Core-master/chacha20poly1305_8cpp_source.html

 // Copyright (c) 2023 The Bitcoin Core developers

 // Distributed under the MIT software license, see the accompanying

 // file COPYING or http://www.opensource.org/licenses/mit-license.php.


 #include <crypto/chacha20poly1305.h>


 #include <crypto/common.h>

 #include <crypto/chacha20.h>

 #include <crypto/poly1305.h>

 #include <span.h>

 #include <support/cleanse.h>


 #include <assert.h>

 #include <cstddef>


 AEADChaCha20Poly1305::AEADChaCha20Poly1305(Span<const std::byte> key) noexcept : m_chacha20(key)

 {

     assert(key.size() == KEYLEN);

 }


 void AEADChaCha20Poly1305::SetKey(Span<const std::byte> key) noexcept

 {

     assert(key.size() == KEYLEN);

     m_chacha20.SetKey(key);

 }


 namespace {


 #ifndef HAVE_TIMINGSAFE_BCMP

 #define HAVE_TIMINGSAFE_BCMP


 int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept

 {

     const unsigned char *p1 = b1, *p2 = b2;

     int ret = 0;

     for (; n > 0; n--)

         ret |= *p1++ ^ *p2++;

     return (ret != 0);

 }


 #endif


 void ComputeTag(ChaCha20& chacha20, Span<const std::byte> aad, Span<const std::byte> cipher, Span<std::byte> tag) noexcept

 {

     static const std::byte PADDING[16] = {{}};


     // Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).

     std::byte first_block[ChaCha20Aligned::BLOCKLEN];

     chacha20.Keystream(first_block);


     // Use the first 32 bytes of the first keystream block as poly1305 key.

     Poly1305 poly1305{Span{first_block}.first(Poly1305::KEYLEN)};


     // Compute tag:

     // - Process the padded AAD with Poly1305.

     const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;

     poly1305.Update(aad).Update(Span{PADDING}.first(aad_padding_length));

     // - Process the padded ciphertext with Poly1305.

     const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;

     poly1305.Update(cipher).Update(Span{PADDING}.first(cipher_padding_length));

     // - Process the AAD and plaintext length with Poly1305.

     std::byte length_desc[Poly1305::TAGLEN];

     WriteLE64(UCharCast(length_desc), aad.size());

     WriteLE64(UCharCast(length_desc + 8), cipher.size());

     poly1305.Update(length_desc);


     // Output tag.

     poly1305.Finalize(tag);

 }


 } // namespace


 void AEADChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept

 {

     assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);


     // Encrypt using ChaCha20 (starting at block 1).

     m_chacha20.Seek(nonce, 1);

     m_chacha20.Crypt(plain1, cipher.first(plain1.size()));

     m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));


     // Seek to block 0, and compute tag using key drawn from there.

     m_chacha20.Seek(nonce, 0);

     ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));

 }


 bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept

 {

     assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);


     // Verify tag (using key drawn from block 0).

     m_chacha20.Seek(nonce, 0);

     std::byte expected_tag[EXPANSION];

     ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);

     if (timingsafe_bcmp(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;


     // Decrypt (starting at block 1).

     m_chacha20.Crypt(cipher.first(plain1.size()), plain1);

     m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);

     return true;

 }


 void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept

 {

     // Skip the first output block, as it's used for generating the poly1305 key.

     m_chacha20.Seek(nonce, 1);

     m_chacha20.Keystream(keystream);

 }


 void FSChaCha20Poly1305::NextPacket() noexcept

 {

     if (++m_packet_counter == m_rekey_interval) {

         // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though

         // we only need KEYLEN (32) bytes.

         std::byte one_block[ChaCha20Aligned::BLOCKLEN];

         m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);

         // Switch keys.

         m_aead.SetKey(Span{one_block}.first(KEYLEN));

         // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up

         // once it cycles again, or is destroyed).

         memory_cleanse(one_block, sizeof(one_block));

         // Update counters.

         m_packet_counter = 0;

         ++m_rekey_counter;

     }

 }


 void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept

 {

     m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);

     NextPacket();

 }


 bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept

 {

     bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);

     NextPacket();

     return ret;

 }

ret
int ret
Definition: bitcoin-cli.cpp:1264

chacha20.h

chacha20poly1305.h

AEADChaCha20Poly1305::AEADChaCha20Poly1305
AEADChaCha20Poly1305(Span< const std::byte > key) noexcept
Initialize an AEAD instance with a specified 32-byte key.
Definition: chacha20poly1305.cpp:16

AEADChaCha20Poly1305::Nonce96
ChaCha20::Nonce96 Nonce96
96-bit nonce type.
Definition: chacha20poly1305.h:35

AEADChaCha20Poly1305::Encrypt
void Encrypt(Span< const std::byte > plain, Span< const std::byte > aad, Nonce96 nonce, Span< std::byte > cipher) noexcept
Encrypt a message with a specified 96-bit nonce and aad.
Definition: chacha20poly1305.h:41

AEADChaCha20Poly1305::SetKey
void SetKey(Span< const std::byte > key) noexcept
Switch to another 32-byte key.
Definition: chacha20poly1305.cpp:21

AEADChaCha20Poly1305::Decrypt
bool Decrypt(Span< const std::byte > cipher, Span< const std::byte > aad, Nonce96 nonce, Span< std::byte > plain) noexcept
Decrypt a message with a specified 96-bit nonce and aad.
Definition: chacha20poly1305.h:56

AEADChaCha20Poly1305::Keystream
void Keystream(Nonce96 nonce, Span< std::byte > keystream) noexcept
Get a number of keystream bytes from the underlying stream cipher.
Definition: chacha20poly1305.cpp:104

ChaCha20Aligned::BLOCKLEN
static constexpr unsigned BLOCKLEN
Block size (inputs/outputs to Keystream / Crypt should be multiples of this).
Definition: chacha20.h:35

ChaCha20
Unrestricted ChaCha20 cipher.
Definition: chacha20.h:78

FSChaCha20Poly1305::NextPacket
void NextPacket() noexcept
Update counters (and if necessary, key) to transition to the next message.
Definition: chacha20poly1305.cpp:111

FSChaCha20Poly1305::m_rekey_interval
const uint32_t m_rekey_interval
Every how many iterations this cipher rekeys.
Definition: chacha20poly1305.h:89

FSChaCha20Poly1305::Decrypt
bool Decrypt(Span< const std::byte > cipher, Span< const std::byte > aad, Span< std::byte > plain) noexcept
Decrypt a message with a specified aad.
Definition: chacha20poly1305.h:136

FSChaCha20Poly1305::m_packet_counter
uint32_t m_packet_counter
The number of encryptions/decryptions since the last rekey.
Definition: chacha20poly1305.h:92

FSChaCha20Poly1305::m_aead
AEADChaCha20Poly1305 m_aead
Internal AEAD.
Definition: chacha20poly1305.h:86

FSChaCha20Poly1305::KEYLEN
static constexpr auto KEYLEN
Length of keys expected by the constructor.
Definition: chacha20poly1305.h:102

FSChaCha20Poly1305::m_rekey_counter
uint64_t m_rekey_counter
The number of rekeys performed so far.
Definition: chacha20poly1305.h:95

FSChaCha20Poly1305::Encrypt
void Encrypt(Span< const std::byte > plain, Span< const std::byte > aad, Span< std::byte > cipher) noexcept
Encrypt a message with a specified aad.
Definition: chacha20poly1305.h:121

Poly1305
C++ wrapper with std::byte Span interface around poly1305_donna code.
Definition: poly1305.h:38

Poly1305::KEYLEN
static constexpr unsigned KEYLEN
Length of the keys expected by the constructor.
Definition: poly1305.h:46

Poly1305::TAGLEN
static constexpr unsigned TAGLEN
Length of the output produced by Finalize().
Definition: poly1305.h:43

Span< const std::byte >

Span::first
CONSTEXPR_IF_NOT_DEBUG Span< C > first(std::size_t count) const noexcept
Definition: span.h:204

memory_cleanse
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14

cleanse.h

common.h

WriteLE64
static void WriteLE64(unsigned char *ptr, uint64_t x)
Definition: common.h:50

nonce
unsigned int nonce
Definition: miner_tests.cpp:72

poly1305.h

span.h

UCharCast
unsigned char * UCharCast(char *c)
Definition: span.h:270

assert
assert(!tx.IsCoinBase())