提交 f59d0131 编写于 作者: K Kurt Roeckx

Add support for fuzzing with AFL

Reviewed-by: NBen Laurie <ben@links.org>

MR: #2740
上级 255cf605
...@@ -301,7 +301,8 @@ my @disablables = ( ...@@ -301,7 +301,8 @@ my @disablables = (
"engine", "engine",
"err", "err",
"filenames", "filenames",
"fuzz", "fuzz-libfuzzer",
"fuzz-afl",
"gost", "gost",
"heartbeats", "heartbeats",
"hw(-.+)?", "hw(-.+)?",
...@@ -365,7 +366,8 @@ our %disabled = ( # "what" => "comment" ...@@ -365,7 +366,8 @@ our %disabled = ( # "what" => "comment"
"asan" => "default", "asan" => "default",
"ec_nistp_64_gcc_128" => "default", "ec_nistp_64_gcc_128" => "default",
"egd" => "default", "egd" => "default",
"fuzz" => "default", "fuzz-libfuzzer" => "default",
"fuzz-afl" => "default",
"md2" => "default", "md2" => "default",
"rc5" => "default", "rc5" => "default",
"sctp" => "default", "sctp" => "default",
...@@ -698,6 +700,14 @@ foreach (@argvcopy) ...@@ -698,6 +700,14 @@ foreach (@argvcopy)
{ {
$withargs{zlib_include}=$1; $withargs{zlib_include}=$1;
} }
elsif (/^--with-fuzzer-lib=(.*)$/)
{
$withargs{fuzzer_lib}=$1;
}
elsif (/^--with-fuzzer-include=(.*)$/)
{
$withargs{fuzzer_include}=$1;
}
elsif (/^--with-fipslibdir=(.*)$/) elsif (/^--with-fipslibdir=(.*)$/)
{ {
$config{fipslibdir}="$1/"; $config{fipslibdir}="$1/";
...@@ -1042,11 +1052,15 @@ if ($disabled{"dynamic-engine"}) { ...@@ -1042,11 +1052,15 @@ if ($disabled{"dynamic-engine"}) {
$config{dynamic_engines} = 1; $config{dynamic_engines} = 1;
} }
unless ($disabled{fuzz}) { unless ($disabled{"fuzz-libfuzzer"}) {
push @{$config{dirs}}, "fuzz"; push @{$config{dirs}}, "fuzz";
$config{cflags} .= "-fsanitize-coverage=edge,indirect-calls "; $config{cflags} .= "-fsanitize-coverage=edge,indirect-calls ";
} }
unless ($disabled{"fuzz-afl"}) {
push @{$config{dirs}}, "fuzz";
}
unless ($disabled{asan}) { unless ($disabled{asan}) {
$config{cflags} .= "-fsanitize=address "; $config{cflags} .= "-fsanitize=address ";
} }
...@@ -1379,6 +1393,7 @@ if ($builder eq "unified") { ...@@ -1379,6 +1393,7 @@ if ($builder eq "unified") {
$template->fill_in(HASH => { config => \%config, $template->fill_in(HASH => { config => \%config,
target => \%target, target => \%target,
disabled => \%disabled, disabled => \%disabled,
withargs => \%withargs,
builddir => abs2rel($buildd, $blddir), builddir => abs2rel($buildd, $blddir),
sourcedir => abs2rel($sourced, $blddir), sourcedir => abs2rel($sourced, $blddir),
buildtop => abs2rel($blddir, $blddir), buildtop => abs2rel($blddir, $blddir),
......
# I Can Haz Fuzz? # I Can Haz Fuzz?
LibFuzzer
=========
Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html). Or, how to fuzz OpenSSL with [libfuzzer](llvm.org/docs/LibFuzzer.html).
Starting from a vanilla+OpenSSH server Ubuntu install. Starting from a vanilla+OpenSSH server Ubuntu install.
...@@ -32,7 +35,10 @@ https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer): ...@@ -32,7 +35,10 @@ https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):
Configure for fuzzing: Configure for fuzzing:
$ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared $ CC=clang ./config enable-fuzz-libfuzzer \
--with-fuzzer-include=../../svn-work/Fuzzer \
--with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
enable-asan enable-ubsan no-shared
$ sudo apt-get install make $ sudo apt-get install make
$ LDCMD=clang++ make -j $ LDCMD=clang++ make -j
$ fuzz/helper.py <fuzzer> <arguments> $ fuzz/helper.py <fuzzer> <arguments>
...@@ -45,3 +51,20 @@ If you get a crash, you should find a corresponding input file in ...@@ -45,3 +51,20 @@ If you get a crash, you should find a corresponding input file in
`fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with `fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with
$ fuzz/<fuzzer> <crashfile> $ fuzz/<fuzzer> <crashfile>
AFL
===
Configure for fuzzing:
$ sudo apt-get install afl-clang
$ CC=afl-clang-fast ./config enable-fuzz-afl no-shared
$ make
Run one of the fuzzers:
$ afl-fuzz fuzz/<fuzzer> -i fuzz/corpora/<fuzzer> -o fuzz/corpora/<fuzzer>/out <fuzzer> <arguments>
Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not
need any command line arguments, but, for example, `asn1` needs the name of a
data type.
...@@ -60,7 +60,7 @@ static const ASN1_ITEM *item_type[] = { ...@@ -60,7 +60,7 @@ static const ASN1_ITEM *item_type[] = {
NULL NULL
}; };
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
for (int n = 0; item_type[n] != NULL; ++n) { for (int n = 0; item_type[n] != NULL; ++n) {
const uint8_t *b = buf; const uint8_t *b = buf;
ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, item_type[n]); ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, item_type[n]);
......
...@@ -18,7 +18,7 @@ ...@@ -18,7 +18,7 @@
#include <openssl/x509v3.h> #include <openssl/x509v3.h>
#include "fuzzer.h" #include "fuzzer.h"
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
static BIO *bio_out; static BIO *bio_out;
if (bio_out == NULL) if (bio_out == NULL)
......
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include "fuzzer.h" #include "fuzzer.h"
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
int success = 0; int success = 0;
static BN_CTX *ctx; static BN_CTX *ctx;
static BN_MONT_CTX *mont; static BN_MONT_CTX *mont;
......
...@@ -17,7 +17,7 @@ ...@@ -17,7 +17,7 @@
#include <openssl/bn.h> #include <openssl/bn.h>
#include "fuzzer.h" #include "fuzzer.h"
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
int success = 0; int success = 0;
static BN_CTX *ctx; static BN_CTX *ctx;
static BIGNUM *b1; static BIGNUM *b1;
......
{- use File::Spec::Functions;
our $ex_inc = $withargs{fuzzer_include} &&
(file_name_is_absolute($withargs{fuzzer_include}) ?
$withargs{fuzzer_include} : catdir(updir(), $withargs{fuzzer_include}));
our $ex_lib = $withargs{fuzzer_lib} &&
(file_name_is_absolute($withargs{fuzzer_lib}) ?
$withargs{fuzzer_lib} : catfile(updir(), $withargs{fuzzer_lib}));
""
-}
PROGRAMS=asn1 asn1parse bignum bndiv cms conf ct server PROGRAMS=asn1 asn1parse bignum bndiv cms conf ct server
SOURCE[asn1]=asn1.c SOURCE[asn1]=asn1.c driver.c
INCLUDE[asn1]=../include ../../../svn-work/Fuzzer INCLUDE[asn1]=../include {- $ex_inc -}
DEPEND[asn1]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[asn1]=../libcrypto {- $ex_lib -}
SOURCE[asn1parse]=asn1parse.c SOURCE[asn1parse]=asn1parse.c driver.c
INCLUDE[asn1parse]=../include ../../../svn-work/Fuzzer INCLUDE[asn1parse]=../include {- $ex_inc -}
DEPEND[asn1parse]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[asn1parse]=../libcrypto {- $ex_lib -}
SOURCE[bignum]=bignum.c SOURCE[bignum]=bignum.c driver.c
INCLUDE[bignum]=../include ../../../svn-work/Fuzzer INCLUDE[bignum]=../include {- $ex_inc -}
DEPEND[bignum]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[bignum]=../libcrypto {- $ex_lib -}
SOURCE[bndiv]=bndiv.c SOURCE[bndiv]=bndiv.c driver.c
INCLUDE[bndiv]=../include ../../../svn-work/Fuzzer INCLUDE[bndiv]=../include {- $ex_inc -}
DEPEND[bndiv]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[bndiv]=../libcrypto {- $ex_lib -}
SOURCE[cms]=cms.c SOURCE[cms]=cms.c driver.c
INCLUDE[cms]=../include ../../../svn-work/Fuzzer INCLUDE[cms]=../include {- $ex_inc -}
DEPEND[cms]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[cms]=../libcrypto {- $ex_lib -}
SOURCE[conf]=conf.c SOURCE[conf]=conf.c driver.c
INCLUDE[conf]=../include ../../../svn-work/Fuzzer INCLUDE[conf]=../include {- $ex_inc -}
DEPEND[conf]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[conf]=../libcrypto {- $ex_lib -}
SOURCE[ct]=ct.c SOURCE[ct]=ct.c driver.c
INCLUDE[ct]=../include ../../../svn-work/Fuzzer INCLUDE[ct]=../include {- $ex_inc -}
DEPEND[ct]=../libcrypto ../../../svn-work/Fuzzer/libFuzzer DEPEND[ct]=../libcrypto {- $ex_lib -}
SOURCE[server]=server.c SOURCE[server]=server.c driver.c
INCLUDE[server]=../include ../../../svn-work/Fuzzer INCLUDE[server]=../include {- $ex_inc -}
DEPEND[server]=../libcrypto ../libssl ../../../svn-work/Fuzzer/libFuzzer DEPEND[server]=../libcrypto ../libssl {- $ex_lib -}
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
#include <openssl/cms.h> #include <openssl/cms.h>
#include "fuzzer.h" #include "fuzzer.h"
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
BIO *in = BIO_new(BIO_s_mem()); BIO *in = BIO_new(BIO_s_mem());
OPENSSL_assert((size_t)BIO_write(in, buf, len) == len); OPENSSL_assert((size_t)BIO_write(in, buf, len) == len);
CMS_ContentInfo *i = d2i_CMS_bio(in, NULL); CMS_ContentInfo *i = d2i_CMS_bio(in, NULL);
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
#include <openssl/conf.h> #include <openssl/conf.h>
#include "fuzzer.h" #include "fuzzer.h"
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
CONF *conf = NCONF_new(NULL); CONF *conf = NCONF_new(NULL);
BIO *in = BIO_new(BIO_s_mem()); BIO *in = BIO_new(BIO_s_mem());
long eline; long eline;
......
...@@ -16,7 +16,7 @@ ...@@ -16,7 +16,7 @@
#include <openssl/ct.h> #include <openssl/ct.h>
#include "fuzzer.h" #include "fuzzer.h"
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
const uint8_t **pp = &buf; const uint8_t **pp = &buf;
STACK_OF(SCT) *scts = d2i_SCT_LIST(NULL, pp, len); STACK_OF(SCT) *scts = d2i_SCT_LIST(NULL, pp, len);
SCT_LIST_free(scts); SCT_LIST_free(scts);
......
/*
* Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the OpenSSL licenses, (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* https://www.openssl.org/source/license.html
* or in the file LICENSE in the source distribution.
*/
#include <stdint.h>
#include <unistd.h>
#include <openssl/opensslconf.h>
#include "fuzzer.h"
#ifndef OPENSSL_NO_FUZZ_LIBFUZZER
int LLVMFuzzerInitialize(int *argc, char ***argv)
{
if (FuzzerInitialize)
return FuzzerInitialize(argc, argv);
return 0;
}
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) {
return FuzzerTestOneInput(buf, len);
}
#elif !defined(OPENSSL_NO_FUZZ_AFL)
#define BUF_SIZE 65536
int main(int argc, char** argv)
{
if (FuzzerInitialize)
FuzzerInitialize(&argc, &argv);
while (__AFL_LOOP(10000)) {
uint8_t *buf = malloc(BUF_SIZE);
size_t size = read(0, buf, BUF_SIZE);
FuzzerTestOneInput(buf, size);
free(buf);
}
return 0;
}
#else
#error "Unsupported fuzzer"
#endif
...@@ -8,5 +8,5 @@ ...@@ -8,5 +8,5 @@
* or in the file LICENSE in the source distribution. * or in the file LICENSE in the source distribution.
*/ */
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len); int FuzzerTestOneInput(const uint8_t *buf, size_t len);
int LLVMFuzzerInitialize(int *argc, char ***argv); __attribute__((weak)) int FuzzerInitialize(int *argc, char ***argv);
...@@ -208,7 +208,7 @@ static void Init() { ...@@ -208,7 +208,7 @@ static void Init() {
X509_free(cert); X509_free(cert);
} }
int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len) { int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
if (ctx == NULL) if (ctx == NULL)
Init(); Init();
// TODO: make this work for OpenSSL. There's a PREDICT define that may do // TODO: make this work for OpenSSL. There's a PREDICT define that may do
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册