aljaz/lightning
1
0
Fork 0
mirror of https://github.com/aljazceru/lightning.git synced 2025-12-19 15:14:23 +01:00
Code Issues Packages Projects Releases Wiki Activity

fuzz: add handshake act 2 target

Browse Source 
The fuzz target uses static keys with a fuzzer-generated Act 2 packet.
This commit is contained in:
Matt Morehouse
2023-06-08 11:27:37 -05:00
committed by Rusty Russell
parent 4bb216a611
commit a203db00ca
1 changed files with 68 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

68
tests/fuzz/fuzz-connectd-handshake-act2.c Normal file
View File

@@ -0,0 +1,68 @@
/* This is a fuzz test for Act 2 of the BOLT 8 handshake. We intercept io_read()
* to inject the fuzzer-generated Act 2 packet in the handshake.
*
* The expected sequence of events for this test is:
* 1. initiator calls io_write() with an Act 1 packet
* - we discard the valid Act 1 packet
* 2. initiator calls io_read() for the Act 2 packet
* - we inject the fuzzer-generated packet
* 3. initiator fails to validate the packet
*/
#include "config.h"
#include <assert.h>
#include <ccan/io/io.h>
#include <ccan/mem/mem.h>
#include <common/utils.h>
#include <tests/fuzz/connectd_handshake.h>
#include <tests/fuzz/libfuzz.h>
/* The io_write() interceptor.
*
* This should be called exactly once, when the initiator is writing out its Act
* 1 packet. We check that the packet is initialized and discard it. */
static struct io_plan *
test_write(struct io_conn *conn, const void *data, size_t len,
struct io_plan *(*next)(struct io_conn *, struct handshake *),
struct handshake *h)
{
++write_count;
assert(write_count == 1 && "too many calls to io_write()");
assert(len == ACT_ONE_SIZE);
memcheck(data, len);
return next(conn, h);
}
/* The io_read() interceptor.
*
* This should be called exactly once, when the initiator is reading the Act 2
* packet. We inject fuzzer input here. */
static struct io_plan *test_read(struct io_conn *conn, void *data, size_t len,
struct io_plan *(*next)(struct io_conn *,
struct handshake *),
struct handshake *h)
{
++read_count;
assert(read_count == 1 && "too many calls to io_read()");
assert(len == ACT_TWO_SIZE);
assert(bytes_remaining >= len);
memcpy(data, bytes, len);
bytes += len;
bytes_remaining -= len;
return next(conn, h);
}
void run(const u8 *data, size_t size)
{
if (size < randombytes_SEEDBYTES + ACT_TWO_SIZE)
return;
init_globals(data, size);
handshake(INITIATOR);
clean_tmpctx();
}