Line data Source code
1 : // Copyright (c) 2023 The Bitcoin Core developers
2 : // Distributed under the MIT software license, see the accompanying
3 : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 :
5 : #include <crypto/chacha20poly1305.h>
6 :
7 : #include <crypto/common.h>
8 : #include <crypto/chacha20.h>
9 : #include <crypto/poly1305.h>
10 : #include <span.h>
11 : #include <support/cleanse.h>
12 :
13 : #include <assert.h>
14 : #include <cstddef>
15 :
16 1168 : AEADChaCha20Poly1305::AEADChaCha20Poly1305(Span<const std::byte> key) noexcept : m_chacha20(key)
17 584 : {
18 584 : assert(key.size() == KEYLEN);
19 1168 : }
20 :
21 6050 : void AEADChaCha20Poly1305::SetKey(Span<const std::byte> key) noexcept
22 : {
23 6050 : assert(key.size() == KEYLEN);
24 6050 : m_chacha20.SetKey(key);
25 6050 : }
26 :
27 : namespace {
28 :
29 715716 : int timingsafe_bcmp_internal(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept
30 : {
31 715716 : const unsigned char *p1 = b1, *p2 = b2;
32 715716 : int ret = 0;
33 12167172 : for (; n > 0; n--)
34 11451456 : ret |= *p1++ ^ *p2++;
35 715716 : return (ret != 0);
36 : }
37 :
38 : /** Compute poly1305 tag. chacha20 must be set to the right nonce, block 0. Will be at block 1 after. */
39 1373415 : void ComputeTag(ChaCha20& chacha20, Span<const std::byte> aad, Span<const std::byte> cipher, Span<std::byte> tag) noexcept
40 : {
41 : static const std::byte PADDING[16] = {{}};
42 :
43 : // Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).
44 : std::byte first_block[ChaCha20Aligned::BLOCKLEN];
45 1373415 : chacha20.Keystream(first_block);
46 :
47 : // Use the first 32 bytes of the first keystream block as poly1305 key.
48 1373415 : Poly1305 poly1305{Span{first_block}.first(Poly1305::KEYLEN)};
49 :
50 : // Compute tag:
51 : // - Process the padded AAD with Poly1305.
52 1373415 : const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;
53 1373415 : poly1305.Update(aad).Update(Span{PADDING}.first(aad_padding_length));
54 : // - Process the padded ciphertext with Poly1305.
55 1373415 : const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;
56 1373415 : poly1305.Update(cipher).Update(Span{PADDING}.first(cipher_padding_length));
57 : // - Process the AAD and plaintext length with Poly1305.
58 : std::byte length_desc[Poly1305::TAGLEN];
59 1373415 : WriteLE64(UCharCast(length_desc), aad.size());
60 1373415 : WriteLE64(UCharCast(length_desc + 8), cipher.size());
61 1373415 : poly1305.Update(length_desc);
62 :
63 : // Output tag.
64 1373415 : poly1305.Finalize(tag);
65 1373415 : }
66 :
67 : } // namespace
68 :
69 657699 : void AEADChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept
70 : {
71 657699 : assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
72 :
73 : // Encrypt using ChaCha20 (starting at block 1).
74 657699 : m_chacha20.Seek(nonce, 1);
75 657699 : m_chacha20.Crypt(plain1, cipher.first(plain1.size()));
76 657699 : m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));
77 :
78 : // Seek to block 0, and compute tag using key drawn from there.
79 657699 : m_chacha20.Seek(nonce, 0);
80 657699 : ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));
81 657699 : }
82 :
83 715716 : bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept
84 : {
85 715716 : assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
86 :
87 : // Verify tag (using key drawn from block 0).
88 715716 : m_chacha20.Seek(nonce, 0);
89 : std::byte expected_tag[EXPANSION];
90 715716 : ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);
91 715716 : if (timingsafe_bcmp_internal(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;
92 :
93 : // Decrypt (starting at block 1).
94 89361 : m_chacha20.Crypt(cipher.first(plain1.size()), plain1);
95 89361 : m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);
96 89361 : return true;
97 715716 : }
98 :
99 6054 : void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept
100 : {
101 : // Skip the first output block, as it's used for generating the poly1305 key.
102 6054 : m_chacha20.Seek(nonce, 1);
103 6054 : m_chacha20.Keystream(keystream);
104 6054 : }
105 :
106 1373335 : void FSChaCha20Poly1305::NextPacket() noexcept
107 : {
108 1373335 : if (++m_packet_counter == m_rekey_interval) {
109 : // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
110 : // we only need KEYLEN (32) bytes.
111 : std::byte one_block[ChaCha20Aligned::BLOCKLEN];
112 6050 : m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
113 : // Switch keys.
114 6050 : m_aead.SetKey(Span{one_block}.first(KEYLEN));
115 : // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
116 : // once it cycles again, or is destroyed).
117 6050 : memory_cleanse(one_block, sizeof(one_block));
118 : // Update counters.
119 6050 : m_packet_counter = 0;
120 6050 : ++m_rekey_counter;
121 6050 : }
122 1373335 : }
123 :
124 657659 : void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept
125 : {
126 657659 : m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);
127 657659 : NextPacket();
128 657659 : }
129 :
130 715676 : bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept
131 : {
132 715676 : bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);
133 715676 : NextPacket();
134 715676 : return ret;
135 : }
|
