Loading Configure +18 −3 Original line number Diff line number Diff line Loading @@ -301,7 +301,8 @@ my @disablables = ( "engine", "err", "filenames", "fuzz", "fuzz-libfuzzer", "fuzz-afl", "gost", "heartbeats", "hw(-.+)?", Loading Loading @@ -365,7 +366,8 @@ our %disabled = ( # "what" => "comment" "asan" => "default", "ec_nistp_64_gcc_128" => "default", "egd" => "default", "fuzz" => "default", "fuzz-libfuzzer" => "default", "fuzz-afl" => "default", "md2" => "default", "rc5" => "default", "sctp" => "default", Loading Loading @@ -698,6 +700,14 @@ foreach (@argvcopy) { $withargs{zlib_include}=$1; } elsif (/^--with-fuzzer-lib=(.*)$/) { $withargs{fuzzer_lib}=$1; } elsif (/^--with-fuzzer-include=(.*)$/) { $withargs{fuzzer_include}=$1; } elsif (/^--with-fipslibdir=(.*)$/) { $config{fipslibdir}="$1/"; Loading Loading @@ -1042,11 +1052,15 @@ if ($disabled{"dynamic-engine"}) { $config{dynamic_engines} = 1; } unless ($disabled{fuzz}) { unless ($disabled{"fuzz-libfuzzer"}) { push @{$config{dirs}}, "fuzz"; $config{cflags} .= "-fsanitize-coverage=edge,indirect-calls "; } unless ($disabled{"fuzz-afl"}) { push @{$config{dirs}}, "fuzz"; } unless ($disabled{asan}) { $config{cflags} .= "-fsanitize=address "; } Loading Loading @@ -1379,6 +1393,7 @@ if ($builder eq "unified") { $template->fill_in(HASH => { config => \%config, target => \%target, disabled => \%disabled, withargs => \%withargs, builddir => abs2rel($buildd, $blddir), sourcedir => abs2rel($sourced, $blddir), buildtop => abs2rel($blddir, $blddir), Loading fuzz/README.md +24 −1 Original line number Diff line number Diff line # I Can Haz Fuzz? LibFuzzer ========= Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html). Starting from a vanilla+OpenSSH server Ubuntu install. Loading Loading 
@@ -32,7 +35,10 @@ https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer): Configure for fuzzing: $ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared $ CC=clang ./config enable-fuzz-libfuzzer \ --with-fuzzer-include=../../svn-work/Fuzzer \ --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \ enable-asan enable-ubsan no-shared $ sudo apt-get install make $ LDCMD=clang++ make -j $ fuzz/helper.py <fuzzer> <arguments> Loading @@ -45,3 +51,20 @@ If you get a crash, you should find a corresponding input file in `fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with $ fuzz/<fuzzer> <crashfile> AFL === Configure for fuzzing: $ sudo apt-get install afl-clang $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared $ make Run one of the fuzzers: $ afl-fuzz fuzz/<fuzzer> -i fuzz/corpora/<fuzzer> -o fuzz/corpora/<fuzzer>/out <fuzzer> <arguments> Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not need any command line arguments, but, for example, `asn1` needs the name of a data type. fuzz/asn1.c +1 −1 Original line number Diff line number Diff line Loading @@ -60,7 +60,7 @@ static const ASN1_ITEM *item_type[] = { NULL }; int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) { for (int n = 0; item_type[n] != NULL; ++n) { const uint8_t *b = buf; ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, item_type[n]); Loading fuzz/asn1parse.c +1 −1 Original line number Diff line number Diff line Loading @@ -18,7 +18,7 @@ #include <openssl/x509v3.h> #include "fuzzer.h" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) { static BIO *bio_out; if (bio_out == NULL) Loading fuzz/bignum.c +1 −1 Original line number Diff line number Diff line Loading 
@@ -17,7 +17,7 @@ #include <openssl/bn.h> #include "fuzzer.h" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) { int success = 0; static BN_CTX *ctx; static BN_MONT_CTX *mont; Loading Loading
Configure +18 −3 Original line number Diff line number Diff line Loading @@ -301,7 +301,8 @@ my @disablables = ( "engine", "err", "filenames", "fuzz", "fuzz-libfuzzer", "fuzz-afl", "gost", "heartbeats", "hw(-.+)?", Loading Loading @@ -365,7 +366,8 @@ our %disabled = ( # "what" => "comment" "asan" => "default", "ec_nistp_64_gcc_128" => "default", "egd" => "default", "fuzz" => "default", "fuzz-libfuzzer" => "default", "fuzz-afl" => "default", "md2" => "default", "rc5" => "default", "sctp" => "default", Loading Loading @@ -698,6 +700,14 @@ foreach (@argvcopy) { $withargs{zlib_include}=$1; } elsif (/^--with-fuzzer-lib=(.*)$/) { $withargs{fuzzer_lib}=$1; } elsif (/^--with-fuzzer-include=(.*)$/) { $withargs{fuzzer_include}=$1; } elsif (/^--with-fipslibdir=(.*)$/) { $config{fipslibdir}="$1/"; Loading Loading @@ -1042,11 +1052,15 @@ if ($disabled{"dynamic-engine"}) { $config{dynamic_engines} = 1; } unless ($disabled{fuzz}) { unless ($disabled{"fuzz-libfuzzer"}) { push @{$config{dirs}}, "fuzz"; $config{cflags} .= "-fsanitize-coverage=edge,indirect-calls "; } unless ($disabled{"fuzz-afl"}) { push @{$config{dirs}}, "fuzz"; } unless ($disabled{asan}) { $config{cflags} .= "-fsanitize=address "; } Loading Loading @@ -1379,6 +1393,7 @@ if ($builder eq "unified") { $template->fill_in(HASH => { config => \%config, target => \%target, disabled => \%disabled, withargs => \%withargs, builddir => abs2rel($buildd, $blddir), sourcedir => abs2rel($sourced, $blddir), buildtop => abs2rel($blddir, $blddir), Loading
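Review bot: In the hunk at @@ -1042,11 +1052,15 @@, `push @{$config{dirs}}, "fuzz";` now appears in both the `fuzz-libfuzzer` and the `fuzz-afl` branch, so a build configured with both options enabled gets "fuzz" twice in `$config{dirs}`; nothing in the new code rejects that combination or deduplicates the list. Hoisting the push into one guard that fires when either option is enabled keeps the directory list unique, and the coverage flag stays tied to libFuzzer only. Since the harness entry point is being renamed so a single driver can be selected, the two modes are presumably mutually exclusive — if so, an explicit `die` when both are enabled would be the clearer check; I have not verified that from this page. The surrounding `unless ($disabled{asan})` block continues outside the hunk.
```perl
unless ($disabled{"fuzz-libfuzzer"} && $disabled{"fuzz-afl"}) {
    push @{$config{dirs}}, "fuzz";
}
unless ($disabled{"fuzz-libfuzzer"}) {
    $config{cflags} .= "-fsanitize-coverage=edge,indirect-calls ";
}
# … unchanged: unless ($disabled{asan}) { … } …
```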
fuzz/README.md +24 −1 Original line number Diff line number Diff line # I Can Haz Fuzz? LibFuzzer ========= Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html). Starting from a vanilla+OpenSSH server Ubuntu install. Loading Loading @@ -32,7 +35,10 @@ https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer): Configure for fuzzing: $ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared $ CC=clang ./config enable-fuzz-libfuzzer \ --with-fuzzer-include=../../svn-work/Fuzzer \ --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \ enable-asan enable-ubsan no-shared $ sudo apt-get install make $ LDCMD=clang++ make -j $ fuzz/helper.py <fuzzer> <arguments> Loading @@ -45,3 +51,20 @@ If you get a crash, you should find a corresponding input file in `fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with $ fuzz/<fuzzer> <crashfile> AFL === Configure for fuzzing: $ sudo apt-get install afl-clang $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared $ make Run one of the fuzzers: $ afl-fuzz fuzz/<fuzzer> -i fuzz/corpora/<fuzzer> -o fuzz/corpora/<fuzzer>/out <fuzzer> <arguments> Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not need any command line arguments, but, for example, `asn1` needs the name of a data type.
fuzz/asn1.c +1 −1 Original line number Diff line number Diff line Loading @@ -60,7 +60,7 @@ static const ASN1_ITEM *item_type[] = { NULL }; int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) { for (int n = 0; item_type[n] != NULL; ++n) { const uint8_t *b = buf; ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, item_type[n]); Loading
fuzz/asn1parse.c +1 −1 Original line number Diff line number Diff line Loading @@ -18,7 +18,7 @@ #include <openssl/x509v3.h> #include "fuzzer.h" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) { static BIO *bio_out; if (bio_out == NULL) Loading
fuzz/bignum.c +1 −1 Original line number Diff line number Diff line Loading @@ -17,7 +17,7 @@ #include <openssl/bn.h> #include "fuzzer.h" int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) { int success = 0; static BN_CTX *ctx; static BN_MONT_CTX *mont; Loading