From c91cedf281e5207fb5fd2ca81feec9760f7c2ed0 Mon Sep 17 00:00:00 2001 From: Pieter Wuille Date: Thu, 6 Jul 2023 20:40:20 -0400 Subject: [PATCH] crypto: support split plaintext in ChaCha20Poly1305 Encrypt/Decrypt --- src/crypto/chacha20poly1305.cpp | 28 ++++++----- src/crypto/chacha20poly1305.h | 44 ++++++++++++++-- src/test/crypto_tests.cpp | 89 +++++++++++++++++++++++---------- 3 files changed, 117 insertions(+), 44 deletions(-) diff --git a/src/crypto/chacha20poly1305.cpp b/src/crypto/chacha20poly1305.cpp index c3f8fe9e64..c936dd2265 100644 --- a/src/crypto/chacha20poly1305.cpp +++ b/src/crypto/chacha20poly1305.cpp @@ -73,31 +73,33 @@ void ComputeTag(ChaCha20& chacha20, Span aad, Span plain, Span aad, Nonce96 nonce, Span cipher) noexcept +void AEADChaCha20Poly1305::Encrypt(Span plain1, Span plain2, Span aad, Nonce96 nonce, Span cipher) noexcept { - assert(cipher.size() == plain.size() + EXPANSION); + assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION); // Encrypt using ChaCha20 (starting at block 1). m_chacha20.Seek64(nonce, 1); - m_chacha20.Crypt(UCharCast(plain.data()), UCharCast(cipher.data()), plain.size()); + m_chacha20.Crypt(UCharCast(plain1.data()), UCharCast(cipher.data()), plain1.size()); + m_chacha20.Crypt(UCharCast(plain2.data()), UCharCast(cipher.data() + plain1.size()), plain2.size()); // Seek to block 0, and compute tag using key drawn from there. m_chacha20.Seek64(nonce, 0); - ComputeTag(m_chacha20, aad, cipher.first(plain.size()), cipher.last(EXPANSION)); + ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), cipher.last(EXPANSION)); } -bool AEADChaCha20Poly1305::Decrypt(Span cipher, Span aad, Nonce96 nonce, Span plain) noexcept +bool AEADChaCha20Poly1305::Decrypt(Span cipher, Span aad, Nonce96 nonce, Span plain1, Span plain2) noexcept { - assert(cipher.size() == plain.size() + EXPANSION); + assert(cipher.size() == plain1.size() + plain2.size() + EXPANSION); // Verify tag (using key drawn from block 0). m_chacha20.Seek64(nonce, 0); std::byte expected_tag[EXPANSION]; - ComputeTag(m_chacha20, aad, cipher.first(plain.size()), expected_tag); - if (timingsafe_bcmp(UCharCast(expected_tag), UCharCast(cipher.data() + plain.size()), EXPANSION)) return false; + ComputeTag(m_chacha20, aad, cipher.first(cipher.size() - EXPANSION), expected_tag); + if (timingsafe_bcmp(UCharCast(expected_tag), UCharCast(cipher.data() + cipher.size() - EXPANSION), EXPANSION)) return false; // Decrypt (starting at block 1). - m_chacha20.Crypt(UCharCast(cipher.data()), UCharCast(plain.data()), plain.size()); + m_chacha20.Crypt(UCharCast(cipher.data()), UCharCast(plain1.data()), plain1.size()); + m_chacha20.Crypt(UCharCast(cipher.data() + plain1.size()), UCharCast(plain2.data()), plain2.size()); return true; } @@ -126,15 +128,15 @@ void FSChaCha20Poly1305::NextPacket() noexcept } } -void FSChaCha20Poly1305::Encrypt(Span plain, Span aad, Span cipher) noexcept +void FSChaCha20Poly1305::Encrypt(Span plain1, Span plain2, Span aad, Span cipher) noexcept { - m_aead.Encrypt(plain, aad, {m_packet_counter, m_rekey_counter}, cipher); + m_aead.Encrypt(plain1, plain2, aad, {m_packet_counter, m_rekey_counter}, cipher); NextPacket(); } -bool FSChaCha20Poly1305::Decrypt(Span cipher, Span aad, Span plain) noexcept +bool FSChaCha20Poly1305::Decrypt(Span cipher, Span aad, Span plain1, Span plain2) noexcept { - bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain); + bool ret = m_aead.Decrypt(cipher, aad, {m_packet_counter, m_rekey_counter}, plain1, plain2); NextPacket(); return ret; } diff --git a/src/crypto/chacha20poly1305.h b/src/crypto/chacha20poly1305.h index c4ec978df8..dc8fb1cc13 100644 --- a/src/crypto/chacha20poly1305.h +++ b/src/crypto/chacha20poly1305.h @@ -39,13 +39,31 @@ public: * * Requires cipher.size() = plain.size() + EXPANSION. */ - void Encrypt(Span plain, Span aad, Nonce96 nonce, Span cipher) noexcept; + void Encrypt(Span plain, Span aad, Nonce96 nonce, Span cipher) noexcept + { + Encrypt(plain, {}, aad, nonce, cipher); + } + + /** Encrypt a message (given split into plain1 + plain2) with a specified 96-bit nonce and aad. + * + * Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION. + */ + void Encrypt(Span plain1, Span plain2, Span aad, Nonce96 nonce, Span cipher) noexcept; /** Decrypt a message with a specified 96-bit nonce and aad. Returns true if valid. * * Requires cipher.size() = plain.size() + EXPANSION. */ - bool Decrypt(Span cipher, Span aad, Nonce96 nonce, Span plain) noexcept; + bool Decrypt(Span cipher, Span aad, Nonce96 nonce, Span plain) noexcept + { + return Decrypt(cipher, aad, nonce, plain, {}); + } + + /** Decrypt a message with a specified 96-bit nonce and aad and split the result. Returns true if valid. + * + * Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION. + */ + bool Decrypt(Span cipher, Span aad, Nonce96 nonce, Span plain1, Span plain2) noexcept; /** Get a number of keystream bytes from the underlying stream cipher. * @@ -101,13 +119,31 @@ public: * * Requires cipher.size() = plain.size() + EXPANSION. */ - void Encrypt(Span plain, Span aad, Span cipher) noexcept; + void Encrypt(Span plain, Span aad, Span cipher) noexcept + { + Encrypt(plain, {}, aad, cipher); + } + + /** Encrypt a message (given split into plain1 + plain2) with a specified aad. + * + * Requires cipher.size() = plain.size() + EXPANSION. + */ + void Encrypt(Span plain1, Span plain2, Span aad, Span cipher) noexcept; /** Decrypt a message with a specified aad. Returns true if valid. * * Requires cipher.size() = plain.size() + EXPANSION. */ - bool Decrypt(Span cipher, Span aad, Span plain) noexcept; + bool Decrypt(Span cipher, Span aad, Span plain) noexcept + { + return Decrypt(cipher, aad, plain, {}); + } + + /** Decrypt a message with a specified aad and split the result. Returns true if valid. + * + * Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION. + */ + bool Decrypt(Span cipher, Span aad, Span plain1, Span plain2) noexcept; }; #endif // BITCOIN_CRYPTO_CHACHA20POLY1305_H diff --git a/src/test/crypto_tests.cpp b/src/test/crypto_tests.cpp index 149a8cf7bf..6663c914a9 100644 --- a/src/test/crypto_tests.cpp +++ b/src/test/crypto_tests.cpp @@ -255,20 +255,37 @@ static void TestChaCha20Poly1305(const std::string& plain_hex, const std::string auto key = ParseHex(key_hex); auto expected_cipher = ParseHex(cipher_hex); - std::vector cipher(plain.size() + AEADChaCha20Poly1305::EXPANSION); - AEADChaCha20Poly1305 aead{key}; - aead.Encrypt(plain, aad, nonce, cipher); - BOOST_CHECK(cipher == expected_cipher); + for (int i = 0; i < 10; ++i) { + // During i=0, use single-plain Encrypt/Decrypt; others use a split at prefix. + size_t prefix = i ? InsecureRandRange(plain.size() + 1) : plain.size(); + // Encrypt. + std::vector cipher(plain.size() + AEADChaCha20Poly1305::EXPANSION); + AEADChaCha20Poly1305 aead{key}; + if (i == 0) { + aead.Encrypt(plain, aad, nonce, cipher); + } else { + aead.Encrypt(Span{plain}.first(prefix), Span{plain}.subspan(prefix), aad, nonce, cipher); + } + BOOST_CHECK(cipher == expected_cipher); - std::vector decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION); - bool ret = aead.Decrypt(cipher, aad, nonce, decipher); - BOOST_CHECK(ret); - BOOST_CHECK(decipher == plain); + // Decrypt. + std::vector decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION); + bool ret{false}; + if (i == 0) { + ret = aead.Decrypt(cipher, aad, nonce, decipher); + } else { + ret = aead.Decrypt(cipher, aad, nonce, Span{decipher}.first(prefix), Span{decipher}.subspan(prefix)); + } + BOOST_CHECK(ret); + BOOST_CHECK(decipher == plain); + } + // Test Keystream output. std::vector keystream(plain.size()); + AEADChaCha20Poly1305 aead{key}; aead.Keystream(nonce, keystream); for (size_t i = 0; i < plain.size(); ++i) { - BOOST_CHECK_EQUAL(plain[i] ^ keystream[i], cipher[i]); + BOOST_CHECK_EQUAL(plain[i] ^ keystream[i], expected_cipher[i]); } } @@ -280,25 +297,43 @@ static void TestFSChaCha20Poly1305(const std::string& plain_hex, const std::stri auto expected_cipher = ParseHex(cipher_hex); std::vector cipher(plain.size() + FSChaCha20Poly1305::EXPANSION); - FSChaCha20Poly1305 enc_aead{key, 224}; - for (uint64_t i = 0; i < msg_idx; ++i) { - std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}}; - enc_aead.Encrypt(Span{dummy_tag}.first(0), Span{dummy_tag}.first(0), dummy_tag); + for (int it = 0; it < 10; ++it) { + // During it==0 we use the single-plain Encrypt/Decrypt; others use a split at prefix. + size_t prefix = it ? InsecureRandRange(plain.size() + 1) : plain.size(); + + // Do msg_idx dummy encryptions to seek to the correct packet. + FSChaCha20Poly1305 enc_aead{key, 224}; + for (uint64_t i = 0; i < msg_idx; ++i) { + std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}}; + enc_aead.Encrypt(Span{dummy_tag}.first(0), Span{dummy_tag}.first(0), dummy_tag); + } + + // Invoke single-plain or plain1/plain2 Encrypt. + if (it == 0) { + enc_aead.Encrypt(plain, aad, cipher); + } else { + enc_aead.Encrypt(Span{plain}.first(prefix), Span{plain}.subspan(prefix), aad, cipher); + } + BOOST_CHECK(cipher == expected_cipher); + + // Do msg_idx dummy decryptions to seek to the correct packet. + FSChaCha20Poly1305 dec_aead{key, 224}; + for (uint64_t i = 0; i < msg_idx; ++i) { + std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}}; + dec_aead.Decrypt(dummy_tag, Span{dummy_tag}.first(0), Span{dummy_tag}.first(0)); + } + + // Invoke single-plain or plain1/plain2 Decrypt. + std::vector decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION); + bool ret{false}; + if (it == 0) { + ret = dec_aead.Decrypt(cipher, aad, decipher); + } else { + ret = dec_aead.Decrypt(cipher, aad, Span{decipher}.first(prefix), Span{decipher}.subspan(prefix)); + } + BOOST_CHECK(ret); + BOOST_CHECK(decipher == plain); } - - enc_aead.Encrypt(plain, aad, cipher); - BOOST_CHECK(cipher == expected_cipher); - - FSChaCha20Poly1305 dec_aead{key, 224}; - for (uint64_t i = 0; i < msg_idx; ++i) { - std::byte dummy_tag[FSChaCha20Poly1305::EXPANSION] = {{}}; - dec_aead.Decrypt(dummy_tag, Span{dummy_tag}.first(0), Span{dummy_tag}.first(0)); - } - - std::vector decipher(cipher.size() - AEADChaCha20Poly1305::EXPANSION); - bool ret = dec_aead.Decrypt(cipher, aad, decipher); - BOOST_CHECK(ret); - BOOST_CHECK(decipher == plain); } static void TestHKDF_SHA256_32(const std::string &ikm_hex, const std::string &salt_hex, const std::string &info_hex, const std::string &okm_check_hex) {