From 4fe806837f9a63786d359960882faf25938fb93a Mon Sep 17 00:00:00 2001 From: Jeffrey Czyz Date: Fri, 20 Jan 2023 13:34:34 -0600 Subject: [PATCH] Fuzz test for parsing InvoiceRequest An invoice request is serialized as a TLV stream and encoded as bytes. Add a fuzz test that parses the TLV stream and deserializes the underlying InvoiceRequest. Then compare the original bytes with those obtained by re-serializing the InvoiceRequest. --- fuzz/src/bin/gen_target.sh | 1 + fuzz/src/bin/invoice_request_deser_target.rs | 113 +++++++++++++++++++ fuzz/src/invoice_request_deser.rs | 108 ++++++++++++++++++ fuzz/src/lib.rs | 1 + fuzz/targets.h | 1 + lightning/src/offers/invoice.rs | 9 +- 6 files changed, 231 insertions(+), 2 deletions(-) create mode 100644 fuzz/src/bin/invoice_request_deser_target.rs create mode 100644 fuzz/src/invoice_request_deser.rs diff --git a/fuzz/src/bin/gen_target.sh b/fuzz/src/bin/gen_target.sh index 946e845cb..44d3ab29e 100755 --- a/fuzz/src/bin/gen_target.sh +++ b/fuzz/src/bin/gen_target.sh @@ -9,6 +9,7 @@ GEN_TEST() { GEN_TEST chanmon_deser GEN_TEST chanmon_consistency GEN_TEST full_stack +GEN_TEST invoice_request_deser GEN_TEST offer_deser GEN_TEST onion_message GEN_TEST peer_crypt diff --git a/fuzz/src/bin/invoice_request_deser_target.rs b/fuzz/src/bin/invoice_request_deser_target.rs new file mode 100644 index 000000000..97741ff3a --- /dev/null +++ b/fuzz/src/bin/invoice_request_deser_target.rs @@ -0,0 +1,113 @@ +// This file is Copyright its original authors, visible in version control +// history. +// +// This file is licensed under the Apache License, Version 2.0 or the MIT license +// , at your option. +// You may not use this file except in accordance with one or both of these +// licenses. + +// This file is auto-generated by gen_target.sh based on target_template.txt +// To modify it, modify target_template.txt and run gen_target.sh instead. + +#![cfg_attr(feature = "libfuzzer_fuzz", no_main)] + +#[cfg(not(fuzzing))] +compile_error!("Fuzz targets need cfg=fuzzing"); + +extern crate lightning_fuzz; +use lightning_fuzz::invoice_request_deser::*; + +#[cfg(feature = "afl")] +#[macro_use] extern crate afl; +#[cfg(feature = "afl")] +fn main() { + fuzz!(|data| { + invoice_request_deser_run(data.as_ptr(), data.len()); + }); +} + +#[cfg(feature = "honggfuzz")] +#[macro_use] extern crate honggfuzz; +#[cfg(feature = "honggfuzz")] +fn main() { + loop { + fuzz!(|data| { + invoice_request_deser_run(data.as_ptr(), data.len()); + }); + } +} + +#[cfg(feature = "libfuzzer_fuzz")] +#[macro_use] extern crate libfuzzer_sys; +#[cfg(feature = "libfuzzer_fuzz")] +fuzz_target!(|data: &[u8]| { + invoice_request_deser_run(data.as_ptr(), data.len()); +}); + +#[cfg(feature = "stdin_fuzz")] +fn main() { + use std::io::Read; + + let mut data = Vec::with_capacity(8192); + std::io::stdin().read_to_end(&mut data).unwrap(); + invoice_request_deser_run(data.as_ptr(), data.len()); +} + +#[test] +fn run_test_cases() { + use std::fs; + use std::io::Read; + use lightning_fuzz::utils::test_logger::StringBuffer; + + use std::sync::{atomic, Arc}; + { + let data: Vec = vec![0]; + invoice_request_deser_run(data.as_ptr(), data.len()); + } + let mut threads = Vec::new(); + let threads_running = Arc::new(atomic::AtomicUsize::new(0)); + if let Ok(tests) = fs::read_dir("test_cases/invoice_request_deser") { + for test in tests { + let mut data: Vec = Vec::new(); + let path = test.unwrap().path(); + fs::File::open(&path).unwrap().read_to_end(&mut data).unwrap(); + threads_running.fetch_add(1, atomic::Ordering::AcqRel); + + let thread_count_ref = Arc::clone(&threads_running); + let main_thread_ref = std::thread::current(); + threads.push((path.file_name().unwrap().to_str().unwrap().to_string(), + std::thread::spawn(move || { + let string_logger = StringBuffer::new(); + + let panic_logger = string_logger.clone(); + let res = if ::std::panic::catch_unwind(move || { + invoice_request_deser_test(&data, panic_logger); + }).is_err() { + Some(string_logger.into_string()) + } else { None }; + thread_count_ref.fetch_sub(1, atomic::Ordering::AcqRel); + main_thread_ref.unpark(); + res + }) + )); + while threads_running.load(atomic::Ordering::Acquire) > 32 { + std::thread::park(); + } + } + } + let mut failed_outputs = Vec::new(); + for (test, thread) in threads.drain(..) { + if let Some(output) = thread.join().unwrap() { + println!("\nOutput of {}:\n{}\n", test, output); + failed_outputs.push(test); + } + } + if !failed_outputs.is_empty() { + println!("Test cases which failed: "); + for case in failed_outputs { + println!("{}", case); + } + panic!(); + } +} diff --git a/fuzz/src/invoice_request_deser.rs b/fuzz/src/invoice_request_deser.rs new file mode 100644 index 000000000..bdc3c0d25 --- /dev/null +++ b/fuzz/src/invoice_request_deser.rs @@ -0,0 +1,108 @@ +// This file is Copyright its original authors, visible in version control +// history. +// +// This file is licensed under the Apache License, Version 2.0 or the MIT license +// , at your option. +// You may not use this file except in accordance with one or both of these +// licenses. + +use bitcoin::secp256k1::{KeyPair, PublicKey, Secp256k1, SecretKey, self}; +use crate::utils::test_logger; +use core::convert::{Infallible, TryFrom}; +use lightning::chain::keysinterface::EntropySource; +use lightning::ln::PaymentHash; +use lightning::ln::features::BlindedHopFeatures; +use lightning::offers::invoice::{BlindedPayInfo, UnsignedInvoice}; +use lightning::offers::invoice_request::InvoiceRequest; +use lightning::offers::parse::SemanticError; +use lightning::onion_message::BlindedPath; +use lightning::util::ser::Writeable; + +#[inline] +pub fn do_test(data: &[u8], _out: Out) { + if let Ok(invoice_request) = InvoiceRequest::try_from(data.to_vec()) { + let mut bytes = Vec::with_capacity(data.len()); + invoice_request.write(&mut bytes).unwrap(); + assert_eq!(data, bytes); + + let secp_ctx = Secp256k1::new(); + let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap()); + let mut buffer = Vec::new(); + + if let Ok(unsigned_invoice) = build_response(&invoice_request, &secp_ctx) { + if unsigned_invoice.signing_pubkey() == keys.public_key() { + unsigned_invoice + .sign::<_, Infallible>( + |digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)) + ) + .unwrap() + .write(&mut buffer) + .unwrap(); + } else { + unsigned_invoice + .sign::<_, Infallible>( + |digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)) + ) + .unwrap_err(); + } + } + } +} + +struct Randomness; + +impl EntropySource for Randomness { + fn get_secure_random_bytes(&self) -> [u8; 32] { [42; 32] } +} + +fn pubkey(byte: u8) -> PublicKey { + let secp_ctx = Secp256k1::new(); + PublicKey::from_secret_key(&secp_ctx, &privkey(byte)) +} + +fn privkey(byte: u8) -> SecretKey { + SecretKey::from_slice(&[byte; 32]).unwrap() +} + +fn build_response<'a, T: secp256k1::Signing + secp256k1::Verification>( + invoice_request: &'a InvoiceRequest, secp_ctx: &Secp256k1 +) -> Result, SemanticError> { + let entropy_source = Randomness {}; + let paths = vec![ + BlindedPath::new(&[pubkey(43), pubkey(44), pubkey(42)], &entropy_source, secp_ctx).unwrap(), + BlindedPath::new(&[pubkey(45), pubkey(46), pubkey(42)], &entropy_source, secp_ctx).unwrap(), + ]; + + let payinfo = vec![ + BlindedPayInfo { + fee_base_msat: 1, + fee_proportional_millionths: 1_000, + cltv_expiry_delta: 42, + htlc_minimum_msat: 100, + htlc_maximum_msat: 1_000_000_000_000, + features: BlindedHopFeatures::empty(), + }, + BlindedPayInfo { + fee_base_msat: 1, + fee_proportional_millionths: 1_000, + cltv_expiry_delta: 42, + htlc_minimum_msat: 100, + htlc_maximum_msat: 1_000_000_000_000, + features: BlindedHopFeatures::empty(), + }, + ]; + + let payment_paths = paths.into_iter().zip(payinfo.into_iter()).collect(); + let payment_hash = PaymentHash([42; 32]); + invoice_request.respond_with(payment_paths, payment_hash)?.build() +} + +pub fn invoice_request_deser_test(data: &[u8], out: Out) { + do_test(data, out); +} + +#[no_mangle] +pub extern "C" fn invoice_request_deser_run(data: *const u8, datalen: usize) { + do_test(unsafe { std::slice::from_raw_parts(data, datalen) }, test_logger::DevNull {}); +} diff --git a/fuzz/src/lib.rs b/fuzz/src/lib.rs index 05129056a..68b35d4ee 100644 --- a/fuzz/src/lib.rs +++ b/fuzz/src/lib.rs @@ -18,6 +18,7 @@ pub mod chanmon_deser; pub mod chanmon_consistency; pub mod full_stack; pub mod indexedmap; +pub mod invoice_request_deser; pub mod offer_deser; pub mod onion_message; pub mod peer_crypt; diff --git a/fuzz/targets.h b/fuzz/targets.h index e46b68af2..09187a59a 100644 --- a/fuzz/targets.h +++ b/fuzz/targets.h @@ -2,6 +2,7 @@ void chanmon_deser_run(const unsigned char* data, size_t data_len); void chanmon_consistency_run(const unsigned char* data, size_t data_len); void full_stack_run(const unsigned char* data, size_t data_len); +void invoice_request_deser_run(const unsigned char* data, size_t data_len); void offer_deser_run(const unsigned char* data, size_t data_len); void onion_message_run(const unsigned char* data, size_t data_len); void peer_crypt_run(const unsigned char* data, size_t data_len); diff --git a/lightning/src/offers/invoice.rs b/lightning/src/offers/invoice.rs index d1b1e99ba..7a3438b64 100644 --- a/lightning/src/offers/invoice.rs +++ b/lightning/src/offers/invoice.rs @@ -267,6 +267,11 @@ pub struct UnsignedInvoice<'a> { } impl<'a> UnsignedInvoice<'a> { + /// The public key corresponding to the key needed to sign the invoice. + pub fn signing_pubkey(&self) -> PublicKey { + self.invoice.fields().signing_pubkey + } + /// Signs the invoice using the given function. pub fn sign(self, sign: F) -> Result> where @@ -453,12 +458,12 @@ impl Invoice { &self.contents.fields().features } - /// The public key used to sign invoices. + /// The public key corresponding to the key used to sign the invoice. pub fn signing_pubkey(&self) -> PublicKey { self.contents.fields().signing_pubkey } - /// Signature of the invoice using [`Invoice::signing_pubkey`]. + /// Signature of the invoice verified using [`Invoice::signing_pubkey`]. pub fn signature(&self) -> Signature { self.signature } -- 2.39.5