From b1567cf500044be4d6c97e4ef65345acb4aa70ff Mon Sep 17 00:00:00 2001
From: Nick Mathewson <nickm@torproject.org>
Date: Mon, 19 Dec 2016 15:11:27 -0500
Subject: [PATCH] Three more fuzzers: consensus, hsdesc, intro points

---
 src/or/routerparse.c           |  9 +++-
 src/or/routerparse.h           |  2 +
 src/test/fuzz/dict/consensus   | 52 +++++++++++++++++++++++
 src/test/fuzz/dict/hsdescv2    |  8 ++++
 src/test/fuzz/dict/iptsv2      |  6 +++
 src/test/fuzz/fuzz_consensus.c | 78 ++++++++++++++++++++++++++++++++++
 src/test/fuzz/fuzz_hsdescv2.c  | 52 +++++++++++++++++++++++
 src/test/fuzz/fuzz_iptsv2.c    | 46 ++++++++++++++++++++
 8 files changed, 252 insertions(+), 1 deletion(-)
 create mode 100644 src/test/fuzz/dict/consensus
 create mode 100644 src/test/fuzz/dict/hsdescv2
 create mode 100644 src/test/fuzz/dict/iptsv2
 create mode 100644 src/test/fuzz/fuzz_consensus.c
 create mode 100644 src/test/fuzz/fuzz_hsdescv2.c
 create mode 100644 src/test/fuzz/fuzz_iptsv2.c

diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 5fd2e0829..0aa953cc5 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -1172,6 +1172,12 @@ tor_version_is_obsolete(const char *myversion, const char *versionlist)
   return ret;
 }
 
+MOCK_IMPL(STATIC int,
+signed_digest_equals, (const uint8_t *d1, const uint8_t *d2, size_t len))
+{
+  return tor_memeq(d1, d2, len);
+}
+
 /** Check whether the object body of the token in <b>tok</b> has a good
  * signature for <b>digest</b> using key <b>pkey</b>.
  * If <b>CST_NO_CHECK_OBJTYPE</b> is set, do not check
@@ -1214,7 +1220,8 @@ check_signature_token(const char *digest,
   }
   //  log_debug(LD_DIR,"Signed %s hash starts %s", doctype,
   //            hex_str(signed_digest,4));
-  if (tor_memneq(digest, signed_digest, digest_len)) {
+  if (! signed_digest_equals((const uint8_t *)digest,
+                             (const uint8_t *)signed_digest, digest_len)) {
     log_warn(LD_DIR, "Error reading %s: signature does not match.", doctype);
     tor_free(signed_digest);
     return -1;
diff --git a/src/or/routerparse.h b/src/or/routerparse.h
index a461d6794..8eea989e3 100644
--- a/src/or/routerparse.h
+++ b/src/or/routerparse.h
@@ -123,6 +123,8 @@ MOCK_DECL(STATIC void,dump_desc,(const char *desc, const char *type));
 MOCK_DECL(STATIC int, router_compute_hash_final,(char *digest,
                            const char *start, size_t len,
                            digest_algorithm_t alg));
+MOCK_DECL(STATIC int, signed_digest_equals,
+          (const uint8_t *d1, const uint8_t *d2, size_t len));
 #endif
 
 #define ED_DESC_SIGNATURE_PREFIX "Tor router descriptor signature v1"
diff --git a/src/test/fuzz/dict/consensus b/src/test/fuzz/dict/consensus
new file mode 100644
index 000000000..3fcd9ee7f
--- /dev/null
+++ b/src/test/fuzz/dict/consensus
@@ -0,0 +1,52 @@
+"a"
+"additional-digest"
+"additional-signature"
+"bandwidth-weights"
+"client-versions"
+"consensus-digest"
+"consensus-method"
+"consensus-methods"
+"contact"
+"dir-address"
+"directory-footer"
+"directory-signature"
+"dir-identity-key"
+"dir-key-certificate-version"
+"dir-key-certification"
+"dir-key-crosscert"
+"dir-key-expires"
+"dir-key-published"
+"dir-signing-key"
+"dir-source"
+"fingerprint"
+"fresh-until"
+"id"
+"known-flags"
+"legacy-dir-key"
+"m"
+"network-status-version"
+"opt"
+"p"
+"package"
+"params"
+"pr"
+"published"
+"r"
+"recommended-client-protocols"
+"recommended-relay-protocols"
+"required-client-protocols"
+"required-relay-protocols"
+"s"
+"server-versions"
+"shared-rand-commit"
+"shared-rand-current-value"
+"shared-rand-participate"
+"shared-rand-previous-value"
+"signing-ed25519"
+"v"
+"valid-after"
+"valid-until"
+"vote-digest"
+"vote-status"
+"voting-delay"
+"w"
diff --git a/src/test/fuzz/dict/hsdescv2 b/src/test/fuzz/dict/hsdescv2
new file mode 100644
index 000000000..48788301d
--- /dev/null
+++ b/src/test/fuzz/dict/hsdescv2
@@ -0,0 +1,8 @@
+"introduction-points"
+"permanent-key"
+"protocol-versions"
+"publication-time"
+"rendezvous-service-descriptor"
+"secret-id-part"
+"signature"
+"version"
diff --git a/src/test/fuzz/dict/iptsv2 b/src/test/fuzz/dict/iptsv2
new file mode 100644
index 000000000..57791c5e3
--- /dev/null
+++ b/src/test/fuzz/dict/iptsv2
@@ -0,0 +1,6 @@
+"introduction-point"
+"ip-address"
+"onion-port"
+"onion-key"
+"service-key"
+
diff --git a/src/test/fuzz/fuzz_consensus.c b/src/test/fuzz/fuzz_consensus.c
new file mode 100644
index 000000000..f5d22f69a
--- /dev/null
+++ b/src/test/fuzz/fuzz_consensus.c
@@ -0,0 +1,78 @@
+/* Copyright (c) 2016, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+#define ROUTERPARSE_PRIVATE
+#include "or.h"
+#include "routerparse.h"
+#include "networkstatus.h"
+#include "fuzzing.h"
+
+static void
+mock_dump_desc__nodump(const char *desc, const char *type)
+{
+  (void)desc;
+  (void)type;
+}
+
+static int
+mock_router_produce_hash_final__nohash(char *digest,
+                                       const char *start, size_t len,
+                                       digest_algorithm_t alg)
+{
+  (void)start;
+  (void)len;
+  /* we could look at start[..] */
+  if (alg == DIGEST_SHA1)
+    memset(digest, 0x01, 20);
+  else
+    memset(digest, 0x02, 32);
+  return 0;
+}
+
+static int
+mock_signed_digest_equals__yes(const uint8_t *d1, const uint8_t *d2,
+                               size_t len)
+{
+  (void) tor_memeq(d1, d2, len);
+  return 1;
+}
+
+int
+fuzz_init(void)
+{
+  disable_signature_checking();
+  MOCK(dump_desc, mock_dump_desc__nodump);
+  MOCK(router_compute_hash_final, mock_router_produce_hash_final__nohash);
+  MOCK(signed_digest_equals, mock_signed_digest_equals__yes);
+  ed25519_init();
+  return 0;
+}
+
+int
+fuzz_cleanup(void)
+{
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *data, size_t sz)
+{
+  networkstatus_t *ns;
+  char *str = tor_memdup_nulterm(data, sz);
+  const char *eos = NULL;
+  networkstatus_type_t tp = NS_TYPE_CONSENSUS;
+  if (tor_memstr(data, MIN(sz, 1024), "tus vote"))
+    tp = NS_TYPE_VOTE;
+  const char *what = (tp == NS_TYPE_CONSENSUS) ? "consensus" : "vote";
+  ns = networkstatus_parse_vote_from_string(str,
+                                            &eos,
+                                            tp);
+  if (ns) {
+    log_debug(LD_GENERAL, "Parsing as %s okay", what);
+    networkstatus_vote_free(ns);
+  } else {
+    log_debug(LD_GENERAL, "Parsing as %s failed", what);
+  }
+  tor_free(str);
+  return 0;
+}
+
diff --git a/src/test/fuzz/fuzz_hsdescv2.c b/src/test/fuzz/fuzz_hsdescv2.c
new file mode 100644
index 000000000..53b7cbe2f
--- /dev/null
+++ b/src/test/fuzz/fuzz_hsdescv2.c
@@ -0,0 +1,52 @@
+/* Copyright (c) 2016, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+#define ROUTERPARSE_PRIVATE
+#include "or.h"
+#include "routerparse.h"
+#include "rendcommon.h"
+#include "fuzzing.h"
+
+static void
+mock_dump_desc__nodump(const char *desc, const char *type)
+{
+  (void)desc;
+  (void)type;
+}
+
+int
+fuzz_init(void)
+{
+  disable_signature_checking();
+  MOCK(dump_desc, mock_dump_desc__nodump);
+  ed25519_init();
+  return 0;
+}
+
+int
+fuzz_cleanup(void)
+{
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *data, size_t sz)
+{
+  rend_service_descriptor_t *desc = NULL;
+  char desc_id[64];
+  char *ipts = NULL;
+  size_t ipts_size, esize;
+  const char *next;
+  char *str = tor_memdup_nulterm(data, sz);
+  (void) rend_parse_v2_service_descriptor(&desc, desc_id, &ipts, &ipts_size,
+                                          &esize, &next, str, 1);
+  if (desc) {
+    log_debug(LD_GENERAL, "Parsing okay");
+    rend_service_descriptor_free(desc);
+  } else {
+    log_debug(LD_GENERAL, "Parsing failed");
+  }
+  tor_free(ipts);
+  tor_free(str);
+  return 0;
+}
+
diff --git a/src/test/fuzz/fuzz_iptsv2.c b/src/test/fuzz/fuzz_iptsv2.c
new file mode 100644
index 000000000..341d4880b
--- /dev/null
+++ b/src/test/fuzz/fuzz_iptsv2.c
@@ -0,0 +1,46 @@
+/* Copyright (c) 2016, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+#define ROUTERPARSE_PRIVATE
+#include "or.h"
+#include "routerparse.h"
+#include "rendcommon.h"
+#include "fuzzing.h"
+
+static void
+mock_dump_desc__nodump(const char *desc, const char *type)
+{
+  (void)desc;
+  (void)type;
+}
+
+int
+fuzz_init(void)
+{
+  disable_signature_checking();
+  MOCK(dump_desc, mock_dump_desc__nodump);
+  ed25519_init();
+  return 0;
+}
+
+int
+fuzz_cleanup(void)
+{
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *data, size_t sz)
+{
+  rend_service_descriptor_t *desc =
+    tor_malloc_zero(sizeof(rend_service_descriptor_t));
+  const char *str = (const char*) data;
+  int r = rend_parse_introduction_points(desc, str, sz);
+  if (r >= 0) {
+    log_debug(LD_GENERAL, "Parsing okay: %d", r);
+  } else {
+    log_debug(LD_GENERAL, "Parsing failed");
+  }
+  rend_service_descriptor_free(desc);
+  return 0;
+}
+