Merge pull request #5533 from paul-elliott-arm/fix_fuzz_privkey_null_ctx

Fix null context when using dummy_rand with mbedtls_pk_parse_key()
This commit is contained in:
Manuel Pégourié-Gonnard 2022-02-16 09:55:01 +01:00 committed by GitHub
commit 6d2479516c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 34 additions and 13 deletions

View file

@ -60,8 +60,14 @@ int dummy_random( void *p_rng, unsigned char *output, size_t output_len )
size_t i;
#if defined(MBEDTLS_CTR_DRBG_C)
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
//mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng
if( p_rng != NULL ) {
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
} else {
//fall through to pseudo-random
ret = 0;
}
#else
(void) p_rng;
ret = 0;

View file

@ -44,6 +44,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
unsigned char buf[4096];
fuzzBufferOffset_t biomemfuzz;
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
( const unsigned char * ) pers, strlen( pers ) ) != 0 )
goto exit;
if (initialized == 0) {
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_init( &srvcert );
@ -56,7 +63,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
return 1;
if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key,
mbedtls_test_srv_key_len, NULL, 0,
dummy_random, NULL ) != 0)
dummy_random, &ctr_drbg ) != 0)
return 1;
#endif
dummy_init();
@ -65,15 +72,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
}
mbedtls_ssl_init( &ssl );
mbedtls_ssl_config_init( &conf );
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
mbedtls_ssl_cookie_init( &cookie_ctx );
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen( pers ) ) != 0 )
goto exit;
if( mbedtls_ssl_config_defaults( &conf,
MBEDTLS_SSL_IS_SERVER,
MBEDTLS_SSL_TRANSPORT_DATAGRAM,

View file

@ -2,26 +2,41 @@
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "mbedtls/pk.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "common.h"
//4 Kb should be enough for every bug ;-)
#define MAX_LEN 0x1000
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C)
const char *pers = "fuzz_privkey";
#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#ifdef MBEDTLS_PK_PARSE_C
#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C)
int ret;
mbedtls_pk_context pk;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_entropy_context entropy;
if (Size > MAX_LEN) {
//only work on small inputs
Size = MAX_LEN;
}
mbedtls_ctr_drbg_init( &ctr_drbg );
mbedtls_entropy_init( &entropy );
if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy,
( const unsigned char * ) pers, strlen( pers ) ) != 0 )
return 1;
mbedtls_pk_init( &pk );
ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0,
dummy_random, NULL );
dummy_random, &ctr_drbg );
if (ret == 0) {
#if defined(MBEDTLS_RSA_C)
if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA )
@ -73,7 +88,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
#else
(void) Data;
(void) Size;
#endif //MBEDTLS_PK_PARSE_C
#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C
return 0;
}