diff --git a/fuzz/build.info b/fuzz/build.info index a068c2f230..de7cadc79e 100644 --- a/fuzz/build.info +++ b/fuzz/build.info @@ -95,7 +95,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}] SOURCE[quic-client]=quic-client.c driver.c fuzz_rand.c INCLUDE[quic-client]=../include {- $ex_inc -} - DEPEND[quic-client]=../libcrypto ../libssl {- $ex_lib -} + DEPEND[quic-client]=../libcrypto.a ../libssl.a {- $ex_lib -} SOURCE[server]=server.c driver.c fuzz_rand.c INCLUDE[server]=../include {- $ex_inc -} @@ -194,7 +194,7 @@ IF[{- !$disabled{tests} -}] SOURCE[quic-client-test]=quic-client.c test-corpus.c fuzz_rand.c INCLUDE[quic-client-test]=../include - DEPEND[quic-client-test]=../libcrypto ../libssl + DEPEND[quic-client-test]=../libcrypto.a ../libssl.a SOURCE[server-test]=server.c test-corpus.c fuzz_rand.c INCLUDE[server-test]=../include diff --git a/fuzz/quic-client.c b/fuzz/quic-client.c index 0d319d1c34..2dc2b3c9b2 100644 --- a/fuzz/quic-client.c +++ b/fuzz/quic-client.c @@ -13,10 +13,19 @@ #include #include "fuzzer.h" #include "internal/sockets.h" +#include "internal/time.h" +#include "internal/quic_ssl.h" /* unused, to avoid warning. */ static int idx; +static OSSL_TIME fake_now; + +static OSSL_TIME fake_now_cb(void *arg) +{ + return fake_now; +} + int FuzzerInitialize(int *argc, char ***argv) { STACK_OF(SSL_COMP) *comp_methods; @@ -42,6 +51,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) SSL_CTX *ctx; BIO_ADDR *peer_addr = NULL; struct in_addr ina = {0}; + struct timeval tv; if (len == 0) return 0; @@ -55,6 +65,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) if (client == NULL) goto end; + fake_now = ossl_ms2time(1); + if (!ossl_quic_conn_set_override_now_cb(client, fake_now_cb, NULL)) + goto end; + peer_addr = BIO_ADDR_new(); if (peer_addr == NULL) goto end; @@ -84,27 +98,30 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) if (SSL_set1_initial_peer_addr(client, peer_addr) != 1) goto end; SSL_set_connect_state(client); - while (len > 3) - { - size_t size = buf[0] + (buf[1] << 8); - if (size > len - 2) - break; + for (;;) { + size_t size; + uint64_t nxtpktms = 0; + OSSL_TIME nxtpkt = ossl_time_zero(), nxttimeout; + int isinf, ret; - if (size > 0) - BIO_write(in, buf+2, size); - len -= size + 2; - buf += size + 2; + if (len >= 2) { + nxtpktms = buf[0] + (buf[1] << 8); + nxtpkt = ossl_time_add(fake_now, ossl_ms2time(nxtpktms)); + len -= 2; + buf += 2; + } - if (SSL_do_handshake(client) == 1) { - /* - * Keep reading application data until there are no more datagrams - * to inject or a fatal error occurs - */ - uint8_t tmp[1024]; - int ret; + for (;;) { + if ((ret = SSL_do_handshake(client)) == 1) { + /* + * Keep reading application data until there are no more + * datagrams to inject or a fatal error occurs + */ + uint8_t tmp[1024]; - ret = SSL_read(client, tmp, sizeof(tmp)); + ret = SSL_read(client, tmp, sizeof(tmp)); + } if (ret <= 0) { switch (SSL_get_error(client, ret)) { case SSL_ERROR_WANT_READ: @@ -114,7 +131,35 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len) goto end; } } + + if (!SSL_get_event_timeout(client, &tv, &isinf)) + goto end; + + if (isinf) { + fake_now = nxtpkt; + break; + } else { + nxttimeout = ossl_time_add(fake_now, + ossl_time_from_timeval(tv)); + if (len > 3 && ossl_time_compare(nxttimeout, nxtpkt) >= 0) { + fake_now = nxtpkt; + break; + } + fake_now = nxttimeout; + } } + + if (len <= 3) + break; + + size = buf[0] + (buf[1] << 8); + if (size > len - 2) + break; + + if (size > 0) + BIO_write(in, buf+2, size); + len -= size + 2; + buf += size + 2; } end: SSL_free(client);