[thirdparty/openssl.git] / fuzz / cmp.c

/*
 * Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

/*
 * Test CMP DER parsing.
 */

#include <openssl/bio.h>
#include <openssl/cmp.h>
#include "../crypto/cmp/cmp_local.h"
#include <openssl/err.h>
#include "fuzzer.h"
#include "rand.inc"

int FuzzerInitialize(int *argc, char ***argv)
{
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
    ERR_clear_error();
    CRYPTO_free_ex_index(0, -1);
    FuzzerSetRand();
    return 1;
}

static int num_responses;

static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req)
{
    if (num_responses++ > 2)
        return NULL; /* prevent loops due to repeated pollRep */
    return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *)
                            OSSL_CMP_CTX_get_transfer_cb_arg(ctx));
}

static int print_noop(const char *func, const char *file, int line,
                      OSSL_CMP_severity level, const char *msg)
{
    return 1;
}

static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep,
                             int invalid_protection, int expected_type)
{
    return 1;
}

static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
{
    X509_NAME *name = X509_NAME_new();
    ASN1_INTEGER *serial = ASN1_INTEGER_new();

    ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */
    ctx->disableConfirm = 1; /* check just one response message */
    ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */
    ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */
    if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"",
                                       0) /* prevent too unspecific error */
            || ctx->oldCert == NULL
            || name == NULL || !X509_set_issuer_name(ctx->oldCert, name)
            || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial))
        goto err;

    (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb);
    (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg);
    (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop);
    num_responses = 0;
    switch (msg->body != NULL ? msg->body->type : -1) {
    case OSSL_CMP_PKIBODY_IP:
        (void)OSSL_CMP_exec_IR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_CP:
        (void)OSSL_CMP_exec_CR_ses(ctx);
        (void)OSSL_CMP_exec_P10CR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_KUP:
        (void)OSSL_CMP_exec_KUR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_POLLREP:
        ctx->status = OSSL_CMP_PKISTATUS_waiting;
        (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
        break;
    case OSSL_CMP_PKIBODY_RP:
        (void)OSSL_CMP_exec_RR_ses(ctx);
        break;
    case OSSL_CMP_PKIBODY_GENP:
        sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx),
                                  OSSL_CMP_ITAV_free);
        break;
    default:
        (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0);
        break;
    }
 err:
    X509_NAME_free(name);
    ASN1_INTEGER_free(serial);
}

static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
                                            const OSSL_CMP_MSG *cert_req,
                                            int certReqId,
                                            const OSSL_CRMF_MSG *crm,
                                            const X509_REQ *p10cr,
                                            X509 **certOut,
                                            STACK_OF(X509) **chainOut,
                                            STACK_OF(X509) **caPubs)
{
    CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
    return NULL;
}

static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
                                  const OSSL_CMP_MSG *rr,
                                  const X509_NAME *issuer,
                                  const ASN1_INTEGER *serial)
{
    CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
    return NULL;
}

static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
                        const OSSL_CMP_MSG *genm,
                        const STACK_OF(OSSL_CMP_ITAV) *in,
                        STACK_OF(OSSL_CMP_ITAV) **out)
{
    CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
    return 0;
}

static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
                          const OSSL_CMP_PKISI *statusInfo,
                          const ASN1_INTEGER *errorCode,
                          const OSSL_CMP_PKIFREETEXT *errorDetails)
{
    CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
}

static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
                            const OSSL_CMP_MSG *certConf, int certReqId,
                            const ASN1_OCTET_STRING *certHash,
                            const OSSL_CMP_PKISI *si)
{
    CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
    return 0;
}

static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
                           const OSSL_CMP_MSG *pollReq, int certReqId,
                           OSSL_CMP_MSG **certReq, int64_t *check_after)
{
    CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
    return 0;
}

int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    OSSL_CMP_MSG *msg;
    BIO *in;

    if (len == 0)
        return 0;

    in = BIO_new(BIO_s_mem());
    OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
    msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
    if (msg != NULL) {
        BIO *out = BIO_new(BIO_s_null());
        OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
        OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);

        i2d_OSSL_CMP_MSG_bio(out, msg);
        ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
                        ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
        BIO_free(out);

        if (client_ctx != NULL)
            cmp_client_process_response(client_ctx, msg);
        if (srv_ctx != NULL
            && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
                                       print_noop)
            && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
                                     process_rr, process_genm, process_error,
                                     process_certConf, process_pollReq))
            OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));

        OSSL_CMP_CTX_free(client_ctx);
        OSSL_CMP_SRV_CTX_free(srv_ctx);
        OSSL_CMP_MSG_free(msg);
    }

    BIO_free(in);
    ERR_clear_error();

    return 0;
}

void FuzzerCleanup(void)
{
}
Commit	Line	Data
e599d0ae DDO	1	/*
	2	* Copyright 2007-2020 The OpenSSL Project Authors. All Rights Reserved.
	3	*
	4	* Licensed under the Apache License 2.0 (the "License"). You may not use
	5	* this file except in compliance with the License. You can obtain a copy
	6	* in the file LICENSE in the source distribution or at
	7	* https://www.openssl.org/source/license.html
	8	*/
	9
	10	/*
	11	* Test CMP DER parsing.
	12	*/
	13
	14	#include <openssl/bio.h>
	15	#include <openssl/cmp.h>
	16	#include "../crypto/cmp/cmp_local.h"
	17	#include <openssl/err.h>
	18	#include "fuzzer.h"
	19	#include "rand.inc"
	20
	21	int FuzzerInitialize(int argc, char **argv)
	22	{
	23	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
	24	ERR_clear_error();
	25	CRYPTO_free_ex_index(0, -1);
	26	FuzzerSetRand();
	27	return 1;
	28	}
	29
	30	static int num_responses;
	31
	32	static OSSL_CMP_MSG transfer_cb(OSSL_CMP_CTX ctx, const OSSL_CMP_MSG *req)
	33	{
	34	if (num_responses++ > 2)
	35	return NULL; /* prevent loops due to repeated pollRep */
	36	return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *)
	37	OSSL_CMP_CTX_get_transfer_cb_arg(ctx));
	38	}
	39
	40	static int print_noop(const char func, const char file, int line,
	41	OSSL_CMP_severity level, const char *msg)
	42	{
	43	return 1;
	44	}
	45
	46	static int allow_unprotected(const OSSL_CMP_CTX ctx, const OSSL_CMP_MSG rep,
	47	int invalid_protection, int expected_type)
	48	{
	49	return 1;
	50	}
	51
	52	static void cmp_client_process_response(OSSL_CMP_CTX ctx, OSSL_CMP_MSG msg)
	53	{
	54	X509_NAME *name = X509_NAME_new();
	55	ASN1_INTEGER *serial = ASN1_INTEGER_new();
	56
	57	ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */
	58	ctx->disableConfirm = 1; /* check just one response message */
	59	ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */
	60	ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */
	61	if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"",
	62	0) /* prevent too unspecific error */
	63	\|\| ctx->oldCert == NULL
	64	\|\| name == NULL \|\| !X509_set_issuer_name(ctx->oldCert, name)
65	\|\| serial == NULL \|\| !X509_set_serialNumber(ctx->oldCert, serial))
66	goto err;
67
68	(void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb);
69	(void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg);
70	(void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop);
71	num_responses = 0;
72	switch (msg->body != NULL ? msg->body->type : -1) {
73	case OSSL_CMP_PKIBODY_IP:
74	(void)OSSL_CMP_exec_IR_ses(ctx);
75	break;
76	case OSSL_CMP_PKIBODY_CP:
77	(void)OSSL_CMP_exec_CR_ses(ctx);
78	(void)OSSL_CMP_exec_P10CR_ses(ctx);
79	break;
80	case OSSL_CMP_PKIBODY_KUP:
81	(void)OSSL_CMP_exec_KUR_ses(ctx);
82	break;
83	case OSSL_CMP_PKIBODY_POLLREP:
84	ctx->status = OSSL_CMP_PKISTATUS_waiting;
299e0f1e	85	(void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
e599d0ae DDO	86	break;
	87	case OSSL_CMP_PKIBODY_RP:
	88	(void)OSSL_CMP_exec_RR_ses(ctx);
	89	break;
	90	case OSSL_CMP_PKIBODY_GENP:
	91	sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx),
	92	OSSL_CMP_ITAV_free);
	93	break;
	94	default:
430efff1	95	(void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0);
e599d0ae DDO	96	break;
	97	}
	98	err:
	99	X509_NAME_free(name);
	100	ASN1_INTEGER_free(serial);
	101	}
	102
	103	static OSSL_CMP_PKISI process_cert_request(OSSL_CMP_SRV_CTX srv_ctx,
	104	const OSSL_CMP_MSG *cert_req,
	105	int certReqId,
	106	const OSSL_CRMF_MSG *crm,
	107	const X509_REQ *p10cr,
	108	X509 **certOut,
	109	STACK_OF(X509) **chainOut,
	110	STACK_OF(X509) **caPubs)
	111	{
	112	CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
	113	return NULL;
	114	}
	115
	116	static OSSL_CMP_PKISI process_rr(OSSL_CMP_SRV_CTX srv_ctx,
	117	const OSSL_CMP_MSG *rr,
	118	const X509_NAME *issuer,
	119	const ASN1_INTEGER *serial)
	120	{
	121	CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
	122	return NULL;
	123	}
	124
	125	static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
	126	const OSSL_CMP_MSG *genm,
	127	const STACK_OF(OSSL_CMP_ITAV) *in,
	128	STACK_OF(OSSL_CMP_ITAV) **out)
	129	{
	130	CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
	131	return 0;
	132	}
	133
	134	static void process_error(OSSL_CMP_SRV_CTX srv_ctx, const OSSL_CMP_MSG error,
	135	const OSSL_CMP_PKISI *statusInfo,
	136	const ASN1_INTEGER *errorCode,
	137	const OSSL_CMP_PKIFREETEXT *errorDetails)
	138	{
	139	CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
	140	}
	141
	142	static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
	143	const OSSL_CMP_MSG *certConf, int certReqId,
	144	const ASN1_OCTET_STRING *certHash,
	145	const OSSL_CMP_PKISI *si)
	146	{
	147	CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
	148	return 0;
	149	}
	150
	151	static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
	152	const OSSL_CMP_MSG *pollReq, int certReqId,
	153	OSSL_CMP_MSG *certReq, int64_t check_after)
	154	{
	155	CMPerr(0, CMP_R_ERROR_PROCESSING_MESSAGE);
	156	return 0;
	157	}
	158
	159	int FuzzerTestOneInput(const uint8_t *buf, size_t len)
160	{
161	OSSL_CMP_MSG *msg;
162	BIO *in;
163
164	if (len == 0)
165	return 0;
166
167	in = BIO_new(BIO_s_mem());
168	OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
169	msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
170	if (msg != NULL) {
171	BIO *out = BIO_new(BIO_s_null());
1a7cd250 DDO	172	OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
1a7cd250 DDO	173	OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);
e599d0ae DDO	174
	175	i2d_OSSL_CMP_MSG_bio(out, msg);
	176	ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
	177	ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
	178	BIO_free(out);
	179
	180	if (client_ctx != NULL)
	181	cmp_client_process_response(client_ctx, msg);
	182	if (srv_ctx != NULL
	183	&& OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
	184	print_noop)
	185	&& OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
	186	process_rr, process_genm, process_error,
	187	process_certConf, process_pollReq))
	188	OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));
	189
	190	OSSL_CMP_CTX_free(client_ctx);
	191	OSSL_CMP_SRV_CTX_free(srv_ctx);
	192	OSSL_CMP_MSG_free(msg);
	193	}
	194
	195	BIO_free(in);
	196	ERR_clear_error();
	197
	198	return 0;
	199	}
	200
	201	void FuzzerCleanup(void)
	202	{
	203	}