/src/openssl34/fuzz/cmp.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"). You may not use |
5 | | * this file except in compliance with the License. You can obtain a copy |
6 | | * in the file LICENSE in the source distribution or at |
7 | | * https://www.openssl.org/source/license.html |
8 | | */ |
9 | | |
10 | | /* |
11 | | * Test CMP DER parsing. |
12 | | */ |
13 | | |
14 | | #include <openssl/bio.h> |
15 | | #include <openssl/cmp.h> |
16 | | #include "../crypto/cmp/cmp_local.h" |
17 | | #include <openssl/err.h> |
18 | | #include "fuzzer.h" |
19 | | |
20 | | int FuzzerInitialize(int *argc, char ***argv) |
21 | 200 | { |
22 | 200 | FuzzerSetRand(); |
23 | 200 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); |
24 | 200 | ERR_clear_error(); |
25 | 200 | CRYPTO_free_ex_index(0, -1); |
26 | 200 | return 1; |
27 | 200 | } |
28 | | |
29 | | static int num_responses; |
30 | | |
31 | | static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req) |
32 | 0 | { |
33 | 0 | if (num_responses++ > 2) |
34 | 0 | return NULL; /* prevent loops due to repeated pollRep */ |
35 | 0 | return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *) |
36 | 0 | OSSL_CMP_CTX_get_transfer_cb_arg(ctx)); |
37 | 0 | } |
38 | | |
39 | | static int print_noop(const char *func, const char *file, int line, |
40 | | OSSL_CMP_severity level, const char *msg) |
41 | 380k | { |
42 | 380k | return 1; |
43 | 380k | } |
44 | | |
45 | | static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep, |
46 | | int invalid_protection, int expected_type) |
47 | 27.0k | { |
48 | 27.0k | return 1; |
49 | 27.0k | } |
50 | | |
51 | | static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) |
52 | 37.8k | { |
53 | 37.8k | X509_NAME *name = X509_NAME_new(); |
54 | 37.8k | ASN1_INTEGER *serial = ASN1_INTEGER_new(); |
55 | | |
56 | 37.8k | ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */ |
57 | 37.8k | ctx->disableConfirm = 1; /* check just one response message */ |
58 | 37.8k | ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */ |
59 | 37.8k | ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */ |
60 | 37.8k | if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"", |
61 | 37.8k | 0) /* prevent too unspecific error */ |
62 | 37.8k | || ctx->oldCert == NULL |
63 | 37.8k | || name == NULL || !X509_set_issuer_name(ctx->oldCert, name) |
64 | 37.8k | || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial)) |
65 | 0 | goto err; |
66 | | |
67 | 37.8k | (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb); |
68 | 37.8k | (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg); |
69 | 37.8k | (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop); |
70 | 37.8k | num_responses = 0; |
71 | 37.8k | switch (msg->body != NULL ? msg->body->type : -1) { |
72 | 989 | case OSSL_CMP_PKIBODY_IP: |
73 | 989 | (void)OSSL_CMP_exec_IR_ses(ctx); |
74 | 989 | break; |
75 | 139 | case OSSL_CMP_PKIBODY_CP: |
76 | 139 | (void)OSSL_CMP_exec_CR_ses(ctx); |
77 | 139 | (void)OSSL_CMP_exec_P10CR_ses(ctx); |
78 | 139 | break; |
79 | 59 | case OSSL_CMP_PKIBODY_KUP: |
80 | 59 | (void)OSSL_CMP_exec_KUR_ses(ctx); |
81 | 59 | break; |
82 | 345 | case OSSL_CMP_PKIBODY_POLLREP: |
83 | 345 | ctx->status = OSSL_CMP_PKISTATUS_waiting; |
84 | 345 | (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL); |
85 | 345 | break; |
86 | 198 | case OSSL_CMP_PKIBODY_RP: |
87 | 198 | (void)OSSL_CMP_exec_RR_ses(ctx); |
88 | 198 | break; |
89 | 1.11k | case OSSL_CMP_PKIBODY_GENP: |
90 | 1.11k | sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx), |
91 | 1.11k | OSSL_CMP_ITAV_free); |
92 | 1.11k | break; |
93 | 35.0k | default: |
94 | 35.0k | (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0); |
95 | 35.0k | break; |
96 | 37.8k | } |
97 | 37.8k | err: |
98 | 37.8k | X509_NAME_free(name); |
99 | 37.8k | ASN1_INTEGER_free(serial); |
100 | 37.8k | } |
101 | | |
102 | | static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, |
103 | | const OSSL_CMP_MSG *cert_req, |
104 | | int certReqId, |
105 | | const OSSL_CRMF_MSG *crm, |
106 | | const X509_REQ *p10cr, |
107 | | X509 **certOut, |
108 | | STACK_OF(X509) **chainOut, |
109 | | STACK_OF(X509) **caPubs) |
110 | 5.91k | { |
111 | 5.91k | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
112 | 5.91k | return NULL; |
113 | 5.91k | } |
114 | | |
115 | | static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, |
116 | | const OSSL_CMP_MSG *rr, |
117 | | const X509_NAME *issuer, |
118 | | const ASN1_INTEGER *serial) |
119 | 44 | { |
120 | 44 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
121 | 44 | return NULL; |
122 | 44 | } |
123 | | |
124 | | static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, |
125 | | const OSSL_CMP_MSG *genm, |
126 | | const STACK_OF(OSSL_CMP_ITAV) *in, |
127 | | STACK_OF(OSSL_CMP_ITAV) **out) |
128 | 376 | { |
129 | 376 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
130 | 376 | return 0; |
131 | 376 | } |
132 | | |
133 | | static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error, |
134 | | const OSSL_CMP_PKISI *statusInfo, |
135 | | const ASN1_INTEGER *errorCode, |
136 | | const OSSL_CMP_PKIFREETEXT *errorDetails) |
137 | 768 | { |
138 | 768 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
139 | 768 | } |
140 | | |
141 | | static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, |
142 | | const OSSL_CMP_MSG *certConf, int certReqId, |
143 | | const ASN1_OCTET_STRING *certHash, |
144 | | const OSSL_CMP_PKISI *si) |
145 | 0 | { |
146 | 0 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
147 | 0 | return 0; |
148 | 0 | } |
149 | | |
150 | | static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, |
151 | | const OSSL_CMP_MSG *pollReq, int certReqId, |
152 | | OSSL_CMP_MSG **certReq, int64_t *check_after) |
153 | 144 | { |
154 | 144 | ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); |
155 | 144 | return 0; |
156 | 144 | } |
157 | | |
158 | | static int clean_transaction(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx, |
159 | | ossl_unused const ASN1_OCTET_STRING *id) |
160 | 29.9k | { |
161 | 29.9k | return 1; |
162 | 29.9k | } |
163 | | |
164 | | static int delayed_delivery(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx, |
165 | | ossl_unused const OSSL_CMP_MSG *req) |
166 | 7.86k | { |
167 | 7.86k | return 0; |
168 | 7.86k | } |
169 | | |
170 | | int FuzzerTestOneInput(const uint8_t *buf, size_t len) |
171 | 25.5k | { |
172 | 25.5k | OSSL_CMP_MSG *msg; |
173 | 25.5k | BIO *in; |
174 | | |
175 | 25.5k | if (len == 0) |
176 | 0 | return 0; |
177 | | |
178 | 25.5k | in = BIO_new(BIO_s_mem()); |
179 | 25.5k | OPENSSL_assert((size_t)BIO_write(in, buf, len) == len); |
180 | 25.5k | msg = d2i_OSSL_CMP_MSG_bio(in, NULL); |
181 | 25.5k | if (msg != NULL) { |
182 | 17.9k | BIO *out = BIO_new(BIO_s_null()); |
183 | 17.9k | OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL); |
184 | 17.9k | OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL); |
185 | | |
186 | 17.9k | i2d_OSSL_CMP_MSG_bio(out, msg); |
187 | 17.9k | ASN1_item_print(out, (ASN1_VALUE *)msg, 4, |
188 | 17.9k | ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL); |
189 | 17.9k | BIO_free(out); |
190 | | |
191 | 17.9k | if (client_ctx != NULL) |
192 | 17.9k | cmp_client_process_response(client_ctx, msg); |
193 | 17.9k | if (srv_ctx != NULL |
194 | 17.9k | && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), |
195 | 17.9k | print_noop) |
196 | 17.9k | && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request, |
197 | 17.9k | process_rr, process_genm, process_error, |
198 | 17.9k | process_certConf, process_pollReq) |
199 | 17.9k | && OSSL_CMP_SRV_CTX_init_trans(srv_ctx, delayed_delivery, |
200 | 17.9k | clean_transaction)) |
201 | 17.9k | OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg)); |
202 | | |
203 | 17.9k | OSSL_CMP_CTX_free(client_ctx); |
204 | 17.9k | OSSL_CMP_SRV_CTX_free(srv_ctx); |
205 | 17.9k | OSSL_CMP_MSG_free(msg); |
206 | 17.9k | } |
207 | | |
208 | 25.5k | BIO_free(in); |
209 | 25.5k | ERR_clear_error(); |
210 | | |
211 | 25.5k | return 0; |
212 | 25.5k | } |
213 | | |
214 | | void FuzzerCleanup(void) |
215 | 0 | { |
216 | 0 | FuzzerClearRand(); |
217 | 0 | } |