[tor-commits] [tor/master] Replace signature-checking and digest-checking while fuzzing
nickm at torproject.org
nickm at torproject.org
Mon Jan 30 13:45:47 UTC 2017
commit 0666928c5c367506b0173118153bb804e46eca44
Author: Nick Mathewson <nickm at torproject.org>
Date: Tue Dec 13 20:23:16 2016 -0500
Replace signature-checking and digest-checking while fuzzing
---
src/test/fuzz/fuzz_descriptor.c | 49 ++++++++++++++++++++++++--
src/test/fuzz/fuzzing.h | 2 ++
src/test/fuzz/fuzzing_common.c | 78 ++++++++++++++++++++++++++++++++++++++++-
3 files changed, 126 insertions(+), 3 deletions(-)
diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c
index 12297fd..563787b 100644
--- a/src/test/fuzz/fuzz_descriptor.c
+++ b/src/test/fuzz/fuzz_descriptor.c
@@ -1,12 +1,53 @@
-
+#define ROUTERPARSE_PRIVATE
#include "or.h"
#include "routerparse.h"
#include "routerlist.h"
+#include "routerkeys.h"
#include "fuzzing.h"
+static int
+mock_check_tap_onion_key_crosscert__nocheck(const uint8_t *crosscert,
+ int crosscert_len,
+ const crypto_pk_t *onion_pkey,
+ const ed25519_public_key_t *master_id_pkey,
+ const uint8_t *rsa_id_digest)
+{
+ tor_assert(crosscert && onion_pkey && master_id_pkey && rsa_id_digest);
+ /* we could look at crosscert[..] */
+ (void) crosscert_len;
+ return 0;
+}
+
+static void
+mock_dump_desc__nodump(const char *desc, const char *type)
+{
+ (void)desc;
+ (void)type;
+}
+
+static int
+mock_router_produce_hash_final__nohash(char *digest,
+ const char *start, size_t len,
+ digest_algorithm_t alg)
+{
+ (void)start;
+ (void)len;
+ /* we could look at start[..] */
+ if (alg == DIGEST_SHA1)
+ memset(digest, 0x01, 20);
+ else
+ memset(digest, 0x02, 32);
+ return 0;
+}
+
int
fuzz_init(void)
{
+ disable_signature_checking();
+ MOCK(check_tap_onion_key_crosscert,
+ mock_check_tap_onion_key_crosscert__nocheck);
+ MOCK(dump_desc, mock_dump_desc__nodump);
+ MOCK(router_compute_hash_final, mock_router_produce_hash_final__nohash);
ed25519_init();
return 0;
}
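Review bot: In `mock_router_produce_hash_final__nohash` the `else` branch treats every algorithm other than `DIGEST_SHA1` as a 32-byte digest, so a caller passing a longer-digest algorithm would get a buffer that is only partly filled and still see a success return. The callers are not visible in this hunk, so this may not be reachable today, but the mock should state its assumption with `tor_assert(alg == DIGEST_SHA1 || alg == DIGEST_SHA256);` and use `DIGEST_LEN` / `DIGEST256_LEN` instead of the bare `20` and `32`. The mock is named `..._produce_hash_final...` while the function it replaces is `router_compute_hash_final`; matching the names would make the `MOCK()` line easier to audit. A short comment that the constant digests deliberately make every descriptor hash identically, so the parser code after the digest check is reached by the fuzzer, would also help the next reader.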
@@ -25,8 +66,12 @@ fuzz_main(const uint8_t *data, size_t sz)
ri = router_parse_entry_from_string((const char *)str,
str+sz,
0, 0, 0, NULL);
- if (ri)
+ if (ri) {
+ log_debug(LD_GENERAL, "Parsing okay");
routerinfo_free(ri);
+ } else {
+ log_debug(LD_GENERAL, "Parsing failed");
+ }
return 0;
}
diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h
index 794ed14..a8cbb1d 100644
--- a/src/test/fuzz/fuzzing.h
+++ b/src/test/fuzz/fuzzing.h
@@ -5,4 +5,6 @@ int fuzz_init(void);
int fuzz_cleanup(void);
int fuzz_main(const uint8_t *data, size_t sz);
+void disable_signature_checking(void);
+
#endif /* FUZZING_H */
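Review bot: The new `disable_signature_checking()` prototype has no comment, although it is the one call that turns off RSA and Ed25519 verification for the whole process. I would document the contract at the declaration, for example `/** Replace all RSA and Ed25519 signature checks with mocks that accept any input. For fuzzing harnesses only; call once from fuzz_init(). */`. Someone reading only the header then knows the function is not meant to be reachable outside the fuzz binaries.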
diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c
index 87affc4..e17bae3 100644
--- a/src/test/fuzz/fuzzing_common.c
+++ b/src/test/fuzz/fuzzing_common.c
@@ -1,13 +1,88 @@
+#define CRYPTO_ED25519_PRIVATE
#include "orconfig.h"
#include "or.h"
#include "backtrace.h"
#include "config.h"
#include "fuzzing.h"
+#include "crypto.h"
+#include "crypto_ed25519.h"
extern const char tor_git_revision[];
const char tor_git_revision[] = "";
-#define MAX_FUZZ_SIZE (128*1024)
+static int
+mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to,
+ size_t tolen,
+ const char *from, size_t fromlen)
+{
+ tor_assert(env && to && from);
+ (void)fromlen;
+ /* We could look at from[0..fromlen-1] ... */
+ tor_assert(tolen >= crypto_pk_keysize(env));
+ memset(to, 0x01, 20);
+ return 20;
+}
+
+static int
+mock_crypto_pk_public_checksig_digest__nocheck(crypto_pk_t *env,
+ const char *data,
+ size_t datalen,
+ const char *sig,
+ size_t siglen)
+{
+ tor_assert(env && data && sig);
+ (void)datalen;
+ (void)siglen;
+ /* We could look at data[..] and sig[..] */
+ return 0;
+}
+
+static int
+mock_ed25519_checksig__nocheck(const ed25519_signature_t *signature,
+ const uint8_t *msg, size_t len,
+ const ed25519_public_key_t *pubkey)
+{
+ tor_assert(signature && msg && pubkey);
+ /* We could look at msg[0..len-1] ... */
+ (void)len;
+ return 0;
+}
+
+static int
+mock_ed25519_checksig_batch__nocheck(int *okay_out,
+ const ed25519_checkable_t *checkable,
+ int n_checkable)
+{
+ tor_assert(checkable);
+ int i;
+ for (i = 0; i < n_checkable; ++i) {
+ /* We could look at messages and signatures XXX */
+ tor_assert(checkable[i].pubkey);
+ tor_assert(checkable[i].msg);
+ if (okay_out)
+ okay_out[i] = 1;
+ }
+ return 0;
+}
+
+static int
+mock_ed25519_impl_spot_check__nocheck(void)
+{
+ return 0;
+}
+
+
+void
+disable_signature_checking(void)
+{
+ MOCK(crypto_pk_public_checksig,
+ mock_crypto_pk_public_checksig__nocheck);
+ MOCK(crypto_pk_public_checksig_digest,
+ mock_crypto_pk_public_checksig_digest__nocheck);
+ MOCK(ed25519_checksig, mock_ed25519_checksig__nocheck);
+ MOCK(ed25519_checksig_batch, mock_ed25519_checksig_batch__nocheck);
+ MOCK(ed25519_impl_spot_check, mock_ed25519_impl_spot_check__nocheck);
+}
#ifdef LLVM_FUZZ
int
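Review bot: `mock_crypto_pk_public_checksig__nocheck` writes a hard-coded 20 bytes into `to`, but the only bound it asserts is `tolen >= crypto_pk_keysize(env)`, which is related to the write size only by the assumption that the key is at least 20 bytes. Tie the check to what is actually written: `tor_assert(tolen >= DIGEST_LEN); memset(to, 0x01, DIGEST_LEN); return DIGEST_LEN;`. The `0x01` fill looks chosen to equal the SHA1 output of the hash mock in fuzz_descriptor.c so that the "recovered" digest compares equal; that cross-file coupling deserves a comment here, since changing either constant alone would make every RSA-signed input fail. In `mock_ed25519_checksig_batch__nocheck`, `int i;` is declared after the `tor_assert` statement; moving it to the top of the block keeps the function consistent with the other mocks.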
@@ -70,6 +145,7 @@ main(int argc, char **argv)
__AFL_INIT();
#endif
+#define MAX_FUZZ_SIZE (128*1024)
char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size);
tor_assert(input);
fuzz_main((const uint8_t*)input, size);