authorMatt Caswell <matt@openssl.org>2023-10-06 17:32:14 +0100
committerMatt Caswell <matt@openssl.org>2023-10-23 10:08:12 +0100
commit5415383d2c7e8ee8147eb01361f3f952ceec3761 (patch)
tree0a001d38329cb34932b26a243a5ca32c517fabba /ssl
parentee7729ed4cfcfb95a3fc0aaa184ed624f3fb7eaa (diff)
Don't encrypt/decrypt packet data during fuzzing
Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22368)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/quic/quic_record_rx.c13
-rw-r--r--ssl/quic/quic_record_tx.c5
-rw-r--r--ssl/quic/quic_wire_pkt.c5
3 files changed, 23 insertions, 0 deletions
diff --git a/ssl/quic/quic_record_rx.c b/ssl/quic/quic_record_rx.c
index 31c1f8fffd..6756ddb151 100644
--- a/ssl/quic/quic_record_rx.c
+++ b/ssl/quic/quic_record_rx.c
@@ -757,12 +757,25 @@ static int qrx_decrypt_pkt_body(OSSL_QRX *qrx, unsigned char *dst,
if (EVP_CipherUpdate(cctx, dst, &l, src, src_len - el->tag_len) != 1)
return 0;
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ /*
+ * Throw away what we just decrypted and just use the ciphertext instead
+ * (which should be unencrypted)
+ */
+ memcpy(dst, src, l);
+
+ /* Pretend to authenticate the tag but ignore it */
+ if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) {
+ /* We don't care */
+ }
+#else
/* Ensure authentication succeeded. */
if (EVP_CipherFinal_ex(cctx, NULL, &l2) != 1) {
/* Authentication failed, increment failed auth counter. */
++qrx->forged_pkt_count;
return 0;
}
+#endif
*dec_len = l;
return 1;
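Review bot: The fuzzing branch accepts every packet: the result of `EVP_CipherFinal_ex` is discarded, `forged_pkt_count` is never incremented and control falls through to `return 1`, so a library built with `FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION` has neither confidentiality nor integrity on received QUIC packets. The comment above the `memcpy` says only that the ciphertext "should be unencrypted"; I would state the consequence there, e.g. `/* FUZZING ONLY: payload is taken as plaintext and the AEAD tag is not verified; forged packets are accepted and not counted. */`. It also means the forged-packet counter path gets no coverage from a fuzzing build. Whether `dst` and `src` can alias is not visible here (qrx_decrypt_pkt_body starts above the hunk); if they can, `memmove` is the safe call.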
diff --git a/ssl/quic/quic_record_tx.c b/ssl/quic/quic_record_tx.c
index d450470366..4f86c68e17 100644
--- a/ssl/quic/quic_record_tx.c
+++ b/ssl/quic/quic_record_tx.c
@@ -543,6 +543,11 @@ static int qtx_encrypt_into_txe(OSSL_QTX *qtx, struct iovec_cur *cur, TXE *txe,
return 0;
}
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ /* Ignore what we just encrypted and overwrite it with the plaintext */
+ memcpy(txe_data(txe) + txe->data_len, src, l);
+#endif
+
assert(l > 0 && src_len == (size_t)l);
txe->data_len += src_len;
}
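Review bot: The added `memcpy` takes its length from `l` before the `assert(l > 0 && src_len == (size_t)l)` that follows, and the cast in that assert suggests `l` is a signed int that is converted to `size_t` implicitly at the call. Moving the copy below the assert and sizing it with `src_len`, as in `memcpy(txe_data(txe) + txe->data_len, src, src_len);`, keeps the length in the type the surrounding code uses and does not depend on the cipher's reported output length. The assert is compiled out under NDEBUG, so it does not bound the copy in either position. Presumably the TXE capacity check happens earlier in qtx_encrypt_into_txe, which starts outside this hunk.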
diff --git a/ssl/quic/quic_wire_pkt.c b/ssl/quic/quic_wire_pkt.c
index 136c40e7ad..acb926ad38 100644
--- a/ssl/quic/quic_wire_pkt.c
+++ b/ssl/quic/quic_wire_pkt.c
@@ -115,6 +115,11 @@ static int hdr_generate_mask(QUIC_HDR_PROTECTOR *hpr,
return 0;
}
+#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
+ /* No matter what we did above we use the same mask in fuzzing mode */
+ memset(mask, 0, 5);
+#endif
+
return 1;
}
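Review bot: `memset(mask, 0, 5)` hard-codes the mask length, and the size of the buffer behind `mask` is not visible in this hunk because hdr_generate_mask starts above it. A named constant shared with the caller would tie the two together; at minimum the line needs a comment saying where 5 comes from, e.g. `/* 5 = 1 mask byte for the first header byte + 4 for the packet number */`. The existing comment could also say that an all-zero mask turns header protection into a no-op, which is the actual effect of this branch.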