1
/*
2
 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * Test CMP DER parsing.
12
 */
13

14
#include <openssl/bio.h>
15
#include <openssl/cmp.h>
16
#include "../crypto/cmp/cmp_local.h"
17
#include <openssl/err.h>
18
#include "fuzzer.h"
19

20
int FuzzerInitialize(int *argc, char ***argv)
21
{
22
    FuzzerSetRand();
23
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
24
    ERR_clear_error();
25
    CRYPTO_free_ex_index(0, -1);
26
    return 1;
27
}
28

29
static int num_responses;
30

31
static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req)
32
{
33
    if (num_responses++ > 2)
34
        return NULL; /* prevent loops due to repeated pollRep */
35
    return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *)
36
                            OSSL_CMP_CTX_get_transfer_cb_arg(ctx));
37
}
38

39
static int print_noop(const char *func, const char *file, int line,
40
                      OSSL_CMP_severity level, const char *msg)
41
{
42
    return 1;
43
}
44

45
static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep,
46
                             int invalid_protection, int expected_type)
47
{
48
    return 1;
49
}
50

51
static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
52
{
53
    X509_NAME *name = X509_NAME_new();
54
    ASN1_INTEGER *serial = ASN1_INTEGER_new();
55

56
    ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */
57
    ctx->disableConfirm = 1; /* check just one response message */
58
    ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */
59
    ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */
60
    if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"",
61
                                       0) /* prevent too unspecific error */
62
            || ctx->oldCert == NULL
63
            || name == NULL || !X509_set_issuer_name(ctx->oldCert, name)
64
            || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial))
65
        goto err;
66

67
    (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb);
68
    (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg);
69
    (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop);
70
    num_responses = 0;
71
    switch (msg->body != NULL ? msg->body->type : -1) {
72
    case OSSL_CMP_PKIBODY_IP:
73
        (void)OSSL_CMP_exec_IR_ses(ctx);
74
        break;
75
    case OSSL_CMP_PKIBODY_CP:
76
        (void)OSSL_CMP_exec_CR_ses(ctx);
77
        (void)OSSL_CMP_exec_P10CR_ses(ctx);
78
        break;
79
    case OSSL_CMP_PKIBODY_KUP:
80
        (void)OSSL_CMP_exec_KUR_ses(ctx);
81
        break;
82
    case OSSL_CMP_PKIBODY_POLLREP:
83
        ctx->status = OSSL_CMP_PKISTATUS_waiting;
84
        (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL);
85
        break;
86
    case OSSL_CMP_PKIBODY_RP:
87
        (void)OSSL_CMP_exec_RR_ses(ctx);
88
        break;
89
    case OSSL_CMP_PKIBODY_GENP:
90
        sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx),
91
                                  OSSL_CMP_ITAV_free);
92
        break;
93
    default:
94
        (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0);
95
        break;
96
    }
97
 err:
98
    X509_NAME_free(name);
99
    ASN1_INTEGER_free(serial);
100
}
101

102
static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx,
103
                                            const OSSL_CMP_MSG *cert_req,
104
                                            int certReqId,
105
                                            const OSSL_CRMF_MSG *crm,
106
                                            const X509_REQ *p10cr,
107
                                            X509 **certOut,
108
                                            STACK_OF(X509) **chainOut,
109
                                            STACK_OF(X509) **caPubs)
110
{
111
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
112
    return NULL;
113
}
114

115
static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx,
116
                                  const OSSL_CMP_MSG *rr,
117
                                  const X509_NAME *issuer,
118
                                  const ASN1_INTEGER *serial)
119
{
120
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
121
    return NULL;
122
}
123

124
static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx,
125
                        const OSSL_CMP_MSG *genm,
126
                        const STACK_OF(OSSL_CMP_ITAV) *in,
127
                        STACK_OF(OSSL_CMP_ITAV) **out)
128
{
129
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
130
    return 0;
131
}
132

133
static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error,
134
                          const OSSL_CMP_PKISI *statusInfo,
135
                          const ASN1_INTEGER *errorCode,
136
                          const OSSL_CMP_PKIFREETEXT *errorDetails)
137
{
138
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
139
}
140

141
static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx,
142
                            const OSSL_CMP_MSG *certConf, int certReqId,
143
                            const ASN1_OCTET_STRING *certHash,
144
                            const OSSL_CMP_PKISI *si)
145
{
146
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
147
    return 0;
148
}
149

150
static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx,
151
                           const OSSL_CMP_MSG *pollReq, int certReqId,
152
                           OSSL_CMP_MSG **certReq, int64_t *check_after)
153
{
154
    ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE);
155
    return 0;
156
}
157

158
static int clean_transaction(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx,
159
                             ossl_unused const ASN1_OCTET_STRING *id)
160
{
161
    return 1;
162
}
163

164
static int delayed_delivery(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx,
165
                            ossl_unused const OSSL_CMP_MSG *req)
166
{
167
    return 0;
168
}
169

170
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
171
{
172
    OSSL_CMP_MSG *msg;
173
    BIO *in;
174

175
    if (len == 0)
176
        return 0;
177

178
    in = BIO_new(BIO_s_mem());
179
    OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
180
    msg = d2i_OSSL_CMP_MSG_bio(in, NULL);
181
    if (msg != NULL) {
182
        BIO *out = BIO_new(BIO_s_null());
183
        OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL);
184
        OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL);
185

186
        i2d_OSSL_CMP_MSG_bio(out, msg);
187
        ASN1_item_print(out, (ASN1_VALUE *)msg, 4,
188
                        ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL);
189
        BIO_free(out);
190

191
        if (client_ctx != NULL)
192
            cmp_client_process_response(client_ctx, msg);
193
        if (srv_ctx != NULL
194
            && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx),
195
                                       print_noop)
196
            && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request,
197
                                     process_rr, process_genm, process_error,
198
                                     process_certConf, process_pollReq)
199
            && OSSL_CMP_SRV_CTX_init_trans(srv_ctx, delayed_delivery,
200
                                           clean_transaction))
201
            OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg));
202

203
        OSSL_CMP_CTX_free(client_ctx);
204
        OSSL_CMP_SRV_CTX_free(srv_ctx);
205
        OSSL_CMP_MSG_free(msg);
206
    }
207

208
    BIO_free(in);
209
    ERR_clear_error();
210

211
    return 0;
212
}
213

214
void FuzzerCleanup(void)
215
{
216
    FuzzerClearRand();
217
}
218

219