changeset 1772:0cc85b4a4abb

Move fuzzer-kex initialisation into a constructor function. Hopefully this can avoid hitting AFL timeouts. https://github.com/google/oss-fuzz/pull/2474
author Matt Johnston <matt@ucc.asn.au>
date Thu, 29 Oct 2020 23:00:52 +0800
parents af9ed0815818
children c3ca130d193a
files fuzz/fuzzer-kexcurve25519.c fuzz/fuzzer-kexdh.c fuzz/fuzzer-kexecdh.c
diffstat 3 files changed, 67 insertions(+), 74 deletions(-) [+]
--- a/fuzz/fuzzer-kexcurve25519.c	Thu Oct 29 22:41:37 2020 +0800
+++ b/fuzz/fuzzer-kexcurve25519.c	Thu Oct 29 23:00:52 2020 +0800
@@ -6,33 +6,30 @@
 #include "algo.h"
 #include "bignum.h"
 
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	static int once = 0;
-	static struct key_context* keep_newkeys = NULL;
-	/* number of generated parameters is limited by the timeout for the first run.
-	   TODO move this to the libfuzzer initialiser function instead if the timeout
-	   doesn't apply there */
-	#define NUM_PARAMS 20
-	static struct kex_curve25519_param *curve25519_params[NUM_PARAMS];
+static struct key_context* keep_newkeys = NULL;
+/* An arbitrary limit */
+#define NUM_PARAMS 80
+static struct kex_curve25519_param *curve25519_params[NUM_PARAMS];
 
-	if (!once) {
-		fuzz_common_setup();
-		fuzz_svr_setup();
+static void setup() __attribute__((constructor));
+// Perform initial setup here to avoid hitting timeouts on first run
+static void setup() {
+	fuzz_common_setup();
+	fuzz_svr_setup();
 
-		keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
-		keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256");
-		keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519;
-		ses.newkeys = keep_newkeys;
+	keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
+	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "curve25519-sha256");
+	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ED25519;
+	ses.newkeys = keep_newkeys;
 
-		/* Pre-generate parameters */
-		int i;
-		for (i = 0; i < NUM_PARAMS; i++) {
-			curve25519_params[i] = gen_kexcurve25519_param();
-		}
+	/* Pre-generate parameters */
+	int i;
+	for (i = 0; i < NUM_PARAMS; i++) {
+		curve25519_params[i] = gen_kexcurve25519_param();
+	}
+}
 
-		once = 1;
-	}
-
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
 		return 0;
 	}
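Review bot: The `fuzz_get_algo(sshkex, "curve25519-sha256")` result stored into `keep_newkeys->algo_kex` is never checked, so if that kex is compiled out of the build the constructor silently leaves `algo_kex` NULL and the failure surfaces later inside the kex code instead of at process start; the ecdh harness in this same changeset asserts each lookup, so add `assert(keep_newkeys->algo_kex);` directly after that line. Two smaller points: `static void setup()` is an old-style declarator in C and should read `static void setup(void)`, and because a constructor runs before libFuzzer's own `main` has parsed its flags, a short comment noting that `LLVMFuzzerInitialize` is the documented hook for any flag-dependent setup would preserve the intent of the TODO this hunk removes. The body of `LLVMFuzzerTestOneInput` continues past the end of the hunk.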
--- a/fuzz/fuzzer-kexdh.c	Thu Oct 29 22:41:37 2020 +0800
+++ b/fuzz/fuzzer-kexdh.c	Thu Oct 29 23:00:52 2020 +0800
@@ -6,33 +6,29 @@
 #include "algo.h"
 #include "bignum.h"
 
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	static int once = 0;
-	static struct key_context* keep_newkeys = NULL;
-	/* number of generated parameters is limited by the timeout for the first run.
-	   TODO move this to the libfuzzer initialiser function instead if the timeout
-	   doesn't apply there */
-	#define NUM_PARAMS 20
-	static struct kex_dh_param *dh_params[NUM_PARAMS];
+static struct key_context* keep_newkeys = NULL;
+#define NUM_PARAMS 80
+static struct kex_dh_param *dh_params[NUM_PARAMS];
 
-	if (!once) {
-		fuzz_common_setup();
-		fuzz_svr_setup();
+static void setup() __attribute__((constructor));
+// Perform initial setup here to avoid hitting timeouts on first run
+static void setup() {
+	fuzz_common_setup();
+	fuzz_svr_setup();
 
-		keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
-		keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "diffie-hellman-group14-sha256");
-		keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
-		ses.newkeys = keep_newkeys;
+	keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
+	keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "diffie-hellman-group14-sha256");
+	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
+	ses.newkeys = keep_newkeys;
 
-		/* Pre-generate parameters */
-		int i;
-		for (i = 0; i < NUM_PARAMS; i++) {
-			dh_params[i] = gen_kexdh_param();
-		}
+	/* Pre-generate parameters */
+	int i;
+	for (i = 0; i < NUM_PARAMS; i++) {
+		dh_params[i] = gen_kexdh_param();
+	}
+}
 
-		once = 1;
-	}
-
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
 		return 0;
 	}
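Review bot: As in the curve25519 harness, `keep_newkeys->algo_kex = fuzz_get_algo(sshkex, "diffie-hellman-group14-sha256");` stores a possibly-NULL pointer with no check, whereas the ecdh harness asserts each `fuzz_get_algo` result; an `assert(keep_newkeys->algo_kex);` after that line makes a missing algorithm fail at startup rather than in the kex code. `NUM_PARAMS 80` here has no comment, unlike the other two harnesses, and pre-generating 80 group14 DH parameters in the constructor is likely the most expensive of the three startups, so something like `/* Arbitrary; each parameter is generated in the constructor, so raising this lengthens every process start */` would help whoever tunes it next. `static void setup()` should be `static void setup(void)`. `LLVMFuzzerTestOneInput` runs past the end of the hunk.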
--- a/fuzz/fuzzer-kexecdh.c	Thu Oct 29 22:41:37 2020 +0800
+++ b/fuzz/fuzzer-kexecdh.c	Thu Oct 29 23:00:52 2020 +0800
@@ -6,38 +6,38 @@
 #include "algo.h"
 #include "bignum.h"
 
-int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
-	static int once = 0;
-	static const struct dropbear_kex *ecdh[3]; /* 256, 384, 521 */
-	static struct key_context* keep_newkeys = NULL;
-	/* number of generated parameters is limited by the timeout for the first run */
-	#define NUM_PARAMS 80
-	static struct kex_ecdh_param *ecdh_params[NUM_PARAMS];
+static const struct dropbear_kex *ecdh[3]; /* 256, 384, 521 */
+static struct key_context* keep_newkeys = NULL;
+/* number of generated parameters. An arbitrary limit, but will delay startup */
+#define NUM_PARAMS 80
+static struct kex_ecdh_param *ecdh_params[NUM_PARAMS];
 
-	if (!once) {
-		fuzz_common_setup();
-		fuzz_svr_setup();
+static void setup() __attribute__((constructor));
+// Perform initial setup here to avoid hitting timeouts on first run
+static void setup() {
+	fuzz_common_setup();
+	fuzz_svr_setup();
 
-		/* ses gets zeroed by fuzz_set_input */
-		keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
-		ecdh[0] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp256");
-		ecdh[1] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp384");
-		ecdh[2] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp521");
-		assert(ecdh[0]);
-		assert(ecdh[1]);
-		assert(ecdh[2]);
-		keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
-		ses.newkeys = keep_newkeys;
+	/* ses gets zeroed by fuzz_set_input */
+	keep_newkeys = (struct key_context*)m_malloc(sizeof(struct key_context));
+	ecdh[0] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp256");
+	ecdh[1] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp384");
+	ecdh[2] = fuzz_get_algo(sshkex, "ecdh-sha2-nistp521");
+	assert(ecdh[0]);
+	assert(ecdh[1]);
+	assert(ecdh[2]);
+	keep_newkeys->algo_hostkey = DROPBEAR_SIGNKEY_ECDSA_NISTP256;
+	ses.newkeys = keep_newkeys;
 
-		/* Pre-generate parameters */
-		int i;
-		for (i = 0; i < NUM_PARAMS; i++) {
-			ses.newkeys->algo_kex = ecdh[i % 3];
-			ecdh_params[i] = gen_kexecdh_param();
-		}
+	/* Pre-generate parameters */
+	int i;
+	for (i = 0; i < NUM_PARAMS; i++) {
+		ses.newkeys->algo_kex = ecdh[i % 3];
+		ecdh_params[i] = gen_kexecdh_param();
+	}
+}
 
-		once = 1;
-	}
+int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) {
 
 	if (fuzz_set_input(Data, Size) == DROPBEAR_FAILURE) {
 		return 0;
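Review bot: The three `assert(ecdh[n])` calls are the only validation of the `fuzz_get_algo` lookups, and `assert` compiles to nothing under `NDEBUG`, so a build that defines it would pass a NULL `algo_kex` into `gen_kexecdh_param` in the pre-generation loop; if the fuzz targets can be built that way (not visible here), an unconditional check such as `if (!ecdh[0] || !ecdh[1] || !ecdh[2]) { abort(); }` is safer. The loop also returns with `ses.newkeys->algo_kex` still pointing at `ecdh[(NUM_PARAMS - 1) % 3]`; the `/* ses gets zeroed by fuzz_set_input */` comment suggests that is harmless, but a comment on the loop such as `/* algo_kex is reselected per input in LLVMFuzzerTestOneInput; the value left here is not relied on */` would make that explicit — confirm against the body. The `// Perform initial setup ...` line uses `//` where the rest of this file uses `/* */`. `LLVMFuzzerTestOneInput` starts at the end of the hunk and its body continues outside it.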