/src/openssl36/fuzz/quic-lcidm.c
/*
 * Copyright 2016-2024 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * https://www.openssl.org/source/license.html
 * or in the file LICENSE in the source distribution.
 */
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include "fuzzer.h"
#include "internal/quic_lcidm.h"
#include "internal/packet.h"
/*
 * One-time fuzzer setup, run once per process before any input is fed to
 * FuzzerTestOneInput.  Installs the fuzzer's replacement RNG via
 * FuzzerSetRand() (presumably a deterministic source so corpus replays are
 * reproducible -- see fuzzer.h), initialises libcrypto and libssl with their
 * error-string tables loaded so failures are readable, and starts from an
 * empty error queue.
 *
 * argc/argv are accepted for the fuzzer driver's interface but not used.
 * Always returns 1; the return values of the OPENSSL_init_* calls are not
 * checked here.
 */
int FuzzerInitialize(int *argc, char ***argv)
{
    /* Installed first so it is in place before any OpenSSL call below. */
    FuzzerSetRand();
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL);
    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
    ERR_clear_error();
    return 1;
}
/*
 * Fuzzer input "protocol":
 *   Big endian
 *   u8(LCID length)
 *   Zero or more of:
 *     ENROL_ODCID          u8(0x00) u64(opaque) u8(cidl):cid
 *     RETIRE_ODCID         u8(0x01) u64(opaque)
 *     GENERATE_INITIAL     u8(0x02) u64(opaque)
 *     GENERATE             u8(0x03) u64(opaque)
 *     RETIRE               u8(0x04) u64(opaque) u64(retire_prior_to)
 *     CULL                 u8(0x05) u64(opaque)
 *     LOOKUP               u8(0x06) u8(cidl):cid
 */
/*
 * Command tags of the fuzzer input protocol described above.  Each value is
 * the single u8 that introduces the command in the input stream; they are
 * spelled out explicitly because they are wire values and must not be
 * renumbered without regenerating the corpus.
 */
enum {
    CMD_ENROL_ODCID      = 0x00,
    CMD_RETIRE_ODCID     = 0x01,
    CMD_GENERATE_INITIAL = 0x02,
    CMD_GENERATE         = 0x03,
    CMD_RETIRE           = 0x04,
    CMD_CULL             = 0x05,
    CMD_LOOKUP           = 0x06
};
/*
 * Upper bound on the number of commands executed for one input.  Keeps a
 * single FuzzerTestOneInput call bounded in time and in LCIDM state growth
 * regardless of how long the input buffer is.
 */
enum { MAX_CMDS = 5000 };
/*
 * Parse a length-prefixed connection ID (u8 length followed by that many
 * bytes) from |pkt| into |cid|.
 *
 * The length is validated against QUIC_MAX_CONN_ID_LEN before anything is
 * written to cid->id, so a hostile length byte cannot drive PACKET_copy_bytes
 * past the fixed-size id buffer (presumably QUIC_MAX_CONN_ID_LEN bytes wide).
 *
 * Returns 1 on success with cid->id_len set; 0 if the length byte is missing,
 * too large, or fewer than |len| bytes remain in |pkt|.  On failure |cid| may
 * be partially written and must not be used.
 */
static int get_cid(PACKET *pkt, QUIC_CONN_ID *cid)
{
    unsigned int len;

    if (!PACKET_get_1(pkt, &len))
        return 0;

    /* Bounds check first: the copy below trusts |len|. */
    if (len > QUIC_MAX_CONN_ID_LEN)
        return 0;

    if (!PACKET_copy_bytes(pkt, cid->id, len))
        return 0;

    cid->id_len = (unsigned char)len;
    return 1;
}
/*
 * Execute one fuzzer command against |lcidm|, consuming its operands from
 * |in| according to the protocol described above.
 *
 * Returns 1 when the command byte is known and every operand was present and
 * well formed; 0 when an operand is truncated, a CID length exceeds
 * QUIC_MAX_CONN_ID_LEN (rejected by get_cid) or the command byte is unknown.
 *
 * The u64 "opaque" operand is passed to the LCIDM as a pointer-sized value.
 * This fuzzer never dereferences it; it is only an identity handle, and on
 * targets where uintptr_t is narrower than 64 bits the cast truncates it.
 *
 * The return values of the ossl_quic_lcidm_* calls are deliberately not
 * checked: the fuzzer is looking for crashes and sanitizer findings, not for
 * API-level failures, and any output parameters are discarded.
 */
static int run_cmd(QUIC_LCIDM *lcidm, PACKET *in, unsigned int cmd)
{
    uint64_t opaque, retire_prior_to, seq_num;
    QUIC_CONN_ID cid, cid_out;
    OSSL_QUIC_FRAME_NEW_CONN_ID ncid;
    void *opaque_out;
    int did_retire;

    switch (cmd) {
    case CMD_ENROL_ODCID:
        if (!PACKET_get_net_8(in, &opaque) || !get_cid(in, &cid))
            return 0;
        ossl_quic_lcidm_enrol_odcid(lcidm, (void *)(uintptr_t)opaque, &cid);
        return 1;

    case CMD_RETIRE_ODCID:
        if (!PACKET_get_net_8(in, &opaque))
            return 0;
        ossl_quic_lcidm_retire_odcid(lcidm, (void *)(uintptr_t)opaque);
        return 1;

    case CMD_GENERATE_INITIAL:
        if (!PACKET_get_net_8(in, &opaque))
            return 0;
        ossl_quic_lcidm_generate_initial(lcidm, (void *)(uintptr_t)opaque,
                                         &cid_out);
        return 1;

    case CMD_GENERATE:
        if (!PACKET_get_net_8(in, &opaque))
            return 0;
        ossl_quic_lcidm_generate(lcidm, (void *)(uintptr_t)opaque, &ncid);
        return 1;

    case CMD_RETIRE:
        if (!PACKET_get_net_8(in, &opaque)
            || !PACKET_get_net_8(in, &retire_prior_to))
            return 0;
        ossl_quic_lcidm_retire(lcidm, (void *)(uintptr_t)opaque,
                               retire_prior_to, NULL, &cid_out,
                               &seq_num, &did_retire);
        return 1;

    case CMD_CULL:
        if (!PACKET_get_net_8(in, &opaque))
            return 0;
        ossl_quic_lcidm_cull(lcidm, (void *)(uintptr_t)opaque);
        return 1;

    case CMD_LOOKUP:
        if (!get_cid(in, &cid))
            return 0;
        ossl_quic_lcidm_lookup(lcidm, &cid, &seq_num, &opaque_out);
        return 1;

    default:
        /* Unknown command byte: treat the whole input as malformed. */
        return 0;
    }
}

/*
 * Fuzzer entry point: drive a fresh QUIC_LCIDM with the command stream in
 * |buf|/|len|.
 *
 * The first byte is the local CID length the LCIDM is created with; it is
 * bounded by QUIC_MAX_CONN_ID_LEN before being handed to
 * ossl_quic_lcidm_new.  The remainder is a sequence of commands (see the
 * protocol comment and run_cmd).  At most MAX_CMDS commands are executed
 * per input so a single run stays bounded.
 *
 * Returns 0 for inputs that were processed (including ones cut short by the
 * command limit or an unreadable command byte) and -1 for inputs that are
 * malformed at the protocol level or when the LCIDM could not be created;
 * -1 is the conventional "reject this input" signal to the fuzzing engine.
 * The LCIDM is always freed before returning.
 */
int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    int rc = 0;
    QUIC_LCIDM *lcidm = NULL;
    PACKET in;
    unsigned int lcidl, cmd;
    size_t ncmds = 0;

    if (!PACKET_buf_init(&in, buf, len))
        goto err;

    /* Header: local CID length, validated before the LCIDM sees it. */
    if (!PACKET_get_1(&in, &lcidl) || lcidl > QUIC_MAX_CONN_ID_LEN) {
        rc = -1;
        goto err;
    }

    lcidm = ossl_quic_lcidm_new(NULL, lcidl);
    if (lcidm == NULL) {
        rc = -1;
        goto err;
    }

    while (PACKET_remaining(&in) > 0) {
        if (!PACKET_get_1(&in, &cmd))
            goto err;

        /* Hard cap on work per input, independent of input length. */
        if (++ncmds > MAX_CMDS)
            goto err;

        if (!run_cmd(lcidm, &in, cmd)) {
            rc = -1;
            goto err;
        }
    }

err:
    /* lcidm is still NULL if we bailed before creating it. */
    ossl_quic_lcidm_free(lcidm);
    return rc;
}
/*
 * Process-wide teardown, the counterpart of FuzzerInitialize: undoes the RNG
 * installed by FuzzerSetRand() (see fuzzer.h).  Nothing else set up in
 * FuzzerInitialize is torn down here.
 */
void FuzzerCleanup(void)
{
    FuzzerClearRand();
}