[WIP] Create POC for fuzzing payjoin

This commit adds fuzzing infrastructure for payjoin

Author: benalleng

Cargo-minimal.lock

@@ -152,6 +152,12 @@ version = "1.0.99"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
 
+[[package]]
+name = "arbitrary"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3d036a3c4ab069c7b410a2ce876bd74808d2d0888a82667669f8e783a898bf1"
+
 [[package]]
 name = "arraydeque"
 version = "0.5.1"
@@ -1920,6 +1926,16 @@ version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
 
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5037190e1f70cbeef565bd267599242926f724d3b8a9f510fd7e0b540cfa4404"
+dependencies = [
+ "arbitrary",
+ "cc",
+]
+
 [[package]]
 name = "libredox"
 version = "0.1.3"
@@ -2343,6 +2359,19 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "payjoin-fuzz"
+version = "0.0.0"
+dependencies = [
+ "bitcoin 0.32.7",
+ "bitcoin-ohttp",
+ "bitcoin_uri",
+ "libfuzzer-sys",
+ "payjoin",
+ "payjoin-test-utils",
+ "url",
+]
+
 [[package]]
 name = "payjoin-test-utils"
 version = "0.0.1"

Cargo-recent.lock

@@ -152,6 +152,12 @@ version = "1.0.99"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "b0674a1ddeecb70197781e945de4b3b8ffb61fa939a5597bcf48503737663100"
 
+[[package]]
+name = "arbitrary"
+version = "1.4.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c3d036a3c4ab069c7b410a2ce876bd74808d2d0888a82667669f8e783a898bf1"
+
 [[package]]
 name = "arraydeque"
 version = "0.5.1"
@@ -1920,6 +1926,16 @@ version = "0.2.174"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "1171693293099992e19cddea4e8b849964e9846f4acee11b3948bcc337be8776"
 
+[[package]]
+name = "libfuzzer-sys"
+version = "0.4.10"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "5037190e1f70cbeef565bd267599242926f724d3b8a9f510fd7e0b540cfa4404"
+dependencies = [
+ "arbitrary",
+ "cc",
+]
+
 [[package]]
 name = "libredox"
 version = "0.1.3"
@@ -2343,6 +2359,19 @@ dependencies = [
  "url",
 ]
 
+[[package]]
+name = "payjoin-fuzz"
+version = "0.0.0"
+dependencies = [
+ "bitcoin 0.32.7",
+ "bitcoin-ohttp",
+ "bitcoin_uri",
+ "libfuzzer-sys",
+ "payjoin",
+ "payjoin-test-utils",
+ "url",
+]
+
 [[package]]
 name = "payjoin-test-utils"
 version = "0.0.1"

Cargo.toml

@@ -1,5 +1,5 @@
 [workspace]
-members = ["payjoin", "payjoin-cli", "payjoin-directory", "payjoin-test-utils", "payjoin-ffi"]
+members = ["payjoin", "payjoin-cli", "payjoin-directory", "payjoin-test-utils", "payjoin-ffi", "fuzz"]
 resolver = "2"
 
 [patch.crates-io]

fuzz/.gitignore

@@ -0,0 +1,4 @@
+target
+corpus
+artifacts
+coverage

fuzz/Cargo.toml

@@ -0,0 +1,27 @@
+[package]
+name = "payjoin-fuzz"
+version = "0.0.0"
+publish = false
+edition = "2021"
+
+[package.metadata]
+cargo-fuzz = true
+
+[features]
+default = ["fuzzing"]
+fuzzing = []
+
+[dependencies]
+bitcoin = { version = "0.32.7", features = ["base64"] }
+bitcoin_uri = { version = "0.1.0" }
+payjoin = { version = "1.0.0-rc.0", default-features = false, features = ["_core", "v1", "v2"] }
+payjoin-test-utils = { path = "../payjoin-test-utils" }
+libfuzzer-sys = { version = "0.4.0" }
+ohttp = { package = "bitcoin-ohttp", version = "0.6.0" }
+url = { version = "2.5.4", default-features=false, features = ["serde"] }
+
+[[bin]]
+name = "uri_deserialize_pjuri"
+path = "fuzz_targets/uri/deserialize_pjuri.rs"
+test = false
+doc = false

fuzz/fuzz_targets/uri/deserialize_endpoint.rs

@@ -0,0 +1,75 @@
+#![no_main]
+
+#[cfg(feature = "fuzzing")]
+use libfuzzer_sys::fuzz_target;
+use ohttp::hpke::{Aead, Kdf, Kem};
+use ohttp::{KeyId, SymmetricSuite};
+use payjoin::{HpkeKeyPair, HpkePublicKey, OhttpKeys};
+use url::Url;
+
+fn do_test(data: &[u8]) {
+    let data_str = String::from_utf8_lossy(data);
+    let mut url = Url::parse("https://example.com").unwrap();
+
+    let serialized = "OH1QYPM5JXYNS754Y4R45QWE336QFX6ZR8DQGVQCULVZTV20TFVEYDMFQC";
+    const KEY_ID: KeyId = 1;
+    const KEM: Kem = Kem::K256Sha256;
+    const SYMMETRIC: &[SymmetricSuite] =
+        &[ohttp::SymmetricSuite::new(Kdf::HkdfSha256, Aead::ChaCha20Poly1305)];
+    let ohttp_keys = OhttpKeys(ohttp::KeyConfig::new(KEY_ID, KEM, Vec::from(SYMMETRIC)).unwrap());
+    //let ohttp_keys = OhttpKeys::from_str(serialized).unwrap();
+    url.set_ohttp(ohttp_keys.clone());
+    assert_eq!(url.fragment(), Some(serialized));
+
+    let receiver_pubkey = HpkeKeyPair::gen_keypair().1;
+    url.set_receiver_pubkey(receiver_pubkey);
+
+    let exp_time = std::time::SystemTime::UNIX_EPOCH + std::time::Duration::from_secs(1720547781);
+    url.set_exp(exp_time);
+
+    let compressed_receiver_pubkey = match url.receiver_pubkey() {
+        Ok(rpk) => rpk.to_compressed_bytes(),
+        Err(_) => return,
+    };
+    let receiver_pubkey_roundtrip =
+        match HpkePublicKey::from_compressed_bytes(&compressed_receiver_pubkey) {
+            Ok(rpk) => rpk.0,
+            Err(_) => return,
+        };
+
+    assert_eq!(url.ohttp().unwrap(), ohttp_keys);
+    assert_eq!(url.receiver_pubkey().unwrap().0, receiver_pubkey_roundtrip);
+    assert_eq!(url.exp().unwrap(), exp_time);
+}
+
+#[cfg(feature = "fuzzing")]
+fuzz_target!(|data| {
+    do_test(data);
+});
+
+#[cfg(test)]
+mod tests {
+    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+        let mut b = 0;
+        for (idx, c) in hex.as_bytes().iter().enumerate() {
+            b <<= 4;
+            match *c {
+                b'A'..=b'F' => b |= c - b'A' + 10,
+                b'a'..=b'f' => b |= c - b'a' + 10,
+                b'0'..=b'9' => b |= c - b'0',
+                _ => panic!("Bad hex"),
+            }
+            if (idx & 1) == 1 {
+                out.push(b);
+                b = 0;
+            }
+        }
+    }
+
+    #[test]
+    fn duplicate_crash() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("00000000", &mut a);
+        super::do_test(&a);
+    }
+}

fuzz/fuzz_targets/uri/deserialize_pjuri.rs

@@ -0,0 +1,70 @@
+#![no_main]
+
+use std::any::{Any, TypeId};
+
+use bitcoin::Amount;
+use bitcoin_uri::Param;
+#[cfg(feature = "fuzzing")]
+use libfuzzer_sys::fuzz_target;
+use payjoin::{Uri, UriExt};
+
+fn do_test(data: &[u8]) {
+    let data_str = String::from_utf8_lossy(data).trim_end_matches('\n').to_string();
+    let pj_uri = match data_str.parse::<Uri<_>>() {
+        Ok(pj_uri) => pj_uri.assume_checked(),
+        Err(_) => return,
+    };
+    let address = pj_uri.address.is_spend_standard();
+    if !address {
+        return;
+    }
+    let amount = pj_uri.amount;
+
+    if let Some(label) = pj_uri.clone().label {
+        if TypeId::of::<Param>() != label.type_id() {
+            return;
+        }
+    };
+    if let Some(message) = pj_uri.clone().message {
+        if TypeId::of::<Param>() != message.type_id() {
+            return;
+        }
+    };
+    let extras = pj_uri.clone().check_pj_supported().unwrap().extras;
+    assert_eq!(pj_uri.to_string(), data_str);
+    assert!(amount.is_none_or(|btc| btc < Amount::MAX_MONEY));
+    assert!(TypeId::of::<payjoin::OutputSubstitution>() == extras.output_substitution().type_id());
+    assert!(TypeId::of::<String>() == extras.endpoint().type_id())
+}
+
+#[cfg(feature = "fuzzing")]
+fuzz_target!(|data| {
+    do_test(data);
+});
+
+#[cfg(test)]
+mod tests {
+    fn extend_vec_from_hex(hex: &str, out: &mut Vec<u8>) {
+        let mut b = 0;
+        for (idx, c) in hex.as_bytes().iter().enumerate() {
+            b <<= 4;
+            match *c {
+                b'A'..=b'F' => b |= c - b'A' + 10,
+                b'a'..=b'f' => b |= c - b'a' + 10,
+                b'0'..=b'9' => b |= c - b'0',
+                _ => panic!("Bad hex"),
+            }
+            if (idx & 1) == 1 {
+                out.push(b);
+                b = 0;
+            }
+        }
+    }
+
+    #[test]
+    fn duplicate_crash() {
+        let mut a = Vec::new();
+        extend_vec_from_hex("00000000", &mut a);
+        super::do_test(&a);
+    }
+}