Make client and server fuzzer support all ciphers
[openssl.git] / fuzz / README.md
# I Can Haz Fuzz?

LibFuzzer
=========

Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).

Starting from a vanilla+OpenSSH server Ubuntu install.

Use Chrome's handy recent build of clang. Older versions may also work.

    $ sudo apt-get install git
    $ mkdir git-work
    $ git clone https://chromium.googlesource.com/chromium/src/tools/clang
    $ clang/scripts/update.py

You may want to git pull and re-run the update from time to time.

Update your path:

    $ PATH=~/third_party/llvm-build/Release+Asserts/bin/:$PATH

Get and build libFuzzer (there is a git mirror at
https://github.com/llvm-mirror/llvm/tree/master/lib/Fuzzer if you prefer):

    $ cd
    $ sudo apt-get install subversion
    $ mkdir svn-work
    $ cd svn-work
    $ svn co http://llvm.org/svn/llvm-project/llvm/trunk/lib/Fuzzer
    $ cd Fuzzer
    $ clang++ -c -g -O2 -std=c++11 *.cpp
    $ ar r libFuzzer.a *.o
    $ ranlib libFuzzer.a

Configure for fuzzing:

    $ CC=clang ./config enable-fuzz-libfuzzer \
            --with-fuzzer-include=../../svn-work/Fuzzer \
            --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
            -DPEDANTIC enable-asan enable-ubsan no-shared \
            -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
            -fsanitize-coverage=edge,indirect-calls,8bit-counters \
            enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
            enable-weak-ssl-ciphers enable-rc5 enable-md2 \
            enable-ssl3 enable-ssl3-method enable-nextprotoneg
    $ sudo apt-get install make
    $ LDCMD=clang++ make -j
    $ fuzz/helper.py $FUZZER

Where `$FUZZER` is one of the executables in `fuzz/`.

If you get a crash, you should find a corresponding input file in
`fuzz/corpora/$FUZZER-crash/`. You can reproduce the crash with

    $ fuzz/$FUZZER <crashfile>
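As an added example (not part of the OpenSSL tree), a small POSIX shell script that re-runs every file in `fuzz/corpora/$FUZZER-crash/` through `fuzz/$FUZZER` as above and groups the inputs that still crash by sanitizer report type, so several files hitting one bug are recognised as duplicates. The stub `server` fuzzer and the three inputs it creates for `--demo` are constructed stand-ins for a real fuzz build.

```sh
#!/bin/sh
# Added example, not from the OpenSSL tree: re-run every saved crash input through
# the fuzzer binary and group the ones that still crash by sanitizer report type,
# so duplicates of one bug are recognised before they are reported.

# triage_crashes FUZZER_BIN CRASH_DIR
# Prints one line per input: "<CRASH|ok> <report type or -> <file>".
triage_crashes() {
    bin=$1; dir=$2
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        # Sanitizer reports go to stderr; the fuzzer exits non-zero on a finding.
        if out=$("$bin" "$f" 2>&1); then
            printf 'ok - %s\n' "$f"
        else
            # ASan lines look like "==PID==ERROR: AddressSanitizer: heap-buffer-overflow ...";
            # UBSan's "runtime error:" lines carry no such token and show up as "unknown".
            sig=$(printf '%s\n' "$out" | sed -n 's/.*Sanitizer: \([A-Za-z-]*\).*/\1/p' | head -n 1)
            printf 'CRASH %s %s\n' "${sig:-unknown}" "$f"
        fi
    done
}

# summarize_crashes: reads triage_crashes output, prints "<count> <report type>" per type.
summarize_crashes() {
    awk '$1 == "CRASH" { n[$2]++ } END { for (s in n) printf "%d %s\n", n[s], s }' | sort -rn
}

# make_demo_corpus DIR: constructed stand-in for a real fuzz build so the script runs
# offline. The stub "server" fuzzer mimics an ASan report for inputs containing BOOM.
make_demo_corpus() {
    d=$1
    mkdir -p "$d/fuzz/corpora/server-crash"
    cat > "$d/fuzz/server" <<'EOF'
#!/bin/sh
grep -q BOOM "$1" || exit 0
echo "==42==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000010" >&2
exit 1
EOF
    chmod +x "$d/fuzz/server"
    printf 'BOOM-1' > "$d/fuzz/corpora/server-crash/crash-a"
    printf 'BOOM-2' > "$d/fuzz/corpora/server-crash/crash-b"   # same bug, different input
    printf 'benign' > "$d/fuzz/corpora/server-crash/crash-c"   # no longer reproduces
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d) && make_demo_corpus "$tmp"
    triage_crashes "$tmp/fuzz/server" "$tmp/fuzz/corpora/server-crash" | summarize_crashes
    rm -rf "$tmp"
fi
```

Against a real build, point `triage_crashes` at `fuzz/$FUZZER` and `fuzz/corpora/$FUZZER-crash/`; an input listed as `ok` no longer reproduces with the current tree and is worth a second look before the corresponding bug is considered fixed.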

AFL
===

Configure for fuzzing:

    $ sudo apt-get install afl-clang
    $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
        enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
        enable-ssl3 enable-ssl3-method enable-nextprotoneg \
        enable-ec_nistp_64_gcc_128
    $ make

The following options can also be enabled: `enable-asan`, `enable-ubsan`, `enable-msan`.

Run one of the fuzzers:

    $ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

Where `$FUZZER` is one of the executables in `fuzz/`.