/root/bitcoin/src/test/fuzz/crypto_chacha20.cpp

Source
// Copyright (c) 2020-present The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <crypto/chacha20.h>
#include <random.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>

#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

FUZZ_TARGET(crypto_chacha20)
{
    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};

    const auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);
    ChaCha20 chacha20{key};

    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {
        CallOneOf(
            fuzzed_data_provider,
            [&] {
                auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);
                chacha20.SetKey(key);
            },
            [&] {
                ChaCha20::Nonce96 nonce{
                    fuzzed_data_provider.ConsumeIntegral<uint32_t>(),
                    fuzzed_data_provider.ConsumeIntegral<uint64_t>()};
                chacha20.Seek(nonce, fuzzed_data_provider.ConsumeIntegral<uint32_t>());
            },
            [&] {
                std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
                chacha20.Keystream(MakeWritableByteSpan(output));
            },
            [&] {
                std::vector<std::byte> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
                const auto input = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, output.size());
                chacha20.Crypt(input, output);
            });
    }
}

namespace
{

/** Fuzzer that invokes ChaCha20::Crypt() or ChaCha20::Keystream multiple times:
    once for a large block at once, and then the same data in chunks, comparing
    the outcome.

    If UseCrypt, seeded InsecureRandomContext output is used as input to Crypt().
    If not, Keystream() is used directly, or sequences of 0x00 are encrypted.
*/
template<bool UseCrypt>
void ChaCha20SplitFuzz(FuzzedDataProvider& provider)
{
    // Determine key, iv, start position, length.
    auto key_bytes = ConsumeFixedLengthByteVector<std::byte>(provider, ChaCha20::KEYLEN);
    uint64_t iv = provider.ConsumeIntegral<uint64_t>();
    uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();
    uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);
    /* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
    uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));

    // Initialize two ChaCha20 ciphers, with the same key/iv/position.
    ChaCha20 crypt1(key_bytes);
    ChaCha20 crypt2(key_bytes);
    crypt1.Seek({iv_prefix, iv}, seek);
    crypt2.Seek({iv_prefix, iv}, seek);

    // Construct vectors with data.
    std::vector<std::byte> data1, data2;
    data1.resize(total_bytes);
    data2.resize(total_bytes);

    // If using Crypt(), initialize data1 and data2 with the same InsecureRandomContext based
    // stream.
    if constexpr (UseCrypt) {
        InsecureRandomContext(provider.ConsumeIntegral<uint64_t>()).fillrand(data1);
        std::copy(data1.begin(), data1.end(), data2.begin());
    }

    // Whether UseCrypt is used or not, the two byte arrays must match.
    assert(data1 == data2);

    // Encrypt data1, the whole array at once.
    if constexpr (UseCrypt) {
        crypt1.Crypt(data1, data1);
    } else {
        crypt1.Keystream(data1);
    }

    // Encrypt data2, in at most 256 chunks.
    uint64_t bytes2 = 0;
    int iter = 0;
    while (true) {
        bool is_last = (iter == 255) || (bytes2 == total_bytes) || provider.ConsumeBool();
        ++iter;
        // Determine how many bytes to encrypt in this chunk: a fuzzer-determined
        // amount for all but the last chunk (which processes all remaining bytes).
        uint64_t now = is_last ? total_bytes - bytes2 :
            provider.ConsumeIntegralInRange<uint64_t>(0, total_bytes - bytes2);
        // For each chunk, consider using Crypt() even when UseCrypt is false.
        // This tests that Keystream() has the same behavior as Crypt() applied
        // to 0x00 input bytes.
        if (UseCrypt || provider.ConsumeBool()) {
            crypt2.Crypt(std::span{data2}.subspan(bytes2, now), std::span{data2}.subspan(bytes2, now));
        } else {
            crypt2.Keystream(std::span{data2}.subspan(bytes2, now));
        }
        bytes2 += now;
        if (is_last) break;
    }
    // We should have processed everything now.
    assert(bytes2 == total_bytes);
    // And the result should match.
    assert(data1 == data2);
}

} // namespace

FUZZ_TARGET(chacha20_split_crypt)
{
    FuzzedDataProvider provider{buffer.data(), buffer.size()};
    ChaCha20SplitFuzz<true>(provider);
}

FUZZ_TARGET(chacha20_split_keystream)
{
    FuzzedDataProvider provider{buffer.data(), buffer.size()};
    ChaCha20SplitFuzz<false>(provider);
}

FUZZ_TARGET(crypto_fschacha20)
{
    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};

    auto key = fuzzed_data_provider.ConsumeBytes<std::byte>(FSChaCha20::KEYLEN);
    key.resize(FSChaCha20::KEYLEN);

    auto fsc20 = FSChaCha20{key, fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(1, 1024)};

    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000)
    {
        auto input = fuzzed_data_provider.ConsumeBytes<std::byte>(fuzzed_data_provider.ConsumeIntegralInRange(0, 4096));
        std::vector<std::byte> output;
        output.resize(input.size());
        fsc20.Crypt(input, output);
    }
}

Line	Count	Source
1		// Copyright (c) 2020-present The Bitcoin Core developers
2		// Distributed under the MIT software license, see the accompanying
3		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5		#include <crypto/chacha20.h>
6		#include <random.h>
7		#include <test/fuzz/FuzzedDataProvider.h>
8		#include <test/fuzz/fuzz.h>
9		#include <test/fuzz/util.h>
10
11		#include <array>
12		#include <cstddef>
13		#include <cstdint>
14		#include <vector>
15
16		FUZZ_TARGET(crypto_chacha20)
17	0	{
18	0	FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
19
20	0	const auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);
21	0	ChaCha20 chacha20{key};
22
23	0	LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {
24	0	CallOneOf(
25	0	fuzzed_data_provider,
26	0	[&] {
27	0	auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);
28	0	chacha20.SetKey(key);
29	0	},
30	0	[&] {
31	0	ChaCha20::Nonce96 nonce{
32	0	fuzzed_data_provider.ConsumeIntegral<uint32_t>(),
33	0	fuzzed_data_provider.ConsumeIntegral<uint64_t>()};
34	0	chacha20.Seek(nonce, fuzzed_data_provider.ConsumeIntegral<uint32_t>());
35	0	},
36	0	[&] {
37	0	std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
38	0	chacha20.Keystream(MakeWritableByteSpan(output));
39	0	},
40	0	[&] {
41	0	std::vector<std::byte> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
42	0	const auto input = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, output.size());
43	0	chacha20.Crypt(input, output);
44	0	});
45	0	}
46	0	}
47
48		namespace
49		{
50
51		/** Fuzzer that invokes ChaCha20::Crypt() or ChaCha20::Keystream multiple times:
52		once for a large block at once, and then the same data in chunks, comparing
53		the outcome.
54
55		If UseCrypt, seeded InsecureRandomContext output is used as input to Crypt().
56		If not, Keystream() is used directly, or sequences of 0x00 are encrypted.
57		*/
58		template<bool UseCrypt>
59		void ChaCha20SplitFuzz(FuzzedDataProvider& provider)
60	0	{
61		// Determine key, iv, start position, length.
62	0	auto key_bytes = ConsumeFixedLengthByteVector<std::byte>(provider, ChaCha20::KEYLEN);
63	0	uint64_t iv = provider.ConsumeIntegral<uint64_t>();
64	0	uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();
65	0	uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);
66		/* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
67	0	uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));
68
69		// Initialize two ChaCha20 ciphers, with the same key/iv/position.
70	0	ChaCha20 crypt1(key_bytes);
71	0	ChaCha20 crypt2(key_bytes);
72	0	crypt1.Seek({iv_prefix, iv}, seek);
73	0	crypt2.Seek({iv_prefix, iv}, seek);
74
75		// Construct vectors with data.
76	0	std::vector<std::byte> data1, data2;
77	0	data1.resize(total_bytes);
78	0	data2.resize(total_bytes);
79
80		// If using Crypt(), initialize data1 and data2 with the same InsecureRandomContext based
81		// stream.
82	0	if constexpr (UseCrypt) {
83	0	InsecureRandomContext(provider.ConsumeIntegral<uint64_t>()).fillrand(data1);
84	0	std::copy(data1.begin(), data1.end(), data2.begin());
85	0	}
86
87		// Whether UseCrypt is used or not, the two byte arrays must match.
88	0	assert(data1 == data2);
89
90		// Encrypt data1, the whole array at once.
91	0	if constexpr (UseCrypt) {
92	0	crypt1.Crypt(data1, data1);
93	0	} else {
94	0	crypt1.Keystream(data1);
95	0	}
96
97		// Encrypt data2, in at most 256 chunks.
98	0	uint64_t bytes2 = 0;
99	0	int iter = 0;
100	0	while (true) {
101	0	bool is_last = (iter == 255) \|\| (bytes2 == total_bytes) \|\| provider.ConsumeBool();
102	0	++iter;
103		// Determine how many bytes to encrypt in this chunk: a fuzzer-determined
104		// amount for all but the last chunk (which processes all remaining bytes).
105	0	uint64_t now = is_last ? total_bytes - bytes2 :
106	0	provider.ConsumeIntegralInRange<uint64_t>(0, total_bytes - bytes2);
107		// For each chunk, consider using Crypt() even when UseCrypt is false.
108		// This tests that Keystream() has the same behavior as Crypt() applied
109		// to 0x00 input bytes.
110	0	if (UseCrypt \|\| provider.ConsumeBool()) {
111	0	crypt2.Crypt(std::span{data2}.subspan(bytes2, now), std::span{data2}.subspan(bytes2, now));
112	0	} else {
113	0	crypt2.Keystream(std::span{data2}.subspan(bytes2, now));
114	0	}
115	0	bytes2 += now;
116	0	if (is_last) break;
117	0	}
118		// We should have processed everything now.
119	0	assert(bytes2 == total_bytes);
120		// And the result should match.
121	0	assert(data1 == data2);
122	0	} Unexecuted instantiation: crypto_chacha20.cpp:_ZN12_GLOBAL__N_117ChaCha20SplitFuzzILb1EEEvR18FuzzedDataProvider Unexecuted instantiation: crypto_chacha20.cpp:_ZN12_GLOBAL__N_117ChaCha20SplitFuzzILb0EEEvR18FuzzedDataProvider
123
124		} // namespace
125
126		FUZZ_TARGET(chacha20_split_crypt)
127	0	{
128	0	FuzzedDataProvider provider{buffer.data(), buffer.size()};
129	0	ChaCha20SplitFuzz<true>(provider);
130	0	}
131
132		FUZZ_TARGET(chacha20_split_keystream)
133	0	{
134	0	FuzzedDataProvider provider{buffer.data(), buffer.size()};
135	0	ChaCha20SplitFuzz<false>(provider);
136	0	}
137
138		FUZZ_TARGET(crypto_fschacha20)
139	0	{
140	0	FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
141
142	0	auto key = fuzzed_data_provider.ConsumeBytes<std::byte>(FSChaCha20::KEYLEN);
143	0	key.resize(FSChaCha20::KEYLEN);
144
145	0	auto fsc20 = FSChaCha20{key, fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(1, 1024)};
146
147	0	LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000)
148	0	{
149	0	auto input = fuzzed_data_provider.ConsumeBytes<std::byte>(fuzzed_data_provider.ConsumeIntegralInRange(0, 4096));
150	0	std::vector<std::byte> output;
151	0	output.resize(input.size());
152	0	fsc20.Crypt(input, output);
153	0	}
154	0	}

Coverage Report

Created: 2025-09-19 18:22