diff options
Diffstat (limited to 'src/fuzz')
-rw-r--r-- | src/fuzz/CMakeLists.txt | 3 | ||||
-rw-r--r-- | src/fuzz/cert.cc | 52 | ||||
-rw-r--r-- | src/fuzz/conf.cc | 1 |
3 files changed, 43 insertions, 13 deletions
diff --git a/src/fuzz/CMakeLists.txt b/src/fuzz/CMakeLists.txt index adf7aa5..36ec9fb 100644 --- a/src/fuzz/CMakeLists.txt +++ b/src/fuzz/CMakeLists.txt @@ -12,8 +12,7 @@ macro(fuzzer name) ${name} PROPERTIES CXX_STANDARD 17 - CXX_STANDARD_REQUIRED YES - COMPILE_FLAGS "-D_BORINGSSL_LIBPKI_") + CXX_STANDARD_REQUIRED YES) endmacro() fuzzer(arm_cpuinfo) diff --git a/src/fuzz/cert.cc b/src/fuzz/cert.cc index 548109e..2f4a547 100644 --- a/src/fuzz/cert.cc +++ b/src/fuzz/cert.cc @@ -16,27 +16,59 @@ #include <openssl/mem.h> #include <openssl/x509.h> -#include "../crypto/x509v3/internal.h" +#include "../crypto/x509/internal.h" extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { - X509 *x509 = d2i_X509(NULL, &buf, len); - if (x509 != NULL) { + bssl::UniquePtr<X509> x509(d2i_X509(nullptr, &buf, len)); + if (x509 != nullptr) { // Extract the public key. - EVP_PKEY_free(X509_get_pubkey(x509)); + EVP_PKEY_free(X509_get_pubkey(x509.get())); // Fuzz some deferred parsing. - x509v3_cache_extensions(x509); + x509v3_cache_extensions(x509.get()); - // Reserialize the structure. - uint8_t *der = NULL; - i2d_X509(x509, &der); + // Fuzz every supported extension. + for (int i = 0; i < X509_get_ext_count(x509.get()); i++) { + const X509_EXTENSION *ext = X509_get_ext(x509.get(), i); + void *parsed = X509V3_EXT_d2i(ext); + if (parsed != nullptr) { + int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext)); + BSSL_CHECK(nid != NID_undef); + + // Reserialize the extension. This should succeed if we were able to + // parse it. + // TODO(crbug.com/boringssl/352): Ideally we would also assert that + // |new_ext| is identical to |ext|, but our parser is not strict enough. + bssl::UniquePtr<X509_EXTENSION> new_ext( + X509V3_EXT_i2d(nid, X509_EXTENSION_get_critical(ext), parsed)); + BSSL_CHECK(new_ext != nullptr); + + // This can only fail if |ext| was not a supported type, but then + // |X509V3_EXT_d2i| should have failed. + BSSL_CHECK(X509V3_EXT_free(nid, parsed)); + } + } + + // Reserialize |x509|. This should succeed if we were able to parse it. + // TODO(crbug.com/boringssl/352): Ideally we would also assert the output + // matches the input, but our parser is not strict enough. + uint8_t *der = nullptr; + int der_len = i2d_X509(x509.get(), &der); + BSSL_CHECK(der_len > 0); + OPENSSL_free(der); + + // Reserialize |x509|'s TBSCertificate without reusing the cached encoding. + // TODO(crbug.com/boringssl/352): Ideally we would also assert the output + // matches the input TBSCertificate, but our parser is not strict enough. + der = nullptr; + der_len = i2d_re_X509_tbs(x509.get(), &der); + BSSL_CHECK(der_len > 0); OPENSSL_free(der); BIO *bio = BIO_new(BIO_s_mem()); - X509_print(bio, x509); + X509_print(bio, x509.get()); BIO_free(bio); } - X509_free(x509); ERR_clear_error(); return 0; } diff --git a/src/fuzz/conf.cc b/src/fuzz/conf.cc index 9b810e1..f2bd21b 100644 --- a/src/fuzz/conf.cc +++ b/src/fuzz/conf.cc @@ -15,7 +15,6 @@ #include <openssl/bio.h> #include <openssl/conf.h> #include <openssl/x509.h> -#include <openssl/x509v3.h> #include <algorithm> |