/src/openssl33/fuzz/quic-lcidm.c

Source
/*
 * Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the Apache License 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 * https://www.openssl.org/source/license.html
 * or in the file LICENSE in the source distribution.
 */

#include <openssl/ssl.h>
#include <openssl/err.h>
#include <openssl/bio.h>
#include "fuzzer.h"
#include "internal/quic_lcidm.h"
#include "internal/packet.h"

int FuzzerInitialize(int *argc, char ***argv)
{
    FuzzerSetRand();
    OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS | OPENSSL_INIT_ASYNC, NULL);
    OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
    ERR_clear_error();
    return 1;
}

/*
 * Fuzzer input "protocol":
 *   Big endian
 *   u8(LCID length)
 *   Zero or more of:
 *     ENROL_ODCID          u0(0x00) u64(opaque) u8(cidl):cid
 *     RETIRE_ODCID         u8(0x01) u64(opaque)
 *     GENERATE_INITIAL     u8(0x02) u64(opaque)
 *     GENERATE             u8(0x03) u64(opaque)
 *     RETIRE               u8(0x04) u64(opaque) u64(retire_prior_to)
 *     CULL                 u8(0x05) u64(opaque)
 *     LOOKUP               u8(0x06) u8(cidl):cid
 */

enum {
    CMD_ENROL_ODCID,
    CMD_RETIRE_ODCID,
    CMD_GENERATE_INITIAL,
    CMD_GENERATE,
    CMD_RETIRE,
    CMD_CULL,
    CMD_LOOKUP
};

static int get_cid(PACKET *pkt, QUIC_CONN_ID *cid)
{
    unsigned int cidl;

    if (!PACKET_get_1(pkt, &cidl)
        || cidl > QUIC_MAX_CONN_ID_LEN
        || !PACKET_copy_bytes(pkt, cid->id, cidl))
        return 0;

    cid->id_len = (unsigned char)cidl;
    return 1;
}

int FuzzerTestOneInput(const uint8_t *buf, size_t len)
{
    int rc = 0;
    QUIC_LCIDM *lcidm = NULL;
    PACKET pkt;
    uint64_t arg_opaque, arg_retire_prior_to, seq_num_out;
    unsigned int cmd, lcidl;
    QUIC_CONN_ID arg_cid, cid_out;
    OSSL_QUIC_FRAME_NEW_CONN_ID ncid_frame;
    int did_retire;
    void *opaque_out;

    if (!PACKET_buf_init(&pkt, buf, len))
        goto err;

    if (!PACKET_get_1(&pkt, &lcidl)
        || lcidl > QUIC_MAX_CONN_ID_LEN) {
        rc = -1;
        goto err;
    }

    if ((lcidm = ossl_quic_lcidm_new(NULL, lcidl)) == NULL) {
        rc = -1;
        goto err;
    }

    while (PACKET_remaining(&pkt) > 0) {
        if (!PACKET_get_1(&pkt, &cmd))
            goto err;

        switch (cmd) {
        case CMD_ENROL_ODCID:
            if (!PACKET_get_net_8(&pkt, &arg_opaque)
                || !get_cid(&pkt, &arg_cid)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_enrol_odcid(lcidm, (void *)(uintptr_t)arg_opaque,
                &arg_cid);
            break;

        case CMD_RETIRE_ODCID:
            if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_retire_odcid(lcidm, (void *)(uintptr_t)arg_opaque);
            break;

        case CMD_GENERATE_INITIAL:
            if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_generate_initial(lcidm, (void *)(uintptr_t)arg_opaque,
                &cid_out);
            break;

        case CMD_GENERATE:
            if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_generate(lcidm, (void *)(uintptr_t)arg_opaque,
                &ncid_frame);
            break;

        case CMD_RETIRE:
            if (!PACKET_get_net_8(&pkt, &arg_opaque)
                || !PACKET_get_net_8(&pkt, &arg_retire_prior_to)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_retire(lcidm, (void *)(uintptr_t)arg_opaque,
                arg_retire_prior_to,
                NULL, &cid_out,
                &seq_num_out, &did_retire);
            break;

        case CMD_CULL:
            if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_cull(lcidm, (void *)(uintptr_t)arg_opaque);
            break;

        case CMD_LOOKUP:
            if (!get_cid(&pkt, &arg_cid)) {
                rc = -1;
                goto err;
            }

            ossl_quic_lcidm_lookup(lcidm, &arg_cid, &seq_num_out, &opaque_out);
            break;

        default:
            rc = -1;
            goto err;
        }
    }

err:
    ossl_quic_lcidm_free(lcidm);
    return rc;
}

void FuzzerCleanup(void)
{
    FuzzerClearRand();
}

Line	Count	Source
1		/*
2		* Copyright 2016-2022 The OpenSSL Project Authors. All Rights Reserved.
3		*
4		* Licensed under the Apache License 2.0 (the "License");
5		* you may not use this file except in compliance with the License.
6		* You may obtain a copy of the License at
7		* https://www.openssl.org/source/license.html
8		* or in the file LICENSE in the source distribution.
9		*/
10
11		#include <openssl/ssl.h>
12		#include <openssl/err.h>
13		#include <openssl/bio.h>
14		#include "fuzzer.h"
15		#include "internal/quic_lcidm.h"
16		#include "internal/packet.h"
17
18		int FuzzerInitialize(int argc, char **argv)
19	216	{
20	216	FuzzerSetRand();
21	216	OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CRYPTO_STRINGS \| OPENSSL_INIT_ASYNC, NULL);
22	216	OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL);
23	216	ERR_clear_error();
24	216	return 1;
25	216	}
26
27		/*
28		* Fuzzer input "protocol":
29		* Big endian
30		* u8(LCID length)
31		* Zero or more of:
32		* ENROL_ODCID u0(0x00) u64(opaque) u8(cidl):cid
33		* RETIRE_ODCID u8(0x01) u64(opaque)
34		* GENERATE_INITIAL u8(0x02) u64(opaque)
35		* GENERATE u8(0x03) u64(opaque)
36		* RETIRE u8(0x04) u64(opaque) u64(retire_prior_to)
37		* CULL u8(0x05) u64(opaque)
38		* LOOKUP u8(0x06) u8(cidl):cid
39		*/
40
41		enum {
42		CMD_ENROL_ODCID,
43		CMD_RETIRE_ODCID,
44		CMD_GENERATE_INITIAL,
45		CMD_GENERATE,
46		CMD_RETIRE,
47		CMD_CULL,
48		CMD_LOOKUP
49		};
50
51		static int get_cid(PACKET pkt, QUIC_CONN_ID cid)
52	1.12M	{
53	1.12M	unsigned int cidl;
54
55	1.12M	if (!PACKET_get_1(pkt, &cidl)
56	1.12M	\|\| cidl > QUIC_MAX_CONN_ID_LEN
57	1.12M	\|\| !PACKET_copy_bytes(pkt, cid->id, cidl))
58	358	return 0;
59
60	1.12M	cid->id_len = (unsigned char)cidl;
61	1.12M	return 1;
62	1.12M	}
63
64		int FuzzerTestOneInput(const uint8_t *buf, size_t len)
65	1.32k	{
66	1.32k	int rc = 0;
67	1.32k	QUIC_LCIDM *lcidm = NULL;
68	1.32k	PACKET pkt;
69	1.32k	uint64_t arg_opaque, arg_retire_prior_to, seq_num_out;
70	1.32k	unsigned int cmd, lcidl;
71	1.32k	QUIC_CONN_ID arg_cid, cid_out;
72	1.32k	OSSL_QUIC_FRAME_NEW_CONN_ID ncid_frame;
73	1.32k	int did_retire;
74	1.32k	void *opaque_out;
75
76	1.32k	if (!PACKET_buf_init(&pkt, buf, len))
77	0	goto err;
78
79	1.32k	if (!PACKET_get_1(&pkt, &lcidl)
80	1.32k	\|\| lcidl > QUIC_MAX_CONN_ID_LEN) {
81	3	rc = -1;
82	3	goto err;
83	3	}
84
85	1.31k	if ((lcidm = ossl_quic_lcidm_new(NULL, lcidl)) == NULL) {
86	0	rc = -1;
87	0	goto err;
88	0	}
89
90	2.39M	while (PACKET_remaining(&pkt) > 0) {
91	2.39M	if (!PACKET_get_1(&pkt, &cmd))
92	0	goto err;
93
94	2.39M	switch (cmd) {
95	198k	case CMD_ENROL_ODCID:
96	198k	if (!PACKET_get_net_8(&pkt, &arg_opaque)
97	198k	\|\| !get_cid(&pkt, &arg_cid)) {
98	67	rc = -1;
99	67	goto err;
100	67	}
101
102	198k	ossl_quic_lcidm_enrol_odcid(lcidm, (void *)(uintptr_t)arg_opaque,
103	198k	&arg_cid);
104	198k	break;
105
106	11.5k	case CMD_RETIRE_ODCID:
107	11.5k	if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
108	1	rc = -1;
109	1	goto err;
110	1	}
111
112	11.5k	ossl_quic_lcidm_retire_odcid(lcidm, (void *)(uintptr_t)arg_opaque);
113	11.5k	break;
114
115	62.8k	case CMD_GENERATE_INITIAL:
116	62.8k	if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
117	12	rc = -1;
118	12	goto err;
119	12	}
120
121	62.8k	ossl_quic_lcidm_generate_initial(lcidm, (void *)(uintptr_t)arg_opaque,
122	62.8k	&cid_out);
123	62.8k	break;
124
125	2.03M	case CMD_GENERATE:
126	2.03M	if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
127	46	rc = -1;
128	46	goto err;
129	46	}
130
131	2.03M	ossl_quic_lcidm_generate(lcidm, (void *)(uintptr_t)arg_opaque,
132	2.03M	&ncid_frame);
133	2.03M	break;
134
135	27.2k	case CMD_RETIRE:
136	27.2k	if (!PACKET_get_net_8(&pkt, &arg_opaque)
137	27.2k	\|\| !PACKET_get_net_8(&pkt, &arg_retire_prior_to)) {
138	20	rc = -1;
139	20	goto err;
140	20	}
141
142	27.2k	ossl_quic_lcidm_retire(lcidm, (void *)(uintptr_t)arg_opaque,
143	27.2k	arg_retire_prior_to,
144	27.2k	NULL, &cid_out,
145	27.2k	&seq_num_out, &did_retire);
146	27.2k	break;
147
148	34.1k	case CMD_CULL:
149	34.1k	if (!PACKET_get_net_8(&pkt, &arg_opaque)) {
150	9	rc = -1;
151	9	goto err;
152	9	}
153
154	34.1k	ossl_quic_lcidm_cull(lcidm, (void *)(uintptr_t)arg_opaque);
155	34.1k	break;
156
157	20.8k	case CMD_LOOKUP:
158	20.8k	if (!get_cid(&pkt, &arg_cid)) {
159	23	rc = -1;
160	23	goto err;
161	23	}
162
163	20.8k	ossl_quic_lcidm_lookup(lcidm, &arg_cid, &seq_num_out, &opaque_out);
164	20.8k	break;
165
166	108	default:
167	108	rc = -1;
168	108	goto err;
169	2.39M	}
170	2.39M	}
171
172	1.32k	err:
173	1.32k	ossl_quic_lcidm_free(lcidm);
174	1.32k	return rc;
175	1.31k	}
176
177		void FuzzerCleanup(void)
178	0	{
179	0	FuzzerClearRand();
180	0	}

Coverage Report

Created: 2026-04-01 06:39