bitcoin-bitcoin-core/src/test/fuzz/crypto_chacha20.cpp

// Copyright (c) 2020-2021 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <crypto/chacha20.h>
#include <test/fuzz/FuzzedDataProvider.h>
#include <test/fuzz/fuzz.h>
#include <test/fuzz/util.h>
#include <test/util/xoroshiro128plusplus.h>

#include <array>
#include <cstddef>
#include <cstdint>
#include <vector>

FUZZ_TARGET(crypto_chacha20)
{
    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};

    const auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);
    ChaCha20 chacha20{key};

    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {
        CallOneOf(
            fuzzed_data_provider,
            [&] {
                auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);
                chacha20.SetKey(key);
            },
            [&] {
                chacha20.Seek(
                    {
                        fuzzed_data_provider.ConsumeIntegral<uint32_t>(),
                        fuzzed_data_provider.ConsumeIntegral<uint64_t>()
                    }, fuzzed_data_provider.ConsumeIntegral<uint32_t>());
            },
            [&] {
                std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
                chacha20.Keystream(MakeWritableByteSpan(output));
            },
            [&] {
                std::vector<std::byte> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
                const auto input = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, output.size());
                chacha20.Crypt(input, output);
            });
    }
}

namespace
{

/** Fuzzer that invokes ChaCha20::Crypt() or ChaCha20::Keystream multiple times:
    once for a large block at once, and then the same data in chunks, comparing
    the outcome.

    If UseCrypt, seeded Xoroshiro128++ output is used as input to Crypt().
    If not, Keystream() is used directly, or sequences of 0x00 are encrypted.
*/
template<bool UseCrypt>
void ChaCha20SplitFuzz(FuzzedDataProvider& provider)
{
    // Determine key, iv, start position, length.
    auto key_bytes = ConsumeFixedLengthByteVector<std::byte>(provider, ChaCha20::KEYLEN);
    uint64_t iv = provider.ConsumeIntegral<uint64_t>();
    uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();
    uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);
    /* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
    uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));

    // Initialize two ChaCha20 ciphers, with the same key/iv/position.
    ChaCha20 crypt1(key_bytes);
    ChaCha20 crypt2(key_bytes);
    crypt1.Seek({iv_prefix, iv}, seek);
    crypt2.Seek({iv_prefix, iv}, seek);

    // Construct vectors with data.
    std::vector<std::byte> data1, data2;
    data1.resize(total_bytes);
    data2.resize(total_bytes);

    // If using Crypt(), initialize data1 and data2 with the same Xoroshiro128++ based
    // stream.
    if constexpr (UseCrypt) {
        uint64_t seed = provider.ConsumeIntegral<uint64_t>();
        XoRoShiRo128PlusPlus rng(seed);
        uint64_t bytes = 0;
        while (bytes < (total_bytes & ~uint64_t{7})) {
            uint64_t val = rng();
            WriteLE64(UCharCast(data1.data() + bytes), val);
            WriteLE64(UCharCast(data2.data() + bytes), val);
            bytes += 8;
        }
        if (bytes < total_bytes) {
            std::byte valbytes[8];
            uint64_t val = rng();
            WriteLE64(UCharCast(valbytes), val);
            std::copy(valbytes, valbytes + (total_bytes - bytes), data1.data() + bytes);
            std::copy(valbytes, valbytes + (total_bytes - bytes), data2.data() + bytes);
        }
    }

    // Whether UseCrypt is used or not, the two byte arrays must match.
    assert(data1 == data2);

    // Encrypt data1, the whole array at once.
    if constexpr (UseCrypt) {
        crypt1.Crypt(data1, data1);
    } else {
        crypt1.Keystream(data1);
    }

    // Encrypt data2, in at most 256 chunks.
    uint64_t bytes2 = 0;
    int iter = 0;
    while (true) {
        bool is_last = (iter == 255) || (bytes2 == total_bytes) || provider.ConsumeBool();
        ++iter;
        // Determine how many bytes to encrypt in this chunk: a fuzzer-determined
        // amount for all but the last chunk (which processes all remaining bytes).
        uint64_t now = is_last ? total_bytes - bytes2 :
            provider.ConsumeIntegralInRange<uint64_t>(0, total_bytes - bytes2);
        // For each chunk, consider using Crypt() even when UseCrypt is false.
        // This tests that Keystream() has the same behavior as Crypt() applied
        // to 0x00 input bytes.
        if (UseCrypt || provider.ConsumeBool()) {
            crypt2.Crypt(Span{data2}.subspan(bytes2, now), Span{data2}.subspan(bytes2, now));
        } else {
            crypt2.Keystream(Span{data2}.subspan(bytes2, now));
        }
        bytes2 += now;
        if (is_last) break;
    }
    // We should have processed everything now.
    assert(bytes2 == total_bytes);
    // And the result should match.
    assert(data1 == data2);
}

} // namespace

FUZZ_TARGET(chacha20_split_crypt)
{
    FuzzedDataProvider provider{buffer.data(), buffer.size()};
    ChaCha20SplitFuzz<true>(provider);
}

FUZZ_TARGET(chacha20_split_keystream)
{
    FuzzedDataProvider provider{buffer.data(), buffer.size()};
    ChaCha20SplitFuzz<false>(provider);
}

FUZZ_TARGET(crypto_fschacha20)
{
    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};

    auto key = fuzzed_data_provider.ConsumeBytes<std::byte>(FSChaCha20::KEYLEN);
    key.resize(FSChaCha20::KEYLEN);

    auto fsc20 = FSChaCha20{key, fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(1, 1024)};

    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000)
    {
        auto input = fuzzed_data_provider.ConsumeBytes<std::byte>(fuzzed_data_provider.ConsumeIntegralInRange(0, 4096));
        std::vector<std::byte> output;
        output.resize(input.size());
        fsc20.Crypt(input, output);
    }
}
scripted-diff: Rename MakeFuzzingContext to MakeNoLogFileContext -BEGIN VERIFY SCRIPT- # Rename sed -i -e 's/MakeFuzzingContext/MakeNoLogFileContext/g' $(git grep -l MakeFuzzingContext) # Bump the copyright of touched files in this scripted diff to avoid touching them again later ./contrib/devtools/copyright_header.py update ./src/test/fuzz/ -END VERIFY SCRIPT- 2021-01-25 12:23:45 +01:00			`// Copyright (c) 2020-2021 The Bitcoin Core developers`
tests: Add fuzzing harness for ChaCha20 2020-06-17 11:12:05 +00:00			`// Distributed under the MIT software license, see the accompanying`
			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

			`#include <crypto/chacha20.h>`
			`#include <test/fuzz/FuzzedDataProvider.h>`
			`#include <test/fuzz/fuzz.h>`
			`#include <test/fuzz/util.h>`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`#include <test/util/xoroshiro128plusplus.h>`
tests: Add fuzzing harness for ChaCha20 2020-06-17 11:12:05 +00:00
crypto: add FSChaCha20, a rekeying wrapper around ChaCha20 This adds the FSChaCha20 stream cipher as specified in BIP324, a wrapper around the ChaCha20 stream cipher (specified in RFC8439 section 2.4) which automatically rekeys every N messages, and manages the nonces used for encryption. Co-authored-by: dhruv <856960+dhruv@users.noreply.github.com> 2023-06-28 18:20:30 -04:00			`#include <array>`
			`#include <cstddef>`
tests: Add fuzzing harness for ChaCha20 2020-06-17 11:12:05 +00:00			`#include <cstdint>`
			`#include <vector>`

fuzz: Link all targets once 2020-12-03 16:42:49 +01:00			`FUZZ_TARGET(crypto_chacha20)`
tests: Add fuzzing harness for ChaCha20 2020-06-17 11:12:05 +00:00			`{`
			`FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};`

fuzz: support std::byte in Consume{Fixed,Variable}LengthByteVector 2023-07-18 16:48:01 -04:00			`const auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);`
			`ChaCha20 chacha20{key};`
crypto: require key on ChaCha20 initialization 2023-07-18 13:52:52 -04:00
fuzz: replace every fuzzer-controlled loop with a LIMITED_WHILE loop Blindly chose a cap of 10000 iterations for every loop, except for the two in script_ops.cpp and scriptnum_ops.cpp which appeared to (sometimes) be deserializing individual bytes; capped those to one million to ensure that sometimes we try working with massive scripts. There was also one fuzzer-controlled loop in timedata.cpp which was already capped, so I left that alone. git grep 'while (fuzz' should now run clean except for timedata.cpp 2021-10-25 19:48:22 +00:00			`LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {`
fuzz: Introduce CallOneOf helper to replace switch-case Can be reviewed with --ignore-all-space 2021-01-02 13:38:14 +01:00			`CallOneOf(`
			`fuzzed_data_provider,`
			`[&] {`
fuzz: support std::byte in Consume{Fixed,Variable}LengthByteVector 2023-07-18 16:48:01 -04:00			`auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);`
			`chacha20.SetKey(key);`
fuzz: Introduce CallOneOf helper to replace switch-case Can be reviewed with --ignore-all-space 2021-01-02 13:38:14 +01:00			`},`
			`[&] {`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`chacha20.Seek(`
crypto: Implement RFC8439-compatible variant of ChaCha20 There are two variants of ChaCha20 in use. The original one uses a 64-bit nonce and a 64-bit block counter, while the one used in RFC8439 uses a 96-bit nonce and 32-bit block counter. This commit changes the interface to use the 96/32 split (but automatically incrementing the first 32-bit part of the nonce when the 32-bit block counter overflows, so to retain compatibility with >256 GiB output). Simultaneously, also merge the SetIV and Seek64 functions, as we almost always call both anyway. Co-authored-by: dhruv <856960+dhruv@users.noreply.github.com> 2023-06-27 16:24:02 -04:00			`{`
			`fuzzed_data_provider.ConsumeIntegral<uint32_t>(),`
			`fuzzed_data_provider.ConsumeIntegral<uint64_t>()`
			`}, fuzzed_data_provider.ConsumeIntegral<uint32_t>());`
fuzz: Introduce CallOneOf helper to replace switch-case Can be reviewed with --ignore-all-space 2021-01-02 13:38:14 +01:00			`},`
			`[&] {`
			`std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`chacha20.Keystream(MakeWritableByteSpan(output));`
fuzz: Introduce CallOneOf helper to replace switch-case Can be reviewed with --ignore-all-space 2021-01-02 13:38:14 +01:00			`},`
			`[&] {`
fuzz: support std::byte in Consume{Fixed,Variable}LengthByteVector 2023-07-18 16:48:01 -04:00			`std::vector<std::byte> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));`
			`const auto input = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, output.size());`
			`chacha20.Crypt(input, output);`
fuzz: Introduce CallOneOf helper to replace switch-case Can be reviewed with --ignore-all-space 2021-01-02 13:38:14 +01:00			`});`
tests: Add fuzzing harness for ChaCha20 2020-06-17 11:12:05 +00:00			`}`
			`}`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00
			`namespace`
			`{`

			`/** Fuzzer that invokes ChaCha20::Crypt() or ChaCha20::Keystream multiple times:`
			`once for a large block at once, and then the same data in chunks, comparing`
			`the outcome.`

			`If UseCrypt, seeded Xoroshiro128++ output is used as input to Crypt().`
			`If not, Keystream() is used directly, or sequences of 0x00 are encrypted.`
			`*/`
			`template<bool UseCrypt>`
			`void ChaCha20SplitFuzz(FuzzedDataProvider& provider)`
			`{`
			`// Determine key, iv, start position, length.`
fuzz: support std::byte in Consume{Fixed,Variable}LengthByteVector 2023-07-18 16:48:01 -04:00			`auto key_bytes = ConsumeFixedLengthByteVector<std::byte>(provider, ChaCha20::KEYLEN);`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`uint64_t iv = provider.ConsumeIntegral<uint64_t>();`
crypto: Implement RFC8439-compatible variant of ChaCha20 There are two variants of ChaCha20 in use. The original one uses a 64-bit nonce and a 64-bit block counter, while the one used in RFC8439 uses a 96-bit nonce and 32-bit block counter. This commit changes the interface to use the 96/32 split (but automatically incrementing the first 32-bit part of the nonce when the 32-bit block counter overflows, so to retain compatibility with >256 GiB output). Simultaneously, also merge the SetIV and Seek64 functions, as we almost always call both anyway. Co-authored-by: dhruv <856960+dhruv@users.noreply.github.com> 2023-06-27 16:24:02 -04:00			`uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);`
crypto: Implement RFC8439-compatible variant of ChaCha20 There are two variants of ChaCha20 in use. The original one uses a 64-bit nonce and a 64-bit block counter, while the one used in RFC8439 uses a 96-bit nonce and 32-bit block counter. This commit changes the interface to use the 96/32 split (but automatically incrementing the first 32-bit part of the nonce when the 32-bit block counter overflows, so to retain compatibility with >256 GiB output). Simultaneously, also merge the SetIV and Seek64 functions, as we almost always call both anyway. Co-authored-by: dhruv <856960+dhruv@users.noreply.github.com> 2023-06-27 16:24:02 -04:00			`/* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */`
			`uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00
			`// Initialize two ChaCha20 ciphers, with the same key/iv/position.`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`ChaCha20 crypt1(key_bytes);`
			`ChaCha20 crypt2(key_bytes);`
			`crypt1.Seek({iv_prefix, iv}, seek);`
			`crypt2.Seek({iv_prefix, iv}, seek);`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00
			`// Construct vectors with data.`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`std::vector<std::byte> data1, data2;`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`data1.resize(total_bytes);`
			`data2.resize(total_bytes);`

			`// If using Crypt(), initialize data1 and data2 with the same Xoroshiro128++ based`
			`// stream.`
			`if constexpr (UseCrypt) {`
			`uint64_t seed = provider.ConsumeIntegral<uint64_t>();`
			`XoRoShiRo128PlusPlus rng(seed);`
			`uint64_t bytes = 0;`
			`while (bytes < (total_bytes & ~uint64_t{7})) {`
			`uint64_t val = rng();`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`WriteLE64(UCharCast(data1.data() + bytes), val);`
			`WriteLE64(UCharCast(data2.data() + bytes), val);`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`bytes += 8;`
			`}`
			`if (bytes < total_bytes) {`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`std::byte valbytes[8];`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`uint64_t val = rng();`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`WriteLE64(UCharCast(valbytes), val);`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`std::copy(valbytes, valbytes + (total_bytes - bytes), data1.data() + bytes);`
			`std::copy(valbytes, valbytes + (total_bytes - bytes), data2.data() + bytes);`
			`}`
			`}`

			`// Whether UseCrypt is used or not, the two byte arrays must match.`
			`assert(data1 == data2);`

			`// Encrypt data1, the whole array at once.`
			`if constexpr (UseCrypt) {`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`crypt1.Crypt(data1, data1);`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`} else {`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`crypt1.Keystream(data1);`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`}`

			`// Encrypt data2, in at most 256 chunks.`
			`uint64_t bytes2 = 0;`
			`int iter = 0;`
			`while (true) {`
			`bool is_last = (iter == 255) \|\| (bytes2 == total_bytes) \|\| provider.ConsumeBool();`
			`++iter;`
			`// Determine how many bytes to encrypt in this chunk: a fuzzer-determined`
			`// amount for all but the last chunk (which processes all remaining bytes).`
			`uint64_t now = is_last ? total_bytes - bytes2 :`
			`provider.ConsumeIntegralInRange<uint64_t>(0, total_bytes - bytes2);`
			`// For each chunk, consider using Crypt() even when UseCrypt is false.`
			`// This tests that Keystream() has the same behavior as Crypt() applied`
			`// to 0x00 input bytes.`
			`if (UseCrypt \|\| provider.ConsumeBool()) {`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`crypt2.Crypt(Span{data2}.subspan(bytes2, now), Span{data2}.subspan(bytes2, now));`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`} else {`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`crypt2.Keystream(Span{data2}.subspan(bytes2, now));`
Add fuzz test for testing that ChaCha20 works as a stream 2022-06-13 18:17:28 -04:00			`}`
			`bytes2 += now;`
			`if (is_last) break;`
			`}`
			`// We should have processed everything now.`
			`assert(bytes2 == total_bytes);`
			`// And the result should match.`
			`assert(data1 == data2);`
			`}`

			`} // namespace`

			`FUZZ_TARGET(chacha20_split_crypt)`
			`{`
			`FuzzedDataProvider provider{buffer.data(), buffer.size()};`
			`ChaCha20SplitFuzz<true>(provider);`
			`}`

			`FUZZ_TARGET(chacha20_split_keystream)`
			`{`
			`FuzzedDataProvider provider{buffer.data(), buffer.size()};`
			`ChaCha20SplitFuzz<false>(provider);`
			`}`
crypto: add FSChaCha20, a rekeying wrapper around ChaCha20 This adds the FSChaCha20 stream cipher as specified in BIP324, a wrapper around the ChaCha20 stream cipher (specified in RFC8439 section 2.4) which automatically rekeys every N messages, and manages the nonces used for encryption. Co-authored-by: dhruv <856960+dhruv@users.noreply.github.com> 2023-06-28 18:20:30 -04:00
			`FUZZ_TARGET(crypto_fschacha20)`
			`{`
			`FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};`

			`auto key = fuzzed_data_provider.ConsumeBytes<std::byte>(FSChaCha20::KEYLEN);`
			`key.resize(FSChaCha20::KEYLEN);`

			`auto fsc20 = FSChaCha20{key, fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(1, 1024)};`

			`LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000)`
			`{`
			`auto input = fuzzed_data_provider.ConsumeBytes<std::byte>(fuzzed_data_provider.ConsumeIntegralInRange(0, 4096));`
			`std::vector<std::byte> output;`
			`output.resize(input.size());`
			`fsc20.Crypt(input, output);`
			`}`
			`}`