# I Can Haz Fuzz?
-Or, how to fuzz OpenSSL with libfuzzer.
+LibFuzzer
+=========
+
+Or, how to fuzz OpenSSL with [libfuzzer](http://llvm.org/docs/LibFuzzer.html).
Starting from a vanilla+OpenSSH server Ubuntu install.
Configure for fuzzing:
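Review bot: the heading styles are now mixed: the retained first line `# I Can Haz Fuzz?` is an ATX heading while the new `LibFuzzer` section (and the `AFL` section later in this patch) uses a setext underline (`=========`). Pick one style for the file, for example `## LibFuzzer` and `## AFL`, so the document title and the two section headings render at consistent levels. Worth checking too that `Starting from a vanilla+OpenSSH server Ubuntu install.` is meant to apply only to the libFuzzer section now, since it sits below that heading but the AFL section gives no equivalent starting point.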
- $ CC=clang ./config enable-fuzz enable-asan enable-ubsan no-shared
+ $ CC=clang ./config enable-fuzz-libfuzzer \
+ --with-fuzzer-include=../../svn-work/Fuzzer \
+ --with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer \
+ -DPEDANTIC enable-asan enable-ubsan no-shared \
+ -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION \
+ -fsanitize-coverage=edge,indirect-calls,8bit-counters \
+ enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-tls1_3 \
+ enable-weak-ssl-ciphers enable-rc5 enable-md2 \
+ enable-ssl3 enable-ssl3-method enable-nextprotoneg
$ sudo apt-get install make
$ LDCMD=clang++ make -j
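Review bot: `--with-fuzzer-include=../../svn-work/Fuzzer` and `--with-fuzzer-lib=../../svn-work/Fuzzer/libFuzzer` are paths from one particular checkout layout, and a reader following the README has no way to know what they point at. Add a sentence saying these are the LLVM libFuzzer source directory and the library built from it, and that readers substitute their own paths. The option list also deserves a line of explanation: `-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION`, `enable-weak-ssl-ciphers`, `enable-ssl3`, `enable-rc5` and `enable-md2` are there purely to widen what the fuzzers can reach, so the resulting build must never be installed or used outside fuzzing, and `-fno-sanitize=alignment` deliberately disables UBSan's alignment checks, so readers should not expect alignment reports from this build. The `LDCMD=clang++ make -j` context line is still needed because libFuzzer is C++; consider noting that, since the AFL section below uses plain `make`.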
- $ fuzz/helper.py <fuzzer> <arguments>
+ $ fuzz/helper.py $FUZZER
-Where `<fuzzer>` is one of the executables in `fuzz/`. Most fuzzers do not
-need any command line arguments, but, for example, `asn1` needs the name of a
-data type.
+Where $FUZZER is one of the executables in `fuzz/`.
If you get a crash, you should find a corresponding input file in
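Review bot: the deleted text `Most fuzzers do not need any command line arguments, but, for example, asn1 needs the name of a data type.` carried information that the replacement `$ fuzz/helper.py $FUZZER` drops. If `helper.py` still accepts or requires extra arguments for some fuzzers (the `asn1` case), keep that sentence; if it no longer does, the commit message should say so. Also, `$FUZZER` is used as a shell variable but never assigned in the README; one line such as `$ FUZZER=asn1` before the first use would make the snippets copy-pasteable. Minor: the old prose wrapped `<fuzzer>` in backticks, whereas the new `Where $FUZZER is one of the executables in fuzz/` leaves the variable bare; put `$FUZZER` in backticks for consistency.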
-`fuzz/corpora/<fuzzer>-crash/`. You can reproduce the crash with
+`fuzz/corpora/$FUZZER-crash/`. You can reproduce the crash with
+
+ $ fuzz/$FUZZER <crashfile>
+
+AFL
+===
+
+Configure for fuzzing:
+
+ $ sudo apt-get install afl-clang
+ $ CC=afl-clang-fast ./config enable-fuzz-afl no-shared -DPEDANTIC \
+ enable-tls1_3 enable-weak-ssl-ciphers enable-rc5 enable-md2 \
+ enable-ssl3 enable-ssl3-method enable-nextprotoneg \
+ enable-ec_nistp_64_gcc_128
+ $ make
+
+The following options can also be enabled: enable-asan, enable-ubsan, enable-msan
+
+Run one of the fuzzers:
+
+ $ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER
- $ fuzz/<fuzzer> <crashfile>
+Where $FUZZER is one of the executables in `fuzz/`.
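Review bot: in `$ afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER` the output directory is nested inside the seed corpus directory, so AFL's `queue`, `crashes` and `hangs` output ends up inside the checked-in corpus tree; a sibling directory such as `fuzz/corpora/$FUZZER-out` keeps generated files apart from the seeds. Two follow-ups on the same section: the crash-reproduction instructions (`fuzz/corpora/$FUZZER-crash/` and `$ fuzz/$FUZZER <crashfile>`) describe the libFuzzer helper's layout only, while AFL writes its crashing inputs under the `-o` directory's `crashes/` subdirectory, so the AFL section should say where to look and that the same `fuzz/$FUZZER <crashfile>` invocation reproduces them. And since the section says `enable-asan` can be added, note that `afl-fuzz` then needs its memory limit lifted (`-m none`) because ASan-instrumented binaries reserve far more address space than the default limit allows; without that, the target fails to start. Minor style: the option names in `The following options can also be enabled: enable-asan, enable-ubsan, enable-msan` should be in backticks like elsewhere in the file, and the closing `Where $FUZZER is one of the executables in fuzz/` sentence duplicates the one in the libFuzzer section and could simply refer back to it.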