diff options
author | Ben Laurie <ben@links.org> | 2016-03-26 18:19:14 +0100 |
---|---|---|
committer | Ben Laurie <ben@links.org> | 2016-05-07 19:13:54 +0200 |
commit | c38bb72797916f2a0ab9906aad29162ca8d53546 (patch) | |
tree | e3df72e2e4c4d14a822cd0a3101d005a8923a929 /fuzz/bndiv.c | |
parent | Constify PKCS12_newpass() (diff) | |
download | openssl-c38bb72797916f2a0ab9906aad29162ca8d53546.tar.xz openssl-c38bb72797916f2a0ab9906aad29162ca8d53546.zip |
Add fuzzing!
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Diffstat (limited to 'fuzz/bndiv.c')
-rw-r--r-- | fuzz/bndiv.c | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/fuzz/bndiv.c b/fuzz/bndiv.c new file mode 100644 index 0000000000..c897de99b5 --- /dev/null +++ b/fuzz/bndiv.c @@ -0,0 +1,101 @@ +/* + * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL licenses, (the "License"); + * you may not use this file except in compliance with the License. + * You may obtain a copy of the License at + * https://www.openssl.org/source/license.html + * or in the file LICENSE in the source distribution. + */ + +/* + * Confirm that if (d, r) = a / b, then b * d + r == a, and that sign(d) == + * sign(a), and 0 <= r <= b + */ + +#include <stdio.h> +#include <openssl/bn.h> +#include "fuzzer.h" + +int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { + int success = 0; + static BN_CTX *ctx; + static BIGNUM *b1; + static BIGNUM *b2; + static BIGNUM *b3; + static BIGNUM *b4; + static BIGNUM *b5; + + if (ctx == NULL) { + b1 = BN_new(); + b2 = BN_new(); + b3 = BN_new(); + b4 = BN_new(); + b5 = BN_new(); + ctx = BN_CTX_new(); + } + // We are going to split the buffer in two, sizes l1 and l2, giving b1 and + // b2. + size_t l1 = 0, l2 = 0; + // s1 and s2 will be the signs for b1 and b2. + int s1 = 0, s2 = 0; + if (len > 0) { + --len; + // Use first byte to divide the remaining buffer into 3Fths. I admit + // this disallows some number sizes. If it matters, better ideas are + // welcome (Ben). + l1 = ((buf[0] & 0x3f) * len) / 0x3f; + s1 = buf[0] & 0x40; + s2 = buf[0] & 0x80; + ++buf; + l2 = len - l1; + } + OPENSSL_assert(BN_bin2bn(buf, l1, b1) == b1); + BN_set_negative(b1, s1); + OPENSSL_assert(BN_bin2bn(buf + l1, l2, b2) == b2); + BN_set_negative(b2, s2); + + // divide by 0 is an error + if (BN_is_zero(b2)) { + success = 1; + goto done; + } + + OPENSSL_assert(BN_div(b3, b4, b1, b2, ctx)); + if (BN_is_zero(b1)) + success = BN_is_zero(b3) && BN_is_zero(b4); + else if (BN_is_negative(b1)) + success = (BN_is_negative(b3) != BN_is_negative(b2) || BN_is_zero(b3)) + && (BN_is_negative(b4) || BN_is_zero(b4)); + else + success = (BN_is_negative(b3) == BN_is_negative(b2) || BN_is_zero(b3)) + && (!BN_is_negative(b4) || BN_is_zero(b4)); + OPENSSL_assert(BN_mul(b5, b3, b2, ctx)); + OPENSSL_assert(BN_add(b5, b5, b4)); + + success = success && BN_cmp(b5, b1) == 0; + if (!success) { + BN_print_fp(stdout, b1); + putchar('\n'); + BN_print_fp(stdout, b2); + putchar('\n'); + BN_print_fp(stdout, b3); + putchar('\n'); + BN_print_fp(stdout, b4); + putchar('\n'); + BN_print_fp(stdout, b5); + putchar('\n'); + printf("%d %d %d %d %d %d %d\n", BN_is_negative(b1), + BN_is_negative(b2), + BN_is_negative(b3), BN_is_negative(b4), BN_is_zero(b4), + BN_is_negative(b3) != BN_is_negative(b2) + && (BN_is_negative(b4) || BN_is_zero(b4)), + BN_cmp(b5, b1)); + puts("----\n"); + } + + done: + OPENSSL_assert(success); + + return 0; +} |