Fuzz more extension parsers in the cert parser
If we're going to rewrite the parsers later, let's cover them more
thoroughly.
Change-Id: Iab4bbb886da5e42caf4a6eff77cfedca8a33f085
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/64629
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Auto-Submit: David Benjamin <davidben@google.com>
diff --git a/fuzz/cert.cc b/fuzz/cert.cc
index e433450..2f4a547 100644
--- a/fuzz/cert.cc
+++ b/fuzz/cert.cc
@@ -19,24 +19,56 @@
#include "../crypto/x509/internal.h"
extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
- X509 *x509 = d2i_X509(NULL, &buf, len);
- if (x509 != NULL) {
+ bssl::UniquePtr<X509> x509(d2i_X509(nullptr, &buf, len));
+ if (x509 != nullptr) {
// Extract the public key.
- EVP_PKEY_free(X509_get_pubkey(x509));
+ EVP_PKEY_free(X509_get_pubkey(x509.get()));
// Fuzz some deferred parsing.
- x509v3_cache_extensions(x509);
+ x509v3_cache_extensions(x509.get());
- // Reserialize the structure.
- uint8_t *der = NULL;
- i2d_X509(x509, &der);
+ // Fuzz every supported extension.
+ for (int i = 0; i < X509_get_ext_count(x509.get()); i++) {
+ const X509_EXTENSION *ext = X509_get_ext(x509.get(), i);
+ void *parsed = X509V3_EXT_d2i(ext);
+ if (parsed != nullptr) {
+ int nid = OBJ_obj2nid(X509_EXTENSION_get_object(ext));
+ BSSL_CHECK(nid != NID_undef);
+
+ // Reserialize the extension. This should succeed if we were able to
+ // parse it.
+ // TODO(crbug.com/boringssl/352): Ideally we would also assert that
+ // |new_ext| is identical to |ext|, but our parser is not strict enough.
+ bssl::UniquePtr<X509_EXTENSION> new_ext(
+ X509V3_EXT_i2d(nid, X509_EXTENSION_get_critical(ext), parsed));
+ BSSL_CHECK(new_ext != nullptr);
+
+ // This can only fail if |ext| was not a supported type, but then
+ // |X509V3_EXT_d2i| should have failed.
+ BSSL_CHECK(X509V3_EXT_free(nid, parsed));
+ }
+ }
+
+ // Reserialize |x509|. This should succeed if we were able to parse it.
+ // TODO(crbug.com/boringssl/352): Ideally we would also assert the output
+ // matches the input, but our parser is not strict enough.
+ uint8_t *der = nullptr;
+ int der_len = i2d_X509(x509.get(), &der);
+ BSSL_CHECK(der_len > 0);
+ OPENSSL_free(der);
+
+ // Reserialize |x509|'s TBSCertificate without reusing the cached encoding.
+ // TODO(crbug.com/boringssl/352): Ideally we would also assert the output
+ // matches the input TBSCertificate, but our parser is not strict enough.
+ der = nullptr;
+ der_len = i2d_re_X509_tbs(x509.get(), &der);
+ BSSL_CHECK(der_len > 0);
OPENSSL_free(der);
BIO *bio = BIO_new(BIO_s_mem());
- X509_print(bio, x509);
+ X509_print(bio, x509.get());
BIO_free(bio);
}
- X509_free(x509);
ERR_clear_error();
return 0;
}
