Add a fuzzer to check CBS is a DER parser.

ECDSA_verify does a runtime check that our parser round-trips, but that
should already be true. Add a fuzzer to ensure it.

Change-Id: I396863b8f9ed66c6296cfb16f7197a63ae99e156
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/52733
Reviewed-by: Adam Langley <agl@google.com>

fuzz/CMakeLists.txt

@@ -30,3 +30,4 @@ fuzzer(dtls_client ssl)
 fuzzer(ssl_ctx_api ssl)
 fuzzer(session ssl)
 fuzzer(decode_client_hello_inner ssl)
+fuzzer(der_roundtrip)

fuzz/der_roundtrip.cc

@@ -0,0 +1,57 @@
+/* Copyright (c) 2022, Google Inc.
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
+ * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
+ * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
+ * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */
+
+#include <stdlib.h>
+#include <string.h>
+
+#include <openssl/bytestring.h>
+#include <openssl/ecdsa.h>
+#include <openssl/mem.h>
+
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+  CBS cbs, body;
+  unsigned tag;
+  CBS_init(&cbs, buf, len);
+  if (CBS_get_any_asn1(&cbs, &body, &tag)) {
+    // DER has a unique encoding, so any parsed input should round-trip
+    // correctly.
+    size_t consumed = len - CBS_len(&cbs);
+    bssl::ScopedCBB cbb;
+    CBB body_cbb;
+    if (!CBB_init(cbb.get(), consumed) ||
+        !CBB_add_asn1(cbb.get(), &body_cbb, tag) ||
+        !CBB_add_bytes(&body_cbb, CBS_data(&body), CBS_len(&body)) ||
+        !CBB_flush(cbb.get()) ||
+        CBB_len(cbb.get()) != consumed ||
+        memcmp(CBB_data(cbb.get()), buf, consumed) != 0) {
+      abort();
+    }
+  }
+
+  ECDSA_SIG *sig = ECDSA_SIG_from_bytes(buf, len);
+  if (sig != NULL) {
+    uint8_t *enc;
+    size_t enc_len;
+    if (!ECDSA_SIG_to_bytes(&enc, &enc_len, sig) ||
+        enc_len != len ||
+        memcmp(buf, enc, len) != 0) {
+      abort();
+    }
+    OPENSSL_free(enc);
+    ECDSA_SIG_free(sig);
+  }
+
+  return 0;
+}

fuzz/der_roundtrip_corpus/082a991742f652549e4b207100ee521f474e0a99

@@ -0,0 +1 @@
+0
<EFBFBD>

fuzz/der_roundtrip_corpus/13e484c406efe97dc9d91f8b80a27b0e597c34da

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>3

fuzz/der_roundtrip_corpus/163605136e22f5b5302fe60d1f17837bee6b6b2b

@@ -0,0 +1 @@
+0



fuzz/der_roundtrip_corpus/1a96ec99b487b93052cd860c447e6d126dcc36d4

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD>

fuzz/der_roundtrip_corpus/1cc9ad96fcee279e8589b7071c7a0ccd111098f2

@@ -0,0 +1 @@
+0
]

fuzz/der_roundtrip_corpus/229b8e1825512868e0e11a199ed71231dd41bb4f

@@ -0,0 +1 @@
+0;-:<EFBFBD><EFBFBD><EFBFBD>

fuzz/der_roundtrip_corpus/396d197005432accf99bf0f483286e459eb24063

@@ -0,0 +1 @@
+<EFBFBD>鋿<EFBFBD>ﾔﾔ

fuzz/der_roundtrip_corpus/3c75fe79266cf639f2180722a3f03f8fc3e25685

@@ -0,0 +1 @@
+0+H[<EFBFBD>

fuzz/der_roundtrip_corpus/3fbb104fb0eb6cae4af34d8a516998336b3a6778

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD>3

fuzz/der_roundtrip_corpus/4bd69e424b6fa38f9e63e58b8d0e95ac2d38d598

@@ -0,0 +1 @@
+0
0

fuzz/der_roundtrip_corpus/52d2c7efcd7da0eb7463829e05a598e36729bfae

@@ -0,0 +1 @@
+3

fuzz/der_roundtrip_corpus/53ea84c48a5792281a46eb5a9c896d54ea3f1838

@@ -0,0 +1 @@
+n<EFBFBD>

fuzz/der_roundtrip_corpus/5bab61eb53176449e25c2c82f172b82cb13ffb9d

@@ -0,0 +1 @@
+?

fuzz/der_roundtrip_corpus/6cad8b2a41194372ec897bece6512fe8331e274d

@@ -0,0 +1 @@
+;<EFBFBD>

fuzz/der_roundtrip_corpus/77de68daecd823babbb58edb1c8e14d7106e83bb

@@ -0,0 +1 @@
+3

fuzz/der_roundtrip_corpus/872ba8af52a8c1380c388bab0e20bec2e729db80

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD>

fuzz/der_roundtrip_corpus/935a69e9f3bfa1dd3bf058fa3e1b953e82195de6

@@ -0,0 +1 @@
+0<EFBFBD><EFBFBD><EFBFBD>

fuzz/der_roundtrip_corpus/a457945cb86ec812235f407ed70fe72fbaf694a1

@@ -0,0 +1 @@
+<EFBFBD><EFBFBD><EFBFBD>ﾔﾔﾔﾔ

fuzz/der_roundtrip_corpus/a4fc609a6546fc0061f499f0faed9054fd388c9a

@@ -0,0 +1 @@
+00E 

fuzz/der_roundtrip_corpus/a7c13e6fe60eee08b9aac00a095a9301ea1a9824

@@ -0,0 +1 @@
+@@

fuzz/der_roundtrip_corpus/b37e0f6fa42840c773747c4cb608c278ab65021d

@@ -0,0 +1 @@
+wはｳ

fuzz/der_roundtrip_corpus/b95311782071c4d9182c0effe32487fc5cdbd33d

@@ -0,0 +1 @@
+0<<EFBFBD>

fuzz/der_roundtrip_corpus/bc26b8c794ac0adf948cbca02e88b3901824ef17

@@ -0,0 +1 @@
+0<EFBFBD>

fuzz/der_roundtrip_corpus/bc7b23c2c68e4ad33ecea493ff6e60d423371cd0

@@ -0,0 +1 @@
+<EFBFBD>胲呍性栽<EFBFBD>

fuzz/der_roundtrip_corpus/ceee46f04a09ef5d3342ef25d9f483e861727575

@@ -0,0 +1 @@
+0€€

fuzz/der_roundtrip_corpus/d18c30ba21e0d085dd983ad528f2c9001285d3d2

@@ -0,0 +1 @@
+0<EFBFBD>e

fuzz/der_roundtrip_corpus/d2c00146b2f2bcb4c6cecb731d2062273523d8c8

@@ -0,0 +1 @@
+0<EFBFBD>€

fuzz/der_roundtrip_corpus/defce76f0d3c3e057bb623986bacee7bbd07d1a1

@@ -0,0 +1 @@
+?<EFBFBD>

fuzz/der_roundtrip_corpus/e5b420f71cf412bd9fdebdd46245fabd1f3462e5

@@ -0,0 +1 @@
+0<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_