diff options
Diffstat (limited to 'security/nss/fuzz')
-rw-r--r-- | security/nss/fuzz/config/clone_libfuzzer.sh | 2 | ||||
-rw-r--r-- | security/nss/fuzz/config/git-copy.sh | 27 | ||||
-rw-r--r-- | security/nss/fuzz/mpi_expmod_target.cc | 9 | ||||
-rw-r--r-- | security/nss/fuzz/mpi_helper.cc | 6 | ||||
-rw-r--r-- | security/nss/fuzz/mpi_helper.h | 1 | ||||
-rw-r--r-- | security/nss/fuzz/tls_mutators.cc | 31 | ||||
-rw-r--r-- | security/nss/fuzz/tls_socket.h | 1 |
7 files changed, 52 insertions, 25 deletions
diff --git a/security/nss/fuzz/config/clone_libfuzzer.sh b/security/nss/fuzz/config/clone_libfuzzer.sh index f1dc2e14b..c516057d7 100644 --- a/security/nss/fuzz/config/clone_libfuzzer.sh +++ b/security/nss/fuzz/config/clone_libfuzzer.sh @@ -1,6 +1,6 @@ #!/bin/sh -LIBFUZZER_REVISION=56bd1d43451cca4b6a11d3be316bb77ab159b09d +LIBFUZZER_REVISION=6937e68f927b6aefe526fcb9db8953f497e6e74d d=$(dirname $0) $d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer diff --git a/security/nss/fuzz/config/git-copy.sh b/security/nss/fuzz/config/git-copy.sh index a5c7d371d..a9e817e2a 100644 --- a/security/nss/fuzz/config/git-copy.sh +++ b/security/nss/fuzz/config/git-copy.sh @@ -7,18 +7,18 @@ if [ $# -lt 3 ]; then exit 2 fi -REPO=$1 -COMMIT=$2 -DIR=$3 +REPO="$1" +COMMIT="$2" +DIR="$3" echo "Copy '$COMMIT' from '$REPO' to '$DIR'" -if [ -f $DIR/.git-copy ]; then - CURRENT=$(cat $DIR/.git-copy) - if [ $(echo -n $COMMIT | wc -c) != "40" ]; then +if [ -f "$DIR"/.git-copy ]; then + CURRENT=$(cat "$DIR"/.git-copy) + if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then # On the off chance that $COMMIT is a remote head. - ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -) + ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -) else - ACTUAL=$COMMIT + ACTUAL="$COMMIT" fi if [ "$CURRENT" = "$ACTUAL" ]; then echo "Up to date." @@ -26,8 +26,9 @@ if [ -f $DIR/.git-copy ]; then fi fi -git init -q $DIR -git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp -git -C $DIR reset --hard git-copy-tmp -git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy -rm -rf $DIR/.git +rm -rf "$DIR" +git init -q "$DIR" +git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp +git -C "$DIR" reset --hard git-copy-tmp +git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy +rm -rf "$DIR"/.git diff --git a/security/nss/fuzz/mpi_expmod_target.cc b/security/nss/fuzz/mpi_expmod_target.cc index ed31da354..b9be5854f 100644 --- a/security/nss/fuzz/mpi_expmod_target.cc +++ b/security/nss/fuzz/mpi_expmod_target.cc @@ -19,6 +19,15 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) { auto modulus = get_modulus(data, size, ctx); // Compare with OpenSSL exp mod m1 = &std::get<1>(modulus); + // The exponent b (B) can get really big. Make it smaller if necessary. + if (MP_USED(&b) > 100) { + size_t shift = (MP_USED(&b) - 100) * MP_DIGIT_BIT; + mp_div_2d(&b, shift, &b, nullptr); + BN_rshift(B, B, shift); + } + check_equal(A, &a, max_size); + check_equal(B, &b, max_size); + check_equal(std::get<0>(modulus), m1, 3 * max_size); assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY); (void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx); check_equal(C, &c, 2 * max_size); diff --git a/security/nss/fuzz/mpi_helper.cc b/security/nss/fuzz/mpi_helper.cc index 65cf4b9cd..d092fdb11 100644 --- a/security/nss/fuzz/mpi_helper.cc +++ b/security/nss/fuzz/mpi_helper.cc @@ -12,6 +12,12 @@ char *to_char(const uint8_t *x) { return reinterpret_cast<char *>(const_cast<unsigned char *>(x)); } +void print_bn(std::string label, BIGNUM *x) { + char *xc = BN_bn2hex(x); + std::cout << label << ": " << std::hex << xc << std::endl; + OPENSSL_free(xc); +} + // Check that the two numbers are equal. void check_equal(BIGNUM *b, mp_int *m, size_t max_size) { char *bnBc = BN_bn2hex(b); diff --git a/security/nss/fuzz/mpi_helper.h b/security/nss/fuzz/mpi_helper.h index 17383744b..ef7041b25 100644 --- a/security/nss/fuzz/mpi_helper.h +++ b/security/nss/fuzz/mpi_helper.h @@ -23,6 +23,7 @@ void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B, void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a); std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size, BN_CTX *ctx); +void print_bn(std::string label, BIGNUM *x); // Initialise MPI and BN variables // XXX: Also silence unused variable warnings for R. diff --git a/security/nss/fuzz/tls_mutators.cc b/security/nss/fuzz/tls_mutators.cc index e9770cb39..228bd0bb7 100644 --- a/security/nss/fuzz/tls_mutators.cc +++ b/security/nss/fuzz/tls_mutators.cc @@ -2,11 +2,14 @@ * License, v. 2.0. If a copy of the MPL was not distributed with this * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ +#include <algorithm> #include "shared.h" #include "tls_parser.h" #include "ssl.h" +extern "C" { #include "sslimpl.h" +} using namespace nss_test; @@ -39,7 +42,9 @@ class Record { void truncate(size_t length) { assert(length >= 5 + gExtraHeaderBytes); uint8_t *dest = const_cast<uint8_t *>(data_); - (void)ssl_EncodeUintX(length - 5 - gExtraHeaderBytes, 2, &dest[3]); + size_t l = length - (5 + gExtraHeaderBytes); + dest[3] = (l >> 8) & 0xff; + dest[4] = l & 0xff; memmove(dest + length, data_ + size_, remaining_); } @@ -222,8 +227,8 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size, } // Pick a record to fragment at random. - std::uniform_int_distribution<size_t> dist(0, records.size() - 1); - auto &rec = records.at(dist(rng)); + std::uniform_int_distribution<size_t> rand_record(0, records.size() - 1); + auto &rec = records.at(rand_record(rng)); uint8_t *rdata = const_cast<uint8_t *>(rec->data()); size_t length = rec->size(); size_t content_length = length - 5; @@ -233,17 +238,21 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size, } // Assign a new length to the first fragment. - size_t new_length = content_length / 2; - uint8_t *content = ssl_EncodeUintX(new_length, 2, &rdata[3]); + std::uniform_int_distribution<size_t> rand_size(1, content_length - 1); + size_t first_length = rand_size(rng); + size_t second_length = content_length - first_length; + rdata[3] = (first_length >> 8) & 0xff; + rdata[4] = first_length & 0xff; + uint8_t *second_record = rdata + 5 + first_length; - // Make room for one more header. - memmove(content + new_length + 5, content + new_length, - rec->remaining() + content_length - new_length); + // Make room for the header of the second record. + memmove(second_record + 5, second_record, + rec->remaining() + content_length - first_length); // Write second header. - memcpy(content + new_length, rdata, 3); - (void)ssl_EncodeUintX(content_length - new_length, 2, - &content[new_length + 3]); + memcpy(second_record, rdata, 3); + second_record[3] = (second_length >> 8) & 0xff; + second_record[4] = second_length & 0xff; return size + 5; } diff --git a/security/nss/fuzz/tls_socket.h b/security/nss/fuzz/tls_socket.h index 61fa4b3a8..e30f6fa3c 100644 --- a/security/nss/fuzz/tls_socket.h +++ b/security/nss/fuzz/tls_socket.h @@ -10,6 +10,7 @@ class DummyPrSocket : public DummyIOLayerMethods { public: DummyPrSocket(const uint8_t *buf, size_t len) : buf_(buf), len_(len) {} + virtual ~DummyPrSocket() {} int32_t Read(PRFileDesc *f, void *data, int32_t len) override; int32_t Write(PRFileDesc *f, const void *buf, int32_t length) override; |