_ Git - rust-lightning/blob - fuzz/fuzz_targets/full_stack_target.rs

   1 extern crate bitcoin;
   2 extern crate crypto;
   3 extern crate lightning;
   4 extern crate secp256k1;
   5
   6 use bitcoin::blockdata::block::BlockHeader;
   7 use bitcoin::blockdata::transaction::{Transaction, TxOut};
   8 use bitcoin::blockdata::script::Script;
   9 use bitcoin::network::constants::Network;
  10 use bitcoin::network::serialize::{serialize, BitcoinHash};
  11 use bitcoin::util::hash::Sha256dHash;
  12
  13 use crypto::sha2::Sha256;
  14 use crypto::digest::Digest;
  15
  16 use lightning::chain::chaininterface::{BroadcasterInterface,ConfirmationTarget,ChainListener,FeeEstimator,ChainWatchInterfaceUtil};
  17 use lightning::chain::transaction::OutPoint;
  18 use lightning::ln::channelmonitor;
  19 use lightning::ln::channelmanager::ChannelManager;
  20 use lightning::ln::peer_handler::{MessageHandler,PeerManager,SocketDescriptor};
  21 use lightning::ln::router::Router;
  22 use lightning::util::events::{EventsProvider,Event};
  23 use lightning::util::reset_rng_state;
  24
  25 use secp256k1::key::{PublicKey,SecretKey};
  26 use secp256k1::Secp256k1;
  27
  28 use std::collections::HashMap;
  29 use std::sync::Arc;
  30 use std::sync::atomic::{AtomicUsize,Ordering};
  31
  32 #[inline]
  33 pub fn slice_to_be16(v: &[u8]) -> u16 {
  34         ((v[0] as u16) << 8*1) |
  35         ((v[1] as u16) << 8*0)
  36 }
  37
  38 #[inline]
  39 pub fn slice_to_be24(v: &[u8]) -> u32 {
  40         ((v[0] as u32) << 8*2) |
  41         ((v[1] as u32) << 8*1) |
  42         ((v[2] as u32) << 8*0)
  43 }
  44
  45 #[inline]
  46 pub fn slice_to_be32(v: &[u8]) -> u32 {
  47         ((v[0] as u32) << 8*3) |
  48         ((v[1] as u32) << 8*2) |
  49         ((v[2] as u32) << 8*1) |
  50         ((v[3] as u32) << 8*0)
  51 }
  52
  53 #[inline]
  54 pub fn be64_to_array(u: u64) -> [u8; 8] {
  55         let mut v = [0; 8];
  56         v[0] = ((u >> 8*7) & 0xff) as u8;
  57         v[1] = ((u >> 8*6) & 0xff) as u8;
  58         v[2] = ((u >> 8*5) & 0xff) as u8;
  59         v[3] = ((u >> 8*4) & 0xff) as u8;
  60         v[4] = ((u >> 8*3) & 0xff) as u8;
  61         v[5] = ((u >> 8*2) & 0xff) as u8;
  62         v[6] = ((u >> 8*1) & 0xff) as u8;
  63         v[7] = ((u >> 8*0) & 0xff) as u8;
  64         v
  65 }
  66
  67 struct InputData {
  68         data: Vec<u8>,
  69         read_pos: AtomicUsize,
  70 }
  71 impl InputData {
  72         fn get_slice(&self, len: usize) -> Option<&[u8]> {
  73                 let old_pos = self.read_pos.fetch_add(len, Ordering::AcqRel);
  74                 if self.data.len() < old_pos + len {
  75                         return None;
  76                 }
  77                 Some(&self.data[old_pos..old_pos + len])
  78         }
  79 }
  80
  81 struct FuzzEstimator {
  82         input: Arc<InputData>,
  83 }
  84 impl FeeEstimator for FuzzEstimator {
  85         fn get_est_sat_per_vbyte(&self, _: ConfirmationTarget) -> u64 {
  86                 //TODO: We should actually be testing at least much more than 64k...
  87                 match self.input.get_slice(2) {
  88                         Some(slice) => slice_to_be16(slice) as u64,
  89                         None => 0
  90                 }
  91         }
  92 }
  93
  94 struct TestChannelMonitor {}
  95 impl channelmonitor::ManyChannelMonitor for TestChannelMonitor {
  96         fn add_update_monitor(&self, _funding_txo: OutPoint, _monitor: channelmonitor::ChannelMonitor) -> Result<(), channelmonitor::ChannelMonitorUpdateErr> {
  97                 //TODO!
  98                 Ok(())
  99         }
 100 }
 101
 102 struct TestBroadcaster {}
 103 impl BroadcasterInterface for TestBroadcaster {
 104         fn broadcast_transaction(&self, _tx: &Transaction) {}
 105 }
 106
 107 #[derive(Clone, PartialEq, Eq, Hash)]
 108 struct Peer {
 109         id: u8,
 110 }
 111 impl SocketDescriptor for Peer {
 112         fn send_data(&mut self, data: &Vec<u8>, write_offset: usize, _resume_read: bool) -> usize {
 113                 assert!(write_offset < data.len());
 114                 data.len() - write_offset
 115         }
 116 }
 117
 118 #[inline]
 119 pub fn do_test(data: &[u8]) {
 120         reset_rng_state();
 121
 122         let input = Arc::new(InputData {
 123                 data: data.to_vec(),
 124                 read_pos: AtomicUsize::new(0),
 125         });
 126         let fee_est = Arc::new(FuzzEstimator {
 127                 input: input.clone(),
 128         });
 129
 130         macro_rules! get_slice {
 131                 ($len: expr) => {
 132                         match input.get_slice($len as usize) {
 133                                 Some(slice) => slice,
 134                                 None => return,
 135                         }
 136                 }
 137         }
 138
 139         let secp_ctx = Secp256k1::new();
 140         macro_rules! get_pubkey {
 141                 () => {
 142                         match PublicKey::from_slice(&secp_ctx, get_slice!(33)) {
 143                                 Ok(key) => key,
 144                                 Err(_) => return,
 145                         }
 146                 }
 147         }
 148
 149         let our_network_key = match SecretKey::from_slice(&secp_ctx, get_slice!(32)) {
 150                 Ok(key) => key,
 151                 Err(_) => return,
 152         };
 153
 154         let monitor = Arc::new(TestChannelMonitor{});
 155         let watch = Arc::new(ChainWatchInterfaceUtil::new());
 156         let broadcast = Arc::new(TestBroadcaster{});
 157
 158         let channelmanager = ChannelManager::new(our_network_key, slice_to_be32(get_slice!(4)), get_slice!(1)[0] != 0, Network::Bitcoin, fee_est.clone(), monitor.clone(), watch.clone(), broadcast.clone()).unwrap();
 159         let router = Arc::new(Router::new(PublicKey::from_secret_key(&secp_ctx, &our_network_key).unwrap()));
 160
 161         let handler = PeerManager::new(MessageHandler {
 162                 chan_handler: channelmanager.clone(),
 163                 route_handler: router.clone(),
 164         }, our_network_key);
 165
 166         let mut peers = [false; 256];
 167         let mut should_forward = false;
 168         let mut payments_received = Vec::new();
 169         let mut payments_sent = 0;
 170         let mut pending_funding_generation: Vec<([u8; 32], u64, Script)> = Vec::new();
 171         let mut pending_funding_signatures = HashMap::new();
 172         let mut pending_funding_relay = Vec::new();
 173
 174         loop {
 175                 match get_slice!(1)[0] {
 176                         0 => {
 177                                 let mut new_id = 0;
 178                                 for i in 1..256 {
 179                                         if !peers[i-1] {
 180                                                 new_id = i;
 181                                                 break;
 182                                         }
 183                                 }
 184                                 if new_id == 0 { return; }
 185                                 peers[new_id - 1] = true;
 186                                 handler.new_outbound_connection(get_pubkey!(), Peer{id: (new_id - 1) as u8}).unwrap();
 187                         },
 188                         1 => {
 189                                 let mut new_id = 0;
 190                                 for i in 1..256 {
 191                                         if !peers[i-1] {
 192                                                 new_id = i;
 193                                                 break;
 194                                         }
 195                                 }
 196                                 if new_id == 0 { return; }
 197                                 peers[new_id - 1] = true;
 198                                 handler.new_inbound_connection(Peer{id: (new_id - 1) as u8}).unwrap();
 199                         },
 200                         2 => {
 201                                 let peer_id = get_slice!(1)[0];
 202                                 if !peers[peer_id as usize] { return; }
 203                                 peers[peer_id as usize] = false;
 204                                 handler.disconnect_event(&Peer{id: peer_id});
 205                         },
 206                         3 => {
 207                                 let peer_id = get_slice!(1)[0];
 208                                 if !peers[peer_id as usize] { return; }
 209                                 match handler.read_event(&mut Peer{id: peer_id}, get_slice!(get_slice!(1)[0]).to_vec()) {
 210                                         Ok(res) => assert!(!res),
 211                                         Err(_) => { peers[peer_id as usize] = false; }
 212                                 }
 213                         },
 214                         4 => {
 215                                 let value = slice_to_be24(get_slice!(3)) as u64;
 216                                 let route = match router.get_route(&get_pubkey!(), None, &Vec::new(), value, 42) {
 217                                         Ok(route) => route,
 218                                         Err(_) => return,
 219                                 };
 220                                 let mut payment_hash = [0; 32];
 221                                 payment_hash[0..8].copy_from_slice(&be64_to_array(payments_sent));
 222                                 let mut sha = Sha256::new();
 223                                 sha.input(&payment_hash);
 224                                 sha.result(&mut payment_hash);
 225                                 for i in 1..32 { payment_hash[i] = 0; }
 226                                 payments_sent += 1;
 227                                 match channelmanager.send_payment(route, payment_hash) {
 228                                         Ok(_) => {},
 229                                         Err(_) => return,
 230                                 }
 231                         },
 232                         5 => {
 233                                 let peer_id = get_slice!(1)[0];
 234                                 if !peers[peer_id as usize] { return; }
 235                                 let their_key = get_pubkey!();
 236                                 let chan_value = slice_to_be24(get_slice!(3)) as u64;
 237                                 if channelmanager.create_channel(their_key, chan_value, 0).is_err() { return; }
 238                         },
 239                         6 => {
 240                                 let mut channels = channelmanager.list_channels();
 241                                 let channel_id = get_slice!(1)[0] as usize;
 242                                 if channel_id >= channels.len() { return; }
 243                                 channels.sort_by(|a, b| { a.channel_id.cmp(&b.channel_id) });
 244                                 if channelmanager.close_channel(&channels[channel_id].channel_id).is_err() { return; }
 245                         },
 246                         7 => {
 247                                 if should_forward {
 248                                         channelmanager.process_pending_htlc_forward();
 249                                         handler.process_events();
 250                                         should_forward = false;
 251                                 }
 252                         },
 253                         8 => {
 254                                 for payment in payments_received.drain(..) {
 255                                         let mut payment_preimage = None;
 256                                         for i in 0..payments_sent {
 257                                                 let mut payment_hash = [0; 32];
 258                                                 payment_hash[0..8].copy_from_slice(&be64_to_array(i));
 259                                                 let mut sha = Sha256::new();
 260                                                 sha.input(&payment_hash);
 261                                                 sha.result(&mut payment_hash);
 262                                                 for i in 1..32 { payment_hash[i] = 0; }
 263                                                 if payment_hash == payment {
 264                                                         payment_hash = [0; 32];
 265                                                         payment_hash[0..8].copy_from_slice(&be64_to_array(i));
 266                                                         payment_preimage = Some(payment_hash);
 267                                                         break;
 268                                                 }
 269                                         }
 270                                         channelmanager.claim_funds(payment_preimage.unwrap());
 271                                 }
 272                         },
 273                         9 => {
 274                                 for payment in payments_received.drain(..) {
 275                                         channelmanager.fail_htlc_backwards(&payment);
 276                                 }
 277                         },
 278                         10 => {
 279                                 for funding_generation in  pending_funding_generation.drain(..) {
 280                                         let mut tx = Transaction { version: 0, lock_time: 0, input: Vec::new(), output: vec![TxOut {
 281                                                         value: funding_generation.1, script_pubkey: funding_generation.2,
 282                                                 }] };
 283                                         let funding_output = OutPoint::new(Sha256dHash::from_data(&serialize(&tx).unwrap()[..]), 0);
 284                                         channelmanager.funding_transaction_generated(&funding_generation.0, funding_output.clone());
 285                                         pending_funding_signatures.insert(funding_output, tx);
 286                                 }
 287                         },
 288                         11 => {
 289                                 if !pending_funding_relay.is_empty() {
 290                                         let mut txn = Vec::with_capacity(pending_funding_relay.len());
 291                                         let mut txn_idxs = Vec::with_capacity(pending_funding_relay.len());
 292                                         for (idx, tx) in pending_funding_relay.iter().enumerate() {
 293                                                 txn.push(tx);
 294                                                 txn_idxs.push(idx as u32 + 1);
 295                                         }
 296
 297                                         let mut header = BlockHeader { version: 0x20000000, prev_blockhash: Default::default(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
 298                                         channelmanager.block_connected(&header, 1, &txn[..], &txn_idxs[..]);
 299                                         txn.clear();
 300                                         txn_idxs.clear();
 301                                         for i in 2..100 {
 302                                                 header = BlockHeader { version: 0x20000000, prev_blockhash: header.bitcoin_hash(), merkle_root: Default::default(), time: 42, bits: 42, nonce: 42 };
 303                                                 channelmanager.block_connected(&header, i, &txn[..], &txn_idxs[..]);
 304                                         }
 305                                 }
 306                                 pending_funding_relay.clear();
 307                         },
 308                         _ => return,
 309                 }
 310                 for event in handler.get_and_clear_pending_events() {
 311                         match event {
 312                                 Event::FundingGenerationReady { temporary_channel_id, channel_value_satoshis, output_script, .. } => {
 313                                         pending_funding_generation.push((temporary_channel_id, channel_value_satoshis, output_script));
 314                                 },
 315                                 Event::FundingBroadcastSafe { funding_txo, .. } => {
 316                                         pending_funding_relay.push(pending_funding_signatures.remove(&funding_txo).unwrap());
 317                                 },
 318                                 Event::PaymentReceived { payment_hash, .. } => {
 319                                         payments_received.push(payment_hash);
 320                                 },
 321                                 Event::PaymentSent {..} => {},
 322                                 Event::PaymentFailed {..} => {},
 323
 324                                 Event::PendingHTLCsForwardable {..} => {
 325                                         should_forward = true;
 326                                 },
 327                                 _ => panic!("Unknown event"),
 328                         }
 329                 }
 330         }
 331 }
 332
 333 #[cfg(feature = "afl")]
 334 extern crate afl;
 335 #[cfg(feature = "afl")]
 336 fn main() {
 337         afl::read_stdio_bytes(|data| {
 338                 do_test(&data);
 339         });
 340 }
 341
 342 #[cfg(feature = "honggfuzz")]
 343 #[macro_use] extern crate honggfuzz;
 344 #[cfg(feature = "honggfuzz")]
 345 fn main() {
 346         loop {
 347                 fuzz!(|data| {
 348                         do_test(data);
 349                 });
 350         }
 351 }
 352
 353 #[cfg(test)]
 354 mod tests {
 355         fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
 356                 let mut b = 0;
 357                 for (idx, c) in hex.as_bytes().iter().enumerate() {
 358                         b <<= 4;
 359                         match *c {
 360                                 b'A'...b'F' => b |= c - b'A' + 10,
 361                                 b'a'...b'f' => b |= c - b'a' + 10,
 362                                 b'0'...b'9' => b |= c - b'0',
 363                                 _ => panic!("Bad hex"),
 364                         }
 365                         if (idx & 1) == 1 {
 366                                 out.push(b);
 367                                 b = 0;
 368                         }
 369                 }
 370         }
 371
 372         #[test]
 373         fn duplicate_crash() {
 374                 let mut a = Vec::new();
 375                 extend_vec_from_hex("00", &mut a);
 376                 super::do_test(&a);
 377         }
 378 }