From ed5f00dc9e9ec51695e0ad74b7cdcd8731d8fff7 Mon Sep 17 00:00:00 2001 From: Dhruv Mehta <856960+dhruv@users.noreply.github.com> Date: Thu, 7 Oct 2021 14:52:44 -0700 Subject: [PATCH] fuzz: Provide correct MAC tag to assist v2 transport fuzzing before commit: 131072 pulse cov: 1734 ft: 1993 corp: 19/107b lim: 1260 exec/s: 757 rss: 465Mb after commit: 131072 pulse cov: 1888 ft: 2708 corp: 50/4004b lim: 1100 exec/s: 762 rss: 467Mb --- .../fuzz/p2p_v2_transport_serialization.cpp | 38 +++++++++++++++---- 1 file changed, 31 insertions(+), 7 deletions(-) diff --git a/src/test/fuzz/p2p_v2_transport_serialization.cpp b/src/test/fuzz/p2p_v2_transport_serialization.cpp index 367f641ef3..2b99404476 100644 --- a/src/test/fuzz/p2p_v2_transport_serialization.cpp +++ b/src/test/fuzz/p2p_v2_transport_serialization.cpp @@ -4,6 +4,7 @@ #include #include +#include #include #include #include @@ -14,8 +15,8 @@ FUZZ_TARGET(p2p_v2_transport_serialization) { - CPrivKey k1(32, 0); - CPrivKey k2(32, 0); + CPrivKey k1(CHACHA20_POLY1305_AEAD_KEY_LEN, 0); + CPrivKey k2(CHACHA20_POLY1305_AEAD_KEY_LEN, 0); // Construct deserializer, with a dummy NodeId V2TransportDeserializer deserializer{(NodeId)0, k1, k2}; @@ -23,13 +24,27 @@ FUZZ_TARGET(p2p_v2_transport_serialization) FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; bool length_assist = fuzzed_data_provider.ConsumeBool(); + + // There is no sense in providing a mac assist if the length is incorrect. + bool mac_assist = length_assist && fuzzed_data_provider.ConsumeBool(); auto payload_bytes = fuzzed_data_provider.ConsumeRemainingBytes(); - if (length_assist && payload_bytes.size() >= CHACHA20_POLY1305_AEAD_AAD_LEN + CHACHA20_POLY1305_AEAD_TAG_LEN) { - uint32_t packet_length = payload_bytes.size() - CHACHA20_POLY1305_AEAD_AAD_LEN - CHACHA20_POLY1305_AEAD_TAG_LEN; - payload_bytes[0] = packet_length & 0xff; - payload_bytes[1] = (packet_length >> 8) & 0xff; - payload_bytes[2] = (packet_length >> 16) & 0xff; + if (payload_bytes.size() >= CHACHA20_POLY1305_AEAD_AAD_LEN + CHACHA20_POLY1305_AEAD_TAG_LEN) { + if (length_assist) { + uint32_t packet_length = payload_bytes.size() - CHACHA20_POLY1305_AEAD_AAD_LEN - CHACHA20_POLY1305_AEAD_TAG_LEN; + payload_bytes[0] = packet_length & 0xff; + payload_bytes[1] = (packet_length >> 8) & 0xff; + payload_bytes[2] = (packet_length >> 16) & 0xff; + } + + if (mac_assist) { + unsigned char pseudorandom_bytes[CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_KEYLEN]; + memset(pseudorandom_bytes, 0, sizeof(pseudorandom_bytes)); + ChaCha20Forward4064 chacha{k1}; + chacha.Crypt(pseudorandom_bytes, pseudorandom_bytes, CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_KEYLEN); + + poly1305_auth(payload_bytes.data() + (payload_bytes.size() - POLY1305_TAGLEN), payload_bytes.data(), (payload_bytes.size() - POLY1305_TAGLEN), pseudorandom_bytes + CHACHA20_POLY1305_AEAD_AAD_LEN); + } } Span msg_bytes{payload_bytes}; @@ -43,6 +58,15 @@ FUZZ_TARGET(p2p_v2_transport_serialization) bool reject_message{true}; bool disconnect{true}; CNetMessage result{deserializer.GetMessage(m_time, reject_message, disconnect)}; + + if (mac_assist) { + assert(!disconnect); + } + + if (length_assist && mac_assist) { + assert(!reject_message); + } + if (!reject_message) { assert(result.m_type.size() <= CMessageHeader::COMMAND_SIZE); assert(result.m_raw_message_size <= buffer.size());