/src/nss/fuzz/targets/tls_client.cc

Source (jump to first uncovered line)
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#include <cassert>
#include <cstddef>
#include <cstdint>
#include <iostream>

#include "blapi.h"
#include "seccomon.h"
#include "ssl.h"
#include "sslimpl.h"

#include "base/database.h"
#include "base/mutate.h"
#include "tls/client_config.h"
#include "tls/common.h"
#include "tls/mutators.h"
#include "tls/socket.h"

#ifdef IS_DTLS_FUZZ
#define ImportFD DTLS_ImportFD
#else
#define ImportFD SSL_ImportFD
#endif  // IS_DTLS_FUZZ

extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
  static NSSDatabase db = NSSDatabase();
  static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-client");

  // Create and import dummy socket.
  TlsSocket::DummyPrSocket socket = TlsSocket::DummyPrSocket(data, size);
  ScopedPRFileDesc prFd(DummyIOLayerMethods::CreateFD(id, &socket));
  PRFileDesc* sslFd = ImportFD(nullptr, prFd.get());
  assert(sslFd == prFd.get());

  // Derive client config from input data.
  TlsClient::Config config = TlsClient::Config(data, size);

  if (ssl_trace >= 90) {
    std::cerr << config << "\n";
  }

  // Reset the RNG state.
  assert(RNG_RandomUpdate(NULL, 0) == SECSuccess);
  assert(SSL_SetURL(sslFd, "fuzz.client") == SECSuccess);

  TlsCommon::EnableAllProtocolVersions();
  TlsCommon::EnableAllCipherSuites(sslFd);
  TlsCommon::FixTime(sslFd);

  // Set socket callbacks & options from client config.
  config.SetCallbacks(sslFd);
  config.SetSocketOptions(sslFd);

  // Perform the acutal handshake.
  TlsCommon::DoHandshake(sslFd, false);

  // Release all SIDs.
  SSL_ClearSessionCache();

  return 0;
}

extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
                                          size_t maxSize, unsigned int seed) {
  Mutators mutators = {TlsMutators::DropRecord, TlsMutators::ShuffleRecords,
                       TlsMutators::DuplicateRecord,
                       TlsMutators::TruncateRecord,
                       TlsMutators::FragmentRecord};
  return CustomMutate(mutators, data, size, maxSize, seed);
}

extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1,
                                            const uint8_t* data2, size_t size2,
                                            uint8_t* out, size_t maxOutSize,
                                            unsigned int seed) {
  return TlsMutators::CrossOver(data1, size1, data2, size2, out, maxOutSize,
                                seed);
}

Line	Count	Source (jump to first uncovered line)
1		/* This Source Code Form is subject to the terms of the Mozilla Public
2		* License, v. 2.0. If a copy of the MPL was not distributed with this
3		* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
4
5		#include <cassert>
6		#include <cstddef>
7		#include <cstdint>
8		#include <iostream>
9
10		#include "blapi.h"
11		#include "seccomon.h"
12		#include "ssl.h"
13		#include "sslimpl.h"
14
15		#include "base/database.h"
16		#include "base/mutate.h"
17		#include "tls/client_config.h"
18		#include "tls/common.h"
19		#include "tls/mutators.h"
20		#include "tls/socket.h"
21
22		#ifdef IS_DTLS_FUZZ
23	34.7k	#define ImportFD DTLS_ImportFD
24		#else
25		#define ImportFD SSL_ImportFD
26		#endif // IS_DTLS_FUZZ
27
28	34.7k	extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
29	34.7k	static NSSDatabase db = NSSDatabase();
30	34.7k	static PRDescIdentity id = PR_GetUniqueIdentity("fuzz-client");
31
32		// Create and import dummy socket.
33	34.7k	TlsSocket::DummyPrSocket socket = TlsSocket::DummyPrSocket(data, size);
34	34.7k	ScopedPRFileDesc prFd(DummyIOLayerMethods::CreateFD(id, &socket));
35	34.7k	PRFileDesc* sslFd = ImportFD(nullptr, prFd.get());
36	34.7k	assert(sslFd == prFd.get());
37
38		// Derive client config from input data.
39	34.7k	TlsClient::Config config = TlsClient::Config(data, size);
40
41	34.7k	if (ssl_trace >= 90) {
42	0	std::cerr << config << "\n";
43	0	}
44
45		// Reset the RNG state.
46	34.7k	assert(RNG_RandomUpdate(NULL, 0) == SECSuccess);
47	34.7k	assert(SSL_SetURL(sslFd, "fuzz.client") == SECSuccess);
48
49	34.7k	TlsCommon::EnableAllProtocolVersions();
50	34.7k	TlsCommon::EnableAllCipherSuites(sslFd);
51	34.7k	TlsCommon::FixTime(sslFd);
52
53		// Set socket callbacks & options from client config.
54	34.7k	config.SetCallbacks(sslFd);
55	34.7k	config.SetSocketOptions(sslFd);
56
57		// Perform the acutal handshake.
58	34.7k	TlsCommon::DoHandshake(sslFd, false);
59
60		// Release all SIDs.
61	34.7k	SSL_ClearSessionCache();
62
63	34.7k	return 0;
64	34.7k	}
65
66		extern "C" size_t LLVMFuzzerCustomMutator(uint8_t* data, size_t size,
67	0	size_t maxSize, unsigned int seed) {
68	0	Mutators mutators = {TlsMutators::DropRecord, TlsMutators::ShuffleRecords,
69	0	TlsMutators::DuplicateRecord,
70	0	TlsMutators::TruncateRecord,
71	0	TlsMutators::FragmentRecord};
72	0	return CustomMutate(mutators, data, size, maxSize, seed);
73	0	}
74
75		extern "C" size_t LLVMFuzzerCustomCrossOver(const uint8_t* data1, size_t size1,
76		const uint8_t* data2, size_t size2,
77		uint8_t* out, size_t maxOutSize,
78	0	unsigned int seed) {
79	0	return TlsMutators::CrossOver(data1, size1, data2, size2, out, maxOutSize,
80	0	seed);
81	0	}

Coverage Report

Created: 2025-06-24 06:49