diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-03-24 10:33:16 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-04-18 19:54:17 +0200 |
commit | e599d0aecd3e9419d1558628cb42db9cf0fa5fd0 (patch) | |
tree | 09744b062a8d0f7f04251f1e13ee7deaee5ccf38 /fuzz/cmp.c | |
parent | a81151bd56d55d52c40865f2f135355a2164062e (diff) | |
download | openssl-e599d0aecd3e9419d1558628cb42db9cf0fa5fd0.zip openssl-e599d0aecd3e9419d1558628cb42db9cf0fa5fd0.tar.gz openssl-e599d0aecd3e9419d1558628cb42db9cf0fa5fd0.tar.bz2 |
Add CMP fuzzing to fuzz/cmp.c, including a couple of helpers in crypto/cmp/
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11386)
Diffstat (limited to 'fuzz/cmp.c')
-rw-r--r-- | fuzz/cmp.c | 203 |
1 files changed, 203 insertions, 0 deletions
diff --git a/fuzz/cmp.c b/fuzz/cmp.c new file mode 100644 index 0000000..0088dd9 --- /dev/null +++ b/fuzz/cmp.c @@ -0,0 +1,203 @@ +/* + * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +/* + * Test CMP DER parsing. + */ + +#include <openssl/bio.h> +#include <openssl/cmp.h> +#include "../crypto/cmp/cmp_local.h" +#include <openssl/err.h> +#include "fuzzer.h" +#include "rand.inc" + +int FuzzerInitialize(int *argc, char ***argv) +{ + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_clear_error(); + CRYPTO_free_ex_index(0, -1); + FuzzerSetRand(); + return 1; +} + +static int num_responses; + +static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req) +{ + if (num_responses++ > 2) + return NULL; /* prevent loops due to repeated pollRep */ + return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *) + OSSL_CMP_CTX_get_transfer_cb_arg(ctx)); +} + +static int print_noop(const char *func, const char *file, int line, + OSSL_CMP_severity level, const char *msg) +{ + return 1; +} + +static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep, + int invalid_protection, int expected_type) +{ + return 1; +} + +static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) +{ + X509_NAME *name = X509_NAME_new(); + ASN1_INTEGER *serial = ASN1_INTEGER_new(); + + ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */ + ctx->disableConfirm = 1; /* check just one response message */ + ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */ + ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */ + if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"", + 0) /* prevent too unspecific error */ + || ctx->oldCert == NULL + || name == NULL || !X509_set_issuer_name(ctx->oldCert, name) + || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial)) + goto err; + + (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb); + (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg); + (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop); + num_responses = 0; + switch (msg->body != NULL ? msg->body->type : -1) { + case OSSL_CMP_PKIBODY_IP: + (void)OSSL_CMP_exec_IR_ses(ctx); + break; + case OSSL_CMP_PKIBODY_CP: + (void)OSSL_CMP_exec_CR_ses(ctx); + (void)OSSL_CMP_exec_P10CR_ses(ctx); + break; + case OSSL_CMP_PKIBODY_KUP: + (void)OSSL_CMP_exec_KUR_ses(ctx); + break; + case OSSL_CMP_PKIBODY_POLLREP: + ctx->status = OSSL_CMP_PKISTATUS_waiting; + (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL); + break; + case OSSL_CMP_PKIBODY_RP: + (void)OSSL_CMP_exec_RR_ses(ctx); + break; + case OSSL_CMP_PKIBODY_GENP: + sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx), + OSSL_CMP_ITAV_free); + break; + default: + (void)ossl_cmp_msg_check_received(ctx, msg, allow_unprotected, 0); + break; + } + err: + X509_NAME_free(name); + ASN1_INTEGER_free(serial); +} + +static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, + const OSSL_CMP_MSG *cert_req, + int certReqId, + const OSSL_CRMF_MSG *crm, + const X509_REQ *p10cr, + X509 **certOut, + STACK_OF(X509) **chainOut, + STACK_OF(X509) **caPubs) +{ + CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); + return NULL; +} + +static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, + const OSSL_CMP_MSG *rr, + const X509_NAME *issuer, + const ASN1_INTEGER *serial) +{ + CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); + return NULL; +} + +static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, + const OSSL_CMP_MSG *genm, + const STACK_OF(OSSL_CMP_ITAV) *in, + STACK_OF(OSSL_CMP_ITAV) **out) +{ + CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); + return 0; +} + +static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error, + const OSSL_CMP_PKISI *statusInfo, + const ASN1_INTEGER *errorCode, + const OSSL_CMP_PKIFREETEXT *errorDetails) +{ + CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); +} + +static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, + const OSSL_CMP_MSG *certConf, int certReqId, + const ASN1_OCTET_STRING *certHash, + const OSSL_CMP_PKISI *si) +{ + CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); + return 0; +} + +static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, + const OSSL_CMP_MSG *pollReq, int certReqId, + OSSL_CMP_MSG **certReq, int64_t *check_after) +{ + CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE); + return 0; +} + +int FuzzerTestOneInput(const uint8_t *buf, size_t len) +{ + OSSL_CMP_MSG *msg; + BIO *in; + + if (len == 0) + return 0; + + in = BIO_new(BIO_s_mem()); + OPENSSL_assert((size_t)BIO_write(in, buf, len) == len); + msg = d2i_OSSL_CMP_MSG_bio(in, NULL); + if (msg != NULL) { + BIO *out = BIO_new(BIO_s_null()); + OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(); + OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(); + + i2d_OSSL_CMP_MSG_bio(out, msg); + ASN1_item_print(out, (ASN1_VALUE *)msg, 4, + ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL); + BIO_free(out); + + if (client_ctx != NULL) + cmp_client_process_response(client_ctx, msg); + if (srv_ctx != NULL + && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), + print_noop) + && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request, + process_rr, process_genm, process_error, + process_certConf, process_pollReq)) + OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg)); + + OSSL_CMP_CTX_free(client_ctx); + OSSL_CMP_SRV_CTX_free(srv_ctx); + OSSL_CMP_MSG_free(msg); + } + + BIO_free(in); + ERR_clear_error(); + + return 0; +} + +void FuzzerCleanup(void) +{ +} |