Fuzz test for parsing InvoiceRequest

An invoice request is serialized as a TLV stream and encoded as bytes.
Add a fuzz test that parses the TLV stream and deserializes the
underlying InvoiceRequest. Then compare the original bytes with those
obtained by re-serializing the InvoiceRequest.

Author: jkczyz

fuzz/src/bin/gen_target.sh

@@ -9,6 +9,7 @@ GEN_TEST() {
 GEN_TEST chanmon_deser
 GEN_TEST chanmon_consistency
 GEN_TEST full_stack
+GEN_TEST invoice_request_deser
 GEN_TEST offer_deser
 GEN_TEST onion_message
 GEN_TEST peer_crypt

fuzz/src/bin/invoice_request_deser_target.rs

@@ -0,0 +1,113 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+// This file is auto-generated by gen_target.sh based on target_template.txt
+// To modify it, modify target_template.txt and run gen_target.sh instead.
+
+#![cfg_attr(feature = "libfuzzer_fuzz", no_main)]
+
+#[cfg(not(fuzzing))]
+compile_error!("Fuzz targets need cfg=fuzzing");
+
+extern crate lightning_fuzz;
+use lightning_fuzz::invoice_request_deser::*;
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		invoice_request_deser_run(data.as_ptr(), data.len());
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			invoice_request_deser_run(data.as_ptr(), data.len());
+		});
+	}
+}
+
+#[cfg(feature = "libfuzzer_fuzz")]
+#[macro_use] extern crate libfuzzer_sys;
+#[cfg(feature = "libfuzzer_fuzz")]
+fuzz_target!(|data: &[u8]| {
+	invoice_request_deser_run(data.as_ptr(), data.len());
+});
+
+#[cfg(feature = "stdin_fuzz")]
+fn main() {
+	use std::io::Read;
+
+	let mut data = Vec::with_capacity(8192);
+	std::io::stdin().read_to_end(&mut data).unwrap();
+	invoice_request_deser_run(data.as_ptr(), data.len());
+}
+
+#[test]
+fn run_test_cases() {
+	use std::fs;
+	use std::io::Read;
+	use lightning_fuzz::utils::test_logger::StringBuffer;
+
+	use std::sync::{atomic, Arc};
+	{
+		let data: Vec<u8> = vec![0];
+		invoice_request_deser_run(data.as_ptr(), data.len());
+	}
+	let mut threads = Vec::new();
+	let threads_running = Arc::new(atomic::AtomicUsize::new(0));
+	if let Ok(tests) = fs::read_dir("test_cases/invoice_request_deser") {
+		for test in tests {
+			let mut data: Vec<u8> = Vec::new();
+			let path = test.unwrap().path();
+			fs::File::open(&path).unwrap().read_to_end(&mut data).unwrap();
+			threads_running.fetch_add(1, atomic::Ordering::AcqRel);
+
+			let thread_count_ref = Arc::clone(&threads_running);
+			let main_thread_ref = std::thread::current();
+			threads.push((path.file_name().unwrap().to_str().unwrap().to_string(),
+				std::thread::spawn(move || {
+					let string_logger = StringBuffer::new();
+
+					let panic_logger = string_logger.clone();
+					let res = if ::std::panic::catch_unwind(move || {
+						invoice_request_deser_test(&data, panic_logger);
+					}).is_err() {
+						Some(string_logger.into_string())
+					} else { None };
+					thread_count_ref.fetch_sub(1, atomic::Ordering::AcqRel);
+					main_thread_ref.unpark();
+					res
+				})
+			));
+			while threads_running.load(atomic::Ordering::Acquire) > 32 {
+				std::thread::park();
+			}
+		}
+	}
+	let mut failed_outputs = Vec::new();
+	for (test, thread) in threads.drain(..) {
+		if let Some(output) = thread.join().unwrap() {
+			println!("\nOutput of {}:\n{}\n", test, output);
+			failed_outputs.push(test);
+		}
+	}
+	if !failed_outputs.is_empty() {
+		println!("Test cases which failed: ");
+		for case in failed_outputs {
+			println!("{}", case);
+		}
+		panic!();
+	}
+}

fuzz/src/invoice_request_deser.rs

@@ -0,0 +1,112 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+use bitcoin::secp256k1::{KeyPair, Parity, PublicKey, Secp256k1, SecretKey, self};
+use crate::utils::test_logger;
+use core::convert::{Infallible, TryFrom};
+use lightning::chain::keysinterface::EntropySource;
+use lightning::ln::PaymentHash;
+use lightning::ln::features::BlindedHopFeatures;
+use lightning::offers::invoice::{BlindedPayInfo, UnsignedInvoice};
+use lightning::offers::invoice_request::InvoiceRequest;
+use lightning::offers::parse::SemanticError;
+use lightning::onion_message::BlindedPath;
+use lightning::util::ser::Writeable;
+
+#[inline]
+pub fn do_test<Out: test_logger::Output>(data: &[u8], _out: Out) {
+	if let Ok(invoice_request) = InvoiceRequest::try_from(data.to_vec()) {
+		let mut bytes = Vec::with_capacity(data.len());
+		invoice_request.write(&mut bytes).unwrap();
+		assert_eq!(data, bytes);
+
+		let secp_ctx = Secp256k1::new();
+		let keys = KeyPair::from_secret_key(&secp_ctx, &SecretKey::from_slice(&[42; 32]).unwrap());
+		let mut buffer = Vec::new();
+
+		if let Ok(unsigned_invoice) = build_response(&invoice_request, &secp_ctx) {
+			let signing_pubkey = unsigned_invoice.signing_pubkey();
+			let (x_only_pubkey, _) = keys.x_only_public_key();
+			let odd_pubkey = x_only_pubkey.public_key(Parity::Odd);
+			let even_pubkey = x_only_pubkey.public_key(Parity::Even);
+			if signing_pubkey == odd_pubkey || signing_pubkey == even_pubkey {
+				unsigned_invoice
+					.sign::<_, Infallible>(
+						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					)
+					.unwrap()
+					.write(&mut buffer)
+					.unwrap();
+			} else {
+				unsigned_invoice
+					.sign::<_, Infallible>(
+						|digest| Ok(secp_ctx.sign_schnorr_no_aux_rand(digest, &keys))
+					)
+					.unwrap_err();
+			}
+		}
+	}
+}
+
+struct Randomness;
+
+impl EntropySource for Randomness {
+	fn get_secure_random_bytes(&self) -> [u8; 32] { [42; 32] }
+}
+
+fn pubkey(byte: u8) -> PublicKey {
+	let secp_ctx = Secp256k1::new();
+	PublicKey::from_secret_key(&secp_ctx, &privkey(byte))
+}
+
+fn privkey(byte: u8) -> SecretKey {
+	SecretKey::from_slice(&[byte; 32]).unwrap()
+}
+
+fn build_response<'a, T: secp256k1::Signing + secp256k1::Verification>(
+	invoice_request: &'a InvoiceRequest, secp_ctx: &Secp256k1<T>
+) -> Result<UnsignedInvoice<'a>, SemanticError> {
+	let entropy_source = Randomness {};
+	let paths = vec![
+		BlindedPath::new(&[pubkey(43), pubkey(44), pubkey(42)], &entropy_source, secp_ctx).unwrap(),
+		BlindedPath::new(&[pubkey(45), pubkey(46), pubkey(42)], &entropy_source, secp_ctx).unwrap(),
+	];
+
+	let payinfo = vec![
+		BlindedPayInfo {
+			fee_base_msat: 1,
+			fee_proportional_millionths: 1_000,
+			cltv_expiry_delta: 42,
+			htlc_minimum_msat: 100,
+			htlc_maximum_msat: 1_000_000_000_000,
+			features: BlindedHopFeatures::empty(),
+		},
+		BlindedPayInfo {
+			fee_base_msat: 1,
+			fee_proportional_millionths: 1_000,
+			cltv_expiry_delta: 42,
+			htlc_minimum_msat: 100,
+			htlc_maximum_msat: 1_000_000_000_000,
+			features: BlindedHopFeatures::empty(),
+		},
+	];
+
+	let payment_paths = paths.into_iter().zip(payinfo.into_iter()).collect();
+	let payment_hash = PaymentHash([42; 32]);
+	invoice_request.respond_with(payment_paths, payment_hash)?.build()
+}
+
+pub fn invoice_request_deser_test<Out: test_logger::Output>(data: &[u8], out: Out) {
+	do_test(data, out);
+}
+
+#[no_mangle]
+pub extern "C" fn invoice_request_deser_run(data: *const u8, datalen: usize) {
+	do_test(unsafe { std::slice::from_raw_parts(data, datalen) }, test_logger::DevNull {});
+}

fuzz/src/lib.rs

@@ -18,6 +18,7 @@ pub mod chanmon_deser;
 pub mod chanmon_consistency;
 pub mod full_stack;
 pub mod indexedmap;
+pub mod invoice_request_deser;
 pub mod offer_deser;
 pub mod onion_message;
 pub mod peer_crypt;

fuzz/targets.h

@@ -2,6 +2,7 @@
 void chanmon_deser_run(const unsigned char* data, size_t data_len);
 void chanmon_consistency_run(const unsigned char* data, size_t data_len);
 void full_stack_run(const unsigned char* data, size_t data_len);
+void invoice_request_deser_run(const unsigned char* data, size_t data_len);
 void offer_deser_run(const unsigned char* data, size_t data_len);
 void onion_message_run(const unsigned char* data, size_t data_len);
 void peer_crypt_run(const unsigned char* data, size_t data_len);

lightning/src/offers/invoice.rs

@@ -267,6 +267,11 @@ pub struct UnsignedInvoice<'a> {
 }
 
 impl<'a> UnsignedInvoice<'a> {
+	/// The public key corresponding to the key needed to sign the invoice.
+	pub fn signing_pubkey(&self) -> PublicKey {
+		self.invoice.fields().signing_pubkey
+	}
+
 	/// Signs the invoice using the given function.
 	pub fn sign<F, E>(self, sign: F) -> Result<Invoice, SignError<E>>
 	where
@@ -453,12 +458,12 @@ impl Invoice {
 		&self.contents.fields().features
 	}
 
-	/// The public key used to sign invoices.
+	/// The public key corresponding to the key used to sign the invoice.
 	pub fn signing_pubkey(&self) -> PublicKey {
 		self.contents.fields().signing_pubkey
 	}
 
-	/// Signature of the invoice using [`Invoice::signing_pubkey`].
+	/// Signature of the invoice verified using [`Invoice::signing_pubkey`].
 	pub fn signature(&self) -> Signature {
 		self.signature
 	}