|
| 1 | +/* This is a fuzz test for `peer_init_received()`, which is responsible for |
| 2 | + * handling BOLT #1 `init` messages. All this test essentially does in encode |
| 3 | + * the fuzzer's input as the payload for a cryptographically valid 'init' |
| 4 | + * message and pass it to this handler. |
| 5 | + */ |
| 6 | +#include "config.h" |
| 7 | +#include <fcntl.h> |
| 8 | +#include <ccan/ccan/io/io.h> |
| 9 | +#include <ccan/ccan/str/hex/hex.h> |
| 10 | +#include <common/setup.h> |
| 11 | +#include <common/utils.h> |
| 12 | +#include <tests/fuzz/libfuzz.h> |
| 13 | + |
| 14 | +static struct io_plan *test_write(struct io_conn *conn, const void *data, |
| 15 | + size_t len, struct io_plan *(*next)(struct io_conn *, void *), void *arg); |
| 16 | + |
| 17 | +static struct io_plan *test_read(struct io_conn *conn, void *data, size_t len, |
| 18 | + struct io_plan *(*next)(struct io_conn *, void *), void *arg); |
| 19 | + |
| 20 | +#undef io_write |
| 21 | +#define io_write(conn, data, len, cb, cb_arg) \ |
| 22 | + test_write((conn), \ |
| 23 | + (data), \ |
| 24 | + (len), \ |
| 25 | + (struct io_plan *(*)(struct io_conn *, void *))(cb), \ |
| 26 | + (void *)(cb_arg)) |
| 27 | + |
| 28 | +#undef io_read |
| 29 | +#define io_read(conn, data, len, cb, cb_arg) \ |
| 30 | + test_read((conn), \ |
| 31 | + (data), \ |
| 32 | + (len), \ |
| 33 | + (struct io_plan *(*)(struct io_conn *, void *))(cb), \ |
| 34 | + (void *)(cb_arg)) |
| 35 | + |
| 36 | +#include "../../connectd/peer_exchange_initmsg.c" |
| 37 | + |
| 38 | +/* MOCKS START */ |
| 39 | +bool address_routable(const struct wireaddr *wireaddr UNNEEDED, |
| 40 | + bool allow_localhost UNNEEDED) |
| 41 | +{ return false; } |
| 42 | +struct io_plan *peer_connected(struct io_conn *conn UNNEEDED, |
| 43 | + struct daemon *daemon UNNEEDED, |
| 44 | + const struct node_id *id UNNEEDED, |
| 45 | + const struct wireaddr_internal *addr UNNEEDED, |
| 46 | + const struct wireaddr *remote_addr UNNEEDED, |
| 47 | + struct crypto_state *cs UNNEEDED, |
| 48 | + const u8 *their_features TAKES UNNEEDED, |
| 49 | + enum is_websocket is_websocket UNNEEDED, |
| 50 | + bool incoming UNNEEDED) |
| 51 | +{ if (taken(their_features)) |
| 52 | + tal_steal(tmpctx, their_features); |
| 53 | + return io_close(conn); |
| 54 | +} |
| 55 | +/* MOCKS END */ |
| 56 | + |
| 57 | +/* These functions are only called when `peer_init_received()` |
| 58 | + * enounters an error or an unknown message. Simply return |
| 59 | + * when that happens. |
| 60 | + */ |
| 61 | +static struct io_plan * |
| 62 | +test_write(struct io_conn *conn, const void *data, size_t len, |
| 63 | + struct io_plan *(*next)(struct io_conn *, void *), void *arg) |
| 64 | +{ |
| 65 | + return io_close(conn); |
| 66 | +} |
| 67 | + |
| 68 | +static struct io_plan * |
| 69 | +test_read(struct io_conn *conn, void *data, size_t len, |
| 70 | + struct io_plan *(*next)(struct io_conn *, void *), void *arg) |
| 71 | +{ |
| 72 | + return io_close(conn); |
| 73 | +} |
| 74 | + |
| 75 | +static struct secret secret_from_hex(const char *hex) |
| 76 | +{ |
| 77 | + struct secret secret; |
| 78 | + hex += 2; |
| 79 | + if (!hex_decode(hex, strlen(hex), &secret, sizeof(secret))) |
| 80 | + abort(); |
| 81 | + return secret; |
| 82 | +} |
| 83 | + |
| 84 | +/* Encodes the given message. Stores the decrypting crypto_state in `cs`. */ |
| 85 | +static u8 *encode_msg(const tal_t *ctx, const void *message, size_t size, struct crypto_state *cs) |
| 86 | +{ |
| 87 | + struct crypto_state cs_out, cs_in; |
| 88 | + struct secret sk, rk, ck; |
| 89 | + u16 len; |
| 90 | + |
| 91 | + void *msg = tal_dup_arr(ctx, char, message, size, 0); |
| 92 | + |
| 93 | + ck = secret_from_hex("0x919219dbb2920afa8db80f9a51787a840bcf111ed8d588caf9ab4be716e42b01"); |
| 94 | + sk = secret_from_hex("0x969ab31b4d288cedf6218839b27a3e2140827047f2c0f01bf5c04435d43511a9"); |
| 95 | + rk = secret_from_hex("0xbb9020b8965f4df047e07f955f3c4b88418984aadc5cdb35096b9ea8fa5c3442"); |
| 96 | + |
| 97 | + cs_out.sn = cs_out.rn = cs_in.sn = cs_in.rn = 0; |
| 98 | + cs_out.sk = cs_in.rk = sk; |
| 99 | + cs_out.rk = cs_in.sk = rk; |
| 100 | + cs_out.s_ck = cs_out.r_ck = cs_in.s_ck = cs_in.r_ck = ck; |
| 101 | + |
| 102 | + u8 *encoded_msg = cryptomsg_encrypt_msg(ctx, &cs_out, msg); |
| 103 | + |
| 104 | + if (!cryptomsg_decrypt_header(&cs_in, encoded_msg, &len)) |
| 105 | + abort(); |
| 106 | + |
| 107 | + /* Trim header */ |
| 108 | + memmove(encoded_msg, encoded_msg + CRYPTOMSG_HDR_SIZE, |
| 109 | + tal_bytelen(encoded_msg) - CRYPTOMSG_HDR_SIZE); |
| 110 | + tal_resize(&encoded_msg, tal_bytelen(encoded_msg) - CRYPTOMSG_HDR_SIZE); |
| 111 | + |
| 112 | + *cs = cs_in; |
| 113 | + return encoded_msg; |
| 114 | +} |
| 115 | + |
| 116 | +static struct io_plan *do_nothing(struct io_conn *conn, void *side) |
| 117 | +{ |
| 118 | + return io_close(conn); |
| 119 | +} |
| 120 | + |
| 121 | +void init(int *argc, char ***argv) |
| 122 | +{ |
| 123 | + chainparams = chainparams_for_network("bitcoin"); |
| 124 | + /* Don't call this if we're in unit-test mode, as libfuzz.c does it */ |
| 125 | + if (!tmpctx) |
| 126 | + common_setup("fuzzer"); |
| 127 | + int devnull = open("/dev/null", O_WRONLY); |
| 128 | + status_setup_sync(devnull); |
| 129 | + dev_towire_allow_invalid_node_id = true; |
| 130 | +} |
| 131 | + |
| 132 | +void run(const uint8_t *data, size_t size) |
| 133 | +{ |
| 134 | + struct io_conn *conn; |
| 135 | + struct crypto_state cs; |
| 136 | + struct early_peer *peer; |
| 137 | + u8 *encoded_msg; |
| 138 | + |
| 139 | + encoded_msg = encode_msg(tmpctx, data, size, &cs); |
| 140 | + peer = tal(tmpctx, struct early_peer); |
| 141 | + peer->cs = cs; |
| 142 | + peer->msg = encoded_msg; |
| 143 | + peer->incoming = true; |
| 144 | + peer->daemon = talz(tmpctx, struct daemon); |
| 145 | + peer->timeout = NULL; |
| 146 | + |
| 147 | + conn = io_new_conn(tmpctx, -1, do_nothing, NULL); |
| 148 | + peer_init_received(conn, peer); |
| 149 | + |
| 150 | + clean_tmpctx(); |
| 151 | +} |
0 commit comments