initial commit

Signed-off-by: Kamal Tufekcic <kamal@lo.sh>

soliton/fuzz/fuzz_targets/fuzz_stream_decrypt_at.rs

@@ -0,0 +1,34 @@
+#![no_main]
+use libfuzzer_sys::fuzz_target;
+use soliton::streaming::stream_decrypt_init;
+
+const FUZZ_KEY: [u8; 32] = [0x42; 32];
+
+fuzz_target!(|data: &[u8]| {
+    // Fuzz the random-access decrypt path (decrypt_chunk_at) with adversarial
+    // (index, chunk) pairs. Exercises index-derived nonce/AAD construction,
+    // tag-byte validation, and framing guards through the random-access API
+    // which skips the sequential state guards (next_index, finalized).
+    if data.len() < 26 + 8 {
+        return;
+    }
+    let header: [u8; 26] = data[..26].try_into().unwrap();
+    let rest = &data[26..];
+
+    let dec = match stream_decrypt_init(&FUZZ_KEY, &header, b"fuzz-at-aad") {
+        Ok(d) => d,
+        Err(_) => return,
+    };
+
+    // Each iteration: consume 8 bytes as u64 index, then up to 2048 bytes as chunk.
+    let mut cursor = 0;
+    while cursor + 8 < rest.len() {
+        let index = u64::from_be_bytes(rest[cursor..cursor + 8].try_into().unwrap());
+        cursor += 8;
+        let chunk_end = (cursor + 2048).min(rest.len());
+        let chunk_data = &rest[cursor..chunk_end];
+        cursor = chunk_end;
+
+        let _ = dec.decrypt_chunk_at(index, chunk_data);
+    }
+});