net/http/http_security_headers_hpkp_fuzzer.cc - Issue 2448603002: Add simple HPKP and HSTS header parser fuzzers.

Side by Side Diff

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Keyboard Shortcuts

	File
u :	up to issue
j / k :	jump to file after / before current file
J / K :	jump to next file with a comment after / before current file
	Side-by-side diff
i :	toggle intra-line diffs
e :	expand all comments
c :	collapse all comments
s :	toggle showing all comments
n / p :	next / previous diff chunk or comment
N / P :	next / previous comment
<Up> / <Down> :	next / previous line

	Issue
u :	up to list of issues
j / k :	jump to patch after / before current patch
o / <Enter> :	open current patch in side-by-side view
i :	open current patch in unified diff view

	Issue List
j / k :	jump to issue after / before current issue
o / <Enter> :	open current issue

Side by Side Diff: net/http/http_security_headers_hpkp_fuzzer.cc

Issue 2448603002: Add simple HPKP and HSTS header parser fuzzers. (Closed)

Patch Set: Add HPKP and HSTS header parser fuzzers. Created 4 years, 1 month ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

View unified diff | Download patch

OLD	NEW
(Empty)
	1 // Copyright 2016 The Chromium Authors. All rights reserved.

	2 // Use of this source code is governed by a BSD-style license that can be

	3 // found in the LICENSE file.

	4

	5 #include <stddef.h>

	6 #include <stdint.h>

	7 #include <string>

	8

	9 #include "base/time/time.h"

	10 #include "net/base/hash_value.h"

	11 #include "net/http/http_security_headers.h"

	12 #include "net/ssl/ssl_info.h"

	13 #include "url/gurl.h"

	14

	15 extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {

	16 std::string input(data, data + size);

	17 base::TimeDelta max_age;

	18 bool include_subdomains;

	19 net::HashValueVector spki_hashes;

	20 GURL report_uri;

	21

	22 net::HashValue hash;

	23 hash.FromString("sha256/1111111111111111111111111111111111111111111=");
	aizatsky 2016/10/25 19:11:20 does this need to be a valid hash of anything? Wil does this need to be a valid hash of anything? Will the code below try to verify it? martijnc 2016/10/25 19:40:52 The hash is only compared to other hashes. Passing Show quoted text On 2016/10/25 at 19:11:20, aizatsky wrote: > does this need to be a valid hash of anything? Will the code below try to verify it? The hash is only compared to other hashes. Passing in an invalid hash would also work I think. We could pass part of \|data\| to hash::FromString and also fuzz that and ignore the return value. Not sure how useful or representative that would be for HPKP. net::ParseHPKPHeader checks that at least one of the pins matches the ones in SSLInfo::public_key_hashes (which represents the hashes of the certificates in the certificate chain currently in use) and that at least one of the pins does not match. This ensures you don't lock out the user by pinning keys that you aren't currently using and that you pin at least one backup (a key that isn't in use). My thinking was that passing in at least on hash (could) give the fuzzer better coverage because IsPinListValid() returns early otherwise [1]. [1] https://cs.chromium.org/chromium/src/net/http/http_security_headers.cc?sq=pac...
	24

	25 net::SSLInfo ssl_info;

	26 ssl_info.public_key_hashes.push_back(hash);

	27

	28 net::ParseHPKPHeader(input, ssl_info.public_key_hashes, &max_age,

	29 &include_subdomains, &spki_hashes, &report_uri);

	30 return 0;

	31 }

OLD	NEW