Coverage Report

Created: 2020-02-14 15:38

/src/botan/src/fuzzer/oaep.cpp
Line
Count
Source (jump to first uncovered line)
1
/*
2
* (C) 2018 Jack Lloyd
3
*
4
* Botan is released under the Simplified BSD License (see license.txt)
5
*/
6
#include "fuzzers.h"
7
8
#include <botan/oaep.h>
9
#include <botan/hex.h>
10
11
namespace {
12
13
Botan::secure_vector<uint8_t>
14
ref_oaep_unpad(uint8_t& valid_mask,
15
               const uint8_t in[], size_t len,
16
               const Botan::secure_vector<uint8_t>& Phash)
17
207
   {
18
207
   const size_t hlen = Phash.size();
19
207
20
207
   if(len < 2*hlen + 1)
21
6
      {
22
6
      return Botan::secure_vector<uint8_t>();
23
6
      }
24
201
25
619
   for(size_t i = hlen; i != 2*hlen; ++i)
26
523
      {
27
523
      if(in[i] != Phash[i-hlen])
28
105
         {
29
105
         return Botan::secure_vector<uint8_t>();
30
105
         }
31
523
      }
32
201
33
941
   for(size_t i = 2*hlen; i != len; ++i)
34
931
      {
35
931
      if(in[i] != 0x00 && in[i] != 0x01)
36
26
         {
37
26
         return Botan::secure_vector<uint8_t>();
38
26
         }
39
905
40
905
      if(in[i] == 0x01)
41
60
         {
42
60
         valid_mask = 0xFF;
43
60
         return Botan::secure_vector<uint8_t>(in + i + 1, in + len);
44
60
         }
45
905
      }
46
96
47
96
   return Botan::secure_vector<uint8_t>();
48
96
   }
49
50
inline bool all_zeros(const Botan::secure_vector<uint8_t>& v)
51
294
   {
52
125k
   for(size_t i = 0; i != v.size(); ++i)
53
125k
      {
54
125k
      if(v[i] != 0)
55
0
         return false;
56
125k
      }
57
294
   return true;
58
294
   }
59
60
}
61
62
void fuzz(const uint8_t in[], size_t len)
63
207
   {
64
207
   static const Botan::secure_vector<uint8_t> Phash = { 1, 2, 3, 4 };
65
207
66
207
   uint8_t lib_valid_mask = 0;
67
207
   const Botan::secure_vector<uint8_t> lib_output = Botan::oaep_find_delim(lib_valid_mask, in, len, Phash);
68
207
   FUZZER_ASSERT_TRUE(lib_valid_mask == 0 || lib_valid_mask == 0xFF);
69
207
70
207
   uint8_t ref_valid_mask = 0;
71
207
   const Botan::secure_vector<uint8_t> ref_output = ref_oaep_unpad(ref_valid_mask, in, len, Phash);
72
207
   FUZZER_ASSERT_TRUE(ref_valid_mask == 0 || ref_valid_mask == 0xFF);
73
207
74
207
   if(ref_valid_mask == 0xFF && lib_valid_mask == 0x00)
75
0
      {
76
0
      FUZZER_WRITE_AND_CRASH("Ref accepted but library rejected, output " << Botan::hex_encode(ref_output) << "\n");
77
0
      }
78
207
   else if(ref_valid_mask == 0x00 && lib_valid_mask == 0xFF)
79
0
      {
80
0
      FUZZER_WRITE_AND_CRASH("Lib accepted but ref rejected, output = " << Botan::hex_encode(lib_output) << "\n");
81
0
      }
82
207
83
207
   if(ref_valid_mask == 0x00)
84
147
      {
85
147
      FUZZER_ASSERT_TRUE(all_zeros(ref_output));
86
147
      }
87
207
88
207
   if(lib_valid_mask == 0x00)
89
147
      {
90
147
      FUZZER_ASSERT_TRUE(all_zeros(lib_output));
91
147
      }
92
207
93
207
   if(ref_valid_mask && lib_valid_mask)
94
60
      {
95
60
      if(ref_output != lib_output)
96
0
         {
97
0
         FUZZER_WRITE_AND_CRASH("Ref and lib both accepted but produced different output:"
98
0
                                << " ref = " << Botan::hex_encode(ref_output)
99
0
                                << " lib = " << Botan::hex_encode(lib_output));
100
0
         }
101
60
      }
102
207
   }