LCOV - code coverage report
Current view: top level - src/crypto - chacha20.h (source / functions) Coverage Total Hit
Test: fuzz_coverage.info Lines: 100.0 % 6 6
Test Date: 2024-12-04 04:00:22 Functions: - 0 0
Branches: 50.0 % 6 3

             Branch data     Line data    Source code
       1                 :             : // Copyright (c) 2017-2022 The Bitcoin Core developers
       2                 :             : // Distributed under the MIT software license, see the accompanying
       3                 :             : // file COPYING or http://www.opensource.org/licenses/mit-license.php.
       4                 :             : 
       5                 :             : #ifndef BITCOIN_CRYPTO_CHACHA20_H
       6                 :             : #define BITCOIN_CRYPTO_CHACHA20_H
       7                 :             : 
       8                 :             : #include <span.h>
       9                 :             : 
      10                 :             : #include <array>
      11                 :             : #include <cstddef>
      12                 :             : #include <cstdlib>
      13                 :             : #include <stdint.h>
      14                 :             : #include <utility>
      15                 :             : 
      16                 :             : // classes for ChaCha20 256-bit stream cipher developed by Daniel J. Bernstein
      17                 :             : // https://cr.yp.to/chacha/chacha-20080128.pdf.
      18                 :             : //
      19                 :             : // The 128-bit input is here implemented as a 96-bit nonce and a 32-bit block
      20                 :             : // counter, as in RFC8439 Section 2.3. When the 32-bit block counter overflows
      21                 :             : // the first 32-bit part of the nonce is automatically incremented, making it
      22                 :             : // conceptually compatible with variants that use a 64/64 split instead.
      23                 :             : 
      24                 :             : /** ChaCha20 cipher that only operates on multiples of 64 bytes. */
      25                 :             : class ChaCha20Aligned
      26                 :             : {
      27                 :             : private:
      28                 :             :     uint32_t input[12];
      29                 :             : 
      30                 :             : public:
      31                 :             :     /** Expected key length in constructor and SetKey. */
      32                 :             :     static constexpr unsigned KEYLEN{32};
      33                 :             : 
      34                 :             :     /** Block size (inputs/outputs to Keystream / Crypt should be multiples of this). */
      35                 :             :     static constexpr unsigned BLOCKLEN{64};
      36                 :             : 
      37                 :             :     /** For safety, disallow initialization without key. */
      38                 :             :     ChaCha20Aligned() noexcept = delete;
      39                 :             : 
      40                 :             :     /** Initialize a cipher with specified 32-byte key. */
      41                 :             :     ChaCha20Aligned(Span<const std::byte> key) noexcept;
      42                 :             : 
      43                 :             :     /** Destructor to clean up private memory. */
      44                 :             :     ~ChaCha20Aligned();
      45                 :             : 
      46                 :             :     /** Set 32-byte key, and seek to nonce 0 and block position 0. */
      47                 :             :     void SetKey(Span<const std::byte> key) noexcept;
      48                 :             : 
      49                 :             :     /** Type for 96-bit nonces used by the Set function below.
      50                 :             :      *
      51                 :             :      * The first field corresponds to the LE32-encoded first 4 bytes of the nonce, also referred
      52                 :             :      * to as the '32-bit fixed-common part' in Example 2.8.2 of RFC8439.
      53                 :             :      *
      54                 :             :      * The second field corresponds to the LE64-encoded last 8 bytes of the nonce.
      55                 :             :      *
      56                 :             :      */
      57                 :             :     using Nonce96 = std::pair<uint32_t, uint64_t>;
      58                 :             : 
      59                 :             :     /** Set the 96-bit nonce and 32-bit block counter.
      60                 :             :      *
      61                 :             :      * Block_counter selects a position to seek to (to byte BLOCKLEN*block_counter). After 256 GiB,
      62                 :             :      * the block counter overflows, and nonce.first is incremented.
      63                 :             :      */
      64                 :             :     void Seek(Nonce96 nonce, uint32_t block_counter) noexcept;
      65                 :             : 
      66                 :             :     /** outputs the keystream into out, whose length must be a multiple of BLOCKLEN. */
      67                 :             :     void Keystream(Span<std::byte> out) noexcept;
      68                 :             : 
      69                 :             :     /** en/deciphers the message <input> and write the result into <output>
      70                 :             :      *
      71                 :             :      * The size of input and output must be equal, and be a multiple of BLOCKLEN.
      72                 :             :      */
      73                 :             :     void Crypt(Span<const std::byte> input, Span<std::byte> output) noexcept;
      74                 :             : };
      75                 :             : 
      76                 :             : /** Unrestricted ChaCha20 cipher. */
      77                 :             : class ChaCha20
      78                 :             : {
      79                 :             : private:
      80                 :             :     ChaCha20Aligned m_aligned;
      81                 :             :     std::array<std::byte, ChaCha20Aligned::BLOCKLEN> m_buffer;
      82                 :             :     unsigned m_bufleft{0};
      83                 :             : 
      84                 :             : public:
      85                 :             :     /** Expected key length in constructor and SetKey. */
      86                 :             :     static constexpr unsigned KEYLEN = ChaCha20Aligned::KEYLEN;
      87                 :             : 
      88                 :             :     /** For safety, disallow initialization without key. */
      89                 :             :     ChaCha20() noexcept = delete;
      90                 :             : 
      91                 :             :     /** Initialize a cipher with specified 32-byte key. */
      92         [ -  + ]:    13166161 :     ChaCha20(Span<const std::byte> key) noexcept : m_aligned(key) {}
      93                 :             : 
      94                 :             :     /** Destructor to clean up private memory. */
      95                 :             :     ~ChaCha20();
      96                 :             : 
      97                 :             :     /** Set 32-byte key, and seek to nonce 0 and block position 0. */
      98                 :             :     void SetKey(Span<const std::byte> key) noexcept;
      99                 :             : 
     100                 :             :     /** 96-bit nonce type. */
     101                 :             :     using Nonce96 = ChaCha20Aligned::Nonce96;
     102                 :             : 
     103                 :             :     /** Set the 96-bit nonce and 32-bit block counter. See ChaCha20Aligned::Seek. */
     104                 :     4131298 :     void Seek(Nonce96 nonce, uint32_t block_counter) noexcept
     105                 :             :     {
     106                 :     4130761 :         m_aligned.Seek(nonce, block_counter);
     107   [ +  -  +  - ]:     4096943 :         m_bufleft = 0;
     108                 :       28856 :     }
     109                 :             : 
     110                 :             :     /** en/deciphers the message <in_bytes> and write the result into <out_bytes>
     111                 :             :      *
     112                 :             :      * The size of in_bytes and out_bytes must be equal.
     113                 :             :      */
     114                 :             :     void Crypt(Span<const std::byte> in_bytes, Span<std::byte> out_bytes) noexcept;
     115                 :             : 
     116                 :             :     /** outputs the keystream to out. */
     117                 :             :     void Keystream(Span<std::byte> out) noexcept;
     118                 :             : };
     119                 :             : 
     120                 :             : /** Forward-secure ChaCha20
     121                 :             :  *
     122                 :             :  * This implements a stream cipher that automatically transitions to a new stream with a new key
     123                 :             :  * and new nonce after a predefined number of encryptions or decryptions.
     124                 :             :  *
     125                 :             :  * See BIP324 for details.
     126                 :             :  */
     127                 :        4860 : class FSChaCha20
     128                 :             : {
     129                 :             : private:
     130                 :             :     /** Internal stream cipher. */
     131                 :             :     ChaCha20 m_chacha20;
     132                 :             : 
     133                 :             :     /** The number of encryptions/decryptions before a rekey happens. */
     134                 :             :     const uint32_t m_rekey_interval;
     135                 :             : 
     136                 :             :     /** The number of encryptions/decryptions since the last rekey. */
     137                 :             :     uint32_t m_chunk_counter{0};
     138                 :             : 
     139                 :             :     /** The number of rekey operations that have happened. */
     140                 :             :     uint64_t m_rekey_counter{0};
     141                 :             : 
     142                 :             : public:
     143                 :             :     /** Length of keys expected by the constructor. */
     144                 :             :     static constexpr unsigned KEYLEN = 32;
     145                 :             : 
     146                 :             :     // No copy or move to protect the secret.
     147                 :             :     FSChaCha20(const FSChaCha20&) = delete;
     148                 :             :     FSChaCha20(FSChaCha20&&) = delete;
     149                 :             :     FSChaCha20& operator=(const FSChaCha20&) = delete;
     150                 :             :     FSChaCha20& operator=(FSChaCha20&&) = delete;
     151                 :             : 
     152                 :             :     /** Construct an FSChaCha20 cipher that rekeys every rekey_interval Crypt() calls. */
     153                 :             :     FSChaCha20(Span<const std::byte> key, uint32_t rekey_interval) noexcept;
     154                 :             : 
     155                 :             :     /** Encrypt or decrypt a chunk. */
     156                 :             :     void Crypt(Span<const std::byte> input, Span<std::byte> output) noexcept;
     157                 :             : };
     158                 :             : 
     159                 :             : #endif // BITCOIN_CRYPTO_CHACHA20_H
        

Generated by: LCOV version 2.0-1