xref: /openssl/fuzz/cmp.c (revision bedffe17)
1 /*
2  * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3  *
4  * Licensed under the Apache License 2.0 (the "License").  You may not use
5  * this file except in compliance with the License.  You can obtain a copy
6  * in the file LICENSE in the source distribution or at
7  * https://www.openssl.org/source/license.html
8  */
9 
10 /*
11  * Test CMP DER parsing.
12  */
13 
14 #include <openssl/bio.h>
15 #include <openssl/cmp.h>
16 #include "../crypto/cmp/cmp_local.h"
17 #include <openssl/err.h>
18 #include "fuzzer.h"
19 
FuzzerInitialize(int * argc,char *** argv)20 int FuzzerInitialize(int *argc, char ***argv)
21 {
22     FuzzerSetRand();
23     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
24     ERR_clear_error();
25     CRYPTO_free_ex_index(0, -1);
26     return 1;
27 }
28 
29 static int num_responses;
30 
transfer_cb(OSSL_CMP_CTX * ctx,const OSSL_CMP_MSG * req)31 static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req)
32 {
33     if (num_responses++ > 2)
34         return NULL; /* prevent loops due to repeated pollRep */
35     return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *)
36                             OSSL_CMP_CTX_get_transfer_cb_arg(ctx));
37 }
38 
print_noop(const char * func,const char * file,int line,OSSL_CMP_severity level,const char * msg)39 static int print_noop(const char *func, const char *file, int line,
40                       OSSL_CMP_severity level, const char *msg)
41 {
42     return 1;
43 }
44 
allow_unprotected(const OSSL_CMP_CTX * ctx,const OSSL_CMP_MSG * rep,int invalid_protection,int expected_type)45 static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep,
46                              int invalid_protection, int expected_type)
47 {
48     return 1;
49 }
50 
cmp_client_process_response(OSSL_CMP_CTX * ctx,OSSL_CMP_MSG * msg)51 static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
52 {
53     X509_NAME *name = X509_NAME_new();
54     ASN1_INTEGER *serial = ASN1_INTEGER_new();
55 
56     ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */
57     ctx->disableConfirm = 1; /* check just one response message */
58     ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */
59     ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */
60     if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"",
61                                        0) /* prevent too unspecific error */
62             || ctx->oldCert == NULL
63             || name == NULL || !X509_set_issuer_name(ctx->oldCert, name)
64             || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial))
65         goto err;
66 
67     (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb);
68     (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg);
69     (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop);
70     num_responses = 0;
71     switch (msg->body != NULL ? msg->body->type : -1) {
72     case OSSL_CMP_PKIBODY_IP:
73         (void)OSSL_CMP_exec_IR_ses(ctx);
74         break;
75     case OSSL_CMP_PKIBODY_CP:
76         (void)OSSL_CMP_exec_CR_ses(ctx);
77         (void)OSSL_CMP_exec_P10CR_ses(ctx);
78         break;
79     case OSSL_CMP_PKIBODY_KUP:
80         (void)OSSL_CMP_exec_KUR_ses(ctx);
81         break;
82     case OSSL_CMP_PKIBODY_POLLREP:
83         ctx->status = OSSL_CMP_PKISTATUS_waiting;
84         (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
85         break;
86     case OSSL_CMP_PKIBODY_RP:
87         (void)OSSL_CMP_exec_RR_ses(ctx);
88         break;
89     case OSSL_CMP_PKIBODY_GENP:
90         sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx),
91                                   OSSL_CMP_ITAV_free);
92         break;
93     default:
94         (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0);
95         break;
96     }
97  err:
98     X509_NAME_free(name);
99     ASN1_INTEGER_free(serial);
100 }
101 
process_cert_request(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * cert_req,int certReqId,const OSSL_CRMF_MSG * crm,const X509_REQ * p10cr,X509 ** certOut,STACK_OF (X509)** chainOut,STACK_OF (X509)** caPubs)102 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
103                                             const OSSL_CMP_MSG *cert_req,
104                                             int certReqId,
105                                             const OSSL_CRMF_MSG *crm,
106                                             const X509_REQ *p10cr,
107                                             X509 **certOut,
108                                             STACK_OF(X509) **chainOut,
109                                             STACK_OF(X509) **caPubs)
110 {
111     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
112     return NULL;
113 }
114 
process_rr(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * rr,const X509_NAME * issuer,const ASN1_INTEGER * serial)115 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
116                                   const OSSL_CMP_MSG *rr,
117                                   const X509_NAME *issuer,
118                                   const ASN1_INTEGER *serial)
119 {
120     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
121     return NULL;
122 }
123 
process_genm(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * genm,const STACK_OF (OSSL_CMP_ITAV)* in,STACK_OF (OSSL_CMP_ITAV)** out)124 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
125                         const OSSL_CMP_MSG *genm,
126                         const STACK_OF(OSSL_CMP_ITAV) *in,
127                         STACK_OF(OSSL_CMP_ITAV) **out)
128 {
129     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
130     return 0;
131 }
132 
process_error(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * error,const OSSL_CMP_PKISI * statusInfo,const ASN1_INTEGER * errorCode,const OSSL_CMP_PKIFREETEXT * errorDetails)133 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
134                           const OSSL_CMP_PKISI *statusInfo,
135                           const ASN1_INTEGER *errorCode,
136                           const OSSL_CMP_PKIFREETEXT *errorDetails)
137 {
138     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
139 }
140 
process_certConf(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * certConf,int certReqId,const ASN1_OCTET_STRING * certHash,const OSSL_CMP_PKISI * si)141 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
142                             const OSSL_CMP_MSG *certConf, int certReqId,
143                             const ASN1_OCTET_STRING *certHash,
144                             const OSSL_CMP_PKISI *si)
145 {
146     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
147     return 0;
148 }
149 
process_pollReq(OSSL_CMP_SRV_CTX * srv_ctx,const OSSL_CMP_MSG * pollReq,int certReqId,OSSL_CMP_MSG ** certReq,int64_t * check_after)150 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
151                            const OSSL_CMP_MSG *pollReq, int certReqId,
152                            OSSL_CMP_MSG **certReq, int64_t *check_after)
153 {
154     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
155     return 0;
156 }
157 
clean_transaction(ossl_unused OSSL_CMP_SRV_CTX * srv_ctx,ossl_unused const ASN1_OCTET_STRING * id)158 static int clean_transaction(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx,
159                              ossl_unused const ASN1_OCTET_STRING *id)
160 {
161     return 1;
162 }
163 
delayed_delivery(ossl_unused OSSL_CMP_SRV_CTX * srv_ctx,ossl_unused const OSSL_CMP_MSG * req)164 static int delayed_delivery(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx,
165                             ossl_unused const OSSL_CMP_MSG *req)
166 {
167     return 0;
168 }
169 
FuzzerTestOneInput(const uint8_t * buf,size_t len)170 int FuzzerTestOneInput(const uint8_t *buf, size_t len)
171 {
172     OSSL_CMP_MSG *msg;
173     BIO *in;
174 
175     if (len == 0)
176         return 0;
177 
178     in = BIO_new(BIO_s_mem());
179     OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
180     msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
181     if (msg != NULL) {
182         BIO *out = BIO_new(BIO_s_null());
183         OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
184         OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);
185 
186         i2d_OSSL_CMP_MSG_bio(out, msg);
187         ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
188                         ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
189         BIO_free(out);
190 
191         if (client_ctx != NULL)
192             cmp_client_process_response(client_ctx, msg);
193         if (srv_ctx != NULL
194             && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
195                                        print_noop)
196             && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
197                                      process_rr, process_genm, process_error,
198                                      process_certConf, process_pollReq)
199             && OSSL_CMP_SRV_CTX_init_trans(srv_ctx, delayed_delivery,
200                                            clean_transaction))
201             OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));
202 
203         OSSL_CMP_CTX_free(client_ctx);
204         OSSL_CMP_SRV_CTX_free(srv_ctx);
205         OSSL_CMP_MSG_free(msg);
206     }
207 
208     BIO_free(in);
209     ERR_clear_error();
210 
211     return 0;
212 }
213 
FuzzerCleanup(void)214 void FuzzerCleanup(void)
215 {
216     FuzzerClearRand();
217 }
218