1 /*
2 * Copyright 2016-2025 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License");
5 * you may not use this file except in compliance with the License.
6 * You may obtain a copy of the License at
7 * https://www.openssl.org/source/license.html
8 * or in the file LICENSE in the source distribution.
9 */
10
11 #include <openssl/x509.h>
12 #include <openssl/ocsp.h>
13 #include <openssl/bio.h>
14 #include <openssl/err.h>
15 #include <openssl/rand.h>
16 #include "fuzzer.h"
17
FuzzerInitialize(int * argc,char *** argv)18 int FuzzerInitialize(int *argc, char ***argv)
19 {
20 FuzzerSetRand();
21 OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS
22 | OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS,
23 NULL);
24 ERR_clear_error();
25 CRYPTO_free_ex_index(0, -1);
26 return 1;
27 }
28
cb(int ok,X509_STORE_CTX * ctx)29 static int cb(int ok, X509_STORE_CTX *ctx)
30 {
31 return 1;
32 }
33
FuzzerTestOneInput(const uint8_t * buf,size_t len)34 int FuzzerTestOneInput(const uint8_t *buf, size_t len)
35 {
36 const unsigned char *p = buf;
37 size_t orig_len = len;
38 unsigned char *der = NULL;
39 BIO *bio = NULL;
40 X509 *x509_1 = NULL, *x509_2 = NULL;
41 X509_STORE *store = NULL;
42 X509_VERIFY_PARAM *param = NULL;
43 X509_STORE_CTX *ctx = NULL;
44 X509_CRL *crl = NULL;
45 STACK_OF(X509_CRL) *crls = NULL;
46 STACK_OF(X509) *certs = NULL;
47 OCSP_RESPONSE *resp = NULL;
48 OCSP_BASICRESP *bs = NULL;
49 OCSP_CERTID *id = NULL;
50
51 x509_1 = d2i_X509(NULL, &p, len);
52 if (x509_1 == NULL)
53 goto err;
54
55 bio = BIO_new(BIO_s_null());
56 if (bio == NULL)
57 goto err;
58
59 /* This will load and print the public key as well as extensions */
60 X509_print(bio, x509_1);
61 BIO_free(bio);
62
63 X509_issuer_and_serial_hash(x509_1);
64
65 i2d_X509(x509_1, &der);
66 OPENSSL_free(der);
67
68 len = orig_len - (p - buf);
69 x509_2 = d2i_X509(NULL, &p, len);
70 if (x509_2 == NULL)
71 goto err;
72
73 len = orig_len - (p - buf);
74 crl = d2i_X509_CRL(NULL, &p, len);
75 if (crl == NULL)
76 goto err;
77
78 len = orig_len - (p - buf);
79 resp = d2i_OCSP_RESPONSE(NULL, &p, len);
80
81 store = X509_STORE_new();
82 if (store == NULL)
83 goto err;
84 X509_STORE_add_cert(store, x509_2);
85
86 param = X509_VERIFY_PARAM_new();
87 if (param == NULL)
88 goto err;
89 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
90 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_X509_STRICT);
91 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
92 X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
93
94 X509_STORE_set1_param(store, param);
95
96 X509_STORE_set_verify_cb(store, cb);
97
98 ctx = X509_STORE_CTX_new();
99 if (ctx == NULL)
100 goto err;
101
102 X509_STORE_CTX_init(ctx, store, x509_1, NULL);
103
104 if (crl != NULL) {
105 crls = sk_X509_CRL_new_null();
106 if (crls == NULL
107 || !sk_X509_CRL_push(crls, crl))
108 goto err;
109
110 X509_STORE_CTX_set0_crls(ctx, crls);
111 }
112
113 X509_verify_cert(ctx);
114
115 if (resp != NULL)
116 bs = OCSP_response_get1_basic(resp);
117
118 if (bs != NULL) {
119 int status, reason;
120 ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
121
122 certs = sk_X509_new_null();
123 if (certs == NULL
124 || !sk_X509_push(certs, x509_1)
125 || !sk_X509_push(certs, x509_2))
126 goto err;
127
128 OCSP_basic_verify(bs, certs, store, OCSP_PARTIAL_CHAIN);
129
130 id = OCSP_cert_to_id(NULL, x509_1, x509_2);
131 if (id == NULL)
132 goto err;
133 OCSP_resp_find_status(bs, id, &status, &reason, &revtime, &thisupd,
134 &nextupd);
135 }
136
137 err:
138 X509_STORE_CTX_free(ctx);
139 X509_VERIFY_PARAM_free(param);
140 X509_STORE_free(store);
141 X509_free(x509_1);
142 X509_free(x509_2);
143 X509_CRL_free(crl);
144 OCSP_CERTID_free(id);
145 OCSP_BASICRESP_free(bs);
146 OCSP_RESPONSE_free(resp);
147 sk_X509_CRL_free(crls);
148 sk_X509_free(certs);
149
150 ERR_clear_error();
151 return 0;
152 }
153
FuzzerCleanup(void)154 void FuzzerCleanup(void)
155 {
156 FuzzerClearRand();
157 }
158