Only bypass the signature verification itself in fuzzer mode. Keep the setup_ctx logic, which, among other things, checks if the signature algorithm is valid. This cuts down on some unnecessary fuzzer-mode suppressions. Change-Id: I644f75630791c9741a1b372e5f83ae7ff9f01c2f Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/36766 Commit-Queue: David Benjamin <davidben@google.com> Reviewed-by: Adam Langley <agl@google.com>
diff --git a/ssl/handshake_client.cc b/ssl/handshake_client.cc
index b0de670..a53e430 100644
--- a/ssl/handshake_client.cc
+++ b/ssl/handshake_client.cc
@@ -1071,13 +1071,8 @@
 return ssl_hs_error;
 }
- bool sig_ok = ssl_public_key_verify(ssl, signature, signature_algorithm,
- hs->peer_pubkey.get(), transcript_data);
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- sig_ok = true;
- ERR_clear_error();
-#endif
- if (!sig_ok) {
+ if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
+ hs->peer_pubkey.get(), transcript_data)) {
 // bad signature
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
diff --git a/ssl/handshake_server.cc b/ssl/handshake_server.cc
index f7e5df7..8ee39a2 100644
--- a/ssl/handshake_server.cc
+++ b/ssl/handshake_server.cc
@@ -1410,14 +1410,8 @@
 return ssl_hs_error;
 }
- bool sig_ok =
- ssl_public_key_verify(ssl, signature, signature_algorithm,
- hs->peer_pubkey.get(), hs->transcript.buffer());
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- sig_ok = true;
- ERR_clear_error();
-#endif
- if (!sig_ok) {
+ if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
+ hs->peer_pubkey.get(), hs->transcript.buffer())) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
 return ssl_hs_error;
diff --git a/ssl/ssl_privkey.cc b/ssl/ssl_privkey.cc
index 1ddb1b1..23f8d12 100644
--- a/ssl/ssl_privkey.cc
+++ b/ssl/ssl_privkey.cc
@@ -236,9 +236,16 @@
 uint16_t sigalg, EVP_PKEY *pkey, Span<const uint8_t> in) {
 ScopedEVP_MD_CTX ctx;
- return setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */) &&
- EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
- in.data(), in.size());
+ if (!setup_ctx(ssl, ctx.get(), pkey, sigalg, true /* verify */)) {
+ return false;
+ }
+ bool ok = EVP_DigestVerify(ctx.get(), signature.data(), signature.size(),
+ in.data(), in.size());
+#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+ ok = true;
+ ERR_clear_error();
+#endif
+ return ok;
 }
 enum ssl_private_key_result_t ssl_private_key_decrypt(SSL_HANDSHAKE *hs,
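Review bot: The `#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)` block added before `return ok;` has no comment, although it now forces `ok = true` inside `ssl_public_key_verify` itself instead of at the three call sites this commit edits. Any caller of the function that is not part of this diff would therefore also accept an invalid signature in a fuzzer-mode build; none is visible here, so it is worth confirming that this wider reach is intended. I would add, directly above the `#if`, `// Fuzzer mode accepts any signature once setup_ctx has succeeded, so algorithm and key checks still apply.` and `// This disables peer authentication and must never be defined in a production build.` Note also that `ERR_clear_error()` empties the whole error queue, not only the entries pushed by `EVP_DigestVerify`. The function's signature starts outside the hunk.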
diff --git a/ssl/test/runner/fuzzer_mode.json b/ssl/test/runner/fuzzer_mode.json
index 20e2d3f..0a50722 100644
--- a/ssl/test/runner/fuzzer_mode.json
+++ b/ssl/test/runner/fuzzer_mode.json
@@ -18,9 +18,6 @@
 "BadECDSA-*": "Fuzzer mode always accepts a signature.",
 "*-InvalidSignature-*": "Fuzzer mode always accepts a signature.",
- "*Auth-Verify-RSA_PKCS1_*-TLS13*": "Fuzzer mode always accepts a signature.",
- "*Auth-Verify-ECDSA_SHA1-TLS13*": "Fuzzer mode always accepts a signature.",
- "*Auth-Verify-ECDSA_P224_*-TLS13*": "Fuzzer mode always accepts a signature.",
 "Verify-*Auth-SignatureType*": "Fuzzer mode always accepts a signature.",
 "ECDSACurveMismatch-Verify-TLS13*": "Fuzzer mode always accepts a signature.",
 "InvalidChannelIDSignature-*": "Fuzzer mode always accepts a signature.",
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 2a290f4..1a49e4c 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -370,13 +370,8 @@
 return false;
 }
- bool sig_ok = ssl_public_key_verify(ssl, signature, signature_algorithm,
- hs->peer_pubkey.get(), input);
-#if defined(BORINGSSL_UNSAFE_FUZZER_MODE)
- sig_ok = true;
- ERR_clear_error();
-#endif
- if (!sig_ok) {
+ if (!ssl_public_key_verify(ssl, signature, signature_algorithm,
+ hs->peer_pubkey.get(), input)) {
 OPENSSL_PUT_ERROR(SSL, SSL_R_BAD_SIGNATURE);
 ssl_send_alert(ssl, SSL3_AL_FATAL, SSL_AD_DECRYPT_ERROR);
 return false;