1258945Sroberto/* 2258945Sroberto * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. 3258945Sroberto * 4258945Sroberto * Licensed under the OpenSSL licenses, (the "License"); 5258945Sroberto * you may not use this file except in compliance with the License. 6258945Sroberto * You may obtain a copy of the License at 7258945Sroberto * https://www.openssl.org/source/license.html 8258945Sroberto * or in the file LICENSE in the source distribution. 9258945Sroberto */ 10258945Sroberto 11258945Sroberto/* 12258945Sroberto * Fuzz ASN.1 parsing for various data structures. Specify which on the 13258945Sroberto * command line: 14258945Sroberto * 15258945Sroberto * asn1 <data structure> 16258945Sroberto */ 17258945Sroberto 18258945Sroberto#include <stdio.h> 19258945Sroberto#include <string.h> 20258945Sroberto#include <openssl/asn1.h> 21258945Sroberto#include <openssl/asn1t.h> 22258945Sroberto#include <openssl/dh.h> 23258945Sroberto#include <openssl/dsa.h> 24258945Sroberto#include <openssl/ec.h> 25258945Sroberto#include <openssl/ocsp.h> 26258945Sroberto#include <openssl/pkcs12.h> 27258945Sroberto#include <openssl/rsa.h> 28258945Sroberto#include <openssl/ts.h> 29258945Sroberto#include <openssl/x509v3.h> 30258945Sroberto#include <openssl/cms.h> 31258945Sroberto#include <openssl/err.h> 32258945Sroberto#include <openssl/rand.h> 33258945Sroberto#include <openssl/bio.h> 34258945Sroberto#include <openssl/evp.h> 35258945Sroberto#include <openssl/ssl.h> 36258945Sroberto#include "fuzzer.h" 37258945Sroberto 38258945Sroberto#include "rand.inc" 39258945Sroberto 40258945Srobertostatic ASN1_ITEM_EXP *item_type[] = { 41258945Sroberto ASN1_ITEM_ref(ACCESS_DESCRIPTION), 42258945Sroberto#ifndef OPENSSL_NO_RFC3779 43258945Sroberto ASN1_ITEM_ref(ASIdentifierChoice), 44258945Sroberto ASN1_ITEM_ref(ASIdentifiers), 45258945Sroberto ASN1_ITEM_ref(ASIdOrRange), 46258945Sroberto#endif 47258945Sroberto ASN1_ITEM_ref(ASN1_ANY), 48258945Sroberto ASN1_ITEM_ref(ASN1_BIT_STRING), 49258945Sroberto ASN1_ITEM_ref(ASN1_BMPSTRING), 50258945Sroberto ASN1_ITEM_ref(ASN1_BOOLEAN), 51258945Sroberto ASN1_ITEM_ref(ASN1_ENUMERATED), 52258945Sroberto ASN1_ITEM_ref(ASN1_FBOOLEAN), 53258945Sroberto ASN1_ITEM_ref(ASN1_GENERALIZEDTIME), 54258945Sroberto ASN1_ITEM_ref(ASN1_GENERALSTRING), 55258945Sroberto ASN1_ITEM_ref(ASN1_IA5STRING), 56258945Sroberto ASN1_ITEM_ref(ASN1_INTEGER), 57258945Sroberto ASN1_ITEM_ref(ASN1_NULL), 58258945Sroberto ASN1_ITEM_ref(ASN1_OBJECT), 59258945Sroberto ASN1_ITEM_ref(ASN1_OCTET_STRING), 60258945Sroberto ASN1_ITEM_ref(ASN1_OCTET_STRING_NDEF), 61258945Sroberto ASN1_ITEM_ref(ASN1_PRINTABLE), 62258945Sroberto ASN1_ITEM_ref(ASN1_PRINTABLESTRING), 63258945Sroberto ASN1_ITEM_ref(ASN1_SEQUENCE), 64258945Sroberto ASN1_ITEM_ref(ASN1_SEQUENCE_ANY), 65258945Sroberto ASN1_ITEM_ref(ASN1_SET_ANY), 66258945Sroberto ASN1_ITEM_ref(ASN1_T61STRING), 67258945Sroberto ASN1_ITEM_ref(ASN1_TBOOLEAN), 68258945Sroberto ASN1_ITEM_ref(ASN1_TIME), 69258945Sroberto ASN1_ITEM_ref(ASN1_UNIVERSALSTRING), 70258945Sroberto ASN1_ITEM_ref(ASN1_UTCTIME), 71258945Sroberto ASN1_ITEM_ref(ASN1_UTF8STRING), 72258945Sroberto ASN1_ITEM_ref(ASN1_VISIBLESTRING), 73258945Sroberto#ifndef OPENSSL_NO_RFC3779 74258945Sroberto ASN1_ITEM_ref(ASRange), 75258945Sroberto#endif 76258945Sroberto ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS), 77258945Sroberto ASN1_ITEM_ref(AUTHORITY_KEYID), 78258945Sroberto ASN1_ITEM_ref(BASIC_CONSTRAINTS), 79258945Sroberto ASN1_ITEM_ref(BIGNUM), 80258945Sroberto ASN1_ITEM_ref(CBIGNUM), 81258945Sroberto ASN1_ITEM_ref(CERTIFICATEPOLICIES), 82258945Sroberto#ifndef OPENSSL_NO_CMS 83258945Sroberto ASN1_ITEM_ref(CMS_ContentInfo), 84258945Sroberto ASN1_ITEM_ref(CMS_ReceiptRequest), 85258945Sroberto ASN1_ITEM_ref(CRL_DIST_POINTS), 86258945Sroberto#endif 87258945Sroberto#ifndef OPENSSL_NO_DH 88258945Sroberto ASN1_ITEM_ref(DHparams), 89258945Sroberto#endif 90258945Sroberto ASN1_ITEM_ref(DIRECTORYSTRING), 91258945Sroberto ASN1_ITEM_ref(DISPLAYTEXT), 92258945Sroberto ASN1_ITEM_ref(DIST_POINT), 93258945Sroberto ASN1_ITEM_ref(DIST_POINT_NAME), 94258945Sroberto#ifndef OPENSSL_NO_EC 95258945Sroberto ASN1_ITEM_ref(ECPARAMETERS), 96258945Sroberto ASN1_ITEM_ref(ECPKPARAMETERS), 97258945Sroberto#endif 98258945Sroberto ASN1_ITEM_ref(EDIPARTYNAME), 99258945Sroberto ASN1_ITEM_ref(EXTENDED_KEY_USAGE), 100258945Sroberto ASN1_ITEM_ref(GENERAL_NAME), 101258945Sroberto ASN1_ITEM_ref(GENERAL_NAMES), 102258945Sroberto ASN1_ITEM_ref(GENERAL_SUBTREE), 103258945Sroberto#ifndef OPENSSL_NO_RFC3779 104258945Sroberto ASN1_ITEM_ref(IPAddressChoice), 105258945Sroberto ASN1_ITEM_ref(IPAddressFamily), 106258945Sroberto ASN1_ITEM_ref(IPAddressOrRange), 107258945Sroberto ASN1_ITEM_ref(IPAddressRange), 108258945Sroberto#endif 109258945Sroberto ASN1_ITEM_ref(ISSUING_DIST_POINT), 110258945Sroberto#if OPENSSL_API_COMPAT < 0x10200000L 111258945Sroberto ASN1_ITEM_ref(LONG), 112258945Sroberto#endif 113258945Sroberto ASN1_ITEM_ref(NAME_CONSTRAINTS), 114258945Sroberto ASN1_ITEM_ref(NETSCAPE_CERT_SEQUENCE), 115258945Sroberto ASN1_ITEM_ref(NETSCAPE_SPKAC), 116258945Sroberto ASN1_ITEM_ref(NETSCAPE_SPKI), 117258945Sroberto ASN1_ITEM_ref(NOTICEREF), 118258945Sroberto#ifndef OPENSSL_NO_OCSP 119258945Sroberto ASN1_ITEM_ref(OCSP_BASICRESP), 120258945Sroberto ASN1_ITEM_ref(OCSP_CERTID), 121258945Sroberto ASN1_ITEM_ref(OCSP_CERTSTATUS), 122258945Sroberto ASN1_ITEM_ref(OCSP_CRLID), 123258945Sroberto ASN1_ITEM_ref(OCSP_ONEREQ), 124258945Sroberto ASN1_ITEM_ref(OCSP_REQINFO), 125258945Sroberto ASN1_ITEM_ref(OCSP_REQUEST), 126258945Sroberto ASN1_ITEM_ref(OCSP_RESPBYTES), 127258945Sroberto ASN1_ITEM_ref(OCSP_RESPDATA), 128258945Sroberto ASN1_ITEM_ref(OCSP_RESPID), 129258945Sroberto ASN1_ITEM_ref(OCSP_RESPONSE), 130258945Sroberto ASN1_ITEM_ref(OCSP_REVOKEDINFO), 131258945Sroberto ASN1_ITEM_ref(OCSP_SERVICELOC), 132258945Sroberto ASN1_ITEM_ref(OCSP_SIGNATURE), 133258945Sroberto ASN1_ITEM_ref(OCSP_SINGLERESP), 134258945Sroberto#endif 135258945Sroberto ASN1_ITEM_ref(OTHERNAME), 136258945Sroberto ASN1_ITEM_ref(PBE2PARAM), 137258945Sroberto ASN1_ITEM_ref(PBEPARAM), 138258945Sroberto ASN1_ITEM_ref(PBKDF2PARAM), 139258945Sroberto ASN1_ITEM_ref(PKCS12), 140258945Sroberto ASN1_ITEM_ref(PKCS12_AUTHSAFES), 141258945Sroberto ASN1_ITEM_ref(PKCS12_BAGS), 142258945Sroberto ASN1_ITEM_ref(PKCS12_MAC_DATA), 143258945Sroberto ASN1_ITEM_ref(PKCS12_SAFEBAG), 144258945Sroberto ASN1_ITEM_ref(PKCS12_SAFEBAGS), 145258945Sroberto ASN1_ITEM_ref(PKCS7), 146258945Sroberto ASN1_ITEM_ref(PKCS7_ATTR_SIGN), 147258945Sroberto ASN1_ITEM_ref(PKCS7_ATTR_VERIFY), 148258945Sroberto ASN1_ITEM_ref(PKCS7_DIGEST), 149258945Sroberto ASN1_ITEM_ref(PKCS7_ENC_CONTENT), 150258945Sroberto ASN1_ITEM_ref(PKCS7_ENCRYPT), 151258945Sroberto ASN1_ITEM_ref(PKCS7_ENVELOPE), 152258945Sroberto ASN1_ITEM_ref(PKCS7_ISSUER_AND_SERIAL), 153258945Sroberto ASN1_ITEM_ref(PKCS7_RECIP_INFO), 154258945Sroberto ASN1_ITEM_ref(PKCS7_SIGNED), 155258945Sroberto ASN1_ITEM_ref(PKCS7_SIGN_ENVELOPE), 156258945Sroberto ASN1_ITEM_ref(PKCS7_SIGNER_INFO), 157258945Sroberto ASN1_ITEM_ref(PKCS8_PRIV_KEY_INFO), 158258945Sroberto ASN1_ITEM_ref(PKEY_USAGE_PERIOD), 159258945Sroberto ASN1_ITEM_ref(POLICY_CONSTRAINTS), 160258945Sroberto ASN1_ITEM_ref(POLICYINFO), 161258945Sroberto ASN1_ITEM_ref(POLICY_MAPPING), 162258945Sroberto ASN1_ITEM_ref(POLICY_MAPPINGS), 163258945Sroberto ASN1_ITEM_ref(POLICYQUALINFO), 164258945Sroberto ASN1_ITEM_ref(PROXY_CERT_INFO_EXTENSION), 165258945Sroberto ASN1_ITEM_ref(PROXY_POLICY), 166258945Sroberto ASN1_ITEM_ref(RSA_OAEP_PARAMS), 167258945Sroberto ASN1_ITEM_ref(RSAPrivateKey), 168258945Sroberto ASN1_ITEM_ref(RSA_PSS_PARAMS), 169258945Sroberto ASN1_ITEM_ref(RSAPublicKey), 170258945Sroberto ASN1_ITEM_ref(SXNET), 171258945Sroberto ASN1_ITEM_ref(SXNETID), 172258945Sroberto ASN1_ITEM_ref(USERNOTICE), 173258945Sroberto ASN1_ITEM_ref(X509), 174258945Sroberto ASN1_ITEM_ref(X509_ALGOR), 175258945Sroberto ASN1_ITEM_ref(X509_ALGORS), 176258945Sroberto ASN1_ITEM_ref(X509_ATTRIBUTE), 177258945Sroberto ASN1_ITEM_ref(X509_CERT_AUX), 178258945Sroberto ASN1_ITEM_ref(X509_CINF), 179258945Sroberto ASN1_ITEM_ref(X509_CRL), 180258945Sroberto ASN1_ITEM_ref(X509_CRL_INFO), 181258945Sroberto ASN1_ITEM_ref(X509_EXTENSION), 182258945Sroberto ASN1_ITEM_ref(X509_EXTENSIONS), 183258945Sroberto ASN1_ITEM_ref(X509_NAME), 184258945Sroberto ASN1_ITEM_ref(X509_NAME_ENTRY), 185258945Sroberto ASN1_ITEM_ref(X509_PUBKEY), 186258945Sroberto ASN1_ITEM_ref(X509_REQ), 187258945Sroberto ASN1_ITEM_ref(X509_REQ_INFO), 188258945Sroberto ASN1_ITEM_ref(X509_REVOKED), 189258945Sroberto ASN1_ITEM_ref(X509_SIG), 190258945Sroberto ASN1_ITEM_ref(X509_VAL), 191258945Sroberto#if OPENSSL_API_COMPAT < 0x10200000L 192258945Sroberto ASN1_ITEM_ref(ZLONG), 193258945Sroberto#endif 194258945Sroberto ASN1_ITEM_ref(INT32), 195258945Sroberto ASN1_ITEM_ref(ZINT32), 196258945Sroberto ASN1_ITEM_ref(UINT32), 197258945Sroberto ASN1_ITEM_ref(ZUINT32), 198258945Sroberto ASN1_ITEM_ref(INT64), 199258945Sroberto ASN1_ITEM_ref(ZINT64), 200258945Sroberto ASN1_ITEM_ref(UINT64), 201258945Sroberto ASN1_ITEM_ref(ZUINT64), 202258945Sroberto NULL 203258945Sroberto}; 204258945Sroberto 205258945Srobertostatic ASN1_PCTX *pctx; 206258945Sroberto 207258945Sroberto#define DO_TEST(TYPE, D2I, I2D, PRINT) { \ 208258945Sroberto const unsigned char *p = buf; \ 209258945Sroberto unsigned char *der = NULL; \ 210258945Sroberto TYPE *type = D2I(NULL, &p, len); \ 211258945Sroberto \ 212258945Sroberto if (type != NULL) { \ 213258945Sroberto int len2; \ 214258945Sroberto BIO *bio = BIO_new(BIO_s_null()); \ 215258945Sroberto \ 216258945Sroberto PRINT(bio, type); \ 217258945Sroberto BIO_free(bio); \ 218289997Sglebius len2 = I2D(type, &der); \ 219289997Sglebius if (len2 != 0) {} \ 220289997Sglebius OPENSSL_free(der); \ 221258945Sroberto TYPE ## _free(type); \ 222258945Sroberto } \ 223258945Sroberto} 224258945Sroberto 225258945Sroberto#define DO_TEST_PRINT_OFFSET(TYPE, D2I, I2D, PRINT) { \ 226258945Sroberto const unsigned char *p = buf; \ 227258945Sroberto unsigned char *der = NULL; \ 228258945Sroberto TYPE *type = D2I(NULL, &p, len); \ 229258945Sroberto \ 230258945Sroberto if (type != NULL) { \ 231258945Sroberto BIO *bio = BIO_new(BIO_s_null()); \ 232258945Sroberto \ 233258945Sroberto PRINT(bio, type, 0); \ 234258945Sroberto BIO_free(bio); \ 235258945Sroberto I2D(type, &der); \ 236258945Sroberto OPENSSL_free(der); \ 237258945Sroberto TYPE ## _free(type); \ 238258945Sroberto } \ 239258945Sroberto} 240258945Sroberto 241258945Sroberto#define DO_TEST_PRINT_PCTX(TYPE, D2I, I2D, PRINT) { \ 242258945Sroberto const unsigned char *p = buf; \ 243258945Sroberto unsigned char *der = NULL; \ 244258945Sroberto TYPE *type = D2I(NULL, &p, len); \ 245258945Sroberto \ 246258945Sroberto if (type != NULL) { \ 247258945Sroberto BIO *bio = BIO_new(BIO_s_null()); \ 248258945Sroberto \ 249258945Sroberto PRINT(bio, type, 0, pctx); \ 250258945Sroberto BIO_free(bio); \ 251258945Sroberto I2D(type, &der); \ 252258945Sroberto OPENSSL_free(der); \ 253258945Sroberto TYPE ## _free(type); \ 254258945Sroberto } \ 255258945Sroberto} 256258945Sroberto 257258945Sroberto 258258945Sroberto#define DO_TEST_NO_PRINT(TYPE, D2I, I2D) { \ 259258945Sroberto const unsigned char *p = buf; \ 260258945Sroberto unsigned char *der = NULL; \ 261258945Sroberto TYPE *type = D2I(NULL, &p, len); \ 262258945Sroberto \ 263258945Sroberto if (type != NULL) { \ 264258945Sroberto BIO *bio = BIO_new(BIO_s_null()); \ 265258945Sroberto \ 266258945Sroberto BIO_free(bio); \ 267258945Sroberto I2D(type, &der); \ 268258945Sroberto OPENSSL_free(der); \ 269258945Sroberto TYPE ## _free(type); \ 270258945Sroberto } \ 271258945Sroberto} 272258945Sroberto 273258945Sroberto 274258945Srobertoint FuzzerInitialize(int *argc, char ***argv) 275258945Sroberto{ 276258945Sroberto pctx = ASN1_PCTX_new(); 277258945Sroberto ASN1_PCTX_set_flags(pctx, ASN1_PCTX_FLAGS_SHOW_ABSENT | 278258945Sroberto ASN1_PCTX_FLAGS_SHOW_SEQUENCE | ASN1_PCTX_FLAGS_SHOW_SSOF | 279258945Sroberto ASN1_PCTX_FLAGS_SHOW_TYPE | ASN1_PCTX_FLAGS_SHOW_FIELD_STRUCT_NAME); 280258945Sroberto ASN1_PCTX_set_str_flags(pctx, ASN1_STRFLGS_UTF8_CONVERT | 281258945Sroberto ASN1_STRFLGS_SHOW_TYPE | ASN1_STRFLGS_DUMP_ALL); 282258945Sroberto 283258945Sroberto OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); 284258945Sroberto OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); 285258945Sroberto ERR_get_state(); 286258945Sroberto CRYPTO_free_ex_index(0, -1); 287258945Sroberto FuzzerSetRand(); 288258945Sroberto 289258945Sroberto return 1; 290258945Sroberto} 291258945Sroberto 292258945Srobertoint FuzzerTestOneInput(const uint8_t *buf, size_t len) 293258945Sroberto{ 294258945Sroberto int n; 295258945Sroberto 296258945Sroberto 297258945Sroberto for (n = 0; item_type[n] != NULL; ++n) { 298258945Sroberto const uint8_t *b = buf; 299258945Sroberto unsigned char *der = NULL; 300258945Sroberto const ASN1_ITEM *i = ASN1_ITEM_ptr(item_type[n]); 301258945Sroberto ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, i); 302258945Sroberto 303258945Sroberto if (o != NULL) { 304258945Sroberto BIO *bio = BIO_new(BIO_s_null()); 305258945Sroberto 306258945Sroberto ASN1_item_print(bio, o, 4, i, pctx); 307258945Sroberto BIO_free(bio); 308258945Sroberto ASN1_item_i2d(o, &der, i); 309258945Sroberto OPENSSL_free(der); 310258945Sroberto ASN1_item_free(o, i); 311258945Sroberto } 312258945Sroberto } 313258945Sroberto 314258945Sroberto#ifndef OPENSSL_NO_TS 315258945Sroberto DO_TEST(TS_REQ, d2i_TS_REQ, i2d_TS_REQ, TS_REQ_print_bio); 316258945Sroberto DO_TEST(TS_MSG_IMPRINT, d2i_TS_MSG_IMPRINT, i2d_TS_MSG_IMPRINT, TS_MSG_IMPRINT_print_bio); 317258945Sroberto DO_TEST(TS_RESP, d2i_TS_RESP, i2d_TS_RESP, TS_RESP_print_bio); 318258945Sroberto DO_TEST(TS_STATUS_INFO, d2i_TS_STATUS_INFO, i2d_TS_STATUS_INFO, TS_STATUS_INFO_print_bio); 319258945Sroberto DO_TEST(TS_TST_INFO, d2i_TS_TST_INFO, i2d_TS_TST_INFO, TS_TST_INFO_print_bio); 320258945Sroberto DO_TEST_NO_PRINT(TS_ACCURACY, d2i_TS_ACCURACY, i2d_TS_ACCURACY); 321258945Sroberto DO_TEST_NO_PRINT(ESS_ISSUER_SERIAL, d2i_ESS_ISSUER_SERIAL, i2d_ESS_ISSUER_SERIAL); 322258945Sroberto DO_TEST_NO_PRINT(ESS_CERT_ID, d2i_ESS_CERT_ID, i2d_ESS_CERT_ID); 323258945Sroberto DO_TEST_NO_PRINT(ESS_SIGNING_CERT, d2i_ESS_SIGNING_CERT, i2d_ESS_SIGNING_CERT); 324258945Sroberto#endif 325258945Sroberto#ifndef OPENSSL_NO_DH 326258945Sroberto DO_TEST(DH, d2i_DHparams, i2d_DHparams, DHparams_print); 327258945Sroberto DO_TEST(DH, d2i_DHxparams, i2d_DHxparams, DHparams_print); 328258945Sroberto#endif 329258945Sroberto#ifndef OPENSSL_NO_DSA 330258945Sroberto DO_TEST_NO_PRINT(DSA_SIG, d2i_DSA_SIG, i2d_DSA_SIG); 331258945Sroberto DO_TEST_PRINT_OFFSET(DSA, d2i_DSAPrivateKey, i2d_DSAPrivateKey, DSA_print); 332258945Sroberto DO_TEST_PRINT_OFFSET(DSA, d2i_DSAPublicKey, i2d_DSAPublicKey, DSA_print); 333258945Sroberto DO_TEST(DSA, d2i_DSAparams, i2d_DSAparams, DSAparams_print); 334258945Sroberto#endif 335258945Sroberto DO_TEST_PRINT_OFFSET(RSA, d2i_RSAPublicKey, i2d_RSAPublicKey, RSA_print); 336258945Sroberto#ifndef OPENSSL_NO_EC 337258945Sroberto DO_TEST_PRINT_OFFSET(EC_GROUP, d2i_ECPKParameters, i2d_ECPKParameters, ECPKParameters_print); 338258945Sroberto DO_TEST_PRINT_OFFSET(EC_KEY, d2i_ECPrivateKey, i2d_ECPrivateKey, EC_KEY_print); 339258945Sroberto DO_TEST(EC_KEY, d2i_ECParameters, i2d_ECParameters, ECParameters_print); 340258945Sroberto DO_TEST_NO_PRINT(ECDSA_SIG, d2i_ECDSA_SIG, i2d_ECDSA_SIG); 341258945Sroberto#endif 342258945Sroberto DO_TEST_PRINT_PCTX(EVP_PKEY, d2i_AutoPrivateKey, i2d_PrivateKey, EVP_PKEY_print_private); 343258945Sroberto DO_TEST(SSL_SESSION, d2i_SSL_SESSION, i2d_SSL_SESSION, SSL_SESSION_print); 344258945Sroberto 345258945Sroberto ERR_clear_error(); 346258945Sroberto 347258945Sroberto return 0; 348258945Sroberto} 349258945Sroberto 350258945Srobertovoid FuzzerCleanup(void) 351258945Sroberto{ 352258945Sroberto ASN1_PCTX_free(pctx); 353258945Sroberto} 354258945Sroberto