author | Kurt Roeckx <kurt@roeckx.be> | 2016-12-02 19:34:54 +0100 |
committer | Kurt Roeckx <kurt@roeckx.be> | 2016-12-03 00:14:15 +0100 |
commit | d69d8f904c9c558c7a9455ee816e494690d80ca8 (patch) | |
tree | 727e69f282ae7e060371ed0d0cff2d22e4fec7c4 /fuzz | |
parent | Move libfuzzer sanitizer options to README (diff) | |
Make the fuzzers more reproducible
We want to be in the same global state each time we come in
FuzzerTestOneInput(). There are various reasons why we might not be that
include:
- Initialization that happens on first use. This is mostly the
RUN_ONCE() things, or loading of error strings.
- Results that get cached. For instance a stack that is sorted, RSA
blinding that has been set up, ...
So I try to trigger as much of this as possible in FuzzerInitialize(); for
the things I could not find a way to trigger there, it has to happen in
FuzzerTestOneInput() instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #2023
Diffstat (limited to 'fuzz')
-rw-r--r-- | fuzz/asn1parse.c | 5 | ||||
-rw-r--r-- | fuzz/bndiv.c | 5 | ||||
-rw-r--r-- | fuzz/cms.c | 5 | ||||
-rw-r--r-- | fuzz/conf.c | 4 | ||||
-rw-r--r-- | fuzz/crl.c | 6 | ||||
-rw-r--r-- | fuzz/ct.c | 5 | ||||
-rw-r--r-- | fuzz/server.c | 73 | ||||
-rw-r--r-- | fuzz/x509.c | 5 |
8 files changed, 81 insertions, 27 deletions
diff --git a/fuzz/asn1parse.c b/fuzz/asn1parse.c index 3e11d350c1..cf5ef72a13 100644 --- a/fuzz/asn1parse.c +++ b/fuzz/asn1parse.c @@ -16,6 +16,7 @@ #include <openssl/asn1.h> #include <openssl/x509.h> #include <openssl/x509v3.h> +#include <openssl/err.h> #include "fuzzer.h" static BIO *bio_out; @@ -23,12 +24,16 @@ static BIO *bio_out; int FuzzerInitialize(int *argc, char ***argv) { bio_out = BIO_new_file("/dev/null", "w"); + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_get_state(); + CRYPTO_free_ex_index(0, -1); return 1; } int FuzzerTestOneInput(const uint8_t *buf, size_t len) { (void)ASN1_parse_dump(bio_out, buf, len, 0, 0); + ERR_clear_error(); return 0; } diff --git a/fuzz/bndiv.c b/fuzz/bndiv.c index dd6d9cfafe..30d84482a6 100644 --- a/fuzz/bndiv.c +++ b/fuzz/bndiv.c @@ -15,6 +15,7 @@ #include <stdio.h> #include <openssl/bn.h> +#include <openssl/err.h> #include "fuzzer.h" static BN_CTX *ctx; @@ -33,6 +34,9 @@ int FuzzerInitialize(int *argc, char ***argv) b5 = BN_new(); ctx = BN_CTX_new(); + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_get_state(); + return 1; } @@ -104,6 +108,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) done: OPENSSL_assert(success); + ERR_clear_error(); return 0; } diff --git a/fuzz/cms.c b/fuzz/cms.c index b57a6de96a..959ef9365a 100644 --- a/fuzz/cms.c +++ b/fuzz/cms.c @@ -14,10 +14,14 @@ #include <openssl/bio.h> #include <openssl/cms.h> +#include <openssl/err.h> #include "fuzzer.h" int FuzzerInitialize(int *argc, char ***argv) { + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_get_state(); + CRYPTO_free_ex_index(0, -1); return 1; } @@ -41,6 +45,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) } BIO_free(in); + ERR_clear_error(); return 0; } diff --git a/fuzz/conf.c b/fuzz/conf.c index 27429c570f..87fe857099 100644 --- a/fuzz/conf.c +++ b/fuzz/conf.c 
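Review bot: The three calls added to asn1parse.c's FuzzerInitialize() carry no explanation in the code, and `CRYPTO_free_ex_index(0, -1)` in particular reads like a stray bug (freeing class 0, index -1) to anyone without the commit message at hand; the same trio is repeated in cms.c on this line and in crl.c, ct.c and x509.c further down. Per the commit message they exist to force one-time initialisation before the first input so every FuzzerTestOneInput() starts from the same global state, and I would say so above them: `/* Force one-time initialisation (error strings, per-thread error state, ex_data) here so every FuzzerTestOneInput() starts from the same global state. */`. The arguments to CRYPTO_free_ex_index() presumably are dummies chosen only to take its init path and the call is expected to fail; that is worth confirming and stating in the comment, since a future reader may "fix" it. The return value of `OPENSSL_init_crypto()` is ignored throughout; if it can fail, `OPENSSL_assert()` on it (as server.c already does for its setup) would make a broken build fail loudly instead of fuzzing an uninitialised library.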
@@ -13,10 +13,13 @@ */ #include <openssl/conf.h> +#include <openssl/err.h> #include "fuzzer.h" int FuzzerInitialize(int *argc, char ***argv) { + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_get_state(); return 1; } @@ -35,6 +38,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) NCONF_load_bio(conf, in, &eline); NCONF_free(conf); BIO_free(in); + ERR_clear_error(); return 0; } diff --git a/fuzz/crl.c b/fuzz/crl.c index decf19e9d3..e4b0192f05 100644 --- a/fuzz/crl.c +++ b/fuzz/crl.c @@ -10,10 +10,14 @@ #include <openssl/x509.h> #include <openssl/bio.h> +#include <openssl/err.h> #include "fuzzer.h" int FuzzerInitialize(int *argc, char ***argv) { + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_get_state(); + CRYPTO_free_ex_index(0, -1); return 1; } @@ -33,6 +37,8 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) X509_CRL_free(crl); } + ERR_clear_error(); + return 0; } @@ -14,10 +14,14 @@ #include <stdio.h> #include <openssl/ct.h> +#include <openssl/err.h> #include "fuzzer.h" int FuzzerInitialize(int *argc, char ***argv) { + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + CRYPTO_free_ex_index(0, -1); + ERR_get_state(); return 1; } @@ -38,6 +42,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) SCT_LIST_free(scts); } + ERR_clear_error(); return 0; } diff --git a/fuzz/server.c b/fuzz/server.c index 4f2c794a4c..3b5df9dc42 100644 --- a/fuzz/server.c +++ b/fuzz/server.c @@ -16,6 +16,7 @@ #include <openssl/rand.h> #include <openssl/ssl.h> #include <openssl/rsa.h> +#include <openssl/err.h> #include "fuzzer.h" static const uint8_t kCertificateDER[] = { 
@@ -189,34 +190,29 @@ static const uint8_t kRSAPrivateKeyDER[] = { 0x98, 0x46, 0x89, 0x82, 0x40, }; -static SSL_CTX *ctx; - #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION extern int rand_predictable; #endif +#define ENTROPY_NEEDED 32 + +/* unused, to avoid warning. */ +static int idx; int FuzzerInitialize(int *argc, char ***argv) { - const uint8_t *bufp = kRSAPrivateKeyDER; - RSA *privkey; - EVP_PKEY *pkey; - int ret; - X509 *cert; + STACK_OF(SSL_COMP) *comp_methods; + + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL); + OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); + ERR_get_state(); + CRYPTO_free_ex_index(0, -1); + idx = SSL_get_ex_data_X509_STORE_CTX_idx(); + RAND_add("", 1, ENTROPY_NEEDED); + RAND_status(); + RSA_get_default_method(); + comp_methods = SSL_COMP_get_compression_methods(); + OPENSSL_sk_sort((OPENSSL_STACK *)comp_methods); - ctx = SSL_CTX_new(SSLv23_method()); - privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER)); - OPENSSL_assert(privkey != NULL); - pkey = EVP_PKEY_new(); - EVP_PKEY_assign_RSA(pkey, privkey); - ret = SSL_CTX_use_PrivateKey(ctx, pkey); - OPENSSL_assert(ret == 1); - EVP_PKEY_free(pkey); - bufp = kCertificateDER; - cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER)); - OPENSSL_assert(cert != NULL); - ret = SSL_CTX_use_certificate(ctx, cert); - OPENSSL_assert(ret == 1); - X509_free(cert); #ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION rand_predictable = 1; 
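Review bot: `RAND_add("", 1, ENTROPY_NEEDED)` deliberately credits a single NUL byte with 32 bytes of entropy so that the following `RAND_status()` reports the PRNG as seeded; that is the right thing for a reproducible fuzzer, but it sits outside the `#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` guard that covers `rand_predictable`, and nothing in the code says it must never be copied. I would add `/* Fake entropy so RAND_status() succeeds without touching the OS RNG; fuzzing only, the PRNG output is not secret here. */` above it. The file-scope `static int idx` with its "unused, to avoid warning" comment exists only so the ex_data index is allocated once; `(void)SSL_get_ex_data_X509_STORE_CTX_idx();` achieves the same without introducing a global. The cast in `OPENSSL_sk_sort((OPENSSL_STACK *)comp_methods)` hints that comp_methods may be NULL when compression is compiled out; the sort presumably tolerates NULL, but confirm. FuzzerInitialize()'s body continues past the end of this hunk.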
@@ -230,16 +226,37 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) SSL *server; BIO *in; BIO *out; - if (!len) { + SSL_CTX *ctx; + int ret; + RSA *privkey; + const uint8_t *bufp = kRSAPrivateKeyDER; + EVP_PKEY *pkey; + X509 *cert; + + if (len == 0) return 0; - } - /* TODO: make this work for OpenSSL. There's a PREDICT define that may do - * the job. + + /* * TODO: use the ossltest engine (optionally?) to disable crypto checks. - * RAND_reset_for_fuzzing(); */ /* This only fuzzes the initial flow from the client so far. */ + ctx = SSL_CTX_new(SSLv23_method()); + privkey = d2i_RSAPrivateKey(NULL, &bufp, sizeof(kRSAPrivateKeyDER)); + OPENSSL_assert(privkey != NULL); + pkey = EVP_PKEY_new(); + EVP_PKEY_assign_RSA(pkey, privkey); + ret = SSL_CTX_use_PrivateKey(ctx, pkey); + OPENSSL_assert(ret == 1); + EVP_PKEY_free(pkey); + + bufp = kCertificateDER; + cert = d2i_X509(NULL, &bufp, sizeof(kCertificateDER)); + OPENSSL_assert(cert != NULL); + ret = SSL_CTX_use_certificate(ctx, cert); + OPENSSL_assert(ret == 1); + X509_free(cert); + server = SSL_new(ctx); in = BIO_new(BIO_s_mem()); out = BIO_new(BIO_s_mem()); @@ -256,10 +273,12 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) } } SSL_free(server); + ERR_clear_error(); + SSL_CTX_free(ctx); + return 0; } void FuzzerCleanup(void) { - SSL_CTX_free(ctx); } diff --git a/fuzz/x509.c b/fuzz/x509.c index 78fef6c3ff..8d383e4aba 100644 --- a/fuzz/x509.c +++ b/fuzz/x509.c @@ -10,10 +10,14 @@ #include <openssl/x509.h> #include <openssl/bio.h> +#include <openssl/err.h> #include "fuzzer.h" int FuzzerInitialize(int *argc, char ***argv) { + OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL); + ERR_get_state(); + CRYPTO_free_ex_index(0, -1); return 1; } @@ -34,6 +38,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) X509_free(x509); } + ERR_clear_error(); return 0; } |
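Review bot: The per-input setup moved into FuzzerTestOneInput() asserts on `d2i_RSAPrivateKey()` and `d2i_X509()` but not on `SSL_CTX_new()` or `EVP_PKEY_new()`, and ignores the return of `EVP_PKEY_assign_RSA()`; a NULL ctx would presumably be dereferenced inside `SSL_CTX_use_PrivateKey()`, and a NULL pkey makes the assign fail and leaks privkey before the later assert fires, both of which the fuzzer would report as a crash attributed to the input rather than to setup. Since this now runs for every input, I would add `OPENSSL_assert(ctx != NULL);` after `SSL_CTX_new` and `OPENSSL_assert(pkey != NULL);` after `EVP_PKEY_new`, and assert the `EVP_PKEY_assign_RSA()` result too. `ERR_clear_error()` is also called before `SSL_CTX_free(ctx)`, so any error queued by the free (unlikely, but the whole point of this commit is identical global state per input) would carry into the next iteration; swapping the two lines keeps the error queue empty on exit. The function starts before this hunk and the x509.c hunks sharing this line need nothing beyond the comment suggested for asn1parse.c.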