Bug 1315622 - Fuzzing mode: Check that TLS connection transcripts are…

… deterministic r=franziskus Differential Revision: https://nss-review.dev.mozaws.net/D35
sailfishos-mirror · Nov 7, 2016 · ee2b9ba · ee2b9ba
1 parent febb81c
commit ee2b9ba
Show file tree

Hide file tree

Showing 4 changed files with 51 additions and 1 deletion.
diff --git a/gtests/ssl_gtest/databuffer.h b/gtests/ssl_gtest/databuffer.h
@@ -132,7 +132,9 @@ class DataBuffer {
     data_ = new uint8_t[len_ ? len_ : 1];
 
     // The head of the old.
-    Write(0, old_value, std::min(old_len, index));
+    if (old_value) {
+      Write(0, old_value, std::min(old_len, index));
+    }
     // Maybe a gap.
     if (index > old_len) {
       memset(old_value + index, 0, index - old_len);

diff --git a/gtests/ssl_gtest/ssl_fuzz_unittest.cc b/gtests/ssl_gtest/ssl_fuzz_unittest.cc
@@ -68,5 +68,34 @@ TEST_P(TlsConnectGeneric, Fuzz_DeterministicExporter) {
   EXPECT_EQ(out1, out2);
 }
 
+// Check that due to the deterministic RNG two consecutive
+// TLS sessions will have the exact same transcript.
+TEST_P(TlsConnectGeneric, Fuzz_DeterministicTranscript) {
+  // Connect a few times and compare the transcripts byte-by-byte.
+  DataBuffer last;
+  for (size_t i = 0; i < 5; i++) {
+    Reset();
+    ConfigureSessionCache(RESUME_NONE, RESUME_NONE);
+    DisableECDHEServerKeyReuse();
+
+    DataBuffer buffer;
+    client_->SetPacketFilter(new TlsConversationRecorder(buffer));
+    server_->SetPacketFilter(new TlsConversationRecorder(buffer));
+
+    ResetState();
+    Connect();
+
+    // Ensure the filters go away before |buffer| does.
+    client_->SetPacketFilter(nullptr);
+    server_->SetPacketFilter(nullptr);
+
+    if (last.len() > 0) {
+      EXPECT_EQ(last, buffer);
+    }
+
+    last = buffer;
+  }
+}
+
 #endif
 }
diff --git a/gtests/ssl_gtest/tls_filter.cc b/gtests/ssl_gtest/tls_filter.cc
@@ -243,6 +243,12 @@ PacketFilter::Action TlsInspectorReplaceHandshakeMessage::FilterHandshake(
   return KEEP;
 }
 
+PacketFilter::Action TlsConversationRecorder::FilterRecord(
+    const RecordHeader& header, const DataBuffer& input, DataBuffer* output) {
+  buffer_.Append(input);
+  return KEEP;
+}
+
 PacketFilter::Action TlsAlertRecorder::FilterRecord(const RecordHeader& header,
                                                     const DataBuffer& input,
                                                     DataBuffer* output) {

diff --git a/gtests/ssl_gtest/tls_filter.h b/gtests/ssl_gtest/tls_filter.h
@@ -162,6 +162,19 @@ class TlsInspectorReplaceHandshakeMessage : public TlsHandshakeFilter {
   DataBuffer buffer_;
 };
 
+// Make a copy of the complete conversation.
+class TlsConversationRecorder : public TlsRecordFilter {
+ public:
+  TlsConversationRecorder(DataBuffer &buffer) : buffer_(buffer) {}
+
+  virtual PacketFilter::Action FilterRecord(const RecordHeader& header,
+                                            const DataBuffer& input,
+                                            DataBuffer* output);
+
+ private:
+  DataBuffer &buffer_;
+};
+
 // Records an alert.  If an alert has already been recorded, it won't save the
 // new alert unless the old alert is a warning and the new one is fatal.
 class TlsAlertRecorder : public TlsRecordFilter {