| 1 | +// Copyright (c) 2023 The Bitcoin Core developers |
| 2 | +// Distributed under the MIT software license, see the accompanying |
| 3 | +// file COPYING or http://www.opensource.org/licenses/mit-license.php. |
| 4 | + |
| 5 | +#include <bip324.h> |
| 6 | + |
| 7 | +#include <chainparams.h> |
| 8 | +#include <crypto/chacha20.h> |
| 9 | +#include <crypto/chacha20poly1305.h> |
| 10 | +#include <crypto/hkdf_sha256_32.h> |
| 11 | +#include <random.h> |
| 12 | +#include <span.h> |
| 13 | +#include <support/cleanse.h> |
| 14 | + |
| 15 | +#include <algorithm> |
| 16 | +#include <assert.h> |
| 17 | +#include <cstdint> |
| 18 | +#include <cstddef> |
| 19 | + |
| 20 | +BIP324Cipher::BIP324Cipher() noexcept |
| 21 | +{ |
| 22 | + m_key.MakeNewKey(true); |
| 23 | + uint256 entropy = GetRandHash(); |
| 24 | + m_our_pubkey = m_key.EllSwiftCreate(MakeByteSpan(entropy)); |
| 25 | +} |
| 26 | + |
| 27 | +BIP324Cipher::BIP324Cipher(const CKey& key, Span<const std::byte> ent32) noexcept : |
| 28 | + m_key(key) |
| 29 | +{ |
| 30 | + m_our_pubkey = m_key.EllSwiftCreate(ent32); |
| 31 | +} |
| 32 | + |
| 33 | +BIP324Cipher::BIP324Cipher(const CKey& key, const EllSwiftPubKey& pubkey) noexcept : |
| 34 | + m_key(key), m_our_pubkey(pubkey) {} |
| 35 | + |
| 36 | +void BIP324Cipher::Initialize(const EllSwiftPubKey& their_pubkey, bool initiator, bool self_decrypt) noexcept |
| 37 | +{ |
| 38 | + // Determine salt (fixed string + network magic bytes) |
| 39 | + const auto& message_header = Params().MessageStart(); |
| 40 | + std::string salt = std::string{"bitcoin_v2_shared_secret"} + std::string(std::begin(message_header), std::end(message_header)); |
| 41 | + |
| 42 | + // Perform ECDH to derive shared secret. |
| 43 | + ECDHSecret ecdh_secret = m_key.ComputeBIP324ECDHSecret(their_pubkey, m_our_pubkey, initiator); |
| 44 | + |
| 45 | + // Derive encryption keys from shared secret, and initialize stream ciphers and AEADs. |
| 46 | + bool side = (initiator != self_decrypt); |
| 47 | + CHKDF_HMAC_SHA256_L32 hkdf(UCharCast(ecdh_secret.data()), ecdh_secret.size(), salt); |
| 48 | + std::array<std::byte, 32> hkdf_32_okm; |
| 49 | + hkdf.Expand32("initiator_L", UCharCast(hkdf_32_okm.data())); |
| 50 | + (side ? m_send_l_cipher : m_recv_l_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL); |
| 51 | + hkdf.Expand32("initiator_P", UCharCast(hkdf_32_okm.data())); |
| 52 | + (side ? m_send_p_cipher : m_recv_p_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL); |
| 53 | + hkdf.Expand32("responder_L", UCharCast(hkdf_32_okm.data())); |
| 54 | + (side ? m_recv_l_cipher : m_send_l_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL); |
| 55 | + hkdf.Expand32("responder_P", UCharCast(hkdf_32_okm.data())); |
| 56 | + (side ? m_recv_p_cipher : m_send_p_cipher).emplace(hkdf_32_okm, REKEY_INTERVAL); |
| 57 | + |
| 58 | + // Derive garbage terminators from shared secret. |
| 59 | + hkdf.Expand32("garbage_terminators", UCharCast(hkdf_32_okm.data())); |
| 60 | + std::copy(std::begin(hkdf_32_okm), std::begin(hkdf_32_okm) + GARBAGE_TERMINATOR_LEN, |
| 61 | + (initiator ? m_send_garbage_terminator : m_recv_garbage_terminator).begin()); |
| 62 | + std::copy(std::end(hkdf_32_okm) - GARBAGE_TERMINATOR_LEN, std::end(hkdf_32_okm), |
| 63 | + (initiator ? m_recv_garbage_terminator : m_send_garbage_terminator).begin()); |
| 64 | + |
| 65 | + // Derive session id from shared secret. |
| 66 | + hkdf.Expand32("session_id", UCharCast(m_session_id.data())); |
| 67 | + |
| 68 | + // Wipe all variables that contain information which could be used to re-derive encryption keys. |
| 69 | + memory_cleanse(ecdh_secret.data(), ecdh_secret.size()); |
| 70 | + memory_cleanse(hkdf_32_okm.data(), sizeof(hkdf_32_okm)); |
| 71 | + memory_cleanse(&hkdf, sizeof(hkdf)); |
| 72 | + m_key = CKey(); |
| 73 | +} |
| 74 | + |
| 75 | +void BIP324Cipher::Encrypt(Span<const std::byte> contents, Span<const std::byte> aad, bool ignore, Span<std::byte> output) noexcept |
| 76 | +{ |
| 77 | + assert(output.size() == contents.size() + EXPANSION); |
| 78 | + |
| 79 | + // Encrypt length. |
| 80 | + std::byte len[LENGTH_LEN]; |
| 81 | + len[0] = std::byte{(uint8_t)(contents.size() & 0xFF)}; |
| 82 | + len[1] = std::byte{(uint8_t)((contents.size() >> 8) & 0xFF)}; |
| 83 | + len[2] = std::byte{(uint8_t)((contents.size() >> 16) & 0xFF)}; |
| 84 | + m_send_l_cipher->Crypt(len, output.first(LENGTH_LEN)); |
| 85 | + |
| 86 | + // Encrypt plaintext. |
| 87 | + std::byte header[HEADER_LEN] = {ignore ? IGNORE_BIT : std::byte{0}}; |
| 88 | + m_send_p_cipher->Encrypt(header, contents, aad, output.subspan(LENGTH_LEN)); |
| 89 | +} |
| 90 | + |
| 91 | +uint32_t BIP324Cipher::DecryptLength(Span<const std::byte> input) noexcept |
| 92 | +{ |
| 93 | + assert(input.size() == LENGTH_LEN); |
| 94 | + |
| 95 | + std::byte buf[LENGTH_LEN]; |
| 96 | + // Decrypt length |
| 97 | + m_recv_l_cipher->Crypt(input, buf); |
| 98 | + // Convert to number. |
| 99 | + return uint32_t(buf[0]) + (uint32_t(buf[1]) << 8) + (uint32_t(buf[2]) << 16); |
| 100 | +} |
| 101 | + |
| 102 | +bool BIP324Cipher::Decrypt(Span<const std::byte> input, Span<const std::byte> aad, bool& ignore, Span<std::byte> contents) noexcept |
| 103 | +{ |
| 104 | + assert(input.size() + LENGTH_LEN == contents.size() + EXPANSION); |
| 105 | + |
| 106 | + std::byte header[HEADER_LEN]; |
| 107 | + if (!m_recv_p_cipher->Decrypt(input, aad, header, contents)) return false; |
| 108 | + |
| 109 | + ignore = (header[0] & IGNORE_BIT) == IGNORE_BIT; |
| 110 | + return true; |
| 111 | +} |
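Review bot: The three-byte length encoding in `Encrypt` (the `len[0]`..`len[2]` lines) silently drops any bits of `contents.size()` above 24, so a caller passing more than 0xFFFFFF bytes would produce a ciphertext whose encrypted length disagrees with the actual payload and the peer would fail to decrypt or misframe the stream. The surrounding `assert(output.size() == contents.size() + EXPANSION)` does not catch this; add `assert(contents.size() <= 0xFFFFFF); // length field is 24 bits` before the encoding, or document that callers must enforce the bound. While there, the `(uint8_t)` C-style casts would read better as `static_cast<uint8_t>`. Separately, `Encrypt`, `DecryptLength` and `Decrypt` dereference the `std::optional` ciphers unconditionally, so a call before `Initialize` is undefined behaviour; a one-line `assert(m_send_l_cipher && m_send_p_cipher);` (and the recv counterparts) would turn that into a loud failure.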