I recently configured several projects to use a stable source archive of
libgmp, instead of cloning from the repository, because the certificate
gmplib.org had expired: https://github.com/google/oss-fuzz/pull/9314
gmplib.org have fixed their certificate so with this PR I'm cloning from
the repo again.
The certificate of https://gmplib.org/ has expired. The website displays
the following message:
```
YES, THE CERTIFICATE IS EXPIRED. Sorry about that. We're working on the renewal process. Unfortunately, our SSL provider changes the renewal interface each year, and it is always a challenge to figure out what to do. Now the only actions are REGENERATE (actiually not, as the cert is expired), REVOKE (well, not desirable) and INTERMEDIATE CERTIFICATE (which is not an action but a thing, oh well.
```
But this is breaking a lot of builds and this still hasn't been fixed
after a few days, so with this PR I'm instead downloading the libgmp
source archive and bypass the certificate check and manually verify the
sha256 hash of the downloaded file.
Only the `cryptofuzz` and `bignum-fuzzer` projects ideally need to use
the latest repository checkout, instead of a versioned source archive,
because with these projects the aim is to find bugs in libgmp. In all
other projects, libgmp only serves as an oracle, and using the latest
stable version is fine.
Once gmp fixes their certificate, I will revert `cryptofuzz` and
`bignum-fuzzer` to use the repository again. For now it's ok to use the
latest stable version.
Replace references to ARMmbed organisation with the new
org, Mbed-TLS, following project migration. The new home
for Mbed TLS is:
https://github.com/Mbed-TLS
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
The default branch of https://github.com/ARMmbed/mbedtls is about to
change to point to the work on the next major release (3.0). We expect
frequent API changes during that time. Switch fuzzers to run on the
stable major version of Mbed TLS (2.x) during the transition period.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* [cryptofuzz, bignum-fuzzer] Fix AFL++ builds
* [cryptofuzz, bignum-fuzzer] Don't build Golang
Because it's already part of the base image.
* [cryptofuzz, bignum-fuzzer] Retrigger CI
Update the primary contact addresss and website in the Mbed TLS
project file.
Also update the Mbed TLS cc address in the bignum-fuzzer project
file.
Signed-off-by: Dan Handley <dan.handley@arm.com>
[bignum-fuzzer] Mbed TLS no longer has an mbed-crypto submodule
Mbed TLS has gone back to being self-contained, without a separate
submodule for the cryptography part of the library. Revert the
bignum-fuzzer build scripts accordingly.
This reverts commit 54733ddc84.
* [presubmit] Enforce language attribute in projectt.yaml to be always set.
* Update documentation, better presubmit check, new project template.
* add docstring to templates.py
* Add example values in the project.yaml template and remove python value for now
* Add "project: c++" to 256 projects
* format
* Add labels and selective_unpack sections to the presubmit check
* fix incorrect auto_ccs format in three projects
* fix nss emails after rebase
* [bignum-fuzzer] Clone Mbed TLS recursively
The cryptography library of Mbed TLS has been moved to a separate
repository. It is now included into the project as a git submodule and
therefore we need to clone Mbed TLS recursively.
* [bignum-fuzzer] Use new Mbed TLS library location
The bignum module in Mbed TLS as part of the cryptography library has
been moved to a new location. This commit sets the corresponding paths
to their new values.
* [cryptofuzz] EverCrypt: Don't explicitly allow AVX instructions
Recent crashes involving EverCrypt were found to be caused by
AVX instructions in the EverCrypt library. The Makefile explicitly
allowed the use of AVX instructions via hardcoded CFLAGS. The authors
have released a new version that should resolve this problem.
* [cryptofuzz, bignum-fuzzer] Revert to default OpenSSL build method
Reverts the workaround for OpenSSL broken build script, which is
now fixed.
* [cryptofuzz] Compile with -D_GLIBCXX_DEBUG (runtime C++ UB checks)
This activates assert()s across the library that might help to detect
issues that other safeguards (sanitizers, differential testing)
aren't capable of.
Guido Vranken