1 /* 2 * Copyright 2007-2021 The OpenSSL Project Authors. All Rights Reserved. 3 * 4 * Licensed under the Apache License 2.0 (the "License"). You may not use 5 * this file except in compliance with the License. You can obtain a copy 6 * in the file LICENSE in the source distribution or at 7 * https://www.openssl.org/source/license.html 8 */ 9 10 /* 11 * Test CMP DER parsing. 12 */ 13 14 #include <openssl/bio.h> 15 #include <openssl/cmp.h> 16 #include "../crypto/cmp/cmp_local.h" 17 #include <openssl/err.h> 18 #include "fuzzer.h" 19 20 int FuzzerInitialize(int *argc, char ***argv) 21 { 22 FuzzerSetRand(); 23 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 24 ERR_clear_error(); 25 CRYPTO_free_ex_index(0, -1); 26 return 1; 27 } 28 29 static int num_responses; 30 31 static OSSL_CMP_MSG *transfer_cb(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *req) 32 { 33 if (num_responses++ > 2) 34 return NULL; /* prevent loops due to repeated pollRep */ 35 return OSSL_CMP_MSG_dup((OSSL_CMP_MSG *) 36 OSSL_CMP_CTX_get_transfer_cb_arg(ctx)); 37 } 38 39 static int print_noop(const char *func, const char *file, int line, 40 OSSL_CMP_severity level, const char *msg) 41 { 42 return 1; 43 } 44 45 static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *rep, 46 int invalid_protection, int expected_type) 47 { 48 return 1; 49 } 50 51 static void cmp_client_process_response(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg) 52 { 53 X509_NAME *name = X509_NAME_new(); 54 ASN1_INTEGER *serial = ASN1_INTEGER_new(); 55 56 ctx->unprotectedSend = 1; /* satisfy ossl_cmp_msg_protect() */ 57 ctx->disableConfirm = 1; /* check just one response message */ 58 ctx->popoMethod = OSSL_CRMF_POPO_NONE; /* satisfy ossl_cmp_certReq_new() */ 59 ctx->oldCert = X509_new(); /* satisfy crm_new() and ossl_cmp_rr_new() */ 60 if (!OSSL_CMP_CTX_set1_secretValue(ctx, (unsigned char *)"", 61 0) /* prevent too unspecific error */ 62 || ctx->oldCert == NULL 63 || name == NULL || !X509_set_issuer_name(ctx->oldCert, name) 64 || serial == NULL || !X509_set_serialNumber(ctx->oldCert, serial)) 65 goto err; 66 67 (void)OSSL_CMP_CTX_set_transfer_cb(ctx, transfer_cb); 68 (void)OSSL_CMP_CTX_set_transfer_cb_arg(ctx, msg); 69 (void)OSSL_CMP_CTX_set_log_cb(ctx, print_noop); 70 num_responses = 0; 71 switch (msg->body != NULL ? msg->body->type : -1) { 72 case OSSL_CMP_PKIBODY_IP: 73 (void)OSSL_CMP_exec_IR_ses(ctx); 74 break; 75 case OSSL_CMP_PKIBODY_CP: 76 (void)OSSL_CMP_exec_CR_ses(ctx); 77 (void)OSSL_CMP_exec_P10CR_ses(ctx); 78 break; 79 case OSSL_CMP_PKIBODY_KUP: 80 (void)OSSL_CMP_exec_KUR_ses(ctx); 81 break; 82 case OSSL_CMP_PKIBODY_POLLREP: 83 ctx->status = OSSL_CMP_PKISTATUS_waiting; 84 (void)OSSL_CMP_try_certreq(ctx, OSSL_CMP_PKIBODY_CR, NULL, NULL); 85 break; 86 case OSSL_CMP_PKIBODY_RP: 87 (void)OSSL_CMP_exec_RR_ses(ctx); 88 break; 89 case OSSL_CMP_PKIBODY_GENP: 90 sk_OSSL_CMP_ITAV_pop_free(OSSL_CMP_exec_GENM_ses(ctx), 91 OSSL_CMP_ITAV_free); 92 break; 93 default: 94 (void)ossl_cmp_msg_check_update(ctx, msg, allow_unprotected, 0); 95 break; 96 } 97 err: 98 X509_NAME_free(name); 99 ASN1_INTEGER_free(serial); 100 } 101 102 static OSSL_CMP_PKISI *process_cert_request(OSSL_CMP_SRV_CTX *srv_ctx, 103 const OSSL_CMP_MSG *cert_req, 104 int certReqId, 105 const OSSL_CRMF_MSG *crm, 106 const X509_REQ *p10cr, 107 X509 **certOut, 108 STACK_OF(X509) **chainOut, 109 STACK_OF(X509) **caPubs) 110 { 111 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 112 return NULL; 113 } 114 115 static OSSL_CMP_PKISI *process_rr(OSSL_CMP_SRV_CTX *srv_ctx, 116 const OSSL_CMP_MSG *rr, 117 const X509_NAME *issuer, 118 const ASN1_INTEGER *serial) 119 { 120 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 121 return NULL; 122 } 123 124 static int process_genm(OSSL_CMP_SRV_CTX *srv_ctx, 125 const OSSL_CMP_MSG *genm, 126 const STACK_OF(OSSL_CMP_ITAV) *in, 127 STACK_OF(OSSL_CMP_ITAV) **out) 128 { 129 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 130 return 0; 131 } 132 133 static void process_error(OSSL_CMP_SRV_CTX *srv_ctx, const OSSL_CMP_MSG *error, 134 const OSSL_CMP_PKISI *statusInfo, 135 const ASN1_INTEGER *errorCode, 136 const OSSL_CMP_PKIFREETEXT *errorDetails) 137 { 138 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 139 } 140 141 static int process_certConf(OSSL_CMP_SRV_CTX *srv_ctx, 142 const OSSL_CMP_MSG *certConf, int certReqId, 143 const ASN1_OCTET_STRING *certHash, 144 const OSSL_CMP_PKISI *si) 145 { 146 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 147 return 0; 148 } 149 150 static int process_pollReq(OSSL_CMP_SRV_CTX *srv_ctx, 151 const OSSL_CMP_MSG *pollReq, int certReqId, 152 OSSL_CMP_MSG **certReq, int64_t *check_after) 153 { 154 ERR_raise(ERR_LIB_CMP, CMP_R_ERROR_PROCESSING_MESSAGE); 155 return 0; 156 } 157 158 static int clean_transaction(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx, 159 ossl_unused const ASN1_OCTET_STRING *id) 160 { 161 return 1; 162 } 163 164 static int delayed_delivery(ossl_unused OSSL_CMP_SRV_CTX *srv_ctx, 165 ossl_unused const OSSL_CMP_MSG *req) 166 { 167 return 0; 168 } 169 170 int FuzzerTestOneInput(const uint8_t *buf, size_t len) 171 { 172 OSSL_CMP_MSG *msg; 173 BIO *in; 174 175 if (len == 0) 176 return 0; 177 178 in = BIO_new(BIO_s_mem()); 179 OPENSSL_assert((size_t)BIO_write(in, buf, len) == len); 180 msg = d2i_OSSL_CMP_MSG_bio(in, NULL); 181 if (msg != NULL) { 182 BIO *out = BIO_new(BIO_s_null()); 183 OSSL_CMP_SRV_CTX *srv_ctx = OSSL_CMP_SRV_CTX_new(NULL, NULL); 184 OSSL_CMP_CTX *client_ctx = OSSL_CMP_CTX_new(NULL, NULL); 185 186 i2d_OSSL_CMP_MSG_bio(out, msg); 187 ASN1_item_print(out, (ASN1_VALUE *)msg, 4, 188 ASN1_ITEM_rptr(OSSL_CMP_MSG), NULL); 189 BIO_free(out); 190 191 if (client_ctx != NULL) 192 cmp_client_process_response(client_ctx, msg); 193 if (srv_ctx != NULL 194 && OSSL_CMP_CTX_set_log_cb(OSSL_CMP_SRV_CTX_get0_cmp_ctx(srv_ctx), 195 print_noop) 196 && OSSL_CMP_SRV_CTX_init(srv_ctx, NULL, process_cert_request, 197 process_rr, process_genm, process_error, 198 process_certConf, process_pollReq) 199 && OSSL_CMP_SRV_CTX_init_trans(srv_ctx, delayed_delivery, 200 clean_transaction)) 201 OSSL_CMP_MSG_free(OSSL_CMP_SRV_process_request(srv_ctx, msg)); 202 203 OSSL_CMP_CTX_free(client_ctx); 204 OSSL_CMP_SRV_CTX_free(srv_ctx); 205 OSSL_CMP_MSG_free(msg); 206 } 207 208 BIO_free(in); 209 ERR_clear_error(); 210 211 return 0; 212 } 213 214 void FuzzerCleanup(void) 215 { 216 FuzzerClearRand(); 217 } 218
Indexes created Sat Feb 28 05:31:39 UTC 2026