bc5b2a2e22
If running the stack through a fuzzer, we would like execution to be completely deterministic. This is gated on a BORINGSSL_UNSAFE_FUZZER_MODE #ifdef. For now, this just uses the zero ChaCha20 key and a global counter. As needed, we can extend this to a thread-local counter and a separate ChaCha20 stream and counter per input length. Change-Id: Ic6c9d8a25e70d68e5dc6804e2c234faf48e51395 Reviewed-on: https://boringssl-review.googlesource.com/7286 Reviewed-by: Adam Langley <agl@google.com>
#include <assert.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
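// Process-wide fuzzer state. Owns the one SSL_CTX that is created when the
// object is constructed and released when it is destroyed.
struct GlobalState {
  GlobalState() : ctx(SSL_CTX_new(SSLv23_method())) {
    // SSL_CTX_new returns NULL on failure. Stop at startup instead of letting
    // every fuzz iteration run against a NULL context, where the resulting
    // failure would be attributed to the fuzz input rather than to setup.
    // (The check is compiled out if the harness is built with NDEBUG.)
    assert(ctx != NULL);
  }

  ~GlobalState() {
    SSL_CTX_free(ctx);
  }

  // Set once in the constructor; the const pointer cannot be reseated.
  SSL_CTX *const ctx;
};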
// File-local instance, constructed during static initialisation. Its ctx is
// the context LLVMFuzzerTestOneInput passes to SSL_new on every call.
static GlobalState g_state;
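// libFuzzer entry point. Hands |buf| to a fresh TLS client as the bytes it
// will read from its peer, then runs one SSL_do_handshake call over them.
//
// buf, len: fuzzer-supplied input, treated as untrusted data.
// Returns 0 for every input.
extern "C" int LLVMFuzzerTestOneInput(uint8_t *buf, size_t len) {
  // Restart the fuzzing RNG so each input sees the same "random" stream and
  // findings reproduce. The deterministic behaviour is gated on
  // BORINGSSL_UNSAFE_FUZZER_MODE; a build with that define has a predictable
  // RNG and is for fuzzing only.
  RAND_reset_for_fuzzing();

  // This only fuzzes the initial flow from the server so far.
  SSL *client = SSL_new(g_state.ctx);
  BIO *in = BIO_new(BIO_s_mem());
  BIO *out = BIO_new(BIO_s_mem());
  if (client == NULL || in == NULL || out == NULL) {
    // An allocation failed before the BIOs were handed to |client|. Free
    // whatever was created (both free functions accept NULL) and skip the
    // input, so a setup failure is not reported as a crash on this input.
    BIO_free(in);
    BIO_free(out);
    SSL_free(client);
    return 0;
  }

  // |client| now owns both BIOs; SSL_free below releases them with it.
  SSL_set_bio(client, in, out);
  SSL_set_connect_state(client);

  // BIO_write takes an int length, so |len| is narrowed here.
  // NOTE(review): harmless while the fuzzer's maximum input length stays far
  // below INT_MAX; confirm the configured limit.
  BIO_write(in, buf, len);
  // The handshake result is not checked: the harness looks for crashes and
  // sanitizer reports, and handshake errors on malformed input are expected.
  SSL_do_handshake(client);
  SSL_free(client);

  return 0;
}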