Diffstat (limited to 'security/nss/fuzz')
-rw-r--r--security/nss/fuzz/config/clone_libfuzzer.sh2
-rw-r--r--security/nss/fuzz/config/git-copy.sh27
-rw-r--r--security/nss/fuzz/mpi_expmod_target.cc9
-rw-r--r--security/nss/fuzz/mpi_helper.cc6
-rw-r--r--security/nss/fuzz/mpi_helper.h1
-rw-r--r--security/nss/fuzz/tls_mutators.cc31
-rw-r--r--security/nss/fuzz/tls_socket.h1
7 files changed, 52 insertions, 25 deletions
diff --git a/security/nss/fuzz/config/clone_libfuzzer.sh b/security/nss/fuzz/config/clone_libfuzzer.sh
index f1dc2e14bb..c516057d78 100644
--- a/security/nss/fuzz/config/clone_libfuzzer.sh
+++ b/security/nss/fuzz/config/clone_libfuzzer.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-LIBFUZZER_REVISION=56bd1d43451cca4b6a11d3be316bb77ab159b09d
+LIBFUZZER_REVISION=6937e68f927b6aefe526fcb9db8953f497e6e74d
d=$(dirname $0)
$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer
diff --git a/security/nss/fuzz/config/git-copy.sh b/security/nss/fuzz/config/git-copy.sh
index a5c7d371da..a9e817e2a6 100644
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@@ -7,18 +7,18 @@ if [ $# -lt 3 ]; then
exit 2
fi
-REPO=$1
-COMMIT=$2
-DIR=$3
+REPO="$1"
+COMMIT="$2"
+DIR="$3"
echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
-if [ -f $DIR/.git-copy ]; then
- CURRENT=$(cat $DIR/.git-copy)
- if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
+if [ -f "$DIR"/.git-copy ]; then
+ CURRENT=$(cat "$DIR"/.git-copy)
+ if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then
# On the off chance that $COMMIT is a remote head.
- ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
+ ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -)
else
- ACTUAL=$COMMIT
+ ACTUAL="$COMMIT"
fi
if [ "$CURRENT" = "$ACTUAL" ]; then
echo "Up to date."
@@ -26,8 +26,9 @@ if [ -f $DIR/.git-copy ]; then
fi
fi
-git init -q $DIR
-git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
-git -C $DIR reset --hard git-copy-tmp
-git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
-rm -rf $DIR/.git
+rm -rf "$DIR"
+git init -q "$DIR"
+git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
+git -C "$DIR" reset --hard git-copy-tmp
+git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
+rm -rf "$DIR"/.git
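Review bot: The newly added `rm -rf "$DIR"` ahead of `git init` runs with no sanity check on `$DIR`: the script only verifies `$# -lt 3`, so a caller passing an empty string, `.`, `..` or `/` would recursively delete the wrong tree instead of the stale copy the line is meant to clear. A short guard before the rm keeps the new behaviour for the intended case, e.g. `case "$DIR" in ""|.|..|/) echo "refusing to remove '$DIR'" >&2; exit 2;; esac`. Deleting before the fetch also means a failed fetch now leaves no copy at all, which is worth a one-line comment so nobody later "fixes" the ordering without understanding it.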
diff --git a/security/nss/fuzz/mpi_expmod_target.cc b/security/nss/fuzz/mpi_expmod_target.cc
index ed31da354b..b9be5854fb 100644
--- a/security/nss/fuzz/mpi_expmod_target.cc
+++ b/security/nss/fuzz/mpi_expmod_target.cc
@@ -19,6 +19,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
auto modulus = get_modulus(data, size, ctx);
// Compare with OpenSSL exp mod
m1 = &std::get<1>(modulus);
+ // The exponent b (B) can get really big. Make it smaller if necessary.
+ if (MP_USED(&b) > 100) {
+ size_t shift = (MP_USED(&b) - 100) * MP_DIGIT_BIT;
+ mp_div_2d(&b, shift, &b, nullptr);
+ BN_rshift(B, B, shift);
+ }
+ check_equal(A, &a, max_size);
+ check_equal(B, &b, max_size);
+ check_equal(std::get<0>(modulus), m1, 3 * max_size);
assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY);
(void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx);
check_equal(C, &c, 2 * max_size);
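Review bot: The return values of `mp_div_2d` and `BN_rshift` on the added lines are discarded, unlike `mp_exptmod` just below, which is asserted; if the MPI-side shift fails (out of memory, for instance) `b` keeps its old value while `B` is shifted, and the following `check_equal(B, &b, max_size)` then reports a mismatch that is not an arithmetic bug. Check them the way the rest of the target does: `assert(mp_div_2d(&b, shift, &b, nullptr) == MP_OKAY);` and `assert(BN_rshift(B, B, shift) == 1);`. `shift` is a `size_t` passed to `BN_rshift`'s `int` parameter; a comment such as `// bounded by MP_USED(&b) * MP_DIGIT_BIT, fits in int` would document why the implicit narrowing is safe. LLVMFuzzerTestOneInput begins before and continues after this hunk.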
diff --git a/security/nss/fuzz/mpi_helper.cc b/security/nss/fuzz/mpi_helper.cc
index 65cf4b9cd0..d092fdb119 100644
--- a/security/nss/fuzz/mpi_helper.cc
+++ b/security/nss/fuzz/mpi_helper.cc
@@ -12,6 +12,12 @@ char *to_char(const uint8_t *x) {
return reinterpret_cast<char *>(const_cast<unsigned char *>(x));
}
+void print_bn(std::string label, BIGNUM *x) {
+ char *xc = BN_bn2hex(x);
+ std::cout << label << ": " << std::hex << xc << std::endl;
+ OPENSSL_free(xc);
+}
+
// Check that the two numbers are equal.
void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
char *bnBc = BN_bn2hex(b);
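Review bot: `print_bn` streams the result of `BN_bn2hex` without checking it, and `BN_bn2hex` returns NULL on allocation failure, so the `<< xc` on the new line would then insert a null `char *` into `std::cout` (undefined behaviour) and `OPENSSL_free` would be skipped on the early path if one were added. The `std::hex` manipulator is a no-op for a C string but persists on `std::cout`, so any later integer written by the helper's callers would come out in hex. Since `BN_bn2hex` takes a `const BIGNUM *`, the signature could also be `void print_bn(const std::string &label, const BIGNUM *x)`, with the declaration in mpi_helper.h changed to match. The rewritten body below keeps the existing signature.
```cpp
void print_bn(std::string label, BIGNUM *x) {
  char *xc = BN_bn2hex(x);
  // BN_bn2hex returns NULL on allocation failure; inserting a null char*
  // into an ostream is undefined behaviour.
  if (xc == nullptr) {
    std::cout << label << ": (BN_bn2hex failed)" << std::endl;
    return;
  }
  // xc is already hex text; std::hex is not needed and would otherwise
  // stick to std::cout for later integer output.
  std::cout << label << ": " << xc << std::endl;
  OPENSSL_free(xc);
}
```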
diff --git a/security/nss/fuzz/mpi_helper.h b/security/nss/fuzz/mpi_helper.h
index 17383744ba..ef7041b257 100644
--- a/security/nss/fuzz/mpi_helper.h
+++ b/security/nss/fuzz/mpi_helper.h
@@ -23,6 +23,7 @@ void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a);
std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
BN_CTX *ctx);
+void print_bn(std::string label, BIGNUM *x);
// Initialise MPI and BN variables
// XXX: Also silence unused variable warnings for R.
diff --git a/security/nss/fuzz/tls_mutators.cc b/security/nss/fuzz/tls_mutators.cc
index e9770cb39f..228bd0bb7a 100644
--- a/security/nss/fuzz/tls_mutators.cc
+++ b/security/nss/fuzz/tls_mutators.cc
@@ -2,11 +2,14 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+#include <algorithm>
#include "shared.h"
#include "tls_parser.h"
#include "ssl.h"
+extern "C" {
#include "sslimpl.h"
+}
using namespace nss_test;
@@ -39,7 +42,9 @@ class Record {
void truncate(size_t length) {
assert(length >= 5 + gExtraHeaderBytes);
uint8_t *dest = const_cast<uint8_t *>(data_);
- (void)ssl_EncodeUintX(length - 5 - gExtraHeaderBytes, 2, &dest[3]);
+ size_t l = length - (5 + gExtraHeaderBytes);
+ dest[3] = (l >> 8) & 0xff;
+ dest[4] = l & 0xff;
memmove(dest + length, data_ + size_, remaining_);
}
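Review bot: The hand-rolled two-byte encoding on the new `dest[3]`/`dest[4]` lines silently drops every bit of `l` above 16; the replaced `ssl_EncodeUintX` call did the same, but the `assert` beside it only bounds `length` from below, so a caller-supplied `length` above `0xffff + 5 + gExtraHeaderBytes` produces a record header that disagrees with the bytes `memmove` moves in. Add `assert(l <= 0xffff);` right after `l` is computed. Separately, when `gExtraHeaderBytes` is nonzero the length field presumably sits after those extra bytes rather than at offset 3 — that was also true of the old line, so it is a question to confirm against the record layout rather than a regression here. `truncate` is a member of `class Record`, whose definition begins before the hunk.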
@@ -222,8 +227,8 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size,
}
// Pick a record to fragment at random.
- std::uniform_int_distribution<size_t> dist(0, records.size() - 1);
- auto &rec = records.at(dist(rng));
+ std::uniform_int_distribution<size_t> rand_record(0, records.size() - 1);
+ auto &rec = records.at(rand_record(rng));
uint8_t *rdata = const_cast<uint8_t *>(rec->data());
size_t length = rec->size();
size_t content_length = length - 5;
@@ -233,17 +238,21 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size,
}
// Assign a new length to the first fragment.
- size_t new_length = content_length / 2;
- uint8_t *content = ssl_EncodeUintX(new_length, 2, &rdata[3]);
+ std::uniform_int_distribution<size_t> rand_size(1, content_length - 1);
+ size_t first_length = rand_size(rng);
+ size_t second_length = content_length - first_length;
+ rdata[3] = (first_length >> 8) & 0xff;
+ rdata[4] = first_length & 0xff;
+ uint8_t *second_record = rdata + 5 + first_length;
- // Make room for one more header.
- memmove(content + new_length + 5, content + new_length,
- rec->remaining() + content_length - new_length);
+ // Make room for the header of the second record.
+ memmove(second_record + 5, second_record,
+ rec->remaining() + content_length - first_length);
// Write second header.
- memcpy(content + new_length, rdata, 3);
- (void)ssl_EncodeUintX(content_length - new_length, 2,
- &content[new_length + 3]);
+ memcpy(second_record, rdata, 3);
+ second_record[3] = (second_length >> 8) & 0xff;
+ second_record[4] = second_length & 0xff;
return size + 5;
}
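Review bot: `rand_size(1, content_length - 1)` replaces the old `content_length / 2`, which was safe for any value, with a distribution whose bounds are only valid when `content_length >= 2`: for 1 the bounds become `(1, 0)`, which is undefined behaviour for `std::uniform_int_distribution`, and for 0 the upper bound wraps to `SIZE_MAX`. The lines between this hunk and the previous one are not visible, so if a `content_length < 2` guard already lives there this is moot; otherwise add `if (content_length < 2) { return size; }` (or whatever the earlier early-outs in `FragmentRecord` return) before drawing `first_length`. The same two-line big-endian length write now appears twice here and once in `Record::truncate`; a small helper would keep the three in step. `FragmentRecord` starts before the hunk.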
diff --git a/security/nss/fuzz/tls_socket.h b/security/nss/fuzz/tls_socket.h
index 61fa4b3a88..e30f6fa3ca 100644
--- a/security/nss/fuzz/tls_socket.h
+++ b/security/nss/fuzz/tls_socket.h
@@ -10,6 +10,7 @@
class DummyPrSocket : public DummyIOLayerMethods {
public:
DummyPrSocket(const uint8_t *buf, size_t len) : buf_(buf), len_(len) {}
+ virtual ~DummyPrSocket() {}
int32_t Read(PRFileDesc *f, void *data, int32_t len) override;
int32_t Write(PRFileDesc *f, const void *buf, int32_t length) override;