X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=test%2Fcmp_vfy_test.c;h=646d1a9aa1f148ae3fed1f679a29fe1b51350ee2;hp=41ddad86ba8a4abc629bcf8bb447bb87c7f29d5b;hb=HEAD;hpb=31b28ad96aa841ae39d4009ebb15d90f2a2afdab diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c index 41ddad86ba..4ce309992f 100644 --- a/test/cmp_vfy_test.c +++ b/test/cmp_vfy_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2007-2019 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2007-2023 The OpenSSL Project Authors. All Rights Reserved. * Copyright Nokia 2007-2019 * Copyright Siemens AG 2015-2019 * @@ -9,7 +9,7 @@ * https://www.openssl.org/source/license.html */ -#include "cmp_testlib.h" +#include "helpers/cmp_testlib.h" #include "../crypto/crmf/crmf_local.h" /* for manipulating POPO signature */ static const char *server_f; @@ -37,6 +37,9 @@ typedef struct test_fixture { int additional_arg; } CMP_VFY_TEST_FIXTURE; +static OSSL_LIB_CTX *libctx = NULL; +static OSSL_PROVIDER *default_null_provider = NULL, *provider = NULL; + static void tear_down(CMP_VFY_TEST_FIXTURE *fixture) { OSSL_CMP_MSG_free(fixture->msg); @@ -44,32 +47,28 @@ static void tear_down(CMP_VFY_TEST_FIXTURE *fixture) OPENSSL_free(fixture); } -static int print_to_bio_out(const char *func, const char *file, int line, - OSSL_CMP_severity level, const char *msg) -{ - return OSSL_CMP_print_to_bio(bio_out, func, file, line, level, msg); -} - static time_t test_time_valid = 0, test_time_after_expiration = 0; static CMP_VFY_TEST_FIXTURE *set_up(const char *const test_case_name) { - X509_STORE *ts = X509_STORE_new(); + X509_STORE *ts; CMP_VFY_TEST_FIXTURE *fixture; if (!TEST_ptr(fixture = OPENSSL_zalloc(sizeof(*fixture)))) return NULL; + + ts = X509_STORE_new(); fixture->test_case_name = test_case_name; if (ts == NULL - || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new()) - || !OSSL_CMP_CTX_set0_trustedStore(fixture->cmp_ctx, ts) + || !TEST_ptr(fixture->cmp_ctx = OSSL_CMP_CTX_new(libctx, NULL)) + || !OSSL_CMP_CTX_set0_trusted(fixture->cmp_ctx, ts) || !OSSL_CMP_CTX_set_log_cb(fixture->cmp_ctx, print_to_bio_out)) { tear_down(fixture); X509_STORE_free(ts); return NULL; } X509_VERIFY_PARAM_set_time(X509_STORE_get0_param(ts), test_time_valid); - X509_STORE_set_verify_cb(ts, OSSL_CMP_print_cert_verify_cb); + X509_STORE_set_verify_cb(ts, X509_STORE_CTX_print_verify_cb); return fixture; } @@ -84,6 +83,12 @@ static X509 *insta_cert = NULL, *instaca_cert = NULL; static unsigned char rand_data[OSSL_CMP_TRANSACTIONID_LENGTH]; static OSSL_CMP_MSG *ir_unprotected, *ir_rmprotection; +/* secret value used for IP_waitingStatus_PBM.der */ +static const unsigned char sec_1[] = { + '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', + 'Q', '-', 'u', 'd', 'N', 'R' +}; + static int flip_bit(ASN1_BIT_STRING *bitstr) { int bit_num = 7; @@ -94,16 +99,17 @@ static int flip_bit(ASN1_BIT_STRING *bitstr) static int execute_verify_popo_test(CMP_VFY_TEST_FIXTURE *fixture) { - if ((fixture->msg = load_pkimsg(ir_protected_f)) == NULL) + if ((fixture->msg = load_pkimsg(ir_protected_f, libctx)) == NULL) return 0; if (fixture->expected == 0) { const OSSL_CRMF_MSGS *reqs = fixture->msg->body->value.ir; const OSSL_CRMF_MSG *req = sk_OSSL_CRMF_MSG_value(reqs, 0); + if (req == NULL || !flip_bit(req->popo->value.signature->signature)) return 0; } return TEST_int_eq(fixture->expected, - ossl_cmp_verify_popo(fixture->msg, + ossl_cmp_verify_popo(fixture->cmp_ctx, fixture->msg, fixture->additional_arg)); } @@ -115,6 +121,7 @@ static int test_verify_popo(void) return result; } +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_verify_popo_bad(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); @@ -122,16 +129,22 @@ static int test_verify_popo_bad(void) EXECUTE_TEST(execute_verify_popo_test, tear_down); return result; } +#endif +/* indirectly checks also OSSL_CMP_validate_msg() */ static int execute_validate_msg_test(CMP_VFY_TEST_FIXTURE *fixture) { - return TEST_int_eq(fixture->expected, - OSSL_CMP_validate_msg(fixture->cmp_ctx, fixture->msg)); + int res = TEST_int_eq(fixture->expected, + ossl_cmp_msg_check_update(fixture->cmp_ctx, + fixture->msg, NULL, 0)); + X509 *validated = OSSL_CMP_CTX_get0_validatedSrvCert(fixture->cmp_ctx); + + return res && (!fixture->expected || TEST_ptr_eq(validated, fixture->cert)); } static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) { - X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); + X509_STORE *ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx); int res = TEST_int_eq(fixture->expected, OSSL_CMP_validate_cert_path(fixture->cmp_ctx, ts, fixture->cert)); @@ -140,19 +153,16 @@ static int execute_validate_cert_path_test(CMP_VFY_TEST_FIXTURE *fixture) return res; } -static int test_validate_msg_mac_alg_protection(void) +static int test_validate_msg_mac_alg_protection(int miss, int wrong) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - /* secret value belonging to cmp-test/CMP_IP_waitingStatus_PBM.der */ - const unsigned char sec_1[] = { - '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', - 'Q', '-', 'u', 'd', 'N', 'R' - }; + fixture->cert = NULL; - fixture->expected = 1; - if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, - sizeof(sec_1))) - || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) { + fixture->expected = !miss && !wrong; + if (!TEST_true(miss ? OSSL_CMP_CTX_set0_trusted(fixture->cmp_ctx, NULL) + : OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_1, + wrong ? 4 : sizeof(sec_1))) + || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f, libctx))) { tear_down(fixture); fixture = NULL; } @@ -160,49 +170,72 @@ static int test_validate_msg_mac_alg_protection(void) return result; } +static int test_validate_msg_mac_alg_protection_ok(void) +{ + return test_validate_msg_mac_alg_protection(0, 0); +} + +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static int test_validate_msg_mac_alg_protection_missing(void) +{ + return test_validate_msg_mac_alg_protection(1, 0); +} + +static int test_validate_msg_mac_alg_protection_wrong(void) +{ + return test_validate_msg_mac_alg_protection(0, 1); +} + static int test_validate_msg_mac_alg_protection_bad(void) { - SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); const unsigned char sec_bad[] = { '9', 'p', 'p', '8', '-', 'b', '3', '5', 'i', '-', 'X', 'd', '3', 'Q', '-', 'u', 'd', 'N', 'r' }; + + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = NULL; fixture->expected = 0; if (!TEST_true(OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, sec_bad, sizeof(sec_bad))) - || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f))) { + || !TEST_ptr(fixture->msg = load_pkimsg(ip_waiting_f, libctx))) { tear_down(fixture); fixture = NULL; } EXECUTE_TEST(execute_validate_msg_test, tear_down); return result; } +#endif static int add_trusted(OSSL_CMP_CTX *ctx, X509 *cert) { - return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trustedStore(ctx), cert); + return X509_STORE_add_cert(OSSL_CMP_CTX_get0_trusted(ctx), cert); } static int add_untrusted(OSSL_CMP_CTX *ctx, X509 *cert) { - return ossl_cmp_sk_X509_add1_cert(OSSL_CMP_CTX_get0_untrusted_certs(ctx), - cert, 0, 0); + return X509_add_cert(OSSL_CMP_CTX_get0_untrusted(ctx), cert, + X509_ADD_FLAG_UP_REF); } static int test_validate_msg_signature_partial_chain(int expired) { + X509_STORE *ts; + SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore(fixture->cmp_ctx); + fixture->cert = srvcert; + ts = OSSL_CMP_CTX_get0_trusted(fixture->cmp_ctx); fixture->expected = !expired; if (ts == NULL - || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) + || !TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) || !add_trusted(fixture->cmp_ctx, srvcert)) { tear_down(fixture); fixture = NULL; } else { X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN); if (expired) X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); @@ -216,17 +249,24 @@ static int test_validate_msg_signature_trusted_ok(void) return test_validate_msg_signature_partial_chain(0); } +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_signature_trusted_expired(void) { return test_validate_msg_signature_partial_chain(1); } +#endif -static int test_validate_msg_signature_srvcert_wrong(void) +static int test_validate_msg_signature_srvcert(int bad_sig, int miss, int wrong) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - fixture->expected = 0; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) - || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, clcert))) { + fixture->cert = srvcert; + fixture->expected = !bad_sig && !wrong && !miss; + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) + || !TEST_true(miss ? OSSL_CMP_CTX_set1_secretValue(fixture->cmp_ctx, + sec_1, sizeof(sec_1)) + : OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, + wrong? clcert : srvcert)) + || (bad_sig && !flip_bit(fixture->msg->protection))) { tear_down(fixture); fixture = NULL; } @@ -234,35 +274,36 @@ static int test_validate_msg_signature_srvcert_wrong(void) return result; } -static int test_validate_msg_signature_srvcert(int bad_sig) +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static int test_validate_msg_signature_srvcert_missing(void) { - SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - fixture->expected = !bad_sig; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) - || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert)) - || (bad_sig && !flip_bit(fixture->msg->protection))) { - tear_down(fixture); - fixture = NULL; - } - EXECUTE_TEST(execute_validate_msg_test, tear_down); - return result; + return test_validate_msg_signature_srvcert(0, 1, 0); +} +#endif + +static int test_validate_msg_signature_srvcert_wrong(void) +{ + return test_validate_msg_signature_srvcert(0, 0, 1); } +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_signature_bad(void) { - return test_validate_msg_signature_srvcert(1); + return test_validate_msg_signature_srvcert(1, 0, 0); } +#endif static int test_validate_msg_signature_sender_cert_srvcert(void) { - return test_validate_msg_signature_srvcert(0); + return test_validate_msg_signature_srvcert(0, 0, 0); } static int test_validate_msg_signature_sender_cert_untrusted(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = insta_cert; fixture->expected = 1; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts)) + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx)) || !add_trusted(fixture->cmp_ctx, instaca_cert) || !add_untrusted(fixture->cmp_ctx, insta_cert)) { tear_down(fixture); @@ -275,8 +316,9 @@ static int test_validate_msg_signature_sender_cert_untrusted(void) static int test_validate_msg_signature_sender_cert_trusted(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = insta_cert; fixture->expected = 1; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts)) + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts, libctx)) || !add_trusted(fixture->cmp_ctx, instaca_cert) || !add_trusted(fixture->cmp_ctx, insta_cert)) { tear_down(fixture); @@ -290,34 +332,37 @@ static int test_validate_msg_signature_sender_cert_extracert(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); fixture->expected = 1; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts)) + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_2_extracerts, libctx)) || !add_trusted(fixture->cmp_ctx, instaca_cert)) { tear_down(fixture); fixture = NULL; } + fixture->cert = sk_X509_value(fixture->msg->extraCerts, 1); /* Insta CA */ EXECUTE_TEST(execute_validate_msg_test, tear_down); return result; } - +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_signature_sender_cert_absent(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); fixture->expected = 0; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_0_extracerts))) { + if (!TEST_ptr(fixture->msg = + load_pkimsg(ir_protected_0_extracerts, libctx))) { tear_down(fixture); fixture = NULL; } EXECUTE_TEST(execute_validate_msg_test, tear_down); return result; } +#endif - -static int test_validate_with_sender(X509_NAME *name, int expected) +static int test_validate_with_sender(const X509_NAME *name, int expected) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); + fixture->cert = srvcert; fixture->expected = expected; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f)) + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_protected_f, libctx)) || !TEST_true(OSSL_CMP_CTX_set1_expected_sender(fixture->cmp_ctx, name)) || !TEST_true(OSSL_CMP_CTX_set1_srvCert(fixture->cmp_ctx, srvcert))) { tear_down(fixture); @@ -337,25 +382,28 @@ static int test_validate_msg_signature_unexpected_sender(void) return test_validate_with_sender(X509_get_subject_name(root), 0); } +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION static int test_validate_msg_unprotected_request(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); fixture->expected = 0; - if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f))) { + if (!TEST_ptr(fixture->msg = load_pkimsg(ir_unprotected_f, libctx))) { tear_down(fixture); fixture = NULL; } EXECUTE_TEST(execute_validate_msg_test, tear_down); return result; } +#endif static void setup_path(CMP_VFY_TEST_FIXTURE **fixture, X509 *wrong, int expired) { (*fixture)->cert = endentity2; (*fixture)->expected = wrong == NULL && !expired; if (expired) { - X509_STORE *ts = OSSL_CMP_CTX_get0_trustedStore((*fixture)->cmp_ctx); + X509_STORE *ts = OSSL_CMP_CTX_get0_trusted((*fixture)->cmp_ctx); X509_VERIFY_PARAM *vpm = X509_STORE_get0_param(ts); + X509_VERIFY_PARAM_set_time(vpm, test_time_after_expiration); } if (!add_trusted((*fixture)->cmp_ctx, wrong == NULL ? root : wrong) @@ -390,19 +438,19 @@ static int test_validate_cert_path_expired(void) return result; } -static int execute_MSG_check_received_test(CMP_VFY_TEST_FIXTURE *fixture) +static int execute_msg_check_test(CMP_VFY_TEST_FIXTURE *fixture) { const OSSL_CMP_PKIHEADER *hdr = OSSL_CMP_MSG_get0_header(fixture->msg); const ASN1_OCTET_STRING *tid = OSSL_CMP_HDR_get0_transactionID(hdr); if (!TEST_int_eq(fixture->expected, - ossl_cmp_msg_check_received(fixture->cmp_ctx, - fixture->msg, - fixture->allow_unprotected_cb, - fixture->additional_arg))) + ossl_cmp_msg_check_update(fixture->cmp_ctx, + fixture->msg, + fixture->allow_unprotected_cb, + fixture->additional_arg))) return 0; - if (fixture->expected < 0) /* error expected aready during above check */ + if (fixture->expected == 0) /* error expected already during above check */ return 1; return TEST_int_eq(0, @@ -419,10 +467,10 @@ static int allow_unprotected(const OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg, return allow; } -static void setup_check_received(CMP_VFY_TEST_FIXTURE **fixture, int expected, - ossl_cmp_allow_unprotected_cb_t cb, int arg, - const unsigned char *trid_data, - const unsigned char *nonce_data) +static void setup_check_update(CMP_VFY_TEST_FIXTURE **fixture, int expected, + ossl_cmp_allow_unprotected_cb_t cb, int arg, + const unsigned char *trid_data, + const unsigned char *nonce_data) { OSSL_CMP_CTX *ctx = (*fixture)->cmp_ctx; int nonce_len = OSSL_CMP_SENDERNONCE_LENGTH; @@ -437,9 +485,9 @@ static void setup_check_received(CMP_VFY_TEST_FIXTURE **fixture, int expected, nonce_data, nonce_len))) { tear_down((*fixture)); (*fixture) = NULL; - } - else if (trid_data != NULL) { + } else if (trid_data != NULL) { ASN1_OCTET_STRING *trid = ASN1_OCTET_STRING_new(); + if (trid == NULL || !ASN1_OCTET_STRING_set(trid, trid_data, OSSL_CMP_TRANSACTIONID_LENGTH) @@ -451,32 +499,33 @@ static void setup_check_received(CMP_VFY_TEST_FIXTURE **fixture, int expected, } } -static int test_MSG_check_received_no_protection_no_cb(void) +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static int test_msg_check_no_protection_no_cb(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, -1, NULL, 0, NULL, NULL); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 0, NULL, 0, NULL, NULL); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } -static int test_MSG_check_received_no_protection_restrictive_cb(void) +static int test_msg_check_no_protection_restrictive_cb(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, -1, allow_unprotected, 0, NULL, NULL); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 0, allow_unprotected, 0, NULL, NULL); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } +#endif -static int test_MSG_check_received_no_protection_permissive_cb(void) +static int test_msg_check_no_protection_permissive_cb(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, - NULL, NULL); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 1, allow_unprotected, 1, NULL, NULL); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } -static int test_MSG_check_received_check_transaction_id(void) +static int test_msg_check_transaction_id(void) { /* Transaction id belonging to CMP_IR_rmprotection.der */ const unsigned char trans_id[OSSL_CMP_TRANSACTIONID_LENGTH] = { @@ -485,21 +534,22 @@ static int test_MSG_check_received_check_transaction_id(void) }; SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, - trans_id, NULL); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 1, allow_unprotected, 1, trans_id, NULL); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } -static int test_MSG_check_received_check_transaction_id_bad(void) +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static int test_msg_check_transaction_id_bad(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, -1, allow_unprotected, 1, rand_data, NULL); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 0, allow_unprotected, 1, rand_data, NULL); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } +#endif -static int test_MSG_check_received_check_recipient_nonce(void) +static int test_msg_check_recipient_nonce(void) { /* Recipient nonce belonging to CMP_IP_ir_rmprotection.der */ const unsigned char rec_nonce[OSSL_CMP_SENDERNONCE_LENGTH] = { @@ -508,19 +558,20 @@ static int test_MSG_check_received_check_recipient_nonce(void) }; SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, OSSL_CMP_PKIBODY_IP, allow_unprotected, 1, - NULL, rec_nonce); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 1, allow_unprotected, 1, NULL, rec_nonce); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } -static int test_MSG_check_received_check_recipient_nonce_bad(void) +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION +static int test_msg_check_recipient_nonce_bad(void) { SETUP_TEST_FIXTURE(CMP_VFY_TEST_FIXTURE, set_up); - setup_check_received(&fixture, -1, allow_unprotected, 1, NULL, rand_data); - EXECUTE_TEST(execute_MSG_check_received_test, tear_down); + setup_check_update(&fixture, 0, allow_unprotected, 1, NULL, rand_data); + EXECUTE_TEST(execute_msg_check_test, tear_down); return result; } +#endif void cleanup_tests(void) { @@ -534,9 +585,22 @@ void cleanup_tests(void) X509_free(instaca_cert); OSSL_CMP_MSG_free(ir_unprotected); OSSL_CMP_MSG_free(ir_rmprotection); + OSSL_PROVIDER_unload(default_null_provider); + OSSL_PROVIDER_unload(provider); + OSSL_LIB_CTX_free(libctx); return; } +#define USAGE "server.crt client.crt " \ + "EndEntity1.crt EndEntity2.crt " \ + "Root_CA.crt Intermediate_CA.crt " \ + "CMP_IR_protected.der CMP_IR_unprotected.der " \ + "IP_waitingStatus_PBM.der IR_rmprotection.der " \ + "insta.cert.pem insta_ca.cert.pem " \ + "IR_protected_0_extraCerts.der " \ + "IR_protected_2_extraCerts.der module_name [module_conf_file]\n" +OPT_TEST_DECLARE_USAGE(USAGE) + int setup_tests(void) { /* Set test time stamps */ @@ -549,6 +613,11 @@ int setup_tests(void) ts.tm_year += 10; /* February 18th 2028 */ test_time_after_expiration = mktime(&ts); + if (!test_skip_common_options()) { + TEST_error("Error parsing test options\n"); + return 0; + } + RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH); if (!TEST_ptr(server_f = test_get_argument(0)) || !TEST_ptr(client_f = test_get_argument(1)) @@ -564,68 +633,86 @@ int setup_tests(void) || !TEST_ptr(instaca_f = test_get_argument(11)) || !TEST_ptr(ir_protected_0_extracerts = test_get_argument(12)) || !TEST_ptr(ir_protected_2_extracerts = test_get_argument(13))) { - TEST_error("usage: cmp_vfy_test server.crt client.crt " - "EndEntity1.crt EndEntity2.crt " - "Root_CA.crt Intermediate_CA.crt " - "CMP_IR_protected.der CMP_IR_unprotected.der " - "IP_waitingStatus_PBM.der IR_rmprotection.der " - "insta.cert.pem insta_ca.cert.pem " - "IR_protected_0_extraCerts.der " - "IR_protected_2_extraCerts.der\n"); + TEST_error("usage: cmp_vfy_test %s", USAGE); return 0; } + if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 14, USAGE)) + return 0; + /* Load certificates for cert chain */ - if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f)) - || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f)) - || !TEST_ptr(root = load_pem_cert(root_f)) - || !TEST_ptr(intermediate = load_pem_cert(intermediate_f))) + if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx)) + || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx)) + || !TEST_ptr(root = load_cert_pem(root_f, NULL)) + || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx))) goto err; - if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f)) - || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f))) + if (!TEST_ptr(insta_cert = load_cert_pem(instacert_f, libctx)) + || !TEST_ptr(instaca_cert = load_cert_pem(instaca_f, libctx))) goto err; /* Load certificates for message validation */ - if (!TEST_ptr(srvcert = load_pem_cert(server_f)) - || !TEST_ptr(clcert = load_pem_cert(client_f))) + if (!TEST_ptr(srvcert = load_cert_pem(server_f, libctx)) + || !TEST_ptr(clcert = load_cert_pem(client_f, libctx))) goto err; if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH))) goto err; - if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)) - || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f))) + if (!TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f, libctx)) + || !TEST_ptr(ir_rmprotection = load_pkimsg(ir_rmprotection_f, + libctx))) goto err; /* Message validation tests */ ADD_TEST(test_verify_popo); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_verify_popo_bad); +#endif ADD_TEST(test_validate_msg_signature_trusted_ok); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_validate_msg_signature_trusted_expired); + ADD_TEST(test_validate_msg_signature_srvcert_missing); +#endif ADD_TEST(test_validate_msg_signature_srvcert_wrong); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_validate_msg_signature_bad); +#endif ADD_TEST(test_validate_msg_signature_sender_cert_srvcert); ADD_TEST(test_validate_msg_signature_sender_cert_untrusted); ADD_TEST(test_validate_msg_signature_sender_cert_trusted); ADD_TEST(test_validate_msg_signature_sender_cert_extracert); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_validate_msg_signature_sender_cert_absent); +#endif ADD_TEST(test_validate_msg_signature_expected_sender); ADD_TEST(test_validate_msg_signature_unexpected_sender); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION ADD_TEST(test_validate_msg_unprotected_request); - ADD_TEST(test_validate_msg_mac_alg_protection); +#endif + ADD_TEST(test_validate_msg_mac_alg_protection_ok); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + ADD_TEST(test_validate_msg_mac_alg_protection_missing); + ADD_TEST(test_validate_msg_mac_alg_protection_wrong); ADD_TEST(test_validate_msg_mac_alg_protection_bad); +#endif /* Cert path validation tests */ ADD_TEST(test_validate_cert_path_ok); ADD_TEST(test_validate_cert_path_expired); ADD_TEST(test_validate_cert_path_wrong_anchor); - ADD_TEST(test_MSG_check_received_no_protection_no_cb); - ADD_TEST(test_MSG_check_received_no_protection_restrictive_cb); - ADD_TEST(test_MSG_check_received_no_protection_permissive_cb); - ADD_TEST(test_MSG_check_received_check_transaction_id); - ADD_TEST(test_MSG_check_received_check_transaction_id_bad); - ADD_TEST(test_MSG_check_received_check_recipient_nonce); - ADD_TEST(test_MSG_check_received_check_recipient_nonce_bad); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + ADD_TEST(test_msg_check_no_protection_no_cb); + ADD_TEST(test_msg_check_no_protection_restrictive_cb); +#endif + ADD_TEST(test_msg_check_no_protection_permissive_cb); + ADD_TEST(test_msg_check_transaction_id); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + ADD_TEST(test_msg_check_transaction_id_bad); +#endif + ADD_TEST(test_msg_check_recipient_nonce); +#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION + ADD_TEST(test_msg_check_recipient_nonce_bad); +#endif return 1;