Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fuzzer test #433

Merged
merged 8 commits into from
Oct 1, 2024
Merged

Fuzzer test #433

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
8 commits
Select commit Hold shift + click to select a range
c1a00f0
Fuzzer: Adjust function declaration
aveenismail Sep 27, 2024
9dd9afc
Revert change
aveenismail Sep 29, 2024
b42bfcb
Revert change back
aveenismail Sep 29, 2024
084431f
Fuzzer: Fix pkcs11 include file
aveenismail Sep 30, 2024
b50ac2a
Install dependency in the fuzzer workflow
aveenismail Sep 30, 2024
c2b23d3
fuzz: msan fixes
alexgeana Oct 1, 2024
4f6af41
fuzz: more initialized memory
alexgeana Oct 1, 2024
59f6bf1
Fuzzer: Run the fuzzer on a schedule again
aveenismail Oct 1, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 2 additions & 0 deletions .github/workflows/build_and_fuzz.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,8 @@ jobs:

- name: run harness for fuzz_get_attribute_value
working-directory: yubihsm-shell
env:
LD_LIBRARY_PATH: /llvm-msan/install-runtimes-msan/lib;/openssl-msan/install/lib
run: ./build-msan/pkcs11/fuzz_get_attribute_value -max_total_time=1800

fuzz_asan:
Expand Down
2 changes: 1 addition & 1 deletion .github/workflows/release.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -268,7 +268,7 @@ jobs:
curl -o checksec.sh-2.5.0.tar.gz -L https://github.com/slimm609/checksec.sh/archive/refs/tags/2.5.0.tar.gz
tar xfz checksec.sh-2.5.0.tar.gz
cs() {
checksec.sh-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
checksec-2.5.0/checksec --file=/usr/bin/yubihsm-shell --format=json | jq -r ".[] | .$1"
}
if [ "`cs relro`" != "full" ]; then echo "relro is `cs relro`"; exit 1; fi
if [ "`cs canary`" != "yes" ]; then echo "canary is `cs canary`"; exit 1; fi
Expand Down
30 changes: 12 additions & 18 deletions lib/fuzz/yubihsm_fuzz.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -66,18 +66,16 @@ static int is_session_slot_initialized(int slot) {

static bool compute_mac(Scp_ctx *s, uint8_t *key, Msg *msg, size_t raw_msg_len,
int host_order_len, uint8_t *mac) {
aes_context aes_ctx;
aes_cmac_context_t cmac_ctx;
aes_context aes_ctx = {0};
aes_cmac_context_t cmac_ctx = {0};

#pragma pack(push, 1)
struct {
uint8_t mac_chaining_value[SCP_PRF_LEN];
Msg msg;
} mac_msg;
} mac_msg = {0};
#pragma pack(pop)

memset(&mac_msg, 0, sizeof(mac_msg));

if (raw_msg_len > sizeof(Msg)) {
return false;
}
Expand All @@ -95,6 +93,7 @@ static bool compute_mac(Scp_ctx *s, uint8_t *key, Msg *msg, size_t raw_msg_len,
memset(&aes_ctx, 0, sizeof(aes_ctx));
aes_set_key(key, SCP_KEY_LEN, &aes_ctx);
aes_cmac_init(&aes_ctx, &cmac_ctx);

aes_cmac_encrypt(&cmac_ctx, (uint8_t *) &mac_msg, macced_data_len, mac);

aes_cmac_destroy(&cmac_ctx);
Expand All @@ -104,8 +103,7 @@ static bool compute_mac(Scp_ctx *s, uint8_t *key, Msg *msg, size_t raw_msg_len,
}

static void process_msg(Msg *msg, Msg *response) {
aes_context aes_ctx;
memset(&aes_ctx, 0, sizeof(aes_ctx));
aes_context aes_ctx = {0};

msg->st.len = ntohs(msg->st.len);

Expand All @@ -130,8 +128,9 @@ static void process_msg(Msg *msg, Msg *response) {
break;
}

uint16_t host_challenge_len;
host_challenge_len = msg->st.len - SCP_AUTHKEY_ID_LEN;
memset(&sessions[session_id], 0, sizeof(Scp_ctx));

uint16_t host_challenge_len = msg->st.len - SCP_AUTHKEY_ID_LEN;

/* Setting up the session context used later on to calculate the card
* cryptogram. See also yh_begin_create_session(). The session context
Expand Down Expand Up @@ -161,7 +160,7 @@ static void process_msg(Msg *msg, Msg *response) {
* L = SCP_CARD_CRYPTO_LEN * 8
* context = the session context
*/
uint8_t calculated_card_cryptogram[SCP_PRF_LEN];
uint8_t calculated_card_cryptogram[SCP_PRF_LEN] = {0};
compute_cryptogram(sessions[session_id].s_mac, SCP_KEY_LEN,
SCP_CARD_CRYPTOGRAM, session_context,
SCP_CARD_CRYPTO_LEN * 8, calculated_card_cryptogram);
Expand Down Expand Up @@ -233,13 +232,10 @@ static void process_msg(Msg *msg, Msg *response) {

case YHC_SESSION_MESSAGE: {
uint8_t encrypted_ctr[AES_BLOCK_SIZE] = {0};
Msg inner_msg, inner_response;
Msg inner_msg = {0}, inner_response = {0};
uint8_t mac[SCP_PRF_LEN] = {0};
uint16_t inner_response_padded_len = {0};

memset(&inner_msg, 0, sizeof(inner_msg));
memset(&inner_response, 0, sizeof(inner_response));

current_session_id = msg->st.data[0];
if (is_session_slot_initialized(current_session_id) == 0) {
response->st.cmd = YHC_ERROR;
Expand Down Expand Up @@ -277,8 +273,6 @@ static void process_msg(Msg *msg, Msg *response) {
* for that situation, we should cache the session object before
* processing the YHC_CLOSE_SESSION command.
*/
Scp_ctx saved_session;
memcpy(&saved_session, s, sizeof(Scp_ctx));
process_msg(&inner_msg, &inner_response);

// set the response type
Expand All @@ -305,7 +299,7 @@ static void process_msg(Msg *msg, Msg *response) {
break;
}

if (compute_mac(&saved_session, saved_session.s_rmac, response,
if (compute_mac(s, s->s_rmac, response,
3 + response->st.len - SCP_MAC_LEN, 1, mac) == false) {
response->st.cmd = YHC_ERROR;
break;
Expand Down Expand Up @@ -359,7 +353,7 @@ static void fuzz_backend_set_verbosity(uint8_t verbosity, FILE *output) {
static yh_rc fuzz_backend_init(uint8_t verbosity, FILE *output) {
fuzz_backend_set_verbosity(verbosity, output);

uint8_t keys[2 * SCP_KEY_LEN];
uint8_t keys[2 * SCP_KEY_LEN] = {0};
pkcs5_pbkdf2_hmac((const uint8_t *) FUZZ_BACKEND_PASSWORD,
strlen(FUZZ_BACKEND_PASSWORD),
(const uint8_t *) YH_DEFAULT_SALT, strlen(YH_DEFAULT_SALT),
Expand Down
11 changes: 4 additions & 7 deletions pkcs11/fuzz/fuzz_get_attribute_value.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,7 @@
#include "yubihsm_fuzz.h"

extern "C" {
#include "pkcs11.h"
#include "pkcs11y.h"
#include "yubihsm_pkcs11.h"

uint8_t *backend_data;
Expand Down Expand Up @@ -47,10 +47,7 @@ static void deinit_session() {
CK_RV rv;

rv = p11->C_Logout(session);
assert(rv == CKR_OK);

rv = p11->C_CloseSession(session);
assert(rv == CKR_OK);
}

static void init_session() {
Expand Down Expand Up @@ -139,9 +136,9 @@ void derive_ecdh_session_keys(uint8_t derived_key_count,
}

for (int i = 0; i < derived_key_count; i++) {
CK_OBJECT_HANDLE ecdh;
CK_OBJECT_HANDLE ecdh = {0};

CK_ECDH1_DERIVE_PARAMS params;
CK_ECDH1_DERIVE_PARAMS params = {0};
memset(&params, 0, sizeof(params));
params.kdf = CKD_NULL;
params.pSharedData = NULL;
Expand All @@ -150,7 +147,7 @@ void derive_ecdh_session_keys(uint8_t derived_key_count,
params.pPublicData = new uint8_t[50];
params.ulPublicDataLen = 50;

CK_MECHANISM mechanism;
CK_MECHANISM mechanism = {0};
memset(&mechanism, 0, sizeof(mechanism));
mechanism.mechanism = CKM_ECDH1_DERIVE;
mechanism.pParameter = (void *) &params;
Expand Down
2 changes: 2 additions & 0 deletions pkcs11/util_pkcs11.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6092,13 +6092,15 @@ bool match_meta_attributes(yubihsm_pkcs11_session *session,
return true;
}

#ifndef FUZZING
static void increment_ctr(uint8_t *ctr, size_t len) {
while (len > 0) {
if (++ctr[--len]) {
break;
}
}
}
#endif

CK_RV ecdh_with_kdf(ecdh_session_key *shared_secret, uint8_t *fixed_info,
size_t fixed_len, CK_ULONG kdf, size_t value_len) {
Expand Down
Loading