boringssl/fuzz/client.cc

#include <assert.h>

#include <openssl/rand.h>
#include <openssl/ssl.h>

struct GlobalState {
  GlobalState() : ctx(SSL_CTX_new(SSLv23_method())) {}

  ~GlobalState() {
    SSL_CTX_free(ctx);
  }

  SSL_CTX *const ctx;
};

static GlobalState g_state;

extern "C" int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
  RAND_reset_for_fuzzing();

  // This only fuzzes the initial flow from the server so far.
  SSL *client = SSL_new(g_state.ctx);
  BIO *in = BIO_new(BIO_s_mem());
  BIO *out = BIO_new(BIO_s_mem());
  SSL_set_bio(client, in, out);
  SSL_set_connect_state(client);

  BIO_write(in, buf, len);
  SSL_do_handshake(client);
  SSL_free(client);

  return 0;
}
Add four, basic fuzz tests. This change adds fuzzing tests for: ∙ Certificate parsing ∙ Private key parsing ∙ ClientHello parsing ∙ Server first flow (ServerHello, Certificate, etc) parsing. Change-Id: I5f53282263eaaff69b1a03c819cca73750433653 Reviewed-on: https://boringssl-review.googlesource.com/6460 Reviewed-by: Adam Langley <agl@google.com> 2015-11-09 21:57:26 +00:00			`#include <assert.h>`

Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00			`#include <openssl/rand.h>`
Add four, basic fuzz tests. This change adds fuzzing tests for: ∙ Certificate parsing ∙ Private key parsing ∙ ClientHello parsing ∙ Server first flow (ServerHello, Certificate, etc) parsing. Change-Id: I5f53282263eaaff69b1a03c819cca73750433653 Reviewed-on: https://boringssl-review.googlesource.com/6460 Reviewed-by: Adam Langley <agl@google.com> 2015-11-09 21:57:26 +00:00			`#include <openssl/ssl.h>`

			`struct GlobalState {`
			`GlobalState() : ctx(SSL_CTX_new(SSLv23_method())) {}`

			`~GlobalState() {`
			`SSL_CTX_free(ctx);`
			`}`

			`SSL_CTX *const ctx;`
			`};`

			`static GlobalState g_state;`

			`extern "C" int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {`
Add a deterministic PRNG for fuzzing. If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com> 2016-03-02 03:57:32 +00:00			`RAND_reset_for_fuzzing();`

Add four, basic fuzz tests. This change adds fuzzing tests for: ∙ Certificate parsing ∙ Private key parsing ∙ ClientHello parsing ∙ Server first flow (ServerHello, Certificate, etc) parsing. Change-Id: I5f53282263eaaff69b1a03c819cca73750433653 Reviewed-on: https://boringssl-review.googlesource.com/6460 Reviewed-by: Adam Langley <agl@google.com> 2015-11-09 21:57:26 +00:00			`// This only fuzzes the initial flow from the server so far.`
			`SSL *client = SSL_new(g_state.ctx);`
			`BIO *in = BIO_new(BIO_s_mem());`
			`BIO *out = BIO_new(BIO_s_mem());`
			`SSL_set_bio(client, in, out);`
			`SSL_set_connect_state(client);`

			`BIO_write(in, buf, len);`
			`SSL_do_handshake(client);`
			`SSL_free(client);`

			`return 0;`
			`}`