diff --git a/programs/fuzz/common.c b/programs/fuzz/common.c index e12ee3b8a0..4d58402283 100644 --- a/programs/fuzz/common.c +++ b/programs/fuzz/common.c @@ -60,8 +60,14 @@ int dummy_random( void *p_rng, unsigned char *output, size_t output_len ) size_t i; #if defined(MBEDTLS_CTR_DRBG_C) - //use mbedtls_ctr_drbg_random to find bugs in it - ret = mbedtls_ctr_drbg_random(p_rng, output, output_len); + //mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng + if( p_rng != NULL ) { + //use mbedtls_ctr_drbg_random to find bugs in it + ret = mbedtls_ctr_drbg_random(p_rng, output, output_len); + } else { + //fall through to pseudo-random + ret = 0; + } #else (void) p_rng; ret = 0; diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 9a6e894a88..1aa757c376 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -44,6 +44,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { unsigned char buf[4096]; fuzzBufferOffset_t biomemfuzz; + mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_entropy_init( &entropy ); + + if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, + ( const unsigned char * ) pers, strlen( pers ) ) != 0 ) + goto exit; + if (initialized == 0) { #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) mbedtls_x509_crt_init( &srvcert ); @@ -56,7 +63,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { return 1; if (mbedtls_pk_parse_key( &pkey, (const unsigned char *) mbedtls_test_srv_key, mbedtls_test_srv_key_len, NULL, 0, - dummy_random, NULL ) != 0) + dummy_random, &ctr_drbg ) != 0) return 1; #endif dummy_init(); @@ -65,15 +72,8 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { } mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); - mbedtls_ctr_drbg_init( &ctr_drbg ); - mbedtls_entropy_init( &entropy ); mbedtls_ssl_cookie_init( &cookie_ctx ); - if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, - (const unsigned char *) pers, strlen( pers ) ) != 0 ) - goto exit; - - if( mbedtls_ssl_config_defaults( &conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_DATAGRAM, diff --git a/programs/fuzz/fuzz_privkey.c b/programs/fuzz/fuzz_privkey.c index b9a160e1e1..e8e1d442ea 100644 --- a/programs/fuzz/fuzz_privkey.c +++ b/programs/fuzz/fuzz_privkey.c @@ -2,26 +2,41 @@ #include #include +#include #include "mbedtls/pk.h" +#include "mbedtls/entropy.h" +#include "mbedtls/ctr_drbg.h" #include "common.h" //4 Kb should be enough for every bug ;-) #define MAX_LEN 0x1000 +#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C) +const char *pers = "fuzz_privkey"; +#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { -#ifdef MBEDTLS_PK_PARSE_C +#if defined(MBEDTLS_PK_PARSE_C) && defined(MBEDTLS_CTR_DRBG_C) int ret; mbedtls_pk_context pk; + mbedtls_ctr_drbg_context ctr_drbg; + mbedtls_entropy_context entropy; if (Size > MAX_LEN) { //only work on small inputs Size = MAX_LEN; } + mbedtls_ctr_drbg_init( &ctr_drbg ); + mbedtls_entropy_init( &entropy ); + + if( mbedtls_ctr_drbg_seed( &ctr_drbg, dummy_entropy, &entropy, + ( const unsigned char * ) pers, strlen( pers ) ) != 0 ) + return 1; + mbedtls_pk_init( &pk ); ret = mbedtls_pk_parse_key( &pk, Data, Size, NULL, 0, - dummy_random, NULL ); + dummy_random, &ctr_drbg ); if (ret == 0) { #if defined(MBEDTLS_RSA_C) if( mbedtls_pk_get_type( &pk ) == MBEDTLS_PK_RSA ) @@ -73,7 +88,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { #else (void) Data; (void) Size; -#endif //MBEDTLS_PK_PARSE_C +#endif // MBEDTLS_PK_PARSE_C && MBEDTLS_CTR_DRBG_C return 0; }