From df49c370b3beb619573e0f0d85d9f820baf0268e Mon Sep 17 00:00:00 2001 From: dhruv <856960+dhruv@users.noreply.github.com> Date: Thu, 11 Aug 2022 16:38:04 -0700 Subject: [PATCH] Allow for RFC8439 AD in cipher suite interface --- src/bench/bip324_suite.cpp | 4 ++-- src/crypto/bip324_suite.cpp | 8 +++++--- src/crypto/bip324_suite.h | 5 ++++- src/test/crypto_tests.cpp | 28 ++++++++++++++++++++------- src/test/fuzz/crypto_bip324_suite.cpp | 4 +++- 5 files changed, 35 insertions(+), 14 deletions(-) diff --git a/src/bench/bip324_suite.cpp b/src/bench/bip324_suite.cpp index fd3cd0b2f..84e6d8545 100644 --- a/src/bench/bip324_suite.cpp +++ b/src/bench/bip324_suite.cpp @@ -36,7 +36,7 @@ static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t contents_len, bo bench.batch(contents_len).unit("byte").run([&] { // encrypt or decrypt the buffer with a static key - const bool crypt_ok_1 = enc.Crypt(in, out, flags, true); + const bool crypt_ok_1 = enc.Crypt({}, in, out, flags, true); assert(crypt_ok_1); if (include_decryption) { @@ -44,7 +44,7 @@ static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t contents_len, bo std::array encrypted_pkt_len; memcpy(encrypted_pkt_len.data(), out.data(), BIP324_LENGTH_FIELD_LEN); (void)dec.DecryptLength(encrypted_pkt_len); - const bool crypt_ok_2 = dec.Crypt({out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false); + const bool crypt_ok_2 = dec.Crypt({}, {out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false); assert(crypt_ok_2); } }); diff --git a/src/crypto/bip324_suite.cpp b/src/crypto/bip324_suite.cpp index 859168185..d7da9dcb9 100644 --- a/src/crypto/bip324_suite.cpp +++ b/src/crypto/bip324_suite.cpp @@ -43,7 +43,9 @@ void BIP324CipherSuite::Rekey() rekey_c20.Keystream(reinterpret_cast(key_P.data()), BIP324_KEY_LEN); } -bool BIP324CipherSuite::Crypt(const Span input, Span output, +bool BIP324CipherSuite::Crypt(const Span aad, + const Span input, + Span output, BIP324HeaderFlags& flags, bool encrypt) { // check buffer boundaries @@ -72,13 +74,13 @@ bool BIP324CipherSuite::Crypt(const Span input, Span fsc20.Crypt({reinterpret_cast(&contents_len), BIP324_LENGTH_FIELD_LEN}, {write_pos, BIP324_LENGTH_FIELD_LEN}); write_pos += BIP324_LENGTH_FIELD_LEN; - RFC8439Encrypt({}, key_P, nonce, header_and_contents, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_EXPANSION}); + RFC8439Encrypt(aad, key_P, nonce, header_and_contents, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_EXPANSION}); } else { // we must use BIP324CipherSuite::DecryptLength before calling BIP324CipherSuite::Crypt // input is encrypted (header + contents) and the MAC tag i.e. the RFC8439 ciphertext blob // decrypted header will be put in flags and output will be plaintext contents. std::vector decrypted_header_and_contents(input.size() - RFC8439_EXPANSION); - auto authenticated = RFC8439Decrypt({}, key_P, nonce, input, decrypted_header_and_contents); + auto authenticated = RFC8439Decrypt(aad, key_P, nonce, input, decrypted_header_and_contents); if (!authenticated) { return false; } diff --git a/src/crypto/bip324_suite.h b/src/crypto/bip324_suite.h index b004aefd1..82e9179a7 100644 --- a/src/crypto/bip324_suite.h +++ b/src/crypto/bip324_suite.h @@ -58,7 +58,10 @@ class BIP324CipherSuite Returns true upon success. Upon failure, the output should not be used. */ - [[nodiscard]] bool Crypt(const Span input, Span output, BIP324HeaderFlags& flags, bool encrypt); + [[nodiscard]] bool Crypt(const Span aad, + const Span input, + Span output, + BIP324HeaderFlags& flags, bool encrypt); /** Decrypts the 3 byte encrypted length field (the packet header and contents length) and decodes it into a uint32_t field The FSChaCha20 keystream will advance. As a result, DecryptLength() cannot be called multiple times to get the same result. The caller must cache the result for re-use. diff --git a/src/test/crypto_tests.cpp b/src/test/crypto_tests.cpp index 75ee8d0b4..222c5c542 100644 --- a/src/test/crypto_tests.cpp +++ b/src/test/crypto_tests.cpp @@ -830,7 +830,7 @@ BOOST_AUTO_TEST_CASE(hkdf_hmac_sha256_l32_tests) "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d"); } -static void TestBIP324CipherSuite(const std::string& hex_contents, const std::string& hex_key_L, const std::string& hex_key_P, const std::string& hex_expected_output_seq_0, const std::string& hex_expected_output_seq_999) +static void TestBIP324CipherSuite(const std::string& hex_aad, const std::string& hex_contents, const std::string& hex_key_L, const std::string& hex_key_P, const std::string& hex_expected_output_seq_0, const std::string& hex_expected_output_seq_999) { auto key_L_vec = ParseHex(hex_key_L); BIP324Key key_L; @@ -840,6 +840,8 @@ static void TestBIP324CipherSuite(const std::string& hex_contents, const std::st BIP324Key key_P; memcpy(key_P.data(), key_P_vec.data(), BIP324_KEY_LEN); + auto aad = ParseHex(hex_aad); + const auto original_contents_bytes = ParseHex(hex_contents); auto contents_buf = original_contents_bytes; @@ -856,7 +858,7 @@ static void TestBIP324CipherSuite(const std::string& hex_contents, const std::st // encrypt / decrypt the packet 1000 times for (size_t i = 0; i < 1000; ++i) { // encrypt - auto res = suite_enc.Crypt(MakeByteSpan(contents_buf), MakeWritableByteSpan(encrypted_pkt), flags, true); + auto res = suite_enc.Crypt(MakeByteSpan(aad), MakeByteSpan(contents_buf), MakeWritableByteSpan(encrypted_pkt), flags, true); BOOST_CHECK(res); // verify ciphertext & mac against the test vector if (i == 0) { @@ -869,7 +871,7 @@ static void TestBIP324CipherSuite(const std::string& hex_contents, const std::st out_len = suite_dec.DecryptLength(encrypted_pkt_len); BOOST_CHECK_EQUAL(out_len, contents_buf.size()); - res = suite_dec.Crypt({reinterpret_cast(encrypted_pkt.data()) + BIP324_LENGTH_FIELD_LEN, encrypted_pkt.size() - BIP324_LENGTH_FIELD_LEN}, MakeWritableByteSpan(contents_buf_dec), flags, false); + res = suite_dec.Crypt(MakeByteSpan(aad), {reinterpret_cast(encrypted_pkt.data()) + BIP324_LENGTH_FIELD_LEN, encrypted_pkt.size() - BIP324_LENGTH_FIELD_LEN}, MakeWritableByteSpan(contents_buf_dec), flags, false); BOOST_CHECK(res); BOOST_CHECK_EQUAL(flags, BIP324_NONE); @@ -887,29 +889,41 @@ BOOST_AUTO_TEST_CASE(bip324_cipher_suite_testvectors) // encrypting an empty message should result in 20 bytes: // 3 bytes of encrypted length, 1 byte header and 16 bytes MAC - TestBIP324CipherSuite(/* plaintext */ "", + TestBIP324CipherSuite(/* aad */ "", + /* plaintext */ "", /* k_l */ "0000000000000000000000000000000000000000000000000000000000000000", /* k_p */ "0000000000000000000000000000000000000000000000000000000000000000", /* ciphertext_and_mac_0 */ "76b8e09fbedcfd1809ff3c10adf8277fcc0581b8", /* ciphertext_and_mac_999 */ "5dd1ef229ae773099415b4ae56d003d21b4e4a08"); - TestBIP324CipherSuite("0000000000000000000000000000000000000000000000000000000000000000", + TestBIP324CipherSuite("", + "0000000000000000000000000000000000000000000000000000000000000000", "0000000000000000000000000000000000000000000000000000000000000000", "0000000000000000000000000000000000000000000000000000000000000000", "56b8e09f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29e7e38bb44c94b6a43c525ffca66c79e9", "7dd1ef2205b549ef8e0dc60b16342f037e415cfcd3d6111532f8f9e7553e422129d9df0d58e083ad538381c1e30a51a5d296cce2"); - TestBIP324CipherSuite("0100000000000000000000000000000000000000000000000000000000000000", + TestBIP324CipherSuite("", + "0100000000000000000000000000000000000000000000000000000000000000", "0000000000000000000000000000000000000000000000000000000000000000", "0000000000000000000000000000000000000000000000000000000000000000", "56b8e09f06e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed2929449b86c1e4e213676824f2c48e5336", "7dd1ef2204b549ef8e0dc60b16342f037e415cfcd3d6111532f8f9e7553e422129d9df0d04fc5b2ab5cb70895a90edddbe642c00"); - TestBIP324CipherSuite("fc0000f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9", + TestBIP324CipherSuite("", + "fc0000f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9", "ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", "3940c1184442315c7340b89171039acb48f95287e66e56f7afa7cf00f95044d26fb69d46ac5c16a2d57a1cadc39160644717559e73480734410a3f543c5f231a7d7ed77af2a64681f6a7417283cef85504ac5de9fdea100e6c67ef7a1bfcd888a92a5f1ef2c9074b44b572aa748f29ff61a850ce40470004dff5cc1d926c5abe25ace47a12c5373094a26bab027e008154fb630aa062490b5421e96691a3f79557f7a79e3cfd9100796671ea241703ddf326f113adf1694bbd6e0ca032e16f936e7bfbf174e7ef4af5b53a6a9102e6fa41a8e589290f39a7bc7a6003088c612a43a36c2e9f2e740797ad3a2a1a80e0f67157fb9abc40487077368e94751a266a0b2dac24f0adabd5c6d7ba54316eee951da560", "2db339c8500d35db91994138b4ab5e698086b4ec7fb66e75d083b18f84a9da7d696be75c349cb1555a58f65f123d4b68e2be2277fd7b38ba26ad93040a22ac8f7782b00d75c7650dcff0442f7ef91980aaabecb2c8cefec5d5eb9d495b5e1768fe316ec2a0d69d46b7289cd2e2049f27d30a6183605651d48ac40e0d06af9ec7012d477e473f2af7842335c36acf4f5bdef45605ca243b9007b5363f095850a78945508cf3fa191b8fe7fc5359d6e00741e6504f1d50904152622f4c0bdeaa0745f00d28b995543621c96d9d9d30fa1fbf403b19a716411b1700e8401a3e1e01bb1546653fbda19d83ba5e561695baea229880ff33058f85754fe9fdc09db4491f47ae64ec030ec6163d2838d9474d40ef0579"); + + // Repeat test with non-empty aad - only mac tags (last 16 bytes) in the expected outputs change + TestBIP324CipherSuite("c6d7bc3a5079ae98fec7094bdfb42aac61d3ba64af179d672c7c33fd4a139647", + "fc0000f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9", + "ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f", + "3940c1184442315c7340b89171039acb48f95287e66e56f7afa7cf00f95044d26fb69d46ac5c16a2d57a1cadc39160644717559e73480734410a3f543c5f231a7d7ed77af2a64681f6a7417283cef85504ac5de9fdea100e6c67ef7a1bfcd888a92a5f1ef2c9074b44b572aa748f29ff61a850ce40470004dff5cc1d926c5abe25ace47a12c5373094a26bab027e008154fb630aa062490b5421e96691a3f79557f7a79e3cfd9100796671ea241703ddf326f113adf1694bbd6e0ca032e16f936e7bfbf174e7ef4af5b53a6a9102e6fa41a8e589290f39a7bc7a6003088c612a43a36c2e9f2e740797ad3a2a1a80e0f67157fb9abc40487077368e94751a266a0b2dac4d382097b958da569f3b6fae3faaaaf2", + "2db339c8500d35db91994138b4ab5e698086b4ec7fb66e75d083b18f84a9da7d696be75c349cb1555a58f65f123d4b68e2be2277fd7b38ba26ad93040a22ac8f7782b00d75c7650dcff0442f7ef91980aaabecb2c8cefec5d5eb9d495b5e1768fe316ec2a0d69d46b7289cd2e2049f27d30a6183605651d48ac40e0d06af9ec7012d477e473f2af7842335c36acf4f5bdef45605ca243b9007b5363f095850a78945508cf3fa191b8fe7fc5359d6e00741e6504f1d50904152622f4c0bdeaa0745f00d28b995543621c96d9d9d30fa1fbf403b19a716411b1700e8401a3e1e01bb1546653fbda19d83ba5e561695baea229880ff33058f85754fe9fdc09db4491f47ae0623cf23941a59b7c7dc6cad9bd97cc1"); } BOOST_AUTO_TEST_CASE(countbits_tests) diff --git a/src/test/fuzz/crypto_bip324_suite.cpp b/src/test/fuzz/crypto_bip324_suite.cpp index 76975dab0..eb287cd83 100644 --- a/src/test/fuzz/crypto_bip324_suite.cpp +++ b/src/test/fuzz/crypto_bip324_suite.cpp @@ -36,6 +36,8 @@ FUZZ_TARGET(crypto_bip324_suite) std::vector out(BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + contents_size + RFC8439_EXPANSION, std::byte{0x00}); bool is_encrypt = fdp.ConsumeBool(); BIP324HeaderFlags flags{fdp.ConsumeIntegralInRange(0, 255)}; + size_t aad_size = fdp.ConsumeIntegralInRange(0, 255); + auto aad = fdp.ConsumeBytes(aad_size); LIMITED_WHILE(fdp.ConsumeBool(), 10000) { CallOneOf( @@ -49,7 +51,7 @@ FUZZ_TARGET(crypto_bip324_suite) flags = BIP324HeaderFlags{fdp.ConsumeIntegralInRange(0, 255)}; }, [&] { - (void)suite.Crypt(in, out, flags, is_encrypt); + (void)suite.Crypt(aad, in, out, flags, is_encrypt); }, [&] { std::array encrypted_pkt_len;