Merge 0ff5949 into 80b2f61

BUILD.gn

@@ -55,9 +55,11 @@ if (current_toolchain != "${dir_pw_toolchain}/default:default") {
     group("fuzz_tests") {
       deps = [
         "${chip_root}/src/credentials/tests:fuzz-chip-cert",
+        "${chip_root}/src/credentials/tests:fuzz-der-cert",
         "${chip_root}/src/lib/core/tests:fuzz-tlv-reader",
         "${chip_root}/src/lib/dnssd/minimal_mdns/tests:fuzz-minmdns-packet-parsing",
         "${chip_root}/src/lib/format/tests:fuzz-payload-decoder",
+        "${chip_root}/src/setup_payload/tests:fuzz-qrcode-setup-payload-parsing",
       ]
     }
   }

docs/guides/BUILDING.md

@@ -360,6 +360,41 @@ To compile, use:
 After which tests should be located in
 `out/linux-x64-tests-clang-asan-libfuzzer/tests/`.
 
+#### unit test execution
+
+After compiling the `libfuzzer` unit tests above, they can be run by simply
+executing the produced binary(s).
+
+For example:
+
+```
+./out/linux-x64-tests-clang-asan-libfuzzer/tests/fuzz-tlv-reader
+```
+
+In addition to the raw binaries, Matter provides sample
+[input seed corpera](https://github.com/google/fuzzing/blob/master/docs/glossary.md#seed-corpus)
+and
+[fuzzing dictionaries](https://github.com/google/fuzzing/blob/master/docs/glossary.md#dictionary)
+located in the `integrations/fuzz` directory. These can be used to increase
+fuzzing efficiency.
+
+Example usage of input seed corpus and dictionary for the fuzz-tlv-reader
+target:
+
+```
+# Fuzz target: fuzz-tlv-reader
+# Output (generated corpus) directory: ./output-tlv-corpus
+# Input seed corpus: ./integrations/fuzz/fuzz-tlv-reader-corpus
+# Fuzzing dictionary: ./integrations/fuzz/fuzz-tlv-reader.dict
+mkdir output-tlv-corpus
+./out/linux-x64-tests-clang-asan-libfuzzer/tests/fuzz-tlv-reader ./output-tlv-corpus \
+    ./integrations/fuzz/fuzz-tlv-reader-corpus \
+    -dict=./integrations/fuzz/fuzz-tlv-reader.dict 1> /dev/null
+```
+
+Note that the fuzz-chip-cert driver is based on Matter / CHIP binary certificate
+formats, so the `tlv` dictionary can be re-used for that driver as well.
+
 #### `ossfuzz` configurations
 
 `ossfuzz` configurations are not stand-alone fuzzing and instead serve as an

integrations/fuzz/fuzz-chip-cert-corpus/sChipTest_RCAC_Subject_MatterId_Missing_Cert_CHIP

@@ -0,0 +1,3 @@
+0
,j�c) `�$
7&�'&n��L7$
$
0	Am�C,"�X�w�j�#���Op�9>���
+��J���"��	�u��3��YJ8����:wD����ì�7
+5
)
$`0�%���]�g�R4������0�%���]�g�R4������0@�g���[+~o�-�Z?!�=����H�RݸsТyi�n��Vߌ+R��8F7HDs?b�ݺ�>�\

integrations/fuzz/fuzz-der-cert.dict

@@ -0,0 +1,36 @@
+# ASN1 constants extracted from src/lib/asn1/ASN1.h
+
+# ASN1TagClasses
+kASN1TagClass_Universal       = "\x00"
+kASN1TagClass_Application     = "\x40"
+kASN1TagClass_ContextSpecific = "\x80"
+kASN1TagClass_Private         = "\xC0"
+
+# ASN1UniversalTags
+kASN1UniversalTag_Boolean         = "\x01"
+kASN1UniversalTag_Integer         = "\x02"
+kASN1UniversalTag_BitString       = "\x03"
+kASN1UniversalTag_OctetString     = "\x04"
+kASN1UniversalTag_Null            = "\x05"
+kASN1UniversalTag_ObjectId        = "\x06"
+kASN1UniversalTag_ObjectDesc      = "\x07"
+kASN1UniversalTag_External        = "\x08"
+kASN1UniversalTag_Real            = "\x09"
+kASN1UniversalTag_Enumerated      = "\x0A"
+kASN1UniversalTag_UTF8String      = "\x0C"
+kASN1UniversalTag_Sequence        = "\x10"
+kASN1UniversalTag_Set             = "\x11"
+kASN1UniversalTag_NumericString   = "\x12"
+kASN1UniversalTag_PrintableString = "\x13"
+kASN1UniversalTag_T61String       = "\x14"
+kASN1UniversalTag_VideotexString  = "\x15"
+kASN1UniversalTag_IA5String       = "\x16"
+kASN1UniversalTag_UTCTime         = "\x17"
+kASN1UniversalTag_GeneralizedTime = "\x18"
+kASN1UniversalTag_GraphicString   = "\x19"
+kASN1UniversalTag_VisibleString   = "\x1A"
+kASN1UniversalTag_GeneralString   = "\x1B"
+kASN1UniversalTag_UniversalString = "\x1C"
+
+kASN1UniversalTag_Sequence_Constructed = "\x30"
+kASN1UniversalTag_Set_Constructed = "\x31"

integrations/fuzz/fuzz-minmdns-packet-parsing.dict

@@ -0,0 +1,28 @@
+# MDNS Dictionary Constants extracted from connectedhomeip/src/lib/dnssd/minimal_mdns/core/Constants.h
+
+# QType
+A         = "\x01"
+NS        = "\x02"
+CNAME     = "\x05"
+SOA       = "\x06"
+NULLVALUE = "\x0A"
+WKS       = "\x0B"
+PTR       = "\x0C"
+HINFO     = "\x0D"
+MINFO     = "\x0E"
+MX        = "\x0F"
+TXT       = "\x10"
+ISDN      = "\x14"
+AAAA      = "\x1C"
+SRV       = "\x21"
+DNAM      = "\x27"
+ANY       = "\xFF"
+
+# QClass
+IN_UNICAST  = "\x80\x01"
+IN_FLUSH    = "\x80\x01"
+
+# ResourceType
+kAnswer     = "\x01"
+kAuthority  = "\x02"
+kAdditional = "\x03"

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/a

@@ -0,0 +1 @@
+MT:ABC

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/b

@@ -0,0 +1 @@
+MT:

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/c

@@ -0,0 +1 @@
+H:

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/d

@@ -0,0 +1 @@
+ASMT:

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/default

@@ -0,0 +1 @@
+MT:M5L90MP500K64J00000

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/e

@@ -0,0 +1 @@
+Z%MT:ABC%

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/f

@@ -0,0 +1 @@
+Z%MT:ABC

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/g

@@ -0,0 +1 @@
+%Z%MT:ABC

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/h

@@ -0,0 +1 @@
+%Z%MT:ABC%

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/i

@@ -0,0 +1 @@
+%Z%MT:ABC%DDD

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/j

@@ -0,0 +1 @@
+MT:ABC%DDD

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/k

@@ -0,0 +1 @@
+MT:ABC%

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/l

@@ -0,0 +1 @@
+%MT:

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/m

@@ -0,0 +1 @@
+%MT:%

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/n

@@ -0,0 +1 @@
+A%

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/o

@@ -0,0 +1 @@
+MT:%

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/optional

@@ -0,0 +1 @@
+Z%MT:-24J0AFN00KA064IJ3P0JFQB7TZZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T1VFSK1S3DO1ZTZR1UNMJ1DK5N1K8SQ1RYCU1--ZL15PKP1CD5T11UXS0%Z

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/p

@@ -0,0 +1 @@
+%MT:ABC

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/padded

@@ -0,0 +1 @@
+Z%MT:M5L90MP500K64J00000%Z

integrations/fuzz/fuzz-qrcode-setup-payload-parsing-corpus/q

@@ -0,0 +1 @@
+ABC

integrations/fuzz/fuzz-qrcode-setup-payload-parsing.dict

@@ -0,0 +1,55 @@
+"MT:"
+"%"
+"*"
+"-"
+"--"
+"1518"
+"153000120A00D00561E77A68A9FD975057375B9283A818"
+"153000FF0A001998AB7130E38B7E9A401CFE9F7B79AF18"
+"153000130A00191998AB7130E38B7E9A401CFE9F7B79AF18"
+"153000110A001998AB7130E38B7E9A401CFE9F7B7918"
+"0A00D00561E77A68A9FD975057375B9283A8"
+"0A001998AB7130E38B7E9A401CFE9F7B79"
+"15300012FFFF8BEA0C775F001981365D6362E1C0665A18"
+"76553581916553565535"
+"A0"
+"OT10"
+"-N.B0"
+"OT100"
+"Y6V91"
+"KL0B1"
+"Q-M08"
+"Z0"
+"R600"
+"81000"
+"R6"
+"NE71"
+"PLS18"
+"KKHF3W2S013OPM3EJX11"
+"0\\001"
+"\\0010"
+"[0"
+"0["
+" 0"
+"!0"
+"\"0"
+"#0"
+"$0"
+"%0"
+"&0"
+"'0"
+"(0"
+")0"
+"*0"
+"+0"
+",0"
+";0"
+"<0"
+"=0"
+">0"
+"@0"
+"S6"
+"S600"
+"OE71"
+"OE710"
+"QLS18"

integrations/fuzz/fuzz-tlv-reader.dict

@@ -0,0 +1,53 @@
+# Anonymous tag control bytes
+anon_control_signed_int_1octet="\x00"
+anon_control_signed_int_2octet="\x01"
+anon_control_signed_int_4octet="\x02"
+anon_control_signed_int_8octet="\x03"
+anon_control_unsigned_int_1octet="\x04"
+anon_control_unsigned_int_2octet="\x05"
+anon_control_unsigned_int_4octet="\x06"
+anon_control_unsigned_int_8octet="\x07"
+anon_control_boolean_false="\x08"
+anon_control_boolean_true="\x09"
+anon_control_float_4octet="\x0A"
+anon_control_float_8octet="\x0B"
+anon_control_utf8_string_1octet="\x0C"
+anon_control_utf8_string_2octet="\x0D"
+anon_control_utf8_string_4octet="\x0E"
+anon_control_utf8_string_8octet="\x0F"
+anon_control_octet_string_1octet="\x10"
+anon_control_octet_string_2octet="\x11"
+anon_control_octet_string_4octet="\x12"
+anon_control_octet_string_8octet="\x13"
+anon_control_null="\x14"
+anon_control_structure="\x15"
+anon_control_array="\x16"
+anon_control_list="\x17"
+anon_control_end_container="\x18"
+
+# Context-specific tag control bytes
+ctx_control_signed_int_1octet="\x20"
+ctx_control_signed_int_2octet="\x21"
+ctx_control_signed_int_4octet="\x22"
+ctx_control_signed_int_8octet="\x23"
+ctx_control_unsigned_int_1octet="\x24"
+ctx_control_unsigned_int_2octet="\x25"
+ctx_control_unsigned_int_4octet="\x26"
+ctx_control_unsigned_int_8octet="\x27"
+ctx_control_boolean_false="\x28"
+ctx_control_boolean_true="\x29"
+ctx_control_float_4octet="\x2A"
+ctx_control_float_8octet="\x2B"
+ctx_control_utf8_string_1octet="\x2C"
+ctx_control_utf8_string_2octet="\x2D"
+ctx_control_utf8_string_4octet="\x2E"
+ctx_control_utf8_string_8octet="\x2F"
+ctx_control_octet_string_1octet="\x30"
+ctx_control_octet_string_2octet="\x31"
+ctx_control_octet_string_4octet="\x32"
+ctx_control_octet_string_8octet="\x33"
+ctx_control_null="\x34"
+ctx_control_structure="\x35"
+ctx_control_array="\x36"
+ctx_control_list="\x37"
+ctx_control_end_container="\x38"

src/credentials/tests/BUILD.gn

@@ -81,4 +81,8 @@ if (enable_fuzz_test_targets) {
     sources = [ "FuzzChipCert.cpp" ]
     public_deps = [ "${chip_root}/src/credentials" ]
   }
+  chip_fuzz_target("fuzz-der-cert") {
+    sources = [ "FuzzDERCert.cpp" ]
+    public_deps = [ "${chip_root}/src/credentials" ]
+  }
 }

src/credentials/tests/FuzzChipCert.cpp

@@ -8,29 +8,50 @@ using namespace chip::Credentials;
 
 extern "C" int LLVMFuzzerTestOneInput(const uint8_t * data, size_t len)
 {
-
-    NodeId nodeId;
-    FabricId fabricId;
-
     ByteSpan span(data, len);
 
-    (void) ExtractFabricIdFromCert(span, &fabricId);
-    (void) ExtractNodeIdFabricIdFromOpCert(span, &nodeId, &fabricId);
+    {
+        NodeId nodeId;
+        FabricId fabricId;
+        (void) ExtractFabricIdFromCert(span, &fabricId);
+        (void) ExtractNodeIdFabricIdFromOpCert(span, &nodeId, &fabricId);
+    }
 
     {
-        ChipDN dn;
-        (void) ExtractSubjectDNFromX509Cert(span, dn);
+        CATValues cats;
+        (void) ExtractCATsFromOpCert(span, cats);
     }
 
     {
         Credentials::P256PublicKeySpan key;
         (void) ExtractPublicKeyFromChipCert(span, key);
     }
 
+    {
+        chip::System::Clock::Seconds32 rcacNotBefore;
+        (void) ExtractNotBeforeFromChipCert(span, rcacNotBefore);
+    }
+
+    {
+        Credentials::CertificateKeyId skid;
+        (void) ExtractSKIDFromChipCert(span, skid);
+    }
+
+    {
+        ChipDN subjectDN;
+        (void) ExtractSubjectDNFromChipCert(span, subjectDN);
+    }
+
     {
         ChipCertificateData certData;
         (void) DecodeChipCert(span, certData);
     }
 
+    {
+        uint8_t outCertBuf[kMaxDERCertLength];
+        MutableByteSpan outCert(outCertBuf);
+        (void) ConvertChipCertToX509Cert(span, outCert);
+    }
+
     return 0;
 }

src/credentials/tests/FuzzDERCert.cpp

@@ -0,0 +1,25 @@
+#include <cstddef>
+#include <cstdint>
+
+#include "credentials/CHIPCert.h"
+
+using namespace chip;
+using namespace chip::Credentials;
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t * data, size_t len)
+{
+    ByteSpan span(data, len);
+
+    {
+        ChipDN dn;
+        (void) ExtractSubjectDNFromX509Cert(span, dn);
+    }
+
+    {
+        uint8_t outCertBuf[kMaxCHIPCertLength];
+        MutableByteSpan outCert(outCertBuf);
+        (void) ConvertX509CertToChipCert(span, outCert);
+    }
+
+    return 0;
+}

src/lib/core/tests/FuzzTlvReader.cpp

@@ -4,10 +4,17 @@
 #include "lib/core/TLV.h"
 #include "lib/core/TLVUtilities.h"
 
+using namespace chip;
+using namespace chip::TLV;
+
 using chip::TLV::TLVReader;
 
 static CHIP_ERROR FuzzIterator(const TLVReader & aReader, size_t aDepth, void * aContext)
 {
+    aReader.GetLength();
+    aReader.GetTag();
+    aReader.GetType();
+
     return CHIP_NO_ERROR;
 }