Migrate static transport security state fuzzer to LibFuzzer.

BUG=599523

Review-Url: https://codereview.chromium.org/2582323004
Cr-Commit-Position: refs/heads/master@{#440922}

net/BUILD.gn

@@ -2076,6 +2076,18 @@ fuzzer_test("net_http_security_headers_hpkp_report_only_fuzzer") {
   dict = "data/fuzzer_dictionaries/net_http_security_headers_fuzzer.dict"
 }
 
+fuzzer_test("net_http_transport_security_state_static_fuzzer") {
+  sources = [
+    "http/transport_security_state_static_fuzzer.cc",
+  ]
+  deps = [
+    ":net_fuzzer_test_support",
+    "//net",
+  ]
+  dict =
+      "data/fuzzer_dictionaries/net_http_transport_security_state_fuzzer.dict"
+}
+
 if (host_toolchain == current_toolchain) {
   executable("domain_security_preload_generator") {
     sources = gypi_values.net_domain_security_state_generator_sources

net/data/fuzzer_dictionaries/net_http_transport_security_state_fuzzer.dict

+# Copyright 2016 The Chromium Authors. All rights reserved.
+# Use of this source code is governed by a BSD-style license that can be
+# found in the LICENSE file.
+
+# Fuzzer dictionary targetting (static) transport security state lookups.
+
+"xn--"
+
+# Common preloaded TLDs
+"com"
+"org"
+"org"
+"de"
+"cn"
+"net"
+"eu"
+"nl"
+"net"
+"us"
+"co.uk"
+
+# Characters in the Huffman Tree
+"\x00"
+"-"
+"."
+"0"
+"1"
+"2"
+"3"
+"4"
+"5"
+"6"
+"7"
+"8"
+"9"
+"a"
+"b"
+"c"
+"d"
+"e"
+"f"
+"g"
+"h"
+"i"
+"j"
+"k"
+"l"
+"m"
+"n"
+"o"
+"p"
+"q"
+"r"
+"s"
+"t"
+"u"
+"v"
+"w"
+"x"
+"y"
+"z"
+"\x7F"

net/http/transport_security_state.h

@@ -477,6 +477,7 @@ class NET_EXPORT TransportSecurityState
 
  private:
   friend class TransportSecurityStateTest;
+  friend class TransportSecurityStateStaticFuzzer;
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPOnly);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, UpdateDynamicPKPMaxAge0);
   FRIEND_TEST_ALL_PREFIXES(HttpSecurityHeadersTest, NoClobberPins);

net/http/transport_security_state_static_fuzzer.cc

+// Copyright 2016 The Chromium Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style license that can be
+// found in the LICENSE file.
+
+#include <string>
+
+#include "net/http/transport_security_state.h"
+
+namespace net {
+
+class TransportSecurityStateStaticFuzzer {
+ public:
+  bool FuzzStaticDomainState(TransportSecurityState* state,
+                             const std::string& input) {
+    state->enable_static_pins_ = true;
+    TransportSecurityState::STSState sts_result;
+    TransportSecurityState::PKPState pkp_result;
+    return state->GetStaticDomainState(input, &sts_result, &pkp_result);
+  }
+
+  bool FuzzStaticExpectCTState(TransportSecurityState* state,
+                               const std::string& input) {
+    state->enable_static_expect_ct_ = true;
+    TransportSecurityState::ExpectCTState result;
+    return state->GetStaticExpectCTState(input, &result);
+  }
+
+  bool FuzzStaticExpectStapleState(TransportSecurityState* state,
+                                   const std::string& input) {
+    state->enable_static_expect_staple_ = true;
+    TransportSecurityState::ExpectStapleState result;
+    return state->GetStaticExpectStapleState(input, &result);
+  }
+};
+
+}  // namespace net
+
+extern "C" int LLVMFuzzerTestOneInput(const uint8_t* data, size_t size) {
+  std::string input(reinterpret_cast<const char*>(data), size);
+
+  net::TransportSecurityStateStaticFuzzer helper;
+  net::TransportSecurityState state;
+
+  helper.FuzzStaticDomainState(&state, input);
+  helper.FuzzStaticExpectCTState(&state, input);
+  helper.FuzzStaticExpectStapleState(&state, input);
+
+  return 0;
+}

net/http/transport_security_state_unittest.cc

@@ -486,29 +486,6 @@ TEST_F(TransportSecurityStateTest, MatchesCase1) {
   EXPECT_TRUE(state.ShouldUpgradeToSSL("example.com"));
 }
 
-TEST_F(TransportSecurityStateTest, Fuzz) {
-  TransportSecurityState state;
-  TransportSecurityState::STSState sts_state;
-  TransportSecurityState::PKPState pkp_state;
-
-  EnableStaticPins(&state);
-
-  for (size_t i = 0; i < 128; i++) {
-    std::string hostname;
-
-    for (;;) {
-      if (base::RandInt(0, 16) == 7) {
-        break;
-      }
-      if (i > 0 && base::RandInt(0, 7) == 7) {
-        hostname.append(1, '.');
-      }
-      hostname.append(1, 'a' + base::RandInt(0, 25));
-    }
-    state.GetStaticDomainState(hostname, &sts_state, &pkp_state);
-  }
-}
-
 TEST_F(TransportSecurityStateTest, MatchesCase2) {
   TransportSecurityState state;
   const base::Time current_time(base::Time::Now());