/src/boringssl/fuzz/bn_mod_exp.cc
Line | Count | Source (jump to first uncovered line) |
1 | | /* Copyright (c) 2017, Google Inc. |
2 | | * |
3 | | * Permission to use, copy, modify, and/or distribute this software for any |
4 | | * purpose with or without fee is hereby granted, provided that the above |
5 | | * copyright notice and this permission notice appear in all copies. |
6 | | * |
7 | | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
8 | | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
9 | | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
10 | | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
11 | | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
12 | | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
13 | | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
14 | | |
15 | | #include <openssl/bn.h> |
16 | | #include <openssl/bytestring.h> |
17 | | #include <openssl/mem.h> |
18 | | |
19 | | #define CHECK(expr) \ |
20 | 24.2k | do { \ |
21 | 24.2k | if (!(expr)) { \ |
22 | 0 | printf("%s failed\n", #expr); \ |
23 | 0 | abort(); \ |
24 | 0 | } \ |
25 | 24.2k | } while (false) |
26 | | |
27 | | // Basic implementation of mod_exp using square and multiple method. |
28 | | int mod_exp(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, const BIGNUM *m, |
29 | 2.81k | BN_CTX *ctx) { |
30 | 2.81k | if (BN_is_one(m)) { |
31 | 21 | BN_zero(r); |
32 | 21 | return 1; |
33 | 21 | } |
34 | | |
35 | 2.79k | bssl::UniquePtr<BIGNUM> exp(BN_dup(p)); |
36 | 2.79k | bssl::UniquePtr<BIGNUM> base(BN_new()); |
37 | 2.79k | if (!exp || !base) { |
38 | 0 | return 0; |
39 | 0 | } |
40 | 2.79k | if (!BN_one(r) || !BN_nnmod(base.get(), a, m, ctx)) { |
41 | 0 | return 0; |
42 | 0 | } |
43 | | |
44 | 441k | while (!BN_is_zero(exp.get())) { |
45 | 438k | if (BN_is_odd(exp.get())) { |
46 | 181k | if (!BN_mul(r, r, base.get(), ctx) || !BN_nnmod(r, r, m, ctx)) { |
47 | 0 | return 0; |
48 | 0 | } |
49 | 181k | } |
50 | 438k | if (!BN_rshift1(exp.get(), exp.get()) || |
51 | 438k | !BN_mul(base.get(), base.get(), base.get(), ctx) || |
52 | 438k | !BN_nnmod(base.get(), base.get(), m, ctx)) { |
53 | 0 | return 0; |
54 | 0 | } |
55 | 438k | } |
56 | | |
57 | 2.79k | return 1; |
58 | 2.79k | } |
59 | | |
60 | 2.93k | extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { |
61 | 2.93k | CBS cbs, child0, child1, child2; |
62 | 2.93k | uint8_t sign; |
63 | 2.93k | CBS_init(&cbs, buf, len); |
64 | 2.93k | if (!CBS_get_u16_length_prefixed(&cbs, &child0) || |
65 | 2.93k | !CBS_get_u8(&child0, &sign) || |
66 | 2.93k | CBS_len(&child0) == 0 || |
67 | 2.93k | !CBS_get_u16_length_prefixed(&cbs, &child1) || |
68 | 2.93k | CBS_len(&child1) == 0 || |
69 | 2.93k | !CBS_get_u16_length_prefixed(&cbs, &child2) || |
70 | 2.93k | CBS_len(&child2) == 0) { |
71 | 86 | return 0; |
72 | 86 | } |
73 | | |
74 | | // Don't fuzz inputs larger than 512 bytes (4096 bits). This isn't ideal, but |
75 | | // the naive |mod_exp| above is somewhat slow, so this otherwise causes the |
76 | | // fuzzers to spend a lot of time exploring timeouts. |
77 | 2.84k | if (CBS_len(&child0) > 512 || |
78 | 2.84k | CBS_len(&child1) > 512 || |
79 | 2.84k | CBS_len(&child2) > 512) { |
80 | 27 | return 0; |
81 | 27 | } |
82 | | |
83 | 2.81k | bssl::UniquePtr<BIGNUM> base( |
84 | 2.81k | BN_bin2bn(CBS_data(&child0), CBS_len(&child0), nullptr)); |
85 | 2.81k | BN_set_negative(base.get(), sign % 2); |
86 | 2.81k | bssl::UniquePtr<BIGNUM> power( |
87 | 2.81k | BN_bin2bn(CBS_data(&child1), CBS_len(&child1), nullptr)); |
88 | 2.81k | bssl::UniquePtr<BIGNUM> modulus( |
89 | 2.81k | BN_bin2bn(CBS_data(&child2), CBS_len(&child2), nullptr)); |
90 | | |
91 | 2.81k | if (BN_is_zero(modulus.get())) { |
92 | 2 | return 0; |
93 | 2 | } |
94 | | |
95 | 2.81k | bssl::UniquePtr<BN_CTX> ctx(BN_CTX_new()); |
96 | 2.81k | bssl::UniquePtr<BIGNUM> result(BN_new()); |
97 | 2.81k | bssl::UniquePtr<BIGNUM> expected(BN_new()); |
98 | 2.81k | CHECK(ctx); |
99 | 2.81k | CHECK(result); |
100 | 2.81k | CHECK(expected); |
101 | | |
102 | 2.81k | CHECK(mod_exp(expected.get(), base.get(), power.get(), modulus.get(), |
103 | 2.81k | ctx.get())); |
104 | 2.81k | CHECK(BN_mod_exp(result.get(), base.get(), power.get(), modulus.get(), |
105 | 2.81k | ctx.get())); |
106 | 2.81k | CHECK(BN_cmp(result.get(), expected.get()) == 0); |
107 | | |
108 | 2.81k | if (BN_is_odd(modulus.get())) { |
109 | 1.22k | bssl::UniquePtr<BN_MONT_CTX> mont( |
110 | 1.22k | BN_MONT_CTX_new_for_modulus(modulus.get(), ctx.get())); |
111 | 1.22k | CHECK(mont); |
112 | | // |BN_mod_exp_mont| and |BN_mod_exp_mont_consttime| require reduced inputs. |
113 | 1.22k | CHECK(BN_nnmod(base.get(), base.get(), modulus.get(), ctx.get())); |
114 | 1.22k | CHECK(BN_mod_exp_mont(result.get(), base.get(), power.get(), modulus.get(), |
115 | 1.22k | ctx.get(), mont.get())); |
116 | 1.22k | CHECK(BN_cmp(result.get(), expected.get()) == 0); |
117 | 1.22k | CHECK(BN_mod_exp_mont_consttime(result.get(), base.get(), power.get(), |
118 | 1.22k | modulus.get(), ctx.get(), mont.get())); |
119 | 1.22k | CHECK(BN_cmp(result.get(), expected.get()) == 0); |
120 | 1.22k | } |
121 | | |
122 | 2.81k | uint8_t *data = (uint8_t *)OPENSSL_malloc(BN_num_bytes(result.get())); |
123 | 2.81k | BN_bn2bin(result.get(), data); |
124 | 2.81k | OPENSSL_free(data); |
125 | | |
126 | 2.81k | return 0; |
127 | 2.81k | } |