_ Git - rust-lightning/blob - fuzz/fuzz_targets/channel_target.rs

   1 extern crate bitcoin;
   2 extern crate lightning;
   3 extern crate secp256k1;
   4
   5 use bitcoin::blockdata::block::BlockHeader;
   6 use bitcoin::blockdata::transaction::{Transaction, TxOut};
   7 use bitcoin::util::hash::Sha256dHash;
   8 use bitcoin::network::serialize::{serialize, BitcoinHash};
   9
  10 use lightning::ln::channel::Channel;
  11 use lightning::ln::channelmanager::PendingForwardHTLCInfo;
  12 use lightning::ln::msgs;
  13 use lightning::ln::msgs::MsgDecodable;
  14 use lightning::chain::chaininterface::{FeeEstimator, ConfirmationTarget};
  15 use lightning::util::reset_rng_state;
  16
  17 use secp256k1::key::PublicKey;
  18 use secp256k1::Secp256k1;
  19
  20 use std::sync::atomic::{AtomicUsize,Ordering};
  21
  22 #[inline]
  23 pub fn slice_to_be16(v: &[u8]) -> u16 {
  24         ((v[0] as u16) << 8*1) |
  25         ((v[1] as u16) << 8*0)
  26 }
  27
  28 #[inline]
  29 pub fn slice_to_be32(v: &[u8]) -> u32 {
  30         ((v[0] as u32) << 8*3) |
  31         ((v[1] as u32) << 8*2) |
  32         ((v[2] as u32) << 8*1) |
  33         ((v[3] as u32) << 8*0)
  34 }
  35
  36 #[inline]
  37 pub fn slice_to_be64(v: &[u8]) -> u64 {
  38         ((v[0] as u64) << 8*7) |
  39         ((v[1] as u64) << 8*6) |
  40         ((v[2] as u64) << 8*5) |
  41         ((v[3] as u64) << 8*4) |
  42         ((v[4] as u64) << 8*3) |
  43         ((v[5] as u64) << 8*2) |
  44         ((v[6] as u64) << 8*1) |
  45         ((v[7] as u64) << 8*0)
  46 }
  47
  48 #[inline]
  49 fn slice_to_be24(v: &[u8]) -> u64 {
  50         //TODO: We should probably be returning a Result for channel creation, not panic!()ing on
  51         //>2**24 values...
  52         ((v[0] as u64) << 8*2) |
  53         ((v[1] as u64) << 8*1) |
  54         ((v[2] as u64) << 8*0)
  55 }
  56
  57 struct InputData<'a> {
  58         data: &'a [u8],
  59         read_pos: AtomicUsize,
  60 }
  61 impl<'a> InputData<'a> {
  62         fn get_slice(&self, len: usize) -> Option<&'a [u8]> {
  63                 let old_pos = self.read_pos.fetch_add(len, Ordering::AcqRel);
  64                 if self.data.len() < old_pos + len {
  65                         return None;
  66                 }
  67                 Some(&self.data[old_pos..old_pos + len])
  68         }
  69         fn get_slice_nonadvancing(&self, len: usize) -> Option<&'a [u8]> {
  70                 let old_pos = self.read_pos.load(Ordering::Acquire);
  71                 if self.data.len() < old_pos + len {
  72                         return None;
  73                 }
  74                 Some(&self.data[old_pos..old_pos + len])
  75         }
  76 }
  77
  78 struct FuzzEstimator<'a> {
  79         input: &'a InputData<'a>,
  80 }
  81 impl<'a> FeeEstimator for FuzzEstimator<'a> {
  82         fn get_est_sat_per_vbyte(&self, _: ConfirmationTarget) -> u64 {
  83                 //TODO: We should actually be testing at least much more than 64k...
  84                 match self.input.get_slice(2) {
  85                         Some(slice) => slice_to_be16(slice) as u64,
  86                         None => 0
  87                 }
  88         }
  89 }
  90
  91 #[inline]
  92 pub fn do_test(data: &[u8]) {
  93         reset_rng_state();
  94
  95         let input = InputData {
  96                 data,
  97                 read_pos: AtomicUsize::new(0),
  98         };
  99         let fee_est = FuzzEstimator {
 100                 input: &input,
 101         };
 102
 103         macro_rules! get_slice {
 104                 ($len: expr) => {
 105                         match input.get_slice($len as usize) {
 106                                 Some(slice) => slice,
 107                                 None => return,
 108                         }
 109                 }
 110         }
 111
 112         macro_rules! decode_msg {
 113                 ($MsgType: path, $len: expr) => {
 114                         match <($MsgType)>::decode(get_slice!($len)) {
 115                                 Ok(msg) => msg,
 116                                 Err(e) => match e {
 117                                         msgs::DecodeError::UnknownRealmByte => return,
 118                                         msgs::DecodeError::BadPublicKey => return,
 119                                         msgs::DecodeError::BadSignature => return,
 120                                         msgs::DecodeError::ExtraAddressesPerType => return,
 121                                         msgs::DecodeError::WrongLength => panic!("We picked the length..."),
 122                                 }
 123                         }
 124                 }
 125         }
 126
 127         macro_rules! decode_msg_with_len16 {
 128                 ($MsgType: path, $begin_len: expr, $factor: expr) => {
 129                         {
 130                                 let extra_len = slice_to_be16(&match input.get_slice_nonadvancing($begin_len as usize + 2) {
 131                                         Some(slice) => slice,
 132                                         None => return,
 133                                 }[$begin_len..$begin_len + 2]);
 134                                 match <($MsgType)>::decode(get_slice!($begin_len as usize + 2 + (extra_len as usize)*$factor)) {
 135                                         Ok(msg) => msg,
 136                                         Err(e) => match e {
 137                                                 msgs::DecodeError::UnknownRealmByte => return,
 138                                                 msgs::DecodeError::BadPublicKey => return,
 139                                                 msgs::DecodeError::BadSignature => return,
 140                                                 msgs::DecodeError::ExtraAddressesPerType => return,
 141                                                 msgs::DecodeError::WrongLength => panic!("We picked the length..."),
 142                                         }
 143                                 }
 144                         }
 145                 }
 146         }
 147
 148         let secp_ctx = Secp256k1::new();
 149         macro_rules! get_pubkey {
 150                 () => {
 151                         match PublicKey::from_slice(&secp_ctx, get_slice!(33)) {
 152                                 Ok(key) => key,
 153                                 Err(_) => return,
 154                         }
 155                 }
 156         }
 157
 158         macro_rules! return_err {
 159                 ($expr: expr) => {
 160                         match $expr {
 161                                 Ok(_) => {},
 162                                 Err(_) => return,
 163                         }
 164                 }
 165         }
 166
 167         let their_pubkey = get_pubkey!();
 168
 169         let mut tx = Transaction { version: 0, lock_time: 0, input: Vec::new(), output: Vec::new() };
 170
 171         let mut channel = if get_slice!(1)[0] != 0 {
 172                 let chan_value = slice_to_be24(get_slice!(3));
 173                 let mut chan = Channel::new_outbound(&fee_est, their_pubkey, chan_value, get_slice!(1)[0] == 0, slice_to_be64(get_slice!(8)));
 174                 chan.get_open_channel(Sha256dHash::from(get_slice!(32)), &fee_est).unwrap();
 175                 let accept_chan = if get_slice!(1)[0] == 0 {
 176                         decode_msg_with_len16!(msgs::AcceptChannel, 270, 1)
 177                 } else {
 178                         decode_msg!(msgs::AcceptChannel, 270)
 179                 };
 180                 return_err!(chan.accept_channel(&accept_chan));
 181
 182                 tx.output.push(TxOut{ value: chan_value, script_pubkey: chan.get_funding_redeemscript().to_v0_p2wsh() });
 183                 let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
 184
 185                 chan.get_outbound_funding_created(funding_output.0.clone(), funding_output.1).unwrap();
 186                 let funding_signed = decode_msg!(msgs::FundingSigned, 32+64);
 187                 return_err!(chan.funding_signed(&funding_signed));
 188                 chan
 189         } else {
 190                 let open_chan = if get_slice!(1)[0] == 0 {
 191                         decode_msg_with_len16!(msgs::OpenChannel, 2*32+6*8+4+2*2+6*33+1, 1)
 192                 } else {
 193                         decode_msg!(msgs::OpenChannel, 2*32+6*8+4+2*2+6*33+1)
 194                 };
 195                 let mut chan = match Channel::new_from_req(&fee_est, their_pubkey, &open_chan, slice_to_be64(get_slice!(8)), get_slice!(1)[0] == 0) {
 196                         Ok(chan) => chan,
 197                         Err(_) => return,
 198                 };
 199                 chan.get_accept_channel().unwrap();
 200
 201                 tx.output.push(TxOut{ value: open_chan.funding_satoshis, script_pubkey: chan.get_funding_redeemscript().to_v0_p2wsh() });
 202                 let funding_output = (Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
 203
 204                 let mut funding_created = decode_msg!(msgs::FundingCreated, 32+32+2+64);
 205                 funding_created.funding_txid = funding_output.0.clone();
 206                 funding_created.funding_output_index = funding_output.1;
 207                 return_err!(chan.funding_created(&funding_created));
 208                 chan
 209         };
 210
 211         let mut header = BlockHeader { version: 0x20000000, prev_blockhash: Default::default(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
 212         channel.block_connected(&header, 1, &[&tx; 1], &[42; 1]);
 213         for i in 2..100 {
 214                 header = BlockHeader { version: 0x20000000, prev_blockhash: header.bitcoin_hash(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
 215                 channel.block_connected(&header, i, &[&tx; 0], &[0; 0]);
 216         }
 217
 218         let funding_locked = decode_msg!(msgs::FundingLocked, 32+33);
 219         return_err!(channel.funding_locked(&funding_locked));
 220
 221         loop {
 222                 match get_slice!(1)[0] {
 223                         0 => {
 224                                 return_err!(channel.send_htlc(slice_to_be64(get_slice!(8)), [42; 32], slice_to_be32(get_slice!(4)), msgs::OnionPacket {
 225                                         version: get_slice!(1)[0],
 226                                         public_key: get_pubkey!(),
 227                                         hop_data: [0; 20*65],
 228                                         hmac: [0; 32],
 229                                 }));
 230                         },
 231                         1 => {
 232                                 return_err!(channel.send_commitment());
 233                         },
 234                         2 => {
 235                                 let update_add_htlc = decode_msg!(msgs::UpdateAddHTLC, 32+8+8+32+4+4+33+20*65+32);
 236                                 return_err!(channel.update_add_htlc(&update_add_htlc, PendingForwardHTLCInfo::dummy()));
 237                         },
 238                         3 => {
 239                                 let update_fulfill_htlc = decode_msg!(msgs::UpdateFulfillHTLC, 32 + 8 + 32);
 240                                 return_err!(channel.update_fulfill_htlc(&update_fulfill_htlc));
 241                         },
 242                         4 => {
 243                                 let update_fail_htlc = decode_msg_with_len16!(msgs::UpdateFailHTLC, 32 + 8, 1);
 244                                 return_err!(channel.update_fail_htlc(&update_fail_htlc));
 245                         },
 246                         5 => {
 247                                 let update_fail_malformed_htlc = decode_msg!(msgs::UpdateFailMalformedHTLC, 32+8+32+2);
 248                                 return_err!(channel.update_fail_malformed_htlc(&update_fail_malformed_htlc));
 249                         },
 250                         6 => {
 251                                 let commitment_signed = decode_msg_with_len16!(msgs::CommitmentSigned, 32+64, 64);
 252                                 return_err!(channel.commitment_signed(&commitment_signed));
 253                         },
 254                         7 => {
 255                                 let revoke_and_ack = decode_msg!(msgs::RevokeAndACK, 32+32+33);
 256                                 return_err!(channel.revoke_and_ack(&revoke_and_ack));
 257                         },
 258                         8 => {
 259                                 let update_fee = decode_msg!(msgs::UpdateFee, 32+4);
 260                                 return_err!(channel.update_fee(&fee_est, &update_fee));
 261                         },
 262                         9 => {
 263                                 let shutdown = decode_msg_with_len16!(msgs::Shutdown, 32, 1);
 264                                 return_err!(channel.shutdown(&fee_est, &shutdown));
 265                         },
 266                         10 => {
 267                                 let closing_signed = decode_msg!(msgs::ClosingSigned, 32+8+64);
 268                                 return_err!(channel.closing_signed(&fee_est, &closing_signed));
 269                         },
 270                         _ => return,
 271                 }
 272         }
 273 }
 274
 275 #[cfg(feature = "afl")]
 276 extern crate afl;
 277 #[cfg(feature = "afl")]
 278 fn main() {
 279         afl::read_stdio_bytes(|data| {
 280                 do_test(&data);
 281         });
 282 }
 283
 284 #[cfg(feature = "honggfuzz")]
 285 #[macro_use] extern crate honggfuzz;
 286 #[cfg(feature = "honggfuzz")]
 287 fn main() {
 288         loop {
 289                 fuzz!(|data| {
 290                         do_test(data);
 291                 });
 292         }
 293 }
 294
 295 #[cfg(test)]
 296 mod tests {
 297         fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
 298                 let mut b = 0;
 299                 for (idx, c) in hex.as_bytes().iter().enumerate() {
 300                         b <<= 4;
 301                         match *c {
 302                                 b'A'...b'F' => b |= c - b'A' + 10,
 303                                 b'a'...b'f' => b |= c - b'a' + 10,
 304                                 b'0'...b'9' => b |= c - b'0',
 305                                 _ => panic!("Bad hex"),
 306                         }
 307                         if (idx & 1) == 1 {
 308                                 out.push(b);
 309                                 b = 0;
 310                         }
 311                 }
 312         }
 313
 314         #[test]
 315         fn duplicate_crash() {
 316                 let mut a = Vec::new();
 317                 extend_vec_from_hex("00", &mut a);
 318                 super::do_test(&a);
 319         }
 320 }