openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity

QUIC LCIDM: Add fuzzer 

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22673)
This commit is contained in:
Hugo Landau 2023-11-03 17:16:23 +00:00
parent 8489a0a1f2
commit 3d7f83ebdc
4 changed files with 235 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
fuzz/build.info
View File

@ -30,7 +30,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
ENDIF
IF[{- !$disabled{"quic"} -}]
PROGRAMS{noinst}=quic-client quic-srtm
PROGRAMS{noinst}=quic-client quic-srtm quic-lcidm
ENDIF
SOURCE[asn1]=asn1.c driver.c fuzz_rand.c
@ -101,6 +101,10 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
INCLUDE[quic-srtm]=../include {- $ex_inc -}
DEPEND[quic-srtm]=../libcrypto.a ../libssl.a {- $ex_lib -}
SOURCE[quic-lcidm]=quic-lcidm.c driver.c fuzz_rand.c
INCLUDE[quic-lcidm]=../include {- $ex_inc -}
DEPEND[quic-lcidm]=../libcrypto.a ../libssl.a {- $ex_lib -}
SOURCE[server]=server.c driver.c fuzz_rand.c
INCLUDE[server]=../include {- $ex_inc -}
DEPEND[server]=../libcrypto ../libssl {- $ex_lib -}
@ -132,7 +136,7 @@ IF[{- !$disabled{tests} -}]
ENDIF
IF[{- !$disabled{"quic"} -}]
PROGRAMS{noinst}=quic-client-test quic-srtm-test
PROGRAMS{noinst}=quic-client-test quic-srtm-test quic-lcidm-test
ENDIF
SOURCE[asn1-test]=asn1.c test-corpus.c fuzz_rand.c
@ -204,6 +208,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[quic-srtm-test]=../include
DEPEND[quic-srtm-test]=../libcrypto.a ../libssl.a
SOURCE[quic-lcidm-test]=quic-lcidm.c test-corpus.c fuzz_rand.c
INCLUDE[quic-lcidm-test]=../include
DEPEND[quic-lcidm-test]=../libcrypto.a ../libssl.a
SOURCE[server-test]=server.c test-corpus.c fuzz_rand.c
INCLUDE[server-test]=../include
DEPEND[server-test]=../libcrypto ../libssl

180
fuzz/quic-lcidm.c Normal file
View File

@ -0,0 +1,180 @@
/*
* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
* https://www.openssl.org/source/license.html
* or in the file LICENSE in the source distribution.
*/
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include "fuzzer.h"
#include "internal/quic_lcidm.h"
#include "internal/packet.h"
int FuzzerInitialize(int *argc, char ***argv)
{
FuzzerSetRand();
OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL);
OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
ERR_clear_error();
return 1;
}
/*
* Fuzzer input "protocol":
* Big endian
* u8(LCID length)
* Zero or more of:
* ENROL_ODCID u0(0x00) u64(opaque) u8(cidl):cid
* RETIRE_ODCID u8(0x01) u64(opaque)
* GENERATE_INITIAL u8(0x02) u64(opaque)
* GENERATE u8(0x03) u64(opaque)
* RETIRE u8(0x04) u64(opaque) u64(retire_prior_to)
* CULL u8(0x05) u64(opaque)
* LOOKUP u8(0x06) u8(cidl):cid
*/
enum {
CMD_ENROL_ODCID,
CMD_RETIRE_ODCID,
CMD_GENERATE_INITIAL,
CMD_GENERATE,
CMD_RETIRE,
CMD_CULL,
CMD_LOOKUP
};
static int get_cid(PACKET *pkt, QUIC_CONN_ID *cid)
{
unsigned int cidl;
if (!PACKET_get_1(pkt, &cidl)
|| cidl > QUIC_MAX_CONN_ID_LEN
|| !PACKET_copy_bytes(pkt, cid->id, cidl))
return 0;
cid->id_len = (unsigned char)cidl;
return 1;
}
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
int rc = 0;
QUIC_LCIDM *lcidm = NULL;
PACKET pkt;
uint64_t arg_opaque, arg_retire_prior_to, seq_num_out;
unsigned int cmd, lcidl;
QUIC_CONN_ID arg_cid, cid_out;
OSSL_QUIC_FRAME_NEW_CONN_ID ncid_frame;
int did_retire;
void *opaque_out;
if (!PACKET_buf_init(&pkt, buf, len))
goto err;
if (!PACKET_get_1(&pkt, &lcidl)
|| lcidl > QUIC_MAX_CONN_ID_LEN) {
rc = -1;
goto err;
}
if ((lcidm = ossl_quic_lcidm_new(NULL, lcidl)) == NULL) {
rc = -1;
goto err;
}
while (PACKET_remaining(&pkt) > 0) {
if (!PACKET_get_1(&pkt, &cmd))
goto err;
switch (cmd) {
case CMD_ENROL_ODCID:
if (!PACKET_get_net_8(&pkt, &arg_opaque)
|| !get_cid(&pkt, &arg_cid)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_enrol_odcid(lcidm, (void *)(uintptr_t)arg_opaque,
&arg_cid);
break;
case CMD_RETIRE_ODCID:
if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_retire_odcid(lcidm, (void *)(uintptr_t)arg_opaque);
break;
case CMD_GENERATE_INITIAL:
if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_generate_initial(lcidm, (void *)(uintptr_t)arg_opaque,
&cid_out);
break;
case CMD_GENERATE:
if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_generate(lcidm, (void *)(uintptr_t)arg_opaque,
&ncid_frame);
break;
case CMD_RETIRE:
if (!PACKET_get_net_8(&pkt, &arg_opaque)
|| !PACKET_get_net_8(&pkt, &arg_retire_prior_to)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_retire(lcidm, (void *)(uintptr_t)arg_opaque,
arg_retire_prior_to,
NULL, &cid_out,
&seq_num_out, &did_retire);
break;
case CMD_CULL:
if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_cull(lcidm, (void *)(uintptr_t)arg_opaque);
break;
case CMD_LOOKUP:
if (!get_cid(&pkt, &arg_cid)) {
rc = -1;
goto err;
}
ossl_quic_lcidm_lookup(lcidm, &arg_cid, &seq_num_out, &opaque_out);
break;
default:
rc = -1;
goto err;
}
}
err:
ossl_quic_lcidm_free(lcidm);
return rc;
}
void FuzzerCleanup(void)
{
FuzzerClearRand();
}

20
ssl/quic/quic_lcidm.c
View File

@ -58,6 +58,9 @@ struct quic_lcidm_st {
LHASH_OF(QUIC_LCID) *lcids; /* (QUIC_CONN_ID) -> (QUIC_LCID *) */
LHASH_OF(QUIC_LCIDM_CONN) *conns; /* (void *opaque) -> (QUIC_LCIDM_CONN *) */
size_t lcid_len; /* Length in bytes for all LCIDs */
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
QUIC_CONN_ID next_lcid;
#endif
};
static unsigned long bin_hash(const unsigned char *buf, size_t buf_len)
@ -233,6 +236,8 @@ size_t ossl_quic_lcidm_get_num_active_lcid(const QUIC_LCIDM *lcidm,
return conn->num_active_lcid;
}
#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
static int gen_rand_conn_id(OSSL_LIB_CTX *libctx, size_t len, QUIC_CONN_ID *cid)
{
if (len > QUIC_MAX_CONN_ID_LEN)
@ -249,10 +254,25 @@ static int gen_rand_conn_id(OSSL_LIB_CTX *libctx, size_t len, QUIC_CONN_ID *cid)
return 1;
}
#endif
static int lcidm_generate_cid(QUIC_LCIDM *lcidm,
QUIC_CONN_ID *cid)
{
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
int i;
lcidm->next_lcid.id_len = (unsigned char)lcidm->lcid_len;
*cid = lcidm->next_lcid;
for (i = lcidm->lcid_len - 1; i >= 0; --i)
if (++lcidm->next_lcid.id[i] != 0)
break;
return 1;
#else
return gen_rand_conn_id(lcidm->libctx, lcidm->lcid_len, cid);
#endif
}
static int lcidm_generate(QUIC_LCIDM *lcidm,

25
test/recipes/99-test_fuzz_quic_lcidm.t Normal file
View File

@ -0,0 +1,25 @@
#!/usr/bin/env perl
# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved.
#
# Licensed under the Apache License 2.0 (the "License"). You may not use
# this file except in compliance with the License. You can obtain a copy
# in the file LICENSE in the source distribution or at
# https://www.openssl.org/source/license.html
use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;
use OpenSSL::Test::Utils;
my $fuzzer = "quic-lcidm";
setup("test_fuzz_${fuzzer}");
plan skip_all => "This test requires quic support"
if disabled("quic");
plan tests => 2; # one more due to below require_ok(...)
require_ok(srctop_file('test','recipes','fuzz.pl'));
fuzz_ok($fuzzer);