Fuzz v3 hidden services

If we want the fuzzer to effectively fuzz v3 hidden services, we need to:

• fuzz GET requests: #21476 (moved)
• fuzz POST requests: #21478 (moved)
• add v3 GET and POST requests to the fuzzing corpus
• add tokens from v3 GET and POST requests as new fuzzing token lists
• disable the encrypted connection check when fuzzing (we should do this for v2 services as well)
• create a v3 descriptor fuzzer
• add v3 descriptor examples to the fuzzing corpus
• add tokens from v3 descriptors as a new fuzzing token list

changed milestone to %Tor: unspecified

added 034-removed-20180328 034-triage-20180328 component::core tor/tor fuzz milestone::Tor: unspecified points::2 priority::high prop224 severity::normal sponsor::R-can status::new tor-hs type::task labels

Trac:
Sponsor: N/A to SponsorR-can

Trac:
Points: N/A to 2
Priority: Medium to High

Prioritize prop224 tickets for 031 milestone. They are all "Enhancement".

Trac:
Priority: High to Very High

Taking those ticket for patches.

Trac:
Owner: N/A to dgoulet
Status: new to accepted

More of a task, not really a feature.

Trac:
Type: enhancement to task

Trac:
Description: If we want the fuzzer to effectively fuzz v3 hidden services, we need to:

• fuzz GET requests: #21476 (moved)
• fuzz POST requests: #21478 (moved)
• add v3 GET and POST requests to the fuzzing corpus
• disable the encrypted connection check when fuzzing (we should do this for v2 services as well)
• create a v3 descriptor fuzzer
• add v3 descriptor examples to the fuzzing corpus

to

If we want the fuzzer to effectively fuzz v3 hidden services, we need to:

• fuzz GET requests: #21476 (moved)
• fuzz POST requests: #21478 (moved)
• add v3 GET and POST requests to the fuzzing corpus
• add tokens from v3 GET and POST requests as new fuzzing token lists
• disable the encrypted connection check when fuzzing (we should do this for v2 services as well)
• create a v3 descriptor fuzzer
• add v3 descriptor examples to the fuzzing corpus
• add tokens from v3 descriptors as a new fuzzing token list

I've done some initial fuzzing for the descriptor encoding/decoding. More is needed for service and client in 032. Moving this out of 031 milestone.

Trac:
Milestone: Tor: 0.3.1.x-final to Tor: 0.3.2.x-final

This has been merged upstream but then disabled because of a problem with how the HS API is used.

Commit 97347b11 adds basic fuzzing for descriptors and disabled in 5ef656e7

Trac:
Status: accepted to needs_revision

Trac:
Owner: dgoulet to haxxpop
Status: needs_revision to assigned

We need this for 032 alpha so I'm taking ownership.

Trac:
Owner: haxxpop to dgoulet
Status: assigned to accepted

See branch: bug21509_032_01

The branch reverts 5ef656e7 which disabled the fuzzing for v3 descriptor. Then, I've added a dummy subcredential that is mandatory for the decoding API.

This makes the decryption fail all the time of the encrypted layer but that is fine because this very basic fuzzing program only fuzz the plaintext part for now.

Trac:
Status: accepted to needs_review

merging to 0.3.2 and forward.

How hard would it be to get the decrypted part fuzzed too?

Replying to nickm:

merging to 0.3.2 and forward.

How hard would it be to get the decrypted part fuzzed too?

A bit more work in mocking functions because lots of crypto checks are done (decrypt, MAC validation, signature...)

And we would need to expose the inners like desc_decrypt_all() or decrypt_desc_layer(). A bit of work but not that crazy I think.

I've got a fuzzer for the decrypted parts, but I should run it for a while before uploading.

Trac:
Owner: dgoulet to nickm
Status: needs_review to accepted

Okay, the fuzzers didn't find anything. What do you think of hsdescv3_fuzz_more?

Trac:
Status: accepted to needs_review

Great addition!

This will allow us to test the decode_superencrypted() function but most of it is tokenize_string(). So a good next step would be to explicitly fuzz decode_intro_points() which happens if the super encrypted section is properly decrypted and decoded. See desc_decode_encrypted_v3()

Thanks!

Trac:
Status: needs_review to merge_ready

merged to 0.3.2!

Sounds like you think there's more work, so putting this back in "accepted".

Trac:
Priority: Very High to High
Status: merge_ready to accepted

Trac:
hs_descriptor.c.gcov

I've attached the gcov output of running the fuzz_static_testcases.sh script on hs_descriptor.c with the current fuzzing corpus. Note that this doesn't actually fuzz -- it just shows us what our current corpus reaches. But it looks like we're at least getting inside decode_intro_points() a little? We should add some seed elements to the corpus that trigger more of it getting parsed, though.

Trac:
Milestone: Tor: 0.3.2.x-final to Tor: 0.3.3.x-final

I don't think we have plans for additional fuzz tests in 033 timeframe. Perhaps a worthy GSoC project, but pushing to 034 for now.

Trac:
Milestone: Tor: 0.3.3.x-final to Tor: 0.3.4.x-final

Trac:
Keywords: N/A deleted, 034-triage-20180328 added

Per our triage process, these tickets are pending removal from 0.3.4.

Trac:
Keywords: N/A deleted, 034-removed-20180328 added

These tickets, tagged with 034-removed-*, are no longer in-scope for 0.3.4. We can reconsider any of them, if time permits.

Trac:
Milestone: Tor: 0.3.4.x-final to Tor: unspecified

I am not actually working on these tickets, so they shouldn't be assigned to me.

Trac:
Status: accepted to assigned
Owner: nickm to N/A

Change tickets that are assigned to nobody to "new".

Trac:
Status: assigned to new

changed time estimate to 16h

moved to tpo/core/tor#21509 (closed)