This directory contains code and test data for fuzz testing picotls with LLVM's LibFuzzer.
To build the fuzz test drivers (AKA “fuzz targets”), pass -DBUILD_FUZZER=ON to cmake. This this will instrument the binary and build fuzz targets. Note that you must have a version of LLVM Clang installed that supports LibFuzzer in order for this build to succeed.
There are seed test corpuses for some fuzz targets included. They are stored in the fuzz directory in a subdirectory corresponding to the fuzz target binary name. See the LibFuzzer docs for more information on using seed test corpuses.
This project welcomes seed files that exercise new paths in the target programs. Before submitting new seed files, please ensure they add coverage to the existing corpus via the driver -merge flag. For example:
$ ./fuzz-client-hello-merge=1 ./fuzz/fuzz-client-hello-corpus ./fuzz/my-new-seeds
See the LibFuzzer docs for more information on minimizing test corpuses.
You will likely want to tailor fuzzer options to your execution environment, but here is a basic example of running a fuzzer:
./fuzz-client-hello fuzz/fuzz-client-hello-corpus