Make it easier for the fuzzer to get a VerifiedInvoiceRequest

TheBlueMatt · TheBlueMatt · commit 8b5ba93063e4 · 2025-04-25T22:27:16.000Z
In the next commit we attempt to verify `InvoiceRequest`s when
fuzzing so that we can test fetching the `InvoiceRequestFields`,
but its useful to allow the verification to succeed more often
first, which we do here.
diff --git a/lightning/src/offers/signer.rs b/lightning/src/offers/signer.rs
@@ -379,7 +379,15 @@ pub(super) fn verify_recipient_metadata<'a, T: secp256k1::Signing>(
 	signing_pubkey: PublicKey, tlv_stream: impl core::iter::Iterator<Item = TlvRecord<'a>>,
 	secp_ctx: &Secp256k1<T>,
 ) -> Result<Option<Keypair>, ()> {
-	let mut hmac = hmac_for_message(metadata, expanded_key, iv_bytes, tlv_stream)?;
+	let hmac_res = hmac_for_message(metadata, expanded_key, iv_bytes, tlv_stream);
+	#[cfg(fuzzing)]
+	if hmac_res.is_err() {
+		// In fuzzing its relatively challenging for the fuzzer to find cases where we have issues
+		// in a BOLT 12 object but also have a right-sized nonce. So instead we allow any size
+		// nonce (i.e. `hmac_for_message` failing) and simply treat it as "no keypair").
+		return Ok(None);
+	}
+	let mut hmac = hmac_res?;
 	hmac.input(WITHOUT_ENCRYPTED_PAYMENT_ID_HMAC_INPUT);
 
 	verify_metadata(metadata, Hmac::from_engine(hmac), signing_pubkey, secp_ctx)
@@ -393,19 +401,32 @@ fn verify_metadata<T: secp256k1::Signing>(
 			secp_ctx,
 			&SecretKey::from_slice(hmac.as_byte_array()).unwrap(),
 		);
-		if fixed_time_eq(&signing_pubkey.serialize(), &derived_keys.public_key().serialize()) {
+		#[allow(unused_mut)]
+		let mut ok =
+			fixed_time_eq(&signing_pubkey.serialize(), &derived_keys.public_key().serialize());
+		#[cfg(fuzzing)]
+		if metadata[0] & 1 == 0 {
+			ok = true;
+		}
+		if ok {
 			Ok(Some(derived_keys))
 		} else {
 			Err(())
 		}
-	} else if metadata[Nonce::LENGTH..].len() == Sha256::LEN {
-		if fixed_time_eq(&metadata[Nonce::LENGTH..], &hmac.to_byte_array()) {
+	} else {
+		#[allow(unused_mut)]
+		let mut ok =
+			metadata.len() == Nonce::LENGTH + Sha256::LEN
+				&& fixed_time_eq(&metadata[Nonce::LENGTH..], &hmac.to_byte_array());
+		#[cfg(fuzzing)]
+		if metadata[0] & 1 == 0 {
+			ok = true;
+		}
+		if ok {
 			Ok(None)
 		} else {
 			Err(())
 		}
-	} else {
-		Err(())
 	}
 }
 
