fix: Unbreak the fuzzer more (#2552)

larseggert · web-flow · commit 7d409244a96b · 2025-04-02T15:09:32.000+03:00
* fix: Link `freebl_static` on static link

* More static

* Less

* More

* pk11wrap

* More

* sqlite3

* sqlite

* More

* More

* Finalize

* Debug Windows

* Fix

* Minimize
diff --git a/fuzz/fuzz_targets/client_initial.rs b/fuzz/fuzz_targets/client_initial.rs
@@ -6,17 +6,16 @@ use libfuzzer_sys::fuzz_target;
 #[cfg(all(fuzzing, not(windows)))]
 fuzz_target!(|data: &[u8]| {
     use neqo_common::{Datagram, Encoder, Role};
-    use neqo_transport::{packet::MIN_INITIAL_PACKET_SIZE, Version};
+    use neqo_transport::{packet::MIN_INITIAL_PACKET_SIZE, ConnectionParameters, Version};
     use test_fixture::{
-        default_client, default_server,
         header_protection::{
             apply_header_protection, decode_initial_header, initial_aead_and_hp,
             remove_header_protection,
         },
-        now,
+        new_client, new_server, now, DEFAULT_ALPN,
     };
 
-    let mut client = default_client();
+    let mut client = new_client(ConnectionParameters::default().mlkem(false));
     let ci = client.process_output(now()).dgram().expect("a datagram");
     let Some((header, d_cid, s_cid, payload)) = decode_initial_header(&ci, Role::Client) else {
         return;
@@ -59,7 +58,7 @@ fuzz_target!(|data: &[u8]| {
     );
     let fuzzed_ci = Datagram::new(ci.source(), ci.destination(), ci.tos(), ciphertext);
 
-    let mut server = default_server();
+    let mut server = new_server(DEFAULT_ALPN, ConnectionParameters::default().mlkem(false));
     let _response = server.process(Some(fuzzed_ci), now());
 });
 
diff --git a/fuzz/fuzz_targets/server_initial.rs b/fuzz/fuzz_targets/server_initial.rs
@@ -6,19 +6,18 @@ use libfuzzer_sys::fuzz_target;
 #[cfg(all(fuzzing, not(windows)))]
 fuzz_target!(|data: &[u8]| {
     use neqo_common::{Datagram, Encoder, Role};
-    use neqo_transport::{packet::MIN_INITIAL_PACKET_SIZE, Version};
+    use neqo_transport::{packet::MIN_INITIAL_PACKET_SIZE, ConnectionParameters, Version};
     use test_fixture::{
-        default_client, default_server,
         header_protection::{
             apply_header_protection, decode_initial_header, initial_aead_and_hp,
             remove_header_protection,
         },
-        now,
+        new_client, new_server, now, DEFAULT_ALPN,
     };
 
-    let mut client = default_client();
+    let mut client = new_client(ConnectionParameters::default().mlkem(false));
     let ci = client.process_output(now()).dgram().expect("a datagram");
-    let mut server = default_server();
+    let mut server = new_server(DEFAULT_ALPN, ConnectionParameters::default().mlkem(false));
     let si = server.process(Some(ci), now()).dgram().expect("a datagram");
 
     let Some((header, d_cid, s_cid, payload)) = decode_initial_header(&si, Role::Server) else {
diff --git a/neqo-crypto/build.rs b/neqo-crypto/build.rs
@@ -149,11 +149,11 @@ fn dynamic_link() {
 }
 
 fn static_link() {
-    let static_libs = [
+    let mut static_libs = vec![
         "certdb",
         "certhi",
         "cryptohi",
-        "freebl",
+        "freebl_static",
         if env::consts::OS == "windows" {
             "libnspr4"
         } else {
@@ -164,9 +164,7 @@ fn static_link() {
         "nssdev",
         "nsspki",
         "nssutil",
-        "pk11wrap",
-        "pkcs12",
-        "pkcs7",
+        "pk11wrap_static",
         if env::consts::OS == "windows" {
             "libplc4"
         } else {
@@ -177,10 +175,46 @@ fn static_link() {
         } else {
             "plds4"
         },
-        "smime",
         "softokn_static",
         "ssl",
     ];
+    // macOS always dynamically links against the system sqlite library.
+    // See https://github.com/nss-dev/nss/blob/a8c22d8fc0458db3e261acc5e19b436ab573a961/coreconf/Darwin.mk#L130-L135
+    if env::consts::OS == "macos" {
+        println!("cargo:rustc-link-lib=dylib=sqlite3");
+    } else {
+        static_libs.push("sqlite");
+    }
+    // Hardware specific libs.
+    // See https://github.com/mozilla/application-services/blob/0a2dac76f979b8bcfb6bacb5424b50f58520b8fe/components/support/rc_crypto/nss/nss_build_common/src/lib.rs#L127-L157
+    let target_arch = env::var("CARGO_CFG_TARGET_ARCH").unwrap();
+    let target_os = env::var("CARGO_CFG_TARGET_OS").unwrap();
+    // https://searchfox.org/nss/rev/0d5696b3edce5124353f03159d2aa15549db8306/lib/freebl/freebl.gyp#508-542
+    if target_arch == "arm" || target_arch == "aarch64" {
+        static_libs.push("armv8_c_lib");
+    }
+    if target_arch == "x86_64" || target_arch == "x86" {
+        static_libs.push("gcm-aes-x86_c_lib");
+        static_libs.push("sha-x86_c_lib");
+    }
+    if target_arch == "arm" {
+        static_libs.push("gcm-aes-arm32-neon_c_lib");
+    }
+    if target_arch == "aarch64" {
+        static_libs.push("gcm-aes-aarch64_c_lib");
+    }
+    if target_arch == "x86_64" {
+        static_libs.push("hw-acc-crypto-avx");
+        static_libs.push("hw-acc-crypto-avx2");
+    }
+    // https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#315-324
+    if (target_os == "android" || target_os == "linux") && target_arch == "x86_64" {
+        static_libs.push("intel-gcm-wrap_c_lib");
+        // https://searchfox.org/nss/rev/08c4d05078d00089f8d7540651b0717a9d66f87e/lib/freebl/freebl.gyp#43-47
+        if (target_os == "android" || target_os == "linux") && target_arch == "x86_64" {
+            static_libs.push("intel-gcm-s_lib");
+        }
+    }
     for lib in static_libs {
         println!("cargo:rustc-link-lib=static={lib}");
     }
@@ -331,9 +365,9 @@ fn setup_standalone(nss: &str) -> Vec<String> {
         "cargo:rustc-link-search=native={}",
         nsslibdir.to_str().unwrap()
     );
-    // FIXME: NSPR doesn't build proper dynamic libraries on Windows.
     if env::var("CARGO_CFG_FUZZING").is_ok()
-        || env::var("DEBUG").is_ok()
+        || env::var("PROFILE").unwrap_or_default() == "debug"
+        // FIXME: NSPR doesn't build proper dynamic libraries on Windows.
         || env::consts::OS == "windows"
     {
         static_link();
diff --git a/test-fixture/src/lib.rs b/test-fixture/src/lib.rs
@@ -38,7 +38,16 @@ pub mod header_protection;
 pub mod sim;
 
 /// The path for the database used in tests.
-pub const NSS_DB_PATH: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/db");
+///
+/// Initialized via the `NSS_DB_PATH` environment variable. If that is not set,
+/// it defaults to the `db` directory in the current crate. If the environment
+/// variable is set to `$ARGV0`, it will be initialized to the directory of the
+/// current executable.
+pub const NSS_DB_PATH: &str = if let Some(dir) = option_env!("NSS_DB_PATH") {
+    dir
+} else {
+    concat!(env!("CARGO_MANIFEST_DIR"), "/db")
+};
 
 /// Initialize the test fixture.  Only call this if you aren't also calling a
 /// fixture function that depends on setup.  Other functions in the fixture
@@ -48,7 +57,14 @@ pub const NSS_DB_PATH: &str = concat!(env!("CARGO_MANIFEST_DIR"), "/db");
 ///
 /// When the NSS initialization fails.
 pub fn fixture_init() {
-    init_db(NSS_DB_PATH).unwrap();
+    if NSS_DB_PATH == "$ARGV0" {
+        let mut current_exe = std::env::current_exe().unwrap();
+        current_exe.pop();
+        let nss_db_path = current_exe.to_str().unwrap();
+        init_db(nss_db_path).unwrap();
+    } else {
+        init_db(NSS_DB_PATH).unwrap();
+    }
 }
 
 // This needs to be > 2ms to avoid it being rounded to zero.
