Grcov report - chacha_poly

1

// Copyright (c) 2019-2021 The Bitcoin Core developers

2

// Distributed under the MIT software license, see the accompanying

3

// file COPYING or http://www.opensource.org/licenses/mit-license.php.

4

5

#include <crypto/chacha_poly_aead.h>

6

7

#include <crypto/poly1305.h>

8

#include <support/cleanse.h>

9

10

#include <assert.h>

11

#include <string.h>

12

13

#include <cstdio>

14

#include <limits>

15

16

#ifndef HAVE_TIMINGSAFE_BCMP

17

18

int timingsafe_bcmp(const unsigned char* b1, const unsigned char* b2, size_t n)

19

20

    const unsigned char *p1 = b1, *p2 = b2;

21

    int ret = 0;

22

23

    for (; n > 0; n--)

24

        ret |= *p1++ ^ *p2++;

25

    return (ret != 0);

26

27

28

#endif // TIMINGSAFE_BCMP

29

30

ChaCha20Poly1305AEAD::ChaCha20Poly1305AEAD(const unsigned char* K_1, size_t K_1_len, const unsigned char* K_2, size_t K_2_len)

31

32

    assert(K_1_len == CHACHA20_POLY1305_AEAD_KEY_LEN);

33

    assert(K_2_len == CHACHA20_POLY1305_AEAD_KEY_LEN);

34

35

    m_chacha_header.SetKey(K_1, CHACHA20_POLY1305_AEAD_KEY_LEN);

36

    m_chacha_main.SetKey(K_2, CHACHA20_POLY1305_AEAD_KEY_LEN);

37

38

    // set the cached sequence number to uint64 max which hints for an unset cache.

39

    // we can't hit uint64 max since the rekey rule (which resets the sequence number) is 1GB

40

    m_cached_aad_seqnr = std::numeric_limits<uint64_t>::max();

41

42

43

bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int aad_pos, unsigned char* dest, size_t dest_len /* length of the output buffer for sanity checks */, const unsigned char* src, size_t src_len, bool is_encrypt)

44

45

    // check buffer boundaries

46

    if (

47

        // if we encrypt, make sure the source contains at least the expected AAD and the destination has at least space for the source + MAC

48

        (is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + POLY1305_TAGLEN)) ||

49

        // if we decrypt, make sure the source contains at least the expected AAD+MAC and the destination has at least space for the source - MAC

50

        (!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN || dest_len < src_len - POLY1305_TAGLEN))) {

51

        return false;

52

53

54

    unsigned char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];

55

    memset(poly_key, 0, sizeof(poly_key));

56

    m_chacha_main.SetIV(seqnr_payload);

57

58

    // block counter 0 for the poly1305 key

59

    // use lower 32bytes for the poly1305 key

60

    // (throws away 32 unused bytes (upper 32) from this ChaCha20 round)

61

    m_chacha_main.Seek(0);

62

    m_chacha_main.Crypt(poly_key, poly_key, sizeof(poly_key));

63

64

    // if decrypting, verify the tag prior to decryption

65

    if (!is_encrypt) {

66

        const unsigned char* tag = src + src_len - POLY1305_TAGLEN;

67

        poly1305_auth(expected_tag, src, src_len - POLY1305_TAGLEN, poly_key);

68

69

        // constant time compare the calculated MAC with the provided MAC

70

        if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {

71

            memory_cleanse(expected_tag, sizeof(expected_tag));

72

            memory_cleanse(poly_key, sizeof(poly_key));

73

            return false;

74

75

        memory_cleanse(expected_tag, sizeof(expected_tag));

76

        // MAC has been successfully verified, make sure we don't convert it in decryption

77

        src_len -= POLY1305_TAGLEN;

78

79

80

    // calculate and cache the next 64byte keystream block if requested sequence number is not yet the cache

81

    if (m_cached_aad_seqnr != seqnr_aad) {

82

        m_cached_aad_seqnr = seqnr_aad;

83

        m_chacha_header.SetIV(seqnr_aad);

84

        m_chacha_header.Seek(0);

85

        m_chacha_header.Keystream(m_aad_keystream_buffer, CHACHA20_ROUND_OUTPUT);

86

87

    // crypt the AAD (3 bytes message length) with given position in AAD cipher instance keystream

88

    dest[0] = src[0] ^ m_aad_keystream_buffer[aad_pos];

89

    dest[1] = src[1] ^ m_aad_keystream_buffer[aad_pos + 1];

90

    dest[2] = src[2] ^ m_aad_keystream_buffer[aad_pos + 2];

91

92

    // Set the playload ChaCha instance block counter to 1 and crypt the payload

93

    m_chacha_main.Seek(1);

94

    m_chacha_main.Crypt(src + CHACHA20_POLY1305_AEAD_AAD_LEN, dest + CHACHA20_POLY1305_AEAD_AAD_LEN, src_len - CHACHA20_POLY1305_AEAD_AAD_LEN);

95

96

    // If encrypting, calculate and append tag

97

    if (is_encrypt) {

98

        // the poly1305 tag expands over the AAD (3 bytes length) & encrypted payload

99

        poly1305_auth(dest + src_len, dest, src_len, poly_key);

100

101

102

    // cleanse no longer required MAC and polykey

103

    memory_cleanse(poly_key, sizeof(poly_key));

104

    return true;

105

106

107

bool ChaCha20Poly1305AEAD::GetLength(uint32_t* len24_out, uint64_t seqnr_aad, int aad_pos, const uint8_t* ciphertext)

108

109

    // enforce valid aad position to avoid accessing outside of the 64byte keystream cache

110

    // (there is space for 21 times 3 bytes)

111

    assert(aad_pos >= 0 && aad_pos < CHACHA20_ROUND_OUTPUT - CHACHA20_POLY1305_AEAD_AAD_LEN);

112

    if (m_cached_aad_seqnr != seqnr_aad) {

113

        // we need to calculate the 64 keystream bytes since we reached a new aad sequence number

114

        m_cached_aad_seqnr = seqnr_aad;

115

        m_chacha_header.SetIV(seqnr_aad);                                         // use LE for the nonce

116

        m_chacha_header.Seek(0);                                                  // block counter 0

117

        m_chacha_header.Keystream(m_aad_keystream_buffer, CHACHA20_ROUND_OUTPUT); // write keystream to the cache

118

119

120

    // decrypt the ciphertext length by XORing the right position of the 64byte keystream cache with the ciphertext

121

    *len24_out = (ciphertext[0] ^ m_aad_keystream_buffer[aad_pos + 0]) |

122

                 (ciphertext[1] ^ m_aad_keystream_buffer[aad_pos + 1]) << 8 |

123

                 (ciphertext[2] ^ m_aad_keystream_buffer[aad_pos + 2]) << 16;

124

125

    return true;

126