提交 d69d8f90 编写于 作者: K Kurt Roeckx

Make the fuzzers more reproducible

We want to be in the same global state each time we come in
FuzzerTestOneInput(). There are various reasons why we might not be that
include:
- Initialization that happens on first use. This is mostly the
  RUN_ONCE() things, or loading of error strings.
- Results that get cached. For instance a stack that is sorted, RSA
  blinding that has been set up, ...

So I try to trigger as much as possible in FuzzerInitialize(), and for
things I didn't find out how to trigger this it needs to happen in
FuzzerTestOneInput().
Reviewed-by: NRich Salz <rsalz@openssl.org>
GH: #2023
上级 0282aeb6
......@@ -16,6 +16,7 @@
#include <openssl/asn1.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>
#include <openssl/err.h>
#include "fuzzer.h"
static BIO *bio_out;
......@@ -23,12 +24,16 @@ static BIO *bio_out;
int FuzzerInitialize(int *argc, char ***argv)
{
bio_out = BIO_new_file("/dev/null", "w");
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_get_state();
CRYPTO_free_ex_index(0, -1);
return 1;
}
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
(void)ASN1_parse_dump(bio_out, buf, len, 0, 0);
ERR_clear_error();
return 0;
}
......
......@@ -15,6 +15,7 @@
#include <stdio.h>
#include <openssl/bn.h>
#include <openssl/err.h>
#include "fuzzer.h"
static BN_CTX *ctx;
......@@ -33,6 +34,9 @@ int FuzzerInitialize(int *argc, char ***argv)
b5 = BN_new();
ctx = BN_CTX_new();
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_get_state();
return 1;
}
......@@ -104,6 +108,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
done:
OPENSSL_assert(success);
ERR_clear_error();
return 0;
}
......
......@@ -14,10 +14,14 @@
#include <openssl/bio.h>
#include <openssl/cms.h>
#include <openssl/err.h>
#include "fuzzer.h"
int FuzzerInitialize(int *argc, char ***argv)
{
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_get_state();
CRYPTO_free_ex_index(0, -1);
return 1;
}
......@@ -41,6 +45,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
BIO_free(in);
ERR_clear_error();
return 0;
}
......
......@@ -13,10 +13,13 @@
*/
#include <openssl/conf.h>
#include <openssl/err.h>
#include "fuzzer.h"
int FuzzerInitialize(int *argc, char ***argv)
{
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_get_state();
return 1;
}
......@@ -35,6 +38,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
NCONF_load_bio(conf, in, &eline);
NCONF_free(conf);
BIO_free(in);
ERR_clear_error();
return 0;
}
......
......@@ -10,10 +10,14 @@
#include <openssl/x509.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include "fuzzer.h"
int FuzzerInitialize(int *argc, char ***argv)
{
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_get_state();
CRYPTO_free_ex_index(0, -1);
return 1;
}
......@@ -33,6 +37,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
X509_CRL_free(crl);
}
ERR_clear_error();
return 0;
}
......
......@@ -14,10 +14,14 @@
#include <stdio.h>
#include <openssl/ct.h>
#include <openssl/err.h>
#include "fuzzer.h"
int FuzzerInitialize(int *argc, char ***argv)
{
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
CRYPTO_free_ex_index(0, -1);
ERR_get_state();
return 1;
}
......@@ -38,6 +42,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
SCT_LIST_free(scts);
}
ERR_clear_error();
return 0;
}
......
......@@ -16,6 +16,7 @@
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/rsa.h>
#include <openssl/err.h>
#include "fuzzer.h"
static const uint8_t kCertificateDER[] = {
......@@ -189,34 +190,29 @@ static const uint8_t kRSAPrivateKeyDER[] = {
0x98, 0x46, 0x89, 0x82, 0x40,
};
static SSL_CTX *ctx;
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
extern int rand_predictable;
#endif
#define ENTROPY_NEEDED 32
/* unused, to avoid warning. */
static int idx;
int FuzzerInitialize(int *argc, char ***argv)
{
const uint8_t *bufp = kRSAPrivateKeyDER;
RSA *privkey;
EVP_PKEY *pkey;
int ret;
X509 *cert;
STACK_OF(SSL_COMP) *comp_methods;
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL);
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
ERR_get_state();
CRYPTO_free_ex_index(0, -1);
idx = SSL_get_ex_data_X509_STORE_CTX_idx();
RAND_add("", 1, ENTROPY_NEEDED);
RAND_status();
RSA_get_default_method();
comp_methods = SSL_COMP_get_compression_methods();
OPENSSL_sk_sort((OPENSSL_STACK *)comp_methods);
ctx = SSL_CTX_new(SSLv23_method());
privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
OPENSSL_assert(privkey != NULL);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, privkey);
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
OPENSSL_assert(ret == 1);
EVP_PKEY_free(pkey);
bufp = kCertificateDER;
cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
OPENSSL_assert(cert != NULL);
ret = SSL_CTX_use_certificate(ctx, cert);
OPENSSL_assert(ret == 1);
X509_free(cert);
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
rand_predictable = 1;
......@@ -230,16 +226,37 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
SSL *server;
BIO *in;
BIO *out;
if (!len) {
SSL_CTX *ctx;
int ret;
RSA *privkey;
const uint8_t *bufp = kRSAPrivateKeyDER;
EVP_PKEY *pkey;
X509 *cert;
if (len == 0)
return 0;
}
/* TODO: make this work for OpenSSL. There's a PREDICT define that may do
* the job.
/*
* TODO: use the ossltest engine (optionally?) to disable crypto checks.
* RAND_reset_for_fuzzing();
*/
/* This only fuzzes the initial flow from the client so far. */
ctx = SSL_CTX_new(SSLv23_method());
privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER));
OPENSSL_assert(privkey != NULL);
pkey = EVP_PKEY_new();
EVP_PKEY_assign_RSA(pkey, privkey);
ret = SSL_CTX_use_PrivateKey(ctx, pkey);
OPENSSL_assert(ret == 1);
EVP_PKEY_free(pkey);
bufp = kCertificateDER;
cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER));
OPENSSL_assert(cert != NULL);
ret = SSL_CTX_use_certificate(ctx, cert);
OPENSSL_assert(ret == 1);
X509_free(cert);
server = SSL_new(ctx);
in = BIO_new(BIO_s_mem());
out = BIO_new(BIO_s_mem());
......@@ -256,10 +273,12 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
}
}
SSL_free(server);
ERR_clear_error();
SSL_CTX_free(ctx);
return 0;
}
void FuzzerCleanup(void)
{
SSL_CTX_free(ctx);
}
......@@ -10,10 +10,14 @@
#include <openssl/x509.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include "fuzzer.h"
int FuzzerInitialize(int *argc, char ***argv)
{
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
ERR_get_state();
CRYPTO_free_ex_index(0, -1);
return 1;
}
......@@ -34,6 +38,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
X509_free(x509);
}
ERR_clear_error();
return 0;
}
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册