Conversation
|
Adding CMP (and CRMF) types to Is this already sufficient, or what should be done in addition? @kroeckx mentioned adding a file that implements a |
|
I think that adding it to asn1 isn't actually useful. The coverage
will ge up, the fuzzer will slow down, but it's really just
fuzzing duplicates of the same code.
(I actually had modified asn1.c here like that in November.)
One like cms, crl and x509 might be more useful.
But I think as part of your CMP work, you added things like an
HTTP client. I would like to see something that does something
with HTTP.
I don't know if there are other protocols involved. If there are,
it would be useful to test them.
|
So shall I remove that addition?
I've just added Yet when invoking I only get I suspect I need to set up A documentation/HOWTO for the OpenSSL fuzzing facility would be helpful here. |
CMP, like CMS, is actually independent of the transfer protocol - HTTP is just the default. HTTP is not an ASN.1-based protocol, and I have no clue how to fuzz that.
CMP itself does not involve any further protocols (while its data structures make use of CRMF and X509, which are formats, not protocols, so AFAICS do not play a direct role here). |
|
On Tue, Mar 24, 2020 at 03:07:08AM -0700, David von Oheimb wrote:
A documentation/HOWTO for the OpenSSL fuzzing facility would be helpful here.
Have you looked at fuzz/README.md?
Kurt
|
|
Thanks @kroeckx for pointing at Yet |
|
Yet `fuzz/helper.py cmp` has already been running for more than two days (on one CPU core), so far producing 13 MB data. Is there a way to see a forecast how much longer/more this is going to take?
It will until run until you stop it. So just stop it, and add the
corpus.
|
Oh! This important detail seems not mentioned in the README. Actually I have data from two runs: 13.2 MB from the long run I mentioned, which I just stopped, Which one is preferred? I presume there should be a balance between completeness and data size. Here is a comparison with the data sizes of the already included fuzzers: |
|
On Mon, Mar 30, 2020 at 12:41:10AM -0700, David von Oheimb wrote:
> It will until run until you stop it. So just stop it, and add the corpus.
Oh! This important detail seems not mentioned in the README.
Actually I have data from two runs: 13.2 MB from the long run I mentioned, which I just stopped,
and 3.6 MB from an earlier run which I had cancelled for other reasons.
Which one is preferred?
I recommend that you try to minimize it, that is run:
./cmp x509 -merge=1 new-dir old-dir
Where new-dir is an empty directory. You can put all the files you
have in the old-dir.
Kurt
|
Good to know, will do. BTW, the copy of my last response was a mistake - my browser view of this page was inconsistent. |
|
Should I also run AFL mentioned in the README?
No, libfuzzer alone is fine.
Once it's merged, Google will run that fuzzer with multiple
fuzzers including AFL. I will then download their corpus as some
point and merge it.
|
This took about a day to complete, but apparently had no effect - Why to use the Should I better use, e.g., this? |
|
On Tue, Mar 31, 2020 at 11:44:35PM -0700, David von Oheimb wrote:
> I recommend that you try to minimize it, that is run:
> ./cmp x509 -merge=1 new-dir old-dir
> Where new-dir is an empty directory.
> You can put all the files you have in the old-dir.
This took about a day to complete, but apparently had no effect - `new-dir` is still empty :-(
Why to use the `x509` parameter here? Maybe this is wrong.
Should I better use, e.g., this? `./cmp new-dir -merge=1 old-dir`
It clearly should just have been:
./cmp -merge=1 new-dir old-dir
I assume you have an x509 dir, and it put things in the x509 dir.
Kurt
|
I'm running this now, let's see how this goes ...
Yes, |
|
Also did not give any output and apparently terminated immediately, without effect. |
|
In the meantime I've tentatively added the manually combined but non-merged/minimized data to now does include |
|
The cmp data added just about 2.5 seconds to the overall time (which is some 80 seconds on my machine) the fuzz tests took. |
|
I just did a quick look at your fuzzer. Maybe you can pass
the msg to functions like:
- OSSL_CMP_SRV_process_request()
- OSSL_CMP_CTX_server_perform()
That is, write some basic applications that does something with
such a file.
I tried to minimize the corpus, and I had no problem with it:
$ ./fuzz/cmp -merge=1 fuzz/new/cmp fuzz/corpora/cmp/
INFO: Seed: 3695945473
INFO: Loaded 1 modules (183405 inline 8-bit counters): 183405 [0x1d99ea0, 0x1dc6b0d),
INFO: Loaded 1 PC tables (183405 PCs): 183405 [0x1dc6b10,0x20931e0),
MERGE-OUTER: 4136 files, 0 in the initial corpus
MERGE-OUTER: attempt 1
INFO: Seed: 3696161283
INFO: Loaded 1 modules (183405 inline 8-bit counters): 183405 [0x1d99ea0, 0x1dc6b0d),
INFO: Loaded 1 PC tables (183405 PCs): 183405 [0x1dc6b10,0x20931e0),
INFO: -max_len is not provided; libFuzzer will not generate inputs larger than 1048576 bytes
MERGE-INNER: using the control file '/tmp/libFuzzerTemp.1357149.txt'
MERGE-INNER: 4136 total files; 0 processed earlier; will process 4136 files now
#1 pulse cov: 438 exec/s: 0 rss: 48Mb
#2 pulse cov: 438 exec/s: 0 rss: 50Mb
#4 pulse cov: 439 exec/s: 0 rss: 50Mb
#8 pulse cov: 439 exec/s: 0 rss: 50Mb
#16 pulse cov: 527 exec/s: 0 rss: 50Mb
#32 pulse cov: 655 exec/s: 0 rss: 50Mb
#64 pulse cov: 696 exec/s: 0 rss: 51Mb
#128 pulse cov: 752 exec/s: 0 rss: 52Mb
#256 pulse cov: 1462 exec/s: 0 rss: 56Mb
#512 pulse cov: 1828 exec/s: 512 rss: 61Mb
#1024 pulse cov: 1863 exec/s: 1024 rss: 69Mb
#2048 pulse cov: 1987 exec/s: 409 rss: 87Mb
#4096 pulse cov: 1987 exec/s: 341 rss: 162Mb
#4136 DONE cov: 1987 exec/s: 344 rss: 166Mb
MERGE-OUTER: succesfull in 1 attempt(s)
MERGE-OUTER: the control file has 448086 bytes
MERGE-OUTER: consumed 0Mb (53Mb rss) to parse the control file
MERGE-OUTER: 1268 new files with 8138 new features added; 1987 new coverage edges
I've put that at https://www.roeckx.be/cmp.tar.gz
Kurt
|
Argh, meanwhile I found that in my builds of those excecutables like I suspect they were (wrongly) produced by my experiments with AFL or the like. |
|
BTW, would be generally very helpful in my view if |
Thanks! I've replaced |
|
On Wed, Apr 01, 2020 at 03:47:57AM -0700, David von Oheimb wrote:
> I tried to minimize the corpus, and I had no problem with it:
> $ ./fuzz/cmp -merge=1 fuzz/new/cmp fuzz/corpora/cmp/
Argh, meanwhile I found that in my builds of those excecutables like `fuzz/cmp` were garbled,
which explains their weird behavior.
I suspect they were (wrongly) produced by my experiments with AFL or the like.
How can one produce them correctly, as you did?
With a normal configuration they do not show up as make targets.
I did:
CC=clang-9 ./config enable-fuzz-libfuzzer --with-fuzzer-lib=/usr/lib/llvm-9/lib/clang/9.0.1/lib/linux/libclang_rt.fuzzer-x86_64.a -DPEDANTIC enable-asan enable-ubsan no-shared -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION -fsanitize=fuzzer-no-link enable-ec_nistp_64_gcc_128 -fno-sanitize=alignment enable-weak-ssl-ciphers enable-rc5 enable-md2 enable-ssl3 enable-ssl3-method enable-nextprotoneg --debug
LDCMD=clang++-9 make -j4
You might need to change the version of clang.
The "enable-fuzz-libfuzzer" will change the Makefile to generate the
fuzz/cmp file.
Kurt
|
|
I see. I tried your new version of the config invocation Now I get on Yet maybe I won't strictly need that |
|
(.text+0x20): undefined reference to `main'
Are you sure you passed the --with-fuzzer-lib? The library
provides the main function.
|
|
Now the corpora data merging works, with very similar result as yours :-) |
|
24 hours has passed since 'approval: done' was set, but this PR has failing CI tests. Once the tests pass it will get moved to 'approval: ready to merge' automatically, alternatively please review and set the label manually. |
|
Merged - thanks @kroeckx and @mattcaswell |
Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11386)
Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11386)
…o/cmp/ Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11386)
Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11386)
…erialNumber Reviewed-by: Kurt Roeckx <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #11386)
|
This PR seems to have broken Travis. All master builds have been red since it was merged. |
|
Hmm, are you sure the Travis failures are due to merging this PR? For instance, #4277 which I rebased to master today, |
|
I'm looking at this build: Which fails in cmp_vfy_test: This is from the first build after commit e0331e - and is the first point that travis goes red. I think there are some subsequent other problems from later commits that are unrelated to this. |
|
I see test failures locally in cmp_vfy_test if I use |
|
Thx for the details; now I understand what's going on. |
|
Please run the extended tests in your fixup PR - the failing job only gets run when extended tests are enabled. |
|
How to run the extended tests? |
|
Add a line in the commit message of the last commit that says:
[extended tests]
|
|
Done in #11585 |
This solves #11301 by adding fuzzing of all public CMP and CRMF data types.