winscp/libs/openssl/fuzz/ml-dsa.c

/*
 * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * https://www.openssl.org/source/license.html
 * or in the file LICENSE in the source distribution.
 */

/* Test ML-DSA operation.  */
#include <string.h>
#include <openssl/evp.h>
#include <openssl/err.h>
#include <openssl/rand.h>
#include <openssl/byteorder.h>
#include "internal/nelem.h"
#include "fuzzer.h"
#include "crypto/ml_dsa.h"

/**
 * @brief Consumes an 8-bit unsigned integer from a buffer.
 *
 * This function extracts an 8-bit unsigned integer from the provided buffer,
 * updates the buffer pointer, and adjusts the remaining length.
 *
 * @param buf  Pointer to the input buffer.
 * @param len  Pointer to the size of the remaining buffer; updated after consumption.
 * @param val  Pointer to store the extracted 8-bit value.
 *
 * @return Pointer to the updated buffer position after reading the value,
 *         or NULL if the buffer does not contain enough data.
 */
static uint8_t *consume_uint8_t(const uint8_t *buf, size_t *len, uint8_t *val)
{
    if (*len < sizeof(uint8_t))
        return NULL;
    *val = *buf;
    *len -= sizeof(uint8_t);
    return (uint8_t *)buf + 1;
}

/**
 * @brief Consumes a size_t from a buffer.
 *
 * This function extracts a size_t from the provided buffer, updates the buffer
 * pointer, and adjusts the remaining length.
 *
 * @param buf  Pointer to the input buffer.
 * @param len  Pointer to the size of the remaining buffer; updated after consumption.
 * @param val  Pointer to store the extracted size_t value.
 *
 * @return Pointer to the updated buffer position after reading the value,
 *         or NULL if the buffer does not contain enough data.
 */
static uint8_t *consume_size_t(const uint8_t *buf, size_t *len, size_t *val)
{
    if (*len < sizeof(size_t))
        return NULL;
    *val = *buf;
    *len -= sizeof(size_t);
    return (uint8_t *)buf + sizeof(size_t);
}

/**
 * @brief Selects a key type and size from a buffer.
 *
 * This function reads a key size value from the buffer, determines the
 * corresponding key type and length, and updates the buffer pointer
 * accordingly. If `only_valid` is set, it restricts selection to valid key
 * sizes; otherwise, it includes some invalid sizes for testing.
 *
 * @param buf       Pointer to the buffer pointer; updated after reading.
 * @param len       Pointer to the remaining buffer size; updated accordingly.
 * @param keytype   Pointer to store the selected key type string.
 * @param keylen    Pointer to store the selected key length.
 * @param only_valid Flag to restrict selection to valid key sizes.
 *
 * @return 1 if a key type is successfully selected, 0 on failure.
 */
static int select_keytype_and_size(uint8_t **buf, size_t *len,
                                   char **keytype, size_t *keylen,
                                   int only_valid)
{
    uint16_t keysize;
    uint16_t modulus = 6;

    /*
     * Note: We don't really care about endianness here, we just want a random
     * 16 bit value
     */
    *buf = (uint8_t *)OPENSSL_load_u16_le(&keysize, *buf);
    *len -= sizeof(uint16_t);

    if (*buf == NULL)
        return 0;

    /*
     * If `only_valid` is set, select only ML-DSA-44, ML-DSA-65, and ML-DSA-87.
     * Otherwise, include some invalid sizes to trigger error paths.
     */

    if (only_valid)
        modulus = 3;

    /*
     * Note, keylens for valid values (cases 0-2) are taken based on input
     * values from our unit tests
     */
    switch (keysize % modulus) {
    case 0:
        *keytype = "ML-DSA-44";
        *keylen = ML_DSA_44_PUB_LEN;
        break;
    case 1:
        *keytype = "ML-DSA-65";
        *keylen = ML_DSA_65_PUB_LEN;
        break;
    case 2:
        *keytype = "ML-DSA-87";
        *keylen = ML_DSA_87_PUB_LEN;
        break;
    case 3:
        /* select invalid alg */
        *keytype = "ML-DSA-33";
        *keylen = 33;
        break;
    case 4:
        /* Select valid alg, but bogus size */
        *keytype = "ML-DSA-87";
        *buf = (uint8_t *)OPENSSL_load_u16_le(&keysize, *buf);
        *len -= sizeof(uint16_t);
        *keylen = (size_t)keysize;
        *keylen %= ML_DSA_87_PUB_LEN; /* size to our key buffer */
        break;
    default:
        *keytype = NULL;
        *keylen = 0;
        break;
    }
    return 1;
}

/**
 * @brief Creates an ML-DSA raw key from a buffer.
 *
 * This function selects a key type and size from the buffer, generates a random
 * key of the appropriate length, and creates either a public or private ML-DSA
 * key using OpenSSL's EVP_PKEY interface.
 *
 * @param buf   Pointer to the buffer pointer; updated after reading.
 * @param len   Pointer to the remaining buffer size; updated accordingly.
 * @param key1  Pointer to store the generated EVP_PKEY key (public or private).
 * @param key2  Unused parameter (reserved for future use).
 *
 * @note The generated key is allocated using OpenSSL's EVP_PKEY functions
 *       and should be freed appropriately using `EVP_PKEY_free()`.
 */
static void create_ml_dsa_raw_key(uint8_t **buf, size_t *len,
                                  void **key1, void **key2)
{
    EVP_PKEY *pubkey;
    char *keytype = NULL;
    size_t keylen = 0;
    /* MAX_ML_DSA_PRIV_LEN is longer of that and ML_DSA_87_PUB_LEN */
    uint8_t key[MAX_ML_DSA_PRIV_LEN];
    int pub = 0;

    if (!select_keytype_and_size(buf, len, &keytype, &keylen, 0))
        return;

    /*
     * Select public or private key creation based on the low order bit of the
     * next buffer value.
     * Note that keylen as returned from select_keytype_and_size is a public key
     * length, so make the adjustment to private key lengths here.
     */
    if ((*buf)[0] & 0x1) {
        pub = 1;
    } else {
        switch (keylen) {
        case (ML_DSA_44_PUB_LEN):
            keylen = ML_DSA_44_PRIV_LEN;
            break;
        case (ML_DSA_65_PUB_LEN):
            keylen = ML_DSA_65_PRIV_LEN;
            break;
        case (ML_DSA_87_PUB_LEN):
            keylen = ML_DSA_87_PRIV_LEN;
            break;
        default:
            return;
        }
    }

    /*
     * libfuzzer provides by default up to 4096 bit input buffers, but it's
     * typically much less (between 1 and 100 bytes) so use RAND_bytes here
     * instead
     */
    if (!RAND_bytes(key, keylen))
        return;

    /*
     * Try to generate either a raw public or private key using random data
     * Because the input is completely random, it's effectively certain this
     * operation will fail, but it will still exercise the code paths below,
     * which is what we want the fuzzer to do
     */
    if (pub == 1)
        pubkey = EVP_PKEY_new_raw_public_key_ex(NULL, keytype, NULL, key, keylen);
    else
        pubkey = EVP_PKEY_new_raw_private_key_ex(NULL, keytype, NULL, key, keylen);

    *key1 = pubkey;
    return;
}

static int keygen_ml_dsa_real_key_helper(uint8_t **buf, size_t *len,
                                         EVP_PKEY **key)
{
    char *keytype = NULL;
    size_t keylen = 0;
    EVP_PKEY_CTX *ctx = NULL;
    int ret = 0;

    /*
     * Only generate valid key types and lengths. Note, no adjustment is made to
     * keylen here, as the provider is responsible for selecting the keys and
     * sizes for us during the EVP_PKEY_keygen call
     */
    if (!select_keytype_and_size(buf, len, &keytype, &keylen, 1))
        goto err;

    ctx = EVP_PKEY_CTX_new_from_name(NULL, keytype, NULL);
    if (!ctx) {
        fprintf(stderr, "Failed to generate ctx\n");
        goto err;
    }

    if (!EVP_PKEY_keygen_init(ctx)) {
        fprintf(stderr, "Failed to init keygen ctx\n");
        goto err;
    }

    *key = EVP_PKEY_new();
    if (*key == NULL)
        goto err;

    if (!EVP_PKEY_generate(ctx, key)) {
        fprintf(stderr, "Failed to generate new real key\n");
        goto err;
    }

    ret = 1;
err:
    EVP_PKEY_CTX_free(ctx);
    return ret;
}

/**
 * @brief Generates a valid ML-DSA key using OpenSSL.
 *
 * This function selects a valid ML-DSA key type and size from the buffer,
 * initializes an OpenSSL EVP_PKEY context, and generates a cryptographic key
 * accordingly.
 *
 * @param buf    Pointer to the buffer pointer; updated after reading.
 * @param len    Pointer to the remaining buffer size; updated accordingly.
 * @param key1   Pointer to store the first generated EVP_PKEY key.
 * @param key2   Pointer to store the second generated EVP_PKEY key.
 *
 * @note The generated key is allocated using OpenSSL's EVP_PKEY functions
 *       and should be freed using `EVP_PKEY_free()`.
 */
static void keygen_ml_dsa_real_key(uint8_t **buf, size_t *len,
                                   void **key1, void **key2)
{
    if (!keygen_ml_dsa_real_key_helper(buf, len, (EVP_PKEY **)key1)
        || !keygen_ml_dsa_real_key_helper(buf, len, (EVP_PKEY **)key2))
        fprintf(stderr, "Unable to generate valid keys");
}

/**
 * @brief Performs key sign and verify using an EVP_PKEY.
 *
 * This function generates a random key, signs random data using the provided
 * public key, then verifies it. It makes use of OpenSSL's EVP_PKEY API for
 * encryption and decryption.
 *
 * @param[out] buf   Unused output buffer (reserved for future use).
 * @param[out] len   Unused length parameter (reserved for future use).
 * @param[in]  key1  Pointer to an EVP_PKEY structure used for key operations.
 * @param[in]  in2   Unused input parameter (reserved for future use).
 * @param[out] out1  Unused output parameter (reserved for future use).
 * @param[out] out2  Unused output parameter (reserved for future use).
 */
static void ml_dsa_sign_verify(uint8_t **buf, size_t *len, void *key1,
                               void *in2, void **out1, void **out2)
{
    EVP_PKEY *key = (EVP_PKEY *)key1;
    EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL);
    EVP_SIGNATURE *sig_alg = NULL;
    unsigned char *sig = NULL;
    size_t sig_len = 0, tbslen;
    unsigned char *tbs = NULL;
    /* Ownership of alg is retained by the pkey object */
    const char *alg = EVP_PKEY_get0_type_name(key);
    const OSSL_PARAM params[] = {
        OSSL_PARAM_octet_string("context-string",
                                (unsigned char *)"A context string", 16),
        OSSL_PARAM_END
    };

    if (!consume_size_t(*buf, len, &tbslen)) {
        fprintf(stderr, "Failed to set tbslen");
        goto err;
    }
    /* Keep tbslen within a reasonable value we can malloc */
    tbslen = (tbslen % 2048) + 1;

    if ((tbs = OPENSSL_malloc(tbslen)) == NULL
        || ctx == NULL || alg == NULL
        || !RAND_bytes_ex(NULL, tbs, tbslen, 0)) {
        fprintf(stderr, "Failed basic initialization\n");
        goto err;
    }

    /*
     * Because ML-DSA is fundamentally a one-shot algorithm like "pure" Ed25519
     * and Ed448, we don't have any immediate plans to implement intermediate
     * sign/verify functions. Therefore, we only test the one-shot functions.
     */

    if ((sig_alg = EVP_SIGNATURE_fetch(NULL, alg, NULL)) == NULL
        || EVP_PKEY_sign_message_init(ctx, sig_alg, params) <= 0
        || EVP_PKEY_sign(ctx, NULL, &sig_len, tbs, tbslen) <= 0
        || (sig = OPENSSL_zalloc(sig_len)) == NULL
        || EVP_PKEY_sign(ctx, sig, &sig_len, tbs, tbslen) <= 0) {
        fprintf(stderr, "Failed to sign message\n");
        goto err;
    }

    /* Verify signature */
    EVP_PKEY_CTX_free(ctx);
    ctx = NULL;

    if ((ctx = EVP_PKEY_CTX_new_from_pkey(NULL, key, NULL)) == NULL
        || EVP_PKEY_verify_message_init(ctx, sig_alg, params) <= 0
        || EVP_PKEY_verify(ctx, sig, sig_len, tbs, tbslen) <= 0) {
        fprintf(stderr, "Failed to verify message\n");
        goto err;
    }

err:
    OPENSSL_free(tbs);
    EVP_PKEY_CTX_free(ctx);
    EVP_SIGNATURE_free(sig_alg);
    OPENSSL_free(sig);
    return;
}

/**
 * @brief Performs key sign and verify using an EVP_PKEY.
 *
 * This function generates a random key, signs random data using the provided
 * public key, then verifies it. It makes use of OpenSSL's EVP_PKEY API for
 * encryption and decryption.
 *
 * @param[out] buf   Unused output buffer (reserved for future use).
 * @param[out] len   Unused length parameter (reserved for future use).
 * @param[in]  key1  Pointer to an EVP_PKEY structure used for key operations.
 * @param[in]  in2   Unused input parameter (reserved for future use).
 * @param[out] out1  Unused output parameter (reserved for future use).
 * @param[out] out2  Unused output parameter (reserved for future use).
 */
static void ml_dsa_digest_sign_verify(uint8_t **buf, size_t *len, void *key1,
                                      void *in2, void **out1, void **out2)
{
    EVP_PKEY *key = (EVP_PKEY *)key1;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();
    EVP_SIGNATURE *sig_alg = NULL;
    unsigned char *sig = NULL;
    size_t sig_len, tbslen;
    unsigned char *tbs = NULL;
    const OSSL_PARAM params[] = {
        OSSL_PARAM_octet_string("context-string",
                                (unsigned char *)"A context string", 16),
        OSSL_PARAM_END
    };

    if (!consume_size_t(*buf, len, &tbslen)) {
        fprintf(stderr, "Failed to set tbslen");
        goto err;
    }
    /* Keep tbslen within a reasonable value we can malloc */
    tbslen = (tbslen % 2048) + 1;

    if ((tbs = OPENSSL_malloc(tbslen)) == NULL
        || ctx == NULL
        || !RAND_bytes_ex(NULL, tbs, tbslen, 0)) {
        fprintf(stderr, "Failed basic initialization\n");
        goto err;
    }

    /*
     * Because ML-DSA is fundamentally a one-shot algorithm like "pure" Ed25519
     * and Ed448, we don't have any immediate plans to implement intermediate
     * sign/verify functions. Therefore, we only test the one-shot functions.
     */

    if (!EVP_DigestSignInit_ex(ctx, NULL, NULL, NULL, "?fips=true", key, params)
        || EVP_DigestSign(ctx, NULL, &sig_len, tbs, tbslen) <= 0
        || (sig = OPENSSL_malloc(sig_len)) == NULL
        || EVP_DigestSign(ctx, sig, &sig_len, tbs, tbslen) <= 0) {
        fprintf(stderr, "Failed to sign digest with EVP_DigestSign\n");
        goto err;
    }

    /* Verify signature */
    EVP_MD_CTX_free(ctx);
    ctx = NULL;

    if ((ctx = EVP_MD_CTX_new()) == NULL
        || EVP_DigestVerifyInit_ex(ctx, NULL, NULL, NULL, "?fips=true", key,
                                   params) <= 0
        || EVP_DigestVerify(ctx, sig, sig_len, tbs, tbslen) <= 0) {
        fprintf(stderr, "Failed to verify digest with EVP_DigestVerify\n");
        goto err;
    }

err:
    OPENSSL_free(tbs);
    EVP_MD_CTX_free(ctx);
    EVP_SIGNATURE_free(sig_alg);
    OPENSSL_free(sig);
    return;
}

/**
 * @brief Exports and imports an ML-DSA key.
 *
 * This function extracts key material from the given key (`key1`), exports it
 * as parameters, and then attempts to reconstruct a new key from those
 * parameters. It uses OpenSSL's `EVP_PKEY_todata()` and `EVP_PKEY_fromdata()`
 * functions for this process.
 *
 * @param[out] buf Unused output buffer (reserved for future use).
 * @param[out] len Unused output length (reserved for future use).
 * @param[in] key1 The key to be exported and imported.
 * @param[in] key2 Unused input key (reserved for future use).
 * @param[out] out1 Unused output parameter (reserved for future use).
 * @param[out] out2 Unused output parameter (reserved for future use).
 *
 * @note If any step in the export-import process fails, the function
 *       logs an error and cleans up allocated resources.
 */
static void ml_dsa_export_import(uint8_t **buf, size_t *len, void *key1,
                                 void *key2, void **out1, void **out2)
{
    EVP_PKEY *alice = (EVP_PKEY *)key1;
    EVP_PKEY *new_key = NULL;
    EVP_PKEY_CTX *ctx = NULL;
    OSSL_PARAM *params = NULL;

    if (!EVP_PKEY_todata(alice, EVP_PKEY_KEYPAIR, &params)) {
        fprintf(stderr, "Failed todata\n");
        goto err;
    }

    ctx = EVP_PKEY_CTX_new_from_pkey(NULL, alice, NULL);
    if (ctx == NULL) {
        fprintf(stderr, "Failed new ctx\n");
        goto err;
    }

    if (!EVP_PKEY_fromdata(ctx, &new_key, EVP_PKEY_KEYPAIR, params)) {
        fprintf(stderr, "Failed fromdata\n");
        goto err;
    }

err:
    EVP_PKEY_CTX_free(ctx);
    EVP_PKEY_free(new_key);
    OSSL_PARAM_free(params);
}

/**
 * @brief Compares two cryptographic keys and performs equality checks.
 *
 * This function takes in two cryptographic keys, casts them to `EVP_PKEY`
 * structures, and checks their equality using `EVP_PKEY_eq()`. The purpose of
 * `buf`, `len`, `out1`, and `out2` parameters is not clear from the function's
 * current implementation.
 *
 * @param buf   Unused parameter (purpose unclear).
 * @param len   Unused parameter (purpose unclear).
 * @param key1  First key, expected to be an `EVP_PKEY *`.
 * @param key2  Second key, expected to be an `EVP_PKEY *`.
 * @param out1  Unused parameter (purpose unclear).
 * @param out2  Unused parameter (purpose unclear).
 */
static void ml_dsa_compare(uint8_t **buf, size_t *len, void *key1,
                           void *key2, void **out1, void **out2)
{
    EVP_PKEY *alice = (EVP_PKEY *)key1;
    EVP_PKEY *bob = (EVP_PKEY *)key2;

    EVP_PKEY_eq(alice, alice);
    EVP_PKEY_eq(alice, bob);
}

/**
 * @brief Frees allocated ML-DSA keys.
 *
 * This function releases memory associated with up to four EVP_PKEY objects by
 * calling `EVP_PKEY_free()` on each provided key.
 *
 * @param key1 Pointer to the first key to be freed.
 * @param key2 Pointer to the second key to be freed.
 * @param key3 Pointer to the third key to be freed.
 * @param key4 Pointer to the fourth key to be freed.
 *
 * @note This function assumes that each key is either a valid EVP_PKEY
 *       object or NULL. Passing NULL is safe and has no effect.
 */
static void cleanup_ml_dsa_keys(void *key1, void *key2,
                                void *key3, void *key4)
{
    EVP_PKEY_free((EVP_PKEY *)key1);
    EVP_PKEY_free((EVP_PKEY *)key2);
    EVP_PKEY_free((EVP_PKEY *)key3);
    EVP_PKEY_free((EVP_PKEY *)key4);
}

/**
 * @brief Represents an operation table entry for cryptographic operations.
 *
 * This structure defines a table entry containing function pointers for setting
 * up, executing, and cleaning up cryptographic operations, along with
 * associated metadata such as a name and description.
 *
 * @struct op_table_entry
 */
struct op_table_entry {
    /** Name of the operation. */
    char *name;

    /** Description of the operation. */
    char *desc;

    /**
     * @brief Function pointer for setting up the operation.
     *
     * @param buf   Pointer to the buffer pointer; may be updated.
     * @param len   Pointer to the remaining buffer size; may be updated.
     * @param out1  Pointer to store the first output of the setup function.
     * @param out2  Pointer to store the second output of the setup function.
     */
    void (*setup)(uint8_t **buf, size_t *len, void **out1, void **out2);

    /**
     * @brief Function pointer for executing the operation.
     *
     * @param buf   Pointer to the buffer pointer; may be updated.
     * @param len   Pointer to the remaining buffer size; may be updated.
     * @param in1   First input parameter for the operation.
     * @param in2   Second input parameter for the operation.
     * @param out1  Pointer to store the first output of the operation.
     * @param out2  Pointer to store the second output of the operation.
     */
    void (*doit)(uint8_t **buf, size_t *len, void *in1, void *in2,
                 void **out1, void **out2);

    /**
     * @brief Function pointer for cleaning up after the operation.
     *
     * @param in1   First input parameter to be cleaned up.
     * @param in2   Second input parameter to be cleaned up.
     * @param out1  First output parameter to be cleaned up.
     * @param out2  Second output parameter to be cleaned up.
     */
    void (*cleanup)(void *in1, void *in2, void *out1, void *out2);
};

static struct op_table_entry ops[] = {
    {
        "Generate ML-DSA raw key",
        "Try generate a raw keypair using random data. Usually fails",
        create_ml_dsa_raw_key,
        NULL,
        cleanup_ml_dsa_keys
    }, {
        "Generate ML-DSA keypair, using EVP_PKEY_keygen",
        "Generates a real ML-DSA keypair, should always work",
        keygen_ml_dsa_real_key,
        NULL,
        cleanup_ml_dsa_keys
    }, {
        "Do a sign/verify operation on a key",
        "Generate key, sign random data, verify it, should work",
        keygen_ml_dsa_real_key,
        ml_dsa_sign_verify,
        cleanup_ml_dsa_keys
    }, {
        "Do a digest sign/verify operation on a key",
        "Generate key, digest sign random data, verify it, should work",
        keygen_ml_dsa_real_key,
        ml_dsa_digest_sign_verify,
        cleanup_ml_dsa_keys
    }, {
        "Do an export/import of key data",
        "Exercise EVP_PKEY_todata/fromdata",
        keygen_ml_dsa_real_key,
        ml_dsa_export_import,
        cleanup_ml_dsa_keys
    }, {
        "Compare keys for equality",
        "Compare key1/key1 and key1/key2 for equality",
        keygen_ml_dsa_real_key,
        ml_dsa_compare,
        cleanup_ml_dsa_keys
    }
};

int FuzzerInitialize(int *argc, char ***argv)
{
    return 0;
}

/**
 * @brief Processes a fuzzing input by selecting and executing an operation.
 *
 * This function interprets the first byte of the input buffer to determine an
 * operation to execute. It then follows a setup, execution, and cleanup
 * sequence based on the selected operation.
 *
 * @param buf Pointer to the input buffer.
 * @param len Length of the input buffer.
 *
 * @return 0 on successful execution, -1 if the input is too short.
 *
 * @note The function requires at least 32 bytes in the buffer to proceed.
 *       It utilizes the `ops` operation table to dynamically determine and
 *       execute the selected operation.
 */
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    uint8_t operation;
    uint8_t *buffer_cursor;
    void *in1 = NULL, *in2 = NULL;
    void *out1 = NULL, *out2 = NULL;

    if (len < 32)
        return -1;

    /* Get the first byte of the buffer to tell us what operation to perform */
    buffer_cursor = consume_uint8_t(buf, &len, &operation);
    if (buffer_cursor == NULL)
        return -1;

    /* Adjust for operational array size */
    operation %= OSSL_NELEM(ops);

    /* And run our setup/doit/cleanup sequence */
    if (ops[operation].setup != NULL)
        ops[operation].setup(&buffer_cursor, &len, &in1, &in2);
    if (ops[operation].doit != NULL)
        ops[operation].doit(&buffer_cursor, &len, in1, in2, &out1, &out2);
    if (ops[operation].cleanup != NULL)
        ops[operation].cleanup(in1, in2, out1, out2);

    return 0;
}

void FuzzerCleanup(void)
{
    OPENSSL_cleanup();
}