Diffstat (limited to 'src/extra_tests')
29 files changed, 0 insertions, 1212 deletions
diff --git a/src/extra_tests/fuzzers/.gitignore b/src/extra_tests/fuzzers/.gitignore
deleted file mode 100644
index f7ce206a2..000000000
--- a/src/extra_tests/fuzzers/.gitignore
+++ /dev/null
@@ -1,10 +0,0 @@
-*.log
-
-/libFuzzer
-libFuzzer.a
-
-/output
-/botan
-/bin
-callgrind.out.*
-/corpus/
diff --git a/src/extra_tests/fuzzers/GNUmakefile b/src/extra_tests/fuzzers/GNUmakefile
deleted file mode 100644
index 32b353d17..000000000
--- a/src/extra_tests/fuzzers/GNUmakefile
+++ /dev/null
@@ -1,88 +0,0 @@ - -FUZZERS=$(patsubst jigs/%.cpp,%,$(wildcard jigs/*.cpp)) - -AFL_SAN_FLAGS=-fsanitize=address,undefined -fno-sanitize-recover=undefined -CLANG_SAN_FLAGS=-fsanitize=address,undefined -fno-sanitize-recover=undefined -#CLANG_SAN_FLAGS=-fsanitize=address - -CLANG_COV_FLAGS=-fsanitize-coverage=edge,indirect-calls,8bit-counters -SHARED_FLAGS=-O3 -g -std=c++11 -pthread -CFG_FLAGS=--with-debug-info --unsafe-fuzzer-mode - -LIBFUZZER_FLAGS=-Illvm-build/build/include $(SHARED_FLAGS) $(CLANG_COV_FLAGS) $(CLANG_SAN_FLAGS) -AFL_FLAGS=-Iafl-build/build/include $(SHARED_FLAGS) -DINCLUDE_AFL_MAIN - -LIBFUZZER_LIBS=llvm-build/libbotan-2.a libFuzzer.a -AFL_LIBS=afl-build/libbotan-2.a - -#AFL_CXX=AFL_USE_ASAN=1 afl-g++ -m32 -AFL_CXX=afl-g++ -AFL_CXX_TYPE=gcc -CLANG_CXX=clang++ - -LIBFUZZER_PROGS=$(patsubst %,bin/llvm_fuzz_%,$(FUZZERS)) -AFL_PROGS=$(patsubst %,bin/afl_fuzz_%,$(FUZZERS)) - -all: - @echo "make afl for AFL, llvm for libFuzzer" - -afl: dirs afl-build $(AFL_PROGS) - -llvm: dirs llvm-build $(LIBFUZZER_PROGS) - -bin/llvm_fuzz_%: jigs/%.cpp $(LIBFUZZER_LIBS) - $(CLANG_CXX) $(LIBFUZZER_FLAGS) $< $(LIBFUZZER_LIBS) -o $@ - -bin/afl_fuzz_%: jigs/%.cpp $(AFL_LIBS) - $(AFL_CXX) $(AFL_FLAGS) $< $(AFL_LIBS) -o $@ - - -dirs: - mkdir -p bin - mkdir -p output - mkdir -p corpus - -afl-build: - ../../../configure.py $(CFG_FLAGS) --with-build-dir=afl-build --cc=$(AFL_CXX_TYPE) --cc-bin=$(AFL_CXX) - make -j2 -f afl-build/Makefile afl-build/libbotan-2.a - -llvm-build: - ../../../configure.py $(CFG_FLAGS) --with-build-dir=llvm-build --cc=clang --cc-bin=$(CLANG_CXX) --cc-abi-flags="$(CLANG_COV_FLAGS) $(CLANG_SAN_FLAGS)" - make -j2 -f llvm-build/Makefile llvm-build/libbotan-2.a - -# libFuzzer default is max_len 64 this sets 140 but allows override via args= -run_llvm_%: bin/llvm_fuzz_% - $(eval FUZZER = $(subst bin/llvm_fuzz_,,$<)) - mkdir -p output/$(FUZZER)/llvm/queue - mkdir -p output/$(FUZZER)/llvm/outputs - $< -max_len=140 -artifact_prefix=output/$(FUZZER)/llvm/outputs/ 
output/$(FUZZER)/llvm/queue corpus/$(FUZZER) $(args) - -run_afl_%: bin/afl_fuzz_% - $(eval FUZZER = $(subst bin/afl_fuzz_,,$<)) - mkdir -p output/$(FUZZER)/afl - afl-fuzz $(args) -o output/$(FUZZER)/afl -i corpus/$(FUZZER) $< - -cmin_%: bin/afl_fuzz_% - $(eval FUZZER = $(subst bin/afl_fuzz_,,$<)) - rm -rf cmin-dir - mv corpus/$(FUZZER) cmin-dir - -cp -n output/$(FUZZER)/afl/queue/* cmin-dir - -cp -n output/$(FUZZER)/llvm/queue/* cmin-dir - afl-cmin -i cmin-dir -o corpus/$(FUZZER) $< - rm -rf cmin-dir - -clean: - rm -f $(LIBFUZZER_PROGS) $(AFL_PROGS) - -clean_builds: clean - rm -rf afl-build llvm-build - -libFuzzer: - svn co http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer libFuzzer - -libFuzzer.a: libFuzzer - cd libFuzzer && clang -c -g -O2 -std=c++11 *.cpp - ar cr libFuzzer.a libFuzzer/*.o - -update: - svn co http://llvm.org/svn/llvm-project/compiler-rt/trunk/lib/fuzzer libFuzzer diff --git a/src/extra_tests/fuzzers/jigs/ber_decode.cpp b/src/extra_tests/fuzzers/jigs/ber_decode.cpp deleted file mode 100644 index 6ec9cadba..000000000 --- a/src/extra_tests/fuzzers/jigs/ber_decode.cpp +++ /dev/null @@ -1,27 +0,0 @@ -/* -* (C) 2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" - -#include <botan/ber_dec.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 4096) - return; - - try - { - DataSource_Memory input(in, len); - BER_Decoder dec(input); - - while(dec.more_items()) - { - BER_Object obj; - dec.get_next(obj); - } - } - catch(Botan::Exception& e) { } - } diff --git a/src/extra_tests/fuzzers/jigs/bn_sqr.cpp b/src/extra_tests/fuzzers/jigs/bn_sqr.cpp deleted file mode 100644 index aa76067f7..000000000 --- a/src/extra_tests/fuzzers/jigs/bn_sqr.cpp +++ /dev/null 
@@ -1,24 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" - -#include <botan/bigint.h> -#include <botan/numthry.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 8192/8) - return; - - Botan::BigInt x = Botan::BigInt::decode(in, len); - - Botan::BigInt x_sqr = square(x); - Botan::BigInt x_mul = x * x; - - FUZZER_ASSERT_EQUAL(x_sqr, x_mul); - } - diff --git a/src/extra_tests/fuzzers/jigs/cert.cpp b/src/extra_tests/fuzzers/jigs/cert.cpp deleted file mode 100644 index 5620a4700..000000000 --- a/src/extra_tests/fuzzers/jigs/cert.cpp +++ /dev/null @@ -1,21 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" - -#include <botan/x509cert.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 8192) - return; - - try - { - DataSource_Memory input(in, len); - X509_Certificate cert(input); - } - catch(Botan::Exception& e) { } - } diff --git a/src/extra_tests/fuzzers/jigs/crl.cpp b/src/extra_tests/fuzzers/jigs/crl.cpp deleted file mode 100644 index b3157e5fe..000000000 --- a/src/extra_tests/fuzzers/jigs/crl.cpp +++ /dev/null @@ -1,21 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" - -#include <botan/x509_crl.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 4096) - return; - - try - { - DataSource_Memory input(in, len); - X509_CRL crl(input); - } - catch(Botan::Exception& e) { } - } diff --git a/src/extra_tests/fuzzers/jigs/divide.cpp b/src/extra_tests/fuzzers/jigs/divide.cpp deleted file mode 100644 index 4ff50a680..000000000 --- a/src/extra_tests/fuzzers/jigs/divide.cpp +++ /dev/null 
@@ -1,29 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" -#include <botan/divide.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len % 2 == 1 || len > 2*4096/8) - return; - - const BigInt x = BigInt::decode(in, len / 2); - const BigInt y = BigInt::decode(in + len / 2, len / 2); - - if(y == 0) - return; - - BigInt q, r; - Botan::divide(x, y, q, r); - - FUZZER_ASSERT_TRUE(r < y); - - BigInt z = q*y + r; - - FUZZER_ASSERT_EQUAL(z, x); - } - diff --git a/src/extra_tests/fuzzers/jigs/driver.h b/src/extra_tests/fuzzers/jigs/driver.h deleted file mode 100644 index 08fffd0c1..000000000 --- a/src/extra_tests/fuzzers/jigs/driver.h +++ /dev/null 
@@ -1,115 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#ifndef FUZZER_DRIVER_H_ -#define FUZZER_DRIVER_H_ - -#include <stdint.h> -#include <iostream> -#include <vector> -#include <stdlib.h> // for setenv -#include <botan/exceptn.h> -#include <botan/rng.h> -#include <botan/chacha.h> - -using namespace Botan; - -extern void fuzz(const uint8_t in[], size_t len); - -extern "C" int LLVMFuzzerInitialize(int *argc, char ***argv) - { - /* - * This disables the mlock pool, as overwrites within the pool are - * opaque to ASan or other instrumentation. - */ - ::setenv("BOTAN_MLOCK_POOL_SIZE", "0", 1); - return 0; - } - -// Called by main() in libFuzzer or in main for AFL below -extern "C" int LLVMFuzzerTestOneInput(const uint8_t in[], size_t len) - { - fuzz(in, len); - return 0; - } - -#if defined(INCLUDE_AFL_MAIN) - -// Read stdin for AFL - -int main(int argc, char* argv[]) - { - const size_t max_read = 4096; - - LLVMFuzzerInitialize(&argc, &argv); - -#if defined(__AFL_LOOP) - while(__AFL_LOOP(1000)) -#endif - { - std::vector<uint8_t> buf(max_read); - std::cin.read((char*)buf.data(), buf.size()); - size_t got = std::cin.gcount(); - - buf.resize(got); - buf.shrink_to_fit(); - - fuzz(buf.data(), got); - } - } - -#endif - -// Some helpers for the fuzzer jigs - -inline Botan::RandomNumberGenerator& fuzzer_rng() - { - class ChaCha20_RNG : public Botan::RandomNumberGenerator - { - public: - std::string name() const override { return "ChaCha20_RNG"; } - void clear() override { /* ignored */ } - - void randomize(uint8_t out[], size_t len) override - { - Botan::clear_mem(out, len); - m_chacha.cipher1(out, len); - } - - bool is_seeded() const override { return true; } - - void add_entropy(const uint8_t[], size_t) override { /* ignored */ } - - ChaCha20_RNG() - { - std::vector<uint8_t> seed(32, 0x82); - m_chacha.set_key(seed); - } - - private: - Botan::ChaCha m_chacha; - }; - - static ChaCha20_RNG rng; - 
return rng; - } - -#define FUZZER_ASSERT_EQUAL(x, y) do { \ - if(x != y) { \ - std::cerr << #x << " = " << x << " !=\n" << #y << " = " << y \ - << " at " << __LINE__ << ":" << __FILE__ << std::endl; \ - abort(); \ -} } while(0) - -#define FUZZER_ASSERT_TRUE(e) \ - do { \ - if(!(e)) { \ - std::cerr << "Expression " << #e << " was false at " \ - << __LINE__ << ":" << __FILE__ << std::endl; \ - abort(); \ - } } while(0) - -#endif diff --git a/src/extra_tests/fuzzers/jigs/ecc_bp256.cpp b/src/extra_tests/fuzzers/jigs/ecc_bp256.cpp deleted file mode 100644 index 07833c639..000000000 --- a/src/extra_tests/fuzzers/jigs/ecc_bp256.cpp +++ /dev/null @@ -1,16 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" -#include "ecc_helper.h" - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 2*256/8) - return; - - static EC_Group bp256("brainpool256r1"); - return check_ecc_math(bp256, in, len); - } diff --git a/src/extra_tests/fuzzers/jigs/ecc_helper.h b/src/extra_tests/fuzzers/jigs/ecc_helper.h deleted file mode 100644 index fb502452a..000000000 --- a/src/extra_tests/fuzzers/jigs/ecc_helper.h +++ /dev/null 
@@ -1,69 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#ifndef ECC_HELPERS_H__ -#define ECC_HELPERS_H__ - -#include "driver.h" -#include <botan/curve_gfp.h> -#include <botan/ec_group.h> -#include <botan/reducer.h> - -void check_redc(std::function<void (BigInt&, secure_vector<word>&)> redc_fn, - const Modular_Reducer& redc, - const BigInt& prime, - const BigInt& x) - { - const Botan::BigInt v1 = x % prime; - const Botan::BigInt v2 = redc.reduce(x); - - Botan::secure_vector<Botan::word> ws; - Botan::BigInt v3 = x; - redc_fn(v3, ws); - - FUZZER_ASSERT_EQUAL(v1, v2); - FUZZER_ASSERT_EQUAL(v2, v3); - } - -inline std::ostream& operator<<(std::ostream& o, const PointGFp& point) - { - o << point.get_affine_x() << "," << point.get_affine_y(); - return o; - } - -void check_ecc_math(const EC_Group& group, - const uint8_t in[], size_t len) - { - // These depend only on the group, which is also static - static const Botan::PointGFp base_point = group.get_base_point(); - static Botan::Blinded_Point_Multiply blind(base_point, group.get_order(), 4); - - const size_t hlen = len / 2; - const BigInt a = BigInt::decode(in, hlen); - const BigInt b = BigInt::decode(in + hlen, len - hlen); - - const Botan::BigInt c = a + b; - - const Botan::PointGFp P = base_point * a; - const Botan::PointGFp Q = base_point * b; - const Botan::PointGFp R = base_point * c; - - const Botan::PointGFp A1 = P + Q; - const Botan::PointGFp A2 = Q + P; - - FUZZER_ASSERT_EQUAL(A1, A2); - - const Botan::PointGFp P1 = blind.blinded_multiply(a, fuzzer_rng()); - const Botan::PointGFp Q1 = blind.blinded_multiply(b, fuzzer_rng()); - const Botan::PointGFp R1 = blind.blinded_multiply(c, fuzzer_rng()); - - const Botan::PointGFp S1 = P1 + Q1; - const Botan::PointGFp S2 = Q1 + P1; - - FUZZER_ASSERT_EQUAL(S1, S2); - FUZZER_ASSERT_EQUAL(S1, A1); - } - -#endif 
diff --git a/src/extra_tests/fuzzers/jigs/ecc_p256.cpp b/src/extra_tests/fuzzers/jigs/ecc_p256.cpp
deleted file mode 100644
index f13104fda..000000000
--- a/src/extra_tests/fuzzers/jigs/ecc_p256.cpp
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
-* (C) 2015,2016 Jack Lloyd
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-#include "driver.h"
-#include "ecc_helper.h"
-
-void fuzz(const uint8_t in[], size_t len)
- {
- if(len > 2*256/8)
- return;
- static EC_Group p256("secp256r1");
- return check_ecc_math(p256, in, len);
- }
diff --git a/src/extra_tests/fuzzers/jigs/ecc_p384.cpp b/src/extra_tests/fuzzers/jigs/ecc_p384.cpp
deleted file mode 100644
index 47826e1d6..000000000
--- a/src/extra_tests/fuzzers/jigs/ecc_p384.cpp
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
-* (C) 2015,2016 Jack Lloyd
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-#include "driver.h"
-#include "ecc_helper.h"
-
-void fuzz(const uint8_t in[], size_t len)
- {
- if(len > 2*384/8)
- return;
- static EC_Group p384("secp384r1");
- return check_ecc_math(p384, in, len);
- }
diff --git a/src/extra_tests/fuzzers/jigs/ecc_p521.cpp b/src/extra_tests/fuzzers/jigs/ecc_p521.cpp
deleted file mode 100644
index c2d1e36bb..000000000
--- a/src/extra_tests/fuzzers/jigs/ecc_p521.cpp
+++ /dev/null
@@ -1,15 +0,0 @@
-/*
-* (C) 2015,2016 Jack Lloyd
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-#include "driver.h"
-#include "ecc_helper.h"
-
-void fuzz(const uint8_t in[], size_t len)
- {
- if(len > 2*(521+7)/8)
- return;
- static EC_Group p521("secp521r1");
- return check_ecc_math(p521, in, len);
- }
diff --git a/src/extra_tests/fuzzers/jigs/invert.cpp b/src/extra_tests/fuzzers/jigs/invert.cpp
deleted file mode 100644
index 63c140139..000000000
--- a/src/extra_tests/fuzzers/jigs/invert.cpp
+++ /dev/null
@@ -1,84 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" -#include <botan/numthry.h> - -BigInt inverse_mod_ref(const BigInt& n, const BigInt& mod) - { - if(n == 0) - return 0; - - BigInt u = mod, v = n; - BigInt B = 0, D = 1; - - while(u.is_nonzero()) - { - const size_t u_zero_bits = low_zero_bits(u); - u >>= u_zero_bits; - for(size_t i = 0; i != u_zero_bits; ++i) - { - //B.cond_sub(B.is_odd(), mod); - if(B.is_odd()) - { B -= mod; } - B >>= 1; - } - - const size_t v_zero_bits = low_zero_bits(v); - v >>= v_zero_bits; - for(size_t i = 0; i != v_zero_bits; ++i) - { - if(D.is_odd()) - { D -= mod; } - D >>= 1; - } - - if(u >= v) { u -= v; B -= D; } - else { v -= u; D -= B; } - } - - if(v != 1) - return 0; // no modular inverse - - while(D.is_negative()) D += mod; - while(D >= mod) D -= mod; - - return D; - } - - -void fuzz(const uint8_t in[], size_t len) - { - if(len % 2 == 1 || len > 2*4096/8) - return; - - const BigInt x = BigInt::decode(in, len / 2); - BigInt mod = BigInt::decode(in + len / 2, len / 2); - - mod.set_bit(0); - - if(mod < 3 || x >= mod) - return; - - BigInt ref = inverse_mod_ref(x, mod); - BigInt ct = ct_inverse_mod_odd_modulus(x, mod); - //BigInt mon = normalized_montgomery_inverse(x, mod); - - if(ref != ct) - { - std::cout << "X = " << x << "\n"; - std::cout << "P = " << mod << "\n"; - std::cout << "GCD = " << gcd(x, mod) << "\n"; - std::cout << "Ref = " << ref << "\n"; - std::cout << "CT = " << ct << "\n"; - //std::cout << "Mon = " << mon << "\n"; - - std::cout << "RefCheck = " << (ref*ref)%mod << "\n"; - std::cout << "CTCheck = " << (ct*ct)%mod << "\n"; - //std::cout << "MonCheck = " << (mon*mon)%mod << "\n"; - abort(); - } - } - diff --git a/src/extra_tests/fuzzers/jigs/ocsp.cpp b/src/extra_tests/fuzzers/jigs/ocsp.cpp deleted file mode 100644 index 7cf2d91b0..000000000 --- a/src/extra_tests/fuzzers/jigs/ocsp.cpp +++ /dev/null 
@@ -1,17 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" - -#include <botan/ocsp.h> - -void fuzz(const uint8_t in[], size_t len) - { - try - { - OCSP::Response response(in, len); - } - catch(Botan::Exception& e) { } - } diff --git a/src/extra_tests/fuzzers/jigs/os2ecp.cpp b/src/extra_tests/fuzzers/jigs/os2ecp.cpp deleted file mode 100644 index 61ce1bd7b..000000000 --- a/src/extra_tests/fuzzers/jigs/os2ecp.cpp +++ /dev/null @@ -1,40 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" -#include <botan/ec_group.h> -#include <botan/point_gfp.h> - -void check_os2ecp(const EC_Group& group, const uint8_t in[], size_t len) - { - try - { - PointGFp point = OS2ECP(in, len, group.get_curve()); - } - catch(Botan::Exception& e) {} - } - -void fuzz(const uint8_t in[], size_t len) - { - if(len >= 256) - return; - - static EC_Group p192("secp192r1"); - static EC_Group p224("secp224r1"); - static EC_Group p256("secp256r1"); - static EC_Group p384("secp384r1"); - static EC_Group p521("secp521r1"); - static EC_Group bp256("brainpool256r1"); - static EC_Group bp512("brainpool512r1"); - - check_os2ecp(p192, in, len); - check_os2ecp(p224, in, len); - check_os2ecp(p256, in, len); - check_os2ecp(p384, in, len); - check_os2ecp(p521, in, len); - check_os2ecp(p521, in, len); - check_os2ecp(bp256, in, len); - check_os2ecp(bp512, in, len); - } diff --git a/src/extra_tests/fuzzers/jigs/pkcs1.cpp b/src/extra_tests/fuzzers/jigs/pkcs1.cpp deleted file mode 100644 index 8a16d17e5..000000000 --- a/src/extra_tests/fuzzers/jigs/pkcs1.cpp +++ /dev/null 
@@ -1,77 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" - -#include <botan/eme_pkcs.h> -#include <botan/hex.h> - -secure_vector<byte> simple_pkcs1_unpad(const byte in[], size_t len) - { - if(len < 10) - throw Botan::Decoding_Error("bad len"); - - if(in[0] != 0 || in[1] != 2) - throw Botan::Decoding_Error("bad header field"); - - for(size_t i = 2; i < len; ++i) - { - if(in[i] == 0) - { - if(i < 10) // at least 8 padding bytes required - throw Botan::Decoding_Error("insufficient padding bytes"); - return secure_vector<byte>(in + i + 1, in + len); - } - } - - throw Botan::Decoding_Error("delim not found"); - } - -void fuzz(const uint8_t in[], size_t len) - { - static EME_PKCS1v15 pkcs1; - - secure_vector<byte> lib_result, ref_result; - bool lib_rejected = false, ref_rejected = false; - - try - { - byte valid_mask = 0; - secure_vector<byte> decoded = ((EME*)&pkcs1)->unpad(valid_mask, in, len); - - if(valid_mask == 0) - lib_rejected = true; - else if(valid_mask == 0xFF) - lib_rejected = false; - else - abort(); - } - catch(Botan::Decoding_Error&) { lib_rejected = true; } - - try - { - ref_result = simple_pkcs1_unpad(in, len); - } - catch(Botan::Decoding_Error& e) { ref_rejected = true; /*printf("%s\n", e.what());*/ } - - if(lib_rejected == ref_rejected) - { - return; // ok, they agree - } - - // otherwise: incorrect result, log info and crash - if(lib_rejected == true && ref_rejected == false) - { - std::cerr << "Library rejected input accepted by ref\n"; - std::cerr << "Ref decoded " << hex_encode(ref_result) << "\n"; - } - else if(ref_rejected == true && lib_rejected == false) - { - std::cerr << "Library accepted input reject by ref\n"; - std::cerr << "Lib decoded " << hex_encode(lib_result) << "\n"; - } - - abort(); - } diff --git a/src/extra_tests/fuzzers/jigs/pkcs8.cpp b/src/extra_tests/fuzzers/jigs/pkcs8.cpp deleted file mode 100644 index 47c0068ad..000000000 
--- a/src/extra_tests/fuzzers/jigs/pkcs8.cpp +++ /dev/null @@ -1,18 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" - -#include <botan/pkcs8.h> - -void fuzz(const uint8_t in[], size_t len) - { - try - { - DataSource_Memory input(in, len); - std::unique_ptr<Private_Key> key(PKCS8::load_key(input, fuzzer_rng())); - } - catch(Botan::Exception& e) { } - } diff --git a/src/extra_tests/fuzzers/jigs/pow_mod.cpp b/src/extra_tests/fuzzers/jigs/pow_mod.cpp deleted file mode 100644 index c97dd78cd..000000000 --- a/src/extra_tests/fuzzers/jigs/pow_mod.cpp +++ /dev/null @@ -1,63 +0,0 @@ -/* -* (C) 2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include <botan/numthry.h> -#include <botan/reducer.h> -#include <botan/pow_mod.h> - -BigInt simple_power_mod(BigInt x, BigInt n, const BigInt& p, const Modular_Reducer& mod_p) - { - if(n == 0) - { - if(p == 1) - return 0; - return 1; - } - - BigInt y = 1; - - while(n > 1) - { - if(n.is_odd()) - { - y = mod_p.multiply(x, y); - } - x = mod_p.square(x); - n >>= 1; - } - return mod_p.multiply(x, y); - } - -void fuzz(const uint8_t in[], size_t len) - { - static const size_t p_bits = 1024; - static const BigInt p = random_prime(fuzzer_rng(), p_bits); - static Modular_Reducer mod_p(p); - - if(len == 0 || len > p_bits/8) - return; - - try - { - const BigInt g = BigInt::decode(in, len / 2); - const BigInt x = BigInt::decode(in + len / 2, len / 2); - - const BigInt ref = simple_power_mod(g, x, p, mod_p); - const BigInt z = Botan::power_mod(g, x, p); - - if(ref != z) - { - std::cout << "G = " << g << "\n" - << "X = " << x << "\n" - << "P = " << p << "\n" - << "Z = " << z << "\n" - << "R = " << ref << "\n"; - abort(); - } - } - catch(Botan::Exception& e) {} - } 
diff --git a/src/extra_tests/fuzzers/jigs/redc_p192.cpp b/src/extra_tests/fuzzers/jigs/redc_p192.cpp
deleted file mode 100644
index 9bece4595..000000000
--- a/src/extra_tests/fuzzers/jigs/redc_p192.cpp
+++ /dev/null
@@ -1,26 +0,0 @@
-/*
-* (C) 2015,2016 Jack Lloyd
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#include "driver.h"
-#include "ecc_helper.h"
-#include <botan/curve_nistp.h>
-
-void fuzz(const uint8_t in[], size_t len)
- {
- if(len > 2*192/8)
- return;
-
- static const BigInt& prime = Botan::prime_p192();
- static const BigInt prime_2 = prime * prime;
- static Botan::Modular_Reducer prime_redc(prime);
-
- Botan::BigInt x = Botan::BigInt::decode(in, len);
-
- if(x < prime_2)
- {
- check_redc(Botan::redc_p192, prime_redc, prime, x);
- }
- }
diff --git a/src/extra_tests/fuzzers/jigs/redc_p224.cpp b/src/extra_tests/fuzzers/jigs/redc_p224.cpp
deleted file mode 100644
index 637d9e6fd..000000000
--- a/src/extra_tests/fuzzers/jigs/redc_p224.cpp
+++ /dev/null
@@ -1,23 +0,0 @@
-/*
-* (C) 2015,2016 Jack Lloyd
-*
-* Botan is released under the Simplified BSD License (see license.txt)
-*/
-
-#include "driver.h"
-#include "ecc_helper.h"
-#include <botan/curve_nistp.h>
-
-void fuzz(const uint8_t in[], size_t len)
- {
- static const BigInt& prime = Botan::prime_p224();
- static const BigInt prime_2 = prime * prime;
- static Botan::Modular_Reducer prime_redc(prime);
-
- Botan::BigInt x = Botan::BigInt::decode(in, len);
-
- if(x < prime_2)
- {
- check_redc(Botan::redc_p224, prime_redc, prime, x);
- }
- }
diff --git a/src/extra_tests/fuzzers/jigs/redc_p256.cpp b/src/extra_tests/fuzzers/jigs/redc_p256.cpp
deleted file mode 100644
index cbb7f4fef..000000000
--- a/src/extra_tests/fuzzers/jigs/redc_p256.cpp
+++ /dev/null
@@ -1,26 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include "ecc_helper.h" -#include <botan/curve_nistp.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 2*256/8) - return; - - static const BigInt& prime = Botan::prime_p256(); - static const BigInt prime_2 = prime * prime; - static Botan::Modular_Reducer prime_redc(prime); - - Botan::BigInt x = Botan::BigInt::decode(in, len); - - if(x < prime_2) - { - check_redc(Botan::redc_p256, prime_redc, prime, x); - } - } diff --git a/src/extra_tests/fuzzers/jigs/redc_p384.cpp b/src/extra_tests/fuzzers/jigs/redc_p384.cpp deleted file mode 100644 index 3b990fb63..000000000 --- a/src/extra_tests/fuzzers/jigs/redc_p384.cpp +++ /dev/null @@ -1,26 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include "ecc_helper.h" -#include <botan/curve_nistp.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 2*384/8) - return; - - static const BigInt& prime = Botan::prime_p384(); - static const BigInt prime_2 = prime * prime; - static Botan::Modular_Reducer prime_redc(prime); - - Botan::BigInt x = Botan::BigInt::decode(in, len); - - if(x < prime_2) - { - check_redc(Botan::redc_p384, prime_redc, prime, x); - } - } diff --git a/src/extra_tests/fuzzers/jigs/redc_p521.cpp b/src/extra_tests/fuzzers/jigs/redc_p521.cpp deleted file mode 100644 index 5142a44c2..000000000 --- a/src/extra_tests/fuzzers/jigs/redc_p521.cpp +++ /dev/null 
@@ -1,26 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include "ecc_helper.h" -#include <botan/curve_nistp.h> - -void fuzz(const uint8_t in[], size_t len) - { - if(len > 2*(521+7)/8) - return; - - static const BigInt& prime = Botan::prime_p521(); - static const BigInt prime_2 = prime * prime; - static Botan::Modular_Reducer prime_redc(prime); - - Botan::BigInt x = Botan::BigInt::decode(in, len); - - if(x < prime_2) - { - check_redc(Botan::redc_p521, prime_redc, prime, x); - } - } diff --git a/src/extra_tests/fuzzers/jigs/ressol.cpp b/src/extra_tests/fuzzers/jigs/ressol.cpp deleted file mode 100644 index 6fbb85690..000000000 --- a/src/extra_tests/fuzzers/jigs/ressol.cpp +++ /dev/null @@ -1,45 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include <botan/numthry.h> -#include <botan/reducer.h> - -void fuzz(const uint8_t in[], size_t len) - { - // Ressol is mostly used for ECC point decompression so best to test smaller sizes - static const size_t p_bits = 256; - static const BigInt p = random_prime(fuzzer_rng(), p_bits); - static const Modular_Reducer mod_p(p); - - if(len > p_bits / 8) - return; - - try - { - const BigInt a = BigInt::decode(in, len); - BigInt a_sqrt = Botan::ressol(a, p); - - if(a_sqrt > 0) - { - const BigInt a_redc = mod_p.reduce(a); - const BigInt z = mod_p.square(a_sqrt); - - if(z != a_redc) - { - std::cout << "A = " << a << "\n"; - std::cout << "P = " << p << "\n"; - std::cout << "R = " << a_sqrt << "\n"; - std::cout << "Z = " << z << "\n"; - abort(); - } - } - } - catch(Botan::Exception& e) {} - - return; - } - diff --git a/src/extra_tests/fuzzers/jigs/tls_client.cpp b/src/extra_tests/fuzzers/jigs/tls_client.cpp deleted file mode 100644 index d3fbd069c..000000000 --- a/src/extra_tests/fuzzers/jigs/tls_client.cpp +++ /dev/null 
@@ -1,57 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include <botan/tls_client.h> - -class Fuzzer_TLS_Client_Creds : public Credentials_Manager - { - public: - std::string psk_identity_hint(const std::string&, const std::string&) override { return "psk_hint"; } - std::string psk_identity(const std::string&, const std::string&, const std::string&) override { return "psk_id"; } - SymmetricKey psk(const std::string&, const std::string&, const std::string&) override - { - return SymmetricKey("AABBCCDDEEFF00112233445566778899"); - } - }; - -void fuzz(const uint8_t in[], size_t len) - { - if(len == 0) - return; - - auto dev_null = [](const byte[], size_t) {}; - - auto ignore_alerts = [](TLS::Alert, const byte[], size_t) {}; - auto ignore_hs = [](const TLS::Session&) { abort(); return true; }; - - TLS::Session_Manager_Noop session_manager; - TLS::Policy policy; - TLS::Protocol_Version client_offer = TLS::Protocol_Version::TLS_V12; - TLS::Server_Information info("server.name", 443); - Fuzzer_TLS_Client_Creds creds; - - TLS::Client client(dev_null, - dev_null, - ignore_alerts, - ignore_hs, - session_manager, - creds, - policy, - fuzzer_rng(), - info, - client_offer); - - try - { - client.received_data(in, len); - } - catch(std::exception& e) - { - } - - } - diff --git a/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp b/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp deleted file mode 100644 index 7c95c7db3..000000000 --- a/src/extra_tests/fuzzers/jigs/tls_client_hello.cpp +++ /dev/null @@ -1,17 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ -#include "driver.h" -#include <botan/tls_messages.h> - -void fuzz(const uint8_t in[], size_t len) - { - try - { - std::vector<uint8_t> v(in, in + len); - Botan::TLS::Client_Hello ch(v); - } - catch(Botan::Exception& e) {} - } 
diff --git a/src/extra_tests/fuzzers/jigs/tls_server.cpp b/src/extra_tests/fuzzers/jigs/tls_server.cpp deleted file mode 100644 index a4e0d5f00..000000000 --- a/src/extra_tests/fuzzers/jigs/tls_server.cpp +++ /dev/null 
@@ -1,153 +0,0 @@ -/* -* (C) 2015,2016 Jack Lloyd -* -* Botan is released under the Simplified BSD License (see license.txt) -*/ - -#include "driver.h" -#include <botan/tls_server.h> - -const char* fixed_rsa_key = - "-----BEGIN PRIVATE KEY-----\n" - "MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCe6qqpMQVJ7zCJ\n" - "oSnpxia0yO6M7Ie3FGqPcd0DzueC+kWPvuHQ+PpP5vfO6qqRaDVII37PFX5NUZQm\n" - "GK/rAm7spjIHTCMgqSZ8pN13LU8m1gDwIdu9al16LXN9zZjB67uLlFn2trtLi234\n" - "i0cnyeF8IC0cz7tgCOzMSVEBcqJjkdgGrZ3WUgOXecVm2lXVrYlEiaSxFp4VOE9k\n" - "RFeVrELCjmNtc4hRd1yJsF+vObCtvyqGYQE1Qcb0MVSQDBHMkiUVmO6zuW7td5ef\n" - "O/1OyntQJGyVa+SnWbkSLCybta2J7MreHENrF5GA0K1KL140SNRHeWifRMuNQua7\n" - "qmKXMBTFAgMBAAECggEAIk3fxyQI0zvpy1vZ01ft1QqmzA7nAPNMSWi33/GS8iga\n" - "SfxXfKeySPs/tQ/dAARxs//NiOBH4mLgyxR7LQzaawU5OXALCSraXv+ruuUx990s\n" - "WKnGaG4EfbJAAwEVn47Gbkv425P4fEc91vAhzQn8PbIoatbAyOtESpjs/pYDTeC/\n" - "mnJId8gqO90cqyRECEMjk9sQ8iEjWPlik4ayGlUVbeeMu6/pJ9F8IZEgkLZiNDAB\n" - "4anmOFaT7EmqUjI4IlcaqfbbXyDXlvWUYukidEss+CNvPuqbQHBDnpFVvBxdDR2N\n" - "Uj2D5Xd5blcIe2/+1IVRnznjoQ5zvutzb7ThBmMehQKBgQDOITKG0ht2kXLxjVoR\n" - "r/pVpx+f3hs3H7wE0+vrLHoQgkVjpMWXQ47YuZTT9rCOOYNI2cMoH2D27t1j78/B\n" - "9kGYABUVpvQQ+6amqJDI1eYI6e68TPueEDjeALfSCdmPNiI3lZZrCIK9XLpkoy8K\n" - "tGYBRRJ+JJxjj1zPXj9SGshPgwKBgQDFXUtoxY3mCStH3+0b1qxGG9r1L5goHEmd\n" - "Am8WBYDheNpL0VqPNzouhuM/ZWMGyyAs/py6aLATe+qhR1uX5vn7LVZwjCSONZ4j\n" - "7ieEEUh1BHetPI1oI5PxgokRYfVuckotqVseanI/536Er3Yf2FXNQ1/ceVp9WykX\n" - "3mYTKMhQFwKBgQDKakcXpZNaZ5IcKdZcsBZ/rdGcR5sqEnursf9lvRNQytwg8Vkn\n" - "JSxNHlBLpV/TCh8lltHRwJ6TXhUBYij+KzhWbx5FWOErHDOWTMmArqtp7W6GcoJT\n" - "wVJWjxXzp8CApYQMWVSQXpckJL7UvHohZO0WKiHyxTjde5aD++TqV2qEyQKBgBbD\n" - "jvoTpy08K4DLxCZs2Uvw1I1pIuylbpwsdrGciuP2s38BM6fHH+/T4Qwj3osfDKQD\n" - "7gHWJ1Dn/wUBHQBlRLoC3bB3iZPZfVb5lhc2gxv0GvWhQVIcoGi/vJ2DpfJKPmIL\n" - "4ZWdg3X5dm9JaZ98rVDSj5D3ckd5J0E4hp95GbmbAoGBAJJHM4O9lx60tIjw9Sf/\n" - "QmKWyUk0NLnt8DcgRMW7fVxtzPNDy9DBKGIkDdWZ2s+ForICA3C9WSxBC1EOEHGG\n" - 
"xkg2xKt66CeutGroP6M191mHQrRClt1VbEYzQFX21BCk5kig9i/BURyoTHtFiV+t\n" - "kbf4VLg8Vk9u/R3RU1HsYWhe\n" - "-----END PRIVATE KEY-----\n"; - -const char* fixed_rsa_cert = - "-----BEGIN CERTIFICATE-----\n" - "MIIDUDCCAjgCCQD7pIb1ZsoafjANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJW\n" - "VDEQMA4GA1UECAwHVmVybW9udDEWMBQGA1UEBwwNVGhlIEludGVybmV0czEUMBIG\n" - "A1UECgwLTWFuZ29zIFIgVXMxGzAZBgNVBAMMEnNlcnZlci5leGFtcGxlLmNvbTAe\n" - "Fw0xNjAxMDYxNzQ3MjNaFw0yNjAxMDMxNzQ3MjNaMGoxCzAJBgNVBAYTAlZUMRAw\n" - "DgYDVQQIDAdWZXJtb250MRYwFAYDVQQHDA1UaGUgSW50ZXJuZXRzMRQwEgYDVQQK\n" - "DAtNYW5nb3MgUiBVczEbMBkGA1UEAwwSc2VydmVyLmV4YW1wbGUuY29tMIIBIjAN\n" - "BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAnuqqqTEFSe8wiaEp6cYmtMjujOyH\n" - "txRqj3HdA87ngvpFj77h0Pj6T+b3zuqqkWg1SCN+zxV+TVGUJhiv6wJu7KYyB0wj\n" - "IKkmfKTddy1PJtYA8CHbvWpdei1zfc2Yweu7i5RZ9ra7S4tt+ItHJ8nhfCAtHM+7\n" - "YAjszElRAXKiY5HYBq2d1lIDl3nFZtpV1a2JRImksRaeFThPZERXlaxCwo5jbXOI\n" - "UXdcibBfrzmwrb8qhmEBNUHG9DFUkAwRzJIlFZjus7lu7XeXnzv9Tsp7UCRslWvk\n" - "p1m5Eiwsm7WtiezK3hxDaxeRgNCtSi9eNEjUR3lon0TLjULmu6pilzAUxQIDAQAB\n" - "MA0GCSqGSIb3DQEBCwUAA4IBAQA1eZGc/4V7z/E/6eG0hVkzoAZeuTcSP7WqBSx+\n" - "OP2yh0163UYjoa6nehmkKYQQ9PbYPZGzIcl+dBFyYzy6jcp0NdtzpWnTFrjl4rMq\n" - "akcQ1D0LTYjJXVP9G/vF/SvatOFeVTnQmLlLt/a8ZtRUINqejeZZPzH8ifzFW6tu\n" - "mlhTVIEKyPHpxClh5Y3ubw/mZYygekFTqMkTx3FwJxKU8J6rYGZxanWAODUIvCUo\n" - "Fxer1qC5Love3uWl3vXPLEZWZdORnExSRByzz2immBP2vX4zYZoeZRhTQ9ae1TIV\n" - "Dk02a/1AOJZdZReDbgXhlqaUx5pk/rzo4mDzvu5HSCeXmClz\n" - "-----END CERTIFICATE-----\n"; - -class Fuzzer_TLS_Server_Creds : public Credentials_Manager - { - public: - Fuzzer_TLS_Server_Creds() - { - DataSource_Memory cert_in(fixed_rsa_cert); - DataSource_Memory key_in(fixed_rsa_key); - - m_rsa_cert.reset(new Botan::X509_Certificate(cert_in)); - //m_rsa_key.reset(Botan::PKCS8::load_key(key_in, fuzzer_rng()); - } - - std::vector<Botan::X509_Certificate> cert_chain( - const std::vector<std::string>& algos, - const std::string& type, - const std::string& hostname) override - { - 
std::vector<Botan::X509_Certificate> v; - - for(auto algo : algos) - { - if(algo == "RSA") - { - v.push_back(*m_rsa_cert); - break; - } - } - - return v; - } - - Botan::Private_Key* private_key_for(const Botan::X509_Certificate& cert, - const std::string& /*type*/, - const std::string& /*context*/) override - { - return m_rsa_key.get(); - } - - std::string psk_identity_hint(const std::string&, const std::string&) override { return "psk_hint"; } - std::string psk_identity(const std::string&, const std::string&, const std::string&) override { return "psk_id"; } - SymmetricKey psk(const std::string&, const std::string&, const std::string&) override - { - return SymmetricKey("AABBCCDDEEFF00112233445566778899"); - } - private: - std::unique_ptr<Botan::X509_Certificate> m_rsa_cert; - std::unique_ptr<Botan::Private_Key> m_rsa_key; - }; - -void fuzz(const uint8_t in[], size_t len) - { - if(len == 0) - return; - - auto dev_null = [](const byte[], size_t) {}; - - auto ignore_alerts = [](TLS::Alert, const byte[], size_t) {}; - auto ignore_hs = [](const TLS::Session&) { return true; }; - - TLS::Session_Manager_Noop session_manager; - TLS::Policy policy; - TLS::Server_Information info("server.name", 443); - Fuzzer_TLS_Server_Creds creds; - - auto next_proto_fn = [](const std::vector<std::string>& protos) -> std::string { - if(protos.size() > 1) - return protos[0]; - else - return "fuzzed"; - }; - - const bool is_datagram = (len % 2 == 0); - - TLS::Server server(dev_null, - dev_null, - ignore_alerts, - ignore_hs, - session_manager, - creds, - policy, - fuzzer_rng(), - next_proto_fn, - is_datagram); - - try - { - server.received_data(in, len); - } - catch(std::exception& e) - { - } - } diff --git a/src/extra_tests/fuzzers/readme.txt b/src/extra_tests/fuzzers/readme.txt deleted file mode 100644 index 1bee1a785..000000000 --- a/src/extra_tests/fuzzers/readme.txt +++ /dev/null 
@@ -1,49 +0,0 @@ - -The code in this directory is for testing various message decoders and -math functions using the fuzzers AFL (http://lcamtuf.coredump.cx/afl/) -and libFuzzer (http://llvm.org/docs/LibFuzzer.html). - -To build for AFL, run - - make afl - -For libFuzzer - - make llvm - -To add a new fuzzer, create a new file in jigs/, include "driver.h", -and implement the function with the signature - -void fuzz(const uint8_t buf[], size_t len); - -This function should abort/crash if something is incorrect. - -Run it with - -make run_{llvm,afl}_{what} - -like in - -make run_llvm_crl -make run_afl_tls_client - -You can pass args to the fuzzer process using args= - -make args=-max_len=4000 run_llvm_tls_client - -The fuzzer entry point assumes no more than 4K of input. The base -libFuzzer default max len is 64 bytes, the makefile sets it to 140 as -default. - -Use - -make cmin_redc_p384 - -to run afl-cmin to minimize and merge the LLVM and AFL outputs back to -the corpus directory. - -TODO: - -- KLEE (https://klee.github.io) -- DFSan (http://clang.llvm.org/docs/DataFlowSanitizer.html) -- More jigs |