fuzz: don't fail when fuzzer generates valid Act 1 or 2 packets

The handshake targets were based on a false premise: that it is
impossible for any fuzzer to generate valid Act 1 or 2 packets. Niklas
Gogge proved this premise incorrect using AFL++ with the CMPLOG feature,
which enabled AFL++ to generate such valid packets.

We modify the targets to allow the scenario where the fuzzer finds these
valid packets and add the inputs AFL++ found to the corpus.

Author: morehouse

tests/fuzz/corpora/fuzz-connectd-handshake-act1/solution-e96a4f899509d98c1963a753951392fc78d7dbc7

@@ -4,7 +4,8 @@
  * The expected sequence of events for this test is:
  *   1. responder calls io_read() for the Act 1 packet
  *     - we inject the fuzzer-generated packet
- *   2. responder fails to validate the packet
+ *   2. if packet is valid, responder calls io_write() with an Act 2 packet
+ *     - we fail the handshake
  */
 #include "config.h"
 #include <assert.h>
@@ -15,14 +16,22 @@
 
 /* The io_write() interceptor.
  *
- * The handshake should fail during Act 1 packet validation, so this should
- * never be called. */
+ * If the fuzzer-generated Act 1 packet was valid, this should be called exactly
+ * once. Otherwise it should not be called at all. */
 static struct io_plan *
 test_write(struct io_conn *conn, const void *data, size_t len,
 	   struct io_plan *(*next)(struct io_conn *, struct handshake *),
 	   struct handshake *h)
 {
-	assert(false && "unexpected call to io_write()");
+	++write_count;
+	assert(write_count == 1 && "too many calls to io_write()");
+
+	/* Act 1 packet validation succeeded. Responder is sending the Act 2
+	 * packet. Check that it is initialized. */
+	assert(len == ACT_TWO_SIZE);
+	memcheck(data, len);
+
+	return handshake_failed(conn, h);
 }
 
 /* The io_read() interceptor.

tests/fuzz/corpora/fuzz-connectd-handshake-act1/solution-fc5902442267e17284aaded541cb2355205598a6

@@ -6,7 +6,8 @@
  *     - we discard the valid Act 1 packet
  *   2. initiator calls io_read() for the Act 2 packet
  *     - we inject the fuzzer-generated packet
- *   3. initiator fails to validate the packet
+ *   3. if packet is valid, initiator calls io_write() with an Act 3 packet
+ *     - we fail the handshake
  */
 #include "config.h"
 #include <assert.h>
@@ -18,20 +19,32 @@
 
 /* The io_write() interceptor.
  *
- * This should be called exactly once, when the initiator is writing out its Act
- * 1 packet. We check that the packet is initialized and discard it. */
+ * If the fuzzer-generated Act 2 packet was invalid, this should be called
+ * exactly once, when the initiator is writing out its Act 1 packet. Otherwise,
+ * if the Act 2 packet was valid, this should be called a second time, when the
+ * initiator is writing out its Act 3 packet. */
 static struct io_plan *
 test_write(struct io_conn *conn, const void *data, size_t len,
 	   struct io_plan *(*next)(struct io_conn *, struct handshake *),
 	   struct handshake *h)
 {
 	++write_count;
-	assert(write_count == 1 && "too many calls to io_write()");
+	if (write_count == 1) {
+		/* Initiator is sending the Act 1 packet. Check that it is
+		 * initialized and discard it. */
+		assert(len == ACT_ONE_SIZE);
+		memcheck(data, len);
 
-	assert(len == ACT_ONE_SIZE);
+		return next(conn, h);
+	}
+	assert(write_count == 2 && "too many calls to io_write()");
+
+	/* Act 2 packet validation succeeded. Initiator is sending the Act 3
+	 * packet. Check that it is initialized. */
+	assert(len == ACT_THREE_SIZE);
 	memcheck(data, len);
 
-	return next(conn, h);
+	return handshake_failed(conn, h);
 }
 
 /* The io_read() interceptor.