Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Make it harder to use fuzztarget #90

Closed
real-or-random opened this issue Jan 9, 2019 · 5 comments
Closed

Make it harder to use fuzztarget #90

real-or-random opened this issue Jan 9, 2019 · 5 comments
Assignees
@real-or-random

Comments

@real-or-random
Copy link
Collaborator

I fear that someone just enables fuzztarget (it seems undocumented) or uses all-features, and people leak their private keys... It's inconvenient but maybe we can comment out the feature in Cargo.toml (will rustc complain?), maintain a separate branch or do something else to make it harder to shoot yourself in the foot.
@TheBlueMatt
Copy link
Member

Agreed, but I'm not sure what the right answer is. Most of the point is to make it easier to run fuzzing as otherwise you have to recursively replace dependencies until you have everything running with fuzztarget enabled. I suppose at least documenting what it does is useful, maybe there is some hack with can do with requiring fuzzers set an undocumented static global setinal before the fuzztarget-mode functions will run?

@real-or-random
Copy link
Collaborator Author

maybe there is some hack with can do with requiring fuzzers set an undocumented static global setinal before the fuzztarget-mode functions will run?
This sounds reasonable.

Another idea, maybe simpler: fail the build and/or the program unless some special environment variable is set. That's kind of global, and we can use it for the build and the actual execution.

@TheBlueMatt
Copy link
Member

IRC discussion:

<BlueMatt> real_or_random: as for fuzztarget, the only obvious thing I can come up with is a #[doc_hidden]pub static REALLY_ENABLE_BROKEN_CRYPTO: bool = false; that fuzzers have to set
<BlueMatt> and then just assert it in the fuzztarget functions
<real_or_random> have you seen my latest comment?
<BlueMatt> oh, no, i hadnt
<BlueMatt> hmm, i guess we could do that, too, you mean in the build script?
<BlueMatt> I'm game with either, just as long as we can include it in the crates version and it gives a reasonable "you forgot to do X" result when you dont do it
<BlueMatt> env var in build.rs may actually generate a better error message

@real-or-random real-or-random self-assigned this Jan 9, 2019
@elichai elichai mentioned this issue Aug 23, 2019
Closed
@real-or-random
Copy link
Collaborator Author

@apoelstra You mentioned somewhere else that this issue has been solved but I don't think that's true. Or what were you referring to?

@apoelstra
Copy link
Member

Yes, it is fixed by #263

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@real-or-random real-or-random

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@TheBlueMatt @real-or-random @apoelstra