openssl/fuzz
Kurt Roeckx 5579eab9ef Update fuzz corpora
This is a new minimal corpus with the following changes:
- asn1: files: 1135 (+474), tuples: 27236 (+7496)
- asn1parse: files: 305 (-3), tuples: 8758 (+11)
- bignum: files: 370 (-1), tuples: 9547 (+10)
- bndiv: files: 160 (+0), tuples: 2416 (+6)
- cms: files: 155 (-1), tuples: 3408 (+0)
- conf: files: 231 (-11), tuples: 4668 (+3)
- crl: files: 905 (+188), tuples: 22876 (+4096)
- ct: files: 117 (+35), tuples: 3557 (+908)
- x509: files: 920, tuples: 28334

Note that tuple count depends on the binary and is random.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-23 20:01:54 +01:00
..
corpora Update fuzz corpora 2016-08-23 20:01:54 +01:00
asn1.c Include what we use. 2016-08-01 11:30:33 +01:00
asn1parse.c Run the fuzzing corpora as tests. 2016-07-01 13:45:45 +01:00
bignum.c fix 'set but not used' warning 2016-07-01 16:05:37 +01:00
bndiv.c Run the fuzzing corpora as tests. 2016-07-01 13:45:45 +01:00
build.info Fix no-ct 2016-07-25 08:18:14 +01:00
cms.c Run the fuzzing corpora as tests. 2016-07-01 13:45:45 +01:00
conf.c Run the fuzzing corpora as tests. 2016-07-01 13:45:45 +01:00
crl.c Re-add x509 and crl fuzzer 2016-07-01 17:02:33 +02:00
ct.c Fix strict-warnings build 2016-07-18 10:28:45 +01:00
driver.c
fuzzer.h Run the fuzzing corpora as tests. 2016-07-01 13:45:45 +01:00
helper.py
README.md Some minor tweaks to the fuzzing docs 2016-08-01 22:07:04 +01:00
server.c Don't rely on implicit rsa.h inclusion 2016-07-10 21:09:38 -04:00
test-corpus.c Skip non-existing files. 2016-07-26 21:01:05 +02:00
x509.c Re-add x509 and crl fuzzer 2016-07-01 17:02:33 +02:00

I Can Haz Fuzz?

LibFuzzer

Or, how to fuzz OpenSSL with libfuzzer.

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

$ sudo apt-get install git
$ mkdir git-work
$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
$ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

$ cd
$ sudo apt-get install subversion
$ mkdir svn-work
$ cd svn-work
$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
$ cd Fuzzer
$ clang++ -c -g -O2 -std=c++11 *.cpp
$ ar r libFuzzer.a *.o
$ ranlib libFuzzer.a

Configure for fuzzing:

$ CC=clang ./config enable-fuzz-libfuzzer \
        --with-fuzzer-include=../../svn-work/Fuzzer \
        --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
        -DPEDANTIC enable-asan enable-ubsan no-shared
$ sudo apt-get install make
$ LDCMD=clang++ make -j
$ fuzz/helper.py $FUZZER

Where $FUZZER is one of the executables in fuzz/.

If you get a crash, you should find a corresponding input file in fuzz/corpora/$FUZZER-crash/. You can reproduce the crash with

$ fuzz/$FUZZER <crashfile>

AFL

Configure for fuzzing:

$ sudo apt-get install afl-clang
$ CC=afl-clang-fast ./config enable-fuzz-afl no-shared
$ make

Run one of the fuzzers:

$ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where $FUZZER is one of the executables in fuzz/.