Move Poly1305 fuzzing logic from chacha20poly1305rfc.rs

TheBlueMatt · shaavan · commit 75a54f74d8bc · 2025-07-17T21:59:33.000+05:30
Rather than skipping compilation of `poly1305.rs` when building for
fuzzing and relying on `ChaCha20Poly1305` to do the fuzzing
variants, implement an actual fuzz wrapper in `poly1305.rs`,
keeping the same fuzz MAC structure that we already have.

We also add a fuzzing implementation of `fixed_time_eq` which does
a simple comparison, to allow the fuzzer to "see into" the
comparison in some cases.

Best reviewed with `-b`.
diff --git a/lightning/src/crypto/chacha20poly1305rfc.rs b/lightning/src/crypto/chacha20poly1305rfc.rs
@@ -10,247 +10,148 @@
 // This is a port of Andrew Moons poly1305-donna
 // https://github.com/floodyberry/poly1305-donna
 
-#[cfg(not(fuzzing))]
-mod real_chachapoly {
-	use super::super::chacha20::ChaCha20;
-	use super::super::fixed_time_eq;
-	use super::super::poly1305::Poly1305;
-
-	#[derive(Clone, Copy)]
-	pub struct ChaCha20Poly1305RFC {
-		cipher: ChaCha20,
-		mac: Poly1305,
-		finished: bool,
-		data_len: usize,
-		aad_len: u64,
-	}
-
-	impl ChaCha20Poly1305RFC {
-		#[inline]
-		fn pad_mac_16(mac: &mut Poly1305, len: usize) {
-			if len % 16 != 0 {
-				mac.input(&[0; 16][0..16 - (len % 16)]);
-			}
-		}
-		pub fn new(key: &[u8], nonce: &[u8], aad: &[u8]) -> ChaCha20Poly1305RFC {
-			assert!(key.len() == 16 || key.len() == 32);
-			assert!(nonce.len() == 12);
-
-			// Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
-			assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
-
-			let mut cipher = ChaCha20::new(key, &nonce[4..]);
-			let mut mac_key = [0u8; 64];
-			let zero_key = [0u8; 64];
-			cipher.process(&zero_key, &mut mac_key);
-
-			let mut mac = Poly1305::new(&mac_key[..32]);
-			mac.input(aad);
-			ChaCha20Poly1305RFC::pad_mac_16(&mut mac, aad.len());
-
-			ChaCha20Poly1305RFC {
-				cipher,
-				mac,
-				finished: false,
-				data_len: 0,
-				aad_len: aad.len() as u64,
-			}
-		}
-
-		pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
-			assert!(input.len() == output.len());
-			assert!(!self.finished);
-			self.cipher.process(input, output);
-			self.data_len += input.len();
-			self.mac.input(output);
-			ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
-			self.finished = true;
-			self.mac.input(&self.aad_len.to_le_bytes());
-			self.mac.input(&(self.data_len as u64).to_le_bytes());
-			out_tag.copy_from_slice(&self.mac.result());
-		}
-
-		pub fn encrypt_full_message_in_place(
-			&mut self, input_output: &mut [u8], out_tag: &mut [u8],
-		) {
-			self.encrypt_in_place(input_output);
-			self.finish_and_get_tag(out_tag);
-		}
-
-		// Encrypt `input_output` in-place. To finish and calculate the tag, use `finish_and_get_tag`
-		// below.
-		pub(in super::super) fn encrypt_in_place(&mut self, input_output: &mut [u8]) {
-			debug_assert!(!self.finished);
-			self.cipher.process_in_place(input_output);
-			self.data_len += input_output.len();
-			self.mac.input(input_output);
-		}
-
-		// If we were previously encrypting with `encrypt_in_place`, this method can be used to finish
-		// encrypting and calculate the tag.
-		pub(in super::super) fn finish_and_get_tag(&mut self, out_tag: &mut [u8]) {
-			debug_assert!(!self.finished);
-			ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
-			self.finished = true;
-			self.mac.input(&self.aad_len.to_le_bytes());
-			self.mac.input(&(self.data_len as u64).to_le_bytes());
-			out_tag.copy_from_slice(&self.mac.result());
-		}
-
-		/// Decrypt the `input`, checking the given `tag` prior to writing the decrypted contents
-		/// into `output`. Note that, because `output` is not touched until the `tag` is checked,
-		/// this decryption is *variable time*.
-		pub fn variable_time_decrypt(
-			&mut self, input: &[u8], output: &mut [u8], tag: &[u8],
-		) -> Result<(), ()> {
-			assert!(input.len() == output.len());
-			assert!(!self.finished);
-
-			self.finished = true;
-
-			self.mac.input(input);
-
-			self.data_len += input.len();
-			ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
-			self.mac.input(&self.aad_len.to_le_bytes());
-			self.mac.input(&(self.data_len as u64).to_le_bytes());
-
-			let calc_tag = self.mac.result();
-			if fixed_time_eq(&calc_tag, tag) {
-				self.cipher.process(input, output);
-				Ok(())
-			} else {
-				Err(())
-			}
-		}
-
-		pub fn check_decrypt_in_place(
-			&mut self, input_output: &mut [u8], tag: &[u8],
-		) -> Result<(), ()> {
-			self.decrypt_in_place(input_output);
-			if self.finish_and_check_tag(tag) {
-				Ok(())
-			} else {
-				Err(())
-			}
-		}
-
-		/// Decrypt in place, without checking the tag. Use `finish_and_check_tag` to check it
-		/// later when decryption finishes.
-		///
-		/// Should never be `pub` because the public API should always enforce tag checking.
-		pub(in super::super) fn decrypt_in_place(&mut self, input_output: &mut [u8]) {
-			debug_assert!(!self.finished);
-			self.mac.input(input_output);
-			self.data_len += input_output.len();
-			self.cipher.process_in_place(input_output);
-		}
-
-		/// If we were previously decrypting with `just_decrypt_in_place`, this method must be used
-		/// to check the tag. Returns whether or not the tag is valid.
-		pub(in super::super) fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
-			debug_assert!(!self.finished);
-			self.finished = true;
-			ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
-			self.mac.input(&self.aad_len.to_le_bytes());
-			self.mac.input(&(self.data_len as u64).to_le_bytes());
+use super::chacha20::ChaCha20;
+use super::fixed_time_eq;
+use super::poly1305::Poly1305;
+
+pub struct ChaCha20Poly1305RFC {
+	cipher: ChaCha20,
+	mac: Poly1305,
+	finished: bool,
+	data_len: usize,
+	aad_len: u64,
+}
 
-			let calc_tag = self.mac.result();
-			if fixed_time_eq(&calc_tag, tag) {
-				true
-			} else {
-				false
-			}
+impl ChaCha20Poly1305RFC {
+	#[inline]
+	fn pad_mac_16(mac: &mut Poly1305, len: usize) {
+		if len % 16 != 0 {
+			mac.input(&[0; 16][0..16 - (len % 16)]);
 		}
 	}
-}
-#[cfg(not(fuzzing))]
-pub use self::real_chachapoly::ChaCha20Poly1305RFC;
-
-#[cfg(fuzzing)]
-mod fuzzy_chachapoly {
-	#[derive(Clone, Copy)]
-	pub struct ChaCha20Poly1305RFC {
-		tag: [u8; 16],
-		finished: bool,
+	pub fn new(key: &[u8], nonce: &[u8], aad: &[u8]) -> ChaCha20Poly1305RFC {
+		assert!(key.len() == 16 || key.len() == 32);
+		assert!(nonce.len() == 12);
+
+		// Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
+		assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
+
+		let mut cipher = ChaCha20::new(key, &nonce[4..]);
+		let mut mac_key = [0u8; 64];
+		let zero_key = [0u8; 64];
+		cipher.process(&zero_key, &mut mac_key);
+
+		#[cfg(not(fuzzing))]
+		let mut mac = Poly1305::new(&mac_key[..32]);
+		#[cfg(fuzzing)]
+		let mut mac = Poly1305::new(&key);
+		mac.input(aad);
+		ChaCha20Poly1305RFC::pad_mac_16(&mut mac, aad.len());
+
+		ChaCha20Poly1305RFC { cipher, mac, finished: false, data_len: 0, aad_len: aad.len() as u64 }
 	}
-	impl ChaCha20Poly1305RFC {
-		pub fn new(key: &[u8], nonce: &[u8], _aad: &[u8]) -> ChaCha20Poly1305RFC {
-			assert!(key.len() == 16 || key.len() == 32);
-			assert!(nonce.len() == 12);
-
-			// Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
-			assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
 
-			let mut tag = [0; 16];
-			tag.copy_from_slice(&key[0..16]);
+	pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
+		assert!(input.len() == output.len());
+		assert!(!self.finished);
+		self.cipher.process(input, output);
+		self.data_len += input.len();
+		self.mac.input(output);
+		ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
+		self.finished = true;
+		self.mac.input(&self.aad_len.to_le_bytes());
+		self.mac.input(&(self.data_len as u64).to_le_bytes());
+		out_tag.copy_from_slice(&self.mac.result());
+	}
 
-			ChaCha20Poly1305RFC { tag, finished: false }
-		}
+	pub fn encrypt_full_message_in_place(&mut self, input_output: &mut [u8], out_tag: &mut [u8]) {
+		self.encrypt_in_place(input_output);
+		self.finish_and_get_tag(out_tag);
+	}
 
-		pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
-			assert!(input.len() == output.len());
-			assert!(self.finished == false);
+	// Encrypt `input_output` in-place. To finish and calculate the tag, use `finish_and_get_tag`
+	// below.
+	pub(in super::super) fn encrypt_in_place(&mut self, input_output: &mut [u8]) {
+		debug_assert!(!self.finished);
+		self.cipher.process_in_place(input_output);
+		self.data_len += input_output.len();
+		self.mac.input(input_output);
+	}
 
-			output.copy_from_slice(&input);
-			out_tag.copy_from_slice(&self.tag);
-			self.finished = true;
-		}
+	// If we were previously encrypting with `encrypt_in_place`, this method can be used to finish
+	// encrypting and calculate the tag.
+	pub(in super::super) fn finish_and_get_tag(&mut self, out_tag: &mut [u8]) {
+		debug_assert!(!self.finished);
+		ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
+		self.finished = true;
+		self.mac.input(&self.aad_len.to_le_bytes());
+		self.mac.input(&(self.data_len as u64).to_le_bytes());
+		out_tag.copy_from_slice(&self.mac.result());
+	}
 
-		pub fn encrypt_full_message_in_place(
-			&mut self, input_output: &mut [u8], out_tag: &mut [u8],
-		) {
-			self.encrypt_in_place(input_output);
-			self.finish_and_get_tag(out_tag);
-		}
+	/// Decrypt the `input`, checking the given `tag` prior to writing the decrypted contents
+	/// into `output`. Note that, because `output` is not touched until the `tag` is checked,
+	/// this decryption is *variable time*.
+	pub fn variable_time_decrypt(
+		&mut self, input: &[u8], output: &mut [u8], tag: &[u8],
+	) -> Result<(), ()> {
+		assert!(input.len() == output.len());
+		assert!(!self.finished);
 
-		pub(in super::super) fn encrypt_in_place(&mut self, _input_output: &mut [u8]) {
-			assert!(self.finished == false);
-		}
+		self.finished = true;
 
-		pub(in super::super) fn finish_and_get_tag(&mut self, out_tag: &mut [u8]) {
-			assert!(self.finished == false);
-			out_tag.copy_from_slice(&self.tag);
-			self.finished = true;
-		}
+		self.mac.input(input);
 
-		pub fn variable_time_decrypt(
-			&mut self, input: &[u8], output: &mut [u8], tag: &[u8],
-		) -> Result<(), ()> {
-			assert!(input.len() == output.len());
-			assert!(self.finished == false);
+		self.data_len += input.len();
+		ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
+		self.mac.input(&self.aad_len.to_le_bytes());
+		self.mac.input(&(self.data_len as u64).to_le_bytes());
 
-			if tag[..] != self.tag[..] {
-				return Err(());
-			}
-			output.copy_from_slice(input);
-			self.finished = true;
+		let calc_tag = self.mac.result();
+		if fixed_time_eq(&calc_tag, tag) {
+			self.cipher.process(input, output);
 			Ok(())
+		} else {
+			Err(())
 		}
+	}
 
-		pub fn check_decrypt_in_place(
-			&mut self, input_output: &mut [u8], tag: &[u8],
-		) -> Result<(), ()> {
-			self.decrypt_in_place(input_output);
-			if self.finish_and_check_tag(tag) {
-				Ok(())
-			} else {
-				Err(())
-			}
+	pub fn check_decrypt_in_place(
+		&mut self, input_output: &mut [u8], tag: &[u8],
+	) -> Result<(), ()> {
+		self.decrypt_in_place(input_output);
+		if self.finish_and_check_tag(tag) {
+			Ok(())
+		} else {
+			Err(())
 		}
+	}
 
-		pub(in super::super) fn decrypt_in_place(&mut self, _input: &mut [u8]) {
-			assert!(self.finished == false);
-		}
+	/// Decrypt in place, without checking the tag. Use `finish_and_check_tag` to check it
+	/// later when decryption finishes.
+	///
+	/// Should never be `pub` because the public API should always enforce tag checking.
+	pub(in super::super) fn decrypt_in_place(&mut self, input_output: &mut [u8]) {
+		debug_assert!(!self.finished);
+		self.mac.input(input_output);
+		self.data_len += input_output.len();
+		self.cipher.process_in_place(input_output);
+	}
 
-		pub(in super::super) fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
-			if tag[..] != self.tag[..] {
-				return false;
-			}
-			self.finished = true;
+	/// If we were previously decrypting with `just_decrypt_in_place`, this method must be used
+	/// to check the tag. Returns whether or not the tag is valid.
+	pub(in super::super) fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
+		debug_assert!(!self.finished);
+		self.finished = true;
+		ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
+		self.mac.input(&self.aad_len.to_le_bytes());
+		self.mac.input(&(self.data_len as u64).to_le_bytes());
+
+		let calc_tag = self.mac.result();
+		if fixed_time_eq(&calc_tag, tag) {
 			true
+		} else {
+			false
 		}
 	}
 }
-#[cfg(fuzzing)]
-pub use self::fuzzy_chachapoly::ChaCha20Poly1305RFC;
diff --git a/lightning/src/crypto/mod.rs b/lightning/src/crypto/mod.rs
@@ -1,9 +1,14 @@
 #[cfg(not(fuzzing))]
-use bitcoin::hashes::cmp::fixed_time_eq;
+pub(crate) use bitcoin::hashes::cmp::fixed_time_eq;
+
+#[cfg(fuzzing)]
+fn fixed_time_eq(a: &[u8], b: &[u8]) -> bool {
+	assert_eq!(a.len(), b.len());
+	a == b
+}
 
 pub(crate) mod chacha20;
 pub(crate) mod chacha20poly1305rfc;
-#[cfg(not(fuzzing))]
 pub(crate) mod poly1305;
 pub(crate) mod streams;
 pub(crate) mod utils;
diff --git a/lightning/src/crypto/poly1305.rs b/lightning/src/crypto/poly1305.rs
