Matt Caswell 6244f53177 Update copyright year 6 vuotta sitten
..
corpora e25aef64a5 Add fuzz corpora file that found the ASN.1 stack depth issue 6 vuotta sitten
README.md 0d72c6c66f Fix link to LibFuzzer 8 vuotta sitten
asn1.c 68e71e9d00 Include what we use. 8 vuotta sitten
asn1parse.c 90d28f0519 Run the fuzzing corpora as tests. 8 vuotta sitten
bignum.c 352dbbaf4c fix 'set but not used' warning 8 vuotta sitten
bndiv.c 90d28f0519 Run the fuzzing corpora as tests. 8 vuotta sitten
build.info 49dadc1cb7 Fix no-ct 8 vuotta sitten
cms.c a1aa038608 [fuzzers] do not fail fuzzers with empty input 8 vuotta sitten
conf.c 3a3f9ed140 conf fuzzer: also check for an empty file 8 vuotta sitten
crl.c a05b0bcf87 Re-add x509 and crl fuzzer 8 vuotta sitten
ct.c 33e49fda96 Fix strict-warnings build 8 vuotta sitten
driver.c 0a3206539a include stdlib for malloc() and free() 8 vuotta sitten
fuzzer.h 90d28f0519 Run the fuzzing corpora as tests. 8 vuotta sitten
helper.py 44c8a5e2b9 Add final(?) set of copyrights. 8 vuotta sitten
server.c a1aa038608 [fuzzers] do not fail fuzzers with empty input 8 vuotta sitten
test-corpus.c 6244f53177 Update copyright year 6 vuotta sitten
x509.c a05b0bcf87 Re-add x509 and crl fuzzer 8 vuotta sitten

README.md

I Can Haz Fuzz?

LibFuzzer

Or, how to fuzz OpenSSL with libfuzzer.

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

$ sudo apt-get install git
$ mkdir git-work
$ git clone https://chromium.googlesource.com/chromium/src/tools/clang
$ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

$ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

$ cd
$ sudo apt-get install subversion
$ mkdir svn-work
$ cd svn-work
$ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
$ cd Fuzzer
$ clang++ -c -g -O2 -std=c++11 *.cpp
$ ar r libFuzzer.a *.o
$ ranlib libFuzzer.a

Configure for fuzzing:

$ CC=clang ./config enable-fuzz-libfuzzer \
        --with-fuzzer-include=../../svn-work/Fuzzer \
        --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
        -DPEDANTIC enable-asan enable-ubsan no-shared
$ sudo apt-get install make
$ LDCMD=clang++ make -j
$ fuzz/helper.py $FUZZER

Where $FUZZER is one of the executables in fuzz/.

If you get a crash, you should find a corresponding input file in fuzz/corpora/$FUZZER-crash/. You can reproduce the crash with

$ fuzz/$FUZZER <crashfile>

AFL

Configure for fuzzing:

$ sudo apt-get install afl-clang
$ CC=afl-clang-fast ./config enable-fuzz-afl no-shared
$ make

Run one of the fuzzers:

$ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where $FUZZER is one of the executables in fuzz/.