Branch data Line data Source code
1 : : // Copyright (c) 2023 The Bitcoin Core developers 2 : : // Distributed under the MIT software license, see the accompanying 3 : : // file COPYING or http://www.opensource.org/licenses/mit-license.php. 4 : : 5 : : #include <bip324.h> 6 : : #include <chainparams.h> 7 : : #include <span.h> 8 : : #include <test/fuzz/FuzzedDataProvider.h> 9 : : #include <test/fuzz/fuzz.h> 10 : : #include <test/fuzz/util.h> 11 : : #include <test/util/xoroshiro128plusplus.h> 12 : : 13 : : #include <cstdint> 14 : : #include <vector> 15 : : 16 : : namespace { 17 : : 18 : 1 : void Initialize() 19 : : { 20 : 1 : ECC_Start(); 21 : 1 : SelectParams(ChainType::MAIN); 22 : 1 : } 23 : : 24 : : } // namespace 25 : : 26 [ + - - + ]: 488 : FUZZ_TARGET(bip324_cipher_roundtrip, .init=Initialize) 27 : : { 28 : : // Test that BIP324Cipher's encryption and decryption agree. 29 : : 30 : : // Load keys from fuzzer. 31 : 142 : FuzzedDataProvider provider(buffer.data(), buffer.size()); 32 : : // Initiator key 33 : 142 : CKey init_key = ConsumePrivateKey(provider, /*compressed=*/true); 34 [ + - + + ]: 142 : if (!init_key.IsValid()) return; 35 : : // Initiator entropy 36 [ + - ]: 141 : auto init_ent = provider.ConsumeBytes<std::byte>(32); 37 [ + - ]: 141 : init_ent.resize(32); 38 : : // Responder key 39 [ + - ]: 141 : CKey resp_key = ConsumePrivateKey(provider, /*compressed=*/true); 40 [ + - + + ]: 141 : if (!resp_key.IsValid()) return; 41 : : // Responder entropy 42 [ + - ]: 139 : auto resp_ent = provider.ConsumeBytes<std::byte>(32); 43 [ + - ]: 139 : resp_ent.resize(32); 44 : : 45 : : // Initialize ciphers by exchanging public keys. 46 [ + - ]: 139 : BIP324Cipher initiator(init_key, init_ent); 47 [ + - ]: 139 : assert(!initiator); 48 [ + - ]: 139 : BIP324Cipher responder(resp_key, resp_ent); 49 [ + - ]: 139 : assert(!responder); 50 : 139 : initiator.Initialize(responder.GetOurPubKey(), true); 51 [ + - ]: 139 : assert(initiator); 52 : 139 : responder.Initialize(initiator.GetOurPubKey(), false); 53 [ + - ]: 139 : assert(responder); 54 : : 55 : : // Initialize RNG deterministically, to generate contents and AAD. We assume that there are no 56 : : // (potentially buggy) edge cases triggered by specific values of contents/AAD, so we can avoid 57 : : // reading the actual data for those from the fuzzer input (which would need large amounts of 58 : : // data). 59 [ + - ]: 139 : XoRoShiRo128PlusPlus rng(provider.ConsumeIntegral<uint64_t>()); 60 : : 61 : : // Compare session IDs and garbage terminators. 62 [ + - ]: 139 : assert(initiator.GetSessionID() == responder.GetSessionID()); 63 [ + - ]: 139 : assert(initiator.GetSendGarbageTerminator() == responder.GetReceiveGarbageTerminator()); 64 [ + - ]: 139 : assert(initiator.GetReceiveGarbageTerminator() == responder.GetSendGarbageTerminator()); 65 : : 66 [ + - + + : 5928 : LIMITED_WHILE(provider.remaining_bytes(), 1000) { + + ] 67 : : // Mode: 68 : : // - Bit 0: whether the ignore bit is set in message 69 : : // - Bit 1: whether the responder (0) or initiator (1) sends 70 : : // - Bit 2: whether this ciphertext will be corrupted (making it the last sent one) 71 : : // - Bit 3-4: controls the maximum aad length (max 4095 bytes) 72 : : // - Bit 5-7: controls the maximum content length (max 16383 bytes, for performance reasons) 73 [ + - ]: 5838 : unsigned mode = provider.ConsumeIntegral<uint8_t>(); 74 : 5838 : bool ignore = mode & 1; 75 : 5838 : bool from_init = mode & 2; 76 : 5838 : bool damage = mode & 4; 77 : 5838 : unsigned aad_length_bits = 4 * ((mode >> 3) & 3); 78 [ + - ]: 5838 : unsigned aad_length = provider.ConsumeIntegralInRange<unsigned>(0, (1 << aad_length_bits) - 1); 79 : 5838 : unsigned length_bits = 2 * ((mode >> 5) & 7); 80 [ + - ]: 5838 : unsigned length = provider.ConsumeIntegralInRange<unsigned>(0, (1 << length_bits) - 1); 81 : : // Generate aad and content. 82 [ + - ]: 5838 : std::vector<std::byte> aad(aad_length); 83 [ + + ]: 728147 : for (auto& val : aad) val = std::byte{(uint8_t)rng()}; 84 [ + - ]: 5838 : std::vector<std::byte> contents(length); 85 [ + + ]: 4486262 : for (auto& val : contents) val = std::byte{(uint8_t)rng()}; 86 : : 87 : : // Pick sides. 88 [ + + ]: 5838 : auto& sender{from_init ? initiator : responder}; 89 [ + + ]: 5838 : auto& receiver{from_init ? responder : initiator}; 90 : : 91 : : // Encrypt 92 [ + - ]: 5838 : std::vector<std::byte> ciphertext(length + initiator.EXPANSION); 93 [ + - + - : 5838 : sender.Encrypt(contents, aad, ignore, ciphertext); + - ] 94 : : 95 : : // Optionally damage 1 bit in either the ciphertext (corresponding to a change in transit) 96 : : // or the aad (to make sure that decryption will fail if the AAD mismatches). 97 [ + + ]: 5838 : if (damage) { 98 [ + - ]: 49 : unsigned damage_bit = provider.ConsumeIntegralInRange<unsigned>(0, 99 : 49 : (ciphertext.size() + aad.size()) * 8U - 1U); 100 : 49 : unsigned damage_pos = damage_bit >> 3; 101 : 49 : std::byte damage_val{(uint8_t)(1U << (damage_bit & 3))}; 102 [ + + ]: 49 : if (damage_pos >= ciphertext.size()) { 103 : 2 : aad[damage_pos - ciphertext.size()] ^= damage_val; 104 : 2 : } else { 105 : 47 : ciphertext[damage_pos] ^= damage_val; 106 : : } 107 : 49 : } 108 : : 109 : : // Decrypt length 110 [ + - ]: 5838 : uint32_t dec_length = receiver.DecryptLength(Span{ciphertext}.first(initiator.LENGTH_LEN)); 111 [ + + ]: 5838 : if (!damage) { 112 [ + - ]: 5789 : assert(dec_length == length); 113 : 5789 : } else { 114 : : // For performance reasons, don't try to decode if length got increased too much. 115 [ + + ]: 49 : if (dec_length > 16384 + length) break; 116 : : // Otherwise, just append zeros if dec_length > length. 117 [ + - ]: 44 : ciphertext.resize(dec_length + initiator.EXPANSION); 118 : : } 119 : : 120 : : // Decrypt 121 [ + - ]: 5833 : std::vector<std::byte> decrypt(dec_length); 122 : 5833 : bool dec_ignore{false}; 123 [ + - + - : 5833 : bool ok = receiver.Decrypt(Span{ciphertext}.subspan(initiator.LENGTH_LEN), aad, dec_ignore, decrypt); + - ] 124 : : // Decryption *must* fail if the packet was damaged, and succeed if it wasn't. 125 [ + - ]: 5833 : assert(!ok == damage); 126 [ + + ]: 5833 : if (!ok) break; 127 [ + - ]: 5789 : assert(ignore == dec_ignore); 128 [ + - + - ]: 5789 : assert(decrypt == contents); 129 [ + + ]: 5838 : } 130 : 142 : }