From a9e6100bc98439ca787aa1fce541550ad1ff3e84 Mon Sep 17 00:00:00 2001 From: Kurt Roeckx Date: Wed, 11 Jan 2023 21:14:35 +0100 Subject: Add decoder fuzzer This found CVE-2023-0217 Reviewed-by: Paul Dale Reviewed-by: Matt Caswell (Merged from https://github.com/openssl/openssl/pull/20269) --- fuzz/build.info | 12 ++++++-- fuzz/decoder.c | 86 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 96 insertions(+), 2 deletions(-) create mode 100644 fuzz/decoder.c (limited to 'fuzz') diff --git a/fuzz/build.info b/fuzz/build.info index af5f550f00..e20034cfee 100644 --- a/fuzz/build.info +++ b/fuzz/build.info @@ -10,7 +10,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server smime x509 - PROGRAMS{noinst}=punycode pem + PROGRAMS{noinst}=punycode pem decoder PROGRAMS{noinst}=v3name IF[{- !$disabled{"cmp"} -}] @@ -69,6 +69,10 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] INCLUDE[pem]=../include {- $ex_inc -} DEPEND[pem]=../libcrypto.a {- $ex_lib -} + SOURCE[decoder]=decoder.c driver.c fuzz_rand.c + INCLUDE[decoder]=../include {- $ex_inc -} + DEPEND[decoder]=../libcrypto {- $ex_lib -} + SOURCE[punycode]=punycode.c driver.c INCLUDE[punycode]=../include {- $ex_inc -} DEPEND[punycode]=../libcrypto.a {- $ex_lib -} @@ -92,7 +96,7 @@ ENDIF IF[{- !$disabled{tests} -}] PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test smime-test x509-test - PROGRAMS{noinst}=punycode-test pem-test + PROGRAMS{noinst}=punycode-test pem-test decoder-test PROGRAMS{noinst}=v3name-test IF[{- !$disabled{"cmp"} -}] 
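Review bot: The new `DEPEND[decoder]=../libcrypto {- $ex_lib -}` entry names `../libcrypto`, while the neighbouring pem and punycode entries visible in the same hunk name `../libcrypto.a`; the same difference appears for `decoder-test` in the last build.info hunk. If this is deliberate, a one-line `#` comment above the entry saying why this fuzzer is not tied to the static archive would keep a later cleanup from "correcting" it. If it is not deliberate, use `../libcrypto.a` to match the other targets.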
@@ -152,6 +156,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[pem-test]=../include DEPEND[pem-test]=../libcrypto.a + SOURCE[decoder-test]=decoder.c test-corpus.c fuzz_rand.c + INCLUDE[decoder-test]=../include + DEPEND[decoder-test]=../libcrypto + SOURCE[punycode-test]=punycode.c test-corpus.c INCLUDE[punycode-test]=../include DEPEND[punycode-test]=../libcrypto.a diff --git a/fuzz/decoder.c b/fuzz/decoder.c new file mode 100644 index 0000000000..1a6558dbb3 --- /dev/null +++ b/fuzz/decoder.c 
@@ -0,0 +1,86 @@
+/*
+ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+
+#include
+#include
+#include
+#include "fuzzer.h"
+
+static ASN1_PCTX *pctx;
+
+int FuzzerInitialize(int *argc, char ***argv)
+{
+ FuzzerSetRand();
+
+ OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS
+ | OPENSSL_INIT_ADD_ALL_CIPHERS
+ | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
+
+ pctx = ASN1_PCTX_new();
+ ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT
+ | ASN1_PCTX_FLAGS_SHOW_SEQUENCE
+ | ASN1_PCTX_FLAGS_SHOW_SSOF
+ | ASN1_PCTX_FLAGS_SHOW_TYPE
+ | ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME);
+ ASN1_PCTX_set_str_flags(pctx, ASN1_STRFLGS_UTF8_CONVERT
+ | ASN1_STRFLGS_SHOW_TYPE
+ | ASN1_STRFLGS_DUMP_ALL);
+
+ ERR_clear_error();
+ CRYPTO_free_ex_index(0, -1);
+ return 1;
+}
+
+int FuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+ OSSL_DECODER_CTX *dctx;
+ EVP_PKEY *pkey = NULL;
+ EVP_PKEY_CTX *ctx = NULL;
+ BIO *bio;
+
+ bio = BIO_new(BIO_s_null());
+ dctx = OSSL_DECODER_CTX_new_for_pkey(&pkey, NULL, NULL, NULL, 0, NULL,
+ NULL);
+ if (dctx == NULL) {
+ return 0;
+ }
+ if (OSSL_DECODER_from_data(dctx, &buf, &len)) {
+ EVP_PKEY *pkey2;
+
+ EVP_PKEY_print_public(bio, pkey, 1, pctx);
+ EVP_PKEY_print_private(bio, pkey, 1, pctx);
+ EVP_PKEY_print_params(bio, pkey, 1, pctx);
+
+ pkey2 = EVP_PKEY_dup(pkey);
+ OPENSSL_assert(pkey2 != NULL);
+ EVP_PKEY_eq(pkey, pkey2);
+ EVP_PKEY_free(pkey2);
+
+ ctx = EVP_PKEY_CTX_new(pkey, NULL);
+ EVP_PKEY_param_check(ctx);
+ EVP_PKEY_public_check(ctx);
+ EVP_PKEY_private_check(ctx);
+ EVP_PKEY_pairwise_check(ctx);
+ OPENSSL_assert(ctx != NULL);
+ EVP_PKEY_CTX_free(ctx);
+ EVP_PKEY_free(pkey);
+ }
+ OSSL_DECODER_CTX_free(dctx);
+
+ BIO_free(bio);
+ ERR_clear_error();
+ return 0;
+}
+
+void FuzzerCleanup(void)
+{
+ ASN1_PCTX_free(pctx);
+ FuzzerClearRand();
+}
-- 
cgit v1.2.3
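Review bot: In FuzzerTestOneInput the early `return 0` on `dctx == NULL` skips `BIO_free(bio)`, so each such iteration leaks the null BIO and a leak-checking fuzz build would likely report it as a finding; free it on that path, `if (dctx == NULL) { BIO_free(bio); return 0; }`, or create the BIO after the context check. `OPENSSL_assert(ctx != NULL)` sits after the four `EVP_PKEY_*_check(ctx)` calls, so it guards nothing there and should move to directly after `ctx = EVP_PKEY_CTX_new(pkey, NULL);`. The two asserts (`pkey2`, `ctx`) and the unchecked `BIO_new` and `ASN1_PCTX_new` results also turn an allocation failure into an abort that would be triaged as a decoder crash rather than a harness condition. A short comment stating that this is intended, or skipping the dependent calls when the pointer is NULL, would make findings from this harness easier to classify.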