diff options
author | Tim Taubert <ttaubert@mozilla.com> | 2017-03-31 16:32:54 +0200 |
---|---|---|
committer | Tim Taubert <ttaubert@mozilla.com> | 2017-03-31 16:32:54 +0200 |
commit | a1d6082c30f4bfea3f08a1c698a3e39adfd2f94a (patch) | |
tree | 5ea43964710e494b3f9f45b2da86b8bdf5234695 /fuzz/tls_mutators.cc | |
parent | 6f031f8434c7a2406a69d972e1414caa23e08ad4 (diff) | |
download | nss-hg-a1d6082c30f4bfea3f08a1c698a3e39adfd2f94a.tar.gz |
Bug 1351600 - Add DTLS client and server fuzzers r=franziskus
Differential Revision: https://nss-review.dev.mozaws.net/D282
Diffstat (limited to 'fuzz/tls_mutators.cc')
-rw-r--r-- | fuzz/tls_mutators.cc | 65 |
1 files changed, 39 insertions, 26 deletions
diff --git a/fuzz/tls_mutators.cc b/fuzz/tls_mutators.cc index ccf1935bf..e9770cb39 100644 --- a/fuzz/tls_mutators.cc +++ b/fuzz/tls_mutators.cc @@ -10,6 +10,10 @@ using namespace nss_test; +// Number of additional bytes in the TLS header. +// Used to properly skip DTLS seqnums. +static size_t gExtraHeaderBytes = 0; + // Helper class to simplify TLS record manipulation. class Record { public: @@ -33,9 +37,9 @@ class Record { } void truncate(size_t length) { - assert(length >= 5); + assert(length >= 5 + gExtraHeaderBytes); uint8_t *dest = const_cast<uint8_t *>(data_); - (void)ssl_EncodeUintX(length - 5, 2, &dest[3]); + (void)ssl_EncodeUintX(length - 5 - gExtraHeaderBytes, 2, &dest[3]); memmove(dest + length, data_ + size_, remaining_); } @@ -66,13 +70,8 @@ std::vector<std::unique_ptr<Record>> ParseRecords(const uint8_t *data, while (parser.remaining()) { size_t offset = parser.consumed(); - uint32_t type; - if (!parser.Read(&type, 1)) { - break; - } - - uint32_t version; - if (!parser.Read(&version, 2)) { + // Skip type, version, and DTLS seqnums. + if (!parser.Skip(3 + gExtraHeaderBytes)) { break; } @@ -81,16 +80,22 @@ std::vector<std::unique_ptr<Record>> ParseRecords(const uint8_t *data, break; } - records.push_back( - Record::Create(data + offset, fragment.len() + 5, parser.remaining())); + records.push_back(Record::Create(data + offset, + fragment.len() + 5 + gExtraHeaderBytes, + parser.remaining())); } return records; } +namespace TlsMutators { + +// Handle seqnums in DTLS transcripts. +void SetIsDTLS() { gExtraHeaderBytes = 8; } + // Mutator that drops whole TLS records. -size_t TlsMutatorDropRecord(uint8_t *data, size_t size, size_t max_size, - unsigned int seed) { +size_t DropRecord(uint8_t *data, size_t size, size_t max_size, + unsigned int seed) { std::mt19937 rng(seed); // Find TLS records in the corpus. @@ -111,8 +116,8 @@ size_t TlsMutatorDropRecord(uint8_t *data, size_t size, size_t max_size, } // Mutator that shuffles TLS records in a transcript. -size_t TlsMutatorShuffleRecords(uint8_t *data, size_t size, size_t max_size, - unsigned int seed) { +size_t ShuffleRecords(uint8_t *data, size_t size, size_t max_size, + unsigned int seed) { std::mt19937 rng(seed); // Store the original corpus. @@ -142,8 +147,8 @@ size_t TlsMutatorShuffleRecords(uint8_t *data, size_t size, size_t max_size, } // Mutator that duplicates a single TLS record and randomly inserts it. -size_t TlsMutatorDuplicateRecord(uint8_t *data, size_t size, size_t max_size, - unsigned int seed) { +size_t DuplicateRecord(uint8_t *data, size_t size, size_t max_size, + unsigned int seed) { std::mt19937 rng(seed); // Find TLS records in the corpus. @@ -167,8 +172,8 @@ size_t TlsMutatorDuplicateRecord(uint8_t *data, size_t size, size_t max_size, } // Mutator that truncates a TLS record. -size_t TlsMutatorTruncateRecord(uint8_t *data, size_t size, size_t max_size, - unsigned int seed) { +size_t TruncateRecord(uint8_t *data, size_t size, size_t max_size, + unsigned int seed) { std::mt19937 rng(seed); // Find TLS records in the corpus. @@ -182,12 +187,13 @@ size_t TlsMutatorTruncateRecord(uint8_t *data, size_t size, size_t max_size, auto &rec = records.at(dist(rng)); // Need a record with data. - if (rec->size() <= 5) { + if (rec->size() <= 5 + gExtraHeaderBytes) { return 0; } // Truncate. - std::uniform_int_distribution<size_t> dist2(5, rec->size() - 1); + std::uniform_int_distribution<size_t> dist2(5 + gExtraHeaderBytes, + rec->size() - 1); size_t new_length = dist2(rng); rec->truncate(new_length); @@ -196,10 +202,15 @@ size_t TlsMutatorTruncateRecord(uint8_t *data, size_t size, size_t max_size, } // Mutator that splits a TLS record in two. -size_t TlsMutatorFragmentRecord(uint8_t *data, size_t size, size_t max_size, - unsigned int seed) { +size_t FragmentRecord(uint8_t *data, size_t size, size_t max_size, + unsigned int seed) { std::mt19937 rng(seed); + // We can't deal with DTLS yet. + if (gExtraHeaderBytes > 0) { + return 0; + } + if (size + 5 > max_size) { return 0; } @@ -238,9 +249,9 @@ size_t TlsMutatorFragmentRecord(uint8_t *data, size_t size, size_t max_size, } // Cross-over function that merges and shuffles two transcripts. -size_t TlsCrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, - size_t size2, uint8_t *out, size_t max_out_size, - unsigned int seed) { +size_t CrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, + size_t size2, uint8_t *out, size_t max_out_size, + unsigned int seed) { std::mt19937 rng(seed); // Find TLS records in the corpus. @@ -274,3 +285,5 @@ size_t TlsCrossOver(const uint8_t *data1, size_t size1, const uint8_t *data2, return total; } + +} // namespace TlsMutators |