Bitcoin Core  24.99.0
P2P Digital Currency
chacha_poly_aead.cpp
Go to the documentation of this file.
1 // Copyright (c) 2019-2022 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
5 #if defined(HAVE_CONFIG_H)
7 #endif
8 
10 
11 #include <crypto/poly1305.h>
12 #include <support/cleanse.h>
13 
14 #include <assert.h>
15 #include <string.h>
16 
17 #include <cstdio>
18 #include <limits>
19 
20 #ifndef HAVE_TIMINGSAFE_BCMP
21 
22 int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n)
23 {
24  const unsigned char *p1 = b1, *p2 = b2;
25  int ret = 0;
26 
27  for (; n > 0; n--)
28  ret |= *p1++ ^ *p2++;
29  return (ret != 0);
30 }
31 
32 #endif // TIMINGSAFE_BCMP
33 
34 ChaCha20Poly1305AEAD::ChaCha20Poly1305AEAD(const unsigned char* K_1, size_t K_1_len, const unsigned char* K_2, size_t K_2_len)
35 {
38 
41 
42  // set the cached sequence number to uint64 max which hints for an unset cache.
43  // we can't hit uint64 max since the rekey rule (which resets the sequence number) is 1GB
44  m_cached_aad_seqnr = std::numeric_limits<uint64_t>::max();
45 }
46 
47 bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int aad_pos, unsigned char* dest, size_t dest_len /* length of the output buffer for sanity checks */, const unsigned char* src, size_t src_len, bool is_encrypt)
48 {
49  // check buffer boundaries
50  if (
51  // if we encrypt, make sure the source contains at least the expected AAD and the destination has at least space for the source + MAC
52  (is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + POLY1305_TAGLEN)) ||
53  // if we decrypt, make sure the source contains at least the expected AAD+MAC and the destination has at least space for the source - MAC
54  (!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN || dest_len < src_len - POLY1305_TAGLEN))) {
55  return false;
56  }
57 
58  unsigned char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
59  memset(poly_key, 0, sizeof(poly_key));
60  m_chacha_main.SetIV(seqnr_payload);
61 
62  // block counter 0 for the poly1305 key
63  // use lower 32bytes for the poly1305 key
64  // (throws away 32 unused bytes (upper 32) from this ChaCha20 round)
66  m_chacha_main.Crypt(poly_key, poly_key, sizeof(poly_key));
67 
68  // if decrypting, verify the tag prior to decryption
69  if (!is_encrypt) {
70  const unsigned char* tag = src + src_len - POLY1305_TAGLEN;
71  poly1305_auth(expected_tag, src, src_len - POLY1305_TAGLEN, poly_key);
72 
73  // constant time compare the calculated MAC with the provided MAC
74  if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
75  memory_cleanse(expected_tag, sizeof(expected_tag));
76  memory_cleanse(poly_key, sizeof(poly_key));
77  return false;
78  }
79  memory_cleanse(expected_tag, sizeof(expected_tag));
80  // MAC has been successfully verified, make sure we don't convert it in decryption
81  src_len -= POLY1305_TAGLEN;
82  }
83 
84  // calculate and cache the next 64byte keystream block if requested sequence number is not yet the cache
85  if (m_cached_aad_seqnr != seqnr_aad) {
86  m_cached_aad_seqnr = seqnr_aad;
87  m_chacha_header.SetIV(seqnr_aad);
90  }
91  // crypt the AAD (3 bytes message length) with given position in AAD cipher instance keystream
92  dest[0] = src[0] ^ m_aad_keystream_buffer[aad_pos];
93  dest[1] = src[1] ^ m_aad_keystream_buffer[aad_pos + 1];
94  dest[2] = src[2] ^ m_aad_keystream_buffer[aad_pos + 2];
95 
96  // Set the playload ChaCha instance block counter to 1 and crypt the payload
99 
100  // If encrypting, calculate and append tag
101  if (is_encrypt) {
102  // the poly1305 tag expands over the AAD (3 bytes length) & encrypted payload
103  poly1305_auth(dest + src_len, dest, src_len, poly_key);
104  }
105 
106  // cleanse no longer required MAC and polykey
107  memory_cleanse(poly_key, sizeof(poly_key));
108  return true;
109 }
110 
111 bool ChaCha20Poly1305AEAD::GetLength(uint32_t* len24_out, uint64_t seqnr_aad, int aad_pos, const uint8_t* ciphertext)
112 {
113  // enforce valid aad position to avoid accessing outside of the 64byte keystream cache
114  // (there is space for 21 times 3 bytes)
115  assert(aad_pos >= 0 && aad_pos < CHACHA20_ROUND_OUTPUT - CHACHA20_POLY1305_AEAD_AAD_LEN);
116  if (m_cached_aad_seqnr != seqnr_aad) {
117  // we need to calculate the 64 keystream bytes since we reached a new aad sequence number
118  m_cached_aad_seqnr = seqnr_aad;
119  m_chacha_header.SetIV(seqnr_aad); // use LE for the nonce
120  m_chacha_header.Seek(0); // block counter 0
121  m_chacha_header.Keystream(m_aad_keystream_buffer, CHACHA20_ROUND_OUTPUT); // write keystream to the cache
122  }
123 
124  // decrypt the ciphertext length by XORing the right position of the 64byte keystream cache with the ciphertext
125  *len24_out = (ciphertext[0] ^ m_aad_keystream_buffer[aad_pos + 0]) |
126  (ciphertext[1] ^ m_aad_keystream_buffer[aad_pos + 1]) << 8 |
127  (ciphertext[2] ^ m_aad_keystream_buffer[aad_pos + 2]) << 16;
128 
129  return true;
130 }
int ret
static constexpr int CHACHA20_POLY1305_AEAD_KEY_LEN
static constexpr int CHACHA20_POLY1305_AEAD_AAD_LEN
static constexpr int CHACHA20_ROUND_OUTPUT
void Keystream(unsigned char *c, size_t bytes)
outputs the keystream of size <bytes> into
Definition: chacha20.cpp:76
void SetIV(uint64_t iv)
Definition: chacha20.cpp:64
void Crypt(const unsigned char *input, unsigned char *output, size_t bytes)
enciphers the message <input> of length <bytes> and write the enciphered representation into <output>...
Definition: chacha20.cpp:187
void Seek(uint64_t pos)
Definition: chacha20.cpp:70
void SetKey(const unsigned char *key, size_t keylen)
set key with flexible keylength; 256bit recommended *‍/
Definition: chacha20.cpp:26
bool Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int aad_pos, unsigned char *dest, size_t dest_len, const unsigned char *src, size_t src_len, bool is_encrypt)
Encrypts/decrypts a packet seqnr_payload, the message sequence number seqnr_aad, the messages AAD seq...
bool GetLength(uint32_t *len24_out, uint64_t seqnr_aad, int aad_pos, const uint8_t *ciphertext)
decrypts the 3 bytes AAD data and decodes it into a uint32_t field
ChaCha20Poly1305AEAD(const unsigned char *K_1, size_t K_1_len, const unsigned char *K_2, size_t K_2_len)
unsigned char m_aad_keystream_buffer[CHACHA20_ROUND_OUTPUT]
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14
int timingsafe_bcmp(const unsigned char *b1, const unsigned char *b2, size_t n)
void poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN])
Definition: poly1305.cpp:15
#define POLY1305_KEYLEN
Definition: poly1305.h:11
#define POLY1305_TAGLEN
Definition: poly1305.h:12
assert(!tx.IsCoinBase())