Teach the quic-client fuzzer about time

We allow the fuzzer to influence the time between different packets using the fake time capability. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22368)
author: Matt Caswell <matt@openssl.org> 2023-10-16 13:10:33 +0100
committer: Matt Caswell <matt@openssl.org> 2023-10-23 10:08:22 +0100
commit: 9252efdb8d1b21ef05aedef2cc40eee46dd72b96 (patch)
tree: 1c75d9e0fd02fb521b49ab0f93a7652aa90f05de /fuzz
parent: d8a4451fa76c83ba08b42b38848ba9705fbe71a2 (diff)
2 files changed, 65 insertions, 20 deletions
diff --git a/fuzz/build.info b/fuzz/build.info
index a068c2f230..de7cadc79e 100644
--- a/fuzz/build.info
+++ b/fuzz/build.info
@@ -95,7 +95,7 @@ IF[{- !$disabled{"fuzz-afl"} || !$disabled{"fuzz-libfuzzer"} -}]
 
   SOURCE[quic-client]=quic-client.c driver.c fuzz_rand.c
   INCLUDE[quic-client]=../include {- $ex_inc -}
-  DEPEND[quic-client]=../libcrypto ../libssl {- $ex_lib -}
+  DEPEND[quic-client]=../libcrypto.a ../libssl.a {- $ex_lib -}
 
   SOURCE[server]=server.c driver.c fuzz_rand.c
   INCLUDE[server]=../include {- $ex_inc -}
@@ -194,7 +194,7 @@ IF[{- !$disabled{tests} -}]
 
   SOURCE[quic-client-test]=quic-client.c test-corpus.c fuzz_rand.c
   INCLUDE[quic-client-test]=../include
-  DEPEND[quic-client-test]=../libcrypto ../libssl
+  DEPEND[quic-client-test]=../libcrypto.a ../libssl.a
 
   SOURCE[server-test]=server.c test-corpus.c fuzz_rand.c
   INCLUDE[server-test]=../include
diff --git a/fuzz/quic-client.c b/fuzz/quic-client.c
index 0d319d1c34..2dc2b3c9b2 100644
--- a/fuzz/quic-client.c
+++ b/fuzz/quic-client.c
@@ -13,10 +13,19 @@
 #include <openssl/bio.h>
 #include "fuzzer.h"
 #include "internal/sockets.h"
+#include "internal/time.h"
+#include "internal/quic_ssl.h"
 
 /* unused, to avoid warning. */
 static int idx;
 
+static OSSL_TIME fake_now;
+
+static OSSL_TIME fake_now_cb(void *arg)
+{
+    return fake_now;
+}
+
 int FuzzerInitialize(int *argc, char ***argv)
 {
     STACK_OF(SSL_COMP) *comp_methods;
@@ -42,6 +51,7 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     SSL_CTX *ctx;
     BIO_ADDR *peer_addr = NULL;
     struct in_addr ina = {0};
+    struct timeval tv;
 
     if (len == 0)
         return 0;
@@ -55,6 +65,10 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     if (client == NULL)
         goto end;
 
+    fake_now = ossl_ms2time(1);
+    if (!ossl_quic_conn_set_override_now_cb(client, fake_now_cb, NULL))
+        goto end;
+
     peer_addr = BIO_ADDR_new();
     if (peer_addr == NULL)
         goto end;
@@ -84,27 +98,30 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
     if (SSL_set1_initial_peer_addr(client, peer_addr) != 1)
         goto end;
     SSL_set_connect_state(client);
-    while (len > 3)
-    {
-        size_t size = buf[0] + (buf[1] << 8);
 
-        if (size > len - 2)
-            break;
-
-        if (size > 0)
-            BIO_write(in, buf+2, size);
-        len -= size + 2;
-        buf += size + 2;
+    for (;;) {
+        size_t size;
+        uint64_t nxtpktms = 0;
+        OSSL_TIME nxtpkt = ossl_time_zero(), nxttimeout;
+        int isinf, ret;
+
+        if (len >= 2) {
+            nxtpktms = buf[0] + (buf[1] << 8);
+            nxtpkt = ossl_time_add(fake_now, ossl_ms2time(nxtpktms));
+            len -= 2;
+            buf += 2;
+        }
 
-        if (SSL_do_handshake(client) == 1) {
-            /*
-             * Keep reading application data until there are no more datagrams
-             * to inject or a fatal error occurs
-             */
-            uint8_t tmp[1024];
-            int ret;
+        for (;;) {
+            if ((ret = SSL_do_handshake(client)) == 1) {
+                /*
+                * Keep reading application data until there are no more
+                * datagrams to inject or a fatal error occurs
+                */
+                uint8_t tmp[1024];
 
-            ret = SSL_read(client, tmp, sizeof(tmp));
+                ret = SSL_read(client, tmp, sizeof(tmp));
+            }
             if (ret <= 0) {
                 switch (SSL_get_error(client, ret)) {
                 case SSL_ERROR_WANT_READ:
@@ -114,7 +131,35 @@ int FuzzerTestOneInput(const uint8_t *buf, size_t len)
                     goto end;
                 }
             }
+
+            if (!SSL_get_event_timeout(client, &tv, &isinf))
+                goto end;
+
+            if (isinf) {
+                fake_now = nxtpkt;
+                break;
+            } else {
+                nxttimeout = ossl_time_add(fake_now,
+                                           ossl_time_from_timeval(tv));
+                if (len > 3 && ossl_time_compare(nxttimeout, nxtpkt) >= 0) {
+                    fake_now = nxtpkt;
+                    break;
+                }
+                fake_now = nxttimeout;
+            }
         }
+
+        if (len <= 3)
+            break;
+
+        size = buf[0] + (buf[1] << 8);
+        if (size > len - 2)
+            break;
+
+        if (size > 0)
+            BIO_write(in, buf+2, size);
+        len -= size + 2;
+        buf += size + 2;
     }
  end:
     SSL_free(client);
author	Matt Caswell <matt@openssl.org>	2023-10-16 13:10:33 +0100
committer	Matt Caswell <matt@openssl.org>	2023-10-23 10:08:22 +0100
commit	9252efdb8d1b21ef05aedef2cc40eee46dd72b96 (patch)
tree	1c75d9e0fd02fb521b49ab0f93a7652aa90f05de /fuzz
parent	d8a4451fa76c83ba08b42b38848ba9705fbe71a2 (diff)