1*e0c4386eSCy Schubert /* 2*e0c4386eSCy Schubert * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. 3*e0c4386eSCy Schubert * 4*e0c4386eSCy Schubert * Licensed under the Apache License 2.0 (the "License"). You may not use 5*e0c4386eSCy Schubert * this file except in compliance with the License. You can obtain a copy 6*e0c4386eSCy Schubert * in the file LICENSE in the source distribution or at 7*e0c4386eSCy Schubert * https://www.openssl.org/source/license.html 8*e0c4386eSCy Schubert */ 9*e0c4386eSCy Schubert 10*e0c4386eSCy Schubert /* 11*e0c4386eSCy Schubert * Test CMP DER parsing. 12*e0c4386eSCy Schubert */ 13*e0c4386eSCy Schubert 14*e0c4386eSCy Schubert #include <openssl/bio.h> 15*e0c4386eSCy Schubert #include <openssl/cmp.h> 16*e0c4386eSCy Schubert #include "../crypto/cmp/cmp_local.h" 17*e0c4386eSCy Schubert #include <openssl/err.h> 18*e0c4386eSCy Schubert #include "fuzzer.h" 19*e0c4386eSCy Schubert 20*e0c4386eSCy Schubert int FuzzerInitialize(int *argc, char ***argv) 21*e0c4386eSCy Schubert { 22*e0c4386eSCy Schubert FuzzerSetRand(); 23*e0c4386eSCy Schubert OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 24*e0c4386eSCy Schubert ERR_clear_error(); 25*e0c4386eSCy Schubert CRYPTO_free_ex_index(0, -1); 26*e0c4386eSCy Schubert return 1; 27*e0c4386eSCy Schubert } 28*e0c4386eSCy Schubert 29*e0c4386eSCy Schubert static int num_responses; 30*e0c4386eSCy Schubert 31*e0c4386eSCy Schubert static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req) 32*e0c4386eSCy Schubert { 33*e0c4386eSCy Schubert if (num_responses++ > 2) 34*e0c4386eSCy Schubert return NULL; /* prevent loops due to repeated pollRep */ 35*e0c4386eSCy Schubert return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *) 36*e0c4386eSCy Schubert OSSL_CMP_CTX_get_transfer_cb_arg(ctx)); 37*e0c4386eSCy Schubert } 38*e0c4386eSCy Schubert 39*e0c4386eSCy Schubert static int print_noop(const char *func, const char *file, int line, 40*e0c4386eSCy Schubert OSSL_CMP_severity level, const char *msg) 41*e0c4386eSCy Schubert { 42*e0c4386eSCy Schubert return 1; 43*e0c4386eSCy Schubert } 44*e0c4386eSCy Schubert 45*e0c4386eSCy Schubert static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep, 46*e0c4386eSCy Schubert int invalid_protection, int expected_type) 47*e0c4386eSCy Schubert { 48*e0c4386eSCy Schubert return 1; 49*e0c4386eSCy Schubert } 50*e0c4386eSCy Schubert 51*e0c4386eSCy Schubert static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) 52*e0c4386eSCy Schubert { 53*e0c4386eSCy Schubert X509_NAME *name = X509_NAME_new(); 54*e0c4386eSCy Schubert ASN1_INTEGER *serial = ASN1_INTEGER_new(); 55*e0c4386eSCy Schubert 56*e0c4386eSCy Schubert ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */ 57*e0c4386eSCy Schubert ctx->disableConfirm = 1; /* check just one response message */ 58*e0c4386eSCy Schubert ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */ 59*e0c4386eSCy Schubert ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */ 60*e0c4386eSCy Schubert if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"", 61*e0c4386eSCy Schubert 0) /* prevent too unspecific error */ 62*e0c4386eSCy Schubert || ctx->oldCert == NULL 63*e0c4386eSCy Schubert || name == NULL || !X509_set_issuer_name(ctx->oldCert, name) 64*e0c4386eSCy Schubert || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial)) 65*e0c4386eSCy Schubert goto err; 66*e0c4386eSCy Schubert 67*e0c4386eSCy Schubert (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb); 68*e0c4386eSCy Schubert (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg); 69*e0c4386eSCy Schubert (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop); 70*e0c4386eSCy Schubert num_responses = 0; 71*e0c4386eSCy Schubert switch (msg->body != NULL ? msg->body->type : -1) { 72*e0c4386eSCy Schubert case OSSL_CMP_PKIBODY_IP: 73*e0c4386eSCy Schubert (void)OSSL_CMP_exec_IR_ses(ctx); 74*e0c4386eSCy Schubert break; 75*e0c4386eSCy Schubert case OSSL_CMP_PKIBODY_CP: 76*e0c4386eSCy Schubert (void)OSSL_CMP_exec_CR_ses(ctx); 77*e0c4386eSCy Schubert (void)OSSL_CMP_exec_P10CR_ses(ctx); 78*e0c4386eSCy Schubert break; 79*e0c4386eSCy Schubert case OSSL_CMP_PKIBODY_KUP: 80*e0c4386eSCy Schubert (void)OSSL_CMP_exec_KUR_ses(ctx); 81*e0c4386eSCy Schubert break; 82*e0c4386eSCy Schubert case OSSL_CMP_PKIBODY_POLLREP: 83*e0c4386eSCy Schubert ctx->status = OSSL_CMP_PKISTATUS_waiting; 84*e0c4386eSCy Schubert (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL); 85*e0c4386eSCy Schubert break; 86*e0c4386eSCy Schubert case OSSL_CMP_PKIBODY_RP: 87*e0c4386eSCy Schubert (void)OSSL_CMP_exec_RR_ses(ctx); 88*e0c4386eSCy Schubert break; 89*e0c4386eSCy Schubert case OSSL_CMP_PKIBODY_GENP: 90*e0c4386eSCy Schubert sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx), 91*e0c4386eSCy Schubert OSSL_CMP_ITAV_free); 92*e0c4386eSCy Schubert break; 93*e0c4386eSCy Schubert default: 94*e0c4386eSCy Schubert (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0); 95*e0c4386eSCy Schubert break; 96*e0c4386eSCy Schubert } 97*e0c4386eSCy Schubert err: 98*e0c4386eSCy Schubert X509_NAME_free(name); 99*e0c4386eSCy Schubert ASN1_INTEGER_free(serial); 100*e0c4386eSCy Schubert } 101*e0c4386eSCy Schubert 102*e0c4386eSCy Schubert static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, 103*e0c4386eSCy Schubert const OSSL_CMP_MSG *cert_req, 104*e0c4386eSCy Schubert int certReqId, 105*e0c4386eSCy Schubert const OSSL_CRMF_MSG *crm, 106*e0c4386eSCy Schubert const X509_REQ *p10cr, 107*e0c4386eSCy Schubert X509 **certOut, 108*e0c4386eSCy Schubert STACK_OF(X509) **chainOut, 109*e0c4386eSCy Schubert STACK_OF(X509) **caPubs) 110*e0c4386eSCy Schubert { 111*e0c4386eSCy Schubert ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 112*e0c4386eSCy Schubert return NULL; 113*e0c4386eSCy Schubert } 114*e0c4386eSCy Schubert 115*e0c4386eSCy Schubert static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, 116*e0c4386eSCy Schubert const OSSL_CMP_MSG *rr, 117*e0c4386eSCy Schubert const X509_NAME *issuer, 118*e0c4386eSCy Schubert const ASN1_INTEGER *serial) 119*e0c4386eSCy Schubert { 120*e0c4386eSCy Schubert ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 121*e0c4386eSCy Schubert return NULL; 122*e0c4386eSCy Schubert } 123*e0c4386eSCy Schubert 124*e0c4386eSCy Schubert static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, 125*e0c4386eSCy Schubert const OSSL_CMP_MSG *genm, 126*e0c4386eSCy Schubert const STACK_OF(OSSL_CMP_ITAV) *in, 127*e0c4386eSCy Schubert STACK_OF(OSSL_CMP_ITAV) **out) 128*e0c4386eSCy Schubert { 129*e0c4386eSCy Schubert ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 130*e0c4386eSCy Schubert return 0; 131*e0c4386eSCy Schubert } 132*e0c4386eSCy Schubert 133*e0c4386eSCy Schubert static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error, 134*e0c4386eSCy Schubert const OSSL_CMP_PKISI *statusInfo, 135*e0c4386eSCy Schubert const ASN1_INTEGER *errorCode, 136*e0c4386eSCy Schubert const OSSL_CMP_PKIFREETEXT *errorDetails) 137*e0c4386eSCy Schubert { 138*e0c4386eSCy Schubert ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 139*e0c4386eSCy Schubert } 140*e0c4386eSCy Schubert 141*e0c4386eSCy Schubert static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, 142*e0c4386eSCy Schubert const OSSL_CMP_MSG *certConf, int certReqId, 143*e0c4386eSCy Schubert const ASN1_OCTET_STRING *certHash, 144*e0c4386eSCy Schubert const OSSL_CMP_PKISI *si) 145*e0c4386eSCy Schubert { 146*e0c4386eSCy Schubert ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 147*e0c4386eSCy Schubert return 0; 148*e0c4386eSCy Schubert } 149*e0c4386eSCy Schubert 150*e0c4386eSCy Schubert static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, 151*e0c4386eSCy Schubert const OSSL_CMP_MSG *pollReq, int certReqId, 152*e0c4386eSCy Schubert OSSL_CMP_MSG **certReq, int64_t *check_after) 153*e0c4386eSCy Schubert { 154*e0c4386eSCy Schubert ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 155*e0c4386eSCy Schubert return 0; 156*e0c4386eSCy Schubert } 157*e0c4386eSCy Schubert 158*e0c4386eSCy Schubert int FuzzerTestOneInput(const uint8_t *buf, size_t len) 159*e0c4386eSCy Schubert { 160*e0c4386eSCy Schubert OSSL_CMP_MSG *msg; 161*e0c4386eSCy Schubert BIO *in; 162*e0c4386eSCy Schubert 163*e0c4386eSCy Schubert if (len == 0) 164*e0c4386eSCy Schubert return 0; 165*e0c4386eSCy Schubert 166*e0c4386eSCy Schubert in = BIO_new(BIO_s_mem()); 167*e0c4386eSCy Schubert OPENSSL_assert((size_t)BIO_write(in, buf, len) == len); 168*e0c4386eSCy Schubert msg = d2i_OSSL_CMP_MSG_bio(in, NULL); 169*e0c4386eSCy Schubert if (msg != NULL) { 170*e0c4386eSCy Schubert BIO *out = BIO_new(BIO_s_null()); 171*e0c4386eSCy Schubert OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL); 172*e0c4386eSCy Schubert OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL); 173*e0c4386eSCy Schubert 174*e0c4386eSCy Schubert i2d_OSSL_CMP_MSG_bio(out, msg); 175*e0c4386eSCy Schubert ASN1_item_print(out, (ASN1_VALUE *)msg, 4, 176*e0c4386eSCy Schubert ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL); 177*e0c4386eSCy Schubert BIO_free(out); 178*e0c4386eSCy Schubert 179*e0c4386eSCy Schubert if (client_ctx != NULL) 180*e0c4386eSCy Schubert cmp_client_process_response(client_ctx, msg); 181*e0c4386eSCy Schubert if (srv_ctx != NULL 182*e0c4386eSCy Schubert && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), 183*e0c4386eSCy Schubert print_noop) 184*e0c4386eSCy Schubert && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request, 185*e0c4386eSCy Schubert process_rr, process_genm, process_error, 186*e0c4386eSCy Schubert process_certConf, process_pollReq)) 187*e0c4386eSCy Schubert OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg)); 188*e0c4386eSCy Schubert 189*e0c4386eSCy Schubert OSSL_CMP_CTX_free(client_ctx); 190*e0c4386eSCy Schubert OSSL_CMP_SRV_CTX_free(srv_ctx); 191*e0c4386eSCy Schubert OSSL_CMP_MSG_free(msg); 192*e0c4386eSCy Schubert } 193*e0c4386eSCy Schubert 194*e0c4386eSCy Schubert BIO_free(in); 195*e0c4386eSCy Schubert ERR_clear_error(); 196*e0c4386eSCy Schubert 197*e0c4386eSCy Schubert return 0; 198*e0c4386eSCy Schubert } 199*e0c4386eSCy Schubert 200*e0c4386eSCy Schubert void FuzzerCleanup(void) 201*e0c4386eSCy Schubert { 202*e0c4386eSCy Schubert FuzzerClearRand(); 203*e0c4386eSCy Schubert } 204