authorPieter Wuille <pieter@wuille.net>2022-09-21 17:39:48 -0400
committerPieter Wuille <pieter@wuille.net>2023-01-30 18:12:21 -0500
commit62ec713961ade7b58e90c905395558a41e8a59f0 (patch)
treec06c39ba8afe9c401cf4aef1b375aa9b9b70c0de /src/crypto
parentf21994a02e1cc46d41995581b54222abc655be93 (diff)
Only support 32-byte keys in ChaCha20{,Aligned}
Diffstat (limited to 'src/crypto')
-rw-r--r--src/crypto/chacha20.cpp31
-rw-r--r--src/crypto/chacha20.h18
-rw-r--r--src/crypto/chacha_poly_aead.cpp5
-rw-r--r--src/crypto/muhash.cpp2
4 files changed, 24 insertions, 32 deletions
diff --git a/src/crypto/chacha20.cpp b/src/crypto/chacha20.cpp
index 80db0a3a83..c5eee5ccfd 100644
--- a/src/crypto/chacha20.cpp
+++ b/src/crypto/chacha20.cpp
@@ -22,30 +22,21 @@ constexpr static inline uint32_t rotl32(uint32_t v, int c) { return (v << c) | (
#define REPEAT10(a) do { {a}; {a}; {a}; {a}; {a}; {a}; {a}; {a}; {a}; {a}; } while(0)
static const unsigned char sigma[] = "expand 32-byte k";
-static const unsigned char tau[] = "expand 16-byte k";
-void ChaCha20Aligned::SetKey(const unsigned char* k, size_t keylen)
+void ChaCha20Aligned::SetKey32(const unsigned char* k)
{
- const unsigned char *constants;
-
+ input[0] = ReadLE32(sigma + 0);
+ input[1] = ReadLE32(sigma + 4);
+ input[2] = ReadLE32(sigma + 8);
+ input[3] = ReadLE32(sigma + 12);
input[4] = ReadLE32(k + 0);
input[5] = ReadLE32(k + 4);
input[6] = ReadLE32(k + 8);
input[7] = ReadLE32(k + 12);
- if (keylen == 32) { /* recommended */
- k += 16;
- constants = sigma;
- } else { /* keylen == 16 */
- constants = tau;
- }
- input[8] = ReadLE32(k + 0);
- input[9] = ReadLE32(k + 4);
- input[10] = ReadLE32(k + 8);
- input[11] = ReadLE32(k + 12);
- input[0] = ReadLE32(constants + 0);
- input[1] = ReadLE32(constants + 4);
- input[2] = ReadLE32(constants + 8);
- input[3] = ReadLE32(constants + 12);
+ input[8] = ReadLE32(k + 16);
+ input[9] = ReadLE32(k + 20);
+ input[10] = ReadLE32(k + 24);
+ input[11] = ReadLE32(k + 28);
input[12] = 0;
input[13] = 0;
input[14] = 0;
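Review bot: SetKey32 now reads 32 bytes through `k` with no length parameter and no check, so an undersized buffer is over-read silently; the only guard left is the `key32` name in the header. A precondition comment at the definition would make that explicit, e.g. `// Precondition: k points to at least 32 readable bytes; no length check is performed here.`, and since this file set already uses Span (muhash.cpp), a `Span<const unsigned char>` overload with `assert(key.size() == 32)` would let callers' sizes be checked rather than trusted. Removing the 16-byte/`tau` path is itself an improvement, as the old `else` branch accepted any keylen other than 32 without complaint. SetKey32's body continues past the hunk.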
@@ -57,9 +48,9 @@ ChaCha20Aligned::ChaCha20Aligned()
memset(input, 0, sizeof(input));
}
-ChaCha20Aligned::ChaCha20Aligned(const unsigned char* k, size_t keylen)
+ChaCha20Aligned::ChaCha20Aligned(const unsigned char* key32)
{
- SetKey(k, keylen);
+ SetKey32(key32);
}
void ChaCha20Aligned::SetIV(uint64_t iv)
diff --git a/src/crypto/chacha20.h b/src/crypto/chacha20.h
index 715bf4e8e9..1119bf6323 100644
--- a/src/crypto/chacha20.h
+++ b/src/crypto/chacha20.h
@@ -20,11 +20,11 @@ private:
public:
ChaCha20Aligned();
- /** Initialize a cipher with specified key (see SetKey for arguments). */
- ChaCha20Aligned(const unsigned char* key, size_t keylen);
+ /** Initialize a cipher with specified 32-byte key. */
+ ChaCha20Aligned(const unsigned char* key32);
- /** set key with flexible keylength (16 or 32 bytes; 32 recommended). */
- void SetKey(const unsigned char* key, size_t keylen);
+ /** set 32-byte key. */
+ void SetKey32(const unsigned char* key32);
/** set the 64-bit nonce. */
void SetIV(uint64_t iv);
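Review bot: `ChaCha20Aligned(const unsigned char* key32)` is now a single-argument constructor without `explicit`, so a bare `const unsigned char*` converts implicitly to a cipher object, which the previous two-argument form could not; declare it `explicit ChaCha20Aligned(const unsigned char* key32);`. The SetKey32 comment should also carry the precondition the signature no longer enforces, e.g. `/** set 32-byte key. key32 must point to at least 32 readable bytes; no length check is performed. */`.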
@@ -52,13 +52,13 @@ private:
public:
ChaCha20() = default;
- /** Initialize a cipher with specified key (see SetKey for arguments). */
- ChaCha20(const unsigned char* key, size_t keylen) : m_aligned(key, keylen) {}
+ /** Initialize a cipher with specified 32-byte key. */
+ ChaCha20(const unsigned char* key32) : m_aligned(key32) {}
- /** set key with flexible keylength (16 or 32 bytes; 32 recommended). */
- void SetKey(const unsigned char* key, size_t keylen)
+ /** set 32-byte key. */
+ void SetKey32(const unsigned char* key32)
{
- m_aligned.SetKey(key, keylen);
+ m_aligned.SetKey32(key32);
m_bufleft = 0;
}
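Review bot: `ChaCha20(const unsigned char* key32)` is likewise a non-explicit single-argument constructor after this change, allowing implicit conversion from a raw pointer; write it `explicit ChaCha20(const unsigned char* key32) : m_aligned(key32) {}`. The `/** set 32-byte key. */` comment could also mention the visible side effect that SetKey32 discards any buffered keystream (`m_bufleft = 0`), since a caller re-keying mid-stream depends on that, e.g. `/** set 32-byte key; any buffered keystream is discarded. */`.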
diff --git a/src/crypto/chacha_poly_aead.cpp b/src/crypto/chacha_poly_aead.cpp
index 5d135f8987..119ad6902f 100644
--- a/src/crypto/chacha_poly_aead.cpp
+++ b/src/crypto/chacha_poly_aead.cpp
@@ -36,8 +36,9 @@ ChaCha20Poly1305AEAD::ChaCha20Poly1305AEAD(const unsigned char* K_1, size_t K_1_
assert(K_1_len == CHACHA20_POLY1305_AEAD_KEY_LEN);
assert(K_2_len == CHACHA20_POLY1305_AEAD_KEY_LEN);
- m_chacha_header.SetKey(K_1, CHACHA20_POLY1305_AEAD_KEY_LEN);
- m_chacha_main.SetKey(K_2, CHACHA20_POLY1305_AEAD_KEY_LEN);
+ static_assert(CHACHA20_POLY1305_AEAD_KEY_LEN == 32);
+ m_chacha_header.SetKey32(K_1);
+ m_chacha_main.SetKey32(K_2);
// set the cached sequence number to uint64 max which hints for an unset cache.
// we can't hit uint64 max since the rekey rule (which resets the sequence number) is 1GB
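Review bot: After this hunk the only thing between a short K_1/K_2 and a 32-byte over-read inside SetKey32 is the runtime `assert(K_1_len == ...)`/`assert(K_2_len == ...)` above, because SetKey32 no longer receives a length; that holds only if this project never builds with NDEBUG (I believe it guards against that elsewhere, but it is worth stating at the call site). A one-line comment makes the dependency explicit, e.g. `// The asserts above are the only length check: SetKey32 reads exactly 32 bytes unconditionally.`. The `static_assert(CHACHA20_POLY1305_AEAD_KEY_LEN == 32)` is a good addition that ties the constant to the new fixed-size API. The constructor body continues past the hunk.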
diff --git a/src/crypto/muhash.cpp b/src/crypto/muhash.cpp
index d5ae67f374..471ee6af97 100644
--- a/src/crypto/muhash.cpp
+++ b/src/crypto/muhash.cpp
@@ -299,7 +299,7 @@ Num3072 MuHash3072::ToNum3072(Span<const unsigned char> in) {
unsigned char tmp[Num3072::BYTE_SIZE];
uint256 hashed_in{(HashWriter{} << in).GetSHA256()};
- ChaCha20Aligned(hashed_in.data(), hashed_in.size()).Keystream64(tmp, Num3072::BYTE_SIZE / 64);
+ ChaCha20Aligned(hashed_in.data()).Keystream64(tmp, Num3072::BYTE_SIZE / 64);
Num3072 out{tmp};
return out;
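Review bot: Dropping `hashed_in.size()` from the call removes the only place the 32-byte requirement of SetKey32 was visible at this site; correctness now rests on uint256 being exactly 32 bytes, which is true by construction but unstated. A compile-time pin in the style of the chacha_poly_aead.cpp hunk would document it, e.g. `static_assert(uint256::size() == 32);` if `size()` is a static constexpr member of base_blob as I recall, otherwise a comment such as `// SetKey32 reads exactly 32 bytes; a SHA256 digest is exactly that.`. ToNum3072 begins before the hunk.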