From c4e1ade05ef1cfde30a6af2516003e646d0302fc Mon Sep 17 00:00:00 2001
From: Jeffrey Czyz
Date: Fri, 20 Jan 2023 13:01:47 -0600
Subject: [PATCH] Fuzz test for parsing Refund
A refund is serialized as a TLV stream and encoded in bech32 without a checksum. Add a fuzz test that parses the unencoded TLV stream and deserializes the underlying Refund. Then compare the original bytes with those obtained by re-serializing the Refund.
---
 fuzz/src/bin/gen_target.sh | 1 +
 fuzz/src/bin/refund_deser_target.rs | 113 ++++++++++++++++++++++++++++
 fuzz/src/lib.rs | 1 +
 fuzz/src/refund_deser.rs | 101 +++++++++++++++++++++++++
 fuzz/targets.h | 1 +
 lightning/src/offers/payer.rs | 2 +-
 lightning/src/offers/refund.rs | 4 +-
 7 files changed, 220 insertions(+), 3 deletions(-)
 create mode 100644 fuzz/src/bin/refund_deser_target.rs
 create mode 100644 fuzz/src/refund_deser.rs
diff --git a/fuzz/src/bin/gen_target.sh b/fuzz/src/bin/gen_target.sh
index f322e6069..946e845cb 100755
--- a/fuzz/src/bin/gen_target.sh
+++ b/fuzz/src/bin/gen_target.sh
@@ -13,6 +13,7 @@ GEN_TEST offer_deser
 GEN_TEST onion_message
 GEN_TEST peer_crypt
 GEN_TEST process_network_graph
+GEN_TEST refund_deser
 GEN_TEST router
 GEN_TEST zbase32
 GEN_TEST indexedmap
diff --git a/fuzz/src/bin/refund_deser_target.rs b/fuzz/src/bin/refund_deser_target.rs
new file mode 100644
index 000000000..c98577834
--- /dev/null
+++ b/fuzz/src/bin/refund_deser_target.rs
@@ -0,0 +1,113 @@ +// This file is Copyright its original authors, visible in version control +// history. +// +// This file is licensed under the Apache License, Version 2.0 or the MIT license +// , at your option. +// You may not use this file except in accordance with one or both of these +// licenses. + +// This file is auto-generated by gen_target.sh based on target_template.txt +// To modify it, modify target_template.txt and run gen_target.sh instead. + +#![cfg_attr(feature = "libfuzzer_fuzz", no_main)] + +#[cfg(not(fuzzing))] +compile_error!("Fuzz targets need cfg=fuzzing"); + +extern crate lightning_fuzz; +use lightning_fuzz::refund_deser::*; + +#[cfg(feature = "afl")] +#[macro_use] extern crate afl; +#[cfg(feature = "afl")] +fn main() { + fuzz!(|data| { + refund_deser_run(data.as_ptr(), data.len()); + }); +} + +#[cfg(feature = "honggfuzz")] +#[macro_use] extern crate honggfuzz; +#[cfg(feature = "honggfuzz")] +fn main() { + loop { + fuzz!(|data| { + refund_deser_run(data.as_ptr(), data.len()); + }); + } +} + +#[cfg(feature = "libfuzzer_fuzz")] +#[macro_use] extern crate libfuzzer_sys; +#[cfg(feature = "libfuzzer_fuzz")] +fuzz_target!(|data: &[u8]| { + refund_deser_run(data.as_ptr(), data.len()); +}); + +#[cfg(feature = "stdin_fuzz")] +fn main() { + use std::io::Read; + + let mut data = Vec::with_capacity(8192); + std::io::stdin().read_to_end(&mut data).unwrap(); + refund_deser_run(data.as_ptr(), data.len()); +} + +#[test] +fn run_test_cases() { + use std::fs; + use std::io::Read; + use lightning_fuzz::utils::test_logger::StringBuffer; + + use std::sync::{atomic, Arc}; + { + let data: Vec = vec![0]; + refund_deser_run(data.as_ptr(), data.len()); + } + let mut threads = Vec::new(); + let threads_running = Arc::new(atomic::AtomicUsize::new(0)); + if let Ok(tests) = fs::read_dir("test_cases/refund_deser") { + for test in tests { + let mut data: Vec = Vec::new(); + let path = test.unwrap().path(); + fs::File::open(&path).unwrap().read_to_end(&mut 
data).unwrap(); + threads_running.fetch_add(1, atomic::Ordering::AcqRel); + + let thread_count_ref = Arc::clone(&threads_running); + let main_thread_ref = std::thread::current(); + threads.push((path.file_name().unwrap().to_str().unwrap().to_string(), + std::thread::spawn(move || { + let string_logger = StringBuffer::new(); + + let panic_logger = string_logger.clone(); + let res = if ::std::panic::catch_unwind(move || { + refund_deser_test(&data, panic_logger); + }).is_err() { + Some(string_logger.into_string()) + } else { None }; + thread_count_ref.fetch_sub(1, atomic::Ordering::AcqRel); + main_thread_ref.unpark(); + res + }) + )); + while threads_running.load(atomic::Ordering::Acquire) > 32 { + std::thread::park(); + } + } + } + let mut failed_outputs = Vec::new(); + for (test, thread) in threads.drain(..) { + if let Some(output) = thread.join().unwrap() { + println!("\nOutput of {}:\n{}\n", test, output); + failed_outputs.push(test); + } + } + if !failed_outputs.is_empty() { + println!("Test cases which failed: "); + for case in failed_outputs { + println!("{}", case); + } + panic!(); + } +} diff --git a/fuzz/src/lib.rs b/fuzz/src/lib.rs index dee4dbccb..05129056a 100644 --- a/fuzz/src/lib.rs +++ b/fuzz/src/lib.rs @@ -22,6 +22,7 @@ pub mod offer_deser; pub mod onion_message; pub mod peer_crypt; pub mod process_network_graph; +pub mod refund_deser; pub mod router; pub mod zbase32; diff --git a/fuzz/src/refund_deser.rs b/fuzz/src/refund_deser.rs new file mode 100644 index 000000000..9adaa3e95 --- /dev/null +++ b/fuzz/src/refund_deser.rs 
@@ -0,0 +1,101 @@ +// This file is Copyright its original authors, visible in version control +// history. +// +// This file is licensed under the Apache License, Version 2.0 or the MIT license +// , at your option. +// You may not use this file except in accordance with one or both of these +// licenses. + +use bitcoin::secp256k1::{KeyPair, PublicKey, Secp256k1, SecretKey, self}; +use crate::utils::test_logger; +use core::convert::{Infallible, TryFrom}; +use lightning::chain::keysinterface::EntropySource; +use lightning::ln::PaymentHash; +use lightning::ln::features::BlindedHopFeatures; +use lightning::offers::invoice::{BlindedPayInfo, UnsignedInvoice}; +use lightning::offers::parse::SemanticError; +use lightning::offers::refund::Refund; +use lightning::onion_message::BlindedPath; +use lightning::util::ser::Writeable; + +#[inline] +pub fn do_test(data: &[u8], _out: Out) { + if let Ok(refund) = Refund::try_from(data.to_vec()) { + let mut bytes = Vec::with_capacity(data.len()); + refund.write(&mut bytes).unwrap(); + assert_eq!(data, bytes); + + let secp_ctx = Secp256k1::new(); + let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap()); + let pubkey = PublicKey::from(keys); + let mut buffer = Vec::new(); + + if let Ok(invoice) = build_response(&refund, pubkey, &secp_ctx) { + invoice + .sign::<_, Infallible>( + |digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys)) + ) + .unwrap() + .write(&mut buffer) + .unwrap(); + } + } +} + +struct Randomness; + +impl EntropySource for Randomness { + fn get_secure_random_bytes(&self) -> [u8; 32] { [42; 32] } +} + +fn pubkey(byte: u8) -> PublicKey { + let secp_ctx = Secp256k1::new(); + PublicKey::from_secret_key(&secp_ctx, &privkey(byte)) +} + +fn privkey(byte: u8) -> SecretKey { + SecretKey::from_slice(&[byte; 32]).unwrap() +} + +fn build_response<'a, T: secp256k1::Signing + secp256k1::Verification>( + refund: &'a Refund, signing_pubkey: PublicKey, secp_ctx: &Secp256k1 +) -> Result, 
SemanticError> { + let entropy_source = Randomness {}; + let paths = vec![ + BlindedPath::new(&[pubkey(43), pubkey(44), pubkey(42)], &entropy_source, secp_ctx).unwrap(), + BlindedPath::new(&[pubkey(45), pubkey(46), pubkey(42)], &entropy_source, secp_ctx).unwrap(), + ]; + + let payinfo = vec![ + BlindedPayInfo { + fee_base_msat: 1, + fee_proportional_millionths: 1_000, + cltv_expiry_delta: 42, + htlc_minimum_msat: 100, + htlc_maximum_msat: 1_000_000_000_000, + features: BlindedHopFeatures::empty(), + }, + BlindedPayInfo { + fee_base_msat: 1, + fee_proportional_millionths: 1_000, + cltv_expiry_delta: 42, + htlc_minimum_msat: 100, + htlc_maximum_msat: 1_000_000_000_000, + features: BlindedHopFeatures::empty(), + }, + ]; + + let payment_paths = paths.into_iter().zip(payinfo.into_iter()).collect(); + let payment_hash = PaymentHash([42; 32]); + refund.respond_with(payment_paths, payment_hash, signing_pubkey)?.build() +} + +pub fn refund_deser_test(data: &[u8], out: Out) { + do_test(data, out); +} + +#[no_mangle] +pub extern "C" fn refund_deser_run(data: *const u8, datalen: usize) { + do_test(unsafe { std::slice::from_raw_parts(data, datalen) }, test_logger::DevNull {}); +} diff --git a/fuzz/targets.h b/fuzz/targets.h index b09aacc4a..e46b68af2 100644 --- a/fuzz/targets.h +++ b/fuzz/targets.h @@ -6,6 +6,7 @@ void offer_deser_run(const unsigned char* data, size_t data_len); void onion_message_run(const unsigned char* data, size_t data_len); void peer_crypt_run(const unsigned char* data, size_t data_len); void process_network_graph_run(const unsigned char* data, size_t data_len); +void refund_deser_run(const unsigned char* data, size_t data_len); void router_run(const unsigned char* data, size_t data_len); void zbase32_run(const unsigned char* data, size_t data_len); void indexedmap_run(const unsigned char* data, size_t data_len); diff --git a/lightning/src/offers/payer.rs b/lightning/src/offers/payer.rs index e389a8f6d..7e1da769e 100644 --- a/lightning/src/offers/payer.rs 
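Review bot: `pubkey()` constructs a fresh `Secp256k1::new()` on every call, and `build_response` invokes it six times per fuzz input even though it already receives `secp_ctx`; context construction is comparatively expensive and this is the per-input hot path, so reuse the caller's context, e.g. `fn pubkey<T: secp256k1::Signing>(byte: u8, secp_ctx: &Secp256k1<T>) -> PublicKey { PublicKey::from_secret_key(secp_ctx, &privkey(byte)) }` with the six call sites in `build_response` passing `secp_ctx`. The `unsafe` block in `refund_deser_run` carries no `// SAFETY:` comment; add `// SAFETY: the caller passes a non-null pointer to datalen readable bytes that stay alive for this call` above it, since `from_raw_parts` is undefined behaviour on a null pointer or a shorter buffer. `Randomness::get_secure_random_bytes` returning `[42; 32]` deserves a why-comment such as `// Fixed entropy keeps the blinded paths deterministic so fuzz cases reproduce`. The invoice built in `do_test` is written to `buffer` and then dropped, so the response path is only checked for not panicking; if an invoice parser is available at this point it would be worth round-tripping `buffer` the same way `data` is round-tripped through `Refund`.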
+++ b/lightning/src/offers/payer.rs
@@ -17,7 +17,7 @@ use crate::prelude::*;
 /// [`InvoiceRequest::payer_id`].
 ///
 /// [`InvoiceRequest::payer_id`]: crate::offers::invoice_request::InvoiceRequest::payer_id
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq)]
 pub(super) struct PayerContents(pub Vec);
 tlv_stream!(PayerTlvStream, PayerTlvStreamRef, 0..1, {
diff --git a/lightning/src/offers/refund.rs b/lightning/src/offers/refund.rs
index 1488fbe97..cc0388c02 100644
--- a/lightning/src/offers/refund.rs
+++ b/lightning/src/offers/refund.rs
@@ -216,7 +216,7 @@ impl RefundBuilder {
 ///
 /// [`Invoice`]: crate::offers::invoice::Invoice
 /// [`Offer`]: crate::offers::offer::Offer
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq)]
 pub struct Refund {
 pub(super) bytes: Vec,
 pub(super) contents: RefundContents,
@@ -225,7 +225,7 @@ pub struct Refund {
 /// The contents of a [`Refund`], which may be shared with an [`Invoice`].
 ///
 /// [`Invoice`]: crate::offers::invoice::Invoice
-#[derive(Clone, Debug)]
+#[derive(Clone, Debug, PartialEq)]
 pub(super) struct RefundContents {
 payer: PayerContents,
 // offer fields
-- 
2.39.5