lo/libsoliton
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

initial commit
Some checks failed
CI / lint (push) Successful in 1m37s
Details
CI / test-python (push) Successful in 1m49s
Details
CI / test-zig (push) Successful in 1m39s
Details
CI / test-wasm (push) Successful in 1m54s
Details
CI / test (push) Successful in 14m44s
Details
CI / miri (push) Successful in 14m18s
Details
CI / build (push) Successful in 1m9s
Details
CI / fuzz-regression (push) Successful in 9m9s
Details
CI / publish (push) Failing after 1m10s
Details
CI / publish-python (push) Failing after 1m46s
Details
CI / publish-wasm (push) Has been cancelled
Details

Browse source 
Signed-off-by: Kamal Tufekcic <kamal@lo.sh>
This commit is contained in:
Kamal Tufekcic 2026-04-02 23:48:10 +03:00
commit 1d99048c95
No known key found for this signature in database
165830 changed files with 79062 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

76
soliton/fuzz/fuzz_targets/fuzz_ratchet_decrypt.rs Normal file
View file

@ -0,0 +1,76 @@
#![no_main]
use libfuzzer_sys::fuzz_target;
use soliton::primitives::xwing;
use soliton::ratchet::{RatchetHeader, RatchetState};
// Fixed keys for deterministic Bob state construction.
const ROOT_KEY: [u8; 32] = [0x11; 32];
const CHAIN_KEY: [u8; 32] = [0x22; 32];
const FP_A: [u8; 32] = [0xAA; 32];
const FP_B: [u8; 32] = [0xBB; 32];
fuzz_target!(|data: &[u8]| {
// Parse fuzzer input into:
// peer_ek (1216) | ratchet_pk (1216) | has_kem_ct (1) | [kem_ct (1120)] | n (4) | pn (4) | ciphertext
// peer_ek is Bob's initial recv_ratchet_pk (set at init_bob time).
// ratchet_pk is the value in the incoming header.
// When they differ (the common case with random fuzz input), need_ratchet = true
// and the ratchet-step path fires; when they happen to be identical, the
// same-chain path fires. Both slices are independently fuzz-controlled.
// Minimum: 1216 + 1216 + 1 + 4 + 4 + 16 = 2457 bytes (no kem_ct, 16 for Poly1305 tag)
if data.len() < 2457 {
return;
}
let Ok(peer_ek) = xwing::PublicKey::from_bytes(data[..1216].to_vec()) else {
return;
};
let Ok(ratchet_pk) = xwing::PublicKey::from_bytes(data[1216..2432].to_vec()) else {
return;
};
let Ok(mut bob) = RatchetState::init_bob(ROOT_KEY, CHAIN_KEY, FP_B, FP_A, peer_ek) else {
return;
};
let rest = &data[2432..];
let has_kem_ct = rest[0] & 0x01 != 0;
let (kem_ct, counter_start) = if has_kem_ct {
// Need 1120 bytes for kem_ct after the flag byte
if rest.len() < 1 + 1120 + 8 {
return;
}
match xwing::Ciphertext::from_bytes(rest[1..1121].to_vec()) {
// counter_start = 1 (flag) + 1120 (kem_ct) = 1121
Ok(ct) => (Some(ct), 1121),
Err(_) => return,
}
} else {
// counter_start = 1 (flag byte only; no kem_ct bytes)
(None, 1)
};
if rest.len() < counter_start + 8 {
return;
}
let n = u32::from_be_bytes(rest[counter_start..counter_start + 4].try_into().unwrap());
let pn = u32::from_be_bytes(rest[counter_start + 4..counter_start + 8].try_into().unwrap());
let ciphertext = &rest[counter_start + 8..];
let header = RatchetHeader { ratchet_pk, kem_ct, n, pn };
// decrypt must never panic regardless of input. When ratchet_pk differs
// from peer_ek (the common case), need_ratchet = true and the ratchet-step
// path fires, exercising KEM ciphertext validation, root/recv-epoch KDF,
// and rollback on decapsulation failure. When they are identical, the
// same-chain path fires and AEAD rejects almost all inputs. Both code
// paths are reachable from fuzz input. Rollback execution is exercised
// here; rollback correctness — that all 9 state fields (root_key,
// recv_epoch_key, recv_count, recv_ratchet_pk, ratchet_pending,
// recv_seen, prev_recv_epoch_key, prev_recv_ratchet_pk,
// prev_recv_seen) are fully restored on failure — is verified by the
// unit tests in ratchet/mod.rs, not by this harness.
let _ = bob.decrypt(&header, ciphertext);
});