[thirdparty/openssl.git] / fuzz / README.md

Fuzzing OpenSSL
===============

OpenSSL can use either LibFuzzer or AFL to do fuzzing.

LibFuzzer
---------

How to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html),
starting from a vanilla+OpenSSH server Ubuntu install.

With `clang` from a package manager
-----------------------------------

Install `clang`, which [ships with `libfuzzer`](http://llvm.org/docs/LibFuzzer.html#fuzzer-usage)
since version 6.0:

    sudo apt-get install clang

Configure `openssl` for fuzzing. For now, you'll still need to pass in the path
to the `libFuzzer` library file while configuring; this is represented as
`$PATH_TO_LIBFUZZER` below. A typical value would be
`/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a`.

    CC=clang ./config enable-fuzz-libfuzzer \
            --with-fuzzer-lib=$PATH_TO_LIBFUZZER \
            -DPEDANTIC enable-asan enable-ubsan no-shared \
            -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
            -fsanitize=fuzzer-no-link \
            enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
            enable-weak-ssl-ciphers enable-rc5 enable-md2 \
            enable-ssl3 enable-ssl3-method enable-nextprotoneg \
            --debug

Compile:

    sudo apt-get install make
    make clean
    LDCMD=clang++ make -j4

Finally, perform the actual fuzzing:

    fuzz/helper.py $FUZZER

where $FUZZER is one of the executables in `fuzz/`.
It will run until you stop it.

If you get a crash, you should find a corresponding input file in
`fuzz/corpora/$FUZZER-crash/`.

With `clang` from source/pre-built binaries
-------------------------------------------

You may also wish to use a pre-built binary from the [LLVM Download
site](http://releases.llvm.org/download.html), or to [build `clang` from
source](https://clang.llvm.org/get_started.html). After adding `clang` to your
path and locating the `libfuzzer` library file, the procedure for configuring
fuzzing is the same, except that you also need to specify
a `--with-fuzzer-include` option, which should be the parent directory of the
prebuilt fuzzer library. This is represented as `$PATH_TO_LIBFUZZER_DIR` below.

    CC=clang ./config enable-fuzz-libfuzzer \
            --with-fuzzer-include=$PATH_TO_LIBFUZZER_DIR \
            --with-fuzzer-lib=$PATH_TO_LIBFUZZER \
            -DPEDANTIC enable-asan enable-ubsan no-shared \
            -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
            -fsanitize=fuzzer-no-link \
            enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
            enable-weak-ssl-ciphers enable-rc5 enable-md2 \
            enable-ssl3 enable-ssl3-method enable-nextprotoneg \
            --debug

AFL
---

This is an alternative to using LibFuzzer.

Configure for fuzzing:

    sudo apt-get install afl-clang
    CC=afl-clang-fast ./config enable-fuzz-afl no-shared no-module \
        -DPEDANTIC enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 \
        enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg \
        enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
        --debug
    make clean
    make

The following options can also be enabled: enable-asan, enable-ubsan, enable-msan

Run one of the fuzzers:

    afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where $FUZZER is one of the executables in `fuzz/`.

Reproducing issues
------------------

If a fuzzer generates a reproducible error, you can reproduce the problem using
the fuzz/*-test binaries and the file generated by the fuzzer. They binaries
don't need to be built for fuzzing, there is no need to set CC or the call
config with enable-fuzz-* or -fsanitize-coverage, but some of the other options
above might be needed. For instance the enable-asan or enable-ubsan option might
be useful to show you when the problem happens. For the client and server fuzzer
it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to
reproduce the generated random numbers.

To reproduce the crash you can run:

    fuzz/$FUZZER-test $file

To do all the tests of a specific fuzzer such as asn1 you can run

    fuzz/asn1-test fuzz/corpora/asn1
or
    make test TESTS=fuzz_test_asn1

To run several fuzz tests you can use for instance:

    make test TESTS='test_fuzz_cmp test_fuzz_cms'

To run all fuzz tests you can use:

    make test TESTS='test_fuzz_*'

Random numbers
--------------

The client and server fuzzer normally generate random numbers as part of the TLS
connection setup. This results in the coverage of the fuzzing corpus changing
depending on the random numbers. This also has an effect for coverage of the
rest of the test suite and you see the coverage change for each commit even when
no code has been modified.

Since we want to maximize the coverage of the fuzzing corpus, the client and
server fuzzer will use predictable numbers instead of the random numbers. This
is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define.

The coverage depends on the way the numbers are generated. We don't disable any
check of hashes, but the corpus has the correct hash in it for the random
numbers that were generated. For instance the client fuzzer will always generate
the same client hello with the same random number in it, and so the server, as
emulated by the file, can be generated for that client hello.

Coverage changes
----------------

Since the corpus depends on the default behaviour of the client and the server,
changes in what they send by default will have an impact on the coverage. The
corpus will need to be updated in that case.

Updating the corpus
-------------------

The client and server corpus is generated with multiple config options:

- The options as documented above
- Without enable-ec_nistp_64_gcc_128 and without --debug
- With no-asm
- Using 32 bit
- A default config, plus options needed to generate the fuzzer.

The libfuzzer merge option is used to add the additional coverage
from each config to the minimal set.

Minimizing the corpus
---------------------

When you have gathered corpus data from more than one fuzzer run
or for any other reason want to minimize the data
in some corpus subdirectory `fuzz/corpora/DIR` this can be done as follows:

    mkdir fuzz/corpora/NEWDIR
    fuzz/$FUZZER -merge=1 fuzz/corpora/NEWDIR fuzz/corpora/DIR
Commit	Line	Data
257e9d03 RS	1	Fuzzing OpenSSL
	2	===============
	3
	4	OpenSSL can use either LibFuzzer or AFL to do fuzzing.
c38bb727	5
f59d0131	6	LibFuzzer
257e9d03	7	---------
f59d0131	8
639b53ec BC	9	How to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html),
639b53ec BC	10	starting from a vanilla+OpenSSH server Ubuntu install.
c38bb727	11
639b53ec BC	12	With `clang` from a package manager
639b53ec BC	13	-----------------------------------
c38bb727	14
639b53ec BC	15	Install `clang`, which [ships with `libfuzzer`](http://llvm.org/docs/LibFuzzer.html#fuzzer-usage)
639b53ec BC	16	since version 6.0:
c38bb727	17
a81151bd	18	sudo apt-get install clang
c38bb727	19
639b53ec BC	20	Configure `openssl` for fuzzing. For now, you'll still need to pass in the path
	21	to the `libFuzzer` library file while configuring; this is represented as
	22	`$PATH_TO_LIBFUZZER` below. A typical value would be
a81151bd	23	`/usr/lib/llvm-7/lib/clang/7.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a`.
c38bb727	24
a81151bd	25	CC=clang ./config enable-fuzz-libfuzzer \
639b53ec	26	--with-fuzzer-lib=$PATH_TO_LIBFUZZER \
3a9b9b2d	27	-DPEDANTIC enable-asan enable-ubsan no-shared \
0282aeb6	28	-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
639b53ec BC	29	-fsanitize=fuzzer-no-link \
639b53ec BC	30	enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
e104d01d	31	enable-weak-ssl-ciphers enable-rc5 enable-md2 \
f8d4b3be KR	32	enable-ssl3 enable-ssl3-method enable-nextprotoneg \
f8d4b3be KR	33	--debug
639b53ec BC	34
	35	Compile:
	36
a81151bd DDO	37	sudo apt-get install make
	38	make clean
	39	LDCMD=clang++ make -j4
639b53ec BC	40
	41	Finally, perform the actual fuzzing:
	42
a81151bd	43	fuzz/helper.py $FUZZER
c38bb727	44
639b53ec	45	where $FUZZER is one of the executables in `fuzz/`.
a81151bd	46	It will run until you stop it.
c38bb727 BL	47
c38bb727 BL	48	If you get a crash, you should find a corresponding input file in
f8d4b3be	49	`fuzz/corpora/$FUZZER-crash/`.
f59d0131	50
639b53ec BC	51	With `clang` from source/pre-built binaries
	52	-------------------------------------------
	53
	54	You may also wish to use a pre-built binary from the [LLVM Download
	55	site](http://releases.llvm.org/download.html), or to [build `clang` from
	56	source](https://clang.llvm.org/get_started.html). After adding `clang` to your
	57	path and locating the `libfuzzer` library file, the procedure for configuring
	58	fuzzing is the same, except that you also need to specify
	59	a `--with-fuzzer-include` option, which should be the parent directory of the
	60	prebuilt fuzzer library. This is represented as `$PATH_TO_LIBFUZZER_DIR` below.
	61
a81151bd	62	CC=clang ./config enable-fuzz-libfuzzer \
639b53ec BC	63	--with-fuzzer-include=$PATH_TO_LIBFUZZER_DIR \
	64	--with-fuzzer-lib=$PATH_TO_LIBFUZZER \
	65	-DPEDANTIC enable-asan enable-ubsan no-shared \
	66	-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
	67	-fsanitize=fuzzer-no-link \
	68	enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
	69	enable-weak-ssl-ciphers enable-rc5 enable-md2 \
	70	enable-ssl3 enable-ssl3-method enable-nextprotoneg \
	71	--debug
	72
f59d0131	73	AFL
257e9d03	74	---
f59d0131	75
a81151bd DDO	76	This is an alternative to using LibFuzzer.
a81151bd DDO	77
f59d0131 KR	78	Configure for fuzzing:
f59d0131 KR	79
a81151bd DDO	80	sudo apt-get install afl-clang
a81151bd DDO	81	CC=afl-clang-fast ./config enable-fuzz-afl no-shared no-module \
deaaac2c MC	82	-DPEDANTIC enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 \
deaaac2c MC	83	enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg \
f8d4b3be KR	84	enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment \
f8d4b3be KR	85	--debug
a81151bd DDO	86	make clean
a81151bd DDO	87	make
f59d0131	88
e104d01d KR	89	The following options can also be enabled: enable-asan, enable-ubsan, enable-msan
e104d01d KR	90
f59d0131 KR	91	Run one of the fuzzers:
f59d0131 KR	92
a81151bd	93	afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER
f59d0131	94
31b15b9b	95	Where $FUZZER is one of the executables in `fuzz/`.
f8d4b3be KR	96
f8d4b3be KR	97	Reproducing issues
257e9d03	98	------------------
f8d4b3be KR	99
	100	If a fuzzer generates a reproducible error, you can reproduce the problem using
	101	the fuzz/*-test binaries and the file generated by the fuzzer. They binaries
cb9bb735	102	don't need to be built for fuzzing, there is no need to set CC or the call
f8d4b3be KR	103	config with enable-fuzz-* or -fsanitize-coverage, but some of the other options
	104	above might be needed. For instance the enable-asan or enable-ubsan option might
	105	be useful to show you when the problem happens. For the client and server fuzzer
	106	it might be needed to use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION to
	107	reproduce the generated random numbers.
	108
	109	To reproduce the crash you can run:
	110
a81151bd	111	fuzz/$FUZZER-test $file
f8d4b3be	112
cb9bb735 DDO	113	To do all the tests of a specific fuzzer such as asn1 you can run
	114
	115	fuzz/asn1-test fuzz/corpora/asn1
	116	or
a7da4d48	117	make test TESTS=fuzz_test_asn1
cb9bb735 DDO	118
	119	To run several fuzz tests you can use for instance:
	120
a7da4d48	121	make test TESTS='test_fuzz_cmp test_fuzz_cms'
cb9bb735 DDO	122
	123	To run all fuzz tests you can use:
	124
a7da4d48	125	make test TESTS='test_fuzz_*'
cb9bb735	126
f8d4b3be	127	Random numbers
257e9d03	128	--------------
f8d4b3be KR	129
	130	The client and server fuzzer normally generate random numbers as part of the TLS
	131	connection setup. This results in the coverage of the fuzzing corpus changing
	132	depending on the random numbers. This also has an effect for coverage of the
	133	rest of the test suite and you see the coverage change for each commit even when
	134	no code has been modified.
	135
	136	Since we want to maximize the coverage of the fuzzing corpus, the client and
	137	server fuzzer will use predictable numbers instead of the random numbers. This
	138	is controlled by the FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION define.
	139
	140	The coverage depends on the way the numbers are generated. We don't disable any
	141	check of hashes, but the corpus has the correct hash in it for the random
	142	numbers that were generated. For instance the client fuzzer will always generate
	143	the same client hello with the same random number in it, and so the server, as
	144	emulated by the file, can be generated for that client hello.
	145
	146	Coverage changes
257e9d03	147	----------------
f8d4b3be KR	148
	149	Since the corpus depends on the default behaviour of the client and the server,
	150	changes in what they send by default will have an impact on the coverage. The
	151	corpus will need to be updated in that case.
	152
930aa9ee	153	Updating the corpus
257e9d03	154	-------------------
930aa9ee KR	155
930aa9ee KR	156	The client and server corpus is generated with multiple config options:
257e9d03	157
930aa9ee KR	158	- The options as documented above
	159	- Without enable-ec_nistp_64_gcc_128 and without --debug
	160	- With no-asm
	161	- Using 32 bit
	162	- A default config, plus options needed to generate the fuzzer.
	163
	164	The libfuzzer merge option is used to add the additional coverage
	165	from each config to the minimal set.
a81151bd DDO	166
a81151bd DDO	167	Minimizing the corpus
257e9d03	168	---------------------
a81151bd DDO	169
a81151bd DDO	170	When you have gathered corpus data from more than one fuzzer run
8c1cbc72	171	or for any other reason want to minimize the data
a81151bd DDO	172	in some corpus subdirectory `fuzz/corpora/DIR` this can be done as follows:
	173
	174	mkdir fuzz/corpora/NEWDIR
	175	fuzz/$FUZZER -merge=1 fuzz/corpora/NEWDIR fuzz/corpora/DIR