Replace signature-checking and digest-checking while fuzzing

2024-11-11 13:43:47 +01:00 · 2016-12-13 20:23:16 -05:00 · 2016-12-13 20:23:16 -05:00 · 0666928c5c
commit 0666928c5c
parent e2aeaeb76c
3 changed files with 126 additions and 3 deletions
--- a/src/test/fuzz/fuzz_descriptor.c
+++ b/src/test/fuzz/fuzz_descriptor.c
@ -1,12 +1,53 @@
-
+#define ROUTERPARSE_PRIVATE
 #include "or.h"
 #include "routerparse.h"
 #include "routerlist.h"
+#include "routerkeys.h"
 #include "fuzzing.h"

+static int
+mock_check_tap_onion_key_crosscert__nocheck(const uint8_t *crosscert,
+                                   int crosscert_len,
+                                   const crypto_pk_t *onion_pkey,
+                                   const ed25519_public_key_t *master_id_pkey,
+                                   const uint8_t *rsa_id_digest)
+{
+  tor_assert(crosscert && onion_pkey && master_id_pkey && rsa_id_digest);
+  /* we could look at crosscert[..] */
+  (void) crosscert_len;
+  return 0;
+}
+
+static void
+mock_dump_desc__nodump(const char *desc, const char *type)
+{
+  (void)desc;
+  (void)type;
+}
+
+static int
+mock_router_produce_hash_final__nohash(char *digest,
+                                       const char *start, size_t len,
+                                       digest_algorithm_t alg)
+{
+  (void)start;
+  (void)len;
+  /* we could look at start[..] */
+  if (alg == DIGEST_SHA1)
+    memset(digest, 0x01, 20);
+  else
+    memset(digest, 0x02, 32);
+  return 0;
+}
+
 int
 fuzz_init(void)
 {
+  disable_signature_checking();
+  MOCK(check_tap_onion_key_crosscert,
+       mock_check_tap_onion_key_crosscert__nocheck);
+  MOCK(dump_desc, mock_dump_desc__nodump);
+  MOCK(router_compute_hash_final, mock_router_produce_hash_final__nohash);
  ed25519_init();
  return 0;
 }
@ -25,8 +66,12 @@ fuzz_main(const uint8_t *data, size_t sz)
  ri = router_parse_entry_from_string((const char *)str,
                                      str+sz,
                                      0, 0, 0, NULL);
-  if (ri)
+  if (ri) {
+    log_debug(LD_GENERAL, "Parsing okay");
    routerinfo_free(ri);
+  } else {
+    log_debug(LD_GENERAL, "Parsing failed");
+  }
  return 0;
 }

--- a/src/test/fuzz/fuzzing.h
+++ b/src/test/fuzz/fuzzing.h
@ -5,4 +5,6 @@ int fuzz_init(void);
 int fuzz_cleanup(void);
 int fuzz_main(const uint8_t *data, size_t sz);

+void disable_signature_checking(void);
+
 #endif /* FUZZING_H */
--- a/src/test/fuzz/fuzzing_common.c
+++ b/src/test/fuzz/fuzzing_common.c
@ -1,13 +1,88 @@
+#define CRYPTO_ED25519_PRIVATE
 #include "orconfig.h"
 #include "or.h"
 #include "backtrace.h"
 #include "config.h"
 #include "fuzzing.h"
+#include "crypto.h"
+#include "crypto_ed25519.h"

 extern const char tor_git_revision[];
 const char tor_git_revision[] = "";

-#define MAX_FUZZ_SIZE (128*1024)
+static int
+mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to,
+                                        size_t tolen,
+                                        const char *from, size_t fromlen)
+{
+  tor_assert(env && to && from);
+  (void)fromlen;
+  /* We could look at from[0..fromlen-1] ... */
+  tor_assert(tolen >= crypto_pk_keysize(env));
+  memset(to, 0x01, 20);
+  return 20;
+}
+
+static int
+mock_crypto_pk_public_checksig_digest__nocheck(crypto_pk_t *env,
+                                               const char *data,
+                                               size_t datalen,
+                                               const char *sig,
+                                               size_t siglen)
+{
+  tor_assert(env && data && sig);
+  (void)datalen;
+  (void)siglen;
+  /* We could look at data[..] and sig[..] */
+  return 0;
+}
+
+static int
+mock_ed25519_checksig__nocheck(const ed25519_signature_t *signature,
+                      const uint8_t *msg, size_t len,
+                      const ed25519_public_key_t *pubkey)
+{
+  tor_assert(signature && msg && pubkey);
+  /* We could look at msg[0..len-1] ... */
+  (void)len;
+  return 0;
+}
+
+static int
+mock_ed25519_checksig_batch__nocheck(int *okay_out,
+                                     const ed25519_checkable_t *checkable,
+                                     int n_checkable)
+{
+  tor_assert(checkable);
+  int i;
+  for (i = 0; i < n_checkable; ++i) {
+    /* We could look at messages and signatures XXX */
+    tor_assert(checkable[i].pubkey);
+    tor_assert(checkable[i].msg);
+    if (okay_out)
+      okay_out[i] = 1;
+  }
+  return 0;
+}
+
+static int
+mock_ed25519_impl_spot_check__nocheck(void)
+{
+  return 0;
+}
+
+
+void
+disable_signature_checking(void)
+{
+  MOCK(crypto_pk_public_checksig,
+       mock_crypto_pk_public_checksig__nocheck);
+  MOCK(crypto_pk_public_checksig_digest,
+       mock_crypto_pk_public_checksig_digest__nocheck);
+  MOCK(ed25519_checksig, mock_ed25519_checksig__nocheck);
+  MOCK(ed25519_checksig_batch, mock_ed25519_checksig_batch__nocheck);
+  MOCK(ed25519_impl_spot_check, mock_ed25519_impl_spot_check__nocheck);
+}

 #ifdef LLVM_FUZZ
 int
@ -70,6 +145,7 @@ main(int argc, char **argv)
  __AFL_INIT();
 #endif

+#define MAX_FUZZ_SIZE (128*1024)
  char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
  tor_assert(input);
  fuzz_main((const uint8_t*)input, size);