/src/openssl31/fuzz/cmp.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * Test CMP DER parsing. |
12 | | */ |
13 | | |
14 | | #include <openssl/bio.h> |
15 | | #include <openssl/cmp.h> |
16 | | #include "../crypto/cmp/cmp_local.h" |
17 | | #include <openssl/err.h> |
18 | | #include "fuzzer.h" |
19 | | |
/*
 * One-time harness setup, called with the fuzzing driver's argc/argv.
 * Neither argument is read here.
 *
 * Returns 1 unconditionally.
 */
int FuzzerInitialize(int *argc, char ***argv)
{
    (void)argc;
    (void)argv;

    /* Fuzzer-provided RAND setup (defined with the other fuzzer.h helpers). */
    FuzzerSetRand();

    /* Load the libcrypto error strings up front, then drop any queued errors. */
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
    ERR_clear_error();

    /* NOTE(review): the reason for this call is not visible in this file. */
    CRYPTO_free_ex_index(0, -1);

    return 1;
}
28 | | |
/* Number of canned responses handed out so far; reset before each client run. */
static int num_responses;

/*
 * Transfer callback for the client context: instead of talking to a server,
 * answer every request with a copy of the message stored as the transfer
 * callback argument (the fuzzer-supplied message).
 *
 * Returns a fresh duplicate of that message, or NULL once the response
 * budget is used up. The request itself (req) is ignored.
 *
 * Coverage note: the report this listing comes from shows a count of 0 for
 * every line of this function, so the client sessions apparently never
 * reached the transfer step in that run.
 */
static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req)
{
    const int already_sent = num_responses++;
    OSSL_CMP_MSG *canned;

    (void)req;

    /* prevent loops due to repeated pollRep */
    if (already_sent > 2)
        return NULL;

    canned = OSSL_CMP_CTX_get_transfer_cb_arg(ctx);
    return OSSL_CMP_MSG_dup(canned);
}
38 | | |
/*
 * Log callback that discards every message, so that fuzzing runs produce no
 * log output. Installed via OSSL_CMP_CTX_set_log_cb() on both the client and
 * the server context.
 *
 * Returns 1 unconditionally.
 */
static int print_noop(const char *func, const char *file, int line,
                      OSSL_CMP_severity level, const char *msg)
{
    (void)func;
    (void)file;
    (void)line;
    (void)level;
    (void)msg;

    return 1;
}
44 | | |
/*
 * Callback handed to ossl_cmp_msg_check_update(): accepts every message,
 * whatever its protection state or expected type, by always returning 1.
 *
 * This is harness-only behaviour. Fuzzer input carries no valid protection,
 * so accepting everything lets the code behind the protection check be
 * exercised; an accept-all callback like this disables message
 * authentication and has no place outside a test harness.
 */
static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep,
                             int invalid_protection, int expected_type)
{
    (void)ctx;
    (void)rep;
    (void)invalid_protection;
    (void)expected_type;

    return 1;
}
50 | | |
/*
 * Feed msg to the CMP client code as if it were a server response.
 *
 * The client context is configured just far enough that a request can be
 * built, the transfer callback is pointed at msg, and the client operation
 * matching the body type of msg is started. Body types without a matching
 * client operation go straight to ossl_cmp_msg_check_update().
 *
 * All results are ignored; only crashes and sanitizer reports matter here.
 */
static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
{
    X509_NAME *name = X509_NAME_new();
    ASN1_INTEGER *serial = ASN1_INTEGER_new();
    int body_type;

    /* Internal context fields are set directly (see cmp_local.h). */
    ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */
    ctx->disableConfirm = 1; /* check just one response message */
    ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */
    ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */

    /* An empty secret value is set to prevent a too unspecific error. */
    if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"", 0))
        goto err;
    if (ctx->oldCert == NULL)
        goto err;
    if (name == NULL || !X509_set_issuer_name(ctx->oldCert, name))
        goto err;
    if (serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial))
        goto err;

    (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb);
    (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg);
    (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop);
    num_responses = 0;

    /* A message without a body is handled by the default branch. */
    body_type = -1;
    if (msg->body != NULL)
        body_type = msg->body->type;

    switch (body_type) {
    case OSSL_CMP_PKIBODY_IP:
        (void)OSSL_CMP_exec_IR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_CP:
        /* A CP body is tried against both a CR and a P10CR session. */
        (void)OSSL_CMP_exec_CR_ses(ctx);
        (void)OSSL_CMP_exec_P10CR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_KUP:
        (void)OSSL_CMP_exec_KUR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_POLLREP:
        /* Put the context into the waiting state before the certreq attempt. */
        ctx->status = OSSL_CMP_PKISTATUS_waiting;
        (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
        break;
    case OSSL_CMP_PKIBODY_RP:
        (void)OSSL_CMP_exec_RR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_GENP:
        /* The returned ITAV stack is owned by the caller; free it at once. */
        sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx),
                                  OSSL_CMP_ITAV_free);
        break;
    default:
        (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0);
        break;
    }

 err:
    /* ctx->oldCert is not freed here; it stays attached to ctx. */
    X509_NAME_free(name);
    ASN1_INTEGER_free(serial);
}
101 | | |
/*
 * Server-side certificate request callback stub, registered through
 * OSSL_CMP_SRV_CTX_init() in FuzzerTestOneInput().
 *
 * Issues nothing: it raises CMP_R_ERROR_PROCESSING_MESSAGE and returns NULL,
 * leaving certOut, chainOut and caPubs untouched.
 */
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
                                            const OSSL_CMP_MSG *cert_req,
                                            int certReqId,
                                            const OSSL_CRMF_MSG *crm,
                                            const X509_REQ *p10cr,
                                            X509 **certOut,
                                            STACK_OF(X509) **chainOut,
                                            STACK_OF(X509) **caPubs)
{
    OSSL_CMP_PKISI *no_status = NULL;

    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
    return no_status;
}
114 | | |
/*
 * Server-side revocation request callback stub, registered through
 * OSSL_CMP_SRV_CTX_init() in FuzzerTestOneInput().
 *
 * Revokes nothing: it raises CMP_R_ERROR_PROCESSING_MESSAGE and returns NULL.
 */
static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
                                  const OSSL_CMP_MSG *rr,
                                  const X509_NAME *issuer,
                                  const ASN1_INTEGER *serial)
{
    OSSL_CMP_PKISI *no_status = NULL;

    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
    return no_status;
}
123 | | |
/*
 * Server-side general message callback stub, registered through
 * OSSL_CMP_SRV_CTX_init() in FuzzerTestOneInput().
 *
 * Produces no ITAVs: it raises CMP_R_ERROR_PROCESSING_MESSAGE, leaves *out
 * untouched and returns 0.
 */
static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
                        const OSSL_CMP_MSG *genm,
                        const STACK_OF(OSSL_CMP_ITAV) *in,
                        STACK_OF(OSSL_CMP_ITAV) **out)
{
    const int failed = 0;

    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
    return failed;
}
132 | | |
/*
 * Server-side error message callback stub, registered through
 * OSSL_CMP_SRV_CTX_init() in FuzzerTestOneInput().
 *
 * Ignores all of its arguments and only raises
 * CMP_R_ERROR_PROCESSING_MESSAGE.
 */
static void process_error(OSSL_CMP_SRV_CTX *srv_ctx,
                          const OSSL_CMP_MSG *error,
                          const OSSL_CMP_PKISI *statusInfo,
                          const ASN1_INTEGER *errorCode,
                          const OSSL_CMP_PKIFREETEXT *errorDetails)
{
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
}
140 | | |
/*
 * Server-side certificate confirmation callback stub, registered through
 * OSSL_CMP_SRV_CTX_init() in FuzzerTestOneInput().
 *
 * Raises CMP_R_ERROR_PROCESSING_MESSAGE and returns 0.
 *
 * Coverage note: the report this listing comes from shows a count of 0 for
 * this function, i.e. it was never called in that run.
 */
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
                            const OSSL_CMP_MSG *certConf,
                            int certReqId,
                            const ASN1_OCTET_STRING *certHash,
                            const OSSL_CMP_PKISI *si)
{
    const int failed = 0;

    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
    return failed;
}
149 | | |
/*
 * Server-side poll request callback stub, registered through
 * OSSL_CMP_SRV_CTX_init() in FuzzerTestOneInput().
 *
 * Raises CMP_R_ERROR_PROCESSING_MESSAGE and returns 0; *certReq and
 * *check_after are left untouched.
 */
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
                           const OSSL_CMP_MSG *pollReq,
                           int certReqId,
                           OSSL_CMP_MSG **certReq,
                           int64_t *check_after)
{
    const int failed = 0;

    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
    return failed;
}
157 | | |
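/*
 * Fuzzing entry point: parse buf[0..len) as a DER-encoded CMP message.
 * If it parses, the message is
 *   1. re-encoded and pretty-printed into a null BIO,
 *   2. handed to the client code as a response, and
 *   3. handed to the server code as a request, with stub callbacks that
 *      all fail.
 *
 * Results of these calls are ignored; the harness exists to surface crashes
 * and sanitizer reports. Always returns 0.
 */
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    OSSL_CMP_MSG *msg;
    BIO *in;

    if (len == 0)
        return 0;

    in = BIO_new(BIO_s_mem());
    if (in == NULL) {
        /*
         * Out of memory is not a finding. Without this guard the write
         * below cannot succeed, OPENSSL_assert() aborts, and the fuzzing
         * engine records a crash that has nothing to do with CMP parsing.
         */
        ERR_clear_error();
        return 0;
    }

    /*
     * NOTE(review): BIO_write() takes an int length; this assumes the
     * fuzzing engine never delivers more than INT_MAX bytes. Confirm
     * against the engine's maximum input size.
     */
    OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);

    msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
    if (msg != NULL) {
        BIO *out = BIO_new(BIO_s_null());
        OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
        OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);

        /*
         * Exercise the encoder and the ASN.1 printer on the parsed message.
         * Skipped if the sink could not be allocated, rather than relying
         * on every output routine tolerating a NULL BIO.
         */
        if (out != NULL) {
            i2d_OSSL_CMP_MSG_bio(out, msg);
            ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
                            ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
        }
        BIO_free(out);

        /* Client side: treat the message as a response. */
        if (client_ctx != NULL)
            cmp_client_process_response(client_ctx, msg);

        /* Server side: treat the same message as a request. */
        if (srv_ctx != NULL
            && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
                                       print_noop)
            && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
                                     process_rr, process_genm, process_error,
                                     process_certConf, process_pollReq))
            OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));

        OSSL_CMP_CTX_free(client_ctx);
        OSSL_CMP_SRV_CTX_free(srv_ctx);
        OSSL_CMP_MSG_free(msg);
    }

    BIO_free(in);
    /* Leave an empty error queue so one input cannot influence the next. */
    ERR_clear_error();

    return 0;
}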
199 | | |
/*
 * Harness teardown: undo the RAND setup made in FuzzerInitialize().
 *
 * Coverage note: the report this listing comes from shows a count of 0 for
 * this function, i.e. it was not called in that run.
 */
void FuzzerCleanup(void)
{
    FuzzerClearRand();
}