From 760373aff43a289c11492955a08fca2b555284e0 Mon Sep 17 00:00:00 2001
From: David Korczynski
Date: Sun, 3 Apr 2022 23:08:31 +0100
Subject: [PATCH 1/4] ecdsa-python: initial integration
---
projects/ecdsa-python/Dockerfile | 21 ++++++++++
projects/ecdsa-python/build.sh | 24 +++++++++++
projects/ecdsa-python/fuzz_private_key.py | 51 +++++++++++++++++++++++
projects/ecdsa-python/project.yaml | 8 ++++
4 files changed, 104 insertions(+)
create mode 100644 projects/ecdsa-python/Dockerfile
create mode 100644 projects/ecdsa-python/build.sh
create mode 100644 projects/ecdsa-python/fuzz_private_key.py
create mode 100644 projects/ecdsa-python/project.yaml
diff --git a/projects/ecdsa-python/Dockerfile b/projects/ecdsa-python/Dockerfile
new file mode 100644
index 000000000000..7aac78872b44
--- /dev/null
+++ b/projects/ecdsa-python/Dockerfile
@@ -0,0 +1,21 @@
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+FROM gcr.io/oss-fuzz-base/base-builder-python
+RUN git clone https://github.com/starkbank/ecdsa-python/
+WORKDIR $SRC
+COPY build.sh $SRC/
+COPY fuzz_* $SRC/
diff --git a/projects/ecdsa-python/build.sh b/projects/ecdsa-python/build.sh
new file mode 100644
index 000000000000..e7e7cf1a308b
--- /dev/null
+++ b/projects/ecdsa-python/build.sh
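Review bot: The Dockerfile's `RUN git clone https://github.com/starkbank/ecdsa-python/` fetches the project's full history on every image build, although the build only needs the current tree. A shallow clone keeps the image smaller and the build faster: `RUN git clone --depth 1 https://github.com/starkbank/ecdsa-python/`. The clone also runs before `WORKDIR $SRC` is set, so it depends on the base image's default working directory already being `$SRC` (build.sh later does a relative `cd ecdsa-python`). Moving `WORKDIR $SRC` above the clone, or cloning to `$SRC/ecdsa-python` explicitly, would make that dependency visible.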
@@ -0,0 +1,24 @@
+#!/bin/bash -eu
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+################################################################################
+
+cd ecdsa-python
+python3 ./setup.py install
+
+# Build fuzzers in $OUT.
+for fuzzer in $(find $SRC -name 'fuzz_*.py'); do
+ compile_python_fuzzer $fuzzer
+done
diff --git a/projects/ecdsa-python/fuzz_private_key.py b/projects/ecdsa-python/fuzz_private_key.py
new file mode 100644
index 000000000000..ac3fc5a6136d
--- /dev/null
+++ b/projects/ecdsa-python/fuzz_private_key.py
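Review bot: `python3 ./setup.py install` in build.sh uses the direct `setup.py install` path, which setuptools has deprecated; `pip3 install .` installs the same checkout through the supported front end. In the loop below it, `$SRC` and `$fuzzer` are expanded unquoted and the `find` output is word-split, so a harness path containing whitespace would break the build; quoting the argument (`compile_python_fuzzer "$fuzzer"`) costs nothing. The same lines recur as context in the later build.sh hunks of this series.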
@@ -0,0 +1,51 @@
+#!/usr/bin/python3
+# Copyright 2022 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+import atheris
+
+with atheris.instrument_imports():
+ from ellipticcurve import Ecdsa, Signature, PublicKey, PrivateKey
+
+
+@atheris.instrument_func
+def TestOneInput(input_bytes):
+ fdp = atheris.FuzzedDataProvider(input_bytes)
+
+ privateKey1 = PrivateKey()
+ publicKey1 = privateKey1.publicKey()
+
+ privateKeyPem = privateKey1.toPem()
+ publicKeyPem = publicKey1.toPem()
+
+ privateKey2 = PrivateKey.fromPem(privateKeyPem)
+ publicKey2 = PublicKey.fromPem(publicKeyPem)
+
+ message = fdp.ConsumeUnicode(sys.maxsize)
+
+ signatureBase64 = Ecdsa.sign(message=message,
+ privateKey=privateKey2).toBase64()
+
+ signature = Signature.fromBase64(signatureBase64)
+ assert(Ecdsa.verify(message=message, signature=signature, publicKey=publicKey2))
+
+
+def main():
+ atheris.Setup(sys.argv, TestOneInput, enable_python_coverage=True)
+ atheris.Fuzz()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/projects/ecdsa-python/project.yaml b/projects/ecdsa-python/project.yaml
new file mode 100644
index 000000000000..db97f6d1e30c
--- /dev/null
+++ b/projects/ecdsa-python/project.yaml
@@ -0,0 +1,8 @@
+homepage: "https://github.com/starkbank/ecdsa-python"
+language: python
+primary_contact: "david@adalogics.com"
+fuzzing_engines:
+ - libfuzzer
+sanitizers:
+ - address
+main_repo: "https://github.com/starkbank/ecdsa-python/"
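Review bot: In `TestOneInput` of fuzz_private_key.py the fuzz input only reaches `message`. The key pair comes from `PrivateKey()` with no arguments, which presumably draws a fresh random key on every call, and `PrivateKey.fromPem`, `PublicKey.fromPem` and `Signature.fromBase64` only ever receive output the library produced itself. As a result the parsers that would face untrusted data in a real deployment are never exercised with malformed input, and a failing `assert` may not reproduce from the saved test case because the key differs between runs. Consider deriving the key material from `fdp` so runs are deterministic, and adding a second harness that passes fuzzer-controlled strings to the three parsing entry points, catching only the exceptions the library documents for bad input. A one-line comment above `TestOneInput` such as `# Property: a signature made with a private key verifies under its public key for any message.` would also record what the assertion is meant to check.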
From c86d943b640c17f82961d2311f84674c64d77ea0 Mon Sep 17 00:00:00 2001 From: David Korczynski Date: Wed, 6 Apr 2022 10:50:34 +0100 Subject: [PATCH 2/4] revert to old compilation style atm --- projects/ecdsa-python/build.sh | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/projects/ecdsa-python/build.sh b/projects/ecdsa-python/build.sh index e7e7cf1a308b..9ae4b3c8e111 100644 --- a/projects/ecdsa-python/build.sh +++ b/projects/ecdsa-python/build.sh @@ -20,5 +20,16 @@ python3 ./setup.py install # Build fuzzers in $OUT. for fuzzer in $(find $SRC -name 'fuzz_*.py'); do - compile_python_fuzzer $fuzzer + fuzzer_basename=$(basename -s .py $fuzzer) + fuzzer_package=${fuzzer_basename}.pkg + pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer + + # Create execution wrapper. + echo "#!/bin/sh +# LLVMFuzzerTestOneInput for fuzzer detection. +this_dir=\$(dirname \"\$0\") +LD_PRELOAD=\$this_dir/sanitizer_with_fuzzer.so \ +ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \ +\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename + chmod +x $OUT/$fuzzer_basename done From 5f7cf29c93b2e086e158f7f083f15db3a69c6d25 Mon Sep 17 00:00:00 2001 From: David Korczynski Date: Tue, 3 May 2022 10:02:22 +0100 Subject: [PATCH 3/4] use latest build set up --- projects/ecdsa-python/build.sh | 15 ++------------- 1 file changed, 2 insertions(+), 13 deletions(-) diff --git a/projects/ecdsa-python/build.sh b/projects/ecdsa-python/build.sh index 9ae4b3c8e111..9fed50068645 100644 --- a/projects/ecdsa-python/build.sh +++ b/projects/ecdsa-python/build.sh 
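Review bot: The wrapper written by the `echo` block in PATCH 2/4 ends with `\$this_dir/$fuzzer_package \$@`, and the unquoted `$@` re-splits every argument on whitespace, so a corpus directory or `-artifact_prefix=` path containing a space reaches the fuzzer as several arguments. Writing `\$this_dir/$fuzzer_package \"\$@\"` preserves the arguments as passed. The unquoted `\$this_dir` on the `LD_PRELOAD` and binary lines, and `$OUT/$fuzzer_basename` in the redirect and `chmod`, have the same weakness if the output directory ever contains a space. PATCH 3/4 removes this wrapper again, so the point matters only if the series is not squashed or the block is reused.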
@@ -18,18 +18,7 @@ cd ecdsa-python python3 ./setup.py install -# Build fuzzers in $OUT. +# Build fuzzers for fuzzer in $(find $SRC -name 'fuzz_*.py'); do - fuzzer_basename=$(basename -s .py $fuzzer) - fuzzer_package=${fuzzer_basename}.pkg - pyinstaller --distpath $OUT --onefile --name $fuzzer_package $fuzzer - - # Create execution wrapper. - echo "#!/bin/sh -# LLVMFuzzerTestOneInput for fuzzer detection. -this_dir=\$(dirname \"\$0\") -LD_PRELOAD=\$this_dir/sanitizer_with_fuzzer.so \ -ASAN_OPTIONS=\$ASAN_OPTIONS:symbolize=1:external_symbolizer_path=\$this_dir/llvm-symbolizer:detect_leaks=0 \ -\$this_dir/$fuzzer_package \$@" > $OUT/$fuzzer_basename - chmod +x $OUT/$fuzzer_basename + compile_python_fuzer $fuzzer done From 4d99a7f1e3f4c8384f1b239ee3747e8da80138a1 Mon Sep 17 00:00:00 2001 From: David Korczynski Date: Tue, 3 May 2022 10:05:33 +0100 Subject: [PATCH 4/4] fix typo --- projects/ecdsa-python/build.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/projects/ecdsa-python/build.sh b/projects/ecdsa-python/build.sh index 9fed50068645..7549c52397e8 100644 --- a/projects/ecdsa-python/build.sh +++ b/projects/ecdsa-python/build.sh @@ -20,5 +20,5 @@ python3 ./setup.py install # Build fuzzers for fuzzer in $(find $SRC -name 'fuzz_*.py'); do - compile_python_fuzer $fuzzer + compile_python_fuzzer $fuzzer done