new fuzzers

Author: eschorn1

CHANGELOG.md

@@ -5,6 +5,11 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## 0.4.5 (2024-11-07)
+
+- Bug fix in Hash-ML-DSA - thank you @codespree
+- Two new fuzzers with tons of coverage: fuzz_sign and fuzz_verify
+
 ## 0.4.4 (2024-10-29)
 
 - Significant shrink of required stack size

Cargo.toml

@@ -2,7 +2,7 @@ workspace = { exclude = ["ct_cm4", "dudect", "fuzz", "wasm"] }
 
 [package]
 name = "fips204"
-version = "0.4.4"
+version = "0.4.5"
 authors = ["Eric Schorn <[email protected]>"]
 description = "FIPS 204: Module-Lattice-Based Digital Signature"
 categories = ["cryptography", "no-std"]

fuzz/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "fips204-fuzz"
-version = "0.4.4"
+version = "0.4.5"
 authors = ["Eric Schorn <[email protected]>"]
 description = "Fuzz harness for FIPS 204 (draft) ML-DSA"
 edition = "2021"
@@ -16,6 +16,7 @@ cargo-fuzz = true
 [dependencies]
 libfuzzer-sys = "0.4"
 rand_core = { version = "0.6.4", default-features = false }
+rand_chacha = "0.3.1"
 
 
 [dependencies.fips204]
@@ -39,3 +40,15 @@ name = "fuzz_all"
 path = "fuzz_targets/fuzz_all.rs"
 test = false
 doc = false
+
+[[bin]]
+name = "fuzz_verify"
+path = "fuzz_targets/fuzz_verify.rs"
+test = false
+doc = false
+
+[[bin]]
+name = "fuzz_sign"
+path = "fuzz_targets/fuzz_sign.rs"
+test = false
+doc = false

fuzz/README.md

@@ -1,7 +1,7 @@
 This is a work in progress, but good results currently.
 
-Harness code is in fuzz/fuzz_targets/fuzz_all.rs. The Cargo.toml file specifies 
-that overflow-checks and debug-assertions are enabled (so the fuzzer can find these panics).
+Harness code is in fuzz/fuzz_targets/*. The Cargo.toml file specifies that overflow-checks and 
+debug-assertions are enabled (so the fuzzer can find these panics).
 
 See <https://rust-fuzz.github.io/book/introduction.html>
 
@@ -14,20 +14,38 @@ $ for i in $(seq 1 2); do head -c 6292 </dev/urandom > corpus/fuzz_all/seed$i; d
 $ dd if=/dev/zero bs=1 count=6292 | tr '\0x00' '\377' > corpus/fuzz_all/seed3
 $ cargo fuzz run fuzz_all -j 4 -- -max_total_time=1000  # run three times
 
-#1020: cov: 13306 ft: 9885 corp: 153 exec/s 0 oom/timeout/crash: 0/0/0 time: 867s job: 50 dft_time: 0
-#1046: cov: 13306 ft: 9910 corp: 155 exec/s 0 oom/timeout/crash: 0/0/0 time: 883s job: 51 dft_time: 0
-#1096: cov: 13306 ft: 9912 corp: 156 exec/s 0 oom/timeout/crash: 0/0/0 time: 905s job: 52 dft_time: 0
-#1132: cov: 13306 ft: 9912 corp: 156 exec/s 0 oom/timeout/crash: 0/0/0 time: 914s job: 53 dft_time: 0
 #1184: cov: 13306 ft: 9913 corp: 157 exec/s 0 oom/timeout/crash: 0/0/0 time: 927s job: 54 dft_time: 0
 #1245: cov: 13306 ft: 9985 corp: 160 exec/s 1 oom/timeout/crash: 0/0/0 time: 945s job: 55 dft_time: 0
 #1270: cov: 13306 ft: 9985 corp: 160 exec/s 0 oom/timeout/crash: 0/0/0 time: 964s job: 56 dft_time: 0
 #1297: cov: 13306 ft: 9990 corp: 162 exec/s 0 oom/timeout/crash: 0/0/0 time: 979s job: 57 dft_time: 0
 #1331: cov: 13306 ft: 9997 corp: 164 exec/s 0 oom/timeout/crash: 0/0/0 time: 996s job: 58 dft_time: 0
 INFO: fuzzed for 1005 seconds, wrapping up soon
 INFO: exiting: 0 time: 1019s
+
+
+$ cargo fuzz run fuzz_sign -j 4 -- -max_total_time=1000
+
+#241: cov: 18829 ft: 12381 corp: 18 exec/s 0 oom/timeout/crash: 0/0/0 time: 890s job: 63 dft_time: 0
+#247: cov: 18829 ft: 12474 corp: 19 exec/s 0 oom/timeout/crash: 0/0/0 time: 905s job: 64 dft_time: 0
+#253: cov: 18829 ft: 12575 corp: 20 exec/s 0 oom/timeout/crash: 0/0/0 time: 952s job: 65 dft_time: 0
+#259: cov: 18829 ft: 12588 corp: 21 exec/s 0 oom/timeout/crash: 0/0/0 time: 968s job: 66 dft_time: 0
+#266: cov: 18829 ft: 12702 corp: 22 exec/s 0 oom/timeout/crash: 0/0/0 time: 998s job: 67 dft_time: 0
+INFO: fuzzed for 1014 seconds, wrapping up soon
+INFO: exiting: 0 time: 1047s
+
+
+$ cargo fuzz run fuzz_verify -j 4 -- -max_total_time=1000
+
+#307: cov: 18818 ft: 12996 corp: 30 exec/s 0 oom/timeout/crash: 0/0/0 time: 915s job: 57 dft_time: 0
+#314: cov: 18818 ft: 13023 corp: 32 exec/s 0 oom/timeout/crash: 0/0/0 time: 934s job: 58 dft_time: 0
+#321: cov: 18818 ft: 13040 corp: 33 exec/s 0 oom/timeout/crash: 0/0/0 time: 945s job: 59 dft_time: 0
+#328: cov: 18818 ft: 13063 corp: 34 exec/s 0 oom/timeout/crash: 0/0/0 time: 964s job: 60 dft_time: 0
+#336: cov: 18818 ft: 13078 corp: 35 exec/s 0 oom/timeout/crash: 0/0/0 time: 998s job: 61 dft_time: 0
+INFO: fuzzed for 1018 seconds, wrapping up soon
+INFO: exiting: 0 time: 1031s
 ~~~
 
-Coverage status of ml_dsa_44 is robust, see:
+Coverage status of, for example, ml_dsa_44 is robust, see:
 
 ~~~
 $ cargo fuzz coverage fuzz_all

fuzz/fuzz_targets/fuzz_sign.rs

@@ -0,0 +1,132 @@
+#![no_main]
+use fips204::traits::{KeyGen, SerDes, Signer, Verifier};
+use fips204::Ph;
+use fips204::{ml_dsa_44, ml_dsa_65, ml_dsa_87};
+use libfuzzer_sys::fuzz_target;
+use rand_chacha::ChaCha20Rng;
+use rand_core::{CryptoRngCore, SeedableRng};
+
+
+// Helper to create deterministic RNG from data
+fn create_rng(seed_data: &[u8]) -> ChaCha20Rng {
+    let seed = if seed_data.len() >= 32 {
+        let mut arr = [0u8; 32];
+        arr.copy_from_slice(&seed_data[..32]);
+        arr
+    } else {
+        let mut arr = [0u8; 32];
+        arr[..seed_data.len()].copy_from_slice(seed_data);
+        arr
+    };
+    ChaCha20Rng::from_seed(seed)
+}
+
+
+// Helper function to test signing operations for a specific parameter set
+fn fuzz_signer_for_params<S, V>(
+    data: &[u8], rng: &mut impl CryptoRngCore, keypair: &(V, S), ctx: &[u8],
+) where
+    S: Signer<PublicKey = V>,
+    V: Verifier<Signature = S::Signature> + SerDes + Clone,
+    <S as Signer>::Signature: PartialEq,
+    <V as SerDes>::ByteArray: PartialEq,
+{
+    let (pk, sk) = keypair;
+
+    // Test regular signing
+    if let Ok(sig1) = sk.try_sign_with_rng(rng, data, ctx) {
+        // Verify the signature works
+        assert!(pk.clone().verify(data, &sig1, ctx));
+
+        // Test that signing the same message twice produces different signatures
+        if let Ok(sig2) = sk.try_sign_with_rng(rng, data, ctx) {
+            // Signatures should be different (due to randomization)
+            assert!(sig1 != sig2);
+            // But both should verify
+            assert!(pk.clone().verify(data, &sig2, ctx));
+        }
+
+        // Verify public key derivation
+        let derived_pk = sk.get_public_key();
+        assert!(derived_pk.clone().into_bytes() == pk.clone().into_bytes());
+        assert!(derived_pk.verify(data, &sig1, ctx));
+    }
+
+    // Test hash signing with different hash functions
+    for ph in [Ph::SHA256, Ph::SHA512, Ph::SHAKE128] {
+        if let Ok(sig) = sk.try_hash_sign_with_rng(rng, data, ctx, &ph) {
+            // Verify the hash signature works
+            assert!(pk.hash_verify(data, &sig, ctx, &ph));
+
+            // Test that hash signing the same message twice produces different signatures
+            if let Ok(sig2) = sk.try_hash_sign_with_rng(rng, data, ctx, &ph) {
+                assert!(sig != sig2);
+                assert!(pk.hash_verify(data, &sig2, ctx, &ph));
+            }
+
+            // Verify signature doesn't work with wrong hash function
+            let wrong_ph = match ph {
+                Ph::SHA256 => Ph::SHA512,
+                _ => Ph::SHA256,
+            };
+            assert!(!pk.hash_verify(data, &sig, ctx, &wrong_ph));
+        }
+    }
+}
+
+
+fuzz_target!(|data: &[u8]| {
+    // Skip empty inputs
+    if data.is_empty() {
+        return;
+    }
+
+    // Create deterministic RNG from first part of input
+    let mut rng = create_rng(data);
+
+    // Generate keypairs using the RNG
+    let ml_dsa_44_keypair = ml_dsa_44::KG::try_keygen_with_rng(&mut rng).unwrap();
+    let ml_dsa_65_keypair = ml_dsa_65::KG::try_keygen_with_rng(&mut rng).unwrap();
+    let ml_dsa_87_keypair = ml_dsa_87::KG::try_keygen_with_rng(&mut rng).unwrap();
+
+    // Use first byte as context length
+    let ctx_len = (data[0] as usize) % 8;
+    let (ctx, msg) = data.split_at(ctx_len.min(data.len()));
+
+    // Test all parameter sets
+    fuzz_signer_for_params(msg, &mut rng, &ml_dsa_44_keypair, ctx);
+    fuzz_signer_for_params(msg, &mut rng, &ml_dsa_65_keypair, ctx);
+    fuzz_signer_for_params(msg, &mut rng, &ml_dsa_87_keypair, ctx);
+
+    // Test edge cases
+    if let Some((pk, sk)) = Some(&ml_dsa_65_keypair) {
+        // Test empty message
+        if let Ok(sig) = sk.try_sign_with_rng(&mut rng, &[], ctx) {
+            assert!(pk.verify(&[], &sig, ctx));
+        }
+
+        // Test empty context
+        if let Ok(sig) = sk.try_sign_with_rng(&mut rng, msg, &[]) {
+            assert!(pk.verify(msg, &sig, &[]));
+        }
+
+        // Test large message (if we have enough data)
+        if msg.len() > 100 {
+            if let Ok(sig) = sk.try_sign_with_rng(&mut rng, msg, ctx) {
+                assert!(pk.verify(msg, &sig, ctx));
+            }
+        }
+
+        // Test signing with different RNG seeds
+        if msg.len() > 32 {
+            let mut different_rng = create_rng(&msg[..32]);
+            if let Ok(sig1) = sk.try_sign_with_rng(&mut rng, msg, ctx) {
+                if let Ok(sig2) = sk.try_sign_with_rng(&mut different_rng, msg, ctx) {
+                    assert!(sig1 != sig2);
+                    assert!(pk.verify(msg, &sig1, ctx));
+                    assert!(pk.verify(msg, &sig2, ctx));
+                }
+            }
+        }
+    }
+});

fuzz/fuzz_targets/fuzz_verify.rs

@@ -0,0 +1,95 @@
+#![no_main]
+use fips204::traits::{KeyGen, SerDes, Signer, Verifier};
+use fips204::Ph;
+use fips204::{ml_dsa_44, ml_dsa_65, ml_dsa_87};
+use libfuzzer_sys::fuzz_target;
+
+
+// Helper function to test a specific parameter set
+fn fuzz_verify_for_params<S, V>(data: &[u8], keypair: &(V, S), ctx: &[u8])
+where
+    S: Signer,
+    V: Verifier<Signature = S::Signature>,
+{
+    let (pk, sk) = keypair;
+
+    // Test regular verify
+    if let Ok(sig) = sk.try_sign(data, ctx) {
+        // Valid signature should verify
+        assert!(pk.verify(data, &sig, ctx));
+
+        // Modified message should not verify
+        if !data.is_empty() {
+            let mut modified_msg = data.to_vec();
+            modified_msg[0] ^= 1;
+            assert!(!pk.verify(&modified_msg, &sig, ctx));
+        }
+
+        // Modified context should not verify
+        let mut modified_ctx = ctx.to_vec();
+        modified_ctx.push(1);
+        assert!(!pk.verify(data, &sig, &modified_ctx));
+    }
+
+    // Test hash verify
+    for ph in [Ph::SHA256, Ph::SHA512, Ph::SHAKE128] {
+        if let Ok(sig) = sk.try_hash_sign(data, ctx, &ph) {
+            // Valid signature should verify
+            assert!(pk.hash_verify(data, &sig, ctx, &ph));
+
+            // Modified message should not verify
+            if !data.is_empty() {
+                let mut modified_msg = data.to_vec();
+                modified_msg[0] ^= 1;
+                assert!(!pk.hash_verify(&modified_msg, &sig, ctx, &ph));
+            }
+
+            // Modified context should not verify
+            let mut modified_ctx = ctx.to_vec();
+            modified_ctx.push(1);
+            assert!(!pk.hash_verify(data, &sig, &modified_ctx, &ph));
+
+            // Different hash function should not verify
+            let different_ph = match ph {
+                Ph::SHA256 => Ph::SHA512,
+                _ => Ph::SHA256,
+            };
+            assert!(!pk.hash_verify(data, &sig, ctx, &different_ph));
+        }
+    }
+}
+
+
+fuzz_target!(|data: &[u8]| {
+    // Skip empty inputs
+    if data.is_empty() {
+        return;
+    }
+
+    // Generate static keypairs (for speed)
+    let seed = [42u8; 32];
+    let ml_dsa_44_keypair = ml_dsa_44::KG::keygen_from_seed(&seed);
+    let ml_dsa_65_keypair = ml_dsa_65::KG::keygen_from_seed(&seed);
+    let ml_dsa_87_keypair = ml_dsa_87::KG::keygen_from_seed(&seed);
+
+    // Use first byte as context length
+    let ctx_len = (data[0] as usize) % 8;
+    let (ctx, msg) = data.split_at(ctx_len.min(data.len()));
+
+    // Test all parameter sets
+    fuzz_verify_for_params(msg, &ml_dsa_44_keypair, ctx);
+    fuzz_verify_for_params(msg, &ml_dsa_65_keypair, ctx);
+    fuzz_verify_for_params(msg, &ml_dsa_87_keypair, ctx);
+
+    // Test serialization/deserialization
+    if !msg.is_empty() {
+        let (pk, sk) = &ml_dsa_65_keypair;
+        if let Ok(sig) = sk.try_sign(msg, ctx) {
+            // Serialize and deserialize the public key
+            let pk_bytes = pk.clone().into_bytes();
+            if let Ok(recovered_pk) = ml_dsa_65::PublicKey::try_from_bytes(pk_bytes) {
+                assert!(recovered_pk.verify(msg, &sig, ctx));
+            }
+        }
+    }
+});