Bug 1332652 - Replace SPKI and Cert tests with a single QuickDER fuzzing target r=franziskus
authorTim Taubert <ttaubert@mozilla.com>
Fri, 20 Jan 2017 17:17:31 +0100
changeset 13046 5d588f0d1b1f94afb55e904ba755363a90e2dce1
parent 13045 6e1980cb796560b0c459d210b80cdfbb2f487394
child 13047 55e275ca464d45f0d6b0ad1c6859ebc43ffeda19
push id1946
push userttaubert@mozilla.com
push dateFri, 20 Jan 2017 16:20:12 +0000
reviewersfranziskus
bugs1332652
Bug 1332652 - Replace SPKI and Cert tests with a single QuickDER fuzzing target r=franziskus Differential Revision: https://nss-review.dev.mozaws.net/D166
automation/taskcluster/graph/src/extend.js
fuzz/fuzz.gyp
fuzz/quickder_target.cc
fuzz/shared.h
--- a/automation/taskcluster/graph/src/extend.js
+++ b/automation/taskcluster/graph/src/extend.js
@@ -316,41 +316,26 @@ async function scheduleFuzzing() {
     tests: "ssl_gtests gtests",
     cycle: "standard",
     symbol: "Gtest",
     kind: "test"
   }));
 
   queue.scheduleTask(merge(base, {
     parent: task_build,
-    name: "Cert",
+    name: "QuickDER",
     command: [
       "/bin/bash",
       "-c",
       "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "cert nss/fuzz/corpus/cert -max_total_time=300"
+        "quickder nss/fuzz/corpus/quickder -max_total_time=300"
     ],
     // Need a privileged docker container to remove this.
     env: {ASAN_OPTIONS: "detect_leaks=0"},
-    symbol: "SCert",
-    kind: "test"
-  }));
-
-  queue.scheduleTask(merge(base, {
-    parent: task_build,
-    name: "SPKI",
-    command: [
-      "/bin/bash",
-      "-c",
-      "bin/checkout.sh && nss/automation/taskcluster/scripts/fuzz.sh " +
-        "spki nss/fuzz/corpus/spki -max_total_time=300"
-    ],
-    // Need a privileged docker container to remove this.
-    env: {ASAN_OPTIONS: "detect_leaks=0"},
-    symbol: "SPKI",
+    symbol: "QuickDER",
     kind: "test"
   }));
 
   return queue.submit();
 }
 
 /*****************************************************************************/
 
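Review bot: The QuickDER task keeps `-max_total_time=300` although it replaces two tasks (Cert and SPKI) that each ran for 300 seconds, so the total fuzzing budget for DER decoding is halved. The new target in fuzz/quickder_target.cc also decodes every input once per entry in its template list, so it will likely execute far fewer inputs in that time than either old target did. If the reduction is not intended, raise the budget on the command line, for example `"quickder nss/fuzz/corpus/quickder -max_total_time=600"`. The command also points at `nss/fuzz/corpus/quickder`, which this diff does not show being created; seeding it from the existing cert and spki corpora would preserve the coverage already found.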
--- a/fuzz/fuzz.gyp
+++ b/fuzz/fuzz.gyp
@@ -33,16 +33,17 @@
         '<(DEPTH)/lib/certhigh/certhigh.gyp:certhi',
         '<(DEPTH)/lib/cryptohi/cryptohi.gyp:cryptohi',
         '<(DEPTH)/lib/base/base.gyp:nssb',
         '<(DEPTH)/lib/dev/dev.gyp:nssdev',
         '<(DEPTH)/lib/pki/pki.gyp:nsspki',
         '<(DEPTH)/lib/util/util.gyp:nssutil',
         '<(DEPTH)/lib/nss/nss.gyp:nss_static',
         '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+        '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
       ],
       'conditions': [
         ['use_fuzzing_engine==0', {
           'type': 'static_library',
           'sources': [
             'libFuzzer/FuzzerCrossOver.cpp',
             'libFuzzer/FuzzerDriver.cpp',
             'libFuzzer/FuzzerExtFunctionsDlsym.cpp',
@@ -81,48 +82,35 @@
           'type': 'none',
           'direct_dependent_settings': {
             'libraries': ['-lFuzzingEngine'],
           }
         }]
       ],
     },
     {
-      'target_name': 'nssfuzz-cert',
+      'target_name': 'nssfuzz-pkcs8',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
-        'cert_target.cc',
         'initialize.cc',
+        'pkcs8_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
-      'target_name': 'nssfuzz-spki',
-      'type': 'executable',
-      'sources': [
-        'asn1_mutators.cc',
-        'spki_target.cc',
-        'initialize.cc',
-      ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports',
-        'fuzz_base',
-      ],
-    },
-    {
-      'target_name': 'nssfuzz-pkcs8',
+      'target_name': 'nssfuzz-quickder',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
         'initialize.cc',
-        'pkcs8_target.cc',
+        'quickder_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
       'target_name': 'nssfuzz-hash',
@@ -135,16 +123,15 @@
         '<(DEPTH)/exports.gyp:nss_exports',
         'fuzz_base',
       ],
     },
     {
       'target_name': 'nssfuzz',
       'type': 'none',
       'dependencies': [
-        'nssfuzz-cert',
         'nssfuzz-hash',
         'nssfuzz-pkcs8',
-        'nssfuzz-spki',
-      ]
+        'nssfuzz-quickder',
+      ],
     }
   ],
 }
new file mode 100644
--- /dev/null
+++ b/fuzz/quickder_target.cc
@@ -0,0 +1,83 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FuzzerInternal.h"
+#include "asn1_mutators.h"
+#include "shared.h"
+
+const std::vector<const SEC_ASN1Template *> templates = {
+    CERT_AttributeTemplate,
+    CERT_CertExtensionTemplate,
+    CERT_CertificateRequestTemplate,
+    CERT_CertificateTemplate,
+    CERT_CrlTemplate,
+    CERT_IssuerAndSNTemplate,
+    CERT_NameTemplate,
+    CERT_PublicKeyAndChallengeTemplate,
+    CERT_RDNTemplate,
+    CERT_SequenceOfCertExtensionTemplate,
+    CERT_SetOfAttributeTemplate,
+    CERT_SetOfSignedCrlTemplate,
+    CERT_SignedCrlTemplate,
+    CERT_SignedDataTemplate,
+    CERT_SubjectPublicKeyInfoTemplate,
+    CERT_TimeChoiceTemplate,
+    CERT_ValidityTemplate,
+    SEC_AnyTemplate,
+    SEC_BitStringTemplate,
+    SEC_BMPStringTemplate,
+    SEC_BooleanTemplate,
+    SEC_CertSequenceTemplate,
+    SEC_EnumeratedTemplate,
+    SEC_GeneralizedTimeTemplate,
+    SEC_IA5StringTemplate,
+    SEC_IntegerTemplate,
+    SEC_NullTemplate,
+    SEC_ObjectIDTemplate,
+    SEC_OctetStringTemplate,
+    SEC_PointerToAnyTemplate,
+    SEC_PointerToEnumeratedTemplate,
+    SEC_PointerToGeneralizedTimeTemplate,
+    SEC_PointerToOctetStringTemplate,
+    SEC_PrintableStringTemplate,
+    SEC_SetOfAnyTemplate,
+    SEC_SetOfEnumeratedTemplate,
+    SEC_SequenceOfAnyTemplate,
+    SEC_SequenceOfObjectIDTemplate,
+    SEC_SignedCertificateTemplate,
+    SEC_SkipTemplate,
+    SEC_T61StringTemplate,
+    SEC_UniversalStringTemplate,
+    SEC_UTCTimeTemplate,
+    SEC_UTF8StringTemplate,
+    SEC_VisibleStringTemplate,
+    SECKEY_DHParamKeyTemplate,
+    SECKEY_DHPublicKeyTemplate,
+    SECKEY_DSAPrivateKeyExportTemplate,
+    SECKEY_DSAPublicKeyTemplate,
+    SECKEY_PQGParamsTemplate,
+    SECKEY_PrivateKeyInfoTemplate,
+    SECKEY_RSAPSSParamsTemplate,
+    SECKEY_RSAPublicKeyTemplate,
+    SECOID_AlgorithmIDTemplate};
+
+extern const uint16_t DEFAULT_MAX_LENGTH = 10000U;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  char *dest[2048];
+
+  for (auto tpl : templates) {
+     PORTCheapArenaPool pool;
+     SECItem buf = {siBuffer, const_cast<unsigned char *>(Data),
+                     static_cast<unsigned int>(Size)};
+
+     PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
+     (void)SEC_QuickDERDecodeItem(&pool.arena, dest, tpl, &buf);
+     PORT_DestroyCheapArena(&pool);
+  }
+
+  return 0;
+}
+
+ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
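Review bot: `dest` in LLVMFuzzerTestOneInput is declared once, uninitialized, outside the template loop, so every SEC_QuickDERDecodeItem call after the first receives what the previous template left there, including pointers into an arena that PORT_DestroyCheapArena has already freed. Whether the decoder reads the destination before writing it is not visible in this hunk. If it does, a sanitizer report would originate in the harness rather than in NSS and would depend on template order, which makes findings harder to reproduce and triage. Declaring the buffer inside the loop body as `char *dest[2048] = {};` gives each decode a clean destination. The array is also sized in pointers, so its byte size differs between 32- and 64-bit builds and nothing ties it to the largest destination struct among the listed templates; a comment such as `// scratch destination; must be at least as large as the biggest struct any template decodes into` would document the bound.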
--- a/fuzz/shared.h
+++ b/fuzz/shared.h
@@ -12,27 +12,16 @@
 #include "nss.h"
 
 class NSSDatabase {
  public:
   NSSDatabase() { NSS_NoDB_Init(nullptr); }
   ~NSSDatabase() { NSS_Shutdown(); }
 };
 
-void QuickDERDecode(void *dst, const SEC_ASN1Template *tpl, const uint8_t *buf,
-                    size_t len) {
-  PORTCheapArenaPool pool;
-  SECItem data = {siBuffer, const_cast<unsigned char *>(buf),
-                  static_cast<unsigned int>(len)};
-
-  PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
-  (void)SEC_QuickDERDecodeItem(&pool.arena, dst, tpl, &data);
-  PORT_DestroyCheapArena(&pool);
-}
-
 size_t CustomMutate(std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators,
                     uint8_t *Data, size_t Size, size_t MaxSize,
                     unsigned int Seed) {
   fuzzer::Random R(Seed);
 
   if (R.RandBool()) {
     auto idx = R(mutators.size());
     return mutators.at(idx)(Data, Size, MaxSize, Seed);