Run the fuzzing corpora as tests.

Reviewed-by: Richard Levitte <[email protected]> Reviewed-by: Rich Salz <[email protected]>
johnshajiang · Jul 1, 2016 · 90d28f0 · 90d28f0
1 parent 2c12f22
commit 90d28f0
Show file tree

Hide file tree

Showing 16 changed files with 298 additions and 129 deletions.
diff --git a/.gitignore b/.gitignore
@@ -60,14 +60,21 @@ Makefile
 # Executables
 /apps/openssl
 /fuzz/asn1
+/fuzz/asn1-test
 /fuzz/asn1parse
+/fuzz/asn1parse-test
 /fuzz/bignum
+/fuzz/bignum-test
 /fuzz/bndiv
+/fuzz/bndiv-test
 /fuzz/conf
+/fuzz/conf-test
 /fuzz/cms
+/fuzz/cms-test
 /fuzz/ct
+/fuzz/ct-test
 /fuzz/server
-/fuzz/x509
+/fuzz/server-test
 /test/sha256t
 /test/sha512t
 /test/gost2814789t

diff --git a/Configure b/Configure
@@ -245,7 +245,7 @@ my $default_ranlib;
 $config{fips}=0;
 
 # Top level directories to build
-$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "tools" ];
+$config{dirs} = [ "crypto", "ssl", "engines", "apps", "test", "tools", "fuzz" ];
 # crypto/ subdirectories to build
 $config{sdirs} = [
     "objects",
@@ -1046,14 +1046,9 @@ if ($disabled{"dynamic-engine"}) {
 }
 
 unless ($disabled{"fuzz-libfuzzer"}) {
-    push @{$config{dirs}}, "fuzz";
     $config{cflags} .= "-fsanitize-coverage=edge,indirect-calls ";
 }
 
-unless ($disabled{"fuzz-afl"}) {
-    push @{$config{dirs}}, "fuzz";
-}
-
 unless ($disabled{asan}) {
     $config{cflags} .= "-fsanitize=address ";
 }
@@ -1337,6 +1332,9 @@ if ($builder eq "unified") {
     }
 
     my @build_infos = ( [ ".", "build.info" ] );
+    push @build_infos, [ "fuzz", "build.info.fuzz" ]
+        unless $disabled{"fuzz-afl"} && $disabled{"fuzz-libfuzzer"};
+
     foreach (@{$config{dirs}}) {
         push @build_infos, [ $_, "build.info" ]
             if (-f catfile($srcdir, $_, "build.info"));

diff --git a/fuzz/asn1.c b/fuzz/asn1.c
@@ -26,45 +26,52 @@
 #include <openssl/x509v3.h>
 #include "fuzzer.h"
 
-static const ASN1_ITEM *item_type[] = {
-    ASN1_ITEM_rptr(ASN1_SEQUENCE),
-    ASN1_ITEM_rptr(AUTHORITY_INFO_ACCESS),
-    ASN1_ITEM_rptr(BIGNUM),
-    ASN1_ITEM_rptr(ECPARAMETERS),
-    ASN1_ITEM_rptr(ECPKPARAMETERS),
-    ASN1_ITEM_rptr(GENERAL_NAME),
-    ASN1_ITEM_rptr(GENERAL_SUBTREE),
-    ASN1_ITEM_rptr(NAME_CONSTRAINTS),
-    ASN1_ITEM_rptr(OCSP_BASICRESP),
-    ASN1_ITEM_rptr(OCSP_RESPONSE),
-    ASN1_ITEM_rptr(PKCS12),
-    ASN1_ITEM_rptr(PKCS12_AUTHSAFES),
-    ASN1_ITEM_rptr(PKCS12_SAFEBAGS),
-    ASN1_ITEM_rptr(PKCS7),
-    ASN1_ITEM_rptr(PKCS7_ATTR_SIGN),
-    ASN1_ITEM_rptr(PKCS7_ATTR_VERIFY),
-    ASN1_ITEM_rptr(PKCS7_DIGEST),
-    ASN1_ITEM_rptr(PKCS7_ENC_CONTENT),
-    ASN1_ITEM_rptr(PKCS7_ENCRYPT),
-    ASN1_ITEM_rptr(PKCS7_ENVELOPE),
-    ASN1_ITEM_rptr(PKCS7_RECIP_INFO),
-    ASN1_ITEM_rptr(PKCS7_SIGN_ENVELOPE),
-    ASN1_ITEM_rptr(PKCS7_SIGNED),
-    ASN1_ITEM_rptr(PKCS7_SIGNER_INFO),
-    ASN1_ITEM_rptr(POLICY_CONSTRAINTS),
-    ASN1_ITEM_rptr(POLICY_MAPPINGS),
-    ASN1_ITEM_rptr(SXNET),
-    //ASN1_ITEM_rptr(TS_RESP),  want to do this, but type is hidden, however d2i exists...
-    ASN1_ITEM_rptr(X509),
-    ASN1_ITEM_rptr(X509_CRL),
+static ASN1_ITEM_EXP *item_type[] = {
+    ASN1_ITEM_ref(ASN1_SEQUENCE),
+    ASN1_ITEM_ref(AUTHORITY_INFO_ACCESS),
+    ASN1_ITEM_ref(BIGNUM),
+    ASN1_ITEM_ref(ECPARAMETERS),
+    ASN1_ITEM_ref(ECPKPARAMETERS),
+    ASN1_ITEM_ref(GENERAL_NAME),
+    ASN1_ITEM_ref(GENERAL_SUBTREE),
+    ASN1_ITEM_ref(NAME_CONSTRAINTS),
+    ASN1_ITEM_ref(OCSP_BASICRESP),
+    ASN1_ITEM_ref(OCSP_RESPONSE),
+    ASN1_ITEM_ref(PKCS12),
+    ASN1_ITEM_ref(PKCS12_AUTHSAFES),
+    ASN1_ITEM_ref(PKCS12_SAFEBAGS),
+    ASN1_ITEM_ref(PKCS7),
+    ASN1_ITEM_ref(PKCS7_ATTR_SIGN),
+    ASN1_ITEM_ref(PKCS7_ATTR_VERIFY),
+    ASN1_ITEM_ref(PKCS7_DIGEST),
+    ASN1_ITEM_ref(PKCS7_ENC_CONTENT),
+    ASN1_ITEM_ref(PKCS7_ENCRYPT),
+    ASN1_ITEM_ref(PKCS7_ENVELOPE),
+    ASN1_ITEM_ref(PKCS7_RECIP_INFO),
+    ASN1_ITEM_ref(PKCS7_SIGN_ENVELOPE),
+    ASN1_ITEM_ref(PKCS7_SIGNED),
+    ASN1_ITEM_ref(PKCS7_SIGNER_INFO),
+    ASN1_ITEM_ref(POLICY_CONSTRAINTS),
+    ASN1_ITEM_ref(POLICY_MAPPINGS),
+    ASN1_ITEM_ref(SXNET),
+    /*ASN1_ITEM_ref(TS_RESP),  want to do this, but type is hidden, however d2i exists... */
+    ASN1_ITEM_ref(X509),
+    ASN1_ITEM_ref(X509_CRL),
     NULL
 };
 
+int FuzzerInitialize(int *argc, char ***argv) {
+    return 1;
+}
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
-    for (int n = 0; item_type[n] != NULL; ++n) {
+    int n;
+
+    for (n = 0; item_type[n] != NULL; ++n) {
         const uint8_t *b = buf;
-        ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, item_type[n]);
-        ASN1_item_free(o, item_type[n]);
+        const ASN1_ITEM *i = ASN1_ITEM_ptr(item_type[n]);
+        ASN1_VALUE *o = ASN1_item_d2i(NULL, &b, len, i);
+        ASN1_item_free(o, i);
     }
     return 0;
 }
diff --git a/fuzz/asn1parse.c b/fuzz/asn1parse.c
@@ -18,6 +18,10 @@
 #include <openssl/x509v3.h>
 #include "fuzzer.h"
 
+int FuzzerInitialize(int *argc, char ***argv) {
+    return 1;
+}
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
     static BIO *bio_out;
 

diff --git a/fuzz/bignum.c b/fuzz/bignum.c
@@ -17,15 +17,21 @@
 #include <openssl/bn.h>
 #include "fuzzer.h"
 
+int FuzzerInitialize(int *argc, char ***argv) {
+    return 1;
+}
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
-    int success = 0;
     static BN_CTX *ctx;
     static BN_MONT_CTX *mont;
     static BIGNUM *b1;
     static BIGNUM *b2;
     static BIGNUM *b3;
     static BIGNUM *b4;
     static BIGNUM *b5;
+    int success = 0;
+    size_t l1 = 0, l2 = 0, l3 = 0;
+    int s1 = 0, s2 = 0, s3 = 0;
 
     if (ctx == NULL) {
         b1 = BN_new();
@@ -36,11 +42,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
         ctx = BN_CTX_new();
         mont = BN_MONT_CTX_new();
     }
-    // Divide the input into three parts, using the values of the first two
-    // bytes to choose lengths, which generate b1, b2 and b3. Use three bits
-    // of the third byte to choose signs for the three numbers.
-    size_t l1 = 0, l2 = 0, l3 = 0;
-    int s1 = 0, s2 = 0, s3 = 0;
+    /* Divide the input into three parts, using the values of the first two
+     * bytes to choose lengths, which generate b1, b2 and b3. Use three bits
+     * of the third byte to choose signs for the three numbers.
+     */
     if (len > 2) {
         len -= 3;
         l1 = (buf[0] * len) / 255;
@@ -61,7 +66,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
     OPENSSL_assert(BN_bin2bn(buf + l1 + l2, l3, b3) == b3);
     BN_set_negative(b3, s3);
 
-    // mod 0 is undefined
+    /* mod 0 is undefined */
     if (BN_is_zero(b3)) {
         success = 1;
         goto done;

diff --git a/fuzz/bndiv.c b/fuzz/bndiv.c
@@ -17,14 +17,21 @@
 #include <openssl/bn.h>
 #include "fuzzer.h"
 
+int FuzzerInitialize(int *argc, char ***argv) {
+    return 1;
+}
+
 int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
-    int success = 0;
     static BN_CTX *ctx;
     static BIGNUM *b1;
     static BIGNUM *b2;
     static BIGNUM *b3;
     static BIGNUM *b4;
     static BIGNUM *b5;
+    int success = 0;
+    size_t l1 = 0, l2 = 0;
+    /* s1 and s2 will be the signs for b1 and b2. */
+    int s1 = 0, s2 = 0;
 
     if (ctx == NULL) {
         b1 = BN_new();
@@ -34,16 +41,15 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
         b5 = BN_new();
         ctx = BN_CTX_new();
     }
-    // We are going to split the buffer in two, sizes l1 and l2, giving b1 and
-    // b2.
-    size_t l1 = 0, l2 = 0;
-    // s1 and s2 will be the signs for b1 and b2.
-    int s1 = 0, s2 = 0;
+    /* We are going to split the buffer in two, sizes l1 and l2, giving b1 and
+     * b2.
+     */
     if (len > 0) {
         --len;
-        // Use first byte to divide the remaining buffer into 3Fths. I admit
-        // this disallows some number sizes. If it matters, better ideas are
-        // welcome (Ben).
+        /* Use first byte to divide the remaining buffer into 3Fths. I admit
+         * this disallows some number sizes. If it matters, better ideas are
+         * welcome (Ben).
+         */
         l1 = ((buf[0] & 0x3f) * len) / 0x3f;
         s1 = buf[0] & 0x40;
         s2 = buf[0] & 0x80;
@@ -55,7 +61,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) {
     OPENSSL_assert(BN_bin2bn(buf + l1, l2, b2) == b2);
     BN_set_negative(b2, s2);
 
-    // divide by 0 is an error
+    /* divide by 0 is an error */
     if (BN_is_zero(b2)) {
         success = 1;
         goto done;

diff --git a/fuzz/build.info b/fuzz/build.info
@@ -1,50 +1,34 @@
-{- use File::Spec::Functions;
-   our $ex_inc = $withargs{fuzzer_include} &&
-       (file_name_is_absolute($withargs{fuzzer_include}) ?
-        $withargs{fuzzer_include} : catdir(updir(), $withargs{fuzzer_include}));
-   our $ex_lib = $withargs{fuzzer_lib} &&
-       (file_name_is_absolute($withargs{fuzzer_lib}) ?
-        $withargs{fuzzer_lib} : catfile(updir(), $withargs{fuzzer_lib}));
-   ""
--}
-PROGRAMS=asn1 asn1parse bignum bndiv cms conf crl ct server x509
-
-SOURCE[asn1]=asn1.c driver.c
-INCLUDE[asn1]=../include {- $ex_inc -}
-DEPEND[asn1]=../libcrypto {- $ex_lib -}
-
-SOURCE[asn1parse]=asn1parse.c driver.c
-INCLUDE[asn1parse]=../include {- $ex_inc -}
-DEPEND[asn1parse]=../libcrypto {- $ex_lib -}
-
-SOURCE[bignum]=bignum.c driver.c
-INCLUDE[bignum]=../include {- $ex_inc -}
-DEPEND[bignum]=../libcrypto {- $ex_lib -}
-
-SOURCE[bndiv]=bndiv.c driver.c
-INCLUDE[bndiv]=../include {- $ex_inc -}
-DEPEND[bndiv]=../libcrypto {- $ex_lib -}
-
-SOURCE[cms]=cms.c driver.c
-INCLUDE[cms]=../include {- $ex_inc -}
-DEPEND[cms]=../libcrypto {- $ex_lib -}
-
-SOURCE[conf]=conf.c driver.c
-INCLUDE[conf]=../include {- $ex_inc -}
-DEPEND[conf]=../libcrypto {- $ex_lib -}
-
-SOURCE[crl]=crl.c driver.c
-INCLUDE[crl]=../include {- $ex_inc -}
-DEPEND[crl]=../libcrypto {- $ex_lib -}
-
-SOURCE[ct]=ct.c driver.c
-INCLUDE[ct]=../include {- $ex_inc -}
-DEPEND[ct]=../libcrypto {- $ex_lib -}
-
-SOURCE[server]=server.c driver.c
-INCLUDE[server]=../include {- $ex_inc -}
-DEPEND[server]=../libcrypto ../libssl {- $ex_lib -}
-
-SOURCE[x509]=x509.c driver.c
-INCLUDE[x509]=../include {- $ex_inc -}
-DEPEND[x509]=../libcrypto ../libssl {- $ex_lib -}
+{- use File::Spec::Functions qw/catdir rel2abs/; -}
+PROGRAMS=asn1-test asn1parse-test bignum-test bndiv-test cms-test conf-test ct-test server-test
+
+SOURCE[asn1-test]=asn1.c test-corpus.c
+INCLUDE[asn1-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[asn1-test]=../libcrypto
+
+SOURCE[asn1parse-test]=asn1parse.c test-corpus.c
+INCLUDE[asn1parse-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[asn1parse-test]=../libcrypto
+
+SOURCE[bignum-test]=bignum.c test-corpus.c
+INCLUDE[bignum-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[bignum-test]=../libcrypto
+
+SOURCE[bndiv-test]=bndiv.c test-corpus.c
+INCLUDE[bndiv-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[bndiv-test]=../libcrypto
+
+SOURCE[cms-test]=cms.c test-corpus.c
+INCLUDE[cms-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[cms-test]=../libcrypto
+
+SOURCE[conf-test]=conf.c test-corpus.c
+INCLUDE[conf-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[conf-test]=../libcrypto
+
+SOURCE[ct-test]=ct.c test-corpus.c
+INCLUDE[ct-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[ct-test]=../libcrypto
+
+SOURCE[server-test]=server.c test-corpus.c
+INCLUDE[server-test]="{- rel2abs(catdir($builddir,"../include")) -}" ../include
+DEPEND[server-test]=../libcrypto ../libssl
diff --git a/fuzz/build.info.fuzz b/fuzz/build.info.fuzz
@@ -0,0 +1,43 @@
+{- use File::Spec::Functions;
+   our $ex_inc = $withargs{fuzzer_include} &&
+       (file_name_is_absolute($withargs{fuzzer_include}) ?
+        $withargs{fuzzer_include} : catdir(updir(), $withargs{fuzzer_include}));
+   our $ex_lib = $withargs{fuzzer_lib} &&
+       (file_name_is_absolute($withargs{fuzzer_lib}) ?
+        $withargs{fuzzer_lib} : catfile(updir(), $withargs{fuzzer_lib}));
+   ""
+-}
+
+PROGRAMS=asn1 asn1parse bignum bndiv cms conf ct server
+
+SOURCE[asn1]=asn1.c driver.c
+INCLUDE[asn1]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[asn1]=../libcrypto {- $ex_lib -}
+
+SOURCE[asn1parse]=asn1parse.c driver.c
+INCLUDE[asn1parse]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[asn1parse]=../libcrypto {- $ex_lib -}
+
+SOURCE[bignum]=bignum.c driver.c
+INCLUDE[bignum]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[bignum]=../libcrypto {- $ex_lib -}
+
+SOURCE[bndiv]=bndiv.c driver.c
+INCLUDE[bndiv]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[bndiv]=../libcrypto {- $ex_lib -}
+
+SOURCE[cms]=cms.c driver.c
+INCLUDE[cms]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[cms]=../libcrypto {- $ex_lib -}
+
+SOURCE[conf]=conf.c driver.c
+INCLUDE[conf]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[conf]=../libcrypto {- $ex_lib -}
+
+SOURCE[ct]=ct.c driver.c
+INCLUDE[ct]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[ct]=../libcrypto {- $ex_lib -}
+
+SOURCE[server]=server.c driver.c
+INCLUDE[server]="{- rel2abs(catdir($builddir,"../include")) -}" ../include {- $ex_inc -}
+DEPEND[server]=../libcrypto ../libssl {- $ex_lib -}