, const unsigned char *key, size_t keylen), 341 NULL, 342 (type, e, key, keylen), 343 1 344) 345 346WRAP(EVP_PKEY_CTX *, 347 EVP_PKEY_CTX_new, 348 (EVP_PKEY *pkey, ENGINE *e), 349 NULL, 350 (pkey, e), 351 1 352) 353 354WRAP(EVP_PKEY_CTX *, 355 EVP_PKEY_CTX_new_id, 356 (int id, ENGINE *e), 357 NULL, 358 (id, e), 359 1 360) 361 362WRAP(int, 363 EVP_PKEY_derive, 364 (EVP_PKEY_CTX *ctx, unsigned char *key, size_t *pkeylen), 365 0, 366 (ctx, key, pkeylen), 367 1 368) 369 370WRAP(int, 371 EVP_PKEY_derive_init, 372 (EVP_PKEY_CTX *ctx), 373 0, 374 (ctx), 375 1 376) 377 378WRAP(int, 379 EVP_PKEY_derive_set_peer, 380 (EVP_PKEY_CTX *ctx, EVP_PKEY *peer), 381 0, 382 (ctx, peer), 383 1 384) 385 386WRAP(int, 387 EVP_PKEY_verify_init, 388 (EVP_PKEY_CTX *ctx), 389 0, 390 (ctx), 391 1 392) 393 394WRAP(int, 395 EVP_PKEY_CTX_ctrl, 396 (EVP_PKEY_CTX *ctx, int keytype, int optype, int cmd, int p1, void *p2), 397 -1, 398 (ctx, keytype, optype, cmd, p1, p2), 399 1 400) 401 402WRAP(const EVP_MD *, 403 EVP_sha1, 404 (void), 405 NULL, 406 (), 407 1 408) 409 410WRAP(const EVP_MD *, 411 EVP_sha256, 412 (void), 413 NULL, 414 (), 415 1 416) 417 418WRAP(const EVP_CIPHER *, 419 EVP_aes_256_cbc, 420 (void), 421 NULL, 422 (), 423 1 424) 425 426WRAP(const EVP_CIPHER *, 427 EVP_aes_256_gcm, 428 (void), 429 NULL, 430 (), 431 1 432) 433 434WRAP(unsigned char *, 435 HMAC, 436 (const EVP_MD *evp_md, const void *key, int key_len, 437 const unsigned char *d, int n, unsigned char *md, 438 unsigned int *md_len), 439 NULL, 440 (evp_md, key, key_len, d, n, md, md_len), 441 1 442) 443 444WRAP(HMAC_CTX *, 445 HMAC_CTX_new, 446 (void), 447 NULL, 448 (), 449 1 450) 451 452WRAP(int, 453 HMAC_Init_ex, 454 (HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md, 455 ENGINE *impl), 456 0, 457 (ctx, key, key_len, md, impl), 458 1 459) 460 461WRAP(int, 462 HMAC_Update, 463 (HMAC_CTX *ctx, const unsigned char *data, int len), 464 0, 465 (ctx, data, len), 466 1 467) 468 469WRAP(int, 470 HMAC_Final, 471 (HMAC_CTX *ctx, unsigned char *md, unsigned int *len), 472 0, 473 (ctx, md, len), 474 1 475) 476 477WRAP(unsigned char *, 478 SHA1, 479 (const unsigned char *d, size_t n, unsigned char *md), 480 NULL, 481 (d, n, md), 482 1 483) 484 485WRAP(unsigned char *, 486 SHA256, 487 (const unsigned char *d, size_t n, unsigned char *md), 488 NULL, 489 (d, n, md), 490 1 491) 492 493WRAP(cbor_item_t *, 494 cbor_build_string, 495 (const char *val), 496 NULL, 497 (val), 498 1 499) 500 501WRAP(cbor_item_t *, 502 cbor_build_bytestring, 503 (cbor_data handle, size_t length), 504 NULL, 505 (handle, length), 506 1 507) 508 509WRAP(cbor_item_t *, 510 cbor_build_bool, 511 (bool value), 512 NULL, 513 (value), 514 1 515) 516 517WRAP(cbor_item_t *, 518 cbor_build_negint8, 519 (uint8_t value), 520 NULL, 521 (value), 522 1 523) 524 525WRAP(cbor_item_t *, 526 cbor_build_negint16, 527 (uint16_t value), 528 NULL, 529 (value), 530 1 531) 532 533WRAP(cbor_item_t *, 534 cbor_load, 535 (cbor_data source, size_t source_size, struct cbor_load_result *result), 536 NULL, 537 (source, source_size, result), 538 1 539) 540 541WRAP(cbor_item_t *, 542 cbor_build_uint8, 543 (uint8_t value), 544 NULL, 545 (value), 546 1 547) 548 549WRAP(cbor_item_t *, 550 cbor_build_uint16, 551 (uint16_t value), 552 NULL, 553 (value), 554 1 555) 556 557WRAP(cbor_item_t *, 558 cbor_build_uint32, 559 (uint32_t value), 560 NULL, 561 (value), 562 1 563) 564 565WRAP(cbor_item_t *, 566 cbor_build_uint64, 567 (uint64_t value), 568 NULL, 569 (value), 570 1 571) 572 573WRAP(struct cbor_pair *, 574 cbor_map_handle, 575 (const cbor_item_t *item), 576 NULL, 577 (item), 578 1 579) 580 581WRAP(cbor_item_t **, 582 cbor_array_handle, 583 (const cbor_item_t *item), 584 NULL, 585 (item), 586 1 587) 588 589WRAP(bool, 590 cbor_array_push, 591 (cbor_item_t *array, cbor_item_t *pushee), 592 false, 593 (array, pushee), 594 1 595) 596 597WRAP(bool, 598 cbor_map_add, 599 (cbor_item_t *item, struct cbor_pair pair), 600 false, 601 (item, pair), 602 1 603) 604 605WRAP(cbor_item_t *, 606 cbor_new_definite_map, 607 (size_t size), 608 NULL, 609 (size), 610 1 611) 612 613WRAP(cbor_item_t *, 614 cbor_new_definite_array, 615 (size_t size), 616 NULL, 617 (size), 618 1 619) 620 621WRAP(cbor_item_t *, 622 cbor_new_definite_bytestring, 623 (void), 624 NULL, 625 (), 626 1 627) 628 629WRAP(size_t, 630 cbor_serialize_alloc, 631 (const cbor_item_t *item, cbor_mutable_data *buffer, 632 size_t *buffer_size), 633 0, 634 (item, buffer, buffer_size), 635 1 636) 637 638WRAP(int, 639 fido_tx, 640 (fido_dev_t *d, uint8_t cmd, const void *buf, size_t count, int *ms), 641 -1, 642 (d, cmd, buf, count, ms), 643 1 644) 645 646WRAP(int, 647 bind, 648 (int sockfd, const struct sockaddr *addr, socklen_t addrlen), 649 -1, 650 (sockfd, addr, addrlen), 651 1 652) 653 654WRAP(int, 655 deflateInit2_, 656 (z_streamp strm, int level, int method, int windowBits, int memLevel, 657 int strategy, const char *version, int stream_size), 658 Z_STREAM_ERROR, 659 (strm, level, method, windowBits, memLevel, strategy, version, 660 stream_size), 661 1 662) 663 664int __wrap_deflate(z_streamp, int); 665int __real_deflate(z_streamp, int); 666 667int 668__wrap_deflate(z_streamp strm, int flush) 669{ 670 if (prng_up && uniform_random(400) < 1) { 671 return Z_BUF_ERROR; 672 } 673 /* should never happen, but we check for it */ 674 if (prng_up && uniform_random(400) < 1) { 675 strm->avail_out = UINT_MAX; 676 return Z_STREAM_END; 677 } 678 679 return __real_deflate(strm, flush); 680} 681 682int __wrap_asprintf(char **, const char *, ...); 683 684int 685__wrap_asprintf(char **strp, const char *fmt, ...) 686{ 687 va_list ap; 688 int r; 689 690 if (prng_up && uniform_random(400) < 1) { 691 *strp = (void *)0xdeadbeef; 692 return -1; 693 } 694 695 va_start(ap, fmt); 696 r = vasprintf(strp, fmt, ap); 697 va_end(ap); 698 699 return r; 700} 701