/tmp/bitcoin/src/crypto/chacha20poly1305.cpp

Source
// Copyright (c) 2023-present The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#include <crypto/chacha20poly1305.h>

#include <crypto/chacha20.h>
#include <crypto/common.h>
#include <crypto/poly1305.h>
#include <span.h>
#include <support/cleanse.h>

#include <cassert>
#include <cstddef>

AEADChaCha20Poly1305::AEADChaCha20Poly1305(std::span<const std::byte> key) noexcept : m_chacha20(key)
{
    assert(key.size() == KEYLEN);
}

void AEADChaCha20Poly1305::SetKey(std::span<const std::byte> key) noexcept
{
    assert(key.size() == KEYLEN);
    m_chacha20.SetKey(key);
}

namespace {

int timingsafe_bcmp_internal(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept
{
    const unsigned char *p1 = b1, *p2 = b2;
    int ret = 0;
    for (; n > 0; n--)
        ret |= *p1++ ^ *p2++;
    return (ret != 0);
}

/** Compute poly1305 tag. chacha20 must be set to the right nonce, block 0. Will be at block 1 after. */
void ComputeTag(ChaCha20& chacha20, std::span<const std::byte> aad, std::span<const std::byte> cipher, std::span<std::byte> tag) noexcept
{
    static const std::byte PADDING[16] = {{}};

    // Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).
    std::byte first_block[ChaCha20Aligned::BLOCKLEN];
    chacha20.Keystream(first_block);

    // Use the first 32 bytes of the first keystream block as poly1305 key.
    Poly1305 poly1305{std::span{first_block}.first(Poly1305::KEYLEN)};

    // Compute tag:
    // - Process the padded AAD with Poly1305.
    const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;
    poly1305.Update(aad).Update(std::span{PADDING}.first(aad_padding_length));
    // - Process the padded ciphertext with Poly1305.
    const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;
    poly1305.Update(cipher).Update(std::span{PADDING}.first(cipher_padding_length));
    // - Process the AAD and plaintext length with Poly1305.
    std::byte length_desc[Poly1305::TAGLEN];
    WriteLE64(length_desc, aad.size());
    WriteLE64(length_desc + 8, cipher.size());
    poly1305.Update(length_desc);

    // Output tag.
    poly1305.Finalize(tag);
}

} // namespace

void AEADChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> cipher) noexcept
{
    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);

    // Encrypt using ChaCha20 (starting at block 1).
    m_chacha20.Seek(nonce, 1);
    m_chacha20.Crypt(plain1, cipher.first(plain1.size()));
    m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));

    // Seek to block 0, and compute tag using key drawn from there.
    m_chacha20.Seek(nonce, 0);
    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));
}

bool AEADChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept
{
    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);

    // Verify tag (using key drawn from block 0).
    m_chacha20.Seek(nonce, 0);
    std::byte expected_tag[EXPANSION];
    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);
    if (timingsafe_bcmp_internal(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;

    // Decrypt (starting at block 1).
    m_chacha20.Crypt(cipher.first(plain1.size()), plain1);
    m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);
    return true;
}

void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, std::span<std::byte> keystream) noexcept
{
    // Skip the first output block, as it's used for generating the poly1305 key.
    m_chacha20.Seek(nonce, 1);
    m_chacha20.Keystream(keystream);
}

void FSChaCha20Poly1305::NextPacket() noexcept
{
    if (++m_packet_counter == m_rekey_interval) {
        // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
        // we only need KEYLEN (32) bytes.
        std::byte one_block[ChaCha20Aligned::BLOCKLEN];
        m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
        // Switch keys.
        m_aead.SetKey(std::span{one_block}.first(KEYLEN));
        // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
        // once it cycles again, or is destroyed).
        memory_cleanse(one_block, sizeof(one_block));
        // Update counters.
        m_packet_counter = 0;
        ++m_rekey_counter;
    }
}

void FSChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, std::span<std::byte> cipher) noexcept
{
    m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);
    NextPacket();
}

bool FSChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept
{
    bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);
    NextPacket();
    return ret;
}

Line	Count	Source
1		// Copyright (c) 2023-present The Bitcoin Core developers
2		// Distributed under the MIT software license, see the accompanying
3		// file COPYING or http://www.opensource.org/licenses/mit-license.php.
4
5		#include <crypto/chacha20poly1305.h>
6
7		#include <crypto/chacha20.h>
8		#include <crypto/common.h>
9		#include <crypto/poly1305.h>
10		#include <span.h>
11		#include <support/cleanse.h>
12
13		#include <cassert>
14		#include <cstddef>
15
16	908	AEADChaCha20Poly1305::AEADChaCha20Poly1305(std::span<const std::byte> key) noexcept : m_chacha20(key)
17	908	{
18	908	assert(key.size() == KEYLEN);
19	908	}
20
21		void AEADChaCha20Poly1305::SetKey(std::span<const std::byte> key) noexcept
22	6.19k	{
23	6.19k	assert(key.size() == KEYLEN);
24	6.19k	m_chacha20.SetKey(key);
25	6.19k	}
26
27		namespace {
28
29		int timingsafe_bcmp_internal(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept
30	749k	{
31	749k	const unsigned char p1 = b1, p2 = b2;
32	749k	int ret = 0;
33	12.7M	for (; n > 0; n--)
34	11.9M	ret \|= p1++ ^ p2++;
35	749k	return (ret != 0);
36	749k	}
37
38		/** Compute poly1305 tag. chacha20 must be set to the right nonce, block 0. Will be at block 1 after. */
39		void ComputeTag(ChaCha20& chacha20, std::span<const std::byte> aad, std::span<const std::byte> cipher, std::span<std::byte> tag) noexcept
40	1.42M	{
41	1.42M	static const std::byte PADDING[16] = {{}};
42
43		// Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).
44	1.42M	std::byte first_block[ChaCha20Aligned::BLOCKLEN];
45	1.42M	chacha20.Keystream(first_block);
46
47		// Use the first 32 bytes of the first keystream block as poly1305 key.
48	1.42M	Poly1305 poly1305{std::span{first_block}.first(Poly1305::KEYLEN)};
49
50		// Compute tag:
51		// - Process the padded AAD with Poly1305.
52	1.42M	const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;
53	1.42M	poly1305.Update(aad).Update(std::span{PADDING}.first(aad_padding_length));
54		// - Process the padded ciphertext with Poly1305.
55	1.42M	const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;
56	1.42M	poly1305.Update(cipher).Update(std::span{PADDING}.first(cipher_padding_length));
57		// - Process the AAD and plaintext length with Poly1305.
58	1.42M	std::byte length_desc[Poly1305::TAGLEN];
59	1.42M	WriteLE64(length_desc, aad.size());
60	1.42M	WriteLE64(length_desc + 8, cipher.size());
61	1.42M	poly1305.Update(length_desc);
62
63		// Output tag.
64	1.42M	poly1305.Finalize(tag);
65	1.42M	}
66
67		} // namespace
68
69		void AEADChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> cipher) noexcept
70	671k	{
71	671k	assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
72
73		// Encrypt using ChaCha20 (starting at block 1).
74	671k	m_chacha20.Seek(nonce, 1);
75	671k	m_chacha20.Crypt(plain1, cipher.first(plain1.size()));
76	671k	m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));
77
78		// Seek to block 0, and compute tag using key drawn from there.
79	671k	m_chacha20.Seek(nonce, 0);
80	671k	ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));
81	671k	}
82
83		bool AEADChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, Nonce96 nonce, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept
84	749k	{
85	749k	assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);
86
87		// Verify tag (using key drawn from block 0).
88	749k	m_chacha20.Seek(nonce, 0);
89	749k	std::byte expected_tag[EXPANSION];
90	749k	ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);
91	749k	if (timingsafe_bcmp_internal(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;
92
93		// Decrypt (starting at block 1).
94	102k	m_chacha20.Crypt(cipher.first(plain1.size()), plain1);
95	102k	m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);
96	102k	return true;
97	749k	}
98
99		void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, std::span<std::byte> keystream) noexcept
100	6.20k	{
101		// Skip the first output block, as it's used for generating the poly1305 key.
102	6.20k	m_chacha20.Seek(nonce, 1);
103	6.20k	m_chacha20.Keystream(keystream);
104	6.20k	}
105
106		void FSChaCha20Poly1305::NextPacket() noexcept
107	1.42M	{
108	1.42M	if (++m_packet_counter == m_rekey_interval) {
109		// Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
110		// we only need KEYLEN (32) bytes.
111	6.19k	std::byte one_block[ChaCha20Aligned::BLOCKLEN];
112	6.19k	m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
113		// Switch keys.
114	6.19k	m_aead.SetKey(std::span{one_block}.first(KEYLEN));
115		// Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
116		// once it cycles again, or is destroyed).
117	6.19k	memory_cleanse(one_block, sizeof(one_block));
118		// Update counters.
119	6.19k	m_packet_counter = 0;
120	6.19k	++m_rekey_counter;
121	6.19k	}
122	1.42M	}
123
124		void FSChaCha20Poly1305::Encrypt(std::span<const std::byte> plain1, std::span<const std::byte> plain2, std::span<const std::byte> aad, std::span<std::byte> cipher) noexcept
125	671k	{
126	671k	m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);
127	671k	NextPacket();
128	671k	}
129
130		bool FSChaCha20Poly1305::Decrypt(std::span<const std::byte> cipher, std::span<const std::byte> aad, std::span<std::byte> plain1, std::span<std::byte> plain2) noexcept
131	749k	{
132	749k	bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);
133	749k	NextPacket();
134	749k	return ret;
135	749k	}

Coverage Report

Created: 2026-04-29 19:21