Iterate on the fuzzers to give them more "bite"

Author: cryptoquick

fuzz/Cargo.lock

@@ -36,3 +36,19 @@ path = "fuzz_targets/cross_algorithm_fuzz.rs"
 test = false
 doc = false
 bench = false
+
+# New target for key parsing
+[[bin]]
+name = "key_parsing"
+path = "fuzz_targets/key_parsing_fuzz.rs"
+test = false
+doc = false
+bench = false
+
+# New target for signature parsing
+[[bin]]
+name = "signature_parsing"
+path = "fuzz_targets/signature_parsing_fuzz.rs"
+test = false
+doc = false
+bench = false

fuzz/Cargo.toml

@@ -12,32 +12,50 @@ cargo install cargo-fuzz
 
 ## Available Fuzz Targets
 
-1. **keypair_generation** - Tests key pair generation with different algorithms
-2. **sign_verify** - Tests signature creation and verification
-3. **cross_algorithm** - Tests verification with mismatched keys and signatures from different algorithms
+1. **`keypair_generation`** - Tests key pair generation with different algorithms using fuzzed randomness.
+2. **`sign_verify`** - Tests signature creation and verification using generated keys and fuzzed messages.
+3. **`cross_algorithm`** - Tests verification with mismatched keys and signatures from different algorithms.
+4. **`key_parsing`** - Tests parsing of arbitrary byte sequences into `PublicKey` and `SecretKey` structs across algorithms.
+5. **`signature_parsing`** - Tests parsing of arbitrary byte sequences into `Signature` structs across algorithms.
 
 ## Running the Fuzz Tests
 
 To run a specific fuzz target:
 
-```
+```bash
 cargo fuzz run keypair_generation
 cargo fuzz run sign_verify
 cargo fuzz run cross_algorithm
+cargo fuzz run key_parsing
+cargo fuzz run signature_parsing
 ```
 
 To run a fuzz target for a specific amount of time:
 
-```
+```bash
 cargo fuzz run keypair_generation -- -max_total_time=60
 ```
 
 To run a fuzz target with a specific number of iterations:
 
-```
+```bash
 cargo fuzz run keypair_generation -- -runs=1000000
 ```
 
+To run **all** fuzz targets sequentially, use the provided script (make sure it's executable: `chmod +x fuzz/run_all_fuzzers.sh`):
+
+```bash
+./fuzz/run_all_fuzzers.sh
+```
+
+This script will iterate through all defined targets **in parallel** using **GNU Parallel**.
+If you don't have GNU Parallel installed, the script will output an error. You can install it using your system's package manager:
+
+- **Debian/Ubuntu:** `sudo apt update && sudo apt install parallel`
+- **Fedora:** `sudo dnf install parallel`
+- **Arch Linux:** `sudo pacman -S parallel`
+- **macOS (Homebrew):** `brew install parallel`
+
 ## Corpus Management
 
 Cargo-fuzz automatically manages a corpus of interesting inputs. You can find them in the `fuzz/corpus` directory once you've run the fuzz tests.
@@ -51,6 +69,7 @@ cargo fuzz run target_name fuzz/artifacts/target_name/crash-*
 ```
 
 When reporting an issue found by fuzzing, please include:
+
 1. The exact command used to run the fuzzer
 2. The crash input file
 3. The full output of the crash

fuzz/README.md

@@ -0,0 +1,30 @@
+#![no_main]
+
+use bitcoinpqc::{algorithm_from_index, PublicKey, SecretKey};
+use libfuzzer_sys::fuzz_target;
+
+const NUM_ALGORITHMS: u8 = 4; // SECP256K1_SCHNORR, FN_DSA_512, ML_DSA_44, SLH_DSA_128S
+
+fuzz_target!(|data: &[u8]| {
+    if data.is_empty() {
+        return; // Need at least one byte for algorithm selection
+    }
+
+    // Use first byte to select an algorithm
+    let alg_byte = data[0];
+    let algorithm = algorithm_from_index(alg_byte);
+
+    // Use remaining bytes as potential key data
+    let key_data = &data[1..];
+
+    // Attempt to parse as PublicKey
+    let _ = PublicKey::try_from_slice(algorithm, key_data);
+
+    // Attempt to parse as SecretKey
+    let secret_key_result = SecretKey::try_from_slice(algorithm, key_data);
+
+    assert!(
+        secret_key_result.is_ok(),
+        "Secret key parsing failed! Algorithm: {algorithm:?}",
+    );
+});

fuzz/fuzz_targets/key_parsing_fuzz.rs

@@ -1,6 +1,6 @@
 #![no_main]
 
-use bitcoinpqc::{generate_keypair, Algorithm};
+use bitcoinpqc::{algorithm_from_index, generate_keypair};
 use libfuzzer_sys::fuzz_target;
 
 fuzz_target!(|data: &[u8]| {
@@ -11,16 +11,16 @@ fuzz_target!(|data: &[u8]| {
 
     // Use first byte to select an algorithm
     let alg_byte = data[0];
-    let algorithm = match alg_byte % 4 {
-        0 => Algorithm::SECP256K1_SCHNORR,
-        1 => Algorithm::FN_DSA_512,
-        2 => Algorithm::ML_DSA_44,
-        _ => Algorithm::SLH_DSA_128S,
-    };
+    let algorithm = algorithm_from_index(alg_byte);
 
     // Use remaining bytes as random data
     let random_data = &data[1..];
 
     // Try to generate a keypair with this data
-    let _ = generate_keypair(algorithm, random_data);
+    let keypair = generate_keypair(algorithm, random_data);
+
+    assert!(
+        keypair.is_ok(),
+        "Keypair generation failed! Algorithm: {algorithm:?}",
+    );
 });

fuzz/fuzz_targets/keypair_generation_fuzz.rs

@@ -1,6 +1,6 @@
 #![no_main]
 
-use bitcoinpqc::{generate_keypair, sign, verify, Algorithm};
+use bitcoinpqc::{algorithm_from_index, generate_keypair, sign, verify};
 use libfuzzer_sys::fuzz_target;
 
 fuzz_target!(|data: &[u8]| {
@@ -11,12 +11,7 @@ fuzz_target!(|data: &[u8]| {
 
     // Use first byte to select an algorithm
     let alg_byte = data[0];
-    let algorithm = match alg_byte % 4 {
-        0 => Algorithm::SECP256K1_SCHNORR,
-        1 => Algorithm::FN_DSA_512,
-        2 => Algorithm::ML_DSA_44,
-        _ => Algorithm::SLH_DSA_128S,
-    };
+    let algorithm = algorithm_from_index(alg_byte);
 
     // Use 128 bytes for key generation
     let key_data = &data[1..129];
@@ -37,7 +32,12 @@ fuzz_target!(|data: &[u8]| {
     };
 
     // Try to verify the signature with the correct public key
-    let _verify_result = verify(&keypair.public_key, message, &signature);
+    let verify_result = verify(&keypair.public_key, message, &signature);
+
+    assert!(
+        verify_result.is_ok(),
+        "Verification failed for a signature generated with the corresponding private key! Algorithm: {algorithm:?}",
+    );
 
     // Also try some invalid cases (if we have a valid signature)
     if message.len() > 1 {