Add fuzz files (#189)

Signed-off-by: He, Jing J <[email protected]>

fuzz/Makefile

@@ -0,0 +1,44 @@
+# Compiler and linker
+CC := afl-clang-fast
+CXX := afl-clang-fast++
+LD := afl-clang-fast++
+
+BIN := $(FUZZER)
+
+# Compiler and linker flags
+CFLAGS := -I../Linux/package/include -Iinclude -pthread -m64 -fno-omit-frame-pointer -g -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -fno-sanitize=alignment -DOPENSSL_BUILDING_OPENSSL -DPEDANTIC
+CPPFLAGS := $(CFLAGS) -std=c++11
+CFLAGS := $(CFLAGS) -std=c11
+LDFLAGS := -pthread -m64 -fno-omit-frame-pointer -g -Wa,--noexecstack -Qunused-arguments -Wall -O0 -g -fno-sanitize=alignment
+
+# Source files
+SOURCES := driver.c $(BIN).c
+
+# Object files
+OBJECTS := $(SOURCES:.c=.o)
+
+# Executable name
+EXECUTABLE := $(BIN)
+
+# Default target
+all: $(EXECUTABLE)
+
+# Link the executable
+$(EXECUTABLE): $(OBJECTS) sgxssl_fuzz_common.o
+	$(LD) $(LDFLAGS) -o $@ $^ -L../Linux/package/lib64/ -Wl,--no-whole-archive -Wl,--start-group  -lsgx_tsgxssl_crypto -lsgx_tsgxssl -Wl,--end-group  -ldl -pthread -L/usr/lib/gcc/x86_64-linux-gnu/11/ -lstdc++ -Wl,--defsym,__errno=0
+
+# Compile source files into object files
+%.o: %.c
+	$(CC) $(CFLAGS) -MMD -MF $*.d.tmp -MT $@ -c -o $@ $<
+
+sgxssl_fuzz_common.o: sgxssl_fuzz_common.cpp
+	$(CXX) $(CPPFLAGS) -MMD -MF $*.d.tmp -MT $@ -c -o $@ $<
+
+# Include dependency files
+-include $(SOURCES:.c=.d)
+
+# Clean target
+clean:
+	 rm -f *.o *.d *.tmp $(EXECUTABLE) *_fuzz
+
+.PHONY: all clean

fuzz/README.md

@@ -0,0 +1,42 @@
+Fuzzing Intel SGX SSL
+=====================
+
+Do fuzzing with AFL in Linux
+
+AFL
+---
+
+Install AFL
+
+```
+sudo apt-get install afl-clang
+```
+
+Build SGX SSL in Linux first, and go to the `fuzz/`:
+
+```
+make clean
+for i in $(ls *_fuzz.c); do make FUZZER=`echo $i | awk '{print substr($0, 1, length($0)-2)}'`; done
+```
+
+Run one of the fuzzers:
+
+```
+rm -rf $FUZZER\_out
+mkdir $FUZZER\_out
+afl-fuzz -i corpora//$FUZZER -o $FUZZER\_out .//$FUZZER
+```
+
+Where $FUZZER is one of the executables in `fuzz/`.
+
+Reproducing issues
+------------------
+
+If a fuzzer generates a reproducible error, you can reproduce the problem using
+the fuzz/*_fuzz binaries and the file generated by the fuzzer. 
+
+To reproduce the crash you can run:
+
+```
+fuzz/$FUZZER $file
+```

fuzz/driver.c

@@ -0,0 +1,61 @@
+/*
+ * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+#include <stdint.h>
+#include <unistd.h>
+#include <stdlib.h>
+#include <stdio.h>
+#include <errno.h>
+#include <openssl/opensslconf.h>
+#include <fcntl.h>
+#include "fuzzer.h"
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+int LLVMFuzzerInitialize(int *argc, char ***argv);
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len);
+
+int LLVMFuzzerInitialize(int *argc, char ***argv)
+{
+    return FuzzerInitialize(argc, argv);
+}
+
+int LLVMFuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+    return FuzzerTestOneInput(buf, len);
+}
+
+#define BUF_SIZE 65536
+
+int main(int argc, char** argv)
+{
+    FuzzerInitialize(&argc, &argv);
+    int fd = open(argv[1], O_RDONLY);
+    if ( fd == -1 ) {
+	perror("open");
+	exit(EXIT_FAILURE);
+    }
+
+    while (__AFL_LOOP(10000)) {
+        uint8_t *buf = malloc(BUF_SIZE);
+        size_t size = read(fd, buf, BUF_SIZE);
+
+        FuzzerTestOneInput(buf, size);
+        free(buf);
+    }
+
+    FuzzerCleanup();
+    return 0;
+}
+
+#if defined(__cplusplus)
+}
+#endif

fuzz/ecdsa_keygen_fuzz.c

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/ec.h>
+#include <openssl/err.h>
+#include "fuzzer.h"
+
+int FuzzerInitialize(int *argc, char ***argv)
+{
+    return 1;
+}
+
+int FuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+    (void)len;
+    int n = atoi((const char *)buf);
+    if ( n < 0 ) return -1;
+    EVP_PKEY_CTX* ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_EC, NULL);
+    if (!ctx) {
+        fprintf(stderr, "Error creating context for EC key generation.\n");
+        return -1;
+    }
+
+    // Set the curve (prime256v1)
+    if (EVP_PKEY_paramgen_init(ctx) <= 0 ||
+        EVP_PKEY_CTX_set_ec_paramgen_curve_nid(ctx, n) <= 0) {
+        fprintf(stderr, "Error setting curve parameters.\n");
+        EVP_PKEY_CTX_free(ctx);
+        return -1;
+    }
+
+    // Generate the key pair
+    EVP_PKEY* pkey = NULL;
+    if (EVP_PKEY_generate(ctx, &pkey) <= 0) {
+        fprintf(stderr, "Error generating EC key pair.\n");
+        EVP_PKEY_CTX_free(ctx);
+        return -1;
+    }
+
+    // Clean up
+    EVP_PKEY_CTX_free(ctx);
+    EVP_PKEY_free(pkey);
+
+    printf("ECDSA key pair generated successfully!\n");
+    return 0;
+}
+
+void FuzzerCleanup(void)
+{
+    return;
+}

fuzz/fuzzer.h

@@ -0,0 +1,16 @@
+/*
+ * Copyright 2016-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+
+int FuzzerTestOneInput(const uint8_t *buf, size_t len);
+int FuzzerInitialize(int *argc, char ***argv);
+void FuzzerCleanup(void);
+
+void FuzzerSetRand(void);
+void FuzzerClearRand(void);

fuzz/sgxssl_fuzz_common.cpp

@@ -0,0 +1,85 @@
+#include <stdint.h>
+#include <stdlib.h>
+#include <pthread.h>
+#include <emmintrin.h>
+#ifndef UINT32_MAX
+#define UINT32_MAX 0xFFFFFFFFU
+#endif
+
+
+namespace std {
+        class bad_alloc
+        {
+        public:
+		bad_alloc(const bad_alloc&) throw();
+	};
+	bad_alloc::bad_alloc(const bad_alloc&) throw() {}
+
+}
+
+typedef volatile unsigned long sgx_spinlock_t;
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+int sgx_read_rand(unsigned int *buf,  unsigned long size)
+{
+    if(buf == NULL || size == 0 || size> UINT32_MAX )
+    {
+        return -1;
+    }
+    unsigned long i;
+    for(i=0;i<(unsigned long)size;++i)
+    {
+            buf[i]=(unsigned int)rand();
+    }
+    return 0;
+}
+
+static inline int _InterlockedExchange(int volatile * dst, int val)
+{
+    int res;
+
+    __asm __volatile(
+        "lock xchg %2, %1;"
+        "mov %2, %0"
+        : "=m" (res)
+        : "m" (*dst),
+        "r" (val) 
+        : "memory"
+    );
+
+    return (res);
+
+}
+
+#define MIN_BACKOFF 2
+#define MAX_BACKOFF 1024
+unsigned long sgx_spin_lock(sgx_spinlock_t *lock)
+{
+    while(_InterlockedExchange((volatile int *)lock, 1) != 0) {
+        int b = MIN_BACKOFF;
+        do
+        {    /* tell cpu we are spinning */
+            for (int i=0; i < b; i++) {
+                _mm_pause();
+            }
+            b <<= 1;
+            if (b > MAX_BACKOFF) {
+                b = MAX_BACKOFF;
+            }
+        } while (*lock);
+    }
+    return (0);
+}
+
+unsigned long sgx_spin_unlock(sgx_spinlock_t *lock)
+{
+	*lock = 0;
+	return 0;
+}
+
+#if defined(__cplusplus)
+}
+#endif

fuzz/sha256_fuzz.c

@@ -0,0 +1,44 @@
+/*
+ * Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <openssl/evp.h>
+#include <openssl/err.h>
+#include <openssl/sha.h>
+#include "fuzzer.h"
+
+int FuzzerInitialize(int *argc, char ***argv)
+{
+    return 1;
+}
+
+int FuzzerTestOneInput(const uint8_t *buf, size_t len)
+{
+    unsigned char hash[SHA256_DIGEST_LENGTH];
+    EVP_MD_CTX *mdctx;
+    const EVP_MD *md;
+    unsigned int hash_len;
+
+    md = EVP_sha256();
+    mdctx = EVP_MD_CTX_new();
+    EVP_DigestInit_ex(mdctx, md, NULL);
+    EVP_DigestUpdate(mdctx, (const unsigned char *)buf, len);
+    EVP_DigestFinal_ex(mdctx, hash, &hash_len);
+    EVP_MD_CTX_free(mdctx);
+
+    return 0;
+}
+
+void FuzzerCleanup(void)
+{
+    return;
+}