Commit Graph

16 Commits

Author SHA1 Message Date
David Benjamin
2ad3c989e8 Merge in upstream's certificate corpus.
This was done by running:

  ./fuzz/cert -merge=1 ../fuzz/cert_corpus ~/openssl/fuzz/corpora/x509

I bumped the max_len while doing so because some of those are rather
large.

Change-Id: Ic2caa09d5ff9ab05b46363940a91a03f270cbad8
Reviewed-on: https://boringssl-review.googlesource.com/12682
Reviewed-by: Adam Langley <agl@google.com>
2016-12-12 21:41:00 +00:00
Robert Sloan
15073af5b7 Adding a fuzzer for Sessions
Change-Id: I69cbb0679e1dbb6292a8f4737851736e58c17508
Reviewed-on: https://boringssl-review.googlesource.com/12481
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-12-01 20:22:56 +00:00
David Benjamin
fd06601340 Add a script to refresh fuzzer corpora.
This is getting to be a nuisance to do by hand.

Change-Id: If3aa7c666c4cc0bf97615564f258ff740a561766
Reviewed-on: https://boringssl-review.googlesource.com/12281
Reviewed-by: David Benjamin <davidben@google.com>
2016-11-15 07:01:34 +00:00
David Benjamin
ec978dd812 Add corpora for fuzzers with fuzzer mode disabled.
Fuzzer mode explores the handshake, but at the cost of losing coverage
on the record layer. Add a separate build flag and client/server
corpora for this mode.

Note this requires tweaks in consumers' fuzzer build definitions.

BUG=111

Change-Id: I1026dc7301645e165a761068a1daad6eedc9271e
Reviewed-on: https://boringssl-review.googlesource.com/12108
Commit-Queue: David Benjamin <davidben@google.com>
Reviewed-by: Adam Langley <agl@google.com>
2016-11-09 16:53:37 +00:00
Adam Langley
3871dc9e39 Add a fuzzer for the SSL_CTX API.
This is not a complete fuzzer, even for SSL_CTX, but it's a start.

Written in memory of c-ares[1].

[1] https://twitter.com/hanno/status/781506296906444800

Change-Id: I64b02c60f35b9057201df2cc325ebb7a84a0229d
Reviewed-on: https://boringssl-review.googlesource.com/11423
Reviewed-by: Adam Langley <alangley@gmail.com>
Commit-Queue: Adam Langley <alangley@gmail.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-10-04 23:07:09 +00:00
David Benjamin
fbc45d7228 No-op ticket encryption in fuzzer mode.
This allows the fuzzer to discover server-side resumption paths by
simply supplying what we'd like the ticket to decrypt to in the clear.
We also have a natural way to get transcripts out of runner. We record
the runner-side transcripts, so all resumption handshakes will replay
the shim-created unencrypted tickets.

BUG=104

Change-Id: Icf9cbf4af520077d38e2c8c2766b6f8bfa3c9ab5
Reviewed-on: https://boringssl-review.googlesource.com/11224
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-22 21:26:23 +00:00
David Benjamin
1e663e8f39 Document how to refresh the TLS corpora.
Change-Id: I9165357ca6c20b964ed13dc4e1f336c7b747033e
Reviewed-on: https://boringssl-review.googlesource.com/11223
Reviewed-by: Adam Langley <agl@google.com>
2016-09-22 21:18:16 +00:00
David Benjamin
01a905717c Fix remaining non-determinism in fuzzer transcripts.
Both the C and Go code were sampling the real clock. With this, two
successive iterations of runner transcripts give the same output.

Change-Id: I4d9e219e863881bf518c5ac199dce938a49cdfaa
Reviewed-on: https://boringssl-review.googlesource.com/11222
Commit-Queue: David Benjamin <davidben@google.com>
Commit-Queue: Adam Langley <agl@google.com>
Reviewed-by: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
2016-09-22 21:14:00 +00:00
Adam Langley
d09175ffe3 Replace base64 decoding.
This code has caused a long history of problems. This change rewrites it
completely with something that is, hopefully, much simplier and robust
and adds more testing.

Change-Id: Ibeef51f9386afd95d5b73316e451eb3a2d7ec4e0
Reviewed-on: https://boringssl-review.googlesource.com/8033
Reviewed-by: Adam Langley <agl@google.com>
2016-05-26 17:59:10 +00:00
David Benjamin
1fc7564ba7 Add standalone PKCS#8 and SPKI fuzzers.
We already had coverage for our new EVP_PKEY parsers, but it's good to have
some that cover them directly. The initial corpus was generated manually with
der-ascii and should cover most of the insanity around EC key serialization.

BUG=15

Change-Id: I7aaf56876680bfd5a89f5e365c5052eee03ba862
Reviewed-on: https://boringssl-review.googlesource.com/7728
Reviewed-by: Adam Langley <agl@google.com>
2016-04-25 21:57:28 +00:00
Max Moroz
188487faad Remove .options files for libFuzzers and update FUZZING.md documentation.
Due to https://codereview.chromium.org/1867833002/ replacing .options files.

Change-Id: I17f0d5b8b1784fdcf163791e72f6b58b29657e95
Reviewed-on: https://boringssl-review.googlesource.com/7640
Reviewed-by: David Benjamin <davidben@google.com>
2016-04-12 14:56:57 +00:00
David Benjamin
9539ebbf70 Update FUZZING documentation about max_len.
Maintain the max_len values in foo.options files which ClusterFuzz can process.
Also recompute the recommended client and server lengths as they've since
gotten much more extensive.

Change-Id: Ie87a80d8a4a0c41e215f0537c8ccf82b38c4de09
Reviewed-on: https://boringssl-review.googlesource.com/7509
Reviewed-by: Mike Aizatsky <aizatsky@chromium.org>
Reviewed-by: David Benjamin <davidben@google.com>
2016-03-22 18:46:35 +00:00
David Benjamin
e11988f511 Tweak FUZZING.md and minimise_corpuses.sh.
Change-Id: If312ce3783bcc39ebd2047470251334aa0897d3d
Reviewed-on: https://boringssl-review.googlesource.com/7508
Reviewed-by: David Benjamin <davidben@google.com>
2016-03-21 20:23:15 +00:00
Adam Langley
ddcc186ef1 Document how to minimise corpuses.
Change-Id: Ie487163787d78d867e34709fb34b4c6a836f668d
Reviewed-on: https://boringssl-review.googlesource.com/7275
Reviewed-by: David Benjamin <davidben@google.com>
2016-03-03 18:05:34 +00:00
Adam Langley
7104cc96b7 Update and fix fuzzing instructions.
It's easier to put libFuzzer.a into the source directory than to install
it globally.

Change-Id: I4dc7b56f81c7aa0371475c68d23368b025186505
Reviewed-on: https://boringssl-review.googlesource.com/6461
Reviewed-by: Adam Langley <agl@google.com>
2015-11-10 23:37:36 +00:00
Adam Langley
9a4beb8ad8 Add four, basic fuzz tests.
This change adds fuzzing tests for:
  ∙ Certificate parsing
  ∙ Private key parsing
  ∙ ClientHello parsing
  ∙ Server first flow (ServerHello, Certificate, etc) parsing.

Change-Id: I5f53282263eaaff69b1a03c819cca73750433653
Reviewed-on: https://boringssl-review.googlesource.com/6460
Reviewed-by: Adam Langley <agl@google.com>
2015-11-10 19:14:01 +00:00