Add cashu fuzzing target

Author: TheBlueMatt

fuzz/src/bin/cashu_target.rs

@@ -0,0 +1,116 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+// This file is auto-generated by gen_target.sh based on target_template.txt
+// To modify it, modify target_template.txt and run gen_target.sh instead.
+
+#![cfg_attr(feature = "libfuzzer_fuzz", no_main)]
+#![cfg_attr(rustfmt, rustfmt_skip)]
+
+#[cfg(not(fuzzing))]
+compile_error!("Fuzz targets need cfg=fuzzing");
+
+#[cfg(not(hashes_fuzz))]
+compile_error!("Fuzz targets need cfg=hashes_fuzz");
+
+#[cfg(not(secp256k1_fuzz))]
+compile_error!("Fuzz targets need cfg=secp256k1_fuzz");
+
+extern crate fuzz;
+use fuzz::cashu::*;
+
+#[cfg(feature = "afl")]
+#[macro_use] extern crate afl;
+#[cfg(feature = "afl")]
+fn main() {
+	fuzz!(|data| {
+		cashu_run(data.as_ptr(), data.len());
+	});
+}
+
+#[cfg(feature = "honggfuzz")]
+#[macro_use] extern crate honggfuzz;
+#[cfg(feature = "honggfuzz")]
+fn main() {
+	loop {
+		fuzz!(|data| {
+			cashu_run(data.as_ptr(), data.len());
+		});
+	}
+}
+
+#[cfg(feature = "libfuzzer_fuzz")]
+#[macro_use] extern crate libfuzzer_sys;
+#[cfg(feature = "libfuzzer_fuzz")]
+fuzz_target!(|data: &[u8]| {
+	cashu_run(data.as_ptr(), data.len());
+});
+
+#[cfg(feature = "stdin_fuzz")]
+fn main() {
+	use std::io::Read;
+
+	let mut data = Vec::with_capacity(8192);
+	std::io::stdin().read_to_end(&mut data).unwrap();
+	cashu_run(data.as_ptr(), data.len());
+}
+
+#[test]
+fn run_test_cases() {
+	use std::fs;
+	use std::io::Read;
+
+	use std::sync::{atomic, Arc};
+	{
+		let data: Vec<u8> = vec![0];
+		cashu_run(data.as_ptr(), data.len());
+	}
+	let mut threads = Vec::new();
+	let threads_running = Arc::new(atomic::AtomicUsize::new(0));
+	if let Ok(tests) = fs::read_dir("test_cases/cashu") {
+		for test in tests {
+			let mut data: Vec<u8> = Vec::new();
+			let path = test.unwrap().path();
+			fs::File::open(&path).unwrap().read_to_end(&mut data).unwrap();
+			threads_running.fetch_add(1, atomic::Ordering::AcqRel);
+
+			let thread_count_ref = Arc::clone(&threads_running);
+			let main_thread_ref = std::thread::current();
+			threads.push((path.file_name().unwrap().to_str().unwrap().to_string(),
+				std::thread::spawn(move || {
+					let res = if ::std::panic::catch_unwind(move || {
+						cashu_test(&data);
+					}).is_err() {
+						Some(String::new())
+					} else { None };
+					thread_count_ref.fetch_sub(1, atomic::Ordering::AcqRel);
+					main_thread_ref.unpark();
+					res
+				})
+			));
+			while threads_running.load(atomic::Ordering::Acquire) > 32 {
+				std::thread::park();
+			}
+		}
+	}
+	let mut failed_outputs = Vec::new();
+	for (test, thread) in threads.drain(..) {
+		if let Some(output) = thread.join().unwrap() {
+			println!("\nOutput of {}:\n{}\n", test, output);
+			failed_outputs.push(test);
+		}
+	}
+	if !failed_outputs.is_empty() {
+		println!("Test cases which failed: ");
+		for case in failed_outputs {
+			println!("{}", case);
+		}
+		panic!();
+	}
+}

fuzz/src/bin/gen_target.sh

@@ -6,4 +6,5 @@ GEN_TEST() {
 	echo "void $1_run(const unsigned char* data, size_t data_len);" >> ../../targets.h
 }
 
+GEN_TEST cashu
 GEN_TEST parse

fuzz/src/cashu.rs

@@ -0,0 +1,36 @@
+// This file is Copyright its original authors, visible in version control
+// history.
+//
+// This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
+// or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
+// <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
+// You may not use this file except in accordance with one or both of these
+// licenses.
+
+//! We have quite a bit of logic in our cashu instruction decoder which is hard to reach from the
+//! outside because of the bech32 checksum. Instead, here, we fuzz it directly skipping the bech32
+//! check.
+
+use bitcoin_payment_instructions::cashu::*;
+
+#[inline]
+pub fn do_test(mut data: &[u8]) {
+	if let Ok(req) = CashuPaymentRequest::from_bytes_fuzzy(data) {
+		match req.to_bech32_string() {
+			Ok(reencoded) => {
+				let re_decoded = CashuPaymentRequest::from_bech32_string(&reencoded).unwrap();
+				assert_eq!(re_decoded, req);
+			},
+			Err(e) => assert_eq!(e, Error::Bech32),
+		}
+	}
+}
+
+pub fn cashu_test(data: &[u8]) {
+	do_test(data);
+}
+
+#[no_mangle]
+pub extern "C" fn cashu_run(data: *const u8, datalen: usize) {
+	do_test(unsafe { std::slice::from_raw_parts(data, datalen) });
+}

fuzz/src/lib.rs

@@ -10,4 +10,5 @@
 extern crate bitcoin;
 extern crate bitcoin_payment_instructions;
 
+pub mod cashu;
 pub mod parse;

fuzz/targets.h

@@ -1,2 +1,3 @@
 #include <stdint.h>
+void cashu_run(const unsigned char* data, size_t data_len);
 void parse_run(const unsigned char* data, size_t data_len);

src/cashu.rs

@@ -608,6 +608,12 @@ impl CashuPaymentRequest {
 		Self::from_bech32_bytes(&data)
 	}
 
+	#[cfg(fuzzing)]
+	/// Decode from a byte array so the fuzzer can bypass bech32
+	pub fn from_bytes_fuzzy(bytes: &[u8]) -> Result<CashuPaymentRequest, Error> {
+		Self::from_bech32_bytes(bytes)
+	}
+
 	/// Decode from TLV bytes
 	fn from_bech32_bytes(bytes: &[u8]) -> Result<CashuPaymentRequest, Error> {
 		let mut reader = TlvReader::new(bytes);