Fuzz process onion failure #3683
Conversation
|
👋 Thanks for assigning @arik-so as a reviewer! |
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
2 times, most recently
from
7bdde66 to
fe4bcd7
Compare
| @@ -1129,7 +1142,7 @@ where | |||
| let mut hmac = HmacEngine::<Sha256>::new(&um); | |||
| hmac.input(&encrypted_packet.data[32..]); | |||
|
|
|||
| if !fixed_time_eq(&Hmac::from_engine(hmac).to_byte_array(), &encrypted_packet.data[..32]) { | |||
| if &Hmac::from_engine(hmac).to_byte_array() != &encrypted_packet.data[..32] { | |||
There was a problem hiding this comment.
Required for fuzzer, and fixed_time_eq not needed here at the sender side.
There was a problem hiding this comment.
I'd kinda rather do this upstream at rust-bitcoin/rust-bitcoin#4289 so we don't have to think about it (tho its also totally the case that our next-hop can probably identify whether we were the sender based on our timing already and there isn't much we can do to fix that, making this constant time is not gonna help lol).
There was a problem hiding this comment.
I don't see how using equal time here would help the next hop identify that we are the sender? When we get here, there is no further comm with the next hop anymore. Or you mean the time until the next attempt for this payment that may potentially flow through the same next hop? For that, I'd think there is so much else also happening such as pathfinding, that this really does not matter.
If equal time cmp isn't adding anything for multiple reasons, then I'd say let's do the faster normal cmp?
The upstream issue is of course still useful for fuzzing of other uses of fixed_time_eq that are timing sensitive.
There was a problem hiding this comment.
So if making this constant time isn't gonna mitigate detection, what's the issue with just making it a regular comparison? And alternatively, if there's enough value to keep using fixed_time_eq, would it make sense to use one or the other based on a cfg flag so we use regular comparisons only in a fuzz context?
There was a problem hiding this comment.
Oops, missed this. I believe we decode inline when processing a message from a peer. Thus they can measure how long it takes us to process the message to figure out which parts of the code they hit. Given we're iterating the onion its vaguely reminiscent of Bleichenbacher's, but we already exit the loop early so its not like we're particularly robust here. Again, the right fix is to do things like this in a background task rather than in a message processing function.
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
2 times, most recently
from
dba48e0 to
52b665b
Compare
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #3683 +/- ##
==========================================
- Coverage 89.25% 89.22% -0.03%
==========================================
Files 155 155
Lines 119959 119951 -8
Branches 119959 119951 -8
==========================================
- Hits 107069 107029 -40
- Misses 10276 10298 +22
- Partials 2614 2624 +10 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
from
52b665b to
1dd2d94
Compare
| pubkey: get_pubkey!(), | ||
| node_features: NodeFeatures::empty(), | ||
| short_channel_id: get_u64!(), | ||
| channel_features: ChannelFeatures::empty(), |
There was a problem hiding this comment.
I didn't bother setting the features as they aren't used for the onion failure processing. Mainly because it seemed not straight-fwd to do it.
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
2 times, most recently
from
f37db7b to
4f9618a
Compare
fuzz/src/process_onion_failure.rs
Outdated
| let session_priv = match SecretKey::from_slice(get_slice!(32)) { | ||
| Ok(val) => val, | ||
| Err(_) => return, | ||
| }; | ||
|
|
||
| let payment_id = match get_slice!(32).try_into() { | ||
| Ok(val) => PaymentId(val), | ||
| Err(_) => return, | ||
| }; |
There was a problem hiding this comment.
These we might just want to hard-code. It shouldn't be the case that we ever care about the value, and making them a part of the input just gives the fuzzer more stuff to twiddle that does nothing but invalidate the rest of the input.
There was a problem hiding this comment.
Hard-coded keys and things that aren't used in process_onion_failure.
fuzz/src/process_onion_failure.rs
Outdated
| }; | ||
|
|
||
| let mut hops = Vec::<RouteHop>::new(); | ||
| let hop_count = get_slice!(1)[0] as usize; |
There was a problem hiding this comment.
I kinda wonder if we shouldn't make this less flexible - either always do 20 (21?) or have a flag that selects between 20 (21?) and 1 or so. Probably there are no bugs that are only reachable if we have 5/7/10/etc hops.
There was a problem hiding this comment.
Hm, but then there are also the trampoline hops and blinded path hops. I think I am ok with just %30 all of them
| let failure_len = get_u16!(); | ||
| let encrypted_packet = OnionErrorPacket { data: get_slice!(failure_len).into() }; |
There was a problem hiding this comment.
Should we replace this with just reading the OnionErrorPacket using standard Readable from the remainder of the stream, rather than reading a length prefix?
There was a problem hiding this comment.
I don't think there is a standard readable defined for OnionErrorPacket?
There was a problem hiding this comment.
Ah, I guess we'd have to read an DecodedOnionErrorPacket?
There was a problem hiding this comment.
Read that, and then write it out again to get a raw byte array. I'm not sure if it makes it better.
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
2 times, most recently
from
c10a9e5 to
ebf4f89
Compare
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
from
ebf4f89 to
64cd40c
Compare
Preparatory commit that exposes types that are related to onion failure processing to the fuzzing targets.
Because this method is used by the sender of the payment after the htlc has been resolved, there is no information that can leak to downstream nodes. Revert to a regular comparison for better performance and easier fuzzing.
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
from
64cd40c to
fcbb658
Compare
Adds a fuzz target that exercises the processing of a failure message that is received by the sender of a payment. Fuzzing this is important because the input data is coming directly off the wire.
joostjager
force-pushed
the
fuzz-process-onion-failure
branch
from
fcbb658 to
17737be
Compare
Adds a fuzzer for
process_onion_failure. The fuzzer found this regression: #3686