doc/dev/chacha20poly1305_8cpp_source.html

// Copyright (c) 2023 The Bitcoin Core developers

// Distributed under the MIT software license, see the accompanying

// file COPYING or http://www.opensource.org/licenses/mit-license.php.


#include <crypto/chacha20poly1305.h>


#include <crypto/chacha20.h>

#include <crypto/common.h>

#include <crypto/poly1305.h>

#include <span.h>

#include <support/cleanse.h>


#include <cassert>

#include <cstddef>

#include <cstdint>

#include <iterator>


AEADChaCha20Poly1305::AEADChaCha20Poly1305(Span<const std::byte> key) noexcept

    : m_chacha20(key) {

    assert(key.size() == KEYLEN);

}


void AEADChaCha20Poly1305::SetKey(Span<const std::byte> key) noexcept {

    assert(key.size() == KEYLEN);

    m_chacha20.SetKey(key);

}


namespace {


int timingsafe_bcmp_internal(const uint8_t *b1, const uint8_t *b2,

                             size_t n) noexcept {

    const uint8_t *p1 = b1, *p2 = b2;

    int ret = 0;

    for (; n > 0; n--) {

        ret |= *p1++ ^ *p2++;

    }

    return (ret != 0);

}


void ComputeTag(ChaCha20 &chacha20, Span<const std::byte> aad,

                Span<const std::byte> cipher, Span<std::byte> tag) noexcept {

    static const std::byte PADDING[16] = {{}};


    // Get block of keystream (use a full 64 byte buffer to avoid the need for

    // chacha20's own buffering).

    std::byte first_block[ChaCha20Aligned::BLOCKLEN];

    chacha20.Keystream(first_block);


    // Use the first 32 bytes of the first keystream block as poly1305 key.

    Poly1305 poly1305{Span{first_block}.first(Poly1305::KEYLEN)};


    // Compute tag:

    // - Process the padded AAD with Poly1305.

    const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;

    poly1305.Update(aad).Update(Span{PADDING}.first(aad_padding_length));

    // - Process the padded ciphertext with Poly1305.

    const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;

    poly1305.Update(cipher).Update(Span{PADDING}.first(cipher_padding_length));

    // - Process the AAD and plaintext length with Poly1305.

    std::byte length_desc[Poly1305::TAGLEN];

    WriteLE64(UCharCast(length_desc), aad.size());

    WriteLE64(UCharCast(length_desc + 8), cipher.size());

    poly1305.Update(length_desc);


    // Output tag.

    poly1305.Finalize(tag);

}


} // namespace


void AEADChaCha20Poly1305::Encrypt(Span<const std::byte> plain1,

                                   Span<const std::byte> plain2,

                                   Span<const std::byte> aad, Nonce96 nonce,

                                   Span<std::byte> cipher) noexcept {

    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);


    // Encrypt using ChaCha20 (starting at block 1).

    m_chacha20.Seek(nonce, 1);

    m_chacha20.Crypt(plain1, cipher.first(plain1.size()));

    m_chacha20.Crypt(plain2,

                     cipher.subspan(plain1.size()).first(plain2.size()));


    // Seek to block 0, and compute tag using key drawn from there.

    m_chacha20.Seek(nonce, 0);

    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION),

               cipher.last(EXPANSION));

}


bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher,

                                   Span<const std::byte> aad, Nonce96 nonce,

                                   Span<std::byte> plain1,

                                   Span<std::byte> plain2) noexcept {

    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);


    // Verify tag (using key drawn from block 0).

    m_chacha20.Seek(nonce, 0);

    std::byte expected_tag[EXPANSION];

    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION),

               expected_tag);

    if (timingsafe_bcmp_internal(

            UCharCast(expected_tag),

            UCharCast(cipher.data() + cipher.size() - EXPANSION), EXPANSION)) {

        return false;

    }


    // Decrypt (starting at block 1).

    m_chacha20.Crypt(cipher.first(plain1.size()), plain1);

    m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()),

                     plain2);

    return true;

}


void AEADChaCha20Poly1305::Keystream(Nonce96 nonce,

                                     Span<std::byte> keystream) noexcept {

    // Skip the first output block, as it's used for generating the poly1305

    // key.

    m_chacha20.Seek(nonce, 1);

    m_chacha20.Keystream(keystream);

}


void FSChaCha20Poly1305::NextPacket() noexcept {

    if (++m_packet_counter == m_rekey_interval) {

        // Generate a full block of keystream, to avoid needing the ChaCha20

        // buffer, even though we only need KEYLEN (32) bytes.

        std::byte one_block[ChaCha20Aligned::BLOCKLEN];

        m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);

        // Switch keys.

        m_aead.SetKey(Span{one_block}.first(KEYLEN));

        // Wipe the generated keystream (a copy remains inside m_aead, which

        // will be cleaned up once it cycles again, or is destroyed).

        memory_cleanse(one_block, sizeof(one_block));

        // Update counters.

        m_packet_counter = 0;

        ++m_rekey_counter;

    }

}


void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain1,

                                 Span<const std::byte> plain2,

                                 Span<const std::byte> aad,

                                 Span<std::byte> cipher) noexcept {

    m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter},

                   cipher);

    NextPacket();

}


bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher,

                                 Span<const std::byte> aad,

                                 Span<std::byte> plain1,

                                 Span<std::byte> plain2) noexcept {

    bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter},

                              plain1, plain2);

    NextPacket();

    return ret;

}

chacha20.h

chacha20poly1305.h

AEADChaCha20Poly1305::AEADChaCha20Poly1305
AEADChaCha20Poly1305(Span< const std::byte > key) noexcept
Initialize an AEAD instance with a specified 32-byte key.
Definition: chacha20poly1305.cpp:18

AEADChaCha20Poly1305::Nonce96
ChaCha20::Nonce96 Nonce96
96-bit nonce type.
Definition: chacha20poly1305.h:38

AEADChaCha20Poly1305::Encrypt
void Encrypt(Span< const std::byte > plain, Span< const std::byte > aad, Nonce96 nonce, Span< std::byte > cipher) noexcept
Encrypt a message with a specified 96-bit nonce and aad.
Definition: chacha20poly1305.h:45

AEADChaCha20Poly1305::SetKey
void SetKey(Span< const std::byte > key) noexcept
Switch to another 32-byte key.
Definition: chacha20poly1305.cpp:23

AEADChaCha20Poly1305::Decrypt
bool Decrypt(Span< const std::byte > cipher, Span< const std::byte > aad, Nonce96 nonce, Span< std::byte > plain) noexcept
Decrypt a message with a specified 96-bit nonce and aad.
Definition: chacha20poly1305.h:66

AEADChaCha20Poly1305::Keystream
void Keystream(Nonce96 nonce, Span< std::byte > keystream) noexcept
Get a number of keystream bytes from the underlying stream cipher.
Definition: chacha20poly1305.cpp:117

ChaCha20Aligned::BLOCKLEN
static constexpr unsigned BLOCKLEN
Block size (inputs/outputs to Keystream / Crypt should be multiples of this).
Definition: chacha20.h:37

ChaCha20
Unrestricted ChaCha20 cipher.
Definition: chacha20.h:89

FSChaCha20Poly1305::NextPacket
void NextPacket() noexcept
Update counters (and if necessary, key) to transition to the next message.
Definition: chacha20poly1305.cpp:125

FSChaCha20Poly1305::m_rekey_interval
const uint32_t m_rekey_interval
Every how many iterations this cipher rekeys.
Definition: chacha20poly1305.h:105

FSChaCha20Poly1305::Decrypt
bool Decrypt(Span< const std::byte > cipher, Span< const std::byte > aad, Span< std::byte > plain) noexcept
Decrypt a message with a specified aad.
Definition: chacha20poly1305.h:164

FSChaCha20Poly1305::m_packet_counter
uint32_t m_packet_counter
The number of encryptions/decryptions since the last rekey.
Definition: chacha20poly1305.h:108

FSChaCha20Poly1305::m_aead
AEADChaCha20Poly1305 m_aead
Internal AEAD.
Definition: chacha20poly1305.h:102

FSChaCha20Poly1305::KEYLEN
static constexpr auto KEYLEN
Length of keys expected by the constructor.
Definition: chacha20poly1305.h:121

FSChaCha20Poly1305::m_rekey_counter
uint64_t m_rekey_counter
The number of rekeys performed so far.
Definition: chacha20poly1305.h:111

FSChaCha20Poly1305::Encrypt
void Encrypt(Span< const std::byte > plain, Span< const std::byte > aad, Span< std::byte > cipher) noexcept
Encrypt a message with a specified aad.
Definition: chacha20poly1305.h:145

Poly1305
C++ wrapper with std::byte Span interface around poly1305_donna code.
Definition: poly1305.h:38

Poly1305::KEYLEN
static constexpr unsigned KEYLEN
Length of the keys expected by the constructor.
Definition: poly1305.h:46

Poly1305::TAGLEN
static constexpr unsigned TAGLEN
Length of the output produced by Finalize().
Definition: poly1305.h:43

Span
A Span is an object that can refer to a contiguous sequence of objects.
Definition: span.h:94

Span::first
CONSTEXPR_IF_NOT_DEBUG Span< C > first(std::size_t count) const noexcept
Definition: span.h:228

memory_cleanse
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14

cleanse.h

common.h

WriteLE64
static void WriteLE64(uint8_t *ptr, uint64_t x)
Definition: common.h:45

poly1305.h

span.h

UCharCast
uint8_t * UCharCast(char *c)
Definition: span.h:310

assert
assert(!tx.IsCoinBase())