GitHub/openssl
1
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2026-05-07 20:12:39 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
master
openssl/util/wrap.pl.in
T
Neil Horman 619a0fe718 Fix unit tests when run under fuzz builds 
PR https://github.com/openssl/openssl/pull/30045

Fixed an oss-fuzz failure that occured because we feed random data into
the pkcs12 kdf, which sometimes results in a huge iteration count, that
leads to timeouts in oss-fuzz.

The fix was to simply limit the number of iterations that we go through
during derivation.  This breaks the kdf of course, but it doesn't really
matter during fuzzing, because we don't expect random input data to
produce reasonable results, so no harm, no foul.

except.

We also, in our CI, build our fuzzer tests and run them through our
regular CI unit tests, during which we both provide valid data, and
expect valid results, and pr 30045 breaks that expectation.

The conventional wisdom is to simply skip unit tests that break under
these sorts of conditions (we do this for things like
70-test_quic_record.t already).

however, the tests that broke here are 25_test_x509, 30_test_evp,
80_test_pkcs12, and 90_test_store_cases.  It seems like we would want to
keep testing those unless we absolutely have to skip them.

So instead, lets indicate that we are running the unit tests with an
environment variable, and check that variable when we have an
UNSAFE_FOR_PRODUCTION build, skiping the iteration clamp in pkcs12kdf if
it is.  This allows us to continue running these unit tests, while still
getting the oss-fuzz runs to pass.

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
MergeDate: Thu Feb 19 08:49:56 2026
(Merged from https://github.com/openssl/openssl/pull/30070)
2026-02-19 09:49:54 +01:00

161 lines
4.8 KiB
Plaintext
Raw Permalink Blame History

#! {- $config{HASHBANGPERL} -}
use strict;
use warnings;
use File::Basename;
use File::Spec::Functions;
BEGIN {
# This method corresponds exactly to 'use OpenSSL::Util',
# but allows us to use a platform specific file spec.
require {-
use Cwd qw(abs_path);
"'" . abs_path(catfile($config{sourcedir},
'util', 'perl', 'OpenSSL', 'Util.pm')) . "'";
-};
OpenSSL::Util->import();
}
sub quote_cmd_win32 {
my $cmd = "";
foreach my $arg (@_) {
if ($arg =~ m{\A[\w,-./@]+\z}) {
$cmd .= $arg . q{ };;
} else {
$cmd .= q{"} . quote_arg_win32($arg) . q{" };
}
}
return substr($cmd, 0, -1);
}
sub quote_arg_win32 {
my ($arg) = @_;
my $val = "";
pos($arg) = 0;
while (1) {
return $val if (pos($arg) == length($arg));
if ($arg =~ m{\G((?:(?>[\\]*)[^"\\]+)+)}ogc) {
$val .= $1;
} elsif ($arg =~ m{\G"}ogc) {
$val .= qq{\\"};
} elsif ($arg =~ m{\G((?>[\\]+)(?="|\z))}ogc) {
$val .= qq{\\} x (2 * length($1));
} else {
die sprintf("Internal error quoting: '%s'\n", $arg);
}
}
}
my $there = canonpath(catdir(dirname($0), updir()));
my $std_providers = catdir($there, 'providers');
my $std_openssl_conf = catdir($there, 'apps/openssl.cnf');
my $unix_shlib_wrap = catfile($there, 'util/shlib_wrap.sh');
my $std_openssl_conf_include;
if ($ARGV[0] eq '-fips') {
$std_openssl_conf = {-
use Cwd qw(abs_path);
"'" . abs_path(catfile($config{sourcedir}, 'test/fips-and-base.cnf')) . "'";
-};
shift;
$std_openssl_conf_include = catdir($there, 'providers');
}
if ($ARGV[0] eq '-jitter') {
$std_openssl_conf = {-
use Cwd qw(abs_path);
"'" . abs_path(catfile($config{sourcedir}, 'test/default-and-jitter.cnf')) . "'";
-};
shift;
$std_openssl_conf_include = catdir($there, 'providers');
}
local $ENV{OPENSSL_RUNNING_UNIT_TESTS} = "yes";
local $ENV{OPENSSL_CONF_INCLUDE} = $std_openssl_conf_include
if defined $std_openssl_conf_include
&&($ENV{OPENSSL_CONF_INCLUDE} // '') eq ''
&& -d $std_openssl_conf_include;
local $ENV{OPENSSL_MODULES} = $std_providers
if ($ENV{OPENSSL_MODULES} // '') eq '' && -d $std_providers;
local $ENV{OPENSSL_CONF} = $std_openssl_conf
if ($ENV{OPENSSL_CONF} // '') eq '' && -f $std_openssl_conf;
{-
# For VMS, we define logical names to get the libraries properly
# defined.
use File::Spec::Functions qw(rel2abs);
if ($^O eq "VMS") {
my $bldtop = rel2abs($config{builddir});
my %names =
map { platform->sharedname($_) => $bldtop.platform->sharedlib($_) }
grep { !$unified_info{attributes}->{libraries}->{$_}->{noinst} }
@{$unified_info{libraries}};
foreach (sort keys %names) {
$OUT .= "local \$ENV\{'$_'\} = '$names{$_}';\n";
}
}
-}
my $use_system = 0;
my @cmd;
if ($^O eq 'VMS') {
# VMS needs the command to be appropriately quotified
@cmd = fixup_cmd(@ARGV);
} elsif (-x $unix_shlib_wrap) {
@cmd = ( $unix_shlib_wrap, @ARGV );
} else {
# Hope for the best
@cmd = ( @ARGV );
}
# The exec() statement on MSWin32 doesn't seem to give back the exit code
# from the call, so we resort to using system() instead.
my $waitcode;
if ($^O eq 'MSWin32') {
$waitcode = system(quote_cmd_win32(@cmd));
} else {
$waitcode = system @cmd;
}
# According to documentation, -1 means that system() couldn't run the command,
# otherwise, the value is similar to the Unix wait() status value
# (exitcode << 8 | signalcode)
die "wrap.pl: Failed to execute '", join(' ', @cmd), "': $!\n"
if $waitcode == -1;
# When the subprocess aborted on a signal, we simply raise the same signal.
kill(($? & 255) => $$) if ($? & 255) != 0;
# If that didn't stop this script, mimic what Unix shells do, by
# converting the signal code to an exit code by setting the high bit.
# This only happens on Unix flavored operating systems, the others don't
# have this sort of signaling to date, and simply leave the low byte zero.
exit(($? & 255) | 128) if ($? & 255) != 0;
# When not a signal, just shift down the subprocess exit code and use that.
my $exitcode = $? >> 8;
# For VMS, perl recommendations is to emulate what the C library exit() does
# for all non-zero exit codes, except we set the error severity rather than
# success.
# Ref: https://perldoc.perl.org/perlport#exit
# https://perldoc.perl.org/perlvms#$?
if ($^O eq 'VMS' && $exitcode != 0) {
$exitcode =
0x35a000 # C facility code
+ ($exitcode * 8) # shift up to make space for the 3 severity bits
+ 2 # Severity: E(rror)
+ 0x10000000; # bit 28 set => the shell stays silent
}
exit($exitcode);
Reference in New Issue View Git Blame Copy Permalink