Bitcoin Core  0.19.99
P2P Digital Currency
chacha_poly_aead.cpp
Go to the documentation of this file.
1 // Copyright (c) 2019 The Bitcoin Core developers
2 // Distributed under the MIT software license, see the accompanying
3 // file COPYING or http://www.opensource.org/licenses/mit-license.php.
4 
6 
7 #include <crypto/poly1305.h>
8 #include <support/cleanse.h>
9 
10 #include <assert.h>
11 #include <string.h>
12 
13 #include <cstdio>
14 #include <limits>
15 
16 #ifndef HAVE_TIMINGSAFE_BCMP
17 
18 int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n)
19 {
20  const unsigned char *p1 = b1, *p2 = b2;
21  int ret = 0;
22 
23  for (; n > 0; n--)
24  ret |= *p1++ ^ *p2++;
25  return (ret != 0);
26 }
27 
28 #endif // TIMINGSAFE_BCMP
29 
30 ChaCha20Poly1305AEAD::ChaCha20Poly1305AEAD(const unsigned char* K_1, size_t K_1_len, const unsigned char* K_2, size_t K_2_len)
31 {
32  assert(K_1_len == CHACHA20_POLY1305_AEAD_KEY_LEN);
33  assert(K_2_len == CHACHA20_POLY1305_AEAD_KEY_LEN);
36 
37  // set the cached sequence number to uint64 max which hints for an unset cache.
38  // we can't hit uint64 max since the rekey rule (which resets the sequence number) is 1GB
39  m_cached_aad_seqnr = std::numeric_limits<uint64_t>::max();
40 }
41 
42 bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int aad_pos, unsigned char* dest, size_t dest_len /* length of the output buffer for sanity checks */, const unsigned char* src, size_t src_len, bool is_encrypt)
43 {
44  // check buffer boundaries
45  if (
46  // if we encrypt, make sure the source contains at least the expected AAD and the destination has at least space for the source + MAC
47  (is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + POLY1305_TAGLEN)) ||
48  // if we decrypt, make sure the source contains at least the expected AAD+MAC and the destination has at least space for the source - MAC
49  (!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN || dest_len < src_len - POLY1305_TAGLEN))) {
50  return false;
51  }
52 
53  unsigned char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
54  memset(poly_key, 0, sizeof(poly_key));
55  m_chacha_main.SetIV(seqnr_payload);
56 
57  // block counter 0 for the poly1305 key
58  // use lower 32bytes for the poly1305 key
59  // (throws away 32 unused bytes (upper 32) from this ChaCha20 round)
61  m_chacha_main.Crypt(poly_key, poly_key, sizeof(poly_key));
62 
63  // if decrypting, verify the tag prior to decryption
64  if (!is_encrypt) {
65  const unsigned char* tag = src + src_len - POLY1305_TAGLEN;
66  poly1305_auth(expected_tag, src, src_len - POLY1305_TAGLEN, poly_key);
67 
68  // constant time compare the calculated MAC with the provided MAC
69  if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
70  memory_cleanse(expected_tag, sizeof(expected_tag));
71  memory_cleanse(poly_key, sizeof(poly_key));
72  return false;
73  }
74  memory_cleanse(expected_tag, sizeof(expected_tag));
75  // MAC has been successfully verified, make sure we don't covert it in decryption
76  src_len -= POLY1305_TAGLEN;
77  }
78 
79  // calculate and cache the next 64byte keystream block if requested sequence number is not yet the cache
80  if (m_cached_aad_seqnr != seqnr_aad) {
81  m_cached_aad_seqnr = seqnr_aad;
82  m_chacha_header.SetIV(seqnr_aad);
85  }
86  // crypt the AAD (3 bytes message length) with given position in AAD cipher instance keystream
87  dest[0] = src[0] ^ m_aad_keystream_buffer[aad_pos];
88  dest[1] = src[1] ^ m_aad_keystream_buffer[aad_pos + 1];
89  dest[2] = src[2] ^ m_aad_keystream_buffer[aad_pos + 2];
90 
91  // Set the playload ChaCha instance block counter to 1 and crypt the payload
94 
95  // If encrypting, calculate and append tag
96  if (is_encrypt) {
97  // the poly1305 tag expands over the AAD (3 bytes length) & encrypted payload
98  poly1305_auth(dest + src_len, dest, src_len, poly_key);
99  }
100 
101  // cleanse no longer required MAC and polykey
102  memory_cleanse(poly_key, sizeof(poly_key));
103  return true;
104 }
105 
106 bool ChaCha20Poly1305AEAD::GetLength(uint32_t* len24_out, uint64_t seqnr_aad, int aad_pos, const uint8_t* ciphertext)
107 {
108  // enforce valid aad position to avoid accessing outside of the 64byte keystream cache
109  // (there is space for 21 times 3 bytes)
110  assert(aad_pos >= 0 && aad_pos < CHACHA20_ROUND_OUTPUT - CHACHA20_POLY1305_AEAD_AAD_LEN);
111  if (m_cached_aad_seqnr != seqnr_aad) {
112  // we need to calculate the 64 keystream bytes since we reached a new aad sequence number
113  m_cached_aad_seqnr = seqnr_aad;
114  m_chacha_header.SetIV(seqnr_aad); // use LE for the nonce
115  m_chacha_header.Seek(0); // block counter 0
116  m_chacha_header.Keystream(m_aad_keystream_buffer, CHACHA20_ROUND_OUTPUT); // write keystream to the cache
117  }
118 
119  // decrypt the ciphertext length by XORing the right position of the 64byte keystream cache with the ciphertext
120  *len24_out = (ciphertext[0] ^ m_aad_keystream_buffer[aad_pos + 0]) |
121  (ciphertext[1] ^ m_aad_keystream_buffer[aad_pos + 1]) << 8 |
122  (ciphertext[2] ^ m_aad_keystream_buffer[aad_pos + 2]) << 16;
123 
124  return true;
125 }
#define POLY1305_TAGLEN
Definition: poly1305.h:12
void Crypt(const unsigned char *input, unsigned char *output, size_t bytes)
enciphers the message <input> of length <bytes> and write the enciphered representation into <output>...
Definition: chacha20.cpp:182
bool GetLength(uint32_t *len24_out, uint64_t seqnr_aad, int aad_pos, const uint8_t *ciphertext)
decrypts the 3 bytes AAD data and decodes it into a uint32_t field
static constexpr int CHACHA20_POLY1305_AEAD_KEY_LEN
ChaCha20Poly1305AEAD(const unsigned char *K_1, size_t K_1_len, const unsigned char *K_2, size_t K_2_len)
int timingsafe_bcmp(const unsigned char *b1, const unsigned char *b2, size_t n)
void memory_cleanse(void *ptr, size_t len)
Secure overwrite a buffer (possibly containing secret data) with zero-bytes.
Definition: cleanse.cpp:14
void poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen, const unsigned char key[POLY1305_KEYLEN])
Definition: poly1305.cpp:15
static constexpr int CHACHA20_POLY1305_AEAD_AAD_LEN
bool Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int aad_pos, unsigned char *dest, size_t dest_len, const unsigned char *src, size_t src_len, bool is_encrypt)
Encrypts/decrypts a packet seqnr_payload, the message sequence number seqnr_aad, the messages AAD seq...
void Seek(uint64_t pos)
Definition: chacha20.cpp:68
void Keystream(unsigned char *c, size_t bytes)
outputs the keystream of size <bytes> into
Definition: chacha20.cpp:74
unsigned char m_aad_keystream_buffer[CHACHA20_ROUND_OUTPUT]
static constexpr int CHACHA20_ROUND_OUTPUT
void SetKey(const unsigned char *key, size_t keylen)
set key with flexible keylength; 256bit recommended */
Definition: chacha20.cpp:24
void SetIV(uint64_t iv)
Definition: chacha20.cpp:62
#define POLY1305_KEYLEN
Definition: poly1305.h:11