Fuzz test onion messages

Author: valentinewallace

fuzz/src/bin/gen_target.sh

@@ -9,6 +9,7 @@ GEN_TEST() {
 GEN_TEST chanmon_deser
 GEN_TEST chanmon_consistency
 GEN_TEST full_stack
+GEN_TEST onion_message
 GEN_TEST peer_crypt
 GEN_TEST process_network_graph
 GEN_TEST router

fuzz/src/bin/onion_message_target.rs

@@ -0,0 +1,113 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+// This file is auto-generated by gen_target.sh based on target_template.txt
+// To modify it, modify target_template.txt and run gen_target.sh instead.
+
+#![cfg_attr(feature = "libfuzzer_fuzz", no_main)]
+
+#[cfg(not(fuzzing))]
+compile_error!("Fuzz targets need cfg=fuzzing");
+
+extern crate lightning_fuzz;
+use lightning_fuzz::onion_message::*;
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		onion_message_run(data.as_ptr(), data.len());
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			onion_message_run(data.as_ptr(), data.len());
+		});
+	}
+}
+
+#[cfg(feature = "libfuzzer_fuzz")]
+#[macro_use] extern crate libfuzzer_sys;
+#[cfg(feature = "libfuzzer_fuzz")]
+fuzz_target!(|data: &[u8]| {
+	onion_message_run(data.as_ptr(), data.len());
+});
+
+#[cfg(feature = "stdin_fuzz")]
+fn main() {
+	use std::io::Read;
+
+	let mut data = Vec::with_capacity(8192);
+	std::io::stdin().read_to_end(&mut data).unwrap();
+	onion_message_run(data.as_ptr(), data.len());
+}
+
+#[test]
+fn run_test_cases() {
+	use std::fs;
+	use std::io::Read;
+	use lightning_fuzz::utils::test_logger::StringBuffer;
+
+	use std::sync::{atomic, Arc};
+	{
+		let data: Vec<u8> = vec![0];
+		onion_message_run(data.as_ptr(), data.len());
+	}
+	let mut threads = Vec::new();
+	let threads_running = Arc::new(atomic::AtomicUsize::new(0));
+	if let Ok(tests) = fs::read_dir("test_cases/onion_message") {
+		for test in tests {
+			let mut data: Vec<u8> = Vec::new();
+			let path = test.unwrap().path();
+			fs::File::open(&path).unwrap().read_to_end(&mut data).unwrap();
+			threads_running.fetch_add(1, atomic::Ordering::AcqRel);
+
+			let thread_count_ref = Arc::clone(&threads_running);
+			let main_thread_ref = std::thread::current();
+			threads.push((path.file_name().unwrap().to_str().unwrap().to_string(),
+				std::thread::spawn(move || {
+					let string_logger = StringBuffer::new();
+
+					let panic_logger = string_logger.clone();
+					let res = if ::std::panic::catch_unwind(move || {
+						onion_message_test(&data, panic_logger);
+					}).is_err() {
+						Some(string_logger.into_string())
+					} else { None };
+					thread_count_ref.fetch_sub(1, atomic::Ordering::AcqRel);
+					main_thread_ref.unpark();
+					res
+				})
+			));
+			while threads_running.load(atomic::Ordering::Acquire) > 32 {
+				std::thread::park();
+			}
+		}
+	}
+	let mut failed_outputs = Vec::new();
+	for (test, thread) in threads.drain(..) {
+		if let Some(output) = thread.join().unwrap() {
+			println!("\nOutput of {}:\n{}\n", test, output);
+			failed_outputs.push(test);
+		}
+	}
+	if !failed_outputs.is_empty() {
+		println!("Test cases which failed: ");
+		for case in failed_outputs {
+			println!("{}", case);
+		}
+		panic!();
+	}
+}

fuzz/src/lib.rs

@@ -17,6 +17,7 @@ pub mod utils;
 pub mod chanmon_deser;
 pub mod chanmon_consistency;
 pub mod full_stack;
+pub mod onion_message;
 pub mod peer_crypt;
 pub mod process_network_graph;
 pub mod router;

fuzz/src/onion_message.rs

@@ -0,0 +1,139 @@
+// Imports that need to be added manually
+use bitcoin::bech32::u5;
+use bitcoin::blockdata::script::Script;
+use bitcoin::secp256k1::{PublicKey, SecretKey};
+use bitcoin::secp256k1::ecdh::SharedSecret;
+use bitcoin::secp256k1::ecdsa::RecoverableSignature;
+
+use lightning::chain::keysinterface::{Recipient, KeyMaterial, KeysInterface};
+use lightning::ln::msgs::{self, DecodeError};
+use lightning::ln::script::ShutdownScript;
+use lightning::util::enforcing_trait_impls::EnforcingSigner;
+use lightning::util::logger::Logger;
+use lightning::util::ser::{Readable, Writeable, Writer};
+use lightning::onion_message::OnionMessenger;
+
+use utils::test_logger;
+
+use std::io::Cursor;
+use std::sync::atomic::{AtomicU64, Ordering};
+use std::sync::Arc;
+
+#[inline]
+/// Actual fuzz test, method signature and name are fixed
+pub fn do_test(data: &[u8], logger: &Arc<dyn Logger>) {
+	if let Ok(msg) = <msgs::OnionMessage as Readable>::read(&mut Cursor::new(data)) {
+		// Serialization checking adapted from `msg_targets::utils::test_msg_simple`
+		let mut w = VecWriter(Vec::new());
+		msg.write(&mut w).unwrap();
+		assert_eq!(msg.serialized_length(), w.0.len());
+
+		let onion_message = <msgs::OnionMessage as Readable>::read(&mut Cursor::new(&w.0)).unwrap();
+		let mut w_two = VecWriter(Vec::new());
+		msg.write(&mut w_two).unwrap();
+		assert_eq!(&w.0[..], &w_two.0[..]);
+
+		// Finally, make sure we can handle the onion message in OnionMessenger
+		let secret = SecretKey::from_slice(&[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1]).unwrap();
+		let keys_manager = KeyProvider {
+			node_secret: secret,
+			counter: AtomicU64::new(0),
+		};
+		let onion_messenger = OnionMessenger::new(&keys_manager, Arc::clone(&logger));
+		let mut pk = [2; 33]; pk[1] = 0xff;
+		let peer_node_id_not_used = PublicKey::from_slice(&pk).unwrap();
+		onion_messenger.handle_onion_message(&peer_node_id_not_used, &onion_message);
+	}
+}
+
+/// Method that needs to be added manually, {name}_test
+pub fn onion_message_test<Out: test_logger::Output>(data: &[u8], out: Out) {
+	let logger: Arc<dyn Logger> = Arc::new(test_logger::TestLogger::new("".to_owned(), out));
+	do_test(data, &logger);
+}
+
+/// Method that needs to be added manually, {name}_run
+#[no_mangle]
+pub extern "C" fn onion_message_run(data: *const u8, datalen: usize) {
+	let logger: Arc<dyn Logger> = Arc::new(test_logger::TestLogger::new("".to_owned(), test_logger::DevNull {}));
+	do_test(unsafe { std::slice::from_raw_parts(data, datalen) }, &logger);
+}
+
+pub struct VecWriter(pub Vec<u8>);
+impl Writer for VecWriter {
+	fn write_all(&mut self, buf: &[u8]) -> Result<(), ::std::io::Error> {
+		self.0.extend_from_slice(buf);
+		Ok(())
+	}
+}
+struct KeyProvider {
+	node_secret: SecretKey,
+	counter: AtomicU64,
+}
+impl KeysInterface for KeyProvider {
+	type Signer = EnforcingSigner;
+
+	fn get_node_secret(&self, _recipient: Recipient) -> Result<SecretKey, ()> {
+		Ok(self.node_secret.clone())
+	}
+
+	fn ecdh(&self, recipient: Recipient, other_key: &PublicKey, tweak: Option<&[u8; 32]>) -> Result<SharedSecret, ()> {
+		let mut node_secret = self.get_node_secret(recipient)?;
+		if let Some(tweak) = tweak {
+			node_secret.mul_assign(tweak).map_err(|_| ())?;
+		}
+		Ok(SharedSecret::new(other_key, &node_secret))
+	}
+
+	fn get_inbound_payment_key_material(&self) -> KeyMaterial { unreachable!() }
+
+	fn get_destination_script(&self) -> Script { unreachable!() }
+
+	fn get_shutdown_scriptpubkey(&self) -> ShutdownScript { unreachable!() }
+
+	fn get_channel_signer(&self, _inbound: bool, _channel_value_satoshis: u64) -> EnforcingSigner {
+		unreachable!()
+	}
+
+	fn get_secure_random_bytes(&self) -> [u8; 32] {
+		let ctr = self.counter.fetch_add(1, Ordering::Relaxed);
+		[0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
+		(ctr >> 8*7) as u8, (ctr >> 8*6) as u8, (ctr >> 8*5) as u8, (ctr >> 8*4) as u8, (ctr >> 8*3) as u8, (ctr >> 8*2) as u8, (ctr >> 8*1) as u8, 14, (ctr >> 8*0) as u8]
+	}
+
+	fn read_chan_signer(&self, _data: &[u8]) -> Result<EnforcingSigner, DecodeError> { unreachable!() }
+
+	fn sign_invoice(&self, _hrp_bytes: &[u8], _invoice_data: &[u5], _recipient: Recipient) -> Result<RecoverableSignature, ()> {
+		unreachable!()
+	}
+}
+
+#[cfg(test)]
+mod tests {
+	use lightning::util::logger::{Logger, Record};
+	use std::collections::HashMap;
+	use std::sync::{Arc, Mutex};
+
+	struct TrackingLogger {
+		/// (module, message) -> count
+		pub lines: Mutex<HashMap<(String, String), usize>>,
+	}
+	impl Logger for TrackingLogger {
+		fn log(&self, record: &Record) {
+			*self.lines.lock().unwrap().entry((record.module_path.to_string(), format!("{}", record.args))).or_insert(0) += 1;
+			println!("{:<5} [{} : {}, {}] {}", record.level.to_string(), record.module_path, record.file, record.line, record.args);
+		}
+	}
+
+	#[test]
+	fn seed_fuzzer() {
+		// Seed the onion message fuzzer so it learns plausible paths to explore.
+
+		let one_hop_om = "02e8a5f5953e9c8996204fac6e3ff62964b709b4010a8bb9a7167dbe9669b7e9d605560002e8a5f5953e9c8996204fac6e3ff62964b709b4010a8bb9a7167dbe9669b7e9d63e36cc60b1e4c0c2eeabb2c06517932cc67df0d6a07693072540ef05c2352a904565a06cebd8ac8fe58aaafc9913f9e5d6b6bc7cd5ae0ee38d605866838b4fd8fb0a924044d7327a135123214d9ba13fa07c93812a32232e98e2ec727c19add515d3edd5ecbdcee737e57bc61c8158dfed529dabc0d9c8556fe145879b43b05940de4c1b2e29148e52d007e45bb19a3b91571e87800d681107f97e261dd4188236b9963ab1d338a8f48668f75373bc7c0876ee1f200583710016d4241dfa0e11ab8ba7dd3ad3f6a67c059cdf1184f68b7250ac0cb4ddb08413ee8e1dd3fca52e6d2a1104fd8f9a0346cb2eab2c993554804f432cd419eb207872e81a6b928c0807d46e7423cd6d244774a67a0c28be4751ce906b6a6cfcb1bd6b7c8f23eac21c4ac402d25f2f403bb4a40604c702c9f63bab356c73435a3c4dee1ee01ea04b30824e3fe7675c4adf4bd1efdceb74852541295dd6851d8033c5f6942c792221c0234ae0cd7df65d1c35c912cdb7c7be8d436875d0155b02d23b4c483aac258c1bf3a5bcfa98b5e3c3909828648c0771316fc6c7473b27906793ac6e92d9525c539e15817ed134551f1f946e6182feda1e2a98a3a07e33f487440cd91766bcf3f58e6baa76a9b3854a6ecd82f54fc2e6390f9e7e80fec7561872f309752a61276403607c315b9a5c27b1c29b74ea48f5d2e5ad757b06a592712e1b7a2736196043f879f8d9b2c0a5abe2cc3f22259d09cf8cb9140155af42d261f1ca212de547daef1564d8ebbde4a2f6a894001a271aa3560a8429ee328070e4b29de82bfcad0714012e3a74150774fb232accdc2d0410cfa4d6d33fcd4bd7124a473f05a0ca67fb7045fca32f73daa7ad0d21d72f3d3bcdb0b7ea9243e911fc98a30afe4cb3368b5c43c51b793363d6eaca6b0f23c1b1bb72ed5d09b7d2c4c3c7917ba2ce0e4592842daa538ff25690f4e10202e958afd3b6b587536fb1210fa24c702e25aa548f647d3ba408b08175967ca64c8cdeee6108adbf170c2f72fa12459a606096db38619e7f3e1c75fa7d42cd448678068af31f63b0ba6b19d44206f3a84c6f5fe3420d36f067bcbb45972a61bbe40a050b950224df16dd71732e2d94cda10bc57da0c949a8709b166e29b4343616eef888c2605c2bb897c708afe3ea6cb7b5a518cb693a6406ef096c44405edb7be0378f68a533190b2ee767112b182ddad420ebfeb52a0edbaba4d21bd67184c138961dec5a2cbb9ccbf4cdaa6516603cbf86c120ea7f862a81e04ce6146d12d1b82b3f9bedb5d19e1555bcd484f2174c5af9331878b5da77eeb783e0f5628d2a6caec3657d505f534ca5a36891b9e582b247241502f6b28110c5b48be9babd300ebaf234614ffc842f90e92d9c4e866122474dcccd48b63f4db62fbd057559f3ad82d7d15dd559fa95afd2fc1406a79d9ee47f7bab91b2d5a1cced70cbb261c56e4fb27ee2f8b0e811eb661a51bdb02a918de71cb8b15a6c9a8b9088f65ae40a54c1d05639fdbdeba74a34b9ac6db620dd1f49105e6961c21d72b46708a786efbe63afe4c78f6f6116270ff40ca392d4adbb2b7380f431e5f433ec97e17e013433cfbd690c4c6d663430fd0bbb0278abd207b1af3cb16961efbc14ef3869650645b975d54bcc7c8a1403e2bf1026a3c65e03947fa63ebe47054343a88210104a93c93173181e9ea05a463f390320136231ecf2fbf181c0854eae083c3f46ffc06ef43186705c7524cd300f0c835fcd491d88a29e678a5577754508c8a9cc62bad628679bd51ad5abb3f9ac1f02ea789e20a889bfdc2f133515c713a85d94edfca693185458ef37d9986bb22e017bd11b5916b51455d3178aa3204ef88d70016d51ab349c4ca2f3";
+		let logger = Arc::new(TrackingLogger { lines: Mutex::new(HashMap::new()) });
+		super::do_test(&::hex::decode(one_hop_om).unwrap(), &(Arc::clone(&logger) as Arc<dyn Logger>));
+
+		let two_unblinded_two_blinded_hops_om = "02e8a5f5953e9c8996204fac6e3ff62964b709b4010a8bb9a7167dbe9669b7e9d605560002e8a5f5953e9c8996204fac6e3ff62964b709b4010a8bb9a7167dbe9669b7e9d61936efb48d730c47d9e1d46247242c427d15545015e967f32a31291a9cf45d1717ae0644ae619778adb9176e576a48b024f0f5bfe5dc30f9d7815599955d2f94e5ee26cd6252f58c5ee79d2f70c971560d70a5fdaa37404f291c18adc987440830034d18a9529eb4187d8cd69da4a1c51db45d1c64b8b61b68bae078d9e807e1ed5fb004d565559a20e0dd1388e2cbffd58e693892c440d00dade7c3c9338c98c396469d8fd3c85c54f97f24dbfd7ac264879b4eb0489b12582c049745ddb7004f26b40c8149c4c47faa7fb2d74d3a752b13a575f6705d30109e75cf1ed3d0f471b7673592248c0e3da6ea3d812d9ebaaf226251673c28f56cfd0c297a5d4c165880b947f08629f53154e849ad530c2a61c13b5930a85a6c2636dd22d8555cd5f48a43276b5afa41d4681b29549125a8e0bc9c1e960fce4045b5c2a405a774f174f3f2aade2b0fe3ecd53cc94d8868e38589cdb1ceb749df803692afe0f37668e13b39957782950fe1f765d8f6e6f2185be345a73e7e3f26a87ce0cc0cabfb7e43a92e13e3d07d1c4c1f9af52d1b7cc65869911c44654f27ccbed8622fb816b3076c673c12f8308cb91aa78923af94405380ee5d1e75eaacaf44255b41e6f79eb6289cee43eab3baf84c6b1b8d75322e2034369447ed756430d4a459a782b1c213b24773ff2365765239f4f0ca52cf149e390c2edb69f062b17001d4c15a65b4e5d12334d3524c88cbf8b55033c7592b5ec9805cca817891dea8d952d6fa54b39960e244b420a365a80dd1d34c56a9c210df6cc20052eee8d2a6abfbd542e0a5591c2d79b1a19f3bbc042935f862413abd346fffc95230f7e7bbaa8ccc92d47e2d52015b297e88b5ea80d92c0a25fad2cabb273d4e4adea2ec0d3334986631e7aa16208b80e1571ce0d17f323caaa4f63812cc02a58fe0807e8abd786e467e40af5dfe119f240a8286c0a74efdd30ad0fe5b86d3e3a9f980f44db6052cdb51ffc378886447852e90778ff814239278afde8bd218327a7422ca172f31648cf5f36d87559682a5018b8e875ea0771a35bff0a5d40d3d95840e2e7b0f14a2e09260a599221e7cf1db4161fc4d16843aaa64ca8d26ab619ff37d63c2fe8730a9af4ec8e7c50d19878c07106294113dbadab861177ad2e474aa34ca66b8dafde4971cb8f9c6bab58cae2316b19d1115323bb0644bf0f40d0ed718d84bdcf01dc4e3f3ead7ee20313ebb7c854c3966588d63e6d6b276d92394cf820455a8a4ee50bdbf1050e74242936fd3988f0783cddc1138e802671b504c8f779e5d2e3ac5b5d27bebe993314623194fe1ed0128f168d41d09fbc1103470a892da821aa85682880084c0a1dbb79fda230a83bc0740155695c2b7c38636ca38c97def5b59105f55fcfe6b8570919f5640f9c671fcad42b618dbfd0986bb2d624ab85401f373842afb659670127998b87f599980e1e50b1edee5a0e136aa79f22b1f7ebfe5a529a7e096c422da32c32946156f2be9d6e4e16a8f99e1ddafaa533255e369d5661bd33c564d3556a5659fa68b1e1a9da6017c750f2b1eb86b24d5692398ab797bec9409d554a10df444f84652776bd7c356eb0ba5a9edf5013b5909e5489f61fb0bb3e7b3de0fe83b4ae949582415bea0a45f253a3ed70d2f6126ef44822a5fc86097685d7e8869cb6f9d02e12598b5ba20552438d4f295c65d23421b7b7eeef2601473daa3aa1c288675d8fb71155c6b6c42fae2a883c9470588f817ac193beb61755d704e39a48d111e676dc47844f70dee30b85cd0b25bba5624c1420f269a3d6ce6cbc83fa087099e1260230b4ed8919a95bfa771bbe915c34fc82dbafad0796e3018aff8b448f39c57fdedd0f3b4134fb8b009af71";
+		super::do_test(&::hex::decode(one_hop_om).unwrap(), &(Arc::clone(&logger) as Arc<dyn Logger>));
+	}
+}

fuzz/targets.h

@@ -2,6 +2,7 @@
 void chanmon_deser_run(const unsigned char* data, size_t data_len);
 void chanmon_consistency_run(const unsigned char* data, size_t data_len);
 void full_stack_run(const unsigned char* data, size_t data_len);
+void onion_message_run(const unsigned char* data, size_t data_len);
 void peer_crypt_run(const unsigned char* data, size_t data_len);
 void process_network_graph_run(const unsigned char* data, size_t data_len);
 void router_run(const unsigned char* data, size_t data_len);

lightning/src/lib.rs

@@ -76,6 +76,9 @@ pub mod util;
 pub mod chain;
 pub mod ln;
 pub mod routing;
+#[cfg(fuzzing)]
+pub mod onion_message;
+#[cfg(not(fuzzing))]
 #[allow(unused)]
 mod onion_message; // To be exposed after sending/receiving OMs is supported in PeerManager.