crypto__chacha20_8cpp_source.html

// Copyright (c) 2020-2021 The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <crypto/chacha20.h>

#include <random.h>

#include <test/fuzz/FuzzedDataProvider.h>

#include <test/fuzz/fuzz.h>

#include <test/fuzz/util.h>


#include <array>

#include <cstddef>

#include <cstdint>

#include <vector>


FUZZ_TARGET(crypto_chacha20)

{

    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};


    const auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);

    ChaCha20 chacha20{key};


    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {

        CallOneOf(

            fuzzed_data_provider,

            [&] {

                auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);

                chacha20.SetKey(key);

            },

            [&] {

                ChaCha20::Nonce96 nonce{

                    fuzzed_data_provider.ConsumeIntegral<uint32_t>(),

                    fuzzed_data_provider.ConsumeIntegral<uint64_t>()};

                chacha20.Seek(nonce, fuzzed_data_provider.ConsumeIntegral<uint32_t>());

            },

            [&] {

                std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));

                chacha20.Keystream(MakeWritableByteSpan(output));

            },

            [&] {

                std::vector<std::byte> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));

                const auto input = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, output.size());

                chacha20.Crypt(input, output);

            });

    }

}


namespace

{


template<bool UseCrypt>

void ChaCha20SplitFuzz(FuzzedDataProvider& provider)

{

    // Determine key, iv, start position, length.

    auto key_bytes = ConsumeFixedLengthByteVector<std::byte>(provider, ChaCha20::KEYLEN);

    uint64_t iv = provider.ConsumeIntegral<uint64_t>();

    uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();

    uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);

    /* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */

    uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));


    // Initialize two ChaCha20 ciphers, with the same key/iv/position.

    ChaCha20 crypt1(key_bytes);

    ChaCha20 crypt2(key_bytes);

    crypt1.Seek({iv_prefix, iv}, seek);

    crypt2.Seek({iv_prefix, iv}, seek);


    // Construct vectors with data.

    std::vector<std::byte> data1, data2;

    data1.resize(total_bytes);

    data2.resize(total_bytes);


    // If using Crypt(), initialize data1 and data2 with the same InsecureRandomContext based

    // stream.

    if constexpr (UseCrypt) {

        InsecureRandomContext(provider.ConsumeIntegral<uint64_t>()).fillrand(data1);

        std::copy(data1.begin(), data1.end(), data2.begin());

    }


    // Whether UseCrypt is used or not, the two byte arrays must match.

    assert(data1 == data2);


    // Encrypt data1, the whole array at once.

    if constexpr (UseCrypt) {

        crypt1.Crypt(data1, data1);

    } else {

        crypt1.Keystream(data1);

    }


    // Encrypt data2, in at most 256 chunks.

    uint64_t bytes2 = 0;

    int iter = 0;

    while (true) {

        bool is_last = (iter == 255) || (bytes2 == total_bytes) || provider.ConsumeBool();

        ++iter;

        // Determine how many bytes to encrypt in this chunk: a fuzzer-determined

        // amount for all but the last chunk (which processes all remaining bytes).

        uint64_t now = is_last ? total_bytes - bytes2 :

            provider.ConsumeIntegralInRange<uint64_t>(0, total_bytes - bytes2);

        // For each chunk, consider using Crypt() even when UseCrypt is false.

        // This tests that Keystream() has the same behavior as Crypt() applied

        // to 0x00 input bytes.

        if (UseCrypt || provider.ConsumeBool()) {

            crypt2.Crypt(Span{data2}.subspan(bytes2, now), Span{data2}.subspan(bytes2, now));

        } else {

            crypt2.Keystream(Span{data2}.subspan(bytes2, now));

        }

        bytes2 += now;

        if (is_last) break;

    }

    // We should have processed everything now.

    assert(bytes2 == total_bytes);

    // And the result should match.

    assert(data1 == data2);

}


} // namespace


FUZZ_TARGET(chacha20_split_crypt)

{

    FuzzedDataProvider provider{buffer.data(), buffer.size()};

    ChaCha20SplitFuzz<true>(provider);

}


FUZZ_TARGET(chacha20_split_keystream)

{

    FuzzedDataProvider provider{buffer.data(), buffer.size()};

    ChaCha20SplitFuzz<false>(provider);

}


FUZZ_TARGET(crypto_fschacha20)

{

    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};


    auto key = fuzzed_data_provider.ConsumeBytes<std::byte>(FSChaCha20::KEYLEN);

    key.resize(FSChaCha20::KEYLEN);


    auto fsc20 = FSChaCha20{key, fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(1, 1024)};


    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000)

    {

        auto input = fuzzed_data_provider.ConsumeBytes<std::byte>(fuzzed_data_provider.ConsumeIntegralInRange(0, 4096));

        std::vector<std::byte> output;

        output.resize(input.size());

        fsc20.Crypt(input, output);

    }

}

FuzzedDataProvider.h

chacha20.h

ChaCha20
Unrestricted ChaCha20 cipher.
Definition: chacha20.h:78

ChaCha20::KEYLEN
static constexpr unsigned KEYLEN
Expected key length in constructor and SetKey.
Definition: chacha20.h:86

ChaCha20::Nonce96
ChaCha20Aligned::Nonce96 Nonce96
96-bit nonce type.
Definition: chacha20.h:101

FSChaCha20
Forward-secure ChaCha20.
Definition: chacha20.h:128

FSChaCha20::KEYLEN
static constexpr unsigned KEYLEN
Length of keys expected by the constructor.
Definition: chacha20.h:144

FuzzedDataProvider
Definition: FuzzedDataProvider.h:32

FuzzedDataProvider::ConsumeBytes
std::vector< T > ConsumeBytes(size_t num_bytes)
Definition: FuzzedDataProvider.h:109

FuzzedDataProvider::ConsumeBool
bool ConsumeBool()
Definition: FuzzedDataProvider.h:289

FuzzedDataProvider::ConsumeIntegralInRange
T ConsumeIntegralInRange(T min, T max)
Definition: FuzzedDataProvider.h:205

FuzzedDataProvider::ConsumeIntegral
T ConsumeIntegral()
Definition: FuzzedDataProvider.h:195

InsecureRandomContext
xoroshiro128++ PRNG.
Definition: random.h:416

RandomMixin::fillrand
void fillrand(Span< std::byte > span) noexcept
Fill a Span with random bytes.
Definition: random.h:267

Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:98

Span::subspan
CONSTEXPR_IF_NOT_DEBUG Span< C > subspan(std::size_t offset) const noexcept
Definition: span.h:195

FUZZ_TARGET
FUZZ_TARGET(crypto_chacha20)
Definition: crypto_chacha20.cpp:16

fuzz.h

LIMITED_WHILE
#define LIMITED_WHILE(condition, limit)
Can be used to limit a theoretically unbounded loop.
Definition: fuzz.h:22

nonce
unsigned int nonce
Definition: miner_tests.cpp:74

MakeWritableByteSpan
Span< std::byte > MakeWritableByteSpan(V &&v) noexcept
Definition: span.h:275

util.h

CallOneOf
size_t CallOneOf(FuzzedDataProvider &fuzzed_data_provider, Callables... callables)
Definition: util.h:35

assert
assert(!tx.IsCoinBase())