January 2017 - tor-commits - lists.torproject.org

[tor/master] Fix memory leak on zero-length input on fuzz_http.c
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit 1d8e9e8c699e68cdbb33ab41ccbd65e3dab8ff6b Author: Nick Mathewson <nickm(a)torproject.org> Date: Wed Jan 11 13:24:48 2017 -0500 Fix memory leak on zero-length input on fuzz_http.c --- src/test/fuzz/fuzz_http.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/test/fuzz/fuzz_http.c b/src/test/fuzz/fuzz_http.c index f069900..caad0b2 100644 --- a/src/test/fuzz/fuzz_http.c +++ b/src/test/fuzz/fuzz_http.c @@ -107,7 +107,7 @@ fuzz_main(const uint8_t *stdin_buf, size_t data_size) dir_conn.base_.inbuf = buf_new_with_data((char*)stdin_buf, data_size); if (!dir_conn.base_.inbuf) { log_debug(LD_GENERAL, "Zero-Length-Input\n"); - return 0; + goto done; } /* Parse the headers */ @@ -122,6 +122,7 @@ fuzz_main(const uint8_t *stdin_buf, size_t data_size) log_debug(LD_GENERAL, "Result:\n%d\n", rv); + done: /* Reset. */ tor_free(dir_conn.base_.address); buf_free(dir_conn.base_.inbuf);

1 0

[tor/master] Memory leak on bogus ed key in microdesc
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit 143235873ba0229f83ce69c4247ba8d3c459629f Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Jan 10 14:13:45 2017 -0500 Memory leak on bogus ed key in microdesc --- src/or/routerparse.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/or/routerparse.c b/src/or/routerparse.c index 8cdeb45..58b9a22 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -4717,11 +4717,13 @@ microdescs_parse_from_string(const char *s, const char *eos, if (!strcmp(t->args[0], "ed25519")) { if (md->ed25519_identity_pkey) { log_warn(LD_DIR, "Extra ed25519 key in microdesc"); + smartlist_free(id_lines); goto next; } ed25519_public_key_t k; if (ed25519_public_from_base64(&k, t->args[1])<0) { log_warn(LD_DIR, "Bogus ed25519 key in microdesc"); + smartlist_free(id_lines); goto next; } md->ed25519_identity_pkey = tor_memdup(&k, sizeof(k));

1 0

[tor/master] memory leak in fuzz_vrs
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit 34fd6368708daec4c6af2b93d69d5ed774ac7c47 Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jan 9 14:29:15 2017 -0500 memory leak in fuzz_vrs --- src/test/fuzz/fuzz_vrs.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/test/fuzz/fuzz_vrs.c b/src/test/fuzz/fuzz_vrs.c index 1c4e5e2..406a4de 100644 --- a/src/test/fuzz/fuzz_vrs.c +++ b/src/test/fuzz/fuzz_vrs.c @@ -45,7 +45,7 @@ fuzz_cleanup(void) int fuzz_main(const uint8_t *data, size_t sz) { - const char *str = tor_memdup_nulterm(data, sz), *s; + char *str = tor_memdup_nulterm(data, sz), *s; routerstatus_t *rs_ns = NULL, *rs_md = NULL, *rs_vote = NULL; vote_routerstatus_t *vrs = tor_malloc_zero(sizeof(*vrs)); smartlist_t *tokens = smartlist_new(); @@ -73,6 +73,7 @@ fuzz_main(const uint8_t *data, size_t sz) vote_routerstatus_free(vrs); memarea_clear(area); smartlist_free(tokens); + tor_free(str); return 0; }

1 0

[tor/master] Fix a pair of compilation errors.
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit 2202ad7ab0132ed5505067aca9020caa05c918fd Author: Nick Mathewson <nickm(a)torproject.org> Date: Mon Jan 23 14:52:51 2017 -0500 Fix a pair of compilation errors. --- src/or/networkstatus.c | 2 +- src/or/networkstatus.h | 3 ++- src/test/fuzz/fuzz_vrs.c | 3 ++- 3 files changed, 5 insertions(+), 3 deletions(-) diff --git a/src/or/networkstatus.c b/src/or/networkstatus.c index 49ff12b..508cf6c 100644 --- a/src/or/networkstatus.c +++ b/src/or/networkstatus.c @@ -243,7 +243,7 @@ router_reload_consensus_networkstatus(void) } /** Free all storage held by the vote_routerstatus object rs. */ -STATIC void +void vote_routerstatus_free(vote_routerstatus_t *rs) { vote_microdesc_hash_t *h, *next; diff --git a/src/or/networkstatus.h b/src/or/networkstatus.h index edf2dc7..66cd84c 100644 --- a/src/or/networkstatus.h +++ b/src/or/networkstatus.h @@ -132,8 +132,9 @@ document_signature_t *document_signature_dup(const document_signature_t *sig); void networkstatus_free_all(void); int networkstatus_get_weight_scale_param(networkstatus_t *ns); +void vote_routerstatus_free(vote_routerstatus_t *rs); + #ifdef NETWORKSTATUS_PRIVATE -STATIC void vote_routerstatus_free(vote_routerstatus_t *rs); #ifdef TOR_UNIT_TESTS STATIC int networkstatus_set_current_consensus_from_ns(networkstatus_t *c, const char *flavor); diff --git a/src/test/fuzz/fuzz_vrs.c b/src/test/fuzz/fuzz_vrs.c index 406a4de..d2c0369 100644 --- a/src/test/fuzz/fuzz_vrs.c +++ b/src/test/fuzz/fuzz_vrs.c @@ -45,7 +45,8 @@ fuzz_cleanup(void) int fuzz_main(const uint8_t *data, size_t sz) { - char *str = tor_memdup_nulterm(data, sz), *s; + char *str = tor_memdup_nulterm(data, sz); + const char *s; routerstatus_t *rs_ns = NULL, *rs_md = NULL, *rs_vote = NULL; vote_routerstatus_t *vrs = tor_malloc_zero(sizeof(*vrs)); smartlist_t *tokens = smartlist_new();

1 0

[tor/master] Update documentation and testing integration for fuzzing
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit d71fc474385281453eaa93522479d32af85c94ef Author: Nick Mathewson <nickm(a)torproject.org> Date: Fri Jan 27 11:16:23 2017 -0500 Update documentation and testing integration for fuzzing --- doc/HACKING/Fuzzing.md | 63 ++++++++++++++++++++++++++++----------- src/test/fuzz/include.am | 2 ++ src/test/fuzz_static_testcases.sh | 20 ++++++++++--- 3 files changed, 63 insertions(+), 22 deletions(-) diff --git a/doc/HACKING/Fuzzing.md b/doc/HACKING/Fuzzing.md index 36f0fc4..f5502b3 100644 --- a/doc/HACKING/Fuzzing.md +++ b/doc/HACKING/Fuzzing.md @@ -1,12 +1,53 @@ = Fuzzing Tor +== The simple version (no fuzzing, only tests) + +Check out fuzzing-corpora, and set TOR_FUZZ_CORPORA to point to the place +where you checked it out. + To run the fuzzing test cases in a deterministic fashion, use: make fuzz - [I've turned this off for now. - NM] -To build the fuzzing harness binaries, use: - make fuzzers +== Different kinds of fuzzing + +Right now we support three different kinds of fuzzer. + +First, there's American Fuzzy Lop (AFL), a fuzzer that works by forking +a target binary and passing it lots of different inputs on stdin. It's the +trickiest one to set up, so I'll be describing it more below. + +Second, there's libFuzzer, a llvm-based fuzzer that you link in as a library, +and it runs a target function over and over. To use this one, you'll need to +have a reasonably recent clang and libfuzzer installed. At that point, you +just build with --enable-expensive-hardening and --enable-libfuzzer. That +will produce a set of binaries in src/test/fuzz/lf-fuzz-* . These programs +take as input a series of directories full of fuzzing examples. For more +information on libfuzzer, see http://llvm.org/docs/LibFuzzer.html + +Third, there's Google's OSS-Fuzz infrastructure, which expects to get all of +its. For more on this, see https://github.com/google/oss-fuzz and the +projects/tor subdirectory. You'll need to mess around with Docker a bit to +test this one out; it's meant to run on Google's infrastructure. + +In all cases, you'll need some starting examples to give the fuzzer when it +starts out. There's a set in the "fuzzing-corpora" git repository. Try +setting TOR_FUZZ_CORPORA to point to a checkout of that repository + +== Writing Tor fuzzers + +A tor fuzzing harness should have: +* a fuzz_init() function to set up any necessary global state. +* a fuzz_main() function to receive input and pass it to a parser. +* a fuzz_cleanup() function to clear global state. + +Most fuzzing frameworks will produce many invalid inputs - a tor fuzzing +harness should rejecting invalid inputs without crashing or behaving badly. + +But the fuzzing harness should crash if tor fails an assertion, triggers a +bug, or accesses memory it shouldn't. This helps fuzzing frameworks detect +"interesting" cases. + == Guided Fuzzing with AFL @@ -47,7 +88,7 @@ don't care about memory limits. To Run: mkdir -p src/test/fuzz/fuzz_http_findings - ../afl/afl-fuzz -i src/test/fuzz/data/http -x src/test/fuzz/dict/http -o src/test/fuzz/fuzz_http_findings -m <asan-memory-limit> -- src/test/fuzz_dir + ../afl/afl-fuzz -i ${TOR_FUZZ_CORPORA}/http -o src/test/fuzz/fuzz_http_findings -m <asan-memory-limit> -- src/test/fuzz_dir AFL has a multi-core mode, check the documentation for details. @@ -57,20 +98,6 @@ macOS (OS X) requires slightly more preparation, including: * using afl-clang (or afl-clang-fast from the llvm directory) * disabling external crash reporting (AFL will guide you through this step) -== Writing Tor fuzzers - -A tor fuzzing harness should have: -* a fuzz_init() function to set up any necessary global state. -* a fuzz_main() function to receive input and pass it to a parser. -* a fuzz_cleanup() function to clear global state. - -Most fuzzing frameworks will produce many invalid inputs - a tor fuzzing -harness should rejecting invalid inputs without crashing or behaving badly. - -But the fuzzing harness should crash if tor fails an assertion, triggers a -bug, or accesses memory it shouldn't. This helps fuzzing frameworks detect -"interesting" cases. - == Triaging Issues Crashes are usually interesting, particularly if using AFL_HARDEN=1 and --enable-expensive-hardening. Sometimes crashes are due to bugs in the harness code. diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am index bca0a86..c9c1747 100644 --- a/src/test/fuzz/include.am +++ b/src/test/fuzz/include.am @@ -246,3 +246,5 @@ noinst_LIBRARIES += $(OSS_FUZZ_FUZZERS) oss-fuzz-fuzzers: oss-fuzz-prereqs $(OSS_FUZZ_FUZZERS) fuzzers: $(FUZZERS) $(LIBFUZZER_FUZZERS) +fuzz: $(FUZZERS) + $(top_srcdir)/src/test/fuzz_static_testcases.sh diff --git a/src/test/fuzz_static_testcases.sh b/src/test/fuzz_static_testcases.sh index 276bc6e..bfe1677 100755 --- a/src/test/fuzz_static_testcases.sh +++ b/src/test/fuzz_static_testcases.sh @@ -5,11 +5,23 @@ set -e +if [ -z "${TOR_FUZZ_CORPORA}" ] || [ ! -d "${TOR_FUZZ_CORPORA}" ] ; then + echo "You need to set TOR_FUZZ_CORPORA to point to a checkout of " + echo "the 'fuzzing-corpora' repository." + exit 77 +fi + + + for fuzzer in "${builddir:-.}"/src/test/fuzz/fuzz-* ; do f=`basename $fuzzer` case="${f#fuzz-}" - echo "Running tests for ${case}" - for entry in ${abs_top_srcdir:-.}/src/test/fuzz/data/${case}/*; do - "${fuzzer}" "--err" < "$entry" - done + if [ -d "${TOR_FUZZ_CORPORA}/${case}" ]; then + echo "Running tests for ${case}" + for entry in "${TOR_FUZZ_CORPORA}/${case}/"*; do + "${fuzzer}" "--err" < "$entry" + done + else + echo "No tests found for ${case}" + fi done

1 0

[tor/master] Merge branch 'combined-fuzzing-v4'
by nickm＠torproject.org 30 Jan '17

30 Jan '17

1 0

[tor/master] Fuzzing: Add an initial fuzzing tool, for descriptors.
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit b96c70d668f96550401057834bb9caafb5d0e412 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 13 19:15:26 2016 -0500 Fuzzing: Add an initial fuzzing tool, for descriptors. This will need some refactoring and mocking. --- Makefile.am | 1 + src/include.am | 2 +- src/test/fuzz/fuzz_descriptor.c | 26 +++++++++++++++++++++ src/test/fuzz/fuzzing.h | 7 ++++++ src/test/fuzz/fuzzing_common.c | 52 +++++++++++++++++++++++++++++++++++++++++ src/test/fuzz/include.am | 48 +++++++++++++++++++++++++++++++++++++ 6 files changed, 135 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index b6e4e53..2e853d4 100644 --- a/Makefile.am +++ b/Makefile.am @@ -9,6 +9,7 @@ noinst_LIBRARIES= EXTRA_DIST= noinst_HEADERS= bin_PROGRAMS= +EXTRA_PROGRAMS= CLEANFILES= TESTS= noinst_PROGRAMS= diff --git a/src/include.am b/src/include.am index c468af3..d12684e 100644 --- a/src/include.am +++ b/src/include.am @@ -6,4 +6,4 @@ include src/test/include.am include src/tools/include.am include src/win32/include.am include src/config/include.am - +include src/test/fuzz/include.am diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c new file mode 100644 index 0000000..1364bf4 --- /dev/null +++ b/src/test/fuzz/fuzz_descriptor.c @@ -0,0 +1,26 @@ + +#include "or.h" +#include "routerparse.h" +#include "routerlist.h" +#include "fuzzing.h" + +int +fuzz_init(void) +{ + ed25519_init(); + return 0; +} + +int +fuzz_main(const uint8_t *data, size_t sz) +{ + routerinfo_t *ri; + const char *str = (const char*) data; + ri = router_parse_entry_from_string((const char *)str, + str+sz, + 0, 0, 0, NULL); + if (ri) + routerinfo_free(ri); + return 0; +} + diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h new file mode 100644 index 0000000..fbd54da --- /dev/null +++ b/src/test/fuzz/fuzzing.h @@ -0,0 +1,7 @@ +#ifndef FUZZING_H +#define FUZZING_H + +int fuzz_init(void); +int fuzz_main(const uint8_t *data, size_t sz); + +#endif /* FUZZING_H */ diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c new file mode 100644 index 0000000..51d519b --- /dev/null +++ b/src/test/fuzz/fuzzing_common.c @@ -0,0 +1,52 @@ +#include "orconfig.h" +#include "torint.h" +#include "util.h" +#include "torlog.h" +#include "backtrace.h" +#include "fuzzing.h" + +extern const char tor_git_revision[]; +const char tor_git_revision[] = ""; + +#define MAX_FUZZ_SIZE (128*1024) + +#ifdef LLVM_FUZZ +int +LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { + static int initialized = 0; + if (!initialized) { + if (fuzz_init() < 0) + abort(); + } + + return fuzz_main(Data, Size); +} + +#else /* Not LLVM_FUZZ, so AFL. */ + +int +main(int argc, char **argv) +{ + size_t size; + char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size); + + tor_threads_init(); + init_logging(1); + + if (argc > 1 && !strcmp(argv[1], "--info")) { + log_severity_list_t sev; + set_log_severity_config(LOG_INFO, LOG_ERR, &sev); + add_stream_log(&sev, "stdout", 1); + configure_backtrace_handler(NULL); + } + + tor_assert(input); + if (fuzz_init() < 0) + abort(); + fuzz_main((const uint8_t*)input, size); + tor_free(input); + return 0; +} + +#endif + diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am new file mode 100644 index 0000000..323798f --- /dev/null +++ b/src/test/fuzz/include.am @@ -0,0 +1,48 @@ + +FUZZING_CPPFLAGS = \ + $(src_test_AM_CPPFLAGS) $(TEST_CPPFLAGS) +FUZZING_CFLAGS = \ + $(AM_CFLAGS) $(TEST_CFLAGS) +FUZZING_LDFLAG = \ + @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @TOR_LDFLAGS_libevent@ +FUZZING_LIBS = \ + src/or/libtor-testing.a \ + src/common/libor-crypto-testing.a \ + $(LIBKECCAK_TINY) \ + $(LIBDONNA) \ + src/common/libor-testing.a \ + src/common/libor-ctime-testing.a \ + src/common/libor-event-testing.a \ + src/trunnel/libor-trunnel-testing.a \ + @TOR_ZLIB_LIBS@ @TOR_LIB_MATH@ \ + @TOR_LIBEVENT_LIBS@ \ + @TOR_OPENSSL_LIBS@ @TOR_LIB_WS32@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ \ + @TOR_SYSTEMD_LIBS@ + + +noinst_HEADERS += \ + src/test/fuzz/fuzzing_boilerplate.h + +src_test_fuzz_fuzz_descriptor_SOURCES = \ + src/test/fuzz/fuzzing_common.c \ + src/test/fuzz/fuzz_descriptor.c +src_test_fuzz_fuzz_descriptor_CPPFLAGS = $(FUZZING_CPPFLAGS) +src_test_fuzz_fuzz_descriptor_CFLAGS = $(FUZZING_CFLAGS) +src_test_fuzz_fuzz_descriptor_LDFLAGS = $(FUZZING_LDFLAG) +src_test_fuzz_fuzz_descriptor_LDADD = $(FUZZING_LIBS) + +src_test_fuzz_fuzz_http_SOURCES = \ + src/test/fuzz/fuzzing_common.c \ + src/test/fuzz/fuzz_http.c +src_test_fuzz_fuzz_http_CPPFLAGS = $(FUZZING_CPPFLAGS) +src_test_fuzz_fuzz_http_CFLAGS = $(FUZZING_CFLAGS) +src_test_fuzz_fuzz_http_LDFLAGS = $(FUZZING_LDFLAG) +src_test_fuzz_fuzz_http_LDADD = $(FUZZING_LIBS) + +FUZZERS = \ + src/test/fuzz/fuzz-descriptor \ + src/test/fuzz/fuzz-http + +# The fuzzers aren't built by default right now. That should change. +EXTRA_PROGRAMS += $(FUZZERS) +fuzzers: $(FUZZERS)

1 0

[tor/master] Replace signature-checking and digest-checking while fuzzing
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit 0666928c5c367506b0173118153bb804e46eca44 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 13 20:23:16 2016 -0500 Replace signature-checking and digest-checking while fuzzing --- src/test/fuzz/fuzz_descriptor.c | 49 ++++++++++++++++++++++++-- src/test/fuzz/fuzzing.h | 2 ++ src/test/fuzz/fuzzing_common.c | 78 ++++++++++++++++++++++++++++++++++++++++- 3 files changed, 126 insertions(+), 3 deletions(-) diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c index 12297fd..563787b 100644 --- a/src/test/fuzz/fuzz_descriptor.c +++ b/src/test/fuzz/fuzz_descriptor.c @@ -1,12 +1,53 @@ - +#define ROUTERPARSE_PRIVATE #include "or.h" #include "routerparse.h" #include "routerlist.h" +#include "routerkeys.h" #include "fuzzing.h" +static int +mock_check_tap_onion_key_crosscert__nocheck(const uint8_t *crosscert, + int crosscert_len, + const crypto_pk_t *onion_pkey, + const ed25519_public_key_t *master_id_pkey, + const uint8_t *rsa_id_digest) +{ + tor_assert(crosscert && onion_pkey && master_id_pkey && rsa_id_digest); + /* we could look at crosscert[..] */ + (void) crosscert_len; + return 0; +} + +static void +mock_dump_desc__nodump(const char *desc, const char *type) +{ + (void)desc; + (void)type; +} + +static int +mock_router_produce_hash_final__nohash(char *digest, + const char *start, size_t len, + digest_algorithm_t alg) +{ + (void)start; + (void)len; + /* we could look at start[..] */ + if (alg == DIGEST_SHA1) + memset(digest, 0x01, 20); + else + memset(digest, 0x02, 32); + return 0; +} + int fuzz_init(void) { + disable_signature_checking(); + MOCK(check_tap_onion_key_crosscert, + mock_check_tap_onion_key_crosscert__nocheck); + MOCK(dump_desc, mock_dump_desc__nodump); + MOCK(router_compute_hash_final, mock_router_produce_hash_final__nohash); ed25519_init(); return 0; } @@ -25,8 +66,12 @@ fuzz_main(const uint8_t *data, size_t sz) ri = router_parse_entry_from_string((const char *)str, str+sz, 0, 0, 0, NULL); - if (ri) + if (ri) { + log_debug(LD_GENERAL, "Parsing okay"); routerinfo_free(ri); + } else { + log_debug(LD_GENERAL, "Parsing failed"); + } return 0; } diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h index 794ed14..a8cbb1d 100644 --- a/src/test/fuzz/fuzzing.h +++ b/src/test/fuzz/fuzzing.h @@ -5,4 +5,6 @@ int fuzz_init(void); int fuzz_cleanup(void); int fuzz_main(const uint8_t *data, size_t sz); +void disable_signature_checking(void); + #endif /* FUZZING_H */ diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c index 87affc4..e17bae3 100644 --- a/src/test/fuzz/fuzzing_common.c +++ b/src/test/fuzz/fuzzing_common.c @@ -1,13 +1,88 @@ +#define CRYPTO_ED25519_PRIVATE #include "orconfig.h" #include "or.h" #include "backtrace.h" #include "config.h" #include "fuzzing.h" +#include "crypto.h" +#include "crypto_ed25519.h" extern const char tor_git_revision[]; const char tor_git_revision[] = ""; -#define MAX_FUZZ_SIZE (128*1024) +static int +mock_crypto_pk_public_checksig__nocheck(const crypto_pk_t *env, char *to, + size_t tolen, + const char *from, size_t fromlen) +{ + tor_assert(env && to && from); + (void)fromlen; + /* We could look at from[0..fromlen-1] ... */ + tor_assert(tolen >= crypto_pk_keysize(env)); + memset(to, 0x01, 20); + return 20; +} + +static int +mock_crypto_pk_public_checksig_digest__nocheck(crypto_pk_t *env, + const char *data, + size_t datalen, + const char *sig, + size_t siglen) +{ + tor_assert(env && data && sig); + (void)datalen; + (void)siglen; + /* We could look at data[..] and sig[..] */ + return 0; +} + +static int +mock_ed25519_checksig__nocheck(const ed25519_signature_t *signature, + const uint8_t *msg, size_t len, + const ed25519_public_key_t *pubkey) +{ + tor_assert(signature && msg && pubkey); + /* We could look at msg[0..len-1] ... */ + (void)len; + return 0; +} + +static int +mock_ed25519_checksig_batch__nocheck(int *okay_out, + const ed25519_checkable_t *checkable, + int n_checkable) +{ + tor_assert(checkable); + int i; + for (i = 0; i < n_checkable; ++i) { + /* We could look at messages and signatures XXX */ + tor_assert(checkable[i].pubkey); + tor_assert(checkable[i].msg); + if (okay_out) + okay_out[i] = 1; + } + return 0; +} + +static int +mock_ed25519_impl_spot_check__nocheck(void) +{ + return 0; +} + + +void +disable_signature_checking(void) +{ + MOCK(crypto_pk_public_checksig, + mock_crypto_pk_public_checksig__nocheck); + MOCK(crypto_pk_public_checksig_digest, + mock_crypto_pk_public_checksig_digest__nocheck); + MOCK(ed25519_checksig, mock_ed25519_checksig__nocheck); + MOCK(ed25519_checksig_batch, mock_ed25519_checksig_batch__nocheck); + MOCK(ed25519_impl_spot_check, mock_ed25519_impl_spot_check__nocheck); +} #ifdef LLVM_FUZZ int @@ -70,6 +145,7 @@ main(int argc, char **argv) __AFL_INIT(); #endif +#define MAX_FUZZ_SIZE (128*1024) char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size); tor_assert(input); fuzz_main((const uint8_t*)input, size);

1 0

[tor/master] Port fuzz_http to use fuzzing_common.
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit 60769e710f1099168f7508fe6834e458ce435ad9 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 13 19:41:03 2016 -0500 Port fuzz_http to use fuzzing_common. Move common logic from fuzz_http to fuzzing_common. --- src/test/fuzz/fuzz_descriptor.c | 6 ++ src/test/fuzz/fuzz_http.c | 120 ++++++++-------------------------------- src/test/fuzz/fuzzing.h | 1 + src/test/fuzz/fuzzing_common.c | 52 +++++++++++++---- src/test/fuzz/include.am | 2 +- 5 files changed, 74 insertions(+), 107 deletions(-) diff --git a/src/test/fuzz/fuzz_descriptor.c b/src/test/fuzz/fuzz_descriptor.c index 1364bf4..12297fd 100644 --- a/src/test/fuzz/fuzz_descriptor.c +++ b/src/test/fuzz/fuzz_descriptor.c @@ -12,6 +12,12 @@ fuzz_init(void) } int +fuzz_cleanup(void) +{ + return 0; +} + +int fuzz_main(const uint8_t *data, size_t sz) { routerinfo_t *ri; diff --git a/src/test/fuzz/fuzz_http.c b/src/test/fuzz/fuzz_http.c index abf5de8..ea63e83 100644 --- a/src/test/fuzz/fuzz_http.c +++ b/src/test/fuzz/fuzz_http.c @@ -4,6 +4,7 @@ #include "orconfig.h" #define BUFFERS_PRIVATE +#define DIRECTORY_PRIVATE #include "or.h" #include "backtrace.h" @@ -13,11 +14,7 @@ #include "directory.h" #include "torlog.h" -/* Silence compiler warnings about a missing extern */ -extern const char tor_git_revision[]; -const char tor_git_revision[] = ""; - -#define MAX_FUZZ_SIZE (2*MAX_HEADERS_SIZE + MAX_DIR_UL_SIZE) +#include "fuzzing.h" static int mock_get_options_calls = 0; static or_options_t *mock_options = NULL; @@ -47,101 +44,45 @@ mock_connection_write_to_buf_impl_(const char *string, size_t len, zlib ? "Compressed " : "", len, conn, string); } -/* Read a directory command (including HTTP headers) from stdin, parse it, and - * output what tor parsed */ int -main(int c, char** v) +fuzz_init(void) { - /* Disable logging by default to speed up fuzzing. */ - int loglevel = LOG_ERR; - - /* Initialise logging first */ - init_logging(1); - configure_backtrace_handler(get_version()); - - for (int i = 1; i < c; ++i) { - if (!strcmp(v[i], "--warn")) { - loglevel = LOG_WARN; - } else if (!strcmp(v[i], "--notice")) { - loglevel = LOG_NOTICE; - } else if (!strcmp(v[i], "--info")) { - loglevel = LOG_INFO; - } else if (!strcmp(v[i], "--debug")) { - loglevel = LOG_DEBUG; - } - } - - { - log_severity_list_t s; - memset(&s, 0, sizeof(s)); - set_log_severity_config(loglevel, LOG_ERR, &s); - /* ALWAYS log bug warnings. */ - s.masks[LOG_WARN-LOG_ERR] |= LD_BUG; - add_stream_log(&s, "", fileno(stdout)); - } - - /* Make BUG() and nonfatal asserts crash */ - tor_set_failed_assertion_callback(abort); - - /* Set up fake variables */ - dir_connection_t dir_conn; - int rv = -1; - ssize_t data_size = -1; - char *stdin_buf = tor_malloc(MAX_FUZZ_SIZE+1); - - /* directory_handle_command checks some tor options - * just make them all 0 */ mock_options = tor_malloc(sizeof(or_options_t)); reset_options(mock_options, &mock_get_options_calls); MOCK(get_options, mock_get_options); - - /* Set up the fake connection */ - memset(&dir_conn, 0, sizeof(dir_connection_t)); - dir_conn.base_.type = CONN_TYPE_DIR; - /* Set up fake response handler */ MOCK(connection_write_to_buf_impl_, mock_connection_write_to_buf_impl_); + return 0; +} -/* -afl extension - loop and reset state after parsing -likely needs to reset the allocation data structures and counts as well -#ifdef __AFL_HAVE_MANUAL_CONTROL - while (__AFL_LOOP(1000)) { -#endif -*/ +int +fuzz_cleanup(void) +{ + tor_free(mock_options); + UNMOCK(get_options); + UNMOCK(connection_write_to_buf_impl_); + return 0; +} - /* Initialise the data structures */ - memset(stdin_buf, 0, MAX_FUZZ_SIZE+1); +int +fuzz_main(const uint8_t *stdin_buf, size_t data_size) +{ + dir_connection_t dir_conn; + /* Set up the fake connection */ + memset(&dir_conn, 0, sizeof(dir_connection_t)); + dir_conn.base_.type = CONN_TYPE_DIR; /* Apparently tor sets this before directory_handle_command() is called. */ dir_conn.base_.address = tor_strdup("replace-this-address.example.com"); -#ifdef __AFL_HAVE_MANUAL_CONTROL - /* Tell AFL to pause and fork here - ignored if not using AFL */ - __AFL_INIT(); -#endif - - /* Read the data */ - data_size = read(STDIN_FILENO, stdin_buf, MAX_FUZZ_SIZE); - tor_assert(data_size != -1); - tor_assert(data_size <= MAX_FUZZ_SIZE); - stdin_buf[data_size] = '\0'; - tor_assert(strlen(stdin_buf) >= 0); - tor_assert(strlen(stdin_buf) <= MAX_FUZZ_SIZE); - - log_debug(LD_GENERAL, "Input-Length:\n%zu\n", data_size); - log_debug(LD_GENERAL, "Input:\n%s\n", stdin_buf); - - /* Copy the stdin data into the buffer */ - tor_assert(data_size >= 0); - dir_conn.base_.inbuf = buf_new_with_data(stdin_buf, (size_t)data_size); + dir_conn.base_.inbuf = buf_new_with_data((char*)stdin_buf, data_size); if (!dir_conn.base_.inbuf) { log_debug(LD_GENERAL, "Zero-Length-Input\n"); return 0; } /* Parse the headers */ - rv = directory_handle_command(&dir_conn); + int rv = directory_handle_command(&dir_conn); /* TODO: check the output is correctly parsed based on the input */ @@ -152,23 +93,10 @@ likely needs to reset the allocation data structures and counts as well log_debug(LD_GENERAL, "Result:\n%d\n", rv); - /* Reset */ + /* Reset. */ tor_free(dir_conn.base_.address); - buf_free(dir_conn.base_.inbuf); dir_conn.base_.inbuf = NULL; -/* -#ifdef __AFL_HAVE_MANUAL_CONTROL - } -#endif -*/ - - /* Cleanup */ - tor_free(mock_options); - UNMOCK(get_options); - - UNMOCK(connection_write_to_buf_impl_); - - tor_free(stdin_buf); + return 0; } diff --git a/src/test/fuzz/fuzzing.h b/src/test/fuzz/fuzzing.h index fbd54da..794ed14 100644 --- a/src/test/fuzz/fuzzing.h +++ b/src/test/fuzz/fuzzing.h @@ -2,6 +2,7 @@ #define FUZZING_H int fuzz_init(void); +int fuzz_cleanup(void); int fuzz_main(const uint8_t *data, size_t sz); #endif /* FUZZING_H */ diff --git a/src/test/fuzz/fuzzing_common.c b/src/test/fuzz/fuzzing_common.c index 51d519b..87affc4 100644 --- a/src/test/fuzz/fuzzing_common.c +++ b/src/test/fuzz/fuzzing_common.c @@ -1,8 +1,7 @@ #include "orconfig.h" -#include "torint.h" -#include "util.h" -#include "torlog.h" +#include "or.h" #include "backtrace.h" +#include "config.h" #include "fuzzing.h" extern const char tor_git_revision[]; @@ -28,23 +27,56 @@ int main(int argc, char **argv) { size_t size; - char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size); tor_threads_init(); init_logging(1); - if (argc > 1 && !strcmp(argv[1], "--info")) { - log_severity_list_t sev; - set_log_severity_config(LOG_INFO, LOG_ERR, &sev); - add_stream_log(&sev, "stdout", 1); - configure_backtrace_handler(NULL); + /* Disable logging by default to speed up fuzzing. */ + int loglevel = LOG_ERR; + + /* Initialise logging first */ + init_logging(1); + configure_backtrace_handler(get_version()); + + for (int i = 1; i < argc; ++i) { + if (!strcmp(argv[i], "--warn")) { + loglevel = LOG_WARN; + } else if (!strcmp(argv[i], "--notice")) { + loglevel = LOG_NOTICE; + } else if (!strcmp(argv[i], "--info")) { + loglevel = LOG_INFO; + } else if (!strcmp(argv[i], "--debug")) { + loglevel = LOG_DEBUG; + } } - tor_assert(input); + { + log_severity_list_t s; + memset(&s, 0, sizeof(s)); + set_log_severity_config(loglevel, LOG_ERR, &s); + /* ALWAYS log bug warnings. */ + s.masks[LOG_WARN-LOG_ERR] |= LD_BUG; + add_stream_log(&s, "", fileno(stdout)); + } + + /* Make BUG() and nonfatal asserts crash */ + tor_set_failed_assertion_callback(abort); + if (fuzz_init() < 0) abort(); + +#ifdef __AFL_HAVE_MANUAL_CONTROL + /* Tell AFL to pause and fork here - ignored if not using AFL */ + __AFL_INIT(); +#endif + + char *input = read_file_to_str_until_eof(0, MAX_FUZZ_SIZE, &size); + tor_assert(input); fuzz_main((const uint8_t*)input, size); tor_free(input); + + if (fuzz_cleanup() < 0) + abort(); return 0; } diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am index 323798f..7948b20 100644 --- a/src/test/fuzz/include.am +++ b/src/test/fuzz/include.am @@ -21,7 +21,7 @@ FUZZING_LIBS = \ noinst_HEADERS += \ - src/test/fuzz/fuzzing_boilerplate.h + src/test/fuzz/fuzzing.h src_test_fuzz_fuzz_descriptor_SOURCES = \ src/test/fuzz/fuzzing_common.c \

1 0

[tor/master] Make a bunch of signature/digest-checking functions mockable
by nickm＠torproject.org 30 Jan '17

30 Jan '17

commit e2aeaeb76c2fd04a8b5934b7682823d77dc6f064 Author: Nick Mathewson <nickm(a)torproject.org> Date: Tue Dec 13 20:22:34 2016 -0500 Make a bunch of signature/digest-checking functions mockable --- src/common/crypto.c | 15 ++++++++------- src/common/crypto.h | 10 ++++++---- src/common/crypto_ed25519.c | 22 +++++++++++----------- src/common/crypto_ed25519.h | 16 ++++++++++------ src/or/routerkeys.c | 12 ++++++------ src/or/routerkeys.h | 4 ++-- src/or/routerparse.c | 19 +++++++++++++++---- src/or/routerparse.h | 5 ++++- 8 files changed, 62 insertions(+), 41 deletions(-) diff --git a/src/common/crypto.c b/src/common/crypto.c index 062179d..7cb3330 100644 --- a/src/common/crypto.c +++ b/src/common/crypto.c @@ -1107,10 +1107,10 @@ crypto_pk_private_decrypt(crypto_pk_t *env, char *to, * tolen is the number of writable bytes in to, and must be * at least the length of the modulus of env. */ -int -crypto_pk_public_checksig(const crypto_pk_t *env, char *to, - size_t tolen, - const char *from, size_t fromlen) +MOCK_IMPL(int, +crypto_pk_public_checksig,(const crypto_pk_t *env, char *to, + size_t tolen, + const char *from, size_t fromlen)) { int r; tor_assert(env); @@ -1134,9 +1134,10 @@ crypto_pk_public_checksig(const crypto_pk_t *env, char *to, * in env. Return 0 if sig is a correct signature for * SHA1(data). Else return -1. */ -int -crypto_pk_public_checksig_digest(crypto_pk_t *env, const char *data, - size_t datalen, const char *sig, size_t siglen) +MOCK_IMPL(int, +crypto_pk_public_checksig_digest,(crypto_pk_t *env, const char *data, + size_t datalen, const char *sig, + size_t siglen)) { char digest[DIGEST_LEN]; char *buf; diff --git a/src/common/crypto.h b/src/common/crypto.h index bf2fa06..43328f5 100644 --- a/src/common/crypto.h +++ b/src/common/crypto.h @@ -178,10 +178,12 @@ int crypto_pk_public_encrypt(crypto_pk_t *env, char *to, size_t tolen, int crypto_pk_private_decrypt(crypto_pk_t *env, char *to, size_t tolen, const char *from, size_t fromlen, int padding, int warnOnFailure); -int crypto_pk_public_checksig(const crypto_pk_t *env, char *to, size_t tolen, - const char *from, size_t fromlen); -int crypto_pk_public_checksig_digest(crypto_pk_t *env, const char *data, - size_t datalen, const char *sig, size_t siglen); +MOCK_DECL(int, crypto_pk_public_checksig,(const crypto_pk_t *env, + char *to, size_t tolen, + const char *from, size_t fromlen)); +MOCK_DECL(int, crypto_pk_public_checksig_digest,(crypto_pk_t *env, + const char *data, size_t datalen, + const char *sig, size_t siglen)); int crypto_pk_private_sign(const crypto_pk_t *env, char *to, size_t tolen, const char *from, size_t fromlen); int crypto_pk_private_sign_digest(crypto_pk_t *env, char *to, size_t tolen, diff --git a/src/common/crypto_ed25519.c b/src/common/crypto_ed25519.c index 8977e7a..525d25a 100644 --- a/src/common/crypto_ed25519.c +++ b/src/common/crypto_ed25519.c @@ -15,6 +15,7 @@ * keys to and from the corresponding Curve25519 keys. */ +#define CRYPTO_ED25519_PRIVATE #include "orconfig.h" #ifdef HAVE_SYS_STAT_H #include <sys/stat.h> @@ -34,7 +35,6 @@ #include <openssl/sha.h> static void pick_ed25519_impl(void); -static int ed25519_impl_spot_check(void); /** An Ed25519 implementation, as a set of function pointers. */ typedef struct { @@ -308,10 +308,10 @@ ed25519_sign_prefixed,(ed25519_signature_t *signature_out, * * Return 0 if the signature is valid; -1 if it isn't. */ -int -ed25519_checksig(const ed25519_signature_t *signature, - const uint8_t *msg, size_t len, - const ed25519_public_key_t *pubkey) +MOCK_IMPL(int, +ed25519_checksig,(const ed25519_signature_t *signature, + const uint8_t *msg, size_t len, + const ed25519_public_key_t *pubkey)) { return get_ed_impl()->open(signature->sig, msg, len, pubkey->pubkey) < 0 ? -1 : 0; @@ -354,10 +354,10 @@ ed25519_checksig_prefixed(const ed25519_signature_t *signature, * was valid. Otherwise return -N, where N is the number of invalid * signatures. */ -int -ed25519_checksig_batch(int *okay_out, - const ed25519_checkable_t *checkable, - int n_checkable) +MOCK_IMPL(int, +ed25519_checksig_batch,(int *okay_out, + const ed25519_checkable_t *checkable, + int n_checkable)) { int i, res; const ed25519_impl_t *impl = get_ed_impl(); @@ -642,8 +642,8 @@ ed25519_pubkey_copy(ed25519_public_key_t *dest, /** Check whether the given Ed25519 implementation seems to be working. * If so, return 0; otherwise return -1. */ -static int -ed25519_impl_spot_check(void) +MOCK_IMPL(STATIC int, +ed25519_impl_spot_check,(void)) { static const uint8_t alicesk[32] = { 0xc5,0xaa,0x8d,0xf4,0x3f,0x9f,0x83,0x7b, diff --git a/src/common/crypto_ed25519.h b/src/common/crypto_ed25519.h index 56782cc..f4a4ada 100644 --- a/src/common/crypto_ed25519.h +++ b/src/common/crypto_ed25519.h @@ -51,9 +51,9 @@ int ed25519_keypair_generate(ed25519_keypair_t *keypair_out, int extra_strong); int ed25519_sign(ed25519_signature_t *signature_out, const uint8_t *msg, size_t len, const ed25519_keypair_t *key); -int ed25519_checksig(const ed25519_signature_t *signature, - const uint8_t *msg, size_t len, - const ed25519_public_key_t *pubkey); +MOCK_DECL(int,ed25519_checksig,(const ed25519_signature_t *signature, + const uint8_t *msg, size_t len, + const ed25519_public_key_t *pubkey)); MOCK_DECL(int, ed25519_sign_prefixed,(ed25519_signature_t *signature_out, @@ -84,9 +84,9 @@ typedef struct { size_t len; } ed25519_checkable_t; -int ed25519_checksig_batch(int *okay_out, - const ed25519_checkable_t *checkable, - int n_checkable); +MOCK_DECL(int, ed25519_checksig_batch,(int *okay_out, + const ed25519_checkable_t *checkable, + int n_checkable)); int ed25519_keypair_from_curve25519_keypair(ed25519_keypair_t *out, int *signbit_out, @@ -132,5 +132,9 @@ void crypto_ed25519_testing_force_impl(const char *name); void crypto_ed25519_testing_restore_impl(void); #endif +#ifdef CRYPTO_ED25519_PRIVATE +MOCK_DECL(STATIC int, ed25519_impl_spot_check, (void)); +#endif + #endif diff --git a/src/or/routerkeys.c b/src/or/routerkeys.c index 51802b1..6cc75ed 100644 --- a/src/or/routerkeys.c +++ b/src/or/routerkeys.c @@ -1207,12 +1207,12 @@ make_tap_onion_key_crosscert(const crypto_pk_t *onion_key, /** Check whether an RSA-TAP cross-certification is correct. Return 0 if it * is, -1 if it isn't. */ -int -check_tap_onion_key_crosscert(const uint8_t *crosscert, - int crosscert_len, - const crypto_pk_t *onion_pkey, - const ed25519_public_key_t *master_id_pkey, - const uint8_t *rsa_id_digest) +MOCK_IMPL(int, +check_tap_onion_key_crosscert,(const uint8_t *crosscert, + int crosscert_len, + const crypto_pk_t *onion_pkey, + const ed25519_public_key_t *master_id_pkey, + const uint8_t *rsa_id_digest)) { uint8_t *cc = tor_malloc(crypto_pk_keysize(onion_pkey)); int cc_len = diff --git a/src/or/routerkeys.h b/src/or/routerkeys.h index 98894cd..d2027f4 100644 --- a/src/or/routerkeys.h +++ b/src/or/routerkeys.h @@ -57,11 +57,11 @@ uint8_t *make_tap_onion_key_crosscert(const crypto_pk_t *onion_key, const crypto_pk_t *rsa_id_key, int *len_out); -int check_tap_onion_key_crosscert(const uint8_t *crosscert, +MOCK_DECL(int, check_tap_onion_key_crosscert,(const uint8_t *crosscert, int crosscert_len, const crypto_pk_t *onion_pkey, const ed25519_public_key_t *master_id_pkey, - const uint8_t *rsa_id_digest); + const uint8_t *rsa_id_digest)); int load_ed_keys(const or_options_t *options, time_t now); int should_make_new_ed_keys(const or_options_t *options, const time_t now); diff --git a/src/or/routerparse.c b/src/or/routerparse.c index d763a63..5fd2e08 100644 --- a/src/or/routerparse.c +++ b/src/or/routerparse.c @@ -863,8 +863,8 @@ dump_desc_populate_fifo_from_directory(const char *dirname) * type *type to file $DATADIR/unparseable-desc. Do not write more * than one descriptor to disk per minute. If there is already such a * file in the data directory, overwrite it. */ -STATIC void -dump_desc(const char *desc, const char *type) +MOCK_IMPL(STATIC void, +dump_desc,(const char *desc, const char *type)) { tor_assert(desc); tor_assert(type); @@ -4508,13 +4508,24 @@ router_get_hash_impl(const char *s, size_t s_len, char *digest, &start,&end)<0) return -1; + return router_compute_hash_final(digest, start, end-start, alg); +} + +/** Compute the digest of the len-byte directory object at + * start, using alg. Store the result in digest, which + * must be long enough to hold it. */ +MOCK_IMPL(STATIC int, +router_compute_hash_final,(char *digest, + const char *start, size_t len, + digest_algorithm_t alg)) +{ if (alg == DIGEST_SHA1) { - if (crypto_digest(digest, start, end-start) < 0) { + if (crypto_digest(digest, start, len) < 0) { log_warn(LD_BUG,"couldn't compute digest"); return -1; } } else { - if (crypto_digest256(digest, start, end-start, alg) < 0) { + if (crypto_digest256(digest, start, len, alg) < 0) { log_warn(LD_BUG,"couldn't compute digest"); return -1; } diff --git a/src/or/routerparse.h b/src/or/routerparse.h index 9a3fadc..a461d67 100644 --- a/src/or/routerparse.h +++ b/src/or/routerparse.h @@ -110,7 +110,6 @@ STATIC int routerstatus_parse_guardfraction(const char *guardfraction_str, MOCK_DECL(STATIC dumped_desc_t *, dump_desc_populate_one_file, (const char *dirname, const char *f)); STATIC void dump_desc_populate_fifo_from_directory(const char *dirname); -STATIC void dump_desc(const char *desc, const char *type); STATIC void dump_desc_fifo_cleanup(void); struct memarea_t; STATIC routerstatus_t *routerstatus_parse_entry_from_string( @@ -120,6 +119,10 @@ STATIC routerstatus_t *routerstatus_parse_entry_from_string( vote_routerstatus_t *vote_rs, int consensus_method, consensus_flavor_t flav); +MOCK_DECL(STATIC void,dump_desc,(const char *desc, const char *type)); +MOCK_DECL(STATIC int, router_compute_hash_final,(char *digest, + const char *start, size_t len, + digest_algorithm_t alg)); #endif #define ED_DESC_SIGNATURE_PREFIX "Tor router descriptor signature v1"

1 0