aboutsummaryrefslogtreecommitdiff
path: root/src/test/fuzz
diff options
context:
space:
mode:
authorAndrew Chow <github@achow101.com>2023-07-12 12:49:37 -0400
committerAndrew Chow <github@achow101.com>2023-07-12 12:58:44 -0400
commitb4794740f82e1a08294c8a5f5d586bc1925412f3 (patch)
treef103de732a17038bac14a0799f68627cb0594f1c /src/test/fuzz
parent357e3f6aa476658aecae7239b4b06d2bc362ff1e (diff)
parent0bf87476f55dceb106563156c7c8d6bfb8162e29 (diff)
Merge bitcoin/bitcoin#27985: Add support for RFC8439 variant of ChaCha20
0bf87476f55dceb106563156c7c8d6bfb8162e29 test: add ChaCha20 test triggering 32-bit block counter overflow (Sebastian Falbesoner) 7f2a985147ef541123c65d5db1c3fc3e533fd4ce tests: improve ChaCha20 unit tests (Pieter Wuille) 511a8d406e3115b97c6d35e2c603af53b3f9da13 crypto: Implement RFC8439-compatible variant of ChaCha20 (Pieter Wuille) Pull request description: Based on and replaces part of #25361, part of the BIP324 project (#27634). See also #19225 for background. There are two variants of ChaCha20 in use. The currently implemented one uses a 64-bit nonce and a 64-bit block counter, while the one used in RFC8439 (and thus BIP324) uses a 96-bit nonce and 32-bit block counter. This PR changes the logic to use the 96-bit nonce variant, though in a way that's compatible with >256 GiB output (by automatically incrementing the first 32-bit part of the nonce when the block counter overflows). For those who reviewed the original PR, the biggest change is here that the 96-bit nonce is passed as a Nonce96 type (pair of 32-bit + 64-bit integer) rather than a 12-byte array. ACKs for top commit: achow101: ACK 0bf87476f55dceb106563156c7c8d6bfb8162e29 theStack: Code-review ACK 0bf87476f55dceb106563156c7c8d6bfb8162e29 Tree-SHA512: 62e4cbd5388b8d50ef1a0dc99b6f4ad36c7b4419032035f8e622dda63a62311dd923032217e20054bcd836865d4be5c074f9e5538ca158f94f08eab75c5519c1
Diffstat (limited to 'src/test/fuzz')
-rw-r--r--src/test/fuzz/crypto_chacha20.cpp20
-rw-r--r--src/test/fuzz/crypto_diff_fuzz_chacha20.cpp39
2 files changed, 36 insertions, 23 deletions
diff --git a/src/test/fuzz/crypto_chacha20.cpp b/src/test/fuzz/crypto_chacha20.cpp
index 3fa445096a..63c7bf3b45 100644
--- a/src/test/fuzz/crypto_chacha20.cpp
+++ b/src/test/fuzz/crypto_chacha20.cpp
@@ -28,10 +28,11 @@ FUZZ_TARGET(crypto_chacha20)
chacha20.SetKey32(key.data());
},
[&] {
- chacha20.SetIV(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
- },
- [&] {
- chacha20.Seek64(fuzzed_data_provider.ConsumeIntegral<uint64_t>());
+ chacha20.Seek64(
+ {
+ fuzzed_data_provider.ConsumeIntegral<uint32_t>(),
+ fuzzed_data_provider.ConsumeIntegral<uint64_t>()
+ }, fuzzed_data_provider.ConsumeIntegral<uint32_t>());
},
[&] {
std::vector<uint8_t> output(fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096));
@@ -63,17 +64,16 @@ void ChaCha20SplitFuzz(FuzzedDataProvider& provider)
auto key_bytes = provider.ConsumeBytes<unsigned char>(32);
std::copy(key_bytes.begin(), key_bytes.end(), key);
uint64_t iv = provider.ConsumeIntegral<uint64_t>();
+ uint32_t iv_prefix = provider.ConsumeIntegral<uint32_t>();
uint64_t total_bytes = provider.ConsumeIntegralInRange<uint64_t>(0, 1000000);
- /* ~x = 2^64 - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
- uint64_t seek = provider.ConsumeIntegralInRange<uint64_t>(0, ~(total_bytes >> 6));
+ /* ~x = 2^BITS - 1 - x, so ~(total_bytes >> 6) is the maximal seek position. */
+ uint32_t seek = provider.ConsumeIntegralInRange<uint32_t>(0, ~(uint32_t)(total_bytes >> 6));
// Initialize two ChaCha20 ciphers, with the same key/iv/position.
ChaCha20 crypt1(key);
ChaCha20 crypt2(key);
- crypt1.SetIV(iv);
- crypt1.Seek64(seek);
- crypt2.SetIV(iv);
- crypt2.Seek64(seek);
+ crypt1.Seek64({iv_prefix, iv}, seek);
+ crypt2.Seek64({iv_prefix, iv}, seek);
// Construct vectors with data.
std::vector<unsigned char> data1, data2;
diff --git a/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp b/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp
index 78fee48de6..285ea2dfe0 100644
--- a/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp
+++ b/src/test/fuzz/crypto_diff_fuzz_chacha20.cpp
@@ -284,6 +284,8 @@ FUZZ_TARGET(crypto_diff_fuzz_chacha20)
// ECRYPT_keysetup() doesn't set the counter and nonce to 0 while SetKey32() does
static const uint8_t iv[8] = {0, 0, 0, 0, 0, 0, 0, 0};
+ ChaCha20::Nonce96 nonce{0, 0};
+ uint32_t counter{0};
ECRYPT_ivsetup(&ctx, iv);
LIMITED_WHILE (fuzzed_data_provider.ConsumeBool(), 3000) {
@@ -292,45 +294,56 @@ FUZZ_TARGET(crypto_diff_fuzz_chacha20)
[&] {
const std::vector<unsigned char> key = ConsumeFixedLengthByteVector(fuzzed_data_provider, 32);
chacha20.SetKey32(key.data());
+ nonce = {0, 0};
+ counter = 0;
ECRYPT_keysetup(&ctx, key.data(), key.size() * 8, 0);
// ECRYPT_keysetup() doesn't set the counter and nonce to 0 while SetKey32() does
uint8_t iv[8] = {0, 0, 0, 0, 0, 0, 0, 0};
ECRYPT_ivsetup(&ctx, iv);
},
[&] {
+ uint32_t iv_prefix = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
uint64_t iv = fuzzed_data_provider.ConsumeIntegral<uint64_t>();
- chacha20.SetIV(iv);
+ nonce = {iv_prefix, iv};
+ counter = fuzzed_data_provider.ConsumeIntegral<uint32_t>();
+ chacha20.Seek64(nonce, counter);
+ ctx.input[12] = counter;
+ ctx.input[13] = iv_prefix;
ctx.input[14] = iv;
ctx.input[15] = iv >> 32;
},
[&] {
- uint64_t counter = fuzzed_data_provider.ConsumeIntegral<uint64_t>();
- chacha20.Seek64(counter);
- ctx.input[12] = counter;
- ctx.input[13] = counter >> 32;
- },
- [&] {
uint32_t integralInRange = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096);
- // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
- uint64_t pos = ctx.input[12] + (((uint64_t)ctx.input[13]) << 32) + ((integralInRange + 63) >> 6);
std::vector<uint8_t> output(integralInRange);
chacha20.Keystream(output.data(), output.size());
std::vector<uint8_t> djb_output(integralInRange);
ECRYPT_keystream_bytes(&ctx, djb_output.data(), djb_output.size());
assert(output == djb_output);
- chacha20.Seek64(pos);
+ // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
+ uint32_t old_counter = counter;
+ counter += (integralInRange + 63) >> 6;
+ if (counter < old_counter) ++nonce.first;
+ if (integralInRange & 63) {
+ chacha20.Seek64(nonce, counter);
+ }
+ assert(counter == ctx.input[12]);
},
[&] {
uint32_t integralInRange = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096);
- // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
- uint64_t pos = ctx.input[12] + (((uint64_t)ctx.input[13]) << 32) + ((integralInRange + 63) >> 6);
std::vector<uint8_t> output(integralInRange);
const std::vector<uint8_t> input = ConsumeFixedLengthByteVector(fuzzed_data_provider, output.size());
chacha20.Crypt(input.data(), output.data(), input.size());
std::vector<uint8_t> djb_output(integralInRange);
ECRYPT_encrypt_bytes(&ctx, input.data(), djb_output.data(), input.size());
assert(output == djb_output);
- chacha20.Seek64(pos);
+ // DJB's version seeks forward to a multiple of 64 bytes after every operation. Correct for that.
+ uint32_t old_counter = counter;
+ counter += (integralInRange + 63) >> 6;
+ if (counter < old_counter) ++nonce.first;
+ if (integralInRange & 63) {
+ chacha20.Seek64(nonce, counter);
+ }
+ assert(counter == ctx.input[12]);
});
}
}