From 4bb216a61157f85b29919db8ea602a4a139706ea Mon Sep 17 00:00:00 2001
From: Matt Morehouse
Date: Thu, 8 Jun 2023 11:24:11 -0500
Subject: [PATCH] fuzz: add handshake act 1 target

The fuzz target uses static keys with a fuzzer-generated Act 1 packet.
---
 tests/fuzz/Makefile | 1 +
 tests/fuzz/fuzz-connectd-handshake-act1.c | 59 +++++++++++++++++++++++
 2 files changed, 60 insertions(+)
 create mode 100644 tests/fuzz/fuzz-connectd-handshake-act1.c

diff --git a/tests/fuzz/Makefile b/tests/fuzz/Makefile
index 4d292858f..21952092a 100644
--- a/tests/fuzz/Makefile
+++ b/tests/fuzz/Makefile
@@ -2,6 +2,7 @@ LIBFUZZ_SRC := tests/fuzz/libfuzz.c
 LIBFUZZ_HEADERS := $(LIBFUZZ_SRC:.c=.h)
 LIBFUZZ_OBJS := $(LIBFUZZ_SRC:.c=.o)
 
+tests/fuzz/fuzz-connectd-handshake-act*.o: tests/fuzz/connectd_handshake.h
 FUZZ_TARGETS_SRC := $(wildcard tests/fuzz/fuzz-*.c)
 FUZZ_TARGETS_OBJS := $(FUZZ_TARGETS_SRC:.c=.o)
 
diff --git a/tests/fuzz/fuzz-connectd-handshake-act1.c b/tests/fuzz/fuzz-connectd-handshake-act1.c
new file mode 100644
index 000000000..ece0d82fe
--- /dev/null
+++ b/tests/fuzz/fuzz-connectd-handshake-act1.c
@@ -0,0 +1,59 @@
+/* This is a fuzz test for Act 1 of the BOLT 8 handshake. We intercept io_read()
+ * to inject the fuzzer-generated Act 1 packet in the handshake.
+ *
+ * The expected sequence of events for this test is:
+ * 1. responder calls io_read() for the Act 1 packet
+ * - we inject the fuzzer-generated packet
+ * 2. responder fails to validate the packet
+ */
+#include "config.h"
+#include
+#include
+#include
+#include
+#include
+
+/* The io_write() interceptor.
+ *
+ * The handshake should fail during Act 1 packet validation, so this should
+ * never be called. */
+static struct io_plan *
+test_write(struct io_conn *conn, const void *data, size_t len,
+ struct io_plan *(*next)(struct io_conn *, struct handshake *),
+ struct handshake *h)
+{
+ assert(false && "unexpected call to io_write()");
+}
+
+/* The io_read() interceptor.
+ *
+ * This should be called exactly once, when the responder is reading the Act 1
+ * packet. We inject fuzzer input here. */
+static struct io_plan *test_read(struct io_conn *conn, void *data, size_t len,
+ struct io_plan *(*next)(struct io_conn *,
+ struct handshake *),
+ struct handshake *h)
+{
+ ++read_count;
+ assert(read_count == 1 && "too many calls to io_read()");
+
+ assert(len == ACT_ONE_SIZE);
+ assert(bytes_remaining >= len);
+ memcpy(data, bytes, len);
+ bytes += len;
+ bytes_remaining -= len;
+
+ return next(conn, h);
+}
+
+void run(const uint8_t *data, size_t size)
+{
+ if (size < randombytes_SEEDBYTES + ACT_ONE_SIZE)
+ return;
+
+ init_globals(data, size);
+
+ handshake(RESPONDER);
+
+ clean_tmpctx();
+}
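Review bot: test_write has no return statement after `assert(false && "unexpected call to io_write()")`, so in a build where NDEBUG is defined the assert vanishes and control falls off the end of a non-void function, which is undefined behavior as soon as the caller uses the returned io_plan pointer. Make the termination unconditional so the oracle does not depend on assertions being compiled in: keep the assert and follow it with `abort();` (declared in <stdlib.h>; the #include lines in the hunk are stripped in this rendering, so I cannot tell whether it is already included). The assertions in test_read and run are likewise this target's only oracle, so a one-line comment at the top of the file stating that the target must be built without NDEBUG would make that requirement explicit. read_count, bytes, bytes_remaining and init_globals are not defined in this hunk; presumably they come from tests/fuzz/connectd_handshake.h, which the Makefile hunk adds as a prerequisite.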