Diffstat (limited to 'security/nss/fuzz')
-rw-r--r--security/nss/fuzz/config/clone_libfuzzer.sh2
-rw-r--r--security/nss/fuzz/config/git-copy.sh27
-rw-r--r--security/nss/fuzz/mpi_expmod_target.cc9
-rw-r--r--security/nss/fuzz/mpi_helper.cc6
-rw-r--r--security/nss/fuzz/mpi_helper.h1
-rw-r--r--security/nss/fuzz/tls_mutators.cc31
-rw-r--r--security/nss/fuzz/tls_socket.h1
7 files changed, 25 insertions, 52 deletions
diff --git a/security/nss/fuzz/config/clone_libfuzzer.sh b/security/nss/fuzz/config/clone_libfuzzer.sh
index c516057d7..f1dc2e14b 100644
--- a/security/nss/fuzz/config/clone_libfuzzer.sh
+++ b/security/nss/fuzz/config/clone_libfuzzer.sh
@@ -1,6 +1,6 @@
#!/bin/sh
-LIBFUZZER_REVISION=6937e68f927b6aefe526fcb9db8953f497e6e74d
+LIBFUZZER_REVISION=56bd1d43451cca4b6a11d3be316bb77ab159b09d
d=$(dirname $0)
$d/git-copy.sh https://chromium.googlesource.com/chromium/llvm-project/llvm/lib/Fuzzer $LIBFUZZER_REVISION $d/../libFuzzer
diff --git a/security/nss/fuzz/config/git-copy.sh b/security/nss/fuzz/config/git-copy.sh
index a9e817e2a..a5c7d371d 100644
--- a/security/nss/fuzz/config/git-copy.sh
+++ b/security/nss/fuzz/config/git-copy.sh
@@ -7,18 +7,18 @@ if [ $# -lt 3 ]; then
exit 2
fi
-REPO="$1"
-COMMIT="$2"
-DIR="$3"
+REPO=$1
+COMMIT=$2
+DIR=$3
echo "Copy '$COMMIT' from '$REPO' to '$DIR'"
-if [ -f "$DIR"/.git-copy ]; then
- CURRENT=$(cat "$DIR"/.git-copy)
- if [ $(echo -n "$COMMIT" | wc -c) != "40" ]; then
+if [ -f $DIR/.git-copy ]; then
+ CURRENT=$(cat $DIR/.git-copy)
+ if [ $(echo -n $COMMIT | wc -c) != "40" ]; then
# On the off chance that $COMMIT is a remote head.
- ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -)
+ ACTUAL=$(git ls-remote $REPO $COMMIT | cut -c 1-40 -)
else
- ACTUAL="$COMMIT"
+ ACTUAL=$COMMIT
fi
if [ "$CURRENT" = "$ACTUAL" ]; then
echo "Up to date."
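Review bot: The positional arguments and every later use of them lose their quotes in this hunk (`REPO=$1`, `[ -f $DIR/.git-copy ]`, `git ls-remote $REPO $COMMIT`), so a directory or URL containing whitespace or glob characters is word-split and expanded before `[` and git see it. The second hunk has the same problem: `rm -rf $DIR/.git` and the `> $DIR/.git-copy` redirect are unquoted, so an empty or split `$DIR` changes which path is removed or written. Keep the expansions quoted, for example `if [ -f "$DIR"/.git-copy ]; then` and `ACTUAL=$(git ls-remote "$REPO" "$COMMIT" | cut -c 1-40 -)`. The `if` block continues past the end of this hunk.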
@@ -26,9 +26,8 @@ if [ -f "$DIR"/.git-copy ]; then
fi
fi
-rm -rf "$DIR"
-git init -q "$DIR"
-git -C "$DIR" fetch -q --depth=1 "$REPO" "$COMMIT":git-copy-tmp
-git -C "$DIR" reset --hard git-copy-tmp
-git -C "$DIR" rev-parse --verify HEAD > "$DIR"/.git-copy
-rm -rf "$DIR"/.git
+git init -q $DIR
+git -C $DIR fetch -q --depth=1 $REPO $COMMIT:git-copy-tmp
+git -C $DIR reset --hard git-copy-tmp
+git -C $DIR rev-parse --verify HEAD > $DIR/.git-copy
+rm -rf $DIR/.git
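Review bot: The target directory is no longer cleared before `git init -q $DIR`, so files left over from the previously copied revision that the new commit does not track survive `git reset --hard` and stay in the vendored tree. The `.git-copy` stamp then names a commit whose tree does not match the directory contents, which weakens the revision pin set by the caller. Restore the cleanup ahead of the init with `rm -rf "$DIR"`. When a full 40-character hash was requested, it would also help to compare the `rev-parse` output with `$COMMIT` before writing the stamp.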
diff --git a/security/nss/fuzz/mpi_expmod_target.cc b/security/nss/fuzz/mpi_expmod_target.cc
index b9be5854f..ed31da354 100644
--- a/security/nss/fuzz/mpi_expmod_target.cc
+++ b/security/nss/fuzz/mpi_expmod_target.cc
@@ -19,15 +19,6 @@ extern "C" int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
auto modulus = get_modulus(data, size, ctx);
// Compare with OpenSSL exp mod
m1 = &std::get<1>(modulus);
- // The exponent b (B) can get really big. Make it smaller if necessary.
- if (MP_USED(&b) > 100) {
- size_t shift = (MP_USED(&b) - 100) * MP_DIGIT_BIT;
- mp_div_2d(&b, shift, &b, nullptr);
- BN_rshift(B, B, shift);
- }
- check_equal(A, &a, max_size);
- check_equal(B, &b, max_size);
- check_equal(std::get<0>(modulus), m1, 3 * max_size);
assert(mp_exptmod(&a, &b, m1, &c) == MP_OKAY);
(void)BN_mod_exp(C, A, B, std::get<0>(modulus), ctx);
check_equal(C, &c, 2 * max_size);
diff --git a/security/nss/fuzz/mpi_helper.cc b/security/nss/fuzz/mpi_helper.cc
index d092fdb11..65cf4b9cd 100644
--- a/security/nss/fuzz/mpi_helper.cc
+++ b/security/nss/fuzz/mpi_helper.cc
@@ -12,12 +12,6 @@ char *to_char(const uint8_t *x) {
return reinterpret_cast<char *>(const_cast<unsigned char *>(x));
}
-void print_bn(std::string label, BIGNUM *x) {
- char *xc = BN_bn2hex(x);
- std::cout << label << ": " << std::hex << xc << std::endl;
- OPENSSL_free(xc);
-}
-
// Check that the two numbers are equal.
void check_equal(BIGNUM *b, mp_int *m, size_t max_size) {
char *bnBc = BN_bn2hex(b);
diff --git a/security/nss/fuzz/mpi_helper.h b/security/nss/fuzz/mpi_helper.h
index ef7041b25..17383744b 100644
--- a/security/nss/fuzz/mpi_helper.h
+++ b/security/nss/fuzz/mpi_helper.h
@@ -23,7 +23,6 @@ void parse_input(const uint8_t *data, size_t size, BIGNUM *A, BIGNUM *B,
void parse_input(const uint8_t *data, size_t size, BIGNUM *A, mp_int *a);
std::tuple<BIGNUM *, mp_int> get_modulus(const uint8_t *data, size_t size,
BN_CTX *ctx);
-void print_bn(std::string label, BIGNUM *x);
// Initialise MPI and BN variables
// XXX: Also silence unused variable warnings for R.
diff --git a/security/nss/fuzz/tls_mutators.cc b/security/nss/fuzz/tls_mutators.cc
index 228bd0bb7..e9770cb39 100644
--- a/security/nss/fuzz/tls_mutators.cc
+++ b/security/nss/fuzz/tls_mutators.cc
@@ -2,14 +2,11 @@
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
-#include <algorithm>
#include "shared.h"
#include "tls_parser.h"
#include "ssl.h"
-extern "C" {
#include "sslimpl.h"
-}
using namespace nss_test;
@@ -42,9 +39,7 @@ class Record {
void truncate(size_t length) {
assert(length >= 5 + gExtraHeaderBytes);
uint8_t *dest = const_cast<uint8_t *>(data_);
- size_t l = length - (5 + gExtraHeaderBytes);
- dest[3] = (l >> 8) & 0xff;
- dest[4] = l & 0xff;
+ (void)ssl_EncodeUintX(length - 5 - gExtraHeaderBytes, 2, &dest[3]);
memmove(dest + length, data_ + size_, remaining_);
}
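Review bot: `truncate` has `assert(length >= 5 + gExtraHeaderBytes)` as its only guard, and the new `ssl_EncodeUintX(..., 2, &dest[3])` call presumably keeps just the low two bytes of its argument, with the return value discarded. In a build with `NDEBUG` the subtraction can wrap, and a truncated length is then written with no signal. A short comment would make the contract explicit, for example `// Precondition: length covers the 5-byte record header plus gExtraHeaderBytes; the body length must fit in 16 bits.` It is also worth confirming that offset 3 is still the length field when `gExtraHeaderBytes` is non-zero, which cannot be seen from this hunk. The enclosing `Record` class starts and ends outside the hunk.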
@@ -227,8 +222,8 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size,
}
// Pick a record to fragment at random.
- std::uniform_int_distribution<size_t> rand_record(0, records.size() - 1);
- auto &rec = records.at(rand_record(rng));
+ std::uniform_int_distribution<size_t> dist(0, records.size() - 1);
+ auto &rec = records.at(dist(rng));
uint8_t *rdata = const_cast<uint8_t *>(rec->data());
size_t length = rec->size();
size_t content_length = length - 5;
@@ -238,21 +233,17 @@ size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size,
}
// Assign a new length to the first fragment.
- std::uniform_int_distribution<size_t> rand_size(1, content_length - 1);
- size_t first_length = rand_size(rng);
- size_t second_length = content_length - first_length;
- rdata[3] = (first_length >> 8) & 0xff;
- rdata[4] = first_length & 0xff;
- uint8_t *second_record = rdata + 5 + first_length;
+ size_t new_length = content_length / 2;
+ uint8_t *content = ssl_EncodeUintX(new_length, 2, &rdata[3]);
- // Make room for the header of the second record.
- memmove(second_record + 5, second_record,
- rec->remaining() + content_length - first_length);
+ // Make room for one more header.
+ memmove(content + new_length + 5, content + new_length,
+ rec->remaining() + content_length - new_length);
// Write second header.
- memcpy(second_record, rdata, 3);
- second_record[3] = (second_length >> 8) & 0xff;
- second_record[4] = second_length & 0xff;
+ memcpy(content + new_length, rdata, 3);
+ (void)ssl_EncodeUintX(content_length - new_length, 2,
+ &content[new_length + 3]);
return size + 5;
}
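Review bot: The `memmove` shifts the tail five bytes towards the end of the buffer and the function returns `size + 5`, but no comparison of `size + 5` with `max_size` is visible in this hunk. If the earlier part of `FragmentRecord`, which lies outside the hunk, does not reject that case, the write runs past the mutator's buffer. The new code also appears to depend on `ssl_EncodeUintX` returning the address just after the bytes it wrote, so that `content` equals `rdata + 5`; that is worth stating, e.g. `// ssl_EncodeUintX returns &rdata[5], the start of the record body.` If the capacity guard is missing, `if (size + 5 > max_size) return 0;` before the first write would cover it, assuming 0 is the function's existing no-change return.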
diff --git a/security/nss/fuzz/tls_socket.h b/security/nss/fuzz/tls_socket.h
index e30f6fa3c..61fa4b3a8 100644
--- a/security/nss/fuzz/tls_socket.h
+++ b/security/nss/fuzz/tls_socket.h
@@ -10,7 +10,6 @@
class DummyPrSocket : public DummyIOLayerMethods {
public:
DummyPrSocket(const uint8_t *buf, size_t len) : buf_(buf), len_(len) {}
- virtual ~DummyPrSocket() {}
int32_t Read(PRFileDesc *f, void *data, int32_t len) override;
int32_t Write(PRFileDesc *f, const void *buf, int32_t length) override;