Merge pull request #5533 from paul-elliott-arm/fix_fuzz_privkey_null_ctx

Fix null context when using dummy_rand with mbedtls_pk_parse_key()
author: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com> 2022-02-16 09:55:01 +0100
committer: GitHub <noreply@github.com> 2022-02-16 09:55:01 +0100
commit: 6d2479516c8373ed8a335f664ee4e05c4d12dd62 (patch)
tree: 108bae5ffe39fba9316dbb704207d7c457f4583e /programs/fuzz
parent: a7a1deabf8537e7f13b99025727480155b2adcba (diff)
parent: 5d7e61fb61b1ca174827b0a71a6cef1fec0c91af (diff)
download: mbedtls-6d2479516c8373ed8a335f664ee4e05c4d12dd62.zip
mbedtls-6d2479516c8373ed8a335f664ee4e05c4d12dd62.tar.gz
mbedtls-6d2479516c8373ed8a335f664ee4e05c4d12dd62.tar.bz2
3 files changed, 34 insertions, 13 deletions
diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c
index e12ee3b..4d58402 100644
--- a/programs/fuzz/common.c
+++ b/programs/fuzz/common.c
@@ -60,8 +60,14 @@ int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
     size_t i;
 
 #if defined(MBEDTLS_CTR_DRBG_C)
-    //use mbedtls_ctr_drbg_random to find bugs in it
-    ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
+    //mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng
+    if( p_rng != NULL ) {
+        //use mbedtls_ctr_drbg_random to find bugs in it
+        ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
+    } else {
+        //fall through to pseudo-random
+        ret = 0;
+    }
 #else
     (void) p_rng;
     ret = 0;
diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c
index 9a6e894..1aa757c 100644
--- a/programs/fuzz/fuzz_dtlsserver.c
+++ b/programs/fuzz/fuzz_dtlsserver.c
@@ -44,6 +44,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
     unsigned char buf[4096];
     fuzzBufferOffset_t biomemfuzz;
 
+    mbedtls_ctr_drbg_init( &ctr_drbg );
+    mbedtls_entropy_init( &entropy );
+
+    if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
+                               ( const unsigned char * ) pers, strlen( pers ) ) != 0 )
+        goto exit;
+
     if (initialized == 0) {
 #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
         mbedtls_x509_crt_init( &srvcert );
@@ -56,7 +63,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
             return 1;
         if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
                                  mbedtls_test_srv_key_len, NULL, 0,
-                                 dummy_random, NULL ) != 0)
+                                 dummy_random, &ctr_drbg ) != 0)
             return 1;
 #endif
         dummy_init();
@@ -65,15 +72,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
     }
     mbedtls_ssl_init( &ssl );
     mbedtls_ssl_config_init( &conf );
-    mbedtls_ctr_drbg_init( &ctr_drbg );
-    mbedtls_entropy_init( &entropy );
     mbedtls_ssl_cookie_init( &cookie_ctx );
 
-    if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
-                              (const unsigned char *) pers, strlen( pers ) ) != 0 )
-        goto exit;
-
-
     if( mbedtls_ssl_config_defaults( &conf,
                                     MBEDTLS_SSL_IS_SERVER,
                                     MBEDTLS_SSL_TRANSPORT_DATAGRAM,
diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c
index b9a160e..e8e1d44 100644
--- a/programs/fuzz/fuzz_privkey.c
+++ b/programs/fuzz/fuzz_privkey.c
@@ -2,26 +2,41 @@
 
 #include <stdint.h>
 #include <stdlib.h>
+#include <string.h>
 #include "mbedtls/pk.h"
+#include "mbedtls/entropy.h"
+#include "mbedtls/ctr_drbg.h"
 #include "common.h"
 
 //4 Kb should be enough for every bug ;-)
 #define MAX_LEN 0x1000
 
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C)
+const char *pers = "fuzz_privkey";
+#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
 
 int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-#ifdef MBEDTLS_PK_PARSE_C
+#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C)
     int ret;
     mbedtls_pk_context pk;
+    mbedtls_ctr_drbg_context ctr_drbg;
+    mbedtls_entropy_context entropy;
 
     if (Size > MAX_LEN) {
         //only work on small inputs
         Size = MAX_LEN;
     }
 
+    mbedtls_ctr_drbg_init( &ctr_drbg );
+    mbedtls_entropy_init( &entropy );
+
+    if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
+                               ( const unsigned char * ) pers, strlen( pers ) ) != 0 )
+        return 1;
+
     mbedtls_pk_init( &pk );
     ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0,
-                                dummy_random, NULL );
+                                dummy_random, &ctr_drbg );
     if (ret == 0) {
 #if defined(MBEDTLS_RSA_C)
         if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
@@ -73,7 +88,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 #else
     (void) Data;
     (void) Size;
-#endif //MBEDTLS_PK_PARSE_C
+#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
 
     return 0;
 }
author	Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>	2022-02-16 09:55:01 +0100
committer	GitHub <noreply@github.com>	2022-02-16 09:55:01 +0100
commit	6d2479516c8373ed8a335f664ee4e05c4d12dd62 (patch)
tree	108bae5ffe39fba9316dbb704207d7c457f4583e /programs/fuzz
parent	a7a1deabf8537e7f13b99025727480155b2adcba (diff)
parent	5d7e61fb61b1ca174827b0a71a6cef1fec0c91af (diff)
download	mbedtls-6d2479516c8373ed8a335f664ee4e05c4d12dd62.zip mbedtls-6d2479516c8373ed8a335f664ee4e05c4d12dd62.tar.gz mbedtls-6d2479516c8373ed8a335f664ee4e05c4d12dd62.tar.bz2