openssl/fuzz
Kurt Roeckx 4e9954799a Make client and server fuzzer support all ciphers
Also send a SNI extension in the client so the fuzzer can react to it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2088
2016-12-16 01:08:22 +01:00
..
corpora Update client fuzz corpus 2016-12-09 23:35:06 +01:00
asn1.c Make asn1 fuzzer more reproducible 2016-12-08 19:06:17 +01:00
asn1parse.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00
bignum.c bignum fuzzer: move new and free calls to the init and cleanup function. 2016-12-03 00:14:14 +01:00
bndiv.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00
build.info And client fuzzer 2016-12-08 19:06:18 +01:00
client.c Make client and server fuzzer support all ciphers 2016-12-16 01:08:22 +01:00
cms.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00
conf.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00
crl.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00
ct.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00
driver.c Add a FuzzerClean() function 2016-12-03 00:14:14 +01:00
fuzzer.h Add a FuzzerClean() function 2016-12-03 00:14:14 +01:00
helper.py Add final(?) set of copyrights. 2016-06-01 11:27:25 -04:00
README.md Document the recommended parameters for fuzzing 2016-12-16 01:08:22 +01:00
server.c Make client and server fuzzer support all ciphers 2016-12-16 01:08:22 +01:00
test-corpus.c Add a FuzzerClean() function 2016-12-03 00:14:14 +01:00
x509.c Make the fuzzers more reproducible 2016-12-03 00:14:15 +01:00

I Can Haz Fuzz?

LibFuzzer

Or, how to fuzz OpenSSL with libfuzzer.

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

$ sudo apt-get install git
$ mkdir git-work
$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
$ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

$ cd
$ sudo apt-get install subversion
$ mkdir svn-work
$ cd svn-work
$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
$ cd Fuzzer
$ clang++ -c -g -O2 -std=c++11 *.cpp
$ ar r libFuzzer.a *.o
$ ranlib libFuzzer.a

Configure for fuzzing:

$ CC=clang ./config enable-fuzz-libfuzzer \
        --with-fuzzer-include=../../svn-work/Fuzzer \
        --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
        -DPEDANTIC enable-asan enable-ubsan no-shared \
        -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
        -fsanitize-coverage=edge,indirect-calls,8bit-counters \
        enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
        enable-weak-ssl-ciphers enable-rc5 enable-md2 \
        enable-ssl3 enable-ssl3-method enable-nextprotoneg
$ sudo apt-get install make
$ LDCMD=clang++ make -j
$ fuzz/helper.py $FUZZER

Where $FUZZER is one of the executables in fuzz/.

If you get a crash, you should find a corresponding input file in fuzz/corpora/$FUZZER-crash/. You can reproduce the crash with

$ fuzz/$FUZZER <crashfile>

AFL

Configure for fuzzing:

$ sudo apt-get install afl-clang
$ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
    enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
    enable-ssl3 enable-ssl3-method enable-nextprotoneg \
    enable-ec_nistp_64_gcc_128
$ make

The following options can also be enabled: enable-asan, enable-ubsan, enable-msan

Run one of the fuzzers:

$ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where $FUZZER is one of the executables in fuzz/.