/src/openssl35/fuzz/quic-rcidm.c

Source
/*
 * Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * https://www.openssl.org/source/license.html
 * or in the file LICENSE in the source distribution.
 */

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include "fuzzer.h"
#include "internal/quic_rcidm.h"
#include "internal/packet.h"

int FuzzerInitialize(int *argc, char ***argv)
{
    FuzzerSetRand();
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL);
    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
    ERR_clear_error();
    return 1;
}

/*
 * Fuzzer input "protocol":
 *   Big endian
 *   Zero or more of:
 *     RESET_WITH_ODCID                 u8(0x00) u8(cidl):cid
 *     RESET_WITHOUT_ODCID              u8(0x01)
 *       (free and reallocate)
 *     ADD_FROM_INITIAL                 u8(0x02) u8(cidl):cid
 *     ADD_FROM_SERVER_RETRY            u8(0x03) u8(cidl):cid
 *     ADD_FROM_NCID                    u8(0x04) u64(seq_num)
 *                                        u64(retire_prior_to) u8(cidl):cid
 *     ON_HANDSHAKE_COMPLETE            u8(0x05)
 *     ON_PACKET_SENT                   u8(0x06) u64(num_pkt)
 *     REQUEST_ROLL                     u8(0x07)
 *     POP_RETIRE_SEQ_NUM               u8(0x08)
 *     PEEK_RETIRE_SEQ_NUM              u8(0x09)
 *     GET_PREFERRED_TX_DCID            u8(0x0A)
 *     GET_PREFERRED_TX_DCID_CHANGED    u8(0x0B) u8(clear)
 */

enum {
    CMD_RESET_WITH_ODCID,
    CMD_RESET_WITHOUT_ODCID,
    CMD_ADD_FROM_INITIAL,
    CMD_ADD_FROM_SERVER_RETRY,
    CMD_ADD_FROM_NCID,
    CMD_ON_HANDSHAKE_COMPLETE,
    CMD_ON_PACKET_SENT,
    CMD_REQUEST_ROLL,
    CMD_POP_RETIRE_SEQ_NUM,
    CMD_PEEK_RETIRE_SEQ_NUM,
    CMD_GET_PREFERRED_TX_DCID,
    CMD_GET_PREFERRED_TX_DCID_CHANGED
};

static int get_cid(PACKET *pkt, QUIC_CONN_ID *cid)
{
    unsigned int cidl;

    if (!PACKET_get_1(pkt, &cidl)
        || cidl > QUIC_MAX_CONN_ID_LEN
        || !PACKET_copy_bytes(pkt, cid->id, cidl))
        return 0;

    cid->id_len = (unsigned char)cidl;
    return 1;
}

int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    int rc = 0;
    QUIC_RCIDM *rcidm = NULL;
    PACKET pkt;
    uint64_t seq_num_out, arg_num_pkt;
    unsigned int cmd, arg_clear;
    QUIC_CONN_ID arg_cid, cid_out;
    OSSL_QUIC_FRAME_NEW_CONN_ID ncid_frame;

    if (!PACKET_buf_init(&pkt, buf, len))
        goto err;

    if ((rcidm = ossl_quic_rcidm_new(NULL)) == NULL)
        goto err;

    while (PACKET_remaining(&pkt) > 0) {
        if (!PACKET_get_1(&pkt, &cmd))
            goto err;

        switch (cmd) {
        case CMD_RESET_WITH_ODCID:
            if (!get_cid(&pkt, &arg_cid)) {
                rc = -1;
                goto err;
            }

            ossl_quic_rcidm_free(rcidm);

            if ((rcidm = ossl_quic_rcidm_new(&arg_cid)) == NULL)
                goto err;

            break;

        case CMD_RESET_WITHOUT_ODCID:
            ossl_quic_rcidm_free(rcidm);

            if ((rcidm = ossl_quic_rcidm_new(NULL)) == NULL)
                goto err;

            break;

        case CMD_ADD_FROM_INITIAL:
            if (!get_cid(&pkt, &arg_cid)) {
                rc = -1;
                goto err;
            }

            ossl_quic_rcidm_add_from_initial(rcidm, &arg_cid);
            break;

        case CMD_ADD_FROM_SERVER_RETRY:
            if (!get_cid(&pkt, &arg_cid)) {
                rc = -1;
                goto err;
            }

            ossl_quic_rcidm_add_from_server_retry(rcidm, &arg_cid);
            break;

        case CMD_ADD_FROM_NCID:
            if (!PACKET_get_net_8(&pkt, &ncid_frame.seq_num)
                || !PACKET_get_net_8(&pkt, &ncid_frame.retire_prior_to)
                || !get_cid(&pkt, &ncid_frame.conn_id)) {
                rc = -1;
                goto err;
            }

            ossl_quic_rcidm_add_from_ncid(rcidm, &ncid_frame);
            break;

        case CMD_ON_HANDSHAKE_COMPLETE:
            ossl_quic_rcidm_on_handshake_complete(rcidm);
            break;

        case CMD_ON_PACKET_SENT:
            if (!PACKET_get_net_8(&pkt, &arg_num_pkt)) {
                rc = -1;
                goto err;
            }

            ossl_quic_rcidm_on_packet_sent(rcidm, arg_num_pkt);
            break;

        case CMD_REQUEST_ROLL:
            ossl_quic_rcidm_request_roll(rcidm);
            break;

        case CMD_POP_RETIRE_SEQ_NUM:
            ossl_quic_rcidm_pop_retire_seq_num(rcidm, &seq_num_out);
            break;

        case CMD_PEEK_RETIRE_SEQ_NUM:
            ossl_quic_rcidm_peek_retire_seq_num(rcidm, &seq_num_out);
            break;

        case CMD_GET_PREFERRED_TX_DCID:
            ossl_quic_rcidm_get_preferred_tx_dcid(rcidm, &cid_out);
            break;

        case CMD_GET_PREFERRED_TX_DCID_CHANGED:
            if (!PACKET_get_1(&pkt, &arg_clear)) {
                rc = -1;
                goto err;
            }

            ossl_quic_rcidm_get_preferred_tx_dcid_changed(rcidm, arg_clear);
            break;

        default:
            rc = -1;
            goto err;
        }
    }

err:
    ossl_quic_rcidm_free(rcidm);
    return rc;
}

void FuzzerCleanup(void)
{
    FuzzerClearRand();
}

Line	Count	Source
1		/*
2		* Copyright 2023-2024 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		* https://www.openssl.org/source/license.html
8		* or in the file LICENSE in the source distribution.
9		*/
10
11		#include <openssl/ssl.h>
12		#include <openssl/err.h>
13		#include <openssl/bio.h>
14		#include "fuzzer.h"
15		#include "internal/quic_rcidm.h"
16		#include "internal/packet.h"
17
18		int FuzzerInitialize(int argc, char **argv)
19	214	{
20	214	FuzzerSetRand();
21	214	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS \| OPENSSL_INIT_ASYNC, NULL);
22	214	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
23	214	ERR_clear_error();
24	214	return 1;
25	214	}
26
27		/*
28		* Fuzzer input "protocol":
29		* Big endian
30		* Zero or more of:
31		* RESET_WITH_ODCID u8(0x00) u8(cidl):cid
32		* RESET_WITHOUT_ODCID u8(0x01)
33		* (free and reallocate)
34		* ADD_FROM_INITIAL u8(0x02) u8(cidl):cid
35		* ADD_FROM_SERVER_RETRY u8(0x03) u8(cidl):cid
36		* ADD_FROM_NCID u8(0x04) u64(seq_num)
37		* u64(retire_prior_to) u8(cidl):cid
38		* ON_HANDSHAKE_COMPLETE u8(0x05)
39		* ON_PACKET_SENT u8(0x06) u64(num_pkt)
40		* REQUEST_ROLL u8(0x07)
41		* POP_RETIRE_SEQ_NUM u8(0x08)
42		* PEEK_RETIRE_SEQ_NUM u8(0x09)
43		* GET_PREFERRED_TX_DCID u8(0x0A)
44		* GET_PREFERRED_TX_DCID_CHANGED u8(0x0B) u8(clear)
45		*/
46
47		enum {
48		CMD_RESET_WITH_ODCID,
49		CMD_RESET_WITHOUT_ODCID,
50		CMD_ADD_FROM_INITIAL,
51		CMD_ADD_FROM_SERVER_RETRY,
52		CMD_ADD_FROM_NCID,
53		CMD_ON_HANDSHAKE_COMPLETE,
54		CMD_ON_PACKET_SENT,
55		CMD_REQUEST_ROLL,
56		CMD_POP_RETIRE_SEQ_NUM,
57		CMD_PEEK_RETIRE_SEQ_NUM,
58		CMD_GET_PREFERRED_TX_DCID,
59		CMD_GET_PREFERRED_TX_DCID_CHANGED
60		};
61
62		static int get_cid(PACKET pkt, QUIC_CONN_ID cid)
63	10.1M	{
64	10.1M	unsigned int cidl;
65
66	10.1M	if (!PACKET_get_1(pkt, &cidl)
67	10.1M	\|\| cidl > QUIC_MAX_CONN_ID_LEN
68	10.1M	\|\| !PACKET_copy_bytes(pkt, cid->id, cidl))
69	510	return 0;
70
71	10.1M	cid->id_len = (unsigned char)cidl;
72	10.1M	return 1;
73	10.1M	}
74
75		int FuzzerTestOneInput(const uint8_t *buf, size_t len)
76	11.4k	{
77	11.4k	int rc = 0;
78	11.4k	QUIC_RCIDM *rcidm = NULL;
79	11.4k	PACKET pkt;
80	11.4k	uint64_t seq_num_out, arg_num_pkt;
81	11.4k	unsigned int cmd, arg_clear;
82	11.4k	QUIC_CONN_ID arg_cid, cid_out;
83	11.4k	OSSL_QUIC_FRAME_NEW_CONN_ID ncid_frame;
84
85	11.4k	if (!PACKET_buf_init(&pkt, buf, len))
86	0	goto err;
87
88	11.4k	if ((rcidm = ossl_quic_rcidm_new(NULL)) == NULL)
89	0	goto err;
90
91	14.9M	while (PACKET_remaining(&pkt) > 0) {
92	14.9M	if (!PACKET_get_1(&pkt, &cmd))
93	0	goto err;
94
95	14.9M	switch (cmd) {
96	2.77M	case CMD_RESET_WITH_ODCID:
97	2.77M	if (!get_cid(&pkt, &arg_cid)) {
98	117	rc = -1;
99	117	goto err;
100	117	}
101
102	2.77M	ossl_quic_rcidm_free(rcidm);
103
104	2.77M	if ((rcidm = ossl_quic_rcidm_new(&arg_cid)) == NULL)
105	0	goto err;
106
107	2.77M	break;
108
109	2.77M	case CMD_RESET_WITHOUT_ODCID:
110	116k	ossl_quic_rcidm_free(rcidm);
111
112	116k	if ((rcidm = ossl_quic_rcidm_new(NULL)) == NULL)
113	0	goto err;
114
115	116k	break;
116
117	257k	case CMD_ADD_FROM_INITIAL:
118	257k	if (!get_cid(&pkt, &arg_cid)) {
119	87	rc = -1;
120	87	goto err;
121	87	}
122
123	257k	ossl_quic_rcidm_add_from_initial(rcidm, &arg_cid);
124	257k	break;
125
126	312k	case CMD_ADD_FROM_SERVER_RETRY:
127	312k	if (!get_cid(&pkt, &arg_cid)) {
128	82	rc = -1;
129	82	goto err;
130	82	}
131
132	312k	ossl_quic_rcidm_add_from_server_retry(rcidm, &arg_cid);
133	312k	break;
134
135	6.80M	case CMD_ADD_FROM_NCID:
136	6.80M	if (!PACKET_get_net_8(&pkt, &ncid_frame.seq_num)
137	6.80M	\|\| !PACKET_get_net_8(&pkt, &ncid_frame.retire_prior_to)
138	6.80M	\|\| !get_cid(&pkt, &ncid_frame.conn_id)) {
139	507	rc = -1;
140	507	goto err;
141	507	}
142
143	6.80M	ossl_quic_rcidm_add_from_ncid(rcidm, &ncid_frame);
144	6.80M	break;
145
146	504k	case CMD_ON_HANDSHAKE_COMPLETE:
147	504k	ossl_quic_rcidm_on_handshake_complete(rcidm);
148	504k	break;
149
150	794k	case CMD_ON_PACKET_SENT:
151	794k	if (!PACKET_get_net_8(&pkt, &arg_num_pkt)) {
152	54	rc = -1;
153	54	goto err;
154	54	}
155
156	794k	ossl_quic_rcidm_on_packet_sent(rcidm, arg_num_pkt);
157	794k	break;
158
159	2.81M	case CMD_REQUEST_ROLL:
160	2.81M	ossl_quic_rcidm_request_roll(rcidm);
161	2.81M	break;
162
163	86.0k	case CMD_POP_RETIRE_SEQ_NUM:
164	86.0k	ossl_quic_rcidm_pop_retire_seq_num(rcidm, &seq_num_out);
165	86.0k	break;
166
167	109k	case CMD_PEEK_RETIRE_SEQ_NUM:
168	109k	ossl_quic_rcidm_peek_retire_seq_num(rcidm, &seq_num_out);
169	109k	break;
170
171	82.9k	case CMD_GET_PREFERRED_TX_DCID:
172	82.9k	ossl_quic_rcidm_get_preferred_tx_dcid(rcidm, &cid_out);
173	82.9k	break;
174
175	303k	case CMD_GET_PREFERRED_TX_DCID_CHANGED:
176	303k	if (!PACKET_get_1(&pkt, &arg_clear)) {
177	10	rc = -1;
178	10	goto err;
179	10	}
180
181	303k	ossl_quic_rcidm_get_preferred_tx_dcid_changed(rcidm, arg_clear);
182	303k	break;
183
184	278	default:
185	278	rc = -1;
186	278	goto err;
187	14.9M	}
188	14.9M	}
189
190	11.4k	err:
191	11.4k	ossl_quic_rcidm_free(rcidm);
192	11.4k	return rc;
193	11.4k	}
194
195		void FuzzerCleanup(void)
196	0	{
197	0	FuzzerClearRand();
198	0	}

Coverage Report

Created: 2025-12-31 06:58