feat: add octet circular shift and some others fuzzing methods
fix: indentation

fix: fuzzing circular bit shifts

test: remove xor test from primitives

fix: add zen fuzzer to new build system

fix: make sure that fuzzing methods change the octets
FilippoTrotter authored and jaromil committed Jan 31, 2025
1 parent b7ee985 commit d80bc23
Showing 7 changed files with 358 additions and 22 deletions.
2 changes: 1 addition & 1 deletion build/init.mk
@@ -13,7 +13,7 @@ ZEN_SOURCES := \
src/zen_fp12.o src/zen_random.o src/zen_hash.o \
src/zen_ecdh_factory.o src/zen_ecdh.o src/zen_x509.o \
src/zen_aes.o src/zen_qp.o src/zen_ed.o src/zen_float.o src/zen_time.o \
src/api_hash.o src/api_sign.o src/randombytes.o \
src/api_hash.o src/api_sign.o src/randombytes.o src/zen_fuzzer.o \
src/cortex_m.o src/p256-m.o src/zen_p256.o src/zen_rsa.o src/zen_bbs.o

ZEN_INCLUDES += -Isrc -Ilib/lua54/src \
199 changes: 194 additions & 5 deletions src/zen_fuzzer.c
@@ -32,29 +32,40 @@

int fuzz_byte_random(lua_State *L) {
BEGIN();
octet *o = o_arg(L,1); SAFE(o);
octet *o = o_arg(L, 1);
SAFE(o);
if(o->len >= INT_MAX) {
o_free(L,o);
THROW("fuzz_byte: octet too big");
END(0);
}
octet *res = o_dup(L,o);
Z(L);
uint8_t rnd = RAND_byte(Z->random_generator);
if(res->len < 256) {
uint8_t point8 = RAND_byte(Z->random_generator);
res->val[point8%res->len] = RAND_byte(Z->random_generator);
while((uint8_t)res->val[point8%res->len] == rnd) {
rnd = RAND_byte(Z->random_generator);
}
res->val[point8 % res->len] = rnd;
} else if(res->len < 65535) {
uint16_t point16 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8;
res->val[point16%res->len] = RAND_byte(Z->random_generator);
} else if(res->len < (int)0xffffffff) {
while ((uint8_t)res->val[point16 % res->len] == rnd) {
rnd = RAND_byte(Z->random_generator);
}
res->val[point16%res->len] = rnd;
} else if(res->len < INT_MAX) {
uint32_t point32 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8
| (uint32_t) RAND_byte(Z->random_generator) << 16
| (uint32_t) RAND_byte(Z->random_generator) << 24;
res->val[point32%res->len] = RAND_byte(Z->random_generator);
while ((uint8_t)res->val[point32 % res->len] == rnd) {
rnd = RAND_byte(Z->random_generator);
}
res->val[point32%res->len] = rnd;
}
o_free(L,o);
END(1);
@@ -92,3 +103,181 @@ int fuzz_byte_xor(lua_State *L) {
o_free(L,o);
END(1);
}


int fuzz_bit_random(lua_State *L) {
BEGIN();
octet *o = o_arg(L,1); SAFE(o);
if(o->len >= INT_MAX) {
o_free(L,o);
THROW("fuzz_byte: octet too big");
END(0);
}
octet *res = o_dup(L,o);
Z(L);
if(res->len < 256) {
uint8_t point8 = RAND_byte(Z->random_generator);
uint8_t bit_position = RAND_byte(Z->random_generator) % 8;
res->val[point8%res->len] ^= (1 << bit_position);
}
else if(res->len < 65535) {
uint16_t point16 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8;
uint8_t bit_position = RAND_byte(Z->random_generator) % 8;
res->val[point16%res->len] ^= (1 << bit_position);
} else if(res->len < INT_MAX) {
uint32_t point32 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8
| (uint32_t) RAND_byte(Z->random_generator) << 16
| (uint32_t) RAND_byte(Z->random_generator) << 24;
uint8_t bit_position = RAND_byte(Z->random_generator) % 8;
res->val[point32%res->len] ^= (1 << bit_position);
}
o_free(L,o);
END(1);
}

void OCT_circular_shl_bytes(octet *x, int n) {
if (n >= x->len) {
n = n % (x->len);
}

if (n > 0) {
unsigned char temp[x->len];
for (int i = 0; i < x->len; i++) {
temp[i] = x->val[i];
}
for (int i = 0; i < x->len; i++) {
x->val[i] = temp[(i + n) % x->len];
}
}
}

void OCT_circular_shl_bits(octet *x, int n) {
if (n >= 8 * x->len) {
n = n % (8 * x->len);
}
int byte_shift = n / 8;
int bit_shift = n % 8;
int carry_bits = 8 - bit_shift;

if (byte_shift > 0) {
unsigned char temp[x->len];
for (int i = 0; i < x->len; i++) {
temp[i] = x->val[i];
}

for (int i = 0; i < x->len; i++) {
x->val[i] = temp[(i + byte_shift) % x->len];
}
}
if (bit_shift > 0) {
unsigned char carry = 0;
unsigned char first_byte_carry = (x->val[0] >> carry_bits) & ((1 << bit_shift) - 1);

for (int i = x->len - 1; i >= 0; i--) {
unsigned char current = x->val[i];
x->val[i] = (current << bit_shift) | carry;
carry = (current >> carry_bits) & ((1 << bit_shift) - 1);
}
x->val[x->len - 1] |= first_byte_carry;
}
}

int fuzz_byte_circular_shift_random(lua_State *L) {
BEGIN();
octet *o = o_arg(L,1); SAFE(o);
if(o->len >= INT_MAX) {
o_free(L,o);
THROW("fuzz_byte: octet too big");
END(0);
}
octet *res = o_dup(L,o);
Z(L);
if(res->len < 256) {
uint8_t point8 = RAND_byte(Z->random_generator);
while (point8 % res->len == (uint8_t)0) {
point8 = RAND_byte(Z->random_generator);
}
OCT_circular_shl_bytes(res, (point8 % res->len));
} else if(res->len < 65535) {
uint16_t point16 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8;
while (point16 % res->len == (uint16_t) 0) {
point16 =
RAND_byte(Z->random_generator)
| (uint32_t)RAND_byte(Z->random_generator) << 8;
}
OCT_circular_shl_bytes(res, (point16%res->len));
} else if(res->len < INT_MAX) {
uint32_t point32 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8
| (uint32_t) RAND_byte(Z->random_generator) << 16
| (uint32_t) RAND_byte(Z->random_generator) << 24;
while (point32 % res->len == (uint32_t) 0) {
point32 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8
| (uint32_t) RAND_byte(Z->random_generator) << 16
| (uint32_t) RAND_byte(Z->random_generator) << 24;
}
OCT_circular_shl_bytes(res, (point32%res->len));
}
o_free(L,o);
END(1);
}

int fuzz_bit_circular_shift_random(lua_State *L) {
BEGIN();
octet *o = o_arg(L, 1);
SAFE(o);

if (o->len >= INT_MAX) {
o_free(L, o);
THROW("fuzz_byte: octet too big");
END(0);
}

octet *res = o_dup(L, o);
Z(L);

uint32_t total_bits = res->len * 8;
uint32_t shift_bits = 0;

if (res->len < 256) {
shift_bits = (RAND_byte(Z->random_generator) % res->len) * 8 + (RAND_byte(Z->random_generator) % 8);
while (shift_bits % total_bits == (uint32_t) 0) {
shift_bits = (RAND_byte(Z->random_generator) % res->len) * 8 + (RAND_byte(Z->random_generator) % 8);
}
}
else if (res->len < 65535) {
uint16_t point16 =
RAND_byte(Z->random_generator)
| (uint32_t)RAND_byte(Z->random_generator) << 8;
shift_bits = (point16 % res->len) * 8 + (RAND_byte(Z->random_generator) % 8);
while (shift_bits % total_bits == (uint32_t) 0) {
shift_bits = (point16 % res->len) * 8 + (RAND_byte(Z->random_generator) % 8);
}
}
else if (res->len < INT_MAX) {
uint32_t point32 =
RAND_byte(Z->random_generator)
| (uint32_t) RAND_byte(Z->random_generator) << 8
| (uint32_t) RAND_byte(Z->random_generator) << 16
| (uint32_t) RAND_byte(Z->random_generator) << 24;
shift_bits = (point32 % res->len) * 8 + (RAND_byte(Z->random_generator) % 8);
while (shift_bits % total_bits == (uint32_t) 0) {
shift_bits = (point32 % res->len) * 8 + (RAND_byte(Z->random_generator) % 8);
}
}

OCT_circular_shl_bits(res, shift_bits);

o_free(L, o);
END(1);
}
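Review bot: `fuzz_byte_circular_shift_random` cannot terminate on a one-byte octet: with `res->len == 1` the expression `point8 % res->len` is always 0, so the `while (point8 % res->len == (uint8_t)0)` redraw loop spins forever. With an empty octet the same modulo (here and in `fuzz_bit_random`, `fuzz_bit_circular_shift_random` and `OCT_circular_shl_bytes`) divides by zero, unless `o_arg` already rejects empty input, which the hunk does not show. A byte rotation cannot change an octet shorter than two bytes, so reject it next to the existing size check, e.g. `if(o->len < 2) { o_free(L,o); THROW("fuzz_byte_circular_shift: octet too short"); END(0); }`. Separately, `unsigned char temp[x->len]` in both `OCT_circular_shl_*` helpers is a stack VLA sized by the caller's octet, which the guard allows up to just under `INT_MAX`, so a large input can exhaust the stack; a heap copy or an in-place rotation would bound that.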

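--- a/src/zen_fuzzer.h
+++ b/src/zen_fuzzer.h
@@ -20,3 +20,7 @@
 
 int fuzz_byte_random(lua_State *L);
 int fuzz_byte_xor(lua_State *L);
+int fuzz_bit_random(lua_State *L);
+int fuzz_byte_circular_shift_random(lua_State *L);
+int fuzz_bit_circular_shift_random(lua_State *L);
+void OCT_circular_shl_bits(octet *x, int n);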
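Review bot: `OCT_circular_shl_bytes` is defined without `static` in src/zen_fuzzer.c but has no prototype in this header, while its sibling `OCT_circular_shl_bits` does. Either declare it alongside, `void OCT_circular_shl_bytes(octet *x, int n);`, or mark it `static` in the .c file if it is meant to stay private to the fuzzer. A short comment on the exported prototype giving the rotation direction would also help callers, e.g. `/* rotate x left by n bits, toward val[0] */`.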