Google Git
Sign in
flutter/third_party/openssl/refs/heads/upstream/openssl-3.5/./fuzz/ml-kem.c
blob: a3184e8f3218005d0596a6418f54b596bc27723a [file] [edit]
/*
* Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* https://www.openssl.org/source/license.html
* or in the file LICENSE in the source distribution.
*/
/*
* Test ml-kem operation.
*/
#include <string.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/byteorder.h>
#include <openssl/ml_kem.h>
#include "internal/nelem.h"
#include "fuzzer.h"
/**
* @brief Consumes an 8-bit unsigned integer from a buffer.
*
* This function extracts an 8-bit unsigned integer from the provided buffer,
* updates the buffer pointer, and adjusts the remaining length.
*
* @param buf Pointer to the input buffer.
* @param len Pointer to the size of the remaining buffer; updated after consumption.
* @param val Pointer to store the extracted 8-bit value.
*
* @return Pointer to the updated buffer position after reading the value,
* or NULL if the buffer does not contain enough data.
*/
static uint8_t *consume_uint8t(const uint8_t *buf, size_t *len, uint8_t *val)
{
if (*len < sizeof(uint8_t))
return NULL;
*val = *buf;
*len -= sizeof(uint8_t);
return (uint8_t *)buf + 1;
}
/**
* @brief Selects a key type and size from a buffer.
*
* This function reads a key size value from the buffer, determines the
* corresponding key type and length, and updates the buffer pointer
* accordingly. If `only_valid` is set, it restricts selection to valid
* key sizes; otherwise, it includes some invalid sizes for testing.
*
* @param buf Pointer to the buffer pointer; updated after reading.
* @param len Pointer to the remaining buffer size; updated accordingly.
* @param keytype Pointer to store the selected key type string.
* @param keylen Pointer to store the selected key length.
* @param only_valid Flag to restrict selection to valid key sizes.
*
* @return 1 if a key type is successfully selected, 0 on failure.
*/
static int select_keytype_and_size(uint8_t **buf, size_t *len,
char **keytype, size_t *keylen,
int only_valid)
{
uint16_t keysize;
uint16_t modulus = 6;
/*
* Note: We don't really care about endianess here, we just
* want a random 16 bit value
*/
*buf = (uint8_t *)OPENSSL_load_u16_le(&keysize, *buf);
*len -= sizeof(uint16_t);
if (*buf == NULL)
return 0;
/*
* select from sizes
* ML-KEM-512, ML-KEM-768, and ML-KEM-1024
* also select some invalid sizes to trigger
* error paths
*/
if (only_valid)
modulus = 3;
/*
* Note, keylens for valid values (cases 0-2)
* are taken based on input values from our unit tests
*/
switch (keysize % modulus) {
case 0:
*keytype = "ML-KEM-512";
*keylen = OSSL_ML_KEM_512_PUBLIC_KEY_BYTES;
break;
case 1:
*keytype = "ML-KEM-768";
*keylen = OSSL_ML_KEM_768_PUBLIC_KEY_BYTES;
break;
case 2:
*keytype = "ML-KEM-1024";
*keylen = OSSL_ML_KEM_1024_PUBLIC_KEY_BYTES;
break;
case 3:
/* select invalid alg */
*keytype = "ML-KEM-13";
*keylen = 13;
break;
case 4:
/* Select valid alg, but bogus size */
*keytype = "ML-KEM-1024";
*buf = (uint8_t *)OPENSSL_load_u16_le(&keysize, *buf);
*len -= sizeof(uint16_t);
*keylen = (size_t)keysize;
*keylen %= 1024; /* size to our key buffer */
break;
default:
*keytype = NULL;
*keylen = 0;
break;
}
return 1;
}
/**
* @brief Creates an ML-KEM raw key from a buffer.
*
* This function selects a key type and size from the buffer, generates
* a random key of the appropriate length, and creates either a public
* or private ML-KEM key using OpenSSL's EVP_PKEY interface.
*
* @param buf Pointer to the buffer pointer; updated after reading.
* @param len Pointer to the remaining buffer size; updated accordingly.
* @param key1 Pointer to store the generated EVP_PKEY key (public or private).
* @param key2 Unused parameter (reserved for future use).
*
* @note The generated key is allocated using OpenSSL's EVP_PKEY functions
* and should be freed appropriately using `EVP_PKEY_free()`.
*/
static void create_mlkem_raw_key(uint8_t **buf, size_t *len,
void **key1, void **key2)
{
EVP_PKEY *pubkey;
char *keytype = NULL;
size_t keylen = 0;
uint8_t key[4096];
int pub = 0;
if (!select_keytype_and_size(buf, len, &keytype, &keylen, 0))
return;
/*
* Select public or private key creation based on the low order
* bit of the next buffer value
* Note that keylen as returned from select_keytype_and_size is
* a public key length, private keys for ML-KEM are always double
* the size plus 32, so make that adjustment here
*/
if ((*buf)[0] & 0x1)
pub = 1;
else
keylen = (keylen * 2) + 32;
/*
* libfuzzer provides by default up to 4096 bit input
* buffers, but its typically much less (between 1 and 100 bytes)
* so use RAND_bytes here instead
*/
if (!RAND_bytes(key, keylen))
return;
/*
* Try to generate either a raw public or private key using random data
* Because the input is completely random, its effectively certain this
* operation will fail, but it will still exercise the code paths below,
* which is what we want the fuzzer to do
*/
if (pub == 1)
pubkey = EVP_PKEY_new_raw_public_key_ex(NULL, keytype, NULL, key, keylen);
else
pubkey = EVP_PKEY_new_raw_private_key_ex(NULL, keytype, NULL, key, keylen);
*key1 = pubkey;
return;
}
/**
* @brief Generates a valid ML-KEM key using OpenSSL.
*
* This function selects a valid ML-KEM key type and size from the buffer,
* initializes an OpenSSL EVP_PKEY context, and generates a cryptographic
* key accordingly.
*
* @param buf Pointer to the buffer pointer; updated after reading.
* @param len Pointer to the remaining buffer size; updated accordingly.
* @param key1 Pointer to store the generated EVP_PKEY key.
* @param unused Unused parameter (reserved for future use).
*
* @note The generated key is allocated using OpenSSL's EVP_PKEY functions
* and should be freed using `EVP_PKEY_free()`.
*/
static void keygen_mlkem_real_key(uint8_t **buf, size_t *len,
void **key1, void **key2)
{
char *keytype = NULL;
size_t keylen = 0;
EVP_PKEY_CTX *ctx = NULL;
EVP_PKEY **key;
*key1 = *key2 = NULL;
key = (EVP_PKEY **)key1;
again:
/*
* Only generate valid key types and lengths
* Note, no adjustment is made to keylen here, as
* the provider is responsible for selecting the keys and sizes
* for us during the EVP_PKEY_keygen call
*/
if (!select_keytype_and_size(buf, len, &keytype, &keylen, 1))
return;
ctx = EVP_PKEY_CTX_new_from_name(NULL, keytype, NULL);
if (!ctx) {
fprintf(stderr, "Failed to generate ctx\n");
return;
}
if (!EVP_PKEY_keygen_init(ctx)) {
fprintf(stderr, "Failed to init keygen ctx\n");
goto err;
}
*key = EVP_PKEY_new();
if (*key == NULL)
goto err;
if (!EVP_PKEY_generate(ctx, key)) {
fprintf(stderr, "Failed to generate new real key\n");
goto err;
}
if (key == (EVP_PKEY **)key1) {
EVP_PKEY_CTX_free(ctx);
key = (EVP_PKEY **)key2;
goto again;
}
err:
EVP_PKEY_CTX_free(ctx);
return;
}
/**
* @brief Performs key encapsulation and decapsulation using an EVP_PKEY.
*
* This function generates a random key, encapsulates it using the provided
* public key, then decapsulates it to retrieve the original key. It makes
* use of OpenSSL's EVP_PKEY API for encryption and decryption.
*
* @param[out] buf Unused output buffer (reserved for future use).
* @param[out] len Unused length parameter (reserved for future use).
* @param[in] key1 Pointer to an EVP_PKEY structure used for key operations.
* @param[in] in2 Unused input parameter (reserved for future use).
* @param[out] out1 Unused output parameter (reserved for future use).
* @param[out] out2 Unused output parameter (reserved for future use).
*/
static void mlkem_encap_decap(uint8_t **buf, size_t *len, void *key1, void *in2,
void **out1, void **out2)
{
EVP_PKEY *key = (EVP_PKEY *)key1;
EVP_PKEY_CTX *ctx;
unsigned char genkey[32];
size_t genkey_len = 32;
unsigned char unwrappedkey[32];
size_t unwrappedkey_len = 32;
unsigned char wrapkey[1568];
size_t wrapkey_len = 1568;
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);
if (ctx == NULL) {
fprintf(stderr, "Failed to allocate ctx\n");
goto err;
}
if (!EVP_PKEY_encapsulate_init(ctx, NULL)) {
fprintf(stderr, "Failed to init encap context\n");
goto err;
}
if (!RAND_bytes(genkey, genkey_len))
goto err;
if (EVP_PKEY_encapsulate(ctx, wrapkey, &wrapkey_len, genkey, &genkey_len) <= 0) {
fprintf(stderr, "Failed to encapsulate key\n");
goto err;
}
EVP_PKEY_CTX_free(ctx);
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);
if (ctx == NULL) {
fprintf(stderr, "Failed to create context\n");
goto err;
}
if (!EVP_PKEY_decapsulate_init(ctx, NULL)) {
fprintf(stderr, "Failed to init decap\n");
goto err;
}
if (EVP_PKEY_decapsulate(ctx, unwrappedkey, &unwrappedkey_len,
wrapkey, wrapkey_len)
<= 0) {
fprintf(stderr, "Failed to decap key\n");
goto err;
}
if (memcmp(unwrappedkey, genkey, genkey_len))
fprintf(stderr, "mismatch on secret comparison\n");
err:
EVP_PKEY_CTX_free(ctx);
return;
}
/**
* @brief Derives a shared secret using the provided key and peer key.
*
* This function performs a key derivation operation using the given
* private key and peer public key. The resulting shared secret is
* allocated dynamically and must be freed by the caller.
*
* @param[in] key The private key used for derivation.
* @param[in] peer The peer's public key.
* @param[out] shared Pointer to the derived shared secret (allocated).
* @param[out] shared_len Length of the derived shared secret.
*
* @note The caller is responsible for freeing the memory allocated
* for `shared` using `OPENSSL_free()`.
*/
static void do_derive(EVP_PKEY *key, EVP_PKEY *peer, uint8_t **shared, size_t *shared_len)
{
EVP_PKEY_CTX *ctx = NULL;
*shared = NULL;
*shared_len = 0;
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);
if (ctx == NULL) {
fprintf(stderr, "failed to create keygen context\n");
goto err;
}
if (!EVP_PKEY_derive_init(ctx)) {
fprintf(stderr, "failed to init derive context\n");
goto err;
}
if (!EVP_PKEY_derive_set_peer(ctx, peer)) {
fprintf(stderr, "failed to set peer\n");
goto err;
}
if (!EVP_PKEY_derive(ctx, NULL, shared_len)) {
fprintf(stderr, "Derive failed 1\n");
goto err;
}
if (*shared_len == 0)
goto err;
*shared = OPENSSL_zalloc(*shared_len);
if (*shared == NULL) {
fprintf(stderr, "Failed to alloc\n");
goto err;
}
if (!EVP_PKEY_derive(ctx, *shared, shared_len)) {
fprintf(stderr, "Derive failed 2\n");
OPENSSL_free(*shared);
*shared = NULL;
*shared_len = 0;
goto err;
}
err:
EVP_PKEY_CTX_free(ctx);
}
/**
* @brief Performs a key exchange using ML-KEM.
*
* This function derives shared secrets using the provided key pairs.
* It calls `do_derive()` to compute shared secrets for both participants
* and frees the allocated memory for the shared secrets.
*
* @param[out] buf Unused output buffer (reserved for future use).
* @param[out] len Unused output length (reserved for future use).
* @param[in] key1 First key (typically Alice's key).
* @param[in] key2 Second key (typically Bob's key).
* @param[out] out1 Unused output parameter (reserved for future use).
* @param[out] out2 Unused output parameter (reserved for future use).
*
* @note Currently, this function does not validate whether the derived
* shared secrets match. A check should be added when ML-KEM
* supports this.
*/
static void mlkem_kex(uint8_t **buf, size_t *len, void *key1, void *key2,
void **out1, void **out2)
{
EVP_PKEY *alice = (EVP_PKEY *)key1;
EVP_PKEY *bob = (EVP_PKEY *)key2;
size_t boblen, alicelen;
uint8_t *bobshare = NULL;
uint8_t *aliceshare = NULL;
do_derive(alice, bob, &aliceshare, &alicelen);
do_derive(bob, alice, &bobshare, &boblen);
/*
* TODO add check of shared secrets here when ML-KEM supports this
*/
OPENSSL_free(bobshare);
OPENSSL_free(aliceshare);
}
/**
* @brief Exports and imports an ML-KEM key.
*
* This function extracts key material from the given key (`key1`),
* exports it as parameters, and then attempts to reconstruct a new
* key from those parameters. It uses OpenSSL's `EVP_PKEY_todata()`
* and `EVP_PKEY_fromdata()` functions for this process.
*
* @param[out] buf Unused output buffer (reserved for future use).
* @param[out] len Unused output length (reserved for future use).
* @param[in] key1 The key to be exported and imported.
* @param[in] key2 Unused input key (reserved for future use).
* @param[out] out1 Unused output parameter (reserved for future use).
* @param[out] out2 Unused output parameter (reserved for future use).
*
* @note If any step in the export-import process fails, the function
* logs an error and cleans up allocated resources.
*/
static void mlkem_export_import(uint8_t **buf, size_t *len, void *key1,
void *key2, void **out1, void **out2)
{
EVP_PKEY *alice = (EVP_PKEY *)key1;
EVP_PKEY *new = NULL;
EVP_PKEY_CTX *ctx = NULL;
OSSL_PARAM *params = NULL;
if (!EVP_PKEY_todata(alice, EVP_PKEY_KEYPAIR, &params)) {
fprintf(stderr, "Failed todata\n");
goto err;
}
ctx = EVP_PKEY_CTX_new_from_pkey(NULL, alice, NULL);
if (ctx == NULL) {
fprintf(stderr, "Failed new ctx\n");
goto err;
}
if (!EVP_PKEY_fromdata(ctx, &new, EVP_PKEY_KEYPAIR, params)) {
fprintf(stderr, "Failed fromdata\n");
goto err;
}
err:
EVP_PKEY_CTX_free(ctx);
EVP_PKEY_free(new);
OSSL_PARAM_free(params);
}
/**
* @brief Compares two cryptographic keys and performs equality checks.
*
* This function takes in two cryptographic keys, casts them to `EVP_PKEY`
* structures, and checks their equality using `EVP_PKEY_eq()`. The purpose
* of `buf`, `len`, `out1`, and `out2` parameters is not clear from the
* function's current implementation.
*
* @param buf Unused parameter (purpose unclear).
* @param len Unused parameter (purpose unclear).
* @param key1 First key, expected to be an `EVP_PKEY *`.
* @param key2 Second key, expected to be an `EVP_PKEY *`.
* @param out1 Unused parameter (purpose unclear).
* @param out2 Unused parameter (purpose unclear).
*/
static void mlkem_compare(uint8_t **buf, size_t *len, void *key1,
void *key2, void **out1, void **out2)
{
EVP_PKEY *alice = (EVP_PKEY *)key1;
EVP_PKEY *bob = (EVP_PKEY *)key2;
EVP_PKEY_eq(alice, alice);
EVP_PKEY_eq(alice, bob);
}
/**
* @brief Frees allocated ML-KEM keys.
*
* This function releases memory associated with up to four EVP_PKEY
* objects by calling `EVP_PKEY_free()` on each provided key.
*
* @param key1 Pointer to the first key to be freed.
* @param key2 Pointer to the second key to be freed.
* @param key3 Pointer to the third key to be freed.
* @param key4 Pointer to the fourth key to be freed.
*
* @note This function assumes that each key is either a valid EVP_PKEY
* object or NULL. Passing NULL is safe and has no effect.
*/
static void cleanup_mlkem_keys(void *key1, void *key2,
void *key3, void *key4)
{
EVP_PKEY_free((EVP_PKEY *)key1);
EVP_PKEY_free((EVP_PKEY *)key2);
EVP_PKEY_free((EVP_PKEY *)key3);
EVP_PKEY_free((EVP_PKEY *)key4);
return;
}
/**
* @brief Represents an operation table entry for cryptographic operations.
*
* This structure defines a table entry containing function pointers for
* setting up, executing, and cleaning up cryptographic operations, along
* with associated metadata such as a name and description.
*
* @struct op_table_entry
*/
struct op_table_entry {
/** Name of the operation. */
char *name;
/** Description of the operation. */
char *desc;
/**
* @brief Function pointer for setting up the operation.
*
* @param buf Pointer to the buffer pointer; may be updated.
* @param len Pointer to the remaining buffer size; may be updated.
* @param out1 Pointer to store the first output of the setup function.
* @param out2 Pointer to store the second output of the setup function.
*/
void (*setup)(uint8_t **buf, size_t *len, void **out1, void **out2);
/**
* @brief Function pointer for executing the operation.
*
* @param buf Pointer to the buffer pointer; may be updated.
* @param len Pointer to the remaining buffer size; may be updated.
* @param in1 First input parameter for the operation.
* @param in2 Second input parameter for the operation.
* @param out1 Pointer to store the first output of the operation.
* @param out2 Pointer to store the second output of the operation.
*/
void (*doit)(uint8_t **buf, size_t *len, void *in1, void *in2,
void **out1, void **out2);
/**
* @brief Function pointer for cleaning up after the operation.
*
* @param in1 First input parameter to be cleaned up.
* @param in2 Second input parameter to be cleaned up.
* @param out1 First output parameter to be cleaned up.
* @param out2 Second output parameter to be cleaned up.
*/
void (*cleanup)(void *in1, void *in2, void *out1, void *out2);
};
static struct op_table_entry ops[] = {
{ "Generate ML-KEM raw key",
"Try generate a raw keypair using random data. Usually fails",
create_mlkem_raw_key,
NULL,
cleanup_mlkem_keys },
{ "Generate ML-KEM keypair, using EVP_PKEY_keygen",
"Generates a real ML-KEM keypair, should always work",
keygen_mlkem_real_key,
NULL,
cleanup_mlkem_keys },
{ "Do a key encap/decap operation on a key",
"Generate key, encap it, decap it and compare, should work",
keygen_mlkem_real_key,
mlkem_encap_decap,
cleanup_mlkem_keys },
{ "Do a key exchange operation on two keys",
"Gen keys, do a key exchange both ways and compare",
keygen_mlkem_real_key,
mlkem_kex,
cleanup_mlkem_keys },
{ "Do an export/import of key data",
"Exercise EVP_PKEY_todata/fromdata",
keygen_mlkem_real_key,
mlkem_export_import,
cleanup_mlkem_keys },
{ "Compare keys for equality",
"Compare key1/key1 and key1/key2 for equality",
keygen_mlkem_real_key,
mlkem_compare,
cleanup_mlkem_keys }
};
int FuzzerInitialize(int *argc, char ***argv)
{
return 0;
}
/**
* @brief Processes a fuzzing input by selecting and executing an operation.
*
* This function interprets the first byte of the input buffer to determine
* an operation to execute. It then follows a setup, execution, and cleanup
* sequence based on the selected operation.
*
* @param buf Pointer to the input buffer.
* @param len Length of the input buffer.
*
* @return 0 on successful execution, -1 if the input is too short.
*
* @note The function requires at least 32 bytes in the buffer to proceed.
* It utilizes the `ops` operation table to dynamically determine and
* execute the selected operation.
*/
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
uint8_t operation;
uint8_t *buffer_cursor;
void *in1 = NULL, *in2 = NULL;
void *out1 = NULL, *out2 = NULL;
if (len < 32)
return -1;
/*
* Get the first byte of the buffer to tell us what operation
* to perform
*/
buffer_cursor = consume_uint8t(buf, &len, &operation);
if (buffer_cursor == NULL)
return -1;
/*
* Adjust for operational array size
*/
operation %= OSSL_NELEM(ops);
/*
* And run our setup/doit/cleanup sequence
*/
if (ops[operation].setup != NULL)
ops[operation].setup(&buffer_cursor, &len, &in1, &in2);
if (ops[operation].doit != NULL)
ops[operation].doit(&buffer_cursor, &len, in1, in2, &out1, &out2);
if (ops[operation].cleanup != NULL)
ops[operation].cleanup(in1, in2, out1, out2);
return 0;
}
void FuzzerCleanup(void)
{
OPENSSL_cleanup();
}