5 files changed, 162 insertions, 4 deletions

diff --git a/scripts/codegen/fuzzing_include_am.py b/scripts/codegen/fuzzing_include_am.py
index d2d73a3c06..639b436527 100755
--- a/scripts/codegen/fuzzing_include_am.py
+++ b/scripts/codegen/fuzzing_include_am.py
@@ -12,7 +12,8 @@ FUZZERS = """
 	diff-apply
 	extrainfo
 	hsdescv3
-	hsdescv3-inner
+    hsdescv3-inner
+    hsdescv3-middle
 	http
 	http-connect
 	microdesc
diff --git a/src/feature/hs/hs_descriptor.c b/src/feature/hs/hs_descriptor.c
index cad442718b..4650af2c53 100644
--- a/src/feature/hs/hs_descriptor.c
+++ b/src/feature/hs/hs_descriptor.c
@@ -1607,8 +1607,8 @@ decrypt_desc_layer,(const hs_descriptor_t *desc,
  * put in decrypted_out which contains the superencrypted layer of the
  * descriptor. Return the length of decrypted_out on success else 0 is
  * returned and decrypted_out is set to NULL. */
-static size_t
-desc_decrypt_superencrypted(const hs_descriptor_t *desc, char **decrypted_out)
+MOCK_IMPL(STATIC size_t,
+desc_decrypt_superencrypted,(const hs_descriptor_t *desc,char **decrypted_out))
 {
   size_t superencrypted_len = 0;
   char *superencrypted_plaintext = NULL;
@@ -2145,7 +2145,7 @@ desc_decode_plaintext_v3(smartlist_t *tokens,
 
 /** Decode the version 3 superencrypted section of the given descriptor desc.
  * The desc_superencrypted_out will be populated with the decoded data. */
-static hs_desc_decode_status_t
+STATIC hs_desc_decode_status_t
 desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
                               hs_desc_superencrypted_data_t *
                               desc_superencrypted_out)
diff --git a/src/feature/hs/hs_descriptor.h b/src/feature/hs/hs_descriptor.h
index 5f3531fac7..d959431369 100644
--- a/src/feature/hs/hs_descriptor.h
+++ b/src/feature/hs/hs_descriptor.h
@@ -344,11 +344,20 @@ STATIC hs_desc_decode_status_t desc_decode_encrypted_v3(
                          const curve25519_secret_key_t *client_auth_sk,
                          hs_desc_encrypted_data_t *desc_encrypted_out);
 
+STATIC hs_desc_decode_status_t
+desc_decode_superencrypted_v3(const hs_descriptor_t *desc,
+                              hs_desc_superencrypted_data_t *
+                              desc_superencrypted_out);
+
 MOCK_DECL(STATIC size_t, desc_decrypt_encrypted,(
                         const hs_descriptor_t *desc,
                         const curve25519_secret_key_t *client_auth_sk,
                         char **decrypted_out));
 
+MOCK_DECL(STATIC size_t, desc_decrypt_superencrypted,(
+                        const hs_descriptor_t *desc,
+                        char **decrypted_out));
+
 #endif /* defined(HS_DESCRIPTOR_PRIVATE) */
 
 #endif /* !defined(TOR_HS_DESCRIPTOR_H) */
diff --git a/src/test/fuzz/fuzz_hsdescv3_middle.c b/src/test/fuzz/fuzz_hsdescv3_middle.c
new file mode 100644
index 0000000000..66a9d52cf3
--- /dev/null
+++ b/src/test/fuzz/fuzz_hsdescv3_middle.c
@@ -0,0 +1,116 @@
+/* Copyright (c) 2017-2021, The Tor Project, Inc. */
+/* See LICENSE for licensing information */
+
+#define HS_DESCRIPTOR_PRIVATE
+
+#include "core/or/or.h"
+#include "trunnel/ed25519_cert.h" /* Trunnel interface. */
+#include "lib/crypt_ops/crypto_ed25519.h"
+#include "feature/hs/hs_descriptor.h"
+#include "feature/dirparse/unparseable.h"
+
+#include "test/fuzz/fuzzing.h"
+
+static void
+mock_dump_desc__nodump(const char *desc, const char *type)
+{
+  (void)desc;
+  (void)type;
+}
+
+static int
+mock_rsa_ed25519_crosscert_check(const uint8_t *crosscert,
+                                 const size_t crosscert_len,
+                                 const crypto_pk_t *rsa_id_key,
+                                 const ed25519_public_key_t *master_key,
+                                 const time_t reject_if_expired_before)
+{
+  (void) crosscert;
+  (void) crosscert_len;
+  (void) rsa_id_key;
+  (void) master_key;
+  (void) reject_if_expired_before;
+  return 0;
+}
+
+static size_t
+mock_decrypt_desc_layer(const hs_descriptor_t *desc,
+                        const uint8_t *descriptor_cookie,
+                        bool is_superencrypted_layer,
+                        char **decrypted_out)
+{
+  (void)is_superencrypted_layer;
+  (void)desc;
+  (void)descriptor_cookie;
+  const size_t overhead = HS_DESC_ENCRYPTED_SALT_LEN + DIGEST256_LEN;
+  const uint8_t *encrypted_blob = (is_superencrypted_layer)
+    ? desc->plaintext_data.superencrypted_blob
+    : desc->superencrypted_data.encrypted_blob;
+  size_t encrypted_blob_size = (is_superencrypted_layer)
+    ? desc->plaintext_data.superencrypted_blob_size
+    : desc->superencrypted_data.encrypted_blob_size;
+
+  if (encrypted_blob_size < overhead)
+    return 0;
+  *decrypted_out = tor_memdup_nulterm(
+                   encrypted_blob + HS_DESC_ENCRYPTED_SALT_LEN,
+                   encrypted_blob_size - overhead);
+  size_t result = strlen(*decrypted_out);
+  if (result) {
+    return result;
+  } else {
+    tor_free(*decrypted_out);
+    return 0;
+  }
+}
+
+static const uint8_t *decrypted_data = NULL;
+static size_t decrypted_len = 0;
+static size_t
+mock_desc_decrypt_superencrypted(const hs_descriptor_t *desc,
+                        char **decrypted_out)
+{
+  (void)desc;
+  *decrypted_out = (char*)tor_memdup_nulterm(decrypted_data, decrypted_len);
+  return decrypted_len;
+}
+
+int
+fuzz_init(void)
+{
+  disable_signature_checking();
+  MOCK(dump_desc, mock_dump_desc__nodump);
+  MOCK(rsa_ed25519_crosscert_check, mock_rsa_ed25519_crosscert_check);
+  MOCK(decrypt_desc_layer, mock_decrypt_desc_layer);
+  MOCK(desc_decrypt_superencrypted, mock_desc_decrypt_superencrypted);
+  ed25519_init();
+  return 0;
+}
+
+int
+fuzz_cleanup(void)
+{
+  return 0;
+}
+
+int
+fuzz_main(const uint8_t *data, size_t sz)
+{
+  decrypted_data = data;
+  decrypted_len = sz;
+
+  hs_descriptor_t *desc = tor_malloc_zero(sizeof(hs_descriptor_t));
+  hs_desc_superencrypted_data_t *output = tor_malloc_zero(sizeof(*output));
+  hs_desc_decode_status_t status;
+
+  status = desc_decode_superencrypted_v3(desc, output);
+  if (status == HS_DESC_DECODE_OK) {
+    log_debug(LD_GENERAL, "Decoding okay");
+  } else {
+    log_debug(LD_GENERAL, "Decoding failed");
+  }
+
+  hs_descriptor_free(desc);
+  hs_desc_superencrypted_data_free(output);
+  return 0;
+}
diff --git a/src/test/fuzz/include.am b/src/test/fuzz/include.am
index a72df754a8..4943f7fffd 100644
--- a/src/test/fuzz/include.am
+++ b/src/test/fuzz/include.am
@@ -103,6 +103,18 @@ src_test_fuzz_fuzz_hsdescv3_inner_LDFLAGS = $(FUZZING_LDFLAG)
 src_test_fuzz_fuzz_hsdescv3_inner_LDADD = $(FUZZING_LIBS)
 endif
 
+
+if UNITTESTS_ENABLED
+src_test_fuzz_fuzz_hsdescv3_middle_SOURCES = \
+	src/test/fuzz/fuzzing_common.c \
+	src/test/fuzz/fuzz_hsdescv3_middle.c
+src_test_fuzz_fuzz_hsdescv3_middle_CPPFLAGS = $(FUZZING_CPPFLAGS)
+src_test_fuzz_fuzz_hsdescv3_middle_CFLAGS = $(FUZZING_CFLAGS)
+src_test_fuzz_fuzz_hsdescv3_middle_LDFLAGS = $(FUZZING_LDFLAG)
+src_test_fuzz_fuzz_hsdescv3_middle_LDADD = $(FUZZING_LIBS)
+endif
+
+
 if UNITTESTS_ENABLED
 src_test_fuzz_fuzz_http_SOURCES = \
 	src/test/fuzz/fuzzing_common.c \
@@ -172,6 +184,7 @@ FUZZERS = \
 	src/test/fuzz/fuzz-extrainfo \
 	src/test/fuzz/fuzz-hsdescv3 \
 	src/test/fuzz/fuzz-hsdescv3-inner \
+	src/test/fuzz/fuzz-hsdescv3-middle \
 	src/test/fuzz/fuzz-http \
 	src/test/fuzz/fuzz-http-connect \
 	src/test/fuzz/fuzz-microdesc \
@@ -247,6 +260,16 @@ src_test_fuzz_lf_fuzz_hsdescv3_inner_LDADD = $(LIBFUZZER_LIBS)
 endif
 
 if UNITTESTS_ENABLED
+src_test_fuzz_lf_fuzz_hsdescv3_middle_SOURCES = \
+	$(src_test_fuzz_fuzz_hsdescv3_middle_SOURCES)
+src_test_fuzz_lf_fuzz_hsdescv3_middle_CPPFLAGS = $(LIBFUZZER_CPPFLAGS)
+src_test_fuzz_lf_fuzz_hsdescv3_middle_CFLAGS = $(LIBFUZZER_CFLAGS)
+src_test_fuzz_lf_fuzz_hsdescv3_middle_LDFLAGS = $(LIBFUZZER_LDFLAG)
+src_test_fuzz_lf_fuzz_hsdescv3_middle_LDADD = $(LIBFUZZER_LIBS)
+endif
+
+
+if UNITTESTS_ENABLED
 src_test_fuzz_lf_fuzz_http_SOURCES = \
 	$(src_test_fuzz_fuzz_http_SOURCES)
 src_test_fuzz_lf_fuzz_http_CPPFLAGS = $(LIBFUZZER_CPPFLAGS)
@@ -308,6 +331,7 @@ LIBFUZZER_FUZZERS = \
 	src/test/fuzz/lf-fuzz-extrainfo \
 	src/test/fuzz/lf-fuzz-hsdescv3 \
 	src/test/fuzz/lf-fuzz-hsdescv3-inner \
+	src/test/fuzz/lf-fuzz-hsdescv3-middle \
 	src/test/fuzz/lf-fuzz-http \
 	src/test/fuzz/lf-fuzz-http-connect \
 	src/test/fuzz/lf-fuzz-microdesc \
@@ -372,6 +396,13 @@ src_test_fuzz_liboss_fuzz_hsdescv3_inner_a_CFLAGS = $(LIBOSS_FUZZ_CFLAGS)
 endif
 
 if UNITTESTS_ENABLED
+src_test_fuzz_liboss_fuzz_hsdescv3_middle_a_SOURCES = \
+	$(src_test_fuzz_fuzz_hsdescv3_middle_SOURCES)
+src_test_fuzz_liboss_fuzz_hsdescv3_middle_a_CPPFLAGS = $(LIBOSS_FUZZ_CPPFLAGS)
+src_test_fuzz_liboss_fuzz_hsdescv3_middle_a_CFLAGS = $(LIBOSS_FUZZ_CFLAGS)
+endif
+
+if UNITTESTS_ENABLED
 src_test_fuzz_liboss_fuzz_http_a_SOURCES = \
 	$(src_test_fuzz_fuzz_http_SOURCES)
 src_test_fuzz_liboss_fuzz_http_a_CPPFLAGS = $(LIBOSS_FUZZ_CPPFLAGS)
@@ -421,6 +452,7 @@ OSS_FUZZ_FUZZERS = \
 	src/test/fuzz/liboss-fuzz-extrainfo.a \
 	src/test/fuzz/liboss-fuzz-hsdescv3.a \
 	src/test/fuzz/liboss-fuzz-hsdescv3-inner.a \
+	src/test/fuzz/liboss-fuzz-hsdescv3-middle.a \
 	src/test/fuzz/liboss-fuzz-http.a \
 	src/test/fuzz/liboss-fuzz-http-connect.a \
 	src/test/fuzz/liboss-fuzz-microdesc.a \