Retropex/bitcoin
1
0
Fork 0
mirror of https://github.com/Retropex/bitcoin.git synced 2025-05-14 20:20:43 +02:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

Switch all callers from poly1305_auth to Poly1305 class

Browse Source 
This also removes the old poly1305_auth interface, as it no longer serves any
function. The new Poly1305 class based interface is more modern and safe.
This commit is contained in:
Pieter Wuille 2023-06-28 10:52:12 -04:00
parent 8871f7d1ae
commit 4e5c933f6a
8 changed files with 39 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
src/bench/chacha_poly_aead.cpp
View File

@ -23,8 +23,8 @@ static ChaCha20Poly1305AEAD aead(k1, 32, k2, 32);
static void CHACHA20_POLY1305_AEAD(benchmark::Bench& bench, size_t buffersize, bool include_decryption) static void CHACHA20_POLY1305_AEAD(benchmark::Bench& bench, size_t buffersize, bool include_decryption)
{ {
std::vector<unsigned char> in(buffersize + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0); std::vector<unsigned char> in(buffersize + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
std::vector<unsigned char> out(buffersize + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0); std::vector<unsigned char> out(buffersize + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
uint64_t seqnr_payload = 0; uint64_t seqnr_payload = 0;
uint64_t seqnr_aad = 0; uint64_t seqnr_aad = 0;
int aad_pos = 0; int aad_pos = 0;

10
src/bench/poly1305.cpp
View File

@ -6,6 +6,8 @@
#include <bench/bench.h> #include <bench/bench.h>
#include <crypto/poly1305.h> #include <crypto/poly1305.h>
#include <span.h>
/* Number of bytes to process per iteration */ /* Number of bytes to process per iteration */
static constexpr uint64_t BUFFER_SIZE_TINY = 64; static constexpr uint64_t BUFFER_SIZE_TINY = 64;
static constexpr uint64_t BUFFER_SIZE_SMALL = 256; static constexpr uint64_t BUFFER_SIZE_SMALL = 256;
@ -13,11 +15,11 @@ static constexpr uint64_t BUFFER_SIZE_LARGE = 1024*1024;
static void POLY1305(benchmark::Bench& bench, size_t buffersize) static void POLY1305(benchmark::Bench& bench, size_t buffersize)
{ {
std::vector<unsigned char> tag(POLY1305_TAGLEN, 0); std::vector<std::byte> tag(Poly1305::TAGLEN, {});
std::vector<unsigned char> key(POLY1305_KEYLEN, 0); std::vector<std::byte> key(Poly1305::KEYLEN, {});
std::vector<unsigned char> in(buffersize, 0); std::vector<std::byte> in(buffersize, {});
bench.batch(in.size()).unit("byte").run([&] { bench.batch(in.size()).unit("byte").run([&] {
poly1305_auth(tag.data(), in.data(), in.size(), key.data()); Poly1305{key}.Update(in).Finalize(tag);
}); });
} }

20
src/crypto/chacha_poly_aead.cpp
View File

@ -50,13 +50,13 @@ bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int
// check buffer boundaries // check buffer boundaries
if ( if (
// if we encrypt, make sure the source contains at least the expected AAD and the destination has at least space for the source + MAC // if we encrypt, make sure the source contains at least the expected AAD and the destination has at least space for the source + MAC
(is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + POLY1305_TAGLEN)) || (is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + Poly1305::TAGLEN)) ||
// if we decrypt, make sure the source contains at least the expected AAD+MAC and the destination has at least space for the source - MAC // if we decrypt, make sure the source contains at least the expected AAD+MAC and the destination has at least space for the source - MAC
(!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN || dest_len < src_len - POLY1305_TAGLEN))) { (!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN || dest_len < src_len - Poly1305::TAGLEN))) {
return false; return false;
} }
unsigned char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN]; unsigned char expected_tag[Poly1305::TAGLEN], poly_key[Poly1305::KEYLEN];
memset(poly_key, 0, sizeof(poly_key)); memset(poly_key, 0, sizeof(poly_key));
// block counter 0 for the poly1305 key // block counter 0 for the poly1305 key
@ -67,18 +67,20 @@ bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int
// if decrypting, verify the tag prior to decryption // if decrypting, verify the tag prior to decryption
if (!is_encrypt) { if (!is_encrypt) {
const unsigned char* tag = src + src_len - POLY1305_TAGLEN; const unsigned char* tag = src + src_len - Poly1305::TAGLEN;
poly1305_auth(expected_tag, src, src_len - POLY1305_TAGLEN, poly_key); Poly1305{MakeByteSpan(poly_key)}
.Update(AsBytes(Span{src, src_len - Poly1305::TAGLEN}))
.Finalize(MakeWritableByteSpan(expected_tag));
// constant time compare the calculated MAC with the provided MAC // constant time compare the calculated MAC with the provided MAC
if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) { if (timingsafe_bcmp(expected_tag, tag, Poly1305::TAGLEN) != 0) {
memory_cleanse(expected_tag, sizeof(expected_tag)); memory_cleanse(expected_tag, sizeof(expected_tag));
memory_cleanse(poly_key, sizeof(poly_key)); memory_cleanse(poly_key, sizeof(poly_key));
return false; return false;
} }
memory_cleanse(expected_tag, sizeof(expected_tag)); memory_cleanse(expected_tag, sizeof(expected_tag));
// MAC has been successfully verified, make sure we don't convert it in decryption // MAC has been successfully verified, make sure we don't convert it in decryption
src_len -= POLY1305_TAGLEN; src_len -= Poly1305::TAGLEN;
} }
// calculate and cache the next 64byte keystream block if requested sequence number is not yet the cache // calculate and cache the next 64byte keystream block if requested sequence number is not yet the cache
@ -99,7 +101,9 @@ bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int
// If encrypting, calculate and append tag // If encrypting, calculate and append tag
if (is_encrypt) { if (is_encrypt) {
// the poly1305 tag expands over the AAD (3 bytes length) & encrypted payload // the poly1305 tag expands over the AAD (3 bytes length) & encrypted payload
poly1305_auth(dest + src_len, dest, src_len, poly_key); Poly1305{MakeByteSpan(poly_key)}
.Update(AsBytes(Span{dest, src_len}))
.Finalize(AsWritableBytes(Span{dest + src_len, Poly1305::TAGLEN}));
} }
// cleanse no longer required MAC and polykey // cleanse no longer required MAC and polykey

8
src/crypto/poly1305.cpp
View File

@ -221,11 +221,3 @@ void poly1305_update(poly1305_context *st, const unsigned char *m, size_t bytes)
} }
} // namespace poly1305_donna } // namespace poly1305_donna
void poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) {
using namespace poly1305_donna;
poly1305_context ctx;
poly1305_init(&ctx, key);
poly1305_update(&ctx, m, bytes);
poly1305_finish(&ctx, mac);
}

9
src/crypto/poly1305.h
View File

@ -11,8 +11,6 @@
#include <cstdlib> #include <cstdlib>
#include <stdint.h> #include <stdint.h>
#define POLY1305_KEYLEN 32
#define POLY1305_TAGLEN 16
#define POLY1305_BLOCK_SIZE 16 #define POLY1305_BLOCK_SIZE 16
namespace poly1305_donna { namespace poly1305_donna {
@ -42,10 +40,10 @@ class Poly1305
public: public:
/** Length of the output produced by Finalize(). */ /** Length of the output produced by Finalize(). */
static constexpr unsigned TAGLEN = POLY1305_TAGLEN; static constexpr unsigned TAGLEN{16};
/** Length of the keys expected by the constructor. */ /** Length of the keys expected by the constructor. */
static constexpr unsigned KEYLEN = POLY1305_KEYLEN; static constexpr unsigned KEYLEN{32};
/** Construct a Poly1305 object with a given 32-byte key. */ /** Construct a Poly1305 object with a given 32-byte key. */
Poly1305(Span<const std::byte> key) noexcept Poly1305(Span<const std::byte> key) noexcept
@ -69,7 +67,4 @@ public:
} }
}; };
void poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen,
const unsigned char key[POLY1305_KEYLEN]);
#endif // BITCOIN_CRYPTO_POLY1305_H #endif // BITCOIN_CRYPTO_POLY1305_H

21
src/test/crypto_tests.cpp
View File

@ -184,26 +184,25 @@ static void TestChaCha20(const std::string &hex_message, const std::string &hexk
static void TestPoly1305(const std::string &hexmessage, const std::string &hexkey, const std::string& hextag) static void TestPoly1305(const std::string &hexmessage, const std::string &hexkey, const std::string& hextag)
{ {
std::vector<unsigned char> key = ParseHex(hexkey); auto key = ParseHex<std::byte>(hexkey);
std::vector<unsigned char> m = ParseHex(hexmessage); auto m = ParseHex<std::byte>(hexmessage);
std::vector<unsigned char> tag = ParseHex(hextag); auto tag = ParseHex<std::byte>(hextag);
std::vector<unsigned char> tagres; std::vector<std::byte> tagres(Poly1305::TAGLEN);
tagres.resize(POLY1305_TAGLEN); Poly1305{key}.Update(m).Finalize(tagres);
poly1305_auth(tagres.data(), m.data(), m.size(), key.data());
BOOST_CHECK(tag == tagres); BOOST_CHECK(tag == tagres);
// Test incremental interface // Test incremental interface
for (int splits = 0; splits < 10; ++splits) { for (int splits = 0; splits < 10; ++splits) {
for (int iter = 0; iter < 10; ++iter) { for (int iter = 0; iter < 10; ++iter) {
auto data = MakeByteSpan(m); auto data = Span{m};
Poly1305 poly1305{MakeByteSpan(key)}; Poly1305 poly1305{key};
for (int chunk = 0; chunk < splits; ++chunk) { for (int chunk = 0; chunk < splits; ++chunk) {
size_t now = InsecureRandRange(data.size() + 1); size_t now = InsecureRandRange(data.size() + 1);
poly1305.Update(data.first(now)); poly1305.Update(data.first(now));
data = data.subspan(now); data = data.subspan(now);
} }
tagres.assign(POLY1305_TAGLEN, 0); tagres.assign(Poly1305::TAGLEN, std::byte{});
poly1305.Update(data).Finalize(MakeWritableByteSpan(tagres)); poly1305.Update(data).Finalize(tagres);
BOOST_CHECK(tag == tagres); BOOST_CHECK(tag == tagres);
} }
} }
@ -858,7 +857,7 @@ static void TestChaCha20Poly1305AEAD(bool must_succeed, unsigned int expected_aa
std::vector<unsigned char> expected_ciphertext_and_mac = ParseHex(hex_encrypted_message); std::vector<unsigned char> expected_ciphertext_and_mac = ParseHex(hex_encrypted_message);
std::vector<unsigned char> expected_ciphertext_and_mac_sequence999 = ParseHex(hex_encrypted_message_seq_999); std::vector<unsigned char> expected_ciphertext_and_mac_sequence999 = ParseHex(hex_encrypted_message_seq_999);
std::vector<unsigned char> ciphertext_buf(plaintext_buf.size() + POLY1305_TAGLEN, 0); std::vector<unsigned char> ciphertext_buf(plaintext_buf.size() + Poly1305::TAGLEN, 0);
std::vector<unsigned char> plaintext_buf_new(plaintext_buf.size(), 0); std::vector<unsigned char> plaintext_buf_new(plaintext_buf.size(), 0);
std::vector<unsigned char> cmp_ctx_buffer(64); std::vector<unsigned char> cmp_ctx_buffer(64);
uint32_t out_len = 0; uint32_t out_len = 0;

8
src/test/fuzz/crypto_chacha20_poly1305_aead.cpp
View File

@ -26,16 +26,16 @@ FUZZ_TARGET(crypto_chacha20_poly1305_aead)
uint64_t seqnr_aad = 0; uint64_t seqnr_aad = 0;
int aad_pos = 0; int aad_pos = 0;
size_t buffer_size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096); size_t buffer_size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096);
std::vector<uint8_t> in(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0); std::vector<uint8_t> in(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
std::vector<uint8_t> out(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0); std::vector<uint8_t> out(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
bool is_encrypt = fuzzed_data_provider.ConsumeBool(); bool is_encrypt = fuzzed_data_provider.ConsumeBool();
LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) { LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {
CallOneOf( CallOneOf(
fuzzed_data_provider, fuzzed_data_provider,
[&] { [&] {
buffer_size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(64, 4096); buffer_size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(64, 4096);
in = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0); in = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
out = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0); out = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
}, },
[&] { [&] {
(void)aead.Crypt(seqnr_payload, seqnr_aad, aad_pos, out.data(), out.size(), in.data(), buffer_size, is_encrypt); (void)aead.Crypt(seqnr_payload, seqnr_aad, aad_pos, out.data(), out.size(), in.data(), buffer_size, is_encrypt);

6
src/test/fuzz/crypto_poly1305.cpp
View File

@ -14,11 +14,11 @@ FUZZ_TARGET(crypto_poly1305)
{ {
FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()}; FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};
const std::vector<uint8_t> key = ConsumeFixedLengthByteVector(fuzzed_data_provider, POLY1305_KEYLEN); const std::vector<uint8_t> key = ConsumeFixedLengthByteVector(fuzzed_data_provider, Poly1305::KEYLEN);
const std::vector<uint8_t> in = ConsumeRandomLengthByteVector(fuzzed_data_provider); const std::vector<uint8_t> in = ConsumeRandomLengthByteVector(fuzzed_data_provider);
std::vector<uint8_t> tag_out(POLY1305_TAGLEN); std::vector<std::byte> tag_out(Poly1305::TAGLEN);
poly1305_auth(tag_out.data(), in.data(), in.size(), key.data()); Poly1305{MakeByteSpan(key)}.Update(MakeByteSpan(in)).Finalize(tag_out);
} }