doc/html/chacha20poly1305_8cpp_source.html

// Copyright (c) 2023-present The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <crypto/chacha20poly1305.h>


#include <crypto/chacha20.h>

#include <crypto/common.h>

#include <crypto/poly1305.h>

#include <span.h>

#include <support/cleanse.h>


#include <cassert>

#include <cstddef>


AEADChaCha20Poly1305::AEADChaCha20Poly1305(std::span<const std::byte> key) noexcept : m_chacha20(key)

{

    assert(key.size() == KEYLEN);

}


void AEADChaCha20Poly1305::SetKey(std::span<const std::byte> key) noexcept

{

    assert(key.size() == KEYLEN);

    m_chacha20.SetKey(key);

}


namespace {


int timingsafe_bcmp_internal(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept

{

    const unsigned char *p1 = b1, *p2 = b2;

    int ret = 0;

    for (; n > 0; n--)

        ret |= *p1++ ^ *p2++;

    return (ret != 0);

}


void ComputeTag(ChaCha20& chacha20, std::span<const std::byte> aad, std::span<const std::byte> cipher, std::span<std::byte> tag) noexcept

{

    static const std::byte PADDING[16] = {{}};


    // Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).

    std::byte first_block[ChaCha20Aligned::BLOCKLEN];

    chacha20.Keystream(first_block);


    // Use the first 32 bytes of the first keystream block as poly1305 key.

    Poly1305 poly1305{std::span{first_block}.first(Poly1305::KEYLEN)};


    // Compute tag:

    // - Process the padded AAD with Poly1305.

    const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;

    poly1305.Update(aad).Update(std::span{PADDING}.first(aad_padding_length));

    // - Process the padded ciphertext with Poly1305.

    const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;

    poly1305.Update(cipher).Update(std::span{PADDING}.first(cipher_padding_length));

    // - Process the AAD and plaintext length with Poly1305.

    std::byte length_desc[Poly1305::TAGLEN];

    WriteLE64(length_desc, aad.size());

    WriteLE64(length_desc + 8, cipher.size());

    poly1305.Update(length_desc);


    // Output tag.

    poly1305.Finalize(tag);

}


} // namespace


void AEADChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> cipher) noexcept

{

    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);


    // Encrypt using ChaCha20 (starting at block 1).

    m_chacha20.Seek(nonce, 1);

    m_chacha20.Crypt(plain1, cipher.first(plain1.size()));

    m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));


    // Seek to block 0, and compute tag using key drawn from there.

    m_chacha20.Seek(nonce, 0);

    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));

}


bool AEADChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept

{

    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);


    // Verify tag (using key drawn from block 0).

    m_chacha20.Seek(nonce, 0);

    std::byte expected_tag[EXPANSION];

    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);

    if (timingsafe_bcmp_internal(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;


    // Decrypt (starting at block 1).

    m_chacha20.Crypt(cipher.first(plain1.size()), plain1);

    m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);

    return true;

}


void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, std::span<std::byte> keystream) noexcept

{

    // Skip the first output block, as it's used for generating the poly1305 key.

    m_chacha20.Seek(nonce, 1);

    m_chacha20.Keystream(keystream);

}


void FSChaCha20Poly1305::NextPacket() noexcept

{

    if (++m_packet_counter == m_rekey_interval) {

        // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though

        // we only need KEYLEN (32) bytes.

        std::byte one_block[ChaCha20Aligned::BLOCKLEN];

        m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);

        // Switch keys.

        m_aead.SetKey(std::span{one_block}.first(KEYLEN));

        // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up

        // once it cycles again, or is destroyed).

        memory_cleanse(one_block, sizeof(one_block));

        // Update counters.

        m_packet_counter = 0;

        ++m_rekey_counter;

    }

}


void FSChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, std::span<std::byte> cipher) noexcept

{

    m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);

    NextPacket();

}


bool FSChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept

{

    bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);

    NextPacket();

    return ret;

}


ret
int ret
Definition bitcoin-cli.cpp:1350

chacha20.h

chacha20poly1305.h

AEADChaCha20Poly1305::Nonce96
ChaCha20::Nonce96 Nonce96
96-bit nonce type.
Definition chacha20poly1305.h:35

AEADChaCha20Poly1305::Encrypt
void Encrypt(std::span< const std::byte > plain, std::span< const std::byte > aad, Nonce96 nonce, std::span< std::byte > cipher) noexcept
Encrypt a message with a specified 96-bit nonce and aad.
Definition chacha20poly1305.h:41

AEADChaCha20Poly1305::Decrypt
bool Decrypt(std::span< const std::byte > cipher, std::span< const std::byte > aad, Nonce96 nonce, std::span< std::byte > plain) noexcept
Decrypt a message with a specified 96-bit nonce and aad.
Definition chacha20poly1305.h:56

AEADChaCha20Poly1305::EXPANSION
static constexpr unsigned EXPANSION
Expansion when encrypting.
Definition chacha20poly1305.h:26

AEADChaCha20Poly1305::KEYLEN
static constexpr unsigned KEYLEN
Expected size of key argument in constructor.
Definition chacha20poly1305.h:23

AEADChaCha20Poly1305::AEADChaCha20Poly1305
AEADChaCha20Poly1305(std::span< const std::byte > key) noexcept
Initialize an AEAD instance with a specified 32-byte key.
Definition chacha20poly1305.cpp:16

AEADChaCha20Poly1305::SetKey
void SetKey(std::span< const std::byte > key) noexcept
Switch to another 32-byte key.
Definition chacha20poly1305.cpp:21

AEADChaCha20Poly1305::Keystream
void Keystream(Nonce96 nonce, std::span< std::byte > keystream) noexcept
Get a number of keystream bytes from the underlying stream cipher.
Definition chacha20poly1305.cpp:99

AEADChaCha20Poly1305::m_chacha20
ChaCha20 m_chacha20
Internal stream cipher.
Definition chacha20poly1305.h:19

ChaCha20Aligned::BLOCKLEN
static constexpr unsigned BLOCKLEN
Block size (inputs/outputs to Keystream / Crypt should be multiples of this).
Definition chacha20.h:33

ChaCha20
Unrestricted ChaCha20 cipher.
Definition chacha20.h:76

FSChaCha20Poly1305::NextPacket
void NextPacket() noexcept
Update counters (and if necessary, key) to transition to the next message.
Definition chacha20poly1305.cpp:106

FSChaCha20Poly1305::m_rekey_interval
const uint32_t m_rekey_interval
Every how many iterations this cipher rekeys.
Definition chacha20poly1305.h:89

FSChaCha20Poly1305::m_packet_counter
uint32_t m_packet_counter
The number of encryptions/decryptions since the last rekey.
Definition chacha20poly1305.h:92

FSChaCha20Poly1305::Decrypt
bool Decrypt(std::span< const std::byte > cipher, std::span< const std::byte > aad, std::span< std::byte > plain) noexcept
Decrypt a message with a specified aad.
Definition chacha20poly1305.h:136

FSChaCha20Poly1305::m_aead
AEADChaCha20Poly1305 m_aead
Internal AEAD.
Definition chacha20poly1305.h:86

FSChaCha20Poly1305::KEYLEN
static constexpr auto KEYLEN
Length of keys expected by the constructor.
Definition chacha20poly1305.h:102

FSChaCha20Poly1305::m_rekey_counter
uint64_t m_rekey_counter
The number of rekeys performed so far.
Definition chacha20poly1305.h:95

FSChaCha20Poly1305::Encrypt
void Encrypt(std::span< const std::byte > plain, std::span< const std::byte > aad, std::span< std::byte > cipher) noexcept
Encrypt a message with a specified aad.
Definition chacha20poly1305.h:121

Poly1305
C++ wrapper with std::byte span interface around poly1305_donna code.
Definition poly1305.h:39

Poly1305::Finalize
void Finalize(std::span< std::byte > out) noexcept
Write authentication tag to 16-byte out.
Definition poly1305.h:64

Poly1305::Update
Poly1305 & Update(std::span< const std::byte > msg) noexcept
Process message bytes.
Definition poly1305.h:57

Poly1305::KEYLEN
static constexpr unsigned KEYLEN
Length of the keys expected by the constructor.
Definition poly1305.h:47

Poly1305::TAGLEN
static constexpr unsigned TAGLEN
Length of the output produced by Finalize().
Definition poly1305.h:44

memory_cleanse
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition cleanse.cpp:14

cleanse.h

common.h

WriteLE64
void WriteLE64(B *ptr, uint64_t x)
Definition common.h:57

nonce
unsigned int nonce
Definition miner_tests.cpp:82

poly1305.h

span.h

UCharCast
unsigned char * UCharCast(char *c)
Definition span.h:95

assert
assert(!tx.IsCoinBase())