Core-master/crypto__chacha20_8cpp_source.html

 // Copyright (c) 2020-2021 The Bitcoin Core developers

 // Distributed under the MIT software license, see the accompanying

 // file COPYING or http://www.opensource.org/licenses/mit-license.php.


 #include <crypto/chacha20.h>

 #include <random.h>

 #include <test/fuzz/FuzzedDataProvider.h>

 #include <test/fuzz/fuzz.h>

 #include <test/fuzz/util.h>


 #include <array>

 #include <cstddef>

 #include <cstdint>

 #include <vector>


 FUZZ_TARGET(crypto_chacha20)

 {

     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};


     const auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);

     ChaCha20 chacha20{key};


     LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {

         CallOneOf(

             fuzzed_data_provider,

             [&] {

                 auto key = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, ChaCha20::KEYLEN);

                 chacha20.SetKey(key);

             },

             [&] {

                 chacha20.Seek(

                     {

                         fuzzed_data_provider.ConsumeIntegral<uint32_t>(),

                         fuzzed_data_provider.ConsumeIntegral<uint64_t>()

                     }, fuzzed_data_provider.ConsumeIntegral<uint32_t>());

             },

             [&] {

                 std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));

                 chacha20.Keystream(MakeWritableByteSpan(output));

             },

             [&] {

                 std::vector<std::byte> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));

                 const auto input = ConsumeFixedLengthByteVector<std::byte>(fuzzed_data_provider, output.size());

                 chacha20.Crypt(input, output);

             });

     }

 }


 namespace

 {


 template<bool UseCrypt>

 void ChaCha20SplitFuzz(FuzzedDataProvider& provider)

 {

     // Determine key, iv, start position, length.

     auto key_bytes = ConsumeFixedLengthByteVector<std::byte>(provider, ChaCha20::KEYLEN);

     uint64_t iv = provider.ConsumeIntegral<uint64_t>();

     uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();

     uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);

     /* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */

     uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));


     // Initialize two ChaCha20 ciphers, with the same key/iv/position.

     ChaCha20 crypt1(key_bytes);

     ChaCha20 crypt2(key_bytes);

     crypt1.Seek({iv_prefix, iv}, seek);

     crypt2.Seek({iv_prefix, iv}, seek);


     // Construct vectors with data.

     std::vector<std::byte> data1, data2;

     data1.resize(total_bytes);

     data2.resize(total_bytes);


     // If using Crypt(), initialize data1 and data2 with the same InsecureRandomContext based

     // stream.

     if constexpr (UseCrypt) {

         InsecureRandomContext(provider.ConsumeIntegral<uint64_t>()).fillrand(data1);

         std::copy(data1.begin(), data1.end(), data2.begin());

     }


     // Whether UseCrypt is used or not, the two byte arrays must match.

     assert(data1 == data2);


     // Encrypt data1, the whole array at once.

     if constexpr (UseCrypt) {

         crypt1.Crypt(data1, data1);

     } else {

         crypt1.Keystream(data1);

     }


     // Encrypt data2, in at most 256 chunks.

     uint64_t bytes2 = 0;

     int iter = 0;

     while (true) {

         bool is_last = (iter == 255) || (bytes2 == total_bytes) || provider.ConsumeBool();

         ++iter;

         // Determine how many bytes to encrypt in this chunk: a fuzzer-determined

         // amount for all but the last chunk (which processes all remaining bytes).

         uint64_t now = is_last ? total_bytes - bytes2 :

             provider.ConsumeIntegralInRange<uint64_t>(0, total_bytes - bytes2);

         // For each chunk, consider using Crypt() even when UseCrypt is false.

         // This tests that Keystream() has the same behavior as Crypt() applied

         // to 0x00 input bytes.

         if (UseCrypt || provider.ConsumeBool()) {

             crypt2.Crypt(Span{data2}.subspan(bytes2, now), Span{data2}.subspan(bytes2, now));

         } else {

             crypt2.Keystream(Span{data2}.subspan(bytes2, now));

         }

         bytes2 += now;

         if (is_last) break;

     }

     // We should have processed everything now.

     assert(bytes2 == total_bytes);

     // And the result should match.

     assert(data1 == data2);

 }


 } // namespace


 FUZZ_TARGET(chacha20_split_crypt)

 {

     FuzzedDataProvider provider{buffer.data(), buffer.size()};

     ChaCha20SplitFuzz<true>(provider);

 }


 FUZZ_TARGET(chacha20_split_keystream)

 {

     FuzzedDataProvider provider{buffer.data(), buffer.size()};

     ChaCha20SplitFuzz<false>(provider);

 }


 FUZZ_TARGET(crypto_fschacha20)

 {

     FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};


     auto key = fuzzed_data_provider.ConsumeBytes<std::byte>(FSChaCha20::KEYLEN);

     key.resize(FSChaCha20::KEYLEN);


     auto fsc20 = FSChaCha20{key, fuzzed_data_provider.ConsumeIntegralInRange<uint32_t>(1, 1024)};


     LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000)

     {

         auto input = fuzzed_data_provider.ConsumeBytes<std::byte>(fuzzed_data_provider.ConsumeIntegralInRange(0, 4096));

         std::vector<std::byte> output;

         output.resize(input.size());

         fsc20.Crypt(input, output);

     }

 }

FuzzedDataProvider.h

chacha20.h

ChaCha20
Unrestricted ChaCha20 cipher.
Definition: chacha20.h:78

ChaCha20::KEYLEN
static constexpr unsigned KEYLEN
Expected key length in constructor and SetKey.
Definition: chacha20.h:86

FSChaCha20
Forward-secure ChaCha20.
Definition: chacha20.h:128

FSChaCha20::KEYLEN
static constexpr unsigned KEYLEN
Length of keys expected by the constructor.
Definition: chacha20.h:144

FuzzedDataProvider
Definition: FuzzedDataProvider.h:31

FuzzedDataProvider::ConsumeBytes
std::vector< T > ConsumeBytes(size_t num_bytes)
Definition: FuzzedDataProvider.h:108

FuzzedDataProvider::ConsumeBool
bool ConsumeBool()
Definition: FuzzedDataProvider.h:288

FuzzedDataProvider::ConsumeIntegralInRange
T ConsumeIntegralInRange(T min, T max)
Definition: FuzzedDataProvider.h:204

FuzzedDataProvider::ConsumeIntegral
T ConsumeIntegral()
Definition: FuzzedDataProvider.h:194

InsecureRandomContext
xoroshiro128++ PRNG.
Definition: random.h:416

RandomMixin::fillrand
void fillrand(Span< std::byte > span) noexcept
Fill a Span with random bytes.
Definition: random.h:267

Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:98

Span::subspan
CONSTEXPR_IF_NOT_DEBUG Span< C > subspan(std::size_t offset) const noexcept
Definition: span.h:195

FUZZ_TARGET
FUZZ_TARGET(crypto_chacha20)
Definition: crypto_chacha20.cpp:16

fuzz.h

LIMITED_WHILE
#define LIMITED_WHILE(condition, limit)
Can be used to limit a theoretically unbounded loop.
Definition: fuzz.h:22

MakeWritableByteSpan
Span< std::byte > MakeWritableByteSpan(V &&v) noexcept
Definition: span.h:282

util.h

CallOneOf
size_t CallOneOf(FuzzedDataProvider &fuzzed_data_provider, Callables... callables)
Definition: util.h:35

assert
assert(!tx.IsCoinBase())