root
/
openssl
mirror of https://github.com/openssl/openssl.git
1
0
Fork 0
Code Issues Actions 7 Packages Projects Releases Wiki Activity

Update X509 fuzzer to verify a chain 

It add supports for verifying that it's been signed by a CA, and
checks the CRL and OCSP status

Can find CVE-2022-4203 and CVE-2023-0286

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/20243)

(cherry picked from commit 399c2da08a)
This commit is contained in:
Kurt Roeckx 2022-12-18 20:54:15 +01:00 committed by Hugo Landau
parent 63cecc23e1
commit 869d95b00e
No known key found for this signature in database
GPG Key ID: 3D30A3A9FF1360DC
3 changed files with 125 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
fuzz/build.info
View File

@ -9,7 +9,7 @@
-} -}
IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server x509 PROGRAMS{noinst}=asn1 asn1parse bignum bndiv client conf crl server
PROGRAMS{noinst}=punycode PROGRAMS{noinst}=punycode
IF[{- !$disabled{"cmp"} -}] IF[{- !$disabled{"cmp"} -}]
@ -24,6 +24,10 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
PROGRAMS{noinst}=ct PROGRAMS{noinst}=ct
ENDIF ENDIF
IF[{- !$disabled{"ocsp"} -}]
PROGRAMS{noinst}=x509
ENDIF
SOURCE[asn1]=asn1.c driver.c fuzz_rand.c SOURCE[asn1]=asn1.c driver.c fuzz_rand.c
INCLUDE[asn1]=../include {- $ex_inc -} INCLUDE[asn1]=../include {- $ex_inc -}
DEPEND[asn1]=../libcrypto ../libssl {- $ex_lib -} DEPEND[asn1]=../libcrypto ../libssl {- $ex_lib -}
@ -78,7 +82,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
ENDIF ENDIF
IF[{- !$disabled{tests} -}] IF[{- !$disabled{tests} -}]
PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test x509-test PROGRAMS{noinst}=asn1-test asn1parse-test bignum-test bndiv-test client-test conf-test crl-test server-test
PROGRAMS{noinst}=punycode-test PROGRAMS{noinst}=punycode-test
IF[{- !$disabled{"cmp"} -}] IF[{- !$disabled{"cmp"} -}]
@ -93,6 +97,10 @@ IF[{- !$disabled{tests} -}]
PROGRAMS{noinst}=ct-test PROGRAMS{noinst}=ct-test
ENDIF ENDIF
IF[{- !$disabled{"ocsp"} -}]
PROGRAMS{noinst}=x509-test
ENDIF
SOURCE[asn1-test]=asn1.c test-corpus.c fuzz_rand.c SOURCE[asn1-test]=asn1.c test-corpus.c fuzz_rand.c
INCLUDE[asn1-test]=../include INCLUDE[asn1-test]=../include
DEPEND[asn1-test]=../libcrypto ../libssl DEPEND[asn1-test]=../libcrypto ../libssl

123
fuzz/x509.c
View File

@ -9,6 +9,7 @@
*/ */
#include <openssl/x509.h> #include <openssl/x509.h>
#include <openssl/ocsp.h>
#include <openssl/bio.h> #include <openssl/bio.h>
#include <openssl/err.h> #include <openssl/err.h>
#include <openssl/rand.h> #include <openssl/rand.h>
@ -17,31 +18,131 @@
int FuzzerInitialize(int *argc, char ***argv) int FuzzerInitialize(int *argc, char ***argv)
{ {
FuzzerSetRand(); FuzzerSetRand();
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS
| OPENSSL_INIT_ADD_ALL_CIPHERS | OPENSSL_INIT_ADD_ALL_DIGESTS, NULL);
ERR_clear_error(); ERR_clear_error();
CRYPTO_free_ex_index(0, -1); CRYPTO_free_ex_index(0, -1);
return 1; return 1;
} }
static int cb(int ok, X509_STORE_CTX *ctx)
{
return 1;
}
int FuzzerTestOneInput(const uint8_t *buf, size_t len) int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{ {
const unsigned char *p = buf; const unsigned char *p = buf;
size_t orig_len = len;
unsigned char *der = NULL; unsigned char *der = NULL;
BIO *bio = NULL;
X509 *x509_1 = NULL, *x509_2 = NULL;
X509_STORE *store = NULL;
X509_VERIFY_PARAM *param = NULL;
X509_STORE_CTX *ctx = NULL;
X509_CRL *crl = NULL;
STACK_OF(X509_CRL) *crls = NULL;
STACK_OF(X509) *certs = NULL;
OCSP_RESPONSE *resp = NULL;
OCSP_BASICRESP *bs = NULL;
OCSP_CERTID *id = NULL;
X509 *x509 = d2i_X509(NULL, &p, len); x509_1 = d2i_X509(NULL, &p, len);
if (x509 != NULL) { if (x509_1 == NULL)
BIO *bio = BIO_new(BIO_s_null()); goto err;
/* This will load and print the public key as well as extensions */
X509_print(bio, x509);
BIO_free(bio);
X509_issuer_and_serial_hash(x509); bio = BIO_new(BIO_s_null());
if (bio == NULL)
goto err;
i2d_X509(x509, &der); /* This will load and print the public key as well as extensions */
OPENSSL_free(der); X509_print(bio, x509_1);
BIO_free(bio);
X509_free(x509); X509_issuer_and_serial_hash(x509_1);
i2d_X509(x509_1, &der);
OPENSSL_free(der);
len = orig_len - (p - buf);
x509_2 = d2i_X509(NULL, &p, len);
if (x509_2 == NULL)
goto err;
len = orig_len - (p - buf);
crl = d2i_X509_CRL(NULL, &p, len);
if (crl == NULL)
goto err;
len = orig_len - (p - buf);
resp = d2i_OCSP_RESPONSE(NULL, &p, len);
store = X509_STORE_new();
X509_STORE_add_cert(store, x509_2);
param = X509_VERIFY_PARAM_new();
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_NO_CHECK_TIME);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_X509_STRICT);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_PARTIAL_CHAIN);
X509_VERIFY_PARAM_set_flags(param, X509_V_FLAG_CRL_CHECK);
X509_STORE_set1_param(store, param);
X509_STORE_set_verify_cb(store, cb);
ctx = X509_STORE_CTX_new();
if (ctx == NULL)
goto err;
X509_STORE_CTX_init(ctx, store, x509_1, NULL);
if (crl != NULL) {
crls = sk_X509_CRL_new_null();
if (crls == NULL)
goto err;
sk_X509_CRL_push(crls, crl);
X509_STORE_CTX_set0_crls(ctx, crls);
} }
X509_verify_cert(ctx);
if (resp != NULL)
bs = OCSP_response_get1_basic(resp);
if (bs != NULL) {
int status, reason;
ASN1_GENERALIZEDTIME *revtime, *thisupd, *nextupd;
certs = sk_X509_new_null();
if (certs == NULL)
goto err;
sk_X509_push(certs, x509_1);
sk_X509_push(certs, x509_2);
OCSP_basic_verify(bs, certs, store, OCSP_PARTIAL_CHAIN);
id = OCSP_cert_to_id(NULL, x509_1, x509_2);
if (id == NULL)
goto err;
OCSP_resp_find_status(bs, id, &status, &reason, &revtime, &thisupd,
&nextupd);
}
err:
X509_STORE_CTX_free(ctx);
X509_VERIFY_PARAM_free(param);
X509_STORE_free(store);
X509_free(x509_1);
X509_free(x509_2);
X509_CRL_free(crl);
OCSP_CERTID_free(id);
OCSP_BASICRESP_free(bs);
OCSP_RESPONSE_free(resp);
sk_X509_CRL_free(crls);
sk_X509_free(certs);
ERR_clear_error(); ERR_clear_error();
return 0; return 0;
} }

3
test/recipes/99-test_fuzz_x509.t
View File

@ -15,6 +15,9 @@ use OpenSSL::Test::Utils;
my $fuzzer = "x509"; my $fuzzer = "x509";
setup("test_fuzz_${fuzzer}"); setup("test_fuzz_${fuzzer}");
plan skip_all => "This test requires ocsp support"
if disabled("ocsp");
plan tests => 2; # one more due to below require_ok(...) plan tests => 2; # one more due to below require_ok(...)
require_ok(srctop_file('test','recipes','fuzz.pl')); require_ok(srctop_file('test','recipes','fuzz.pl'));