mirror of
https://github.com/bitcoin/bitcoin.git
synced 2025-02-09 10:43:19 -05:00
148 lines
5.4 KiB
C++
148 lines
5.4 KiB
C++
// Copyright (c) 2023 The Bitcoin Core developers
|
|
// Distributed under the MIT software license, see the accompanying
|
|
// file COPYING or http://www.opensource.org/licenses/mit-license.php.
|
|
|
|
#ifndef BITCOIN_CRYPTO_CHACHA20POLY1305_H
|
|
#define BITCOIN_CRYPTO_CHACHA20POLY1305_H
|
|
|
|
#include <cstddef>
|
|
#include <stdint.h>
|
|
|
|
#include <crypto/chacha20.h>
|
|
#include <crypto/poly1305.h>
|
|
#include <span.h>
|
|
|
|
/** The AEAD_CHACHA20_POLY1305 authenticated encryption algorithm from RFC8439 section 2.8. */
|
|
class AEADChaCha20Poly1305
|
|
{
|
|
/** Internal stream cipher. */
|
|
ChaCha20 m_chacha20;
|
|
|
|
public:
|
|
/** Expected size of key argument in constructor. */
|
|
static constexpr unsigned KEYLEN = 32;
|
|
|
|
/** Expansion when encrypting. */
|
|
static constexpr unsigned EXPANSION = Poly1305::TAGLEN;
|
|
|
|
/** Initialize an AEAD instance with a specified 32-byte key. */
|
|
AEADChaCha20Poly1305(Span<const std::byte> key) noexcept;
|
|
|
|
/** Switch to another 32-byte key. */
|
|
void SetKey(Span<const std::byte> key) noexcept;
|
|
|
|
/** 96-bit nonce type. */
|
|
using Nonce96 = ChaCha20::Nonce96;
|
|
|
|
/** Encrypt a message with a specified 96-bit nonce and aad.
|
|
*
|
|
* Requires cipher.size() = plain.size() + EXPANSION.
|
|
*/
|
|
void Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept
|
|
{
|
|
Encrypt(plain, {}, aad, nonce, cipher);
|
|
}
|
|
|
|
/** Encrypt a message (given split into plain1 + plain2) with a specified 96-bit nonce and aad.
|
|
*
|
|
* Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION.
|
|
*/
|
|
void Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> cipher) noexcept;
|
|
|
|
/** Decrypt a message with a specified 96-bit nonce and aad. Returns true if valid.
|
|
*
|
|
* Requires cipher.size() = plain.size() + EXPANSION.
|
|
*/
|
|
bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain) noexcept
|
|
{
|
|
return Decrypt(cipher, aad, nonce, plain, {});
|
|
}
|
|
|
|
/** Decrypt a message with a specified 96-bit nonce and aad and split the result. Returns true if valid.
|
|
*
|
|
* Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION.
|
|
*/
|
|
bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Nonce96 nonce, Span<std::byte> plain1, Span<std::byte> plain2) noexcept;
|
|
|
|
/** Get a number of keystream bytes from the underlying stream cipher.
|
|
*
|
|
* This is equivalent to Encrypt() with plain set to that many zero bytes, and dropping the
|
|
* last EXPANSION bytes off the result.
|
|
*/
|
|
void Keystream(Nonce96 nonce, Span<std::byte> keystream) noexcept;
|
|
};
|
|
|
|
/** Forward-secure wrapper around AEADChaCha20Poly1305.
|
|
*
|
|
* This implements an AEAD which automatically increments the nonce on every encryption or
|
|
* decryption, and cycles keys after a predetermined number of encryptions or decryptions.
|
|
*
|
|
* See BIP324 for details.
|
|
*/
|
|
class FSChaCha20Poly1305
|
|
{
|
|
private:
|
|
/** Internal AEAD. */
|
|
AEADChaCha20Poly1305 m_aead;
|
|
|
|
/** Every how many iterations this cipher rekeys. */
|
|
const uint32_t m_rekey_interval;
|
|
|
|
/** The number of encryptions/decryptions since the last rekey. */
|
|
uint32_t m_packet_counter{0};
|
|
|
|
/** The number of rekeys performed so far. */
|
|
uint64_t m_rekey_counter{0};
|
|
|
|
/** Update counters (and if necessary, key) to transition to the next message. */
|
|
void NextPacket() noexcept;
|
|
|
|
public:
|
|
/** Length of keys expected by the constructor. */
|
|
static constexpr auto KEYLEN = AEADChaCha20Poly1305::KEYLEN;
|
|
|
|
/** Expansion when encrypting. */
|
|
static constexpr auto EXPANSION = AEADChaCha20Poly1305::EXPANSION;
|
|
|
|
// No copy or move to protect the secret.
|
|
FSChaCha20Poly1305(const FSChaCha20Poly1305&) = delete;
|
|
FSChaCha20Poly1305(FSChaCha20Poly1305&&) = delete;
|
|
FSChaCha20Poly1305& operator=(const FSChaCha20Poly1305&) = delete;
|
|
FSChaCha20Poly1305& operator=(FSChaCha20Poly1305&&) = delete;
|
|
|
|
/** Construct an FSChaCha20Poly1305 cipher that rekeys every rekey_interval operations. */
|
|
FSChaCha20Poly1305(Span<const std::byte> key, uint32_t rekey_interval) noexcept :
|
|
m_aead(key), m_rekey_interval(rekey_interval) {}
|
|
|
|
/** Encrypt a message with a specified aad.
|
|
*
|
|
* Requires cipher.size() = plain.size() + EXPANSION.
|
|
*/
|
|
void Encrypt(Span<const std::byte> plain, Span<const std::byte> aad, Span<std::byte> cipher) noexcept
|
|
{
|
|
Encrypt(plain, {}, aad, cipher);
|
|
}
|
|
|
|
/** Encrypt a message (given split into plain1 + plain2) with a specified aad.
|
|
*
|
|
* Requires cipher.size() = plain.size() + EXPANSION.
|
|
*/
|
|
void Encrypt(Span<const std::byte> plain1, Span<const std::byte> plain2, Span<const std::byte> aad, Span<std::byte> cipher) noexcept;
|
|
|
|
/** Decrypt a message with a specified aad. Returns true if valid.
|
|
*
|
|
* Requires cipher.size() = plain.size() + EXPANSION.
|
|
*/
|
|
bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain) noexcept
|
|
{
|
|
return Decrypt(cipher, aad, plain, {});
|
|
}
|
|
|
|
/** Decrypt a message with a specified aad and split the result. Returns true if valid.
|
|
*
|
|
* Requires cipher.size() = plain1.size() + plain2.size() + EXPANSION.
|
|
*/
|
|
bool Decrypt(Span<const std::byte> cipher, Span<const std::byte> aad, Span<std::byte> plain1, Span<std::byte> plain2) noexcept;
|
|
};
|
|
|
|
#endif // BITCOIN_CRYPTO_CHACHA20POLY1305_H
|