Bug 1332652 - Replace SPKI and Cert tests with a single QuickDER fuzzing target r=franziskus

Differential Revision: https://nss-review.dev.mozaws.net/D166

3 files changed, 90 insertions, 31 deletions

diff --git a/fuzz/fuzz.gyp b/fuzz/fuzz.gyp
index deb1c6fee..94dac8b3f 100644
--- a/fuzz/fuzz.gyp
+++ b/fuzz/fuzz.gyp
@@ -38,6 +38,7 @@
         '<(DEPTH)/lib/util/util.gyp:nssutil',
         '<(DEPTH)/lib/nss/nss.gyp:nss_static',
         '<(DEPTH)/lib/pk11wrap/pk11wrap.gyp:pk11wrap',
+        '<(DEPTH)/lib/pkcs7/pkcs7.gyp:pkcs7',
       ],
       'conditions': [
         ['use_fuzzing_engine==0', {
@@ -86,25 +87,12 @@
       ],
     },
     {
-      'target_name': 'nssfuzz-cert',
-      'type': 'executable',
-      'sources': [
-        'asn1_mutators.cc',
-        'cert_target.cc',
-        'initialize.cc',
-      ],
-      'dependencies': [
-        '<(DEPTH)/exports.gyp:nss_exports',
-        'fuzz_base',
-      ],
-    },
-    {
-      'target_name': 'nssfuzz-spki',
+      'target_name': 'nssfuzz-pkcs8',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
-        'spki_target.cc',
         'initialize.cc',
+        'pkcs8_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
@@ -112,12 +100,12 @@
       ],
     },
     {
-      'target_name': 'nssfuzz-pkcs8',
+      'target_name': 'nssfuzz-quickder',
       'type': 'executable',
       'sources': [
         'asn1_mutators.cc',
         'initialize.cc',
-        'pkcs8_target.cc',
+        'quickder_target.cc',
       ],
       'dependencies': [
         '<(DEPTH)/exports.gyp:nss_exports',
@@ -140,11 +128,10 @@
       'target_name': 'nssfuzz',
       'type': 'none',
       'dependencies': [
-        'nssfuzz-cert',
         'nssfuzz-hash',
         'nssfuzz-pkcs8',
-        'nssfuzz-spki',
-      ]
+        'nssfuzz-quickder',
+      ],
     }
   ],
 }
diff --git a/fuzz/quickder_target.cc b/fuzz/quickder_target.cc
new file mode 100644
index 000000000..d77baf04c
--- /dev/null
+++ b/fuzz/quickder_target.cc
@@ -0,0 +1,83 @@
+/* This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/. */
+
+#include "FuzzerInternal.h"
+#include "asn1_mutators.h"
+#include "shared.h"
+
+const std::vector<const SEC_ASN1Template *> templates = {
+    CERT_AttributeTemplate,
+    CERT_CertExtensionTemplate,
+    CERT_CertificateRequestTemplate,
+    CERT_CertificateTemplate,
+    CERT_CrlTemplate,
+    CERT_IssuerAndSNTemplate,
+    CERT_NameTemplate,
+    CERT_PublicKeyAndChallengeTemplate,
+    CERT_RDNTemplate,
+    CERT_SequenceOfCertExtensionTemplate,
+    CERT_SetOfAttributeTemplate,
+    CERT_SetOfSignedCrlTemplate,
+    CERT_SignedCrlTemplate,
+    CERT_SignedDataTemplate,
+    CERT_SubjectPublicKeyInfoTemplate,
+    CERT_TimeChoiceTemplate,
+    CERT_ValidityTemplate,
+    SEC_AnyTemplate,
+    SEC_BitStringTemplate,
+    SEC_BMPStringTemplate,
+    SEC_BooleanTemplate,
+    SEC_CertSequenceTemplate,
+    SEC_EnumeratedTemplate,
+    SEC_GeneralizedTimeTemplate,
+    SEC_IA5StringTemplate,
+    SEC_IntegerTemplate,
+    SEC_NullTemplate,
+    SEC_ObjectIDTemplate,
+    SEC_OctetStringTemplate,
+    SEC_PointerToAnyTemplate,
+    SEC_PointerToEnumeratedTemplate,
+    SEC_PointerToGeneralizedTimeTemplate,
+    SEC_PointerToOctetStringTemplate,
+    SEC_PrintableStringTemplate,
+    SEC_SetOfAnyTemplate,
+    SEC_SetOfEnumeratedTemplate,
+    SEC_SequenceOfAnyTemplate,
+    SEC_SequenceOfObjectIDTemplate,
+    SEC_SignedCertificateTemplate,
+    SEC_SkipTemplate,
+    SEC_T61StringTemplate,
+    SEC_UniversalStringTemplate,
+    SEC_UTCTimeTemplate,
+    SEC_UTF8StringTemplate,
+    SEC_VisibleStringTemplate,
+    SECKEY_DHParamKeyTemplate,
+    SECKEY_DHPublicKeyTemplate,
+    SECKEY_DSAPrivateKeyExportTemplate,
+    SECKEY_DSAPublicKeyTemplate,
+    SECKEY_PQGParamsTemplate,
+    SECKEY_PrivateKeyInfoTemplate,
+    SECKEY_RSAPSSParamsTemplate,
+    SECKEY_RSAPublicKeyTemplate,
+    SECOID_AlgorithmIDTemplate};
+
+extern const uint16_t DEFAULT_MAX_LENGTH = 10000U;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
+  char *dest[2048];
+
+  for (auto tpl : templates) {
+     PORTCheapArenaPool pool;
+     SECItem buf = {siBuffer, const_cast<unsigned char *>(Data),
+                     static_cast<unsigned int>(Size)};
+
+     PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
+     (void)SEC_QuickDERDecodeItem(&pool.arena, dest, tpl, &buf);
+     PORT_DestroyCheapArena(&pool);
+  }
+
+  return 0;
+}
+
+ADD_CUSTOM_MUTATORS({&ASN1MutatorFlipConstructed, &ASN1MutatorChangeType})
diff --git a/fuzz/shared.h b/fuzz/shared.h
index 69e429824..142058069 100644
--- a/fuzz/shared.h
+++ b/fuzz/shared.h
@@ -17,17 +17,6 @@ class NSSDatabase {
   ~NSSDatabase() { NSS_Shutdown(); }
 };
 
-void QuickDERDecode(void *dst, const SEC_ASN1Template *tpl, const uint8_t *buf,
-                    size_t len) {
-  PORTCheapArenaPool pool;
-  SECItem data = {siBuffer, const_cast<unsigned char *>(buf),
-                  static_cast<unsigned int>(len)};
-
-  PORT_InitCheapArena(&pool, DER_DEFAULT_CHUNKSIZE);
-  (void)SEC_QuickDERDecodeItem(&pool.arena, dst, tpl, &data);
-  PORT_DestroyCheapArena(&pool);
-}
-
 size_t CustomMutate(std::vector<decltype(LLVMFuzzerCustomMutator) *> mutators,
                     uint8_t *Data, size_t Size, size_t MaxSize,
                     unsigned int Seed) {