[WIP] Add libnss build and 15 fuzzers from crrev.com/1677803002. (#12)

* Add libnss build and 15 fuzzers from crrev.com/1677803002.

* Added missing $LDFLAGS and used /out/*.a.

* Another attempt to link statically. The best one so far.

* Manually linking with nspr/Linux*/pr/src/misc/prlog2.o.

* Cleanup nss/buil.sh script and disable 2 of 15 nss fuzzers for now.

* Fix comments.

Author: Dor1s

nss/Dockerfile

@@ -0,0 +1,23 @@
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM ossfuzz/base-libfuzzer
+MAINTAINER mmoroz@chromium.org
+RUN apt-get install -y make autoconf automake libtool mercurial zlib1g-dev
+
+COPY build.sh /src/
+
+ENV LD_LIBRARY_PATH "$LD_LIBRARY_PATH:/out"

nss/Jenkinsfile

@@ -0,0 +1,25 @@
+// Copyright 2016 Google Inc.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+////////////////////////////////////////////////////////////////////////////////
+
+def libfuzzerBuild = fileLoader.fromGit('infra/libfuzzer-pipeline.groovy',
+                                        'https://github.com/google/oss-fuzz.git',
+                                        'master', null, '')
+
+libfuzzerBuild {
+  // We can't use git. We need to use mercurial (hg) and checkout 2 repos.
+  // build.sh does the checkout with hg. The below is just a dummy.
+  git = "https://github.com/google/oss-fuzz"
+}

nss/build.sh

@@ -0,0 +1,71 @@
+#!/bin/bash -eu
+# Copyright 2016 Google Inc.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd /src/nss
+
+# Check out the code using mercurial.
+rm -rf nspr
+rm -rf nss
+hg clone https://hg.mozilla.org/projects/nspr
+hg clone https://hg.mozilla.org/projects/nss
+
+# Build the library.
+mkdir -p /work/nss
+cp -u -r /src/nss/* /work/nss/
+cd /work/nss/nss
+make BUILD_OPT=1 USE_64=1 NSS_DISABLE_GTESTS=1 CC="$CC $CFLAGS" \
+    CXX="$CXX $CXXFLAGS" LD="$CC $CFLAGS" ZDEFS_FLAG= clean nss_build_all
+cd ..
+
+# Copy libraries and some objects to /work/nss/lib.
+mkdir -p /work/nss/lib
+cp dist/Linux*/lib/*.a /work/nss/lib
+cp nspr/Linux*/pr/src/misc/prlog2.o /work/nss/lib
+
+# Copy includes to /work/nss/include.
+mkdir -p /work/nss/include
+cp -rL dist/Linux*/include/* /work/nss/include
+cp -rL dist/{public,private}/nss/* /work/nss/include
+
+
+# Build the fuzzers.
+FUZZERS="asn1_algorithmid_fuzzer \
+  asn1_any_fuzzer \
+  asn1_bitstring_fuzzer \
+  asn1_bmpstring_fuzzer \
+  asn1_boolean_fuzzer \
+  asn1_generalizedtime_fuzzer \
+  asn1_ia5string_fuzzer \
+  asn1_integer_fuzzer \
+  asn1_null_fuzzer \
+  asn1_objectid_fuzzer \
+  asn1_octetstring_fuzzer \
+  asn1_utctime_fuzzer \
+  asn1_utf8string_fuzzer"
+
+# The following fuzzers are currently disabled due to linking issues:
+#  cert_certificate_fuzzer, seckey_privatekeyinfo_fuzzer
+
+
+for fuzzer in $FUZZERS; do
+  $CXX $CXXFLAGS -std=c++11 /src/oss-fuzz/nss/fuzzers/$fuzzer.cc \
+     -I/work/nss/include \
+     /work/libfuzzer/*.o \
+     /work/nss/lib/libnss.a /work/nss/lib/libnssutil.a \
+     /work/nss/lib/libnspr4.a /work/nss/lib/libplc4.a /work/nss/lib/libplds4.a \
+     /work/nss/lib/prlog2.o -o /out/$fuzzer $LDFLAGS
+done

nss/fuzzers/asn1_algorithmid_fuzzer.cc

@@ -0,0 +1,19 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <secoid.h>
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECAlgorithmID, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), data, size);
+  NSSFuzzOneInput<SECAlgorithmID, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SECOID_AlgorithmIDTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_any_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_AnyTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_AnyTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_bitstring_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_BitStringTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_BitStringTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_bmpstring_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_BMPStringTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_BMPStringTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_boolean_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_BooleanTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_BooleanTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_fuzzer_template.h

@@ -0,0 +1,45 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#ifndef ASN1_FUZZER_TEMPLATE_H_
+#define ASN1_FUZZER_TEMPLATE_H_
+
+#include <nspr.h>
+#include <nss.h>
+#include <secasn1.h>
+#include <secder.h>
+#include <secitem.h>
+#include <secport.h>
+#include <stddef.h>
+#include <stdint.h>
+
+template <typename DestinationType,
+          SECStatus (*DecodeFunction)(PLArenaPool*,
+                                      void*,
+                                      const SEC_ASN1Template*,
+                                      const SECItem*)>
+void NSSFuzzOneInput(const SEC_ASN1Template* the_template,
+                     const uint8_t* data,
+                     size_t size) {
+  DestinationType* destination = new DestinationType();
+  memset(destination, 0, sizeof(DestinationType));
+
+  PLArenaPool* arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
+  if (!arena) {
+    delete destination;
+    return;
+  }
+
+  SECItem source;
+  source.type = siBuffer;
+  source.data = static_cast<unsigned char*>(const_cast<uint8_t*>(data));
+  source.len = static_cast<unsigned int>(size);
+
+  DecodeFunction(arena, destination, the_template, &source);
+
+  PORT_FreeArena(arena, PR_FALSE);
+  delete destination;
+}
+
+#endif  // ASN1_FUZZER_TEMPLATE_H_

nss/fuzzers/asn1_generalizedtime_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_GeneralizedTimeTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_ia5string_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_IA5StringTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_IA5StringTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_integer_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_IntegerTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_IntegerTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_null_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_NullTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_NullTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_objectid_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_ObjectIDTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_ObjectIDTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_octetstring_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_OctetStringTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_OctetStringTemplate), data, size);
+
+  return 0;
+}

nss/fuzzers/asn1_utctime_fuzzer.cc

@@ -0,0 +1,18 @@
+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <stddef.h>
+#include <stdint.h>
+
+#include "asn1_fuzzer_template.h"
+
+// Entry point for LibFuzzer.
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  NSSFuzzOneInput<SECItem, SEC_QuickDERDecodeItem>(
+      SEC_ASN1_GET(SEC_UTCTimeTemplate), data, size);
+  NSSFuzzOneInput<SECItem, SEC_ASN1DecodeItem>(
+      SEC_ASN1_GET(SEC_UTCTimeTemplate), data, size);
+
+  return 0;
+}