1 // Copyright 2016 The BoringSSL Authors
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     https://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 
15 #include <openssl/err.h>
16 #include <openssl/mem.h>
17 #include <openssl/x509.h>
18 
19 #include "../crypto/x509/internal.h"
20 
LLVMFuzzerTestOneInput(const uint8_t * buf,size_t len)21 extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
22   bssl::UniquePtr<X509> x509(d2i_X509(nullptr, &buf, len));
23   if (x509 != nullptr) {
24     // Extract the public key.
25     EVP_PKEY_free(X509_get_pubkey(x509.get()));
26 
27     // Fuzz some deferred parsing.
28     x509v3_cache_extensions(x509.get());
29 
30     // Fuzz every supported extension.
31     for (int i = 0; i < X509_get_ext_count(x509.get()); i++) {
32       const X509_EXTENSION *ext = X509_get_ext(x509.get(), i);
33       void *parsed = X509V3_EXT_d2i(ext);
34       if (parsed != nullptr) {
35         int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
36         BSSL_CHECK(nid != NID_undef);
37 
38         // Reserialize the extension. This should succeed if we were able to
39         // parse it.
40         // TODO(crbug.com/boringssl/352): Ideally we would also assert that
41         // |new_ext| is identical to |ext|, but our parser is not strict enough.
42         bssl::UniquePtr<X509_EXTENSION> new_ext(
43             X509V3_EXT_i2d(nid, X509_EXTENSION_get_critical(ext), parsed));
44         BSSL_CHECK(new_ext != nullptr);
45 
46         // This can only fail if |ext| was not a supported type, but then
47         // |X509V3_EXT_d2i| should have failed.
48         BSSL_CHECK(X509V3_EXT_free(nid, parsed));
49       }
50     }
51 
52     // Reserialize |x509|. This should succeed if we were able to parse it.
53     // TODO(crbug.com/boringssl/352): Ideally we would also assert the output
54     // matches the input, but our parser is not strict enough.
55     uint8_t *der = nullptr;
56     int der_len = i2d_X509(x509.get(), &der);
57     BSSL_CHECK(der_len > 0);
58     OPENSSL_free(der);
59 
60     // Reserialize |x509|'s TBSCertificate without reusing the cached encoding.
61     // TODO(crbug.com/boringssl/352): Ideally we would also assert the output
62     // matches the input TBSCertificate, but our parser is not strict enough.
63     der = nullptr;
64     der_len = i2d_re_X509_tbs(x509.get(), &der);
65     BSSL_CHECK(der_len > 0);
66     OPENSSL_free(der);
67 
68     BIO *bio = BIO_new(BIO_s_mem());
69     X509_print(bio, x509.get());
70     BIO_free(bio);
71   }
72   ERR_clear_error();
73   return 0;
74 }
75