From 0666928c5c367506b0173118153bb804e46eca44 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Tue, 13 Dec 2016 20:23:16 -0500 Subject: [PATCH] Replace signature-checking and digest-checking while fuzzing --- src/test/fuzz/fuzz_descriptor.c | 49 ++++++++++++++++++++- src/test/fuzz/fuzzing.h | 2 + src/test/fuzz/fuzzing_common.c | 78 ++++++++++++++++++++++++++++++++- 3 files changed, 126 insertions(+), 3 deletions(-) diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c index 12297fdfc2..563787b7cc 100644 --- a/src/test/fuzz/fuzz_descriptor.c +++ b/src/test/fuzz/fuzz_descriptor.c @@ -1,12 +1,53 @@ - +#define ROUTERPARSE_PRIVATE #include "or.h" #include "routerparse.h" #include "routerlist.h" +#include "routerkeys.h" #include "fuzzing.h" +static int +mock_check_tap_onion_key_crosscert__nocheck(const uint8_t *crosscert, + int crosscert_len, + const crypto_pk_t *onion_pkey, + const ed25519_public_key_t *master_id_pkey, + const uint8_t *rsa_id_digest) +{ + tor_assert(crosscert && onion_pkey && master_id_pkey && rsa_id_digest); + /* we could look at crosscert[..] */ + (void) crosscert_len; + return 0; +} + +static void +mock_dump_desc__nodump(const char *desc, const char *type) +{ + (void)desc; + (void)type; +} + +static int +mock_router_produce_hash_final__nohash(char *digest, + const char *start, size_t len, + digest_algorithm_t alg) +{ + (void)start; + (void)len; + /* we could look at start[..] */ + if (alg == DIGEST_SHA1) + memset(digest, 0x01, 20); + else + memset(digest, 0x02, 32); + return 0; +} + int fuzz_init(void) { + disable_signature_checking(); + MOCK(check_tap_onion_key_crosscert, + mock_check_tap_onion_key_crosscert__nocheck); + MOCK(dump_desc, mock_dump_desc__nodump); + MOCK(router_compute_hash_final, mock_router_produce_hash_final__nohash); ed25519_init(); return 0; } 
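Review bot: In `mock_router_produce_hash_final__nohash` the `else` branch writes 32 bytes for every algorithm other than `DIGEST_SHA1`, so a caller asking for a longer digest type would get a buffer that is only partly filled and no indication that the mock did not cover it. Branching explicitly and asserting on anything else would surface that: `else if (alg == DIGEST_SHA256) memset(digest, 0x02, DIGEST256_LEN); else tor_assert(0);`, with `DIGEST_LEN` in place of the literal `20`. The mock is named `router_produce_hash_final` while `fuzz_init()` installs it over `router_compute_hash_final`; matching the names would make it easier to find. Because `fuzz_init()` now replaces signature, cross-certificate and digest verification in one go, a short comment above it saying that these mocks accept any input and exist only for the fuzz harness would be worth adding.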
@@ -25,8 +66,12 @@ fuzz_main(const uint8_t *data, size_t sz) ri = router_parse_entry_from_string((const char *)str, str+sz, 0, 0, 0, NULL); - if (ri) + if (ri) { + log_debug(LD_GENERAL, "Parsing okay"); routerinfo_free(ri); + } else { + log_debug(LD_GENERAL, "Parsing failed"); + } return 0; } diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h index 794ed1461e..a8cbb1d9e8 100644 --- a/src/test/fuzz/fuzzing.h +++ b/src/test/fuzz/fuzzing.h @@ -5,4 +5,6 @@ int fuzz_init(void); int fuzz_cleanup(void); int fuzz_main(const uint8_t *data, size_t sz); +void disable_signature_checking(void); + #endif /* FUZZING_H */ diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c index 87affc4c04..e17bae3565 100644 --- a/src/test/fuzz/fuzzing_common.c +++ b/src/test/fuzz/fuzzing_common.c 
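Review bot: `disable_signature_checking()` is exported from fuzzing.h with no comment, although its effect is process-wide: the definition in fuzzing_common.c swaps the RSA and Ed25519 verification functions for mocks that succeed on any input. I would document that on the prototype, e.g. `/** Replace RSA and Ed25519 signature checking with mocks that accept everything. For fuzzing harnesses only. */`, so that nobody calls it from an ordinary unit test that expects real verification to run afterwards.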
@@ -1,13 +1,88 @@
+#define CRYPTO_ED25519_PRIVATE
 #include "orconfig.h"
 #include "or.h"
 #include "backtrace.h"
 #include "config.h"
 #include "fuzzing.h"
+#include "crypto.h"
+#include "crypto_ed25519.h"
 extern const char tor_git_revision[];
 const char tor_git_revision[] = "";
-#define MAX_FUZZ_SIZE (128*1024)
+static int
+mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to,
+ size_t tolen,
+ const char *from, size_t fromlen)
+{
+ tor_assert(env && to && from);
+ (void)fromlen;
+ /* We could look at from[0..fromlen-1] ... */
+ tor_assert(tolen >= crypto_pk_keysize(env));
+ memset(to, 0x01, 20);
+ return 20;
+}
+
+static int
+mock_crypto_pk_public_checksig_digest__nocheck(crypto_pk_t *env,
+ const char *data,
+ size_t datalen,
+ const char *sig,
+ size_t siglen)
+{
+ tor_assert(env && data && sig);
+ (void)datalen;
+ (void)siglen;
+ /* We could look at data[..] and sig[..] */
+ return 0;
+}
+
+static int
+mock_ed25519_checksig__nocheck(const ed25519_signature_t *signature,
+ const uint8_t *msg, size_t len,
+ const ed25519_public_key_t *pubkey)
+{
+ tor_assert(signature && msg && pubkey);
+ /* We could look at msg[0..len-1] ... */
+ (void)len;
+ return 0;
+}
+
+static int
+mock_ed25519_checksig_batch__nocheck(int *okay_out,
+ const ed25519_checkable_t *checkable,
+ int n_checkable)
+{
+ tor_assert(checkable);
+ int i;
+ for (i = 0; i < n_checkable; ++i) {
+ /* We could look at messages and signatures XXX */
+ tor_assert(checkable[i].pubkey);
+ tor_assert(checkable[i].msg);
+ if (okay_out)
+ okay_out[i] = 1;
+ }
+ return 0;
+}
+
+static int
+mock_ed25519_impl_spot_check__nocheck(void)
+{
+ return 0;
+}
+
+
+void
+disable_signature_checking(void)
+{
+ MOCK(crypto_pk_public_checksig,
+ mock_crypto_pk_public_checksig__nocheck);
+ MOCK(crypto_pk_public_checksig_digest,
+ mock_crypto_pk_public_checksig_digest__nocheck);
+ MOCK(ed25519_checksig, mock_ed25519_checksig__nocheck);
+ MOCK(ed25519_checksig_batch, mock_ed25519_checksig_batch__nocheck);
+ MOCK(ed25519_impl_spot_check, mock_ed25519_impl_spot_check__nocheck);
+}
 #ifdef LLVM_FUZZ
 int
@@ -70,6 +145,7 @@ main(int argc, char **argv)
 __AFL_INIT();
 #endif
+#define MAX_FUZZ_SIZE (128*1024)
 char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
 tor_assert(input);
 fuzz_main((const uint8_t*)input, size);
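Review bot: `mock_crypto_pk_public_checksig__nocheck` hands back 20 bytes of `0x01`, the same pattern that the `DIGEST_SHA1` branch of the hash mock in fuzz_descriptor.c writes, and nothing in either file records that the two values have to agree. That pairing looks like what lets an RSA-signed input get past the digest comparison under fuzzing, so changing one fill value would presumably make every such comparison fail and leave the fuzzer exploring only the rejection path. A comment on both mocks, such as `/* Must match the DIGEST_SHA1 fill in mock_router_produce_hash_final__nohash() */`, together with `DIGEST_LEN` instead of the literal `20`, would make the dependency explicit. In `mock_ed25519_checksig_batch__nocheck`, `tor_assert(checkable)` also fires for a call with `n_checkable == 0` and a NULL array; whether any caller does that is not visible from this hunk.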