Skip to content

Onion messages: add fuzz testing #1648

Merged
valentinewallace merged 2 commits intolightningdevkit:mainfrom
valentinewallace:2022-08-fuzz-onion-msgs
Aug 17, 2022
Merged

Onion messages: add fuzz testing #1648
valentinewallace merged 2 commits intolightningdevkit:mainfrom
valentinewallace:2022-08-fuzz-onion-msgs

Conversation

@valentinewallace
Copy link
Contributor

@valentinewallace valentinewallace commented Aug 3, 2022
edited
Loading

Adds fuzz testing for onion messages.

@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch from afd32fd to 2721637 Compare August 4, 2022 15:05
@valentinewallace valentinewallace marked this pull request as ready for review August 4, 2022 15:25
@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch 2 times, most recently from d5aafda to 5eacbb5 Compare August 4, 2022 23:42
@TheBlueMatt
Copy link
Collaborator

TheBlueMatt commented Aug 5, 2022

Test LGTM, giving this some CPU cycles now.

@TheBlueMatt
Copy link
Collaborator

TheBlueMatt commented Aug 7, 2022

Hmmm, I gave this a few weeks of CPU time and it wasn't able to find its way into a valid onion message decryption at all. This tells me we need to seed the fuzzer, like the way we do full_stack_target, at least, if not find a way to simplify the target here. I'm not sure quite how to simplify the target greatly, though, so maybe just seed it and move on.

@TheBlueMatt
Copy link
Collaborator

TheBlueMatt commented Aug 7, 2022

Specifically, the fuzzer did not fail with this patch:

diff --git a/lightning/src/onion_message/messenger.rs b/lightning/src/onion_message/messenger.rs
index 7eba3cdd..617ed434 100644
--- a/lightning/src/onion_message/messenger.rs
+++ b/lightning/src/onion_message/messenger.rs
@@ -211,11 +211,13 @@ impl<Signer: Sign, K: Deref, L: Deref> OnionMessenger<Signer, K, L>
                        Ok((Payload::Receive {
                                control_tlvs: ReceiveControlTlvs::Unblinded(ReceiveTlvs { path_id })
                        }, None)) => {
+panic!("1");
                                log_info!(self.logger, "Received an onion message with path_id: {:02x?}", path_id);
                        },
                        Ok((Payload::Forward(ForwardControlTlvs::Unblinded(ForwardTlvs {
                                next_node_id, next_blinding_override
                        })), Some((next_hop_hmac, new_packet_bytes)))) => {
+panic!("2");
                                // TODO: we need to check whether `next_node_id` is our node, in which case this is a dummy
                                // blinded hop and this onion message is destined for us. In this situation, we should keep
                                // unwrapping the onion layers to get to the final payload. Since we don't have the option

@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch from a3423c9 to 5c80aaa Compare August 8, 2022 22:06
@valentinewallace
Copy link
Contributor Author

valentinewallace commented Aug 8, 2022

I added some seeding but could add more onion message seeds if it helps.

Unsure if it would be good to add msg_targets for onion_message::Payload and/or BlindedRoute?

@valentinewallace valentinewallace mentioned this pull request Aug 9, 2022
Merged
@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch 2 times, most recently from b284e50 to e693109 Compare August 11, 2022 20:47
@valentinewallace
Copy link
Contributor Author

valentinewallace commented Aug 11, 2022

Able to hit the obvious panics now. I put the seeds in test_no_onion_message_breakage -- not sure if they should be checked into git as well?

TheBlueMatt
TheBlueMatt reviewed Aug 15, 2022
View reviewed changes
@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch from e693109 to 611d901 Compare August 15, 2022 16:04
@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch from 611d901 to 0cb95de Compare August 15, 2022 16:49
@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch from 0cb95de to 75f2fce Compare August 15, 2022 21:11
TheBlueMatt
TheBlueMatt previously approved these changes Aug 15, 2022
View reviewed changes
@valentinewallace
Fuzz test onion messages
8424f3f 
Also update the fuzz ChaCha20Poly1305 to not mark as finished after a single
encrypt_in_place.  This is because more bytes may still need to be encrypted,
causing us to panic at the assertion that finished == false when we go to
encrypt more.

Also fix unused_mut warning in messenger + add log on OM forward for testing
@valentinewallace valentinewallace force-pushed the 2022-08-fuzz-onion-msgs branch from 75f2fce to 8424f3f Compare August 16, 2022 16:12
@valentinewallace valentinewallace merged commit 558c460 into lightningdevkit:main Aug 17, 2022
@jkczyz jkczyz mentioned this pull request May 10, 2023
Open
60 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@TheBlueMatt TheBlueMatt TheBlueMatt approved these changes

@wpaulino wpaulino wpaulino approved these changes

Assignees

No one assigned

Labels

Seeking Code Review

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@valentinewallace @TheBlueMatt @wpaulino