Add fuzz testing for PKCS7_verify (#2051)

crypto/pkcs7/pkcs7.c

@@ -1206,6 +1206,12 @@ static BIO *pkcs7_data_decode(PKCS7 *p7, EVP_PKEY *pkey, X509 *pcert) {
     case NID_pkcs7_enveloped:
       rsk = p7->d.enveloped->recipientinfo;
       enc_alg = p7->d.enveloped->enc_data->algorithm;
+      if (enc_alg == NULL || enc_alg->parameter == NULL ||
+          enc_alg->parameter->value.octet_string == NULL ||
+          enc_alg->algorithm == NULL) {
+        OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB);
+        goto err;
+      }
       // |data_body| is NULL if the optional EncryptedContent is missing.
       data_body = p7->d.enveloped->enc_data->enc_data;
       cipher = EVP_get_cipherbynid(OBJ_obj2nid(enc_alg->algorithm));
@@ -1294,9 +1300,7 @@ static BIO *pkcs7_data_decode(PKCS7 *p7, EVP_PKEY *pkey, X509 *pcert) {
     goto err;
   }
   const int expected_iv_len = EVP_CIPHER_CTX_iv_length(evp_ctx);
-  if (enc_alg == NULL || enc_alg->parameter == NULL ||
-      enc_alg->parameter->value.octet_string == NULL ||
-      enc_alg->parameter->value.octet_string->length != expected_iv_len) {
+  if (enc_alg->parameter->value.octet_string->length != expected_iv_len) {
     OPENSSL_PUT_ERROR(PKCS7, ERR_R_PKCS7_LIB);
     goto err;
   }
@@ -1598,8 +1602,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     }
     // NOTE: unlike most of our functions, |X509_verify_cert| can return <= 0
     if (X509_verify_cert(cert_ctx) <= 0) {
+#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+      // For fuzz testing, we do not want to bail out early.
       OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_CERTIFICATE_VERIFY_ERROR);
       goto out;
+#endif
     }
   }
 
@@ -1615,8 +1622,11 @@ int PKCS7_verify(PKCS7 *p7, STACK_OF(X509) *certs, X509_STORE *store,
     PKCS7_SIGNER_INFO *si = sk_PKCS7_SIGNER_INFO_value(sinfos, ii);
     X509 *signer = sk_X509_value(signers, ii);
     if (!pkcs7_signature_verify(p7bio, p7, si, signer)) {
+#if !defined(BORINGSSL_UNSAFE_FUZZER_MODE)
+      // For fuzz testing, we do not want to bail out early.
       OPENSSL_PUT_ERROR(PKCS7, PKCS7_R_SIGNATURE_FAILURE);
       goto out;
+#endif
     }
   }
 

fuzz/CMakeLists.txt

@@ -30,6 +30,7 @@ fuzzer(ocsp_http)
 fuzzer(ocsp_parse_url)
 fuzzer(pkcs12)
 fuzzer(pkcs7_decrypt)
+fuzzer(pkcs7_verify)
 fuzzer(pkcs8)
 fuzzer(pkcs8_v2)
 fuzzer(privkey)

fuzz/pkcs7_verify.cc

@@ -0,0 +1,104 @@
+// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0 OR ISC
+
+#include <cstdint>
+#include <cstring>
+
+#include <openssl/bio.h>
+#include <openssl/err.h>
+#include <openssl/pem.h>
+#include <openssl/pkcs7.h>
+#include <openssl/rsa.h>
+#include <openssl/x509.h>
+
+static const char kCert[] = R"(
+-----BEGIN CERTIFICATE-----
+MIIFazCCA1OgAwIBAgIURVkPzF/4dwy7419Qk75uhIuyf0EwDQYJKoZIhvcNAQEL
+BQAwRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM
+GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yMTA5MjExOTIyMTJaFw0yMjA5
+MjExOTIyMTJaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggIiMA0GCSqGSIb3DQEB
+AQUAA4ICDwAwggIKAoICAQC1+MOn+BopcEVR4QMvjXdAxGkWFllXyQFDToL+qOiP
+RU1yN7C8KCtkbOAFttJIO4O/i0iZ7KqYbnmB6YUA/ONAcakocnrdoESgRJcVMeAx
+Dk/11OtMF5yIfeOOO/TUeVNmAUaT63gFbKy/adpqhzJtOv9BBl5VcYNGGSE+0wtb
+mjpmNsxunEQR1KLDc97fGYHeRfKoSyrCIEE8IaAEpKGR2Sku3v9Jwh7RpjupgiUA
+kH6pJk7VMZm5vl2wFjYvfysgjeN5ZtsxFDMaPYZStpxMxpNd5C9DsO2Ljp5NMpGf
+NGmG4ZqiaQg8z2cIM6ESmN1zDJdUh5IXed1fOxBZD/poUFH0wDRFWnvzlaPmjJEF
+rYLMK8svnE5nEQp9vu93ISFBx7cofs+niMaUXPEqaRSqruifN2M1it3kOf/8YZl1
+vurs+VtHD6nOJo6bd11+37aBidIB/BaWnzLrDmSTcPFa1tkTHwoLqc9+jThTq9jZ
+6w3lAMPpsoenyD19UmQB589+4kNp2SIO/TtzVQCGgQPXE2jDCl6G9aIPMkfvpPZK
+4THVil3WQRCFYnYdDO4HQXo2ZuC4RiqgY5ygfeoL+fa9k383lgxxAHQLS7xsbaVB
+40RmfdbdevgPYIwZNNO78ddRmMdSv6IknSW9gydGzY//btY+t1SWcBZWzn1Ewq8g
+2QIDAQABo1MwUTAdBgNVHQ4EFgQUotZD9ajEvnQYVezIWzcW4pzvMcUwHwYDVR0j
+BBgwFoAUotZD9ajEvnQYVezIWzcW4pzvMcUwDwYDVR0TAQH/BAUwAwEB/zANBgkq
+hkiG9w0BAQsFAAOCAgEAqCe42PIWoyLDx9bR+5cSp99N5xo5lLiSLtWx2emDbZB2
+AunqKYeEgIV+TWNF2w1SZ/ckFgV7SlL2Yl73N/veSNRfNAnpjLksGDFpdJb7YXrx
+cUvxdy1mr8oau6J7PC9JGjBTBrnhqwCQX1FtcAxODKll2Lsfuj6+bdC3rCK7KBEo
+ENamMJZIeo8lRP9qFF2xwCEzZjRv2zvB6O5o9045aTUcdCrwUfKE2sqY6EXRzFTC
+waK0HRCd1FLv9omhz/Ug5PMHP4d6MZfnAbFm+AzAhnpkrk/9TJYSOoNTNLWsuqhp
+dN0rKqiFWv1zIwfknXvTh1P1Ap+G5jffAca0zWUH1oKjE7ZZioSsaZ6gySnD8+WQ
+TPbOYtG+n0mhCH1TrU8Dqi3rd8g5IbC8loYLRH94QtodOnevD4Qo9Orfrsr8hGOW
+ABespanZArhoQ03DAtpNhtHm2NWJQF2uHNqcTrkq0omqZBTbMD1GKMBujoNooAUu
+w51U9r+RycPJTFqEGHb0nd7EjoyXEXtuX1Ld5fTZjQ9SszmQKQ8w3lHqRGNlkSiO
+e3IOOq2ruXmq1jykxpmi82IcTRUE8TZBfL/yz0nxpHKAYC1VwMezrkgZDGz4npxf
+1z2+qd58xU6/jsf7/+3xdPFubeEJujdbCkWQsQC5Rzm48zDWGq/pyzFji44K3TA=
+-----END CERTIFICATE-----
+)";
+
+class SharedData {
+public:
+  X509_STORE *store = nullptr;
+  STACK_OF(X509) *certs = nullptr;
+
+  SharedData() {
+    X509 *cert = nullptr;
+    {
+      BIO *cert_bio = BIO_new_mem_buf(const_cast<char *>(kCert), sizeof(kCert) - 1);
+      cert = PEM_read_bio_X509(cert_bio, nullptr, nullptr, nullptr);
+      BIO_free(cert_bio);
+    }
+    store = X509_STORE_new();
+    if (!store) {
+      abort();
+    }
+    if (!X509_STORE_add_cert(store, cert)) {
+      abort();
+    }
+    certs = sk_X509_new_null();
+    if (!certs || !sk_X509_unshift(certs, cert)) {
+      abort();
+    }
+    X509_free(cert);
+  }
+
+  ~SharedData() {
+    X509_STORE_free(store);
+    sk_X509_free(certs);
+  }
+};
+
+static SharedData sharedData;
+
+OPENSSL_BEGIN_ALLOW_DEPRECATED
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+  BIO* data_bio = nullptr;
+
+  PKCS7 *pkcs7 = d2i_PKCS7(nullptr, &buf, len);
+  if (!pkcs7) {
+    goto end;
+  }
+
+  static const char kSignedData[] = "signed data";
+  data_bio = BIO_new_mem_buf(kSignedData, strlen(kSignedData));
+  if (!data_bio) {
+    goto end;
+  }
+
+  PKCS7_verify(pkcs7, sharedData.certs, sharedData.store, data_bio, nullptr, 0);
+
+end:
+  BIO_free(data_bio);
+  PKCS7_free(pkcs7);
+  return 0;
+}
+OPENSSL_END_ALLOW_DEPRECATED

fuzz/pkcs7_verify_corpus/0232d6504fe16172b86cacaa0ebb822cf0c22fda

@@ -0,0 +1 @@
+>�

fuzz/pkcs7_verify_corpus/0641b103a7c5af87ab2ca3967a04ca3773388750

@@ -0,0 +1 @@
+05 0��

fuzz/pkcs7_verify_corpus/0a9bd6dbca87059e46b2fed7973fc02644f72b91

@@ -0,0 +1 @@
+�2�

fuzz/pkcs7_verify_corpus/0f865bca631f7a001ee4e8c254caaafedb011a7c

@@ -0,0 +1 @@
+��Á
5

fuzz/pkcs7_verify_corpus/217f2e451d7c8557679b980ff14426c86eb8713a

@@ -0,0 +1 @@
+;�

fuzz/pkcs7_verify_corpus/2c51f3479b2cf87daf298b3f7e5fe93cb8359266

@@ -0,0 +1 @@
+9�

fuzz/pkcs7_verify_corpus/2ec052144de4196eba980a45618e7b0c8790a72d

@@ -0,0 +1 @@
+�

fuzz/pkcs7_verify_corpus/2efd07909f95d84de40ebb8b2bc8f3d734939f2d

@@ -0,0 +1 @@
+0	*�H��


fuzz/pkcs7_verify_corpus/342a3f726ac4760ad4b9d444e8a3a9bbdeade8d4

@@ -0,0 +1 @@
+%

fuzz/pkcs7_verify_corpus/40e89aec926a5d4cc19463466efcb3c1debf42ee

@@ -0,0 +1 @@
+$�

fuzz/pkcs7_verify_corpus/41790e805080a69a21fb63e4e09ae9d0cc6a6aeb

@@ -0,0 +1 @@
+_2

fuzz/pkcs7_verify_corpus/418348e67f9bec057a33fcde20402ef0985b8e01

@@ -0,0 +1 @@
+9�9�

fuzz/pkcs7_verify_corpus/65cc90263dec0020ceabc727d33aa587e57fc175

@@ -0,0 +1 @@
+��

fuzz/pkcs7_verify_corpus/6eb294114a1b0e6ce73d7e5cd98a47c939660551

@@ -0,0 +1 @@
+:�

fuzz/pkcs7_verify_corpus/766520c5db2c787520b2b596e92e91c527b8b140

@@ -0,0 +1 @@
+0%	1;�������0���C��ľtU��[6��1�

fuzz/pkcs7_verify_corpus/78726b03706a3922f47866d7e7dabf9368730518

@@ -0,0 +1 @@
+:
�