CryptoAuthFuzz.c 12 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374
  1. /* vim: set expandtab ts=4 sw=4: */
  2. /*
  3. * You may redistribute this program and/or modify it under the terms of
  4. * the GNU General Public License as published by the Free Software Foundation,
  5. * either version 3 of the License, or (at your option) any later version.
  6. *
  7. * This program is distributed in the hope that it will be useful,
  8. * but WITHOUT ANY WARRANTY; without even the implied warranty of
  9. * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  10. * GNU General Public License for more details.
  11. *
  12. * You should have received a copy of the GNU General Public License
  13. * along with this program. If not, see <https://www.gnu.org/licenses/>.
  14. */
  15. #include "crypto/test/CryptoAuthFuzz.h"
  16. #include "crypto/random/Random.h"
  17. #include "crypto/test/TestCa.h"
  18. #include "benc/String.h"
  19. #include "memory/MallocAllocator.h"
  20. #include "util/events/EventBase.h"
  21. #include "util/Assert.h"
  22. #include "util/Bits.h"
  23. #include "util/Hex.h"
  24. #include "util/Endian.h"
  25. #include "util/log/FileWriterLog.h"
  26. #include "crypto/random/test/DeterminentRandomSeed.h"
  27. #include "crypto/random/Random.h"
  28. #include "crypto/AddressCalc.h"
  29. #include "crypto/CryptoAuth.h"
  30. struct DelayedMsg {
  31. struct Message* msg;
  32. struct DelayedMsg* next;
  33. struct Allocator* alloc;
  34. /** The relevant node's sendCounter must be this much for the packet to be forwarded */
  35. int sendAfter;
  36. };
  37. struct Context;
  38. struct Node {
  39. TestCa_t* ca;
  40. TestCa_Session_t* session;
  41. struct Iface plaintext;
  42. struct Iface ciphertext;
  43. struct DelayedMsg* delayedMsgs;
  44. int sendCounter;
  45. uint8_t pubKey[32];
  46. struct Context* ctx;
  47. Identity
  48. };
  49. struct Context {
  50. struct Node nodeA;
  51. struct Node nodeB;
  52. struct Allocator* alloc;
  53. struct Random* rand;
  54. struct Log* log;
  55. /** Number of messages which make back and forth *while* both CAs are in ESTABLISHED state. */
  56. int successMessageCount;
  57. Identity
  58. };
  59. // Increase this number to make the fuzz test run longer.
  60. #define QUICK_CYCLES 20
  61. #define SLOW_CYCLES 7500
  62. #define PACKETS 500000
  63. #define SUCCESS_MESSAGES_REQUIRED 5
  64. #define logNode(ctx, node, format, ...) \
  65. if (node == &ctx->nodeA) { \
  66. Log_debug((ctx)->log, "(nodeA) " format, __VA_ARGS__); \
  67. } else { \
  68. Log_debug((ctx)->log, "(nodeB) " format, __VA_ARGS__); \
  69. }
  70. #define logNode0(ctx, node, format) logNode((ctx), (node), "%s", (format))
  71. static bool maybe(struct Context* ctx, uint32_t chanceIsOneInWhat)
  72. {
  73. return Random_uint16(ctx->rand) < (65535 / chanceIsOneInWhat);
  74. }
  75. static void resetNode(struct Context* ctx, struct Node* node)
  76. {
  77. logNode0(ctx, node, "RESET");
  78. TestCa_reset(node->session);
  79. }
  80. /**
  81. * Mutable bit is any bit for which the CryptoAuth does not promise to fail any packet
  82. * where that bit has been flipped on the wire.
  83. */
  84. #define HIGHEST_MUTIBLE_BIT 127
  85. static bool isMutableBit(int bitNum)
  86. {
  87. // difference between HELLO and REPEAT HELLO which are usually interchangable
  88. if (bitNum == 31) {
  89. return true;
  90. }
  91. // Bytes between authType and end of auth header are mutable
  92. if (bitNum >= 40 && bitNum <= HIGHEST_MUTIBLE_BIT) {
  93. return true;
  94. }
  95. // wtf why?
  96. if (bitNum == 568) {
  97. return true;
  98. }
  99. return false;
  100. }
  101. static void flipBit(struct Message* msg, uint32_t bitNum)
  102. {
  103. Assert_true(Message_getLength(msg) * 8 > (int)bitNum);
  104. msg->msgbytes[bitNum / 8] ^= 128 >> (bitNum % 8);
  105. }
  106. static void flipMutableBit(struct Context* ctx, struct Node* from, struct Message* msg)
  107. {
  108. uint32_t bitNum;
  109. do {
  110. bitNum = Random_uint8(ctx->rand) % (HIGHEST_MUTIBLE_BIT + 1);
  111. } while (!isMutableBit(bitNum));
  112. logNode(ctx, from, "FLIPPING MUTABLE BIT %u", bitNum);
  113. flipBit(msg, bitNum);
  114. }
  115. static void flipImmutableBit(struct Context* ctx, struct Node* from, struct Message* msg)
  116. {
  117. uint32_t bitNum;
  118. do {
  119. bitNum = Random_uint16(ctx->rand) % (Message_getLength(msg) * 8);
  120. } while (isMutableBit(bitNum));
  121. logNode(ctx, from, "FLIPPING IMMUTABLE BIT %u", bitNum);
  122. flipBit(msg, bitNum);
  123. }
  124. static int queuedMessageCount(struct Node* node)
  125. {
  126. int i = 0;
  127. for (struct DelayedMsg* dm = node->delayedMsgs; dm; dm = dm->next) {
  128. Assert_true(!dm->next || dm->next->sendAfter >= dm->sendAfter);
  129. i++;
  130. }
  131. return i;
  132. }
  133. static void duplicate(struct Context* ctx, struct Node* from, struct Message* msg)
  134. {
  135. if (queuedMessageCount(from) > 500) {
  136. logNode0(ctx, from, "OOM can't duplicate");
  137. return;
  138. }
  139. logNode0(ctx, from, "DUPLICATE");
  140. struct Allocator* alloc = Allocator_child(ctx->alloc);
  141. struct DelayedMsg* delayed = Allocator_calloc(alloc, sizeof(struct DelayedMsg), 1);
  142. delayed->msg = Message_clone(msg, alloc);
  143. delayed->next = from->delayedMsgs;
  144. from->delayedMsgs = delayed;
  145. delayed->alloc = alloc;
  146. }
  147. static void delay(struct Context* ctx, struct Node* from, struct Message* msg, int afterMsgs)
  148. {
  149. if (queuedMessageCount(from) > 500) {
  150. logNode0(ctx, from, "OOM can't delay (drop instead)");
  151. return;
  152. }
  153. logNode(ctx, from, "DELAY %d packets (ptr:%p)", afterMsgs, (void*)msg);
  154. struct Allocator* alloc = Allocator_child(ctx->alloc);
  155. struct DelayedMsg* delayed = Allocator_calloc(alloc, sizeof(struct DelayedMsg), 1);
  156. Allocator_adopt(alloc, Message_getAlloc(msg));
  157. delayed->msg = msg;
  158. delayed->sendAfter = from->sendCounter + afterMsgs;
  159. delayed->alloc = alloc;
  160. struct DelayedMsg** dp = &from->delayedMsgs;
  161. while (*dp && (*dp)->sendAfter < delayed->sendAfter) {
  162. dp = &(*dp)->next;
  163. }
  164. delayed->next = *dp;
  165. *dp = delayed;
  166. }
  167. static void sendFrom(struct Context* ctx, struct Node* from, struct Message* msg)
  168. {
  169. struct Node* to = (from == &ctx->nodeA) ? &ctx->nodeB : &ctx->nodeA;
  170. logNode0(ctx, from, "SEND");
  171. // 1/20 chance the packet is dropped
  172. if (maybe(ctx, 20)) {
  173. logNode0(ctx, from, "DROP");
  174. return;
  175. }
  176. // 1/10 chance the packet has a bit flipped which the cryptoauth is not guaranteed to fail
  177. if (maybe(ctx, 8)) { flipMutableBit(ctx, from, msg); }
  178. // 1/10 chance the packet is duplicated
  179. if (maybe(ctx, 10)) { duplicate(ctx, from, msg); }
  180. // 1/8 chance the packet is delayed for something between 1 and 8 packets
  181. if (maybe(ctx, 8)) {
  182. delay(ctx, from, msg, (Random_uint8(ctx->rand) % 8) + 1);
  183. return;
  184. }
  185. // 1/30 chance the packet has a bit flipped in a validated already
  186. bool flippedImmutable = false;
  187. if (maybe(ctx, 20)) {
  188. flipImmutableBit(ctx, from, msg);
  189. flippedImmutable = true;
  190. }
  191. Er_assert(Message_epushAd(msg, &flippedImmutable, sizeof flippedImmutable));
  192. Er_assert(Message_epush(msg, NULL, 16)); // peer ipv6
  193. Iface_send(&to->ciphertext, msg); // --> afterDecrypt (hopefully)
  194. }
  195. static bool sendQueued(struct Context* ctx, struct Node* fromNode)
  196. {
  197. if (!fromNode->delayedMsgs || fromNode->delayedMsgs->sendAfter > fromNode->sendCounter) {
  198. return false;
  199. }
  200. struct DelayedMsg* dmsg = fromNode->delayedMsgs;
  201. fromNode->delayedMsgs = dmsg->next;
  202. logNode(ctx, fromNode, "SENDING QUEUED (ptr:%p)", (void*)dmsg->msg);
  203. sendFrom(ctx, fromNode, dmsg->msg);
  204. Allocator_free(dmsg->alloc);
  205. return true;
  206. }
  207. static void mainLoop(struct Context* ctx)
  208. {
  209. for (int i = 0; i < PACKETS; i++) {
  210. if (ctx->successMessageCount > SUCCESS_MESSAGES_REQUIRED) { return; }
  211. if (maybe(ctx, 800)) {
  212. resetNode(ctx, &ctx->nodeA);
  213. } else if (maybe(ctx, 200)) {
  214. resetNode(ctx, &ctx->nodeB);
  215. }
  216. // Try to interleave if there are multiple to send on each side.
  217. while (sendQueued(ctx, maybe(ctx, 2) ? &ctx->nodeA : &ctx->nodeB)) ;
  218. while (sendQueued(ctx, &ctx->nodeA)) ;
  219. while (sendQueued(ctx, &ctx->nodeB)) ;
  220. struct Allocator* alloc = Allocator_child(ctx->alloc);
  221. struct Message* msg = Message_new(0, 512, alloc);
  222. Er_assert(Message_epush(msg, "hey", 4));
  223. Iface_send(&ctx->nodeA.plaintext, msg);
  224. //Assert_true(!TestCa_encrypt(ctx->nodeA.session, msg));
  225. //sendFrom(ctx, &ctx->nodeA, msg);
  226. Allocator_free(alloc);
  227. }
  228. Assert_failure("Nodes could not sync");
  229. }
  230. static Iface_DEFUN afterEncrypt(struct Message* msg, struct Iface* iface)
  231. {
  232. struct Node* n = Identity_containerOf(iface, struct Node, ciphertext);
  233. sendFrom(n->ctx, n, msg);
  234. return NULL;
  235. }
  236. static Iface_DEFUN afterDecrypt(struct Message* msg, struct Iface* iface)
  237. {
  238. bool flippedImmutable = false;
  239. Er_assert(Message_epopAd(msg, &flippedImmutable, sizeof flippedImmutable));
  240. struct Node* to = Identity_containerOf(iface, struct Node, plaintext);
  241. enum CryptoAuth_DecryptErr e = Er_assert(Message_epop32h(msg));
  242. if (!e) {
  243. Assert_true(!flippedImmutable);
  244. Assert_true(Message_getLength(msg) == 4 && !Bits_memcmp(msg->msgbytes, "hey", 4));
  245. if (to == &to->ctx->nodeB) {
  246. // 1/10 chance the node decides not to reply.
  247. if (maybe(to->ctx, 10)) {
  248. return NULL;
  249. }
  250. //Assert_true(!TestCa_encrypt(to->session, msg));
  251. to->sendCounter++;
  252. Iface_send(&to->plaintext, msg);
  253. //sendFrom(ctx, to, msg);
  254. } else if (TestCa_getState(to->ctx->nodeA.session) == RTypes_CryptoAuth_State_t_Established &&
  255. TestCa_getState(to->ctx->nodeB.session) == RTypes_CryptoAuth_State_t_Established)
  256. {
  257. to->ctx->successMessageCount++;
  258. }
  259. }
  260. return NULL;
  261. }
  262. #define PRIVATEKEY_A \
  263. Constant_stringForHex("53ff22b2eb94ce8c5f1852c0f557eb901f067e5273d541e0a21e143c20dff9da")
  264. #define PRIVATEKEY_B \
  265. Constant_stringForHex("b71c4f43e3d4b1879b5065d44a1cb43eaf07ddba96de6a72ca761c4ef4bd2988")
  266. void* CryptoAuthFuzz_init(struct Allocator* alloc, struct Random* rand, enum TestCa_Config cfg)
  267. {
  268. struct Context* ctx = Allocator_calloc(alloc, sizeof(struct Context), 1);
  269. Identity_set(ctx);
  270. Identity_set(&ctx->nodeA);
  271. Identity_set(&ctx->nodeB);
  272. struct EventBase* base = EventBase_new(alloc);
  273. ctx->alloc = alloc;
  274. uint8_t buf[64];
  275. Random_bytes(rand, buf, 64);
  276. Random_t* r0 = Random_newWithSeed(alloc, NULL, DeterminentRandomSeed_new(alloc, buf), NULL);
  277. Random_t* r1 = Random_newWithSeed(alloc, NULL, DeterminentRandomSeed_new(alloc, buf), NULL);
  278. ctx->nodeA.ca = TestCa_new(alloc, PRIVATEKEY_A, base, NULL, r0, r1, cfg);
  279. ctx->nodeB.ca = TestCa_new(alloc, PRIVATEKEY_B, base, NULL, r0, r1, cfg);
  280. TestCa_getPubKey(ctx->nodeA.ca, ctx->nodeA.pubKey);
  281. TestCa_getPubKey(ctx->nodeB.ca, ctx->nodeB.pubKey);
  282. ctx->nodeA.ctx = ctx;
  283. ctx->nodeA.ciphertext.send = afterEncrypt;
  284. ctx->nodeA.plaintext.send = afterDecrypt;
  285. ctx->nodeA.session = TestCa_newSession(
  286. ctx->nodeA.ca, alloc, ctx->nodeB.pubKey, false, "nodeA", true);
  287. Iface_plumb(&ctx->nodeA.ciphertext, &ctx->nodeA.session->ciphertext);
  288. Iface_plumb(&ctx->nodeA.plaintext, &ctx->nodeA.session->plaintext);
  289. ctx->nodeB.ctx = ctx;
  290. ctx->nodeB.ciphertext.send = afterEncrypt;
  291. ctx->nodeB.plaintext.send = afterDecrypt;
  292. ctx->nodeB.session = TestCa_newSession(
  293. ctx->nodeB.ca, alloc, ctx->nodeA.pubKey, false, "nodeB", true);
  294. Iface_plumb(&ctx->nodeB.ciphertext, &ctx->nodeB.session->ciphertext);
  295. Iface_plumb(&ctx->nodeB.plaintext, &ctx->nodeB.session->plaintext);
  296. return ctx;
  297. }
  298. void CryptoAuthFuzz_main(void* vctx, struct Message* fuzz)
  299. {
  300. struct Context* ctx = Identity_check((struct Context*) vctx);
  301. // This is not ideal, but this test was already written before AFL.
  302. RandomSeed_t* rs = DeterminentRandomSeed_new(ctx->alloc, fuzz->msgbytes);
  303. ctx->rand = Random_newWithSeed(ctx->alloc, NULL, rs, NULL);
  304. if (maybe(ctx, 2)) {
  305. TestCa_addUser_ipv6(String_CONST("pass"), String_CONST("user"), NULL, ctx->nodeB.ca);
  306. } else {
  307. uint8_t nodeAAddress[16];
  308. AddressCalc_addressForPublicKey(nodeAAddress, ctx->nodeA.pubKey);
  309. TestCa_addUser_ipv6(String_CONST("pass"),
  310. String_CONST("user"),
  311. nodeAAddress,
  312. ctx->nodeB.ca);
  313. }
  314. if (maybe(ctx, 3)) {
  315. // 33% chance of no authentication
  316. TestCa_removeUsers(ctx->nodeB.ca, String_CONST("user"));
  317. } else if (maybe(ctx, 2)) {
  318. // 33% chance of authType 2
  319. TestCa_setAuth(String_CONST("pass"), String_CONST("user"), ctx->nodeA.session);
  320. } else {
  321. // 33% chance of authType 1
  322. TestCa_setAuth(String_CONST("pass"), NULL, ctx->nodeA.session);
  323. }
  324. mainLoop(ctx);
  325. }