Add HTTP/3 fuzzing harness

.github/workflows/ci.yml

@@ -51,6 +51,7 @@ jobs:
  - curl_fuzzer_gopher
  - curl_fuzzer_http
  - curl_fuzzer_https
+ - curl_fuzzer_http3
  - curl_fuzzer_imap
  - curl_fuzzer_ldap
  - curl_fuzzer_mqtt

.gitignore

@@ -40,6 +40,8 @@ missing
 /curl_fuzzer_http_seed_corpus.zip
 /curl_fuzzer_https
 /curl_fuzzer_https_seed_corpus.zip
+/curl_fuzzer_http3
+/curl_fuzzer_http3_seed_corpus.zip
 /curl_fuzzer_imap
 /curl_fuzzer_imap_seed_corpus.zip
 /curl_fuzzer_ldap
@@ -62,3 +64,7 @@ missing
 /curl_fuzzer_smtp_seed_corpus.zip
 /curl_fuzzer_tftp
 /curl_fuzzer_tftp_seed_corpus.zip
+/curl_fuzzer_ws
+/curl_fuzzer_ws_seed_corpus.zip
+/fuzz_url
+/fuzz_url.zip

Makefile.am

@@ -42,6 +42,7 @@ FUZZPROGS = curl_fuzzer \
  curl_fuzzer_gopher \
  curl_fuzzer_http \
  curl_fuzzer_https \
+ curl_fuzzer_http3 \
  curl_fuzzer_imap \
  curl_fuzzer_ldap \
  curl_fuzzer_mqtt \
@@ -89,6 +90,9 @@ curl_fuzzer_http_LDADD = $(COMMON_LDADD)
 curl_fuzzer_https_SOURCES = $(COMMON_SOURCES)
 curl_fuzzer_https_CXXFLAGS = $(COMMON_FLAGS) -DFUZZ_PROTOCOLS_HTTPS
 curl_fuzzer_https_LDADD = $(COMMON_LDADD)
+curl_fuzzer_http3_SOURCES = $(COMMON_SOURCES)
+curl_fuzzer_http3_CXXFLAGS = $(COMMON_FLAGS) -DFUZZ_PROTOCOLS_HTTP3 -DFUZZ_PROTOCOLS_HTTPS
+curl_fuzzer_http3_LDADD = $(COMMON_LDADD)
 curl_fuzzer_imap_SOURCES = $(COMMON_SOURCES)
 curl_fuzzer_imap_CXXFLAGS = $(COMMON_FLAGS) -DFUZZ_PROTOCOLS_IMAP
 curl_fuzzer_imap_LDADD = $(COMMON_LDADD)

curl_fuzzer.cc

@@ -207,8 +207,10 @@ int fuzz_set_easy_options(FUZZ_DATA *fuzz)
  /* Set the hsts header cache filepath so that it can be fuzzed. */
  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_HSTS, FUZZ_HSTS_HEADER_CACHE_PATH));
 
+#ifndef FUZZ_PROTOCOLS_HTTPS
  /* Set the Certificate Revocation List file path so it can be fuzzed */
  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_CRLFILE, FUZZ_CRL_FILE_PATH));
+#endif
 
  /* Set the .netrc file path so it can be fuzzed */
  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_NETRC_FILE, FUZZ_NETRC_FILE_PATH));
@@ -571,6 +573,16 @@ int fuzz_set_allowed_protocols(FUZZ_DATA *fuzz)
 
  FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_PROTOCOLS_STR, allowed_protocols));
 
+ #ifdef FUZZ_PROTOCOLS_HTTP3
+ /* If we are fuzzing HTTP3, then we must be fuzzing the HTTPS protocol */
+ #ifndef FUZZ_PROTOCOLS_HTTPS
+ rc = 255;
+ goto EXIT_LABEL;
+ #endif
+
+ FTRY(curl_easy_setopt(fuzz->easy, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_3ONLY));
+ #endif 
+
 EXIT_LABEL:
 
  return rc;

curl_fuzzer_callback.cc

@@ -69,7 +69,14 @@ curl_socket_t fuzz_open_socket(void *ptr,
  sman->index,
  sman->index);
 
- if(socketpair(AF_UNIX, SOCK_STREAM, 0, fds)) {
+
+ #ifdef FUZZ_PROTOCOLS_HTTP3
+ const int socket_type = SOCK_DGRAM;
+ #else
+ const int socket_type = SOCK_STREAM;
+ #endif
+
+ if(socketpair(AF_UNIX, socket_type, 0, fds)) {
  /* Failed to create a pair of sockets. */
  return CURL_SOCKET_BAD;
  }

mainline.sh

@@ -8,21 +8,26 @@ SCRIPTDIR=${BUILD_ROOT}/scripts
 
 CURLDIR=/tmp/curl
 OPENSSLDIR=/tmp/openssl
-NGHTTPDIR=/tmp/nghttp2
+NGHTTP2DIR=/tmp/nghttp2
+NGHTTP3DIR=/tmp/nghttp3
+NGTCP2DIR=/tmp/ngtcp2
+OPENSLLQUICDIR=/tmp/openssl_quic
 INSTALLDIR=/tmp/curl_install
 
 # Parse the options.
 OPTIND=1
 
-while getopts "c:n:o:" opt
+while getopts "c:n:o:t:" opt
 do
  case "$opt" in
  c) CURLDIR=$OPTARG
  ;;
- n) NGHTTPDIR=$OPTARG
+ n) NGHTTP2DIR=$OPTARG
  ;;
  o) OPENSSLDIR=$OPTARG
  ;;
+ t) NGTCP2DIR=$OPTARG
+ ;;
  esac
 done
 shift $((OPTIND-1))
@@ -34,13 +39,22 @@ FUZZ_FLAG="-DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION"
 export CFLAGS="-fsanitize=address"
 export CXXFLAGS="-fsanitize=address -stdlib=libstdc++ $FUZZ_FLAG"
 export CPPFLAGS="$FUZZ_FLAG"
-export OPENSSLFLAGS="-fno-sanitize=alignment"
+export OPENSSLFLAGS="-fno-sanitize=alignment -lstdc++"
+
+# Install openssl_quic (need openssl_quic, nghttp3, and ngtcp2 for HTTP3 support)
+${SCRIPTDIR}/handle_x.sh openssl_quic ${OPENSLLQUICDIR} ${INSTALLDIR} || exit 1
 
 # Install openssl
-${SCRIPTDIR}/handle_x.sh openssl ${OPENSSLDIR} ${INSTALLDIR} || exit 1
+# ${SCRIPTDIR}/handle_x.sh openssl ${OPENSSLDIR} ${INSTALLDIR} || exit 1
 
 # Install nghttp2
-${SCRIPTDIR}/handle_x.sh nghttp2 ${NGHTTPDIR} ${INSTALLDIR} || exit 1
+${SCRIPTDIR}/handle_x.sh nghttp2 ${NGHTTP2DIR} ${INSTALLDIR} || exit 1
+
+# Install nghttp3
+${SCRIPTDIR}/handle_x.sh nghttp3 ${NGHTTP3DIR} ${INSTALLDIR} || exit 1
+
+# Install ngtcp2
+${SCRIPTDIR}/handle_x.sh ngtcp2 ${NGTCP2DIR} ${INSTALLDIR} || exit 1
 
 # Install curl after all other dependencies
 ${SCRIPTDIR}/handle_x.sh curl ${CURLDIR} ${INSTALLDIR} || exit 1

ossfuzz.sh

@@ -29,7 +29,9 @@ SCRIPTDIR=${BUILD_ROOT}/scripts
 
 ZLIBDIR=/src/zlib
 OPENSSLDIR=/src/openssl
-NGHTTPDIR=/src/nghttp2
+NGHTTP2DIR=/src/nghttp2
+NGHTTP3DIR=/src/nghttp3
+NGTCP2DIR=/src/ngtcp2
 GDBDIR=/src/gdb
 
 # Check for GDB-specific behaviour by checking for the GDBMODE flag.
@@ -74,13 +76,20 @@ ${SCRIPTDIR}/handle_x.sh zlib ${ZLIBDIR} ${INSTALLDIR} || exit 1
 # affect (see 16697, 17624)
 if [[ ${SANITIZER} != "memory" ]]
 then
- # Install openssl
+ # Install openssl_quic (need openssl_quic, nghttp3, and ngtcp2 for HTTP3 support)
  export OPENSSLFLAGS="-fno-sanitize=alignment"
- ${SCRIPTDIR}/handle_x.sh openssl ${OPENSSLDIR} ${INSTALLDIR} || exit 1
+ ${SCRIPTDIR}/handle_x.sh openssl_quic ${OPENSSLDIR} ${INSTALLDIR} || exit 1
+
+ # HTTP3 requires SSL, so we also install it here
+ # Install nghttp3
+ ${SCRIPTDIR}/handle_x.sh nghttp3 ${NGHTTP3DIR} ${INSTALLDIR} || exit 1
+
+ # Install ngtcp2
+ ${SCRIPTDIR}/handle_x.sh ngtcp2 ${NGTCP2DIR} ${INSTALLDIR} || exit 1
 fi
 
 # Install nghttp2
-${SCRIPTDIR}/handle_x.sh nghttp2 ${NGHTTPDIR} ${INSTALLDIR} || exit 1
+${SCRIPTDIR}/handle_x.sh nghttp2 ${NGHTTP2DIR} ${INSTALLDIR} || exit 1
 
 # Compile curl
 ${SCRIPTDIR}/install_curl.sh /src/curl ${INSTALLDIR}

scripts/download_nghttp3.sh

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+# If any commands fail, fail the script immediately.
+set -ex
+
+git clone --depth 1 --branch v1.1.0 https://github.com/ngtcp2/nghttp3 $1

scripts/download_ngtcp2.sh

@@ -0,0 +1,88 @@
+#!/bin/bash
+
+# If any commands fail, fail the script immediately.
+set -ex
+
+# Clone the repository to the specified directory.
+git clone --depth 1 --branch v1.1.0 https://github.com/ngtcp2/ngtcp2 $1
+
+# Teach ngtcp2 about sockets
+pushd $1
+patch -p1 <<'EOF'
+From 52690d08112ccd9a5c01b5991735bf3f8e5121b0 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Emilio=20L=C3=B3pez?= <[email protected]>
+Date: Sat, 16 Dec 2023 21:33:17 +0000
+Subject: [PATCH] Teach ngtcp2 about sockets
+
+---
+ crypto/shared.c | 4 ++++
+ lib/includes/ngtcp2/ngtcp2.h | 5 +++++
+ lib/ngtcp2_addr.c | 8 ++++++++
+ 3 files changed, 17 insertions(+)
+
+diff --git a/crypto/shared.c b/crypto/shared.c
+index 162094a3..08c9ed44 100644
+--- a/crypto/shared.c
++++ b/crypto/shared.c
+@@ -1096,6 +1096,10 @@ static size_t crypto_generate_regular_token_aad(uint8_t *dest,
+ (const uint8_t *)&((const ngtcp2_sockaddr_in6 *)(void *)sa)->sin6_addr;
+ addrlen = sizeof(((const ngtcp2_sockaddr_in6 *)(void *)sa)->sin6_addr);
+ break;
++ case NGTCP2_AF_UNIX:
++ addr = NULL;
++ addrlen = 0;
++ break;
+ default:
+ assert(0);
+ abort();
+diff --git a/lib/includes/ngtcp2/ngtcp2.h b/lib/includes/ngtcp2/ngtcp2.h
+index a8d4b4af..63958e4c 100644
+--- a/lib/includes/ngtcp2/ngtcp2.h
++++ b/lib/includes/ngtcp2/ngtcp2.h
+@@ -1235,6 +1235,10 @@ typedef struct ngtcp2_pkt_stateless_reset {
+ # error NGTCP2_AF_INET6 must be defined
+ # endif /* !NGTCP2_AF_INET6 */
+
++# ifndef NGTCP2_AF_UNIX
++# error NGTCP2_AF_UNIX must be defined
++# endif /* !NGTCP2_AF_UNIX */
++
+ typedef unsigned short int ngtcp2_sa_family;
+ typedef uint16_t ngtcp2_in_port;
+
+@@ -1270,6 +1274,7 @@ typedef uint32_t ngtcp2_socklen;
+ #else /* !NGTCP2_USE_GENERIC_SOCKADDR */
+ # define NGTCP2_AF_INET AF_INET
+ # define NGTCP2_AF_INET6 AF_INET6
++# define NGTCP2_AF_UNIX AF_UNIX
+
+ /**
+ * @typedef
+diff --git a/lib/ngtcp2_addr.c b/lib/ngtcp2_addr.c
+index f389abe7..26b57f3d 100644
+--- a/lib/ngtcp2_addr.c
++++ b/lib/ngtcp2_addr.c
+@@ -67,6 +67,10 @@ static int sockaddr_eq(const ngtcp2_sockaddr *a, const ngtcp2_sockaddr *b) {
+ return ai->sin6_port == bi->sin6_port &&
+ memcmp(&ai->sin6_addr, &bi->sin6_addr, sizeof(ai->sin6_addr)) == 0;
+ }
++ case NGTCP2_AF_UNIX: {
++ // TODO: see what makes sense here
++ return 1;
++ }
+ default:
+ ngtcp2_unreachable();
+ }
+@@ -109,6 +113,10 @@ uint32_t ngtcp2_addr_compare(const ngtcp2_addr *aa, const ngtcp2_addr *bb) {
+ }
+ return flags;
+ }
++ case NGTCP2_AF_UNIX: {
++ // TODO: see what makes sense here?
++ return 0;
++ }
+ default:
+ ngtcp2_unreachable();
+ }
+EOF
+popd

scripts/download_openssl_quic.sh

@@ -0,0 +1,7 @@
+#!/bin/bash
+
+# If any commands fail, fail the script immediately.
+set -ex
+
+# Clone the curl repository to the specified directory.
+git clone --depth 1 -b openssl-3.1.4+quic https://github.com/quictls/openssl $1

scripts/fuzz_targets

@@ -1,3 +1,3 @@
 #!/bin/bash
 
-export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url"
+export FUZZ_TARGETS="curl_fuzzer_dict curl_fuzzer_file curl_fuzzer_ftp curl_fuzzer_gopher curl_fuzzer_http curl_fuzzer_https curl_fuzzer_http3 curl_fuzzer_imap curl_fuzzer_ldap curl_fuzzer_mqtt curl_fuzzer_pop3 curl_fuzzer_rtmp curl_fuzzer_rtsp curl_fuzzer_scp curl_fuzzer_sftp curl_fuzzer_smb curl_fuzzer_smtp curl_fuzzer_tftp curl_fuzzer_ws curl_fuzzer fuzz_url"

scripts/install_curl.sh

@@ -45,16 +45,39 @@ fi
 
 pushd ${SRCDIR}
 
+# TODO: Ignore HTTP3 socket connection failures
+pushd $1
+patch -p1 <<'EOF'
+diff --git a/lib/cf-socket.c b/lib/cf-socket.c
+index e42b4a87b..f99fcd80c 100644
+--- a/lib/cf-socket.c
++++ b/lib/cf-socket.c
+@@ -1650,7 +1650,7 @@ static CURLcode cf_udp_setup_quic(struct Curl_cfilter *cf,
+
+ rc = connect(ctx->sock, &ctx->addr.sa_addr, ctx->addr.addrlen);
+ if(-1 == rc) {
+- return socket_connect_result(data, ctx->r_ip, SOCKERRNO);
++ /* return socket_connect_result(data, ctx->r_ip, SOCKERRNO); */
+ }
+ set_local_ip(cf, data);
+ CURL_TRC_CF(data, cf, "%s socket %" CURL_FORMAT_SOCKET_T
+EOF
+popd
+
 # Build the library.
 ./buildconf
-./configure --prefix=${INSTALLDIR} \
+./configure PKG_CONFIG_PATH=${INSTALLDIR}/lib/pkgconfig \
+ --prefix=${INSTALLDIR} \
  --disable-shared \
  --enable-debug \
  --enable-maintainer-mode \
  --disable-symbol-hiding \
  --enable-ipv6 \
  --enable-websockets \
  --with-random=/dev/null \
+ --with-openssl \
+ --with-nghttp3 \
+ --with-ngtcp2 \
  ${SSLOPTION} \
  ${NGHTTPOPTION} \
  ${CODE_COVERAGE_OPTION}

scripts/install_nghttp3.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+
+# If any commands fail, fail the script immediately.
+set -ex
+
+SRCDIR=$1
+INSTALLDIR=$2
+
+if [[ ! -d ${INSTALLDIR} ]]
+then
+ # Make an install target directory.
+ mkdir ${INSTALLDIR}
+fi
+
+pushd ${SRCDIR}
+
+# Build the library.
+autoreconf -fi
+./configure --prefix=${INSTALLDIR} \
+ --disable-shared \
+ --enable-static \
+ --disable-threads \
+ --enable-lib-only
+
+make
+make install

scripts/install_ngtcp2.sh

@@ -0,0 +1,29 @@
+#!/bin/bash
+
+# If any commands fail, fail the script immediately.
+set -ex
+
+SRCDIR=$1
+INSTALLDIR=$2
+
+if [[ ! -d ${INSTALLDIR} ]]
+then
+ # Make an install target directory.
+ mkdir ${INSTALLDIR}
+fi
+
+pushd ${SRCDIR}
+
+autoreconf -fi
+./configure PKG_CONFIG_PATH=${INSTALLDIR}/lib/pkgconfig \
+ LDFLAGS="-Wl,-rpath,${INSTALLDIR}" \
+ --prefix=${INSTALLDIR} \
+ --disable-shared \
+ --enable-static \
+ --disable-threads \
+ --enable-lib-only \
+ --with-openssl \
+
+
+make
+make install

scripts/install_openssl_quic.sh

@@ -0,0 +1,10 @@
+
+#!/bin/bash
+
+# If any commands fail, fail the script immediately.
+set -ex
+
+SRCDIR=$1
+INSTALLDIR=$2
+
+$(dirname "$0")/install_openssl.sh $SRCDIR $INSTALLDIR