"engine",
"err",
"filenames",
- "fuzz",
+ "fuzz-libfuzzer",
+ "fuzz-afl",
"gost",
"heartbeats",
"hw(-.+)?",
"asan" => "default",
"ec_nistp_64_gcc_128" => "default",
"egd" => "default",
- "fuzz" => "default",
+ "fuzz-libfuzzer" => "default",
+ "fuzz-afl" => "default",
"md2" => "default",
"rc5" => "default",
"sctp" => "default",
{
$withargs{zlib_include}=$1;
}
+ elsif (/^--with-fuzzer-lib=(.*)$/)
+ {
+ $withargs{fuzzer_lib}=$1;
+ }
+ elsif (/^--with-fuzzer-include=(.*)$/)
+ {
+ $withargs{fuzzer_include}=$1;
+ }
elsif (/^--with-fipslibdir=(.*)$/)
{
$config{fipslibdir}="$1/";
$config{dynamic_engines} = 1;
}
-unless ($disabled{fuzz}) {
+unless ($disabled{"fuzz-libfuzzer"}) {
push @{$config{dirs}}, "fuzz";
$config{cflags} .= "-fsanitize-coverage=edge,indirect-calls ";
}
+unless ($disabled{"fuzz-afl"}) {
+ push @{$config{dirs}}, "fuzz";
+}
+
unless ($disabled{asan}) {
$config{cflags} .= "-fsanitize=address ";
}
$template->fill_in(HASH => { config => \%config,
target => \%target,
disabled => \%disabled,
+ withargs => \%withargs,
builddir => abs2rel($buildd, $blddir),
sourcedir => abs2rel($sourced, $blddir),
buildtop => abs2rel($blddir, $blddir),
# I Can Haz Fuzz?
+LibFuzzer
+=========
+
Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html).
Starting from a vanilla+OpenSSH server Ubuntu install.
Configure for fuzzing:
- $ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared
+ $ CC=clang ./config enable-fuzz-libfuzzer \
+ --with-fuzzer-include=../../svn-work/Fuzzer \
+ --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
+ enable-asan enable-ubsan no-shared
$ sudo apt-get install make
$ LDCMD=clang++ make -j
$ fuzz/helper.py <fuzzer> <arguments>
`fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with
$ fuzz/<fuzzer> <crashfile>
+
+AFL
+===
+
+Configure for fuzzing:
+
+ $ sudo apt-get install afl-clang
+ $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared
+ $ make
+
+Run one of the fuzzers:
+
+ $ afl-fuzz fuzz/<fuzzer> -i fuzz/corpora/<fuzzer> -o fuzz/corpora/<fuzzer>/out <fuzzer> <arguments>
+
+Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not
+need any command line arguments, but, for example, `asn1` needs the name of a
+data type.
NULL
};
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
for (int n = 0; item_type[n] != NULL; ++n) {
const uint8_t *b = buf;
ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, item_type[n]);
#include <openssl/x509v3.h>
#include "fuzzer.h"
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
static BIO *bio_out;
if (bio_out == NULL)
#include <openssl/bn.h>
#include "fuzzer.h"
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
int success = 0;
static BN_CTX *ctx;
static BN_MONT_CTX *mont;
#include <openssl/bn.h>
#include "fuzzer.h"
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
int success = 0;
static BN_CTX *ctx;
static BIGNUM *b1;
+{- use File::Spec::Functions;
+ our $ex_inc = $withargs{fuzzer_include} &&
+ (file_name_is_absolute($withargs{fuzzer_include}) ?
+ $withargs{fuzzer_include} : catdir(updir(), $withargs{fuzzer_include}));
+ our $ex_lib = $withargs{fuzzer_lib} &&
+ (file_name_is_absolute($withargs{fuzzer_lib}) ?
+ $withargs{fuzzer_lib} : catfile(updir(), $withargs{fuzzer_lib}));
+ ""
+-}
PROGRAMS=asn1 asn1parse bignum bndiv cms conf ct server
-SOURCE[asn1]=asn1.c
-INCLUDE[asn1]=../include ../../../svn-work/Fuzzer
-DEPEND[asn1]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[asn1]=asn1.c driver.c
+INCLUDE[asn1]=../include {- $ex_inc -}
+DEPEND[asn1]=../libcrypto {- $ex_lib -}
-SOURCE[asn1parse]=asn1parse.c
-INCLUDE[asn1parse]=../include ../../../svn-work/Fuzzer
-DEPEND[asn1parse]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[asn1parse]=asn1parse.c driver.c
+INCLUDE[asn1parse]=../include {- $ex_inc -}
+DEPEND[asn1parse]=../libcrypto {- $ex_lib -}
-SOURCE[bignum]=bignum.c
-INCLUDE[bignum]=../include ../../../svn-work/Fuzzer
-DEPEND[bignum]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[bignum]=bignum.c driver.c
+INCLUDE[bignum]=../include {- $ex_inc -}
+DEPEND[bignum]=../libcrypto {- $ex_lib -}
-SOURCE[bndiv]=bndiv.c
-INCLUDE[bndiv]=../include ../../../svn-work/Fuzzer
-DEPEND[bndiv]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[bndiv]=bndiv.c driver.c
+INCLUDE[bndiv]=../include {- $ex_inc -}
+DEPEND[bndiv]=../libcrypto {- $ex_lib -}
-SOURCE[cms]=cms.c
-INCLUDE[cms]=../include ../../../svn-work/Fuzzer
-DEPEND[cms]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[cms]=cms.c driver.c
+INCLUDE[cms]=../include {- $ex_inc -}
+DEPEND[cms]=../libcrypto {- $ex_lib -}
-SOURCE[conf]=conf.c
-INCLUDE[conf]=../include ../../../svn-work/Fuzzer
-DEPEND[conf]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[conf]=conf.c driver.c
+INCLUDE[conf]=../include {- $ex_inc -}
+DEPEND[conf]=../libcrypto {- $ex_lib -}
-SOURCE[ct]=ct.c
-INCLUDE[ct]=../include ../../../svn-work/Fuzzer
-DEPEND[ct]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[ct]=ct.c driver.c
+INCLUDE[ct]=../include {- $ex_inc -}
+DEPEND[ct]=../libcrypto {- $ex_lib -}
-SOURCE[server]=server.c
-INCLUDE[server]=../include ../../../svn-work/Fuzzer
-DEPEND[server]=../libcrypto ../libssl ../../../svn-work/Fuzzer/libFuzzer
+SOURCE[server]=server.c driver.c
+INCLUDE[server]=../include {- $ex_inc -}
+DEPEND[server]=../libcrypto ../libssl {- $ex_lib -}
#include <openssl/cms.h>
#include "fuzzer.h"
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
BIO *in = BIO_new(BIO_s_mem());
OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
CMS_ContentInfo *i = d2i_CMS_bio(in, NULL);
#include <openssl/conf.h>
#include "fuzzer.h"
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
CONF *conf = NCONF_new(NULL);
BIO *in = BIO_new(BIO_s_mem());
long eline;
#include <openssl/ct.h>
#include "fuzzer.h"
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
const uint8_t **pp = &buf;
STACK_OF(SCT) *scts = d2i_SCT_LIST(NULL, pp, len);
SCT_LIST_free(scts);
--- /dev/null
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+#include <stdint.h>
+#include <unistd.h>
+#include <openssl/opensslconf.h>
+#include "fuzzer.h"
+
+#ifndef OPENSSL_NO_FUZZ_LIBFUZZER
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+ if (FuzzerInitialize)
+ return FuzzerInitialize(argc, argv);
+ return 0;
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+ return FuzzerTestOneInput(buf, len);
+}
+
+#elif !defined(OPENSSL_NO_FUZZ_AFL)
+
+#define BUF_SIZE 65536
+
+int main(int argc, char** argv)
+{
+ if (FuzzerInitialize)
+ FuzzerInitialize(&argc, &argv);
+
+ while (__AFL_LOOP(10000)) {
+ uint8_t *buf = malloc(BUF_SIZE);
+ size_t size = read(0, buf, BUF_SIZE);
+
+ FuzzerTestOneInput(buf, size);
+ free(buf);
+ }
+ return 0;
+}
+
+#else
+
+#error "Unsupported fuzzer"
+
+#endif
* or in the file LICENSE in the source distribution.
*/
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len);
-int LLVMFuzzerInitialize(int *argc, char ***argv);
+int FuzzerTestOneInput(const uint8_t *buf, size_t len);
+__attribute__((weak)) int FuzzerInitialize(int *argc, char ***argv);
X509_free(cert);
}
-int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
+int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
if (ctx == NULL)
Init();
// TODO: make this work for OpenSSL. There's a PREDICT define that may do