fuzz/cmp.c

   1 /*
   2  * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
   3  *
   4  * Licensed under the Apache License 2.0 (the "License").  You may not use
   5  * this file except in compliance with the License.  You can obtain a copy
   6  * in the file LICENSE in the source distribution or at
   7  * https://www.openssl.org/source/license.html
   8  */
   9
  10 /*
  11  * Test CMP DER parsing.
  12  */
  13
  14 #include <openssl/bio.h>
  15 #include <openssl/cmp.h>
  16 #include "../crypto/cmp/cmp_local.h"
  17 #include <openssl/err.h>
  18 #include "fuzzer.h"
  19
  20 int FuzzerInitialize(int *argc, char ***argv)
  21 {
  22     FuzzerSetRand();
  23     OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
  24     ERR_clear_error();
  25     CRYPTO_free_ex_index(0, -1);
  26     return 1;
  27 }
  28
  29 static int num_responses;
  30
  31 static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req)
  32 {
  33     if (num_responses++ > 2)
  34         return NULL; /* prevent loops due to repeated pollRep */
  35     return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *)
  36                             OSSL_CMP_CTX_get_transfer_cb_arg(ctx));
  37 }
  38
  39 static int print_noop(const char *func, const char *file, int line,
  40                       OSSL_CMP_severity level, const char *msg)
  41 {
  42     return 1;
  43 }
  44
  45 static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep,
  46                              int invalid_protection, int expected_type)
  47 {
  48     return 1;
  49 }
  50
  51 static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
  52 {
  53     X509_NAME *name = X509_NAME_new();
  54     ASN1_INTEGER *serial = ASN1_INTEGER_new();
  55
  56     ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */
  57     ctx->disableConfirm = 1; /* check just one response message */
  58     ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */
  59     ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */
  60     if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"",
  61                                        0) /* prevent too unspecific error */
  62             || ctx->oldCert == NULL
  63             || name == NULL || !X509_set_issuer_name(ctx->oldCert, name)
  64             || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial))
  65         goto err;
  66
  67     (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb);
  68     (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg);
  69     (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop);
  70     num_responses = 0;
  71     switch (msg->body != NULL ? msg->body->type : -1) {
  72     case OSSL_CMP_PKIBODY_IP:
  73         (void)OSSL_CMP_exec_IR_ses(ctx);
  74         break;
  75     case OSSL_CMP_PKIBODY_CP:
  76         (void)OSSL_CMP_exec_CR_ses(ctx);
  77         (void)OSSL_CMP_exec_P10CR_ses(ctx);
  78         break;
  79     case OSSL_CMP_PKIBODY_KUP:
  80         (void)OSSL_CMP_exec_KUR_ses(ctx);
  81         break;
  82     case OSSL_CMP_PKIBODY_POLLREP:
  83         ctx->status = OSSL_CMP_PKISTATUS_waiting;
  84         (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
  85         break;
  86     case OSSL_CMP_PKIBODY_RP:
  87         (void)OSSL_CMP_exec_RR_ses(ctx);
  88         break;
  89     case OSSL_CMP_PKIBODY_GENP:
  90         sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx),
  91                                   OSSL_CMP_ITAV_free);
  92         break;
  93     default:
  94         (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0);
  95         break;
  96     }
  97  err:
  98     X509_NAME_free(name);
  99     ASN1_INTEGER_free(serial);
 100 }
 101
 102 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
 103                                             const OSSL_CMP_MSG *cert_req,
 104                                             int certReqId,
 105                                             const OSSL_CRMF_MSG *crm,
 106                                             const X509_REQ *p10cr,
 107                                             X509 **certOut,
 108                                             STACK_OF(X509) **chainOut,
 109                                             STACK_OF(X509) **caPubs)
 110 {
 111     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 112     return NULL;
 113 }
 114
 115 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
 116                                   const OSSL_CMP_MSG *rr,
 117                                   const X509_NAME *issuer,
 118                                   const ASN1_INTEGER *serial)
 119 {
 120     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 121     return NULL;
 122 }
 123
 124 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
 125                         const OSSL_CMP_MSG *genm,
 126                         const STACK_OF(OSSL_CMP_ITAV) *in,
 127                         STACK_OF(OSSL_CMP_ITAV) **out)
 128 {
 129     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 130     return 0;
 131 }
 132
 133 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
 134                           const OSSL_CMP_PKISI *statusInfo,
 135                           const ASN1_INTEGER *errorCode,
 136                           const OSSL_CMP_PKIFREETEXT *errorDetails)
 137 {
 138     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 139 }
 140
 141 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
 142                             const OSSL_CMP_MSG *certConf, int certReqId,
 143                             const ASN1_OCTET_STRING *certHash,
 144                             const OSSL_CMP_PKISI *si)
 145 {
 146     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 147     return 0;
 148 }
 149
 150 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
 151                            const OSSL_CMP_MSG *pollReq, int certReqId,
 152                            OSSL_CMP_MSG **certReq, int64_t *check_after)
 153 {
 154     ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
 155     return 0;
 156 }
 157
 158 static int clean_transaction(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx,
 159                              ossl_unused const ASN1_OCTET_STRING *id)
 160 {
 161     return 1;
 162 }
 163
 164 static int delayed_delivery(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx,
 165                             ossl_unused const OSSL_CMP_MSG *req)
 166 {
 167     return 0;
 168 }
 169
 170 int FuzzerTestOneInput(const uint8_t *buf, size_t len)
 171 {
 172     OSSL_CMP_MSG *msg;
 173     BIO *in;
 174
 175     if (len == 0)
 176         return 0;
 177
 178     in = BIO_new(BIO_s_mem());
 179     OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
 180     msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
 181     if (msg != NULL) {
 182         BIO *out = BIO_new(BIO_s_null());
 183         OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
 184         OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);
 185
 186         i2d_OSSL_CMP_MSG_bio(out, msg);
 187         ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
 188                         ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
 189         BIO_free(out);
 190
 191         if (client_ctx != NULL)
 192             cmp_client_process_response(client_ctx, msg);
 193         if (srv_ctx != NULL
 194             && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
 195                                        print_noop)
 196             && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
 197                                      process_rr, process_genm, process_error,
 198                                      process_certConf, process_pollReq)
 199             && OSSL_CMP_SRV_CTX_init_trans(srv_ctx, delayed_delivery,
 200                                            clean_transaction))
 201             OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));
 202
 203         OSSL_CMP_CTX_free(client_ctx);
 204         OSSL_CMP_SRV_CTX_free(srv_ctx);
 205         OSSL_CMP_MSG_free(msg);
 206     }
 207
 208     BIO_free(in);
 209     ERR_clear_error();
 210
 211     return 0;
 212 }
 213
 214 void FuzzerCleanup(void)
 215 {
 216     FuzzerClearRand();
 217 }