bitcoin-bitcoin-core/src/crypto/chacha20poly1305.cpp

// Copyright (c) 2023 The Bitcoin Core developers
// Distributed under the MIT software license, see the accompanying
// file COPYING or http://www.opensource.org/licenses/mit-license.php.

#if defined(HAVE_CONFIG_H)
#include <config/bitcoin-config.h>
#endif

#include <crypto/chacha20poly1305.h>

#include <crypto/common.h>
#include <crypto/chacha20.h>
#include <crypto/poly1305.h>
#include <span.h>
#include <support/cleanse.h>

#include <assert.h>
#include <cstddef>

AEADChaCha20Poly1305::AEADChaCha20Poly1305(Span<const std::byte> key) noexcept : m_chacha20(key)
{
    assert(key.size() == KEYLEN);
}

void AEADChaCha20Poly1305::SetKey(Span<const std::byte> key) noexcept
{
    assert(key.size() == KEYLEN);
    m_chacha20.SetKey(key);
}

namespace {

#ifndef HAVE_TIMINGSAFE_BCMP
#define HAVE_TIMINGSAFE_BCMP

int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept
{
    const unsigned char *p1 = b1, *p2 = b2;
    int ret = 0;
    for (; n > 0; n--)
        ret |= *p1++ ^ *p2++;
    return (ret != 0);
}

#endif

/** Compute poly1305 tag. chacha20 must be set to the right nonce, block 0. Will be at block 1 after. */
void ComputeTag(ChaCha20& chacha20, Span<const std::byte> aad, Span<const std::byte> cipher, Span<std::byte> tag) noexcept
{
    static const std::byte PADDING[16] = {{}};

    // Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).
    std::byte first_block[ChaCha20Aligned::BLOCKLEN];
    chacha20.Keystream(first_block);

    // Use the first 32 bytes of the first keystream block as poly1305 key.
    Poly1305 poly1305{Span{first_block}.first(Poly1305::KEYLEN)};

    // Compute tag:
    // - Process the padded AAD with Poly1305.
    const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;
    poly1305.Update(aad).Update(Span{PADDING}.first(aad_padding_length));
    // - Process the padded ciphertext with Poly1305.
    const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;
    poly1305.Update(cipher).Update(Span{PADDING}.first(cipher_padding_length));
    // - Process the AAD and plaintext length with Poly1305.
    std::byte length_desc[Poly1305::TAGLEN];
    WriteLE64(UCharCast(length_desc), aad.size());
    WriteLE64(UCharCast(length_desc + 8), cipher.size());
    poly1305.Update(length_desc);

    // Output tag.
    poly1305.Finalize(tag);
}

} // namespace

void AEADChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept
{
    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);

    // Encrypt using ChaCha20 (starting at block 1).
    m_chacha20.Seek(nonce, 1);
    m_chacha20.Crypt(plain1, cipher.first(plain1.size()));
    m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));

    // Seek to block 0, and compute tag using key drawn from there.
    m_chacha20.Seek(nonce, 0);
    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));
}

bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept
{
    assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);

    // Verify tag (using key drawn from block 0).
    m_chacha20.Seek(nonce, 0);
    std::byte expected_tag[EXPANSION];
    ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);
    if (timingsafe_bcmp(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;

    // Decrypt (starting at block 1).
    m_chacha20.Crypt(cipher.first(plain1.size()), plain1);
    m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);
    return true;
}

void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept
{
    // Skip the first output block, as it's used for generating the poly1305 key.
    m_chacha20.Seek(nonce, 1);
    m_chacha20.Keystream(keystream);
}

void FSChaCha20Poly1305::NextPacket() noexcept
{
    if (++m_packet_counter == m_rekey_interval) {
        // Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though
        // we only need KEYLEN (32) bytes.
        std::byte one_block[ChaCha20Aligned::BLOCKLEN];
        m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);
        // Switch keys.
        m_aead.SetKey(Span{one_block}.first(KEYLEN));
        // Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up
        // once it cycles again, or is destroyed).
        memory_cleanse(one_block, sizeof(one_block));
        // Update counters.
        m_packet_counter = 0;
        ++m_rekey_counter;
    }
}

void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept
{
    m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);
    NextPacket();
}

bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept
{
    bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);
    NextPacket();
    return ret;
}
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`// Copyright (c) 2023 The Bitcoin Core developers`
			`// Distributed under the MIT software license, see the accompanying`
			`// file COPYING or http://www.opensource.org/licenses/mit-license.php.`

scripted-diff: Fix bitcoin_config_h includes -BEGIN VERIFY SCRIPT- regex_string='^(?!//).(AC_APPLE_UNIVERSAL_BUILD\|BOOST_PROCESS_USE_STD_FS\|CHAR_EQUALS_INT8\|CLIENT_VERSION_BUILD\|CLIENT_VERSION_IS_RELEASE\|CLIENT_VERSION_MAJOR\|CLIENT_VERSION_MINOR\|COPYRIGHT_HOLDERS\|COPYRIGHT_HOLDERS_FINAL\|COPYRIGHT_HOLDERS_SUBSTITUTION\|COPYRIGHT_YEAR\|ENABLE_ARM_SHANI\|ENABLE_AVX2\|ENABLE_EXTERNAL_SIGNER\|ENABLE_SSE41\|ENABLE_TRACING\|ENABLE_WALLET\|ENABLE_X86_SHANI\|ENABLE_ZMQ\|HAVE_BOOST\|HAVE_BUILTIN_CLZL\|HAVE_BUILTIN_CLZLL\|HAVE_BYTESWAP_H\|HAVE_CLMUL\|HAVE_CONSENSUS_LIB\|HAVE_CXX20\|HAVE_DECL_BE16TOH\|HAVE_DECL_BE32TOH\|HAVE_DECL_BE64TOH\|HAVE_DECL_BSWAP_16\|HAVE_DECL_BSWAP_32\|HAVE_DECL_BSWAP_64\|HAVE_DECL_FORK\|HAVE_DECL_FREEIFADDRS\|HAVE_DECL_GETIFADDRS\|HAVE_DECL_HTOBE16\|HAVE_DECL_HTOBE32\|HAVE_DECL_HTOBE64\|HAVE_DECL_HTOLE16\|HAVE_DECL_HTOLE32\|HAVE_DECL_HTOLE64\|HAVE_DECL_LE16TOH\|HAVE_DECL_LE32TOH\|HAVE_DECL_LE64TOH\|HAVE_DECL_PIPE2\|HAVE_DECL_SETSID\|HAVE_DECL_STRERROR_R\|HAVE_DEFAULT_VISIBILITY_ATTRIBUTE\|HAVE_DLFCN_H\|HAVE_DLLEXPORT_ATTRIBUTE\|HAVE_ENDIAN_H\|HAVE_EVHTTP_CONNECTION_GET_PEER_CONST_CHAR\|HAVE_FDATASYNC\|HAVE_GETENTROPY_RAND\|HAVE_GETRANDOM\|HAVE_GMTIME_R\|HAVE_INTTYPES_H\|HAVE_LIBADVAPI32\|HAVE_LIBCOMCTL32\|HAVE_LIBCOMDLG32\|HAVE_LIBGDI32\|HAVE_LIBIPHLPAPI\|HAVE_LIBKERNEL32\|HAVE_LIBOLE32\|HAVE_LIBOLEAUT32\|HAVE_LIBSHELL32\|HAVE_LIBSHLWAPI\|HAVE_LIBUSER32\|HAVE_LIBUUID\|HAVE_LIBWINMM\|HAVE_LIBWS2_32\|HAVE_MALLOC_INFO\|HAVE_MALLOPT_ARENA_MAX\|HAVE_MINIUPNPC_MINIUPNPC_H\|HAVE_MINIUPNPC_UPNPCOMMANDS_H\|HAVE_MINIUPNPC_UPNPERRORS_H\|HAVE_NATPMP_H\|HAVE_O_CLOEXEC\|HAVE_POSIX_FALLOCATE\|HAVE_PTHREAD\|HAVE_PTHREAD_PRIO_INHERIT\|HAVE_STDINT_H\|HAVE_STDIO_H\|HAVE_STDLIB_H\|HAVE_STRERROR_R\|HAVE_STRINGS_H\|HAVE_STRING_H\|HAVE_STRONG_GETAUXVAL\|HAVE_SYSCTL\|HAVE_SYSCTL_ARND\|HAVE_SYSTEM\|HAVE_SYS_ENDIAN_H\|HAVE_SYS_PRCTL_H\|HAVE_SYS_RESOURCES_H\|HAVE_SYS_SELECT_H\|HAVE_SYS_STAT_H\|HAVE_SYS_SYSCTL_H\|HAVE_SYS_TYPES_H\|HAVE_SYS_VMMETER_H\|HAVE_THREAD_LOCAL\|HAVE_TIMINGSAFE_BCMP\|HAVE_UNISTD_H\|HAVE_VM_VM_PARAM_H\|LT_OBJDIR\|PACKAGE_BUGREPORT\|PACKAGE_NAME\|PACKAGE_STRING\|PACKAGE_TARNAME\|PACKAGE_URL\|PACKAGE_VERSION\|PTHREAD_CREATE_JOINABLE\|QT_QPA_PLATFORM_ANDROID\|QT_QPA_PLATFORM_COCOA\|QT_QPA_PLATFORM_MINIMAL\|QT_QPA_PLATFORM_WINDOWS\|QT_QPA_PLATFORM_XCB\|QT_STATICPLUGIN\|STDC_HEADERS\|STRERROR_R_CHAR_P\|USE_ASM\|USE_BDB\|USE_DBUS\|USE_NATPMP\|USE_QRCODE\|USE_SQLITE\|USE_UPNP\|_FILE_OFFSET_BITS\|_LARGE_FILES)' exclusion_files=":(exclude)src/minisketch :(exclude)src/crc32c :(exclude)src/secp256k1 :(exclude)src/crypto/sha256_arm_shani.cpp :(exclude)src/crypto/sha256_avx2.cpp :(exclude)src/crypto/sha256_sse41.cpp :(exclude)src/crypto/sha256_x86_shani.cpp" git grep --perl-regexp --files-with-matches "$regex_string" -- '.cpp' $exclusion_files \| xargs git grep -L "bitcoin-config.h" \| while read -r file; do line_number=$(awk -v my_file="$file" '/\/\/ file COPYING or https?:\/\/www.opensource.org\/licenses\/mit-license.php\./ {line = NR} /^\/\// && NR == line + 1 {while(getline && /^\/\//) line = NR} END {print line+1}' "$file"); sed -i "${line_number}i\\\\n\#if defined(HAVE_CONFIG_H)\\n#include <config/bitcoin-config.h>\\n\#endif" "$file"; done; git grep --perl-regexp --files-with-matches "$regex_string" -- '.h' $exclusion_files \| xargs git grep -L "bitcoin-config.h" \| while read -r file; do sed -i "/#define._H/a \\\\n\#if defined(HAVE_CONFIG_H)\\n#include <config/bitcoin-config.h>\\n\#endif" "$file"; done; for file in $(git grep --files-with-matches 'bitcoin-config.h' -- '.cpp' '.h' $exclusion_files); do if ! grep -q --perl-regexp "$regex_string" $file; then sed -i '/HAVE_CONFIG_H/{N;N;N;d;}' $file; fi; done; -END VERIFY SCRIPT- The first command creates a regular expression for matching all bitcoin-config.h symbols in the following form: ^(?!//).(AC_APPLE_UNIVERSAL_BUILD\|BOOST_PROCESS_USE_STD_FS\|...\|_LARGE_FILES). It was generated with: ./autogen.sh && printf '^(?!//).(%s)' $(awk '/^#undef/ {print $2}' src/config/bitcoin-config.h.in \| paste -sd "\|" -) The second command holds a list of files and directories that should not be processed. These include subtree directories as well as some crypto files that already get their symbols through the makefile. The third command checks for missing bitcoin-config headers in .cpp files and adds the header if it is missing. The fourth command checks for missing bitcoin-config headers in .h files and adds the header if it is missing. The fifth command checks for unneeded bitcoin-config headers in sources files and removes the header if it is unneeded. 2024-02-13 08:03:02 +01:00			`#if defined(HAVE_CONFIG_H)`
			`#include <config/bitcoin-config.h>`
			`#endif`

crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`#include <crypto/chacha20poly1305.h>`

			`#include <crypto/common.h>`
			`#include <crypto/chacha20.h>`
			`#include <crypto/poly1305.h>`
			`#include <span.h>`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`#include <support/cleanse.h>`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00
			`#include <assert.h>`
			`#include <cstddef>`

crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`AEADChaCha20Poly1305::AEADChaCha20Poly1305(Span<const std::byte> key) noexcept : m_chacha20(key)`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`{`
			`assert(key.size() == KEYLEN);`
			`}`

			`void AEADChaCha20Poly1305::SetKey(Span<const std::byte> key) noexcept`
			`{`
			`assert(key.size() == KEYLEN);`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`m_chacha20.SetKey(key);`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`}`

			`namespace {`

			`#ifndef HAVE_TIMINGSAFE_BCMP`
			`#define HAVE_TIMINGSAFE_BCMP`

			`int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n) noexcept`
			`{`
			`const unsigned char p1 = b1, p2 = b2;`
			`int ret = 0;`
			`for (; n > 0; n--)`
			`ret \|= p1++ ^ p2++;`
			`return (ret != 0);`
			`}`

			`#endif`

			`/** Compute poly1305 tag. chacha20 must be set to the right nonce, block 0. Will be at block 1 after. */`
			`void ComputeTag(ChaCha20& chacha20, Span<const std::byte> aad, Span<const std::byte> cipher, Span<std::byte> tag) noexcept`
			`{`
			`static const std::byte PADDING[16] = {{}};`

			`// Get block of keystream (use a full 64 byte buffer to avoid the need for chacha20's own buffering).`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`std::byte first_block[ChaCha20Aligned::BLOCKLEN];`
			`chacha20.Keystream(first_block);`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00
			`// Use the first 32 bytes of the first keystream block as poly1305 key.`
			`Poly1305 poly1305{Span{first_block}.first(Poly1305::KEYLEN)};`

			`// Compute tag:`
			`// - Process the padded AAD with Poly1305.`
			`const unsigned aad_padding_length = (16 - (aad.size() % 16)) % 16;`
			`poly1305.Update(aad).Update(Span{PADDING}.first(aad_padding_length));`
			`// - Process the padded ciphertext with Poly1305.`
			`const unsigned cipher_padding_length = (16 - (cipher.size() % 16)) % 16;`
			`poly1305.Update(cipher).Update(Span{PADDING}.first(cipher_padding_length));`
			`// - Process the AAD and plaintext length with Poly1305.`
			`std::byte length_desc[Poly1305::TAGLEN];`
			`WriteLE64(UCharCast(length_desc), aad.size());`
			`WriteLE64(UCharCast(length_desc + 8), cipher.size());`
			`poly1305.Update(length_desc);`

			`// Output tag.`
			`poly1305.Finalize(tag);`
			`}`

			`} // namespace`

crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`void AEADChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`{`
crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00
			`// Encrypt using ChaCha20 (starting at block 1).`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`m_chacha20.Seek(nonce, 1);`
			`m_chacha20.Crypt(plain1, cipher.first(plain1.size()));`
			`m_chacha20.Crypt(plain2, cipher.subspan(plain1.size()).first(plain2.size()));`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00
			`// Seek to block 0, and compute tag using key drawn from there.`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`m_chacha20.Seek(nonce, 0);`
crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION));`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`}`

crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`bool AEADChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`{`
crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION);`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00
			`// Verify tag (using key drawn from block 0).`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`m_chacha20.Seek(nonce, 0);`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`std::byte expected_tag[EXPANSION];`
crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag);`
crypto: BIP324 ciphersuite follow-up follow-up to #28008. * move `dummy_tag` variable in FSChaCha20Poly1305 crypto_tests outside of the loop to be reused every time * use easy to read `cipher.last()` in `AEADChaCha20Poly1305::Decrypt()` * comment for initiator in `BIP324Cipher::Initialize()` * systematically damage ciphertext with bit positions in bip324_tests * use 4095 max bytes for aad in bip324 fuzz test 2023-08-13 11:55:46 +05:30			`if (timingsafe_bcmp(UCharCast(expected_tag), UCharCast(cipher.last(EXPANSION).data()), EXPANSION)) return false;`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00
			`// Decrypt (starting at block 1).`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`m_chacha20.Crypt(cipher.first(plain1.size()), plain1);`
			`m_chacha20.Crypt(cipher.subspan(plain1.size()).first(plain2.size()), plain2);`
crypto: add the ChaCha20Poly1305 AEAD as specified in RFC8439 This adds an implementation of the ChaCha20Poly1305 AEAD exactly matching the version specified in RFC8439 section 2.8, including tests and official test vectors. 2023-06-30 00:30:34 -04:00			`return true;`
			`}`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00
			`void AEADChaCha20Poly1305::Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept`
			`{`
			`// Skip the first output block, as it's used for generating the poly1305 key.`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`m_chacha20.Seek(nonce, 1);`
			`m_chacha20.Keystream(keystream);`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`}`

			`void FSChaCha20Poly1305::NextPacket() noexcept`
			`{`
			`if (++m_packet_counter == m_rekey_interval) {`
			`// Generate a full block of keystream, to avoid needing the ChaCha20 buffer, even though`
			`// we only need KEYLEN (32) bytes.`
crypto: refactor ChaCha20 classes to use Span<std::byte> interface 2023-07-18 10:11:49 -04:00			`std::byte one_block[ChaCha20Aligned::BLOCKLEN];`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`m_aead.Keystream({0xFFFFFFFF, m_rekey_counter}, one_block);`
			`// Switch keys.`
			`m_aead.SetKey(Span{one_block}.first(KEYLEN));`
			`// Wipe the generated keystream (a copy remains inside m_aead, which will be cleaned up`
			`// once it cycles again, or is destroyed).`
			`memory_cleanse(one_block, sizeof(one_block));`
			`// Update counters.`
			`m_packet_counter = 0;`
			`++m_rekey_counter;`
			`}`
			`}`

crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`void FSChaCha20Poly1305::Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`{`
crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher);`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`NextPacket();`
			`}`

crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`bool FSChaCha20Poly1305::Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`{`
crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt 2023-07-06 20:40:20 -04:00			`bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2);`
crypto: add FSChaCha20Poly1305, rekeying wrapper around ChaCha20Poly1305 This adds the FSChaCha20Poly1305 AEAD as specified in BIP324, a wrapper around the ChaCha20Poly1305 AEAD (as specified in RFC8439 section 2.8) which automatically rekeys every N messages, and automatically increments the nonce every message. 2023-06-29 14:55:16 -04:00			`NextPacket();`
			`return ret;`
			`}`