doc/html/bip324_8cpp_source.html

// Copyright (c) 2023-present The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <bip324.h>


#include <chainparams.h>

#include <crypto/chacha20.h>

#include <crypto/chacha20poly1305.h>

#include <crypto/hkdf_sha256_32.h>

#include <key.h>

#include <pubkey.h>

#include <random.h>

#include <span.h>

#include <support/cleanse.h>

#include <uint256.h>


#include <algorithm>

#include <cassert>

#include <cstddef>

#include <cstdint>

#include <iterator>

#include <string>


BIP324Cipher::BIP324Cipher(const CKey& key, std::span<const std::byte> ent32) noexcept

    : m_key(key)

{

    m_our_pubkey = m_key.EllSwiftCreate(ent32);

}


BIP324Cipher::BIP324Cipher(const CKey& key, const EllSwiftPubKey& pubkey) noexcept :

    m_key(key), m_our_pubkey(pubkey) {}


void BIP324Cipher::Initialize(const EllSwiftPubKey& their_pubkey, bool initiator, bool self_decrypt) noexcept

{

    // Determine salt (fixed string + network magic bytes)

    const auto& message_header = Params().MessageStart();

    std::string salt = std::string{"bitcoin_v2_shared_secret"} + std::string(std::begin(message_header), std::end(message_header));


    // Perform ECDH to derive shared secret.

    ECDHSecret ecdh_secret = m_key.ComputeBIP324ECDHSecret(their_pubkey, m_our_pubkey, initiator);


    // Derive encryption keys from shared secret, and initialize stream ciphers and AEADs.

    bool side = (initiator != self_decrypt);

    CHKDF_HMAC_SHA256_L32 hkdf(UCharCast(ecdh_secret.data()), ecdh_secret.size(), salt);

    std::array<std::byte, 32> hkdf_32_okm;

    hkdf.Expand32("initiator_L", UCharCast(hkdf_32_okm.data()));

    (side ? m_send_l_cipher : m_recv_l_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL);

    hkdf.Expand32("initiator_P", UCharCast(hkdf_32_okm.data()));

    (side ? m_send_p_cipher : m_recv_p_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL);

    hkdf.Expand32("responder_L", UCharCast(hkdf_32_okm.data()));

    (side ? m_recv_l_cipher : m_send_l_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL);

    hkdf.Expand32("responder_P", UCharCast(hkdf_32_okm.data()));

    (side ? m_recv_p_cipher : m_send_p_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL);


    // Derive garbage terminators from shared secret.

    hkdf.Expand32("garbage_terminators", UCharCast(hkdf_32_okm.data()));

    std::copy(std::begin(hkdf_32_okm), std::begin(hkdf_32_okm) + GARBAGE_TERMINATOR_LEN,

        (initiator ? m_send_garbage_terminator : m_recv_garbage_terminator).begin());

    std::copy(std::end(hkdf_32_okm) - GARBAGE_TERMINATOR_LEN, std::end(hkdf_32_okm),

        (initiator ? m_recv_garbage_terminator : m_send_garbage_terminator).begin());


    // Derive session id from shared secret.

    hkdf.Expand32("session_id", UCharCast(m_session_id.data()));


    // Wipe all variables that contain information which could be used to re-derive encryption keys.

    memory_cleanse(ecdh_secret.data(), ecdh_secret.size());

    memory_cleanse(hkdf_32_okm.data(), sizeof(hkdf_32_okm));

    memory_cleanse(&hkdf, sizeof(hkdf));

    m_key = CKey();

}


void BIP324Cipher::Encrypt(std::span<const std::byte> contents, std::span<const std::byte> aad, bool ignore, std::span<std::byte> output) noexcept

{

    assert(output.size() == contents.size() + EXPANSION);


    // Encrypt length.

    std::byte len[LENGTH_LEN];

    len[0] = std::byte{(uint8_t)(contents.size() & 0xFF)};

    len[1] = std::byte{(uint8_t)((contents.size() >> 8) & 0xFF)};

    len[2] = std::byte{(uint8_t)((contents.size() >> 16) & 0xFF)};

    m_send_l_cipher->Crypt(len, output.first(LENGTH_LEN));


    // Encrypt plaintext.

    std::byte header[HEADER_LEN] = {ignore ? IGNORE_BIT : std::byte{0}};

    m_send_p_cipher->Encrypt(header, contents, aad, output.subspan(LENGTH_LEN));

}


uint32_t BIP324Cipher::DecryptLength(std::span<const std::byte> input) noexcept

{

    assert(input.size() == LENGTH_LEN);


    std::byte buf[LENGTH_LEN];

    // Decrypt length

    m_recv_l_cipher->Crypt(input, buf);

    // Convert to number.

    return uint32_t(buf[0]) + (uint32_t(buf[1]) << 8) + (uint32_t(buf[2]) << 16);

}


bool BIP324Cipher::Decrypt(std::span<const std::byte> input, std::span<const std::byte> aad, bool& ignore, std::span<std::byte> contents) noexcept

{

    assert(input.size() + LENGTH_LEN == contents.size() + EXPANSION);


    std::byte header[HEADER_LEN];

    if (!m_recv_p_cipher->Decrypt(input, aad, header, contents)) return false;


    ignore = (header[0] & IGNORE_BIT) == IGNORE_BIT;

    return true;

}


bip324.h

chacha20.h

chacha20poly1305.h

Params
const CChainParams & Params()
Return the currently selected parameters.
Definition chainparams.cpp:112

chainparams.h

BIP324Cipher::REKEY_INTERVAL
static constexpr unsigned REKEY_INTERVAL
Definition bip324.h:24

BIP324Cipher::Decrypt
bool Decrypt(std::span< const std::byte > input, std::span< const std::byte > aad, bool &ignore, std::span< std::byte > contents) noexcept
Decrypt a packet.
Definition bip324.cpp:100

BIP324Cipher::GARBAGE_TERMINATOR_LEN
static constexpr unsigned GARBAGE_TERMINATOR_LEN
Definition bip324.h:23

BIP324Cipher::HEADER_LEN
static constexpr unsigned HEADER_LEN
Definition bip324.h:26

BIP324Cipher::DecryptLength
unsigned DecryptLength(std::span< const std::byte > input) noexcept
Decrypt the length of a packet.
Definition bip324.cpp:89

BIP324Cipher::m_our_pubkey
EllSwiftPubKey m_our_pubkey
Definition bip324.h:37

BIP324Cipher::IGNORE_BIT
static constexpr std::byte IGNORE_BIT
Definition bip324.h:28

BIP324Cipher::BIP324Cipher
BIP324Cipher()=delete
No default constructor; keys must be provided to create a BIP324Cipher.

BIP324Cipher::m_recv_p_cipher
std::optional< FSChaCha20Poly1305 > m_recv_p_cipher
Definition bip324.h:34

BIP324Cipher::m_key
CKey m_key
Definition bip324.h:36

BIP324Cipher::m_recv_garbage_terminator
std::array< std::byte, GARBAGE_TERMINATOR_LEN > m_recv_garbage_terminator
Definition bip324.h:41

BIP324Cipher::m_session_id
std::array< std::byte, SESSION_ID_LEN > m_session_id
Definition bip324.h:39

BIP324Cipher::m_send_garbage_terminator
std::array< std::byte, GARBAGE_TERMINATOR_LEN > m_send_garbage_terminator
Definition bip324.h:40

BIP324Cipher::m_recv_l_cipher
std::optional< FSChaCha20 > m_recv_l_cipher
Definition bip324.h:32

BIP324Cipher::LENGTH_LEN
static constexpr unsigned LENGTH_LEN
Definition bip324.h:25

BIP324Cipher::EXPANSION
static constexpr unsigned EXPANSION
Definition bip324.h:27

BIP324Cipher::Initialize
void Initialize(const EllSwiftPubKey &their_pubkey, bool initiator, bool self_decrypt=false) noexcept
Initialize when the other side's public key is received.
Definition bip324.cpp:34

BIP324Cipher::m_send_p_cipher
std::optional< FSChaCha20Poly1305 > m_send_p_cipher
Definition bip324.h:33

BIP324Cipher::m_send_l_cipher
std::optional< FSChaCha20 > m_send_l_cipher
Definition bip324.h:31

BIP324Cipher::Encrypt
void Encrypt(std::span< const std::byte > contents, std::span< const std::byte > aad, bool ignore, std::span< std::byte > output) noexcept
Encrypt a packet.
Definition bip324.cpp:73

CChainParams::MessageStart
const MessageStartChars & MessageStart() const
Definition chainparams.h:90

CHKDF_HMAC_SHA256_L32
A rfc5869 HKDF implementation with HMAC_SHA256 and fixed key output length of 32 bytes (L=32).
Definition hkdf_sha256_32.h:13

CHKDF_HMAC_SHA256_L32::Expand32
void Expand32(const std::string &info, unsigned char hash[OUTPUT_SIZE])
Definition hkdf_sha256_32.cpp:16

CKey
An encapsulated private key.
Definition key.h:36

memory_cleanse
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition cleanse.cpp:14

cleanse.h

hkdf_sha256_32.h

key.h

ECDHSecret
std::array< std::byte, ECDH_SECRET_SIZE > ECDHSecret
Definition key.h:30

pubkey.h

random.h

span.h

UCharCast
unsigned char * UCharCast(char *c)
Definition span.h:95

EllSwiftPubKey
An ElligatorSwift-encoded public key.
Definition pubkey.h:309

uint256.h

assert
assert(!tx.IsCoinBase())