diff options
author | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-03-24 10:33:16 +0100 |
---|---|---|
committer | Dr. David von Oheimb <David.von.Oheimb@siemens.com> | 2020-04-18 19:54:17 +0200 |
commit | e599d0aecd3e9419d1558628cb42db9cf0fa5fd0 (patch) | |
tree | 09744b062a8d0f7f04251f1e13ee7deaee5ccf38 /crypto | |
parent | a81151bd56d55d52c40865f2f135355a2164062e (diff) |
Add CMP fuzzing to fuzz/cmp.c, including a couple of helpers in crypto/cmp/
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11386)
Diffstat (limited to 'crypto')
-rw-r--r-- | crypto/cmp/cmp_client.c | 11 | ||||
-rw-r--r-- | crypto/cmp/cmp_msg.c | 9 | ||||
-rw-r--r-- | crypto/cmp/cmp_server.c | 3 | ||||
-rw-r--r-- | crypto/cmp/cmp_vfy.c | 34 |
4 files changed, 48 insertions, 9 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c index 604b4ce9a1..07535e55bd 100644 --- a/crypto/cmp/cmp_client.c +++ b/crypto/cmp/cmp_client.c @@ -764,10 +764,17 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) goto end; rrep = rp->body->value.rp; +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) { CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT); goto end; } +#else + if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) { + CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT); + goto end; + } +#endif /* evaluate PKIStatus field */ si = ossl_cmp_revrepcontent_get_pkisi(rrep, rsid); @@ -822,15 +829,19 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx) goto err; } if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_WRONG_CERTID_IN_RP); result = NULL; goto err; +#endif } if (ASN1_INTEGER_cmp(serial, OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_WRONG_SERIAL_IN_RP); result = NULL; goto err; +#endif } } diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c index 7fc51596b9..73a9d7a267 100644 --- a/crypto/cmp/cmp_msg.c +++ b/crypto/cmp/cmp_msg.c @@ -219,8 +219,13 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid) if (rkey == NULL) rkey = ctx->pkey; /* default is independent of ctx->oldClCert */ - if (rkey == NULL - || (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL)) { + if (rkey == NULL) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + CMPerr(0, CMP_R_NULL_ARGUMENT); + return NULL; +#endif + } + if (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL) { CMPerr(0, CMP_R_INVALID_ARGS); return NULL; } diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c index c5c57fc8b7..ba5d751d92 100644 --- a/crypto/cmp/cmp_server.c +++ b/crypto/cmp/cmp_server.c @@ -492,11 +492,13 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, default: /* transactionID should be already initialized */ if (ctx->transactionID == NULL) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); /* ignore any (extra) error in next two function calls: */ (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID); (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce); goto err; +#endif } } @@ -547,6 +549,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx, default: /* TODO possibly support further request message types */ CMPerr(0, CMP_R_UNEXPECTED_PKIBODY); + break; } err: diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c index 1ee1b3325e..137b65b06b 100644 --- a/crypto/cmp/cmp_vfy.c +++ b/crypto/cmp/cmp_vfy.c @@ -700,26 +700,34 @@ int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, /* detect explicitly permitted exceptions for invalid protection */ if (!OSSL_CMP_validate_msg(ctx, msg) && (cb == NULL || (*cb)(ctx, msg, 1, cb_arg) <= 0)) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_ERROR_VALIDATING_PROTECTION); return -1; +#endif } } else { /* detect explicitly permitted exceptions for missing protection */ if (cb == NULL || (*cb)(ctx, msg, 0, cb_arg) <= 0) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_MISSING_PROTECTION); return -1; +#endif } } /* check CMP version number in header */ if (ossl_cmp_hdr_get_pvno(OSSL_CMP_MSG_get0_header(msg)) != OSSL_CMP_PVNO) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_UNEXPECTED_PVNO); return -1; +#endif } if ((rcvd_type = ossl_cmp_msg_get_bodytype(msg)) < 0) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_PKIBODY_ERROR); return -1; +#endif } /* compare received transactionID with the expected one in previous msg */ @@ -727,8 +735,10 @@ int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, && (msg->header->transactionID == NULL || ASN1_OCTET_STRING_cmp(ctx->transactionID, msg->header->transactionID) != 0)) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_TRANSACTIONID_UNMATCHED); return -1; +#endif } /* compare received nonce with the one we sent */ @@ -736,8 +746,10 @@ int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, && (msg->header->recipNonce == NULL || ASN1_OCTET_STRING_cmp(ctx->senderNonce, msg->header->recipNonce) != 0)) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION CMPerr(0, CMP_R_RECIPNONCE_UNMATCHED); return -1; +#endif } /* @@ -776,19 +788,27 @@ int ossl_cmp_verify_popo(const OSSL_CMP_MSG *msg, int accept_RAVerified) { X509_REQ *req = msg->body->value.p10cr; - if (X509_REQ_verify(req, X509_REQ_get0_pubkey(req)) > 0) - return 1; - CMPerr(0, CMP_R_REQUEST_NOT_ACCEPTED); - return 0; + if (X509_REQ_verify(req, X509_REQ_get0_pubkey(req)) <= 0) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + CMPerr(0, CMP_R_REQUEST_NOT_ACCEPTED); + return 0; +#endif + } } + break; case OSSL_CMP_PKIBODY_IR: case OSSL_CMP_PKIBODY_CR: case OSSL_CMP_PKIBODY_KUR: - return OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir, - OSSL_CMP_CERTREQID, - accept_RAVerified); + if (!OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir, OSSL_CMP_CERTREQID, + accept_RAVerified)) { +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + return 0; +#endif + } + break; default: CMPerr(0, CMP_R_PKIBODY_ERROR); return 0; } + return 1; } |