path: root/src/crypto
Age | Commit message | Author
2021-10-20 | Fix K1/K2 use in the comments in ChaCha20-Poly1305 AEAD | =
This is done for the ChaCha20-Poly1305 AEAD test vector and for the K1/K2 ChaCha20 cipher instances in chacha_poly_aead.h
2021-06-23 | [crypto] Fix K1/K2 use in ChaCha20-Poly1305 AEAD | Dhruv Mehta
BIP324 mentions K1 is used for the associated data and K2 is used for the payload. The code does the opposite. This is not a security problem but will be a problem across implementations based on the HKDF key derivations.
2021-04-19 | crypto: Make MuHash Remove method efficient | Fabian Jahr
Division of MuHash objects is very expensive and multiplication relatively cheap. The whole idea of introducing and tracking numerators and denominators separately as a representation of the internal state was so that divisions would be rare. So using division in the Remove method did not make any sense and was just a silly mistake which is corrected here.
2021-01-24 | refactor: Improve encapsulation between MuHash3072 and Num3072 | Fabian Jahr
Also fixes a typo.
2021-01-07 | Merge #19055: Add MuHash3072 implementation | Wladimir J. van der Laan
9815332d5158d69a94abeaf465a2c07bd8e43359 test: Change MuHash Python implementation to match cpp version again (Fabian Jahr)
01297fb3ca57e4b8cbc5a89fc7c6367de33b0bc6 fuzz: Add MuHash consistency fuzz test (Fabian Jahr)
b111410914041b72961536c3e4037eba103a8085 test: Add MuHash3072 fuzz test (Fabian Jahr)
c1225273857f9fa2e2276396e3f8b3ea48306df3 bench: Add Muhash benchmarks (Fabian Jahr)
7b1242229d1fcc9277238a3aefb3431061c82bfa test: Add MuHash3072 unit tests (Fabian Jahr)
adc708c98dbf03b1735edc91f813a36580781a95 crypto: Add MuHash3072 implementation (Fabian Jahr)
0b4d290bf5b0a4d156c523431bf89aaa9ffe92e5 crypto: Add Num3072 implementation (Fabian Jahr)
589f958662a2dcaacdb9a66f1088c74828a39577 build: Check for 128 bit integer support (Fabian Jahr)

Pull request description:

This is the first split of #18000 which implements the Muhash algorithm and uses it to calculate the UTXO set hash in `gettxoutsetinfo`.

ACKs for top commit:
laanwj: Code review ACK 9815332d5158d69a94abeaf465a2c07bd8e43359

Tree-SHA512: 4bc090738f0e3d80b74bdd8122e24a8ce80121120fd37c7e4335a73e7ba4fcd7643f2a2d559e2eebf54b8e3a3bd5f12cfb27ba61ded135fda210a07a233eae45
2021-01-04 | doc: Use https URLs where possible | Sawyer Billings
2020-12-31 | scripted-diff: Bump copyright headers | MarcoFalke
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-
2020-12-21 | crypto: Add MuHash3072 implementation | Fabian Jahr
Co-authored-by: Pieter Wuille <pieter.wuille@gmail.com>
2020-12-20 | crypto: Add Num3072 implementation | Fabian Jahr
Num3072 is a specialized bignum implementation used in MuHash3072.
Co-authored-by: Pieter Wuille <pieter.wuille@gmail.com>
2020-09-28 | Merge #19845: net: CNetAddr: add support to (un)serialize as ADDRv2 | Pieter Wuille
7be6ff61875a8d5d2335bff5d1f16ba40557adb0 net: recognize TORv3/I2P/CJDNS networks (Vasil Dimov)
e0d73573a37bf4b519f6f61e5678572d48a64517 net: CNetAddr: add support to (un)serialize as ADDRv2 (Vasil Dimov)
fe42411b4b07b99c591855f5f00ad45dfeec8e30 test: move HasReason so it can be reused (Vasil Dimov)
d2bb681f96fb327b4c4d5b2b113692ca22fdffbf util: move HasPrefix() so it can be reused (Vasil Dimov)

Pull request description:

(chopped off from #19031 to ease review)

Add an optional support to serialize/unserialize `CNetAddr` in ADDRv2 format (BIP155). The new serialization is engaged by ORing a flag into the stream version. So far this is only used in tests to ensure the new code works as expected.

ACKs for top commit:
Sjors: re-tACK 7be6ff61875a8d5d2335bff5d1f16ba40557adb0
sipa: re-utACK 7be6ff61875a8d5d2335bff5d1f16ba40557adb0
eriknylund: ACK 7be6ff61875a8d5d2335bff5d1f16ba40557adb0 I built the PR on macOS Catalina 10.15.6, ran both tests and functional tests. I've reviewed the code and think the changes look good and according to BIP155. I verified that the added Base32 encoding test looks as proposed and working. I've run a node for a week only with Onion addresses `-onlynet=onion` without issues and I can connect to other peer reviewers running TorV3 on their nodes and I can connect both of my test nodes to each other.
jonatack: re-ACK 7be6ff61875a8d5d2335bff5d1f16ba40557adb0 per `git diff b9c46e0 7be6ff6`, debug build, ran/running bitcoind with this change and observed the log and `-netinfo` peer connections while connected as a tor v2 service to both tor v2 peers and also five tor v3 peers.
hebasto: ACK 7be6ff61875a8d5d2335bff5d1f16ba40557adb0, tested on Linux Mint 20 (x86_64): on top of this pull and #19031 I'm able to connect to onion v3 addresses, and jonatack is able to connect to my created onion v3 address.

Tree-SHA512: dc621411ac4393993aa3ccad10991717ec5f9f2643cae46a24a89802df0a33d6042994fc8ff2f0f397a3dbcd1c0e58fe4724305a2f9eb64d9342c3bdf784d9be
2020-09-21 | net: recognize TORv3/I2P/CJDNS networks | Vasil Dimov
Recognizing addresses from those networks allows us to accept and gossip them, even though we don't know how to connect to them (yet).
Co-authored-by: eriknylund <erik@daychanged.com>
2020-09-14 | Merge #19931: Change CSipHasher's count variable to uint8_t | fanquake
812037cb80f72096738cf2b0c15b39536c6c1e24 Change CSipHasher's count variable to uint8_t (Pieter Wuille)

Pull request description:

SipHash technically supports arbitrarily long inputs (at least, I couldn't find a limit in the [paper](https://eprint.iacr.org/2012/351.pdf)), but only the low 8 bits of the length matter. Because of that we should use an unsigned type to track the length (as any signed type could overflow, which is UB). `uint8_t` is sufficient, however.

Fixes #19930.

ACKs for top commit:
laanwj: anyhow re-ACK 812037cb80f72096738cf2b0c15b39536c6c1e24
elichai: utACK 812037cb80f72096738cf2b0c15b39536c6c1e24
practicalswift: ACK 812037cb80f72096738cf2b0c15b39536c6c1e24
theStack: ACK 812037cb80f72096738cf2b0c15b39536c6c1e24

Tree-SHA512: 5b1440c9e4591460da198991fb421ad47d2d96def2014e761726ce361aa9575752f2c4085656e7e9badee3660ff005cc76fbd1afe4848faefe4502f3412bd896
2020-09-10 | Change CSipHasher's count variable to uint8_t | Pieter Wuille
2020-09-06 | Unroll Keccak-f implementation | Pieter Wuille
2020-09-06 | Implement keccak-f[1600] and SHA3-256 | Pieter Wuille
2020-06-29 | build: improve builtin_clz* detection | fanquake
The way we currently test with AC_CHECK_DECLS does not work with Clang:

```bash
configure:21492: clang++-10 -std=c++11 -c -g -O2 -DHAVE_BUILD_INFO -D__STDC_FORMAT_MACROS conftest.cpp >&5
conftest.cpp:100:10: error: builtin functions must be directly called
(void) __builtin_clz;
         ^
1 error generated.
```

This also removes the __builtin_clz() check, as we don't actually use it anywhere, and it's trivial to re-add detection if we do start using it at some point.
2020-04-07 | Avoid non-trivial global constants in SHA-NI code | Pieter Wuille
2020-01-16 | Merge #17691: doc: Add missed copyright headers | MarcoFalke
fac86ac7b3ceac2f884412c7a9f4bd5bab5e3916 scripted-diff: Add missed copyright headers (Hennadii Stepanov)
6fde9d5e47fc9a1042b3fb68031eab5bf55e508d script: Update EXLUDE list in copyright_header.py (Hennadii Stepanov)
1998152f15fd2b0e83f5068c375a34feaf73db8c script: Add empty line after C++ copyright (Hennadii Stepanov)
071f2fc204f542c5a287ca8835115a2ee0bf2f50 script: Add ability to insert copyright to *.sh (Hennadii Stepanov)

Pull request description:

This PR improves `contrib/devtools/copyright_header.py` script and adds copyright headers to the files in `src` and `test` directories with two exceptions:
- [`src/reverse_iterator.h`](https://github.com/bitcoin/bitcoin/blob/master/src/reverse_iterator.h) (added to exceptions)
- [`src/test/fuzz/FuzzedDataProvider.h`](https://github.com/bitcoin/bitcoin/blob/master/src/test/fuzz/FuzzedDataProvider.h) (added to exceptions)

On master 5622d8f3156a293e61d0964c33d4b21d8c9fd5e0:
```
$ ./contrib/devtools/copyright_header.py report . | grep zero
25 with zero copyrights
```
With this PR:
```
$ ./contrib/devtools/copyright_header.py report . | grep zero
2 with zero copyrights
```

~I am uncertain about our copyright policy with `build_msvc` and `contrib` directories content, so they are out of scope of this PR.~

ACKs for top commit:
MarcoFalke: ACK fac86ac7b3ceac2f884412c7a9f4bd5bab5e3916

Tree-SHA512: d7832c4a7a1a3b7806119775b40ec35d7982f49ff0e6199b8cee4c0e0a36e68d51728b6ee9924b1c161df4bc6105bd93391b79d42914357fa522f499cb113fa8
2020-01-04 | scripted-diff: Add missed copyright headers | Hennadii Stepanov
-BEGIN VERIFY SCRIPT-
s() { contrib/devtools/copyright_header.py insert "$1"; }
s build_msvc/bitcoin_config.h
s build_msvc/msvc-autogen.py
s build_msvc/testconsensus/testconsensus.cpp
s contrib/devtools/circular-dependencies.py
s contrib/devtools/gen-manpages.sh
s contrib/filter-lcov.py
s contrib/gitian-build.py
s contrib/install_db4.sh
s src/crypto/sha256_avx2.cpp
s src/crypto/sha256_sse41.cpp
s src/fs.cpp
s src/qt/test/addressbooktests.cpp
s src/qt/test/addressbooktests.h
s src/qt/test/util.cpp
s src/qt/test/util.h
s src/qt/test/wallettests.cpp
s src/qt/test/wallettests.h
s src/test/blockchain_tests.cpp
s test/functional/combine_logs.py
s test/lint/lint-locale-dependence.sh
sed -i '1G' test/lint/lint-shebang.sh
s test/lint/lint-shebang.sh
-END VERIFY SCRIPT-
2019-12-30 | scripted-diff: Bump copyright of files changed in 2019 | MarcoFalke
-BEGIN VERIFY SCRIPT-
./contrib/devtools/copyright_header.py update ./
-END VERIFY SCRIPT-
2019-11-12 | Report amount of data gathered from environment | Pieter Wuille
2019-11-12 | [MOVEONLY] Move cpuid code from random & sha256 to compat/cpuid | Pieter Wuille
2019-10-28 | Fix occurrences of c_str() used with size() to data() | Wladimir J. van der Laan
Using `data()` better communicates the intent here. Also, depending on how `c_str()` is implemented, this fixes undefined behavior: The part of the string after the first NULL character might have undefined contents.
2019-10-15 | Remove unused includes | practicalswift
2019-06-25 | Add ChaCha20Poly1305@Bitcoin AEAD implementation | Jonas Schnelli
2019-06-02 | Make reasoning about dependencies easier by not including unused dependencies | practicalswift
2019-05-16 | Merge #14047: Add HKDF_HMAC256_L32 and method to negate a private key | Wladimir J. van der Laan
8794a4b3ae4d34a4cd21a7dee9f694eef7726a4f QA: add test for HKDF HMAC_SHA256 L32 (Jonas Schnelli)
551d489416339dae8f9d896013cd060a21406e2b Add HKDF HMAC_SHA256 L=32 implementations (Jonas Schnelli)
3b64f852e400c552f031697d6a86829dc6e74bd6 QA: add test for CKey::Negate() (Jonas Schnelli)
463921bb649d644f79f9d7f0f96f10aa0d165f76 CKey: add method to negate the key (Jonas Schnelli)

Pull request description:

This adds a limited implementation of `HKDF` (defined by rfc5869) that supports only HMAC-SHA256 and length output of 32 bytes (will be required for v2 transport protocol).

This PR also includes a method to negate a private key which is useful to enforce public keys starting with 0x02 (or 0x03) (a requirement for the v2 transport protocol). The new `CKey::Negate()` method is pretty much a wrapper around `secp256k1_ec_privkey_negate()`.

Including tests.

This is a subset of #14032 and a pre-requirement for the v2 transport protocol.

ACKs for commit 8794a4:

Tree-SHA512: 5341929dfa29f5da766ec3612784baec6a3ad69972f08b5a985a8aafdae4dae36f104a2b888d1f5d1f33561456bd111f960d7e32c2cc4fd18e48358468f26c1a
2019-05-16 | Merge #15950: Do not construct out-of-bound pointers in SHA2 code | Wladimir J. van der Laan
c01c065b9ded3399a6a480f15543827dd5e8eb4d Do not construct out-of-bound pointers in SHA512/SHA1/RIPEMD160 code (Pieter Wuille)

Pull request description:

This looks like an issue in the current SHA256/512 code, where a pointer outside of the area pointed to may be constructed (this is UB in theory, though in practice every supported platform treats pointers as integers).

I discovered this while investigating #14580. Sadly, it does not fix it.

ACKs for commit c01c06:
practicalswift: utACK c01c065b9ded3399a6a480f15543827dd5e8eb4d

Tree-SHA512: 47660e00f164f38c36a1ab46e52dd91cd33cfda6a6048d67541c2f8e73c050d4d9d81b5c149bfad281212d52f204f57bebf5b19879dc7a6a5f48aa823fbc2c02
2019-05-11 | Add HKDF HMAC_SHA256 L=32 implementations | Jonas Schnelli
2019-05-10 | Merge #15512: Add ChaCha20 encryption option (XOR) | Jonas Schnelli
2dfe27517 Add ChaCha20 bench (Jonas Schnelli)
2bc2b8b49 Add ChaCha20 encryption option (XOR) (Jonas Schnelli)

Pull request description:

The current ChaCha20 implementation does not support message encryption (it can only output the keystream which is sufficient for the RNG). This PR adds the actual XORing of the `plaintext` with the `keystream` in order to return the desired `ciphertext`.

Required for v2 message transport protocol.

ACKs for commit 2dfe27:
jnewbery: Looks good. utACK 2dfe2751713c814aea53b5a7563eb74ad1baea00.
jnewbery: utACK 2dfe2751713c814aea53b5a7563eb74ad1baea00
sipa: utACK 2dfe2751713c814aea53b5a7563eb74ad1baea00
ryanofsky: utACK 2dfe2751713c814aea53b5a7563eb74ad1baea00. Changes since last review are just renaming the Crypt method, adding comments, and simplifying the benchmark.

Tree-SHA512: 84bb234da2ca9fdc44bc29a786d9dd215520f81245270c1aef801ef66b6091b7793e2eb38ad6dbb084925245065c5dce9e5582f2d0fa220ab3e182d43412d5b5
2019-05-06 | Do not construct out-of-bound pointers in SHA512/SHA1/RIPEMD160 code | Pieter Wuille
2019-05-03 | Add ChaCha20 encryption option (XOR) | Jonas Schnelli
2019-03-29 | Merge #15663: crypto: Remove unused AES-128 code | Jonas Schnelli
f6ee177f7 Remove unused AES-128 code (practicalswift)

Pull request description:

Remove unused AES-128 code.

As far as I can tell this AES-128 code has never been in use in the project (outside of testing/benchmarking). The AES-256 code is used in `CCrypter::Encrypt`/`CCrypter::Decrypt` (`src/wallet/crypter.cpp`).

Trivia: 0.15% of the project's C++ LOC count (excluding dependencies) is trimmed off:
```
$ LOC_BEFORE=$(git grep -I "" HEAD~1 -- "*.cpp" "*.h" ":(exclude)src/leveldb/" ":(exclude)src/secp256k1/" ":(exclude)src/univalue/" | wc -l)
$ LOC_AFTER=$(git grep -I "" -- "*.cpp" "*.h" ":(exclude)src/leveldb/" ":(exclude)src/secp256k1/" ":(exclude)src/univalue/" | wc -l)
$ bc <<< "scale=4; ${LOC_AFTER}/${LOC_BEFORE}"
.9985
```
:-)

Tree-SHA512: 9588a3cd795a89ef658b8ee7323865f57723cb4ed9560c21de793f82d35e2835059e7d6d0705e99e3d16bf6b2a444b4bf19568d50174ff3776caf8a3168f5c85
2019-03-26 | Add Poly1305 implementation | Jonas Schnelli
2019-03-25 | Remove unused AES-128 code | practicalswift
2019-01-16 | Abstract out seeding/extracting entropy into RNGState::MixExtract | Pieter Wuille
2018-11-05 | Extract CSipHasher to its own file in crypto/ directory. | Jim Posen
This is a move-only commit with the exception of changes to includes.
2018-07-27 | Update copyright headers to 2018 | DrahtBot
2018-07-09 | Merge #13386: SHA256 implementations based on Intel SHA Extensions | Wladimir J. van der Laan
66b2cf1ccfad545a8ec3f2a854e23f647322bf30 Use immintrin.h everywhere for intrinsics (Pieter Wuille)
4c935e2eee456ff66cdfb908b0edffdd1e8a6c04 Add SHA256 implementation using Intel SHA intrinsics (Pieter Wuille)
268400d3188200c9e3dcd3482c4853354388a721 [Refactor] CPU feature detection logic for SHA256 (Pieter Wuille)

Pull request description:

Based on #13191.

This adds SHA256 implementations that use Intel's SHA Extension instructions (using intrinsics). This needs GCC 4.9 or Clang 3.4.

In addition to #13191, two extra implementations are provided:
* (a) A variable-length SHA256 implementation using SHA extensions.
* (b) A 2-way 64-byte input double-SHA256 implementation using SHA extensions.

Benchmarks for 9001-element Merkle tree root computation on an AMD Ryzen 1800X system:
* Using generic C++ code (pre-#10821): 6.1ms
* Using SSE4 (master, #10821): 4.6ms
* Using 4-way SSE4 specialized for 64-byte inputs (#13191): 2.8ms
* Using 8-way AVX2 specialized for 64-byte inputs (#13191): 2.1ms
* Using 2-way SHA-NI specialized for 64-byte inputs (this PR): 0.56ms

Benchmarks for 32-byte SHA256 on the same system:
* Using SSE4 (master, #10821): 190ns
* Using SHA-NI (this PR): 53ns

Benchmarks for 1000000-byte SHA256 on the same system:
* Using SSE4 (master, #10821): 2.5ms
* Using SHA-NI (this PR): 0.51ms

Tree-SHA512: 2b319e33b22579f815d91f9daf7994a5e1e799c4f73c13e15070dd54ba71f3f6438ccf77ae9cbd1ce76f972d9cbeb5f0edfea3d86f101bbc1055db70e42743b7
2018-07-07 | Use __cpuid_count for gnu C to avoid gitian build fail. | Chun Kuan Lee
2018-06-26 | Use immintrin.h everywhere for intrinsics | Pieter Wuille
2018-06-26 | Add SHA256 implementation using Intel SHA intrinsics | Pieter Wuille
2018-06-24 | [Refactor] CPU feature detection logic for SHA256 | Pieter Wuille
2018-06-24 | Merge #13471: For AVX2 code, also check for AVX, XSAVE, and OS support | Wladimir J. van der Laan
32d153fa360f73b4999701b97d55b12318fd2659 For AVX2 code, also check for AVX, XSAVE, and OS support (Pieter Wuille)

Pull request description:

Fixes #12903.

Tree-SHA512: 01e71efb5d3a43c49a145a5b1dc4fe7d0a491e1e78479e7df830a2aaac57c3dcfc316e28984c695206c76f93b68e4350fc037ca36756ca579b7070e39c835da2
2018-06-18 | For AVX2 code, also check for AVX, XSAVE, and OS support | Pieter Wuille
2018-06-12 | Improve coverage of SHA256 SelfTest code | Pieter Wuille
2018-06-12 | Merge #13393: Enable double-SHA256-for-64-byte code on 32-bit x86 | Wladimir J. van der Laan
57ba401abcfe564a2c4d259e0f758401ed74616d Enable double-SHA256-for-64-byte code on 32-bit x86 (Pieter Wuille)

Pull request description:

The SSE4 and AVX2 double-SHA256-for-64-byte input code from #13191 compiles fine on 32-bit x86 systems, but the autodetection logic in sha256.cpp doesn't enable it. Fix this.

Note that these instruction sets are only available on CPUs that support 64-bit mode as well, so it is only beneficial in the (perhaps unlikely) scenario where a 64-bit CPU is running a 32-bit Bitcoin Core binary.

Tree-SHA512: 39d5963c1ba8c33932549d5fe98bd184932689a40aeba95043eca31dd6824f566197c546b60905555eccaf407408a5f0f200247bb0907450d309b0a70b245102
2018-06-06 | Use bracket syntax includes ("#include <foo.h>") | practicalswift
2018-06-04 | Enable double-SHA256-for-64-byte code on 32-bit x86 | Pieter Wuille
2018-05-29 | 8-way AVX2 implementation for double SHA256 on 64-byte inputs | Pieter Wuille