Bitcoin Core  31.0.0
P2P Digital Currency
chacha20poly1305.cpp
Go to the documentation of this file.
1 // Copyright (c) 2023-present The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #include <crypto/chacha20poly1305.h>
6 
7 #include <crypto/chacha20.h>
8 #include <crypto/common.h>
9 #include <crypto/poly1305.h>
10 #include <span.h>
11 #include <support/cleanse.h>
12 
13 #include <cassert>
14 #include <cstddef>
15 
16 AEADChaCha20Poly1305::AEADChaCha20Poly1305(std::span<const std::byte> key) noexcept : m_chacha20(key)
17 {
18  assert(key.size() == KEYLEN);
19 }
20 
21 void AEADChaCha20Poly1305::SetKey(std::span<const std::byte> key) noexcept
22 {
23  assert(key.size() == KEYLEN);
24  m_chacha20.SetKey(key);
25 }
26 
27 namespace {
28 
29 int timingsafe_bcmp_internal(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept
30 {
31  const unsigned char *p1 = b1, *p2 = b2;
32  int ret = 0;
33  for (; n > 0; n--)
34  ret |= *p1++ ^ *p2++;
35  return (ret != 0);
36 }
37 
39 void ComputeTag(ChaCha20& chacha20, std::span<const std::byte> aad, std::span<const std::byte> cipher, std::span<std::byte> tag) noexcept
40 {
41  static const std::byte PADDING[16] = {{}};
42 
43  // Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).
44  std::byte first_block[ChaCha20Aligned::BLOCKLEN];
45  chacha20.Keystream(first_block);
46 
47  // Use the first 32 bytes of the first keystream block as poly1305 key.
48  Poly1305 poly1305{std::span{first_block}.first(Poly1305::KEYLEN)};
49 
50  // Compute tag:
51  // - Process the padded AAD with Poly1305.
52  const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;
53  poly1305.Update(aad).Update(std::span{PADDING}.first(aad_padding_length));
54  // - Process the padded ciphertext with Poly1305.
55  const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;
56  poly1305.Update(cipher).Update(std::span{PADDING}.first(cipher_padding_length));
57  // - Process the AAD and plaintext length with Poly1305.
58  std::byte length_desc[Poly1305::TAGLEN];
59  WriteLE64(length_desc, aad.size());
60  WriteLE64(length_desc + 8, cipher.size());
61  poly1305.Update(length_desc);
62 
63  // Output tag.
64  poly1305.Finalize(tag);
65 }
66 
67 } // namespace
68 
69 void AEADChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> cipher) noexcept
70 {
71  assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
72 
73  // Encrypt using ChaCha20 (starting at block 1).
74  m_chacha20.Seek(nonce, 1);
75  m_chacha20.Crypt(plain1, cipher.first(plain1.size()));
76  m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));
77 
78  // Seek to block 0, and compute tag using key drawn from there.
79  m_chacha20.Seek(nonce, 0);
80  ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));
81 }
82 
83 bool AEADChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept
84 {
85  assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
86 
87  // Verify tag (using key drawn from block 0).
88  m_chacha20.Seek(nonce, 0);
89  std::byte expected_tag[EXPANSION];
90  ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);
91  if (timingsafe_bcmp_internal(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;
92 
93  // Decrypt (starting at block 1).
94  m_chacha20.Crypt(cipher.first(plain1.size()), plain1);
95  m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);
96  return true;
97 }
98 
99 void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, std::span<std::byte> keystream) noexcept
100 {
101  // Skip the first output block, as it's used for generating the poly1305 key.
102  m_chacha20.Seek(nonce, 1);
103  m_chacha20.Keystream(keystream);
104 }
105 
106 void FSChaCha20Poly1305::NextPacket() noexcept
107 {
108  if (++m_packet_counter == m_rekey_interval) {
109  // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
110  // we only need KEYLEN (32) bytes.
111  std::byte one_block[ChaCha20Aligned::BLOCKLEN];
112  m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
113  // Switch keys.
114  m_aead.SetKey(std::span{one_block}.first(KEYLEN));
115  // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
116  // once it cycles again, or is destroyed).
117  memory_cleanse(one_block, sizeof(one_block));
118  // Update counters.
119  m_packet_counter = 0;
120  ++m_rekey_counter;
121  }
122 }
123 
124 void FSChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, std::span<std::byte> cipher) noexcept
125 {
126  m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);
127  NextPacket();
128 }
129 
130 bool FSChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept
131 {
132  bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);
133  NextPacket();
134  return ret;
135 }
ret
int ret
Definition: bitcoin-cli.cpp:1350
assert
assert(!tx.IsCoinBase())
FSChaCha20Poly1305::m_rekey_counter
uint64_t m_rekey_counter
The number of rekeys performed so far.
Definition: chacha20poly1305.h:95
nonce
unsigned int nonce
Definition: miner_tests.cpp:82
AEADChaCha20Poly1305::Keystream
void Keystream(Nonce96 nonce, std::span< std::byte > keystream) noexcept
Get a number of keystream bytes from the underlying stream cipher.
Definition: chacha20poly1305.cpp:99
FSChaCha20Poly1305::Encrypt
void Encrypt(std::span< const std::byte > plain, std::span< const std::byte > aad, std::span< std::byte > cipher) noexcept
Encrypt a message with a specified aad.
Definition: chacha20poly1305.h:121
FSChaCha20Poly1305::m_packet_counter
uint32_t m_packet_counter
The number of encryptions/decryptions since the last rekey.
Definition: chacha20poly1305.h:92
AEADChaCha20Poly1305::AEADChaCha20Poly1305
AEADChaCha20Poly1305(std::span< const std::byte > key) noexcept
Initialize an AEAD instance with a specified 32-byte key.
Definition: chacha20poly1305.cpp:16
ChaCha20Aligned::BLOCKLEN
static constexpr unsigned BLOCKLEN
Block size (inputs/outputs to Keystream / Crypt should be multiples of this).
Definition: chacha20.h:33
FSChaCha20Poly1305::m_aead
AEADChaCha20Poly1305 m_aead
Internal AEAD.
Definition: chacha20poly1305.h:86
WriteLE64
void WriteLE64(B *ptr, uint64_t x)
Definition: common.h:57
AEADChaCha20Poly1305::SetKey
void SetKey(std::span< const std::byte > key) noexcept
Switch to another 32-byte key.
Definition: chacha20poly1305.cpp:21
FSChaCha20Poly1305::m_rekey_interval
const uint32_t m_rekey_interval
Every how many iterations this cipher rekeys.
Definition: chacha20poly1305.h:89
ChaCha20
Unrestricted ChaCha20 cipher.
Definition: chacha20.h:75
memory_cleanse
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14
Poly1305::Update
Poly1305 & Update(std::span< const std::byte > msg) noexcept
Process message bytes.
Definition: poly1305.h:57
Poly1305::KEYLEN
static constexpr unsigned KEYLEN
Length of the keys expected by the constructor.
Definition: poly1305.h:47
FSChaCha20Poly1305::NextPacket
void NextPacket() noexcept
Update counters (and if necessary, key) to transition to the next message.
Definition: chacha20poly1305.cpp:106
AEADChaCha20Poly1305::Encrypt
void Encrypt(std::span< const std::byte > plain, std::span< const std::byte > aad, Nonce96 nonce, std::span< std::byte > cipher) noexcept
Encrypt a message with a specified 96-bit nonce and aad.
Definition: chacha20poly1305.h:41
FSChaCha20Poly1305::Decrypt
bool Decrypt(std::span< const std::byte > cipher, std::span< const std::byte > aad, std::span< std::byte > plain) noexcept
Decrypt a message with a specified aad.
Definition: chacha20poly1305.h:136
Poly1305
C++ wrapper with std::byte span interface around poly1305_donna code.
Definition: poly1305.h:38
AEADChaCha20Poly1305::Nonce96
ChaCha20::Nonce96 Nonce96
96-bit nonce type.
Definition: chacha20poly1305.h:35
AEADChaCha20Poly1305::Decrypt
bool Decrypt(std::span< const std::byte > cipher, std::span< const std::byte > aad, Nonce96 nonce, std::span< std::byte > plain) noexcept
Decrypt a message with a specified 96-bit nonce and aad.
Definition: chacha20poly1305.h:56
FSChaCha20Poly1305::KEYLEN
static constexpr auto KEYLEN
Length of keys expected by the constructor.
Definition: chacha20poly1305.h:102
UCharCast
unsigned char * UCharCast(char *c)
Definition: span.h:95
Poly1305::TAGLEN
static constexpr unsigned TAGLEN
Length of the output produced by Finalize().
Definition: poly1305.h:44
Generated on Thu Apr 16 2026 12:00:00 for Bitcoin Core by   doxygen 1.8.14