Adding CMP (and CRMF) types to fuzz/asn1.c, as suggested by @richsalz was straightforward,
except that it turned out that for visibility reasons this can be done only for the public ones.

Is this already sufficient, or what should be done in addition?

@kroeckx mentioned adding a file that implements a FuzzerTestOneInput() function,
yet asn1.c already does so generically for the given ASN.1 types.

I think that adding it to asn1 isn't actually useful. The coverage will ge up, the fuzzer will slow down, but it's really just fuzzing duplicates of the same code. (I actually had modified asn1.c here like that in November.)

So shall I remove that addition?

One like cms, crl and x509 might be more useful.

I've just added fuzz/cmp.c according to the model of fuzz/cms.c because it is most closely related, but this is suspiciously simple (like adding types to fuzz/asn1.c was).
I also found that fuzz/build.info and test/recipes/99-test_fuzz.t need to be extended accordingly.

Yet when invoking

make tests TESTS="test_fuzz" V=1

I only get

    1..1
../../util/wrap.pl ../../fuzz/cmp-test ../../fuzz/corpora/cmp => 0
    ok 1
ok 1 - Fuzzing cmp

I suspect I need to set up fuzz/corpora/cmp/ with all those hash-named files, but how?

A documentation/HOWTO for the OpenSSL fuzzing facility would be helpful here.

But I think as part of your CMP work, you added things like an HTTP client. I would like to see something that does something with HTTP.

CMP, like CMS, is actually independent of the transfer protocol - HTTP is just the default.
So I think they are better tested independently.

HTTP is not an ASN.1-based protocol, and I have no clue how to fuzz that.
When adding the generic HTTP client support I've already added non-fuzzing tests for it:

test/http_test.c
test/recipes/80-test_http.t

I don't know if there are other protocols involved. If there are, it would be useful to test them.

CMP itself does not involve any further protocols (while its data structures make use of CRMF and X509, which are formats, not protocols, so AFAICS do not play a direct role here).

Thanks @kroeckx for pointing at fuzz/README.md, which I had not noticed.
This explains how to fill fuzz/corpora/cmp/.

Yet fuzz/helper.py cmp has already been running for more than two days (on one CPU core), so far producing 13 MB data. Is there a way to see a forecast how much longer/more this is going to take?

It will until run until you stop it. So just stop it, and add the corpus.

Oh! This important detail seems not mentioned in the README.

Actually I have data from two runs: 13.2 MB from the long run I mentioned, which I just stopped,
and 3.6 MB from an earlier run which I had cancelled for other reasons.

Which one is preferred? I presume there should be a balance between completeness and data size. Here is a comparison with the data sizes of the already included fuzzers:

du fuzz/corpora/* | sort -n

960	fuzz/corpora/ct
1928	fuzz/corpora/conf
1996	fuzz/corpora/bndiv
2184	fuzz/corpora/asn1parse
2196	fuzz/corpora/bignum
3600	fuzz/corpora/cmp_old
7152	fuzz/corpora/cms
8208	fuzz/corpora/server
9128	fuzz/corpora/crl
9816	fuzz/corpora/client
10168	fuzz/corpora/x509
13284	fuzz/corpora/cmp
15836	fuzz/corpora/asn1

I recommend that you try to minimize it, that is run: ./cmp x509 -merge=1 new-dir old-dir Where new-dir is an empty directory. You can put all the files you have in the old-dir.

Good to know, will do.
Should I also run AFL mentioned in the README?

 afl-fuzz -i fuzz/corpora/$FUZZER -o fuzz/corpora/$FUZZER/out fuzz/$FUZZER

BTW, the copy of my last response was a mistake - my browser view of this page was inconsistent.

I recommend that you try to minimize it, that is run:
./cmp x509 -merge=1 new-dir old-dir

Where new-dir is an empty directory.
You can put all the files you have in the old-dir.

This took about a day to complete, but apparently had no effect - new-dir is still empty :-(

Why to use the x509 parameter here? Maybe this is wrong.

Should I better use, e.g., this? ./cmp new-dir -merge=1 old-dir

./cmp -merge=1 new-dir old-dir

I'm running this now, let's see how this goes ...

I assume you have an x509 dir, and it put things in the x509 dir.

Yes, fuzz/corpora/x509/ exists also over here,
but I had already checked: nothing changed there, neither.

Also

./cmp -merge=1 new-dir old-dir`

did not give any output and apparently terminated immediately, without effect.

In the meantime I've tentatively added the manually combined but non-merged/minimized data to fuzz/corpora/cmp/.

make tests TESTS="test_fuzz" V=1

now does include fuzz/corpora/cmp/ and passes.

The cmp data added just about 2.5 seconds to the overall time (which is some 80 seconds on my machine) the fuzz tests took.
I cannot judge if this is a good sign or not.

I tried to minimize the corpus, and I had no problem with it:
$ ./fuzz/cmp -merge=1 fuzz/new/cmp fuzz/corpora/cmp/

Argh, meanwhile I found that in my builds of those excecutables like fuzz/cmp were garbled,
which explains their weird behavior.

I suspect they were (wrongly) produced by my experiments with AFL or the like.
How can one produce them correctly, as you did?
With a normal configuration they do not show up as make targets.

BTW, would be generally very helpful in my view if Configure (and thus also config) automatically did a make clean or the like to avoid inconsistencies with artifacts of earlier builds in the same directory.

I've put that at https://www.roeckx.be/cmp.tar.gz Kurt

Thanks! I've replaced fuzz/corpora/cmp/* with that compressed data.
The fuzz tests also succeed with this data over here.

I see. I tried your new version of the config invocation
and found that I had to remove -Wa,--noexecstack.
My clang(++) version is 7.

Now I get on LDCMD=clang++ make fuzz/cmp:

rm -f fuzz/cmp
${LDCMD:-gcc} -pthread -m64 -fno-omit-frame-pointer -g  -Wall -O0 -g -DDEBUG_UNUSED -DPEDANTIC -pedantic -Wno-long-long -Wall -Wextra -Wno-unused-parameter -Wno-missing-field-initializers -Wswitch -Wsign-compare -Wshadow -Wformat -Wtype-limits -Wundef -Werror -Wmissing-prototypes -Wstrict-prototypes -fstack-protector -fno-omit-frame-pointer -std=gnu90 -L.   \
	-o fuzz/cmp \
	fuzz/cmp-bin-cmp.o fuzz/cmp-bin-driver.o \
	-lcrypto -ldl -pthread 
/usr/bin/ld: /usr/bin/../lib/gcc/x86_64-linux-gnu/8/../../../x86_64-linux-gnu/crt1.o: in function `_start':
(.text+0x20): undefined reference to `main'

Yet maybe I won't strictly need that fuzz/cmp executable.

Now the corpora data merging works, with very similar result as yours :-)

24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually.

Merged - thanks @kroeckx and @mattcaswell

This PR seems to have broken Travis. All master builds have been red since it was merged.

Hmm, are you sure the Travis failures are due to merging this PR?
Can you please provide more detail supporting this?

For instance, #4277 which I rebased to master today,
fails at a point unrelated to CMP and fuzzing:

 Looks like you failed 40 tests of 54.
30-test_evp_fetch_prov.t ........... 
Dubious, test returned 40 (wstat 10240, 0x2800)

according to https://travis-ci.org/github/openssl/openssl/jobs/677138716

I'm looking at this build:

https://travis-ci.org/github/openssl/openssl/jobs/676658702

Which fails in cmp_vfy_test:

    # ERROR: (int) 'fixture->expected == ossl_cmp_verify_popo(fixture->msg, fixture->additional_arg)' failed @ test/cmp_vfy_test.c:101
    # [0] compared to [1]
    not ok 2 - test_verify_popo_bad

This is from the first build after commit e0331e - and is the first point that travis goes red. I think there are some subsequent other problems from later commits that are unrelated to this.

I see test failures locally in cmp_vfy_test if I use -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION, as is done in the build in question. Although, strangely, the errors I see are slightly different to the ones in the failing build.

Thx for the details; now I understand what's going on.
I need to disable at least the above test in case -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
(while I wouldn't have expected that the normal tests are run while that symbol is defined).
I'll provided a fixup PR shortly...

Please run the extended tests in your fixup PR - the failing job only gets run when extended tests are enabled.

How to run the extended tests?

Done in #11585