/src/openssl/fuzz/quic-server.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * Copyright 2025 The OpenSSL Project Authors. All Rights Reserved. |
3 | | * |
4 | | * Licensed under the Apache License 2.0 (the "License"); |
5 | | * you may not use this file except in compliance with the License. |
6 | | * You may obtain a copy of the License at |
7 | | * https://www.openssl.org/source/license.html |
8 | | * or in the file LICENSE in the source distribution. |
9 | | */ |
10 | | |
11 | | #include <openssl/ssl.h> |
12 | | #include <openssl/err.h> |
13 | | #include <openssl/bio.h> |
14 | | #include "fuzzer.h" |
15 | | #include "internal/sockets.h" |
16 | | #include "internal/time.h" |
17 | | #include "internal/quic_ssl.h" |
18 | | |
19 | | /* unused, to avoid warning. */ |
20 | | static int idx; |
21 | | |
22 | | static OSSL_TIME fake_now; |
23 | | |
24 | | static OSSL_TIME fake_now_cb(void *arg) |
25 | 0 | { |
26 | 0 | return fake_now; |
27 | 0 | } |
28 | | |
29 | | int FuzzerInitialize(int *argc, char ***argv) |
30 | 26 | { |
31 | 26 | STACK_OF(SSL_COMP) *comp_methods; |
32 | | |
33 | 26 | FuzzerSetRand(); |
34 | 26 | OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL); |
35 | 26 | OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL); |
36 | 26 | ERR_clear_error(); |
37 | 26 | CRYPTO_free_ex_index(0, -1); |
38 | 26 | idx = SSL_get_ex_data_X509_STORE_CTX_idx(); |
39 | 26 | comp_methods = SSL_COMP_get_compression_methods(); |
40 | 26 | if (comp_methods != NULL) |
41 | 26 | sk_SSL_COMP_sort(comp_methods); |
42 | | |
43 | 26 | return 1; |
44 | 26 | } |
45 | | |
46 | 158 | #define HANDSHAKING 0 |
47 | 3 | #define READING 1 |
48 | 0 | #define WRITING 2 |
49 | 0 | #define ACCEPTING_STREAM 3 |
50 | 0 | #define CREATING_STREAM 4 |
51 | 0 | #define SWAPPING_STREAM 5 |
52 | | |
53 | | /* |
54 | | * This callback validates and negotiates the desired ALPN on the server side. |
55 | | * Accept any ALPN. |
56 | | */ |
57 | | static int select_alpn(SSL *ssl, const unsigned char **out, |
58 | | unsigned char *out_len, const unsigned char *in, |
59 | | unsigned int in_len, void *arg) |
60 | 0 | { |
61 | 0 | return SSL_TLSEXT_ERR_OK; |
62 | 0 | } |
63 | | |
64 | | int FuzzerTestOneInput(const uint8_t *buf, size_t len) |
65 | 79 | { |
66 | 79 | SSL *server = NULL, *stream = NULL; |
67 | 79 | SSL *allstreams[] = {NULL, NULL, NULL, NULL}; |
68 | 79 | size_t i, thisstream = 0, numstreams = 1; |
69 | 79 | BIO *in; |
70 | 79 | BIO *out; |
71 | 79 | SSL_CTX *ctx; |
72 | 79 | struct timeval tv; |
73 | 79 | int state = HANDSHAKING; |
74 | 79 | uint8_t tmp[1024]; |
75 | 79 | int writelen = 0; |
76 | | |
77 | 79 | if (len == 0) |
78 | 0 | return 0; |
79 | | |
80 | 79 | ctx = SSL_CTX_new(OSSL_QUIC_server_method()); |
81 | 79 | if (ctx == NULL) |
82 | 0 | goto end; |
83 | | |
84 | 79 | SSL_CTX_set_alpn_select_cb(ctx, select_alpn, NULL); |
85 | | |
86 | 79 | server = SSL_new_listener(ctx, 0); |
87 | 79 | allstreams[0] = stream = server; |
88 | 79 | if (server == NULL) |
89 | 0 | goto end; |
90 | | |
91 | 79 | fake_now = ossl_ms2time(1); |
92 | 79 | if (!ossl_quic_set_override_now_cb(server, fake_now_cb, NULL)) |
93 | 0 | goto end; |
94 | | |
95 | 79 | in = BIO_new(BIO_s_dgram_mem()); |
96 | 79 | if (in == NULL) |
97 | 0 | goto end; |
98 | 79 | out = BIO_new(BIO_s_dgram_mem()); |
99 | 79 | if (out == NULL) { |
100 | 0 | BIO_free(in); |
101 | 0 | goto end; |
102 | 0 | } |
103 | 79 | if (!BIO_dgram_set_caps(out, BIO_DGRAM_CAP_HANDLES_DST_ADDR)) { |
104 | 0 | BIO_free(in); |
105 | 0 | BIO_free(out); |
106 | 0 | goto end; |
107 | 0 | } |
108 | 79 | SSL_set_bio(server, in, out); |
109 | 79 | SSL_set_accept_state(server); |
110 | | |
111 | 79 | for (;;) { |
112 | 79 | size_t size; |
113 | 79 | uint64_t nxtpktms = 0; |
114 | 79 | OSSL_TIME nxtpkt = ossl_time_zero(), nxttimeout; |
115 | 79 | int isinf, ret = 0; |
116 | | |
117 | 79 | if (len >= 2) { |
118 | 77 | if (len >= 5 && buf[0] == 0xff && buf[1] == 0xff) { |
119 | 4 | switch (buf[2]) { |
120 | 1 | case 0x00: |
121 | 1 | if (state == READING) |
122 | 0 | state = ACCEPTING_STREAM; |
123 | 1 | break; |
124 | 1 | case 0x01: |
125 | 1 | if (state == READING) |
126 | 0 | state = CREATING_STREAM; |
127 | 1 | break; |
128 | 1 | case 0x02: |
129 | 1 | if (state == READING) |
130 | 0 | state = SWAPPING_STREAM; |
131 | 1 | break; |
132 | 1 | default: |
133 | | /* ignore */ |
134 | 1 | break; |
135 | 4 | } |
136 | 4 | len -= 3; |
137 | 4 | buf += 3; |
138 | 4 | } |
139 | 77 | nxtpktms = buf[0] + (buf[1] << 8); |
140 | 77 | nxtpkt = ossl_time_add(fake_now, ossl_ms2time(nxtpktms)); |
141 | 77 | len -= 2; |
142 | 77 | buf += 2; |
143 | 77 | } |
144 | | |
145 | 79 | for (;;) { |
146 | 79 | switch (state) { |
147 | 79 | case HANDSHAKING: |
148 | 79 | ret = SSL_accept_connection(stream, 0) != NULL; |
149 | 79 | if (ret == 1) |
150 | 0 | state = READING; |
151 | 79 | break; |
152 | | |
153 | 0 | case READING: |
154 | 0 | ret = SSL_read(stream, tmp, sizeof(tmp)); |
155 | 0 | if (ret > 0) { |
156 | 0 | state = WRITING; |
157 | 0 | writelen = ret; |
158 | 0 | assert(writelen <= (int)sizeof(tmp)); |
159 | 0 | } |
160 | 0 | break; |
161 | | |
162 | 0 | case WRITING: |
163 | 0 | ret = SSL_write(stream, tmp, writelen); |
164 | 0 | if (ret > 0) |
165 | 0 | state = READING; |
166 | 0 | break; |
167 | | |
168 | 0 | case ACCEPTING_STREAM: |
169 | 0 | state = READING; |
170 | 0 | ret = 1; |
171 | 0 | if (numstreams == OSSL_NELEM(allstreams) |
172 | 0 | || SSL_get_accept_stream_queue_len(server) == 0) |
173 | 0 | break; |
174 | 0 | thisstream = numstreams; |
175 | 0 | stream = allstreams[numstreams++] = SSL_accept_stream(server, 0); |
176 | 0 | if (stream == NULL) |
177 | 0 | goto end; |
178 | 0 | break; |
179 | | |
180 | 0 | case CREATING_STREAM: |
181 | 0 | state = READING; |
182 | 0 | ret = 1; |
183 | 0 | if (numstreams == OSSL_NELEM(allstreams)) |
184 | 0 | break; |
185 | 0 | stream = SSL_new_stream(server, 0); |
186 | 0 | if (stream == NULL) { |
187 | | /* Ignore, and go back to the previous stream */ |
188 | 0 | stream = allstreams[thisstream]; |
189 | 0 | break; |
190 | 0 | } |
191 | 0 | thisstream = numstreams; |
192 | 0 | allstreams[numstreams++] = stream; |
193 | 0 | break; |
194 | | |
195 | 0 | case SWAPPING_STREAM: |
196 | 0 | state = READING; |
197 | 0 | ret = 1; |
198 | 0 | if (numstreams == 1) |
199 | 0 | break; |
200 | 0 | if (++thisstream == numstreams) |
201 | 0 | thisstream = 0; |
202 | 0 | stream = allstreams[thisstream]; |
203 | 0 | break; |
204 | 79 | } |
205 | 79 | assert(stream != NULL); |
206 | 79 | assert(thisstream < numstreams); |
207 | 79 | if (ret <= 0) { |
208 | 79 | switch (SSL_get_error(stream, ret)) { |
209 | 0 | case SSL_ERROR_WANT_READ: |
210 | 0 | case SSL_ERROR_WANT_WRITE: |
211 | 0 | break; |
212 | 79 | default: |
213 | 79 | goto end; |
214 | 79 | } |
215 | 79 | } |
216 | | |
217 | 0 | if (!SSL_get_event_timeout(server, &tv, &isinf)) |
218 | 0 | goto end; |
219 | | |
220 | 0 | if (isinf) { |
221 | 0 | fake_now = nxtpkt; |
222 | 0 | break; |
223 | 0 | } else { |
224 | 0 | nxttimeout = ossl_time_add(fake_now, |
225 | 0 | ossl_time_from_timeval(tv)); |
226 | 0 | if (len > 3 && ossl_time_compare(nxttimeout, nxtpkt) >= 0) { |
227 | 0 | fake_now = nxtpkt; |
228 | 0 | break; |
229 | 0 | } |
230 | 0 | fake_now = nxttimeout; |
231 | 0 | } |
232 | 0 | } |
233 | | |
234 | 0 | if (len <= 3) |
235 | 0 | break; |
236 | | |
237 | 0 | size = buf[0] + (buf[1] << 8); |
238 | 0 | if (size > len - 2) |
239 | 0 | break; |
240 | | |
241 | 0 | if (size > 0) |
242 | 0 | BIO_write(in, buf + 2, size); |
243 | 0 | len -= size + 2; |
244 | 0 | buf += size + 2; |
245 | 0 | } |
246 | 79 | end: |
247 | 158 | for (i = 0; i < numstreams; i++) |
248 | 79 | SSL_free(allstreams[i]); |
249 | 79 | ERR_clear_error(); |
250 | 79 | SSL_CTX_free(ctx); |
251 | | |
252 | 79 | return 0; |
253 | 79 | } |
254 | | |
255 | | void FuzzerCleanup(void) |
256 | 0 | { |
257 | 0 | FuzzerClearRand(); |
258 | 0 | } |