Add CMP fuzzing to fuzz/cmp.c, including a couple of helpers in crypto/cmp/

Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11386)
author: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-03-24 10:33:16 +0100
committer: Dr. David von Oheimb <David.von.Oheimb@siemens.com> 2020-04-18 19:54:17 +0200
commit: e599d0aecd3e9419d1558628cb42db9cf0fa5fd0 (patch)
tree: 09744b062a8d0f7f04251f1e13ee7deaee5ccf38 /crypto
parent: a81151bd56d55d52c40865f2f135355a2164062e (diff)
4 files changed, 48 insertions, 9 deletions
diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 604b4ce9a1..07535e55bd 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -764,10 +764,17 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
         goto end;
 
     rrep = rp->body->value.rp;
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
     if (sk_OSSL_CMP_PKISI_num(rrep->status) != num_RevDetails) {
         CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT);
         goto end;
     }
+#else
+    if (sk_OSSL_CMP_PKISI_num(rrep->status) < 1) {
+        CMPerr(0, CMP_R_WRONG_RP_COMPONENT_COUNT);
+        goto end;
+    }
+#endif
 
     /* evaluate PKIStatus field */
     si = ossl_cmp_revrepcontent_get_pkisi(rrep, rsid);
@@ -822,15 +829,19 @@ X509 *OSSL_CMP_exec_RR_ses(OSSL_CMP_CTX *ctx)
             goto err;
         }
         if (X509_NAME_cmp(issuer, OSSL_CRMF_CERTID_get0_issuer(cid)) != 0) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             CMPerr(0, CMP_R_WRONG_CERTID_IN_RP);
             result = NULL;
             goto err;
+#endif
         }
         if (ASN1_INTEGER_cmp(serial,
                              OSSL_CRMF_CERTID_get0_serialNumber(cid)) != 0) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             CMPerr(0, CMP_R_WRONG_SERIAL_IN_RP);
             result = NULL;
             goto err;
+#endif
         }
     }
 
diff --git a/crypto/cmp/cmp_msg.c b/crypto/cmp/cmp_msg.c
index 7fc51596b9..73a9d7a267 100644
--- a/crypto/cmp/cmp_msg.c
+++ b/crypto/cmp/cmp_msg.c
@@ -219,8 +219,13 @@ static OSSL_CRMF_MSG *crm_new(OSSL_CMP_CTX *ctx, int bodytype, int rid)
 
     if (rkey == NULL)
         rkey = ctx->pkey; /* default is independent of ctx->oldClCert */
-    if (rkey == NULL
-            || (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL)) {
+    if (rkey == NULL) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+        CMPerr(0, CMP_R_NULL_ARGUMENT);
+        return NULL;
+#endif
+    }
+    if (bodytype == OSSL_CMP_PKIBODY_KUR && refcert == NULL) {
         CMPerr(0, CMP_R_INVALID_ARGS);
         return NULL;
     }
diff --git a/crypto/cmp/cmp_server.c b/crypto/cmp/cmp_server.c
index c5c57fc8b7..ba5d751d92 100644
--- a/crypto/cmp/cmp_server.c
+++ b/crypto/cmp/cmp_server.c
@@ -492,11 +492,13 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
     default:
         /* transactionID should be already initialized */
         if (ctx->transactionID == NULL) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
             /* ignore any (extra) error in next two function calls: */
             (void)OSSL_CMP_CTX_set1_transactionID(ctx, hdr->transactionID);
             (void)ossl_cmp_ctx_set1_recipNonce(ctx, hdr->senderNonce);
             goto err;
+#endif
         }
     }
 
@@ -547,6 +549,7 @@ OSSL_CMP_MSG *OSSL_CMP_SRV_process_request(OSSL_CMP_SRV_CTX *srv_ctx,
     default:
         /* TODO possibly support further request message types */
         CMPerr(0, CMP_R_UNEXPECTED_PKIBODY);
+        break;
     }
 
  err:
diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 1ee1b3325e..137b65b06b 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -700,26 +700,34 @@ int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
         /* detect explicitly permitted exceptions for invalid protection */
         if (!OSSL_CMP_validate_msg(ctx, msg)
                 && (cb == NULL || (*cb)(ctx, msg, 1, cb_arg) <= 0)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             CMPerr(0, CMP_R_ERROR_VALIDATING_PROTECTION);
             return -1;
+#endif
         }
     } else {
         /* detect explicitly permitted exceptions for missing protection */
         if (cb == NULL || (*cb)(ctx, msg, 0, cb_arg) <= 0) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
             CMPerr(0, CMP_R_MISSING_PROTECTION);
             return -1;
+#endif
         }
     }
 
     /* check CMP version number in header */
     if (ossl_cmp_hdr_get_pvno(OSSL_CMP_MSG_get0_header(msg)) != OSSL_CMP_PVNO) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         CMPerr(0, CMP_R_UNEXPECTED_PVNO);
         return -1;
+#endif
     }
 
     if ((rcvd_type = ossl_cmp_msg_get_bodytype(msg)) < 0) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         CMPerr(0, CMP_R_PKIBODY_ERROR);
         return -1;
+#endif
     }
 
     /* compare received transactionID with the expected one in previous msg */
@@ -727,8 +735,10 @@ int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
             && (msg->header->transactionID == NULL
                 || ASN1_OCTET_STRING_cmp(ctx->transactionID,
                                          msg->header->transactionID) != 0)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         CMPerr(0, CMP_R_TRANSACTIONID_UNMATCHED);
         return -1;
+#endif
     }
 
     /* compare received nonce with the one we sent */
@@ -736,8 +746,10 @@ int ossl_cmp_msg_check_received(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg,
             && (msg->header->recipNonce == NULL
                 || ASN1_OCTET_STRING_cmp(ctx->senderNonce,
                                          msg->header->recipNonce) != 0)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
         CMPerr(0, CMP_R_RECIPNONCE_UNMATCHED);
         return -1;
+#endif
     }
 
     /*
@@ -776,19 +788,27 @@ int ossl_cmp_verify_popo(const OSSL_CMP_MSG *msg, int accept_RAVerified)
         {
             X509_REQ *req = msg->body->value.p10cr;
 
-            if (X509_REQ_verify(req, X509_REQ_get0_pubkey(req)) > 0)
-                return 1;
-            CMPerr(0, CMP_R_REQUEST_NOT_ACCEPTED);
-            return 0;
+            if (X509_REQ_verify(req, X509_REQ_get0_pubkey(req)) <= 0) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+                CMPerr(0, CMP_R_REQUEST_NOT_ACCEPTED);
+                return 0;
+#endif
+            }
         }
+        break;
     case OSSL_CMP_PKIBODY_IR:
     case OSSL_CMP_PKIBODY_CR:
     case OSSL_CMP_PKIBODY_KUR:
-        return OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir,
-                                          OSSL_CMP_CERTREQID,
-                                          accept_RAVerified);
+        if (!OSSL_CRMF_MSGS_verify_popo(msg->body->value.ir, OSSL_CMP_CERTREQID,
+                                        accept_RAVerified)) {
+#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+            return 0;
+#endif
+        }
+        break;
     default:
         CMPerr(0, CMP_R_PKIBODY_ERROR);
         return 0;
     }
+    return 1;
 }
author	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-03-24 10:33:16 +0100
committer	Dr. David von Oheimb <David.von.Oheimb@siemens.com>	2020-04-18 19:54:17 +0200
commit	e599d0aecd3e9419d1558628cb42db9cf0fa5fd0 (patch)
tree	09744b062a8d0f7f04251f1e13ee7deaee5ccf38 /crypto
parent	a81151bd56d55d52c40865f2f135355a2164062e (diff)