From b5ab7e3ce3e8706efef411b0f685ccaffd7d486f Mon Sep 17 00:00:00 2001
From: Rusty Russell 
Date: Tue, 8 Dec 2020 17:18:21 +1030
Subject: [PATCH] common/sphinx: don't use temporary to xor in cipher stream.

The chacha API makes this a bit awkward, to we use a helper.

Signed-off-by: Rusty Russell 
---
 common/sphinx.c | 59 ++++---
 common/test/run-sphinx-xor_cipher_stream.c | 170 +++++++++++++++++++++
 2 files changed, 212 insertions(+), 17 deletions(-)
 create mode 100644 common/test/run-sphinx-xor_cipher_stream.c

diff --git a/common/sphinx.c b/common/sphinx.c
index 996fb78e8257..016a47e4175f 100644
--- a/common/sphinx.c
+++ b/common/sphinx.c
@@ -170,14 +170,6 @@ enum onion_wire parse_onionpacket(const u8 *src,
 	return 0;
 }
 
-static void xorbytes(uint8_t *d, const uint8_t *a, const uint8_t *b, size_t len)
-{
-	size_t i;
-
-	for (i = 0; i < len; i++)
-		d[i] = a[i] ^ b[i];
-}
-
 /*
  * Generate a pseudo-random byte stream of length `dstlen` from key `k` and
  * store it in `dst`. `dst must be at least `dstlen` bytes long.
@@ -197,6 +189,45 @@ static void xor_cipher_stream(void *dst, const struct secret *k, size_t dstlen)
 	crypto_stream_chacha20_xor(dst, dst, dstlen, nonce, k->data);
 }
 
+#define CHACHA20_BLOCK_BYTES 64
+
+static void xor_cipher_stream_off(const struct secret *k,
+				  size_t off,
+				  void *dst, size_t dstlen)
+{
+	const u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	u8 block[CHACHA20_BLOCK_BYTES];
+	size_t block_off;
+	size_t ic = off / CHACHA20_BLOCK_BYTES;
+
+	/* From https://libsodium.gitbook.io/doc/advanced/stream_ciphers/chacha20:
+	 *
+	 * The crypto_stream_chacha20_xor_ic() function is similar to
+	 * crypto_stream_chacha20_xor() but adds the ability to set
+	 * the initial value of the block counter to a non-zero value,
+	 * ic.
+	 *
+	 * This permits direct access to any block without having to
+	 * compute the previous ones.
+	 */
+	block_off = (off % CHACHA20_BLOCK_BYTES);
+	if (block_off != 0) {
+		size_t rem = CHACHA20_BLOCK_BYTES - block_off;
+		if (rem > dstlen)
+			rem = dstlen;
+		memcpy(block + block_off, dst, rem);
+		crypto_stream_chacha20_xor_ic(block, block, block_off + rem,
+					      nonce,
+					      ic,
+					      k->data);
+		ic++;
+		memcpy(dst, block + block_off, rem);
+		dst = (char *)dst + rem;
+		dstlen -= rem;
+	}
+	crypto_stream_chacha20_xor_ic(dst, dst, dstlen, nonce, ic, k->data);
+}
+
 /* Convenience function: s2/s2len can be NULL/0 if unwanted */
 static void compute_hmac(const struct secret *key,
 			 const u8 *s1, size_t s1len,
@@ -226,7 +257,6 @@ static void generate_header_padding(void *dst, size_t dstlen,
 				    const struct sphinx_path *path,
 				    struct hop_params *params)
 {
-	u8 stream[2 * ROUTING_INFO_SIZE];
 	struct secret key;
 	size_t fillerStart, fillerEnd, fillerSize;
 
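Review bot: In the partial-block branch of `xor_cipher_stream_off`, the bytes `block[0..block_off)` are never written before `crypto_stream_chacha20_xor_ic` XORs the whole prefix in place, so the call reads indeterminate stack bytes; the output for those positions is discarded, but memory checkers can flag it and `memset(block, 0, block_off);` before the first `memcpy` costs nothing. The helper also has no contract comment, and the libsodium quote explains the counter, not what the function promises; I would add above it `/* XOR bytes [off, off + dstlen) of the chacha20 stream for key k into dst in place, without generating the first off bytes. */`, and, if xor_cipher_stream uses the same all-zero nonce (its declaration is outside the hunk), say that the two agree on the stream. After the call `block` still holds keystream-derived bytes for that block on the stack, as the removed `stream[2 * ROUTING_INFO_SIZE]` arrays did before this change, so this is not a regression, but wiping `block` after the second `memcpy` would be the place to close it if that matters.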
@@ -234,8 +264,6 @@ static void generate_header_padding(void *dst, size_t dstlen,
 	for (int i = 0; i < tal_count(path->hops) - 1; i++) {
 		subkey_from_hmac("rho", ¶ms[i].secret, &key);
 
-		generate_cipher_stream(stream, &key, sizeof(stream));
-
 		/* Sum up how many bytes have been used by previous hops,
 		 * that gives us the start in the stream */
 		fillerSize = 0;
@@ -250,8 +278,8 @@ static void generate_header_padding(void *dst, size_t dstlen,
 
 		/* Apply the cipher-stream to the part of the filler that'll
 		 * be added by this hop */
-		xorbytes(dst, dst, stream + fillerStart,
-			 fillerEnd - fillerStart);
+		xor_cipher_stream_off(&key, fillerStart,
+				      dst, fillerEnd - fillerStart);
 	}
 }
 
@@ -259,7 +287,6 @@ static void generate_prefill(void *dst, size_t dstlen,
 				    const struct sphinx_path *path,
 				    struct hop_params *params)
 {
-	u8 stream[2 * ROUTING_INFO_SIZE];
 	struct secret key;
 	size_t fillerStart, fillerSize;
 
@@ -267,8 +294,6 @@ static void generate_prefill(void *dst, size_t dstlen,
 	for (int i = 0; i < tal_count(path->hops); i++) {
 		subkey_from_hmac("rho", ¶ms[i].secret, &key);
 
-		generate_cipher_stream(stream, &key, sizeof(stream));
-
 		/* Sum up how many bytes have been used by previous hops,
 		 * that gives us the start in the stream */
 		fillerSize = 0;
@@ -278,7 +303,7 @@ static void generate_prefill(void *dst, size_t dstlen,
 
 		/* Apply the cipher-stream to the part of the filler that'll
 		 * be added by this hop */
-		xorbytes(dst, dst, stream + fillerStart, dstlen);
+		xor_cipher_stream_off(&key, fillerStart, dst, dstlen);
 	}
 }
 
diff --git a/common/test/run-sphinx-xor_cipher_stream.c b/common/test/run-sphinx-xor_cipher_stream.c
new file mode 100644
index 000000000000..a9fc241bea1a
--- /dev/null
+++ b/common/test/run-sphinx-xor_cipher_stream.c
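Review bot: In the `@@ -250,8 +278,8 @@` hunk, `generate_header_padding` writes `fillerEnd - fillerStart` bytes into `dst` without consulting its `dstlen` parameter; before this change the removed `stream[2 * ROUTING_INFO_SIZE]` array was the only thing tying those offsets to a fixed size (and only as an out-of-bounds read rather than a check), while the new helper will generate the stream at any offset. Unless `fillerEnd` is validated against `dstlen` somewhere outside the hunk, I would add `assert(fillerEnd - fillerStart <= dstlen);` before the call so the invariant is stated where the write happens. The `@@ -278,7 +303,7 @@` hunk in `generate_prefill` passes `dstlen` through directly and needs nothing. Both enclosing loops begin and end outside their hunks.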
@@ -0,0 +1,170 @@ +#include "../sphinx.c" +#include +#include +#include +#include + +/* AUTOGENERATED MOCKS START */ +/* Generated stub for amount_asset_is_main */ +bool amount_asset_is_main(struct amount_asset *asset UNNEEDED) +{ fprintf(stderr, "amount_asset_is_main called!\n"); abort(); } +/* Generated stub for amount_asset_to_sat */ +struct amount_sat amount_asset_to_sat(struct amount_asset *asset UNNEEDED) +{ fprintf(stderr, "amount_asset_to_sat called!\n"); abort(); } +/* Generated stub for amount_sat */ +struct amount_sat amount_sat(u64 satoshis UNNEEDED) +{ fprintf(stderr, "amount_sat called!\n"); abort(); } +/* Generated stub for amount_sat_add */ + bool amount_sat_add(struct amount_sat *val UNNEEDED, + struct amount_sat a UNNEEDED, + struct amount_sat b UNNEEDED) +{ fprintf(stderr, "amount_sat_add called!\n"); abort(); } +/* Generated stub for amount_sat_eq */ +bool amount_sat_eq(struct amount_sat a UNNEEDED, struct amount_sat b UNNEEDED) +{ fprintf(stderr, "amount_sat_eq called!\n"); abort(); } +/* Generated stub for amount_sat_greater_eq */ +bool amount_sat_greater_eq(struct amount_sat a UNNEEDED, struct amount_sat b UNNEEDED) +{ fprintf(stderr, "amount_sat_greater_eq called!\n"); abort(); } +/* Generated stub for amount_sat_sub */ + bool amount_sat_sub(struct amount_sat *val UNNEEDED, + struct amount_sat a UNNEEDED, + struct amount_sat b UNNEEDED) +{ fprintf(stderr, "amount_sat_sub called!\n"); abort(); } +/* Generated stub for amount_sat_to_asset */ +struct amount_asset amount_sat_to_asset(struct amount_sat *sat UNNEEDED, const u8 *asset UNNEEDED) +{ fprintf(stderr, "amount_sat_to_asset called!\n"); abort(); } +/* Generated stub for amount_tx_fee */ +struct amount_sat amount_tx_fee(u32 fee_per_kw UNNEEDED, size_t weight UNNEEDED) +{ fprintf(stderr, "amount_tx_fee called!\n"); abort(); } +/* Generated stub for fromwire */ +const u8 *fromwire(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, void *copy UNNEEDED, size_t n UNNEEDED) +{ fprintf(stderr, 
"fromwire called!\n"); abort(); } +/* Generated stub for fromwire_amount_sat */ +struct amount_sat fromwire_amount_sat(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_amount_sat called!\n"); abort(); } +/* Generated stub for fromwire_bool */ +bool fromwire_bool(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_bool called!\n"); abort(); } +/* Generated stub for fromwire_fail */ +void *fromwire_fail(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_fail called!\n"); abort(); } +/* Generated stub for fromwire_hmac */ +void fromwire_hmac(const u8 **ptr UNNEEDED, size_t *max UNNEEDED, struct hmac *hmac UNNEEDED) +{ fprintf(stderr, "fromwire_hmac called!\n"); abort(); } +/* Generated stub for fromwire_secp256k1_ecdsa_signature */ +void fromwire_secp256k1_ecdsa_signature(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, + secp256k1_ecdsa_signature *signature UNNEEDED) +{ fprintf(stderr, "fromwire_secp256k1_ecdsa_signature called!\n"); abort(); } +/* Generated stub for fromwire_sha256 */ +void fromwire_sha256(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, struct sha256 *sha256 UNNEEDED) +{ fprintf(stderr, "fromwire_sha256 called!\n"); abort(); } +/* Generated stub for fromwire_tal_arrn */ +u8 *fromwire_tal_arrn(const tal_t *ctx UNNEEDED, + const u8 **cursor UNNEEDED, size_t *max UNNEEDED, size_t num UNNEEDED) +{ fprintf(stderr, "fromwire_tal_arrn called!\n"); abort(); } +/* Generated stub for fromwire_u16 */ +u16 fromwire_u16(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_u16 called!\n"); abort(); } +/* Generated stub for fromwire_u32 */ +u32 fromwire_u32(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_u32 called!\n"); abort(); } +/* Generated stub for fromwire_u64 */ +u64 fromwire_u64(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_u64 called!\n"); abort(); } +/* Generated stub for 
fromwire_u8 */ +u8 fromwire_u8(const u8 **cursor UNNEEDED, size_t *max UNNEEDED) +{ fprintf(stderr, "fromwire_u8 called!\n"); abort(); } +/* Generated stub for fromwire_u8_array */ +void fromwire_u8_array(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, u8 *arr UNNEEDED, size_t num UNNEEDED) +{ fprintf(stderr, "fromwire_u8_array called!\n"); abort(); } +/* Generated stub for hmac_done */ +void hmac_done(crypto_auth_hmacsha256_state *state UNNEEDED, + struct hmac *hmac UNNEEDED) +{ fprintf(stderr, "hmac_done called!\n"); abort(); } +/* Generated stub for hmac_start */ +void hmac_start(crypto_auth_hmacsha256_state *state UNNEEDED, + const void *key UNNEEDED, size_t klen UNNEEDED) +{ fprintf(stderr, "hmac_start called!\n"); abort(); } +/* Generated stub for hmac_update */ +void hmac_update(crypto_auth_hmacsha256_state *state UNNEEDED, + const void *src UNNEEDED, size_t slen UNNEEDED) +{ fprintf(stderr, "hmac_update called!\n"); abort(); } +/* Generated stub for new_onionreply */ +struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED) +{ fprintf(stderr, "new_onionreply called!\n"); abort(); } +/* Generated stub for onion_payload_length */ +size_t onion_payload_length(const u8 *raw_payload UNNEEDED, size_t len UNNEEDED, + bool has_realm UNNEEDED, + bool *valid UNNEEDED, + enum onion_payload_type *type UNNEEDED) +{ fprintf(stderr, "onion_payload_length called!\n"); abort(); } +/* Generated stub for pubkey_from_node_id */ +bool pubkey_from_node_id(struct pubkey *key UNNEEDED, const struct node_id *id UNNEEDED) +{ fprintf(stderr, "pubkey_from_node_id called!\n"); abort(); } +/* Generated stub for subkey_from_hmac */ +void subkey_from_hmac(const char *prefix UNNEEDED, + const struct secret *base UNNEEDED, + struct secret *key UNNEEDED) +{ fprintf(stderr, "subkey_from_hmac called!\n"); abort(); } +/* Generated stub for towire */ +void towire(u8 **pptr UNNEEDED, const void *data UNNEEDED, size_t len UNNEEDED) +{ fprintf(stderr, 
"towire called!\n"); abort(); } +/* Generated stub for towire_amount_sat */ +void towire_amount_sat(u8 **pptr UNNEEDED, const struct amount_sat sat UNNEEDED) +{ fprintf(stderr, "towire_amount_sat called!\n"); abort(); } +/* Generated stub for towire_bool */ +void towire_bool(u8 **pptr UNNEEDED, bool v UNNEEDED) +{ fprintf(stderr, "towire_bool called!\n"); abort(); } +/* Generated stub for towire_hmac */ +void towire_hmac(u8 **pptr UNNEEDED, const struct hmac *hmac UNNEEDED) +{ fprintf(stderr, "towire_hmac called!\n"); abort(); } +/* Generated stub for towire_pad */ +void towire_pad(u8 **pptr UNNEEDED, size_t num UNNEEDED) +{ fprintf(stderr, "towire_pad called!\n"); abort(); } +/* Generated stub for towire_secp256k1_ecdsa_signature */ +void towire_secp256k1_ecdsa_signature(u8 **pptr UNNEEDED, + const secp256k1_ecdsa_signature *signature UNNEEDED) +{ fprintf(stderr, "towire_secp256k1_ecdsa_signature called!\n"); abort(); } +/* Generated stub for towire_sha256 */ +void towire_sha256(u8 **pptr UNNEEDED, const struct sha256 *sha256 UNNEEDED) +{ fprintf(stderr, "towire_sha256 called!\n"); abort(); } +/* Generated stub for towire_u16 */ +void towire_u16(u8 **pptr UNNEEDED, u16 v UNNEEDED) +{ fprintf(stderr, "towire_u16 called!\n"); abort(); } +/* Generated stub for towire_u32 */ +void towire_u32(u8 **pptr UNNEEDED, u32 v UNNEEDED) +{ fprintf(stderr, "towire_u32 called!\n"); abort(); } +/* Generated stub for towire_u64 */ +void towire_u64(u8 **pptr UNNEEDED, u64 v UNNEEDED) +{ fprintf(stderr, "towire_u64 called!\n"); abort(); } +/* Generated stub for towire_u8 */ +void towire_u8(u8 **pptr UNNEEDED, u8 v UNNEEDED) +{ fprintf(stderr, "towire_u8 called!\n"); abort(); } +/* Generated stub for towire_u8_array */ +void towire_u8_array(u8 **pptr UNNEEDED, const u8 *arr UNNEEDED, size_t num UNNEEDED) +{ fprintf(stderr, "towire_u8_array called!\n"); abort(); } +/* AUTOGENERATED MOCKS END */ + +#define PARTIAL_SIZE 128 + +int main(int argc, char **argv) +{ + const u8 nonce[8] = { 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	struct secret k;
+	u8 normal[1024];
+
+	common_setup(argv[0]);
+	memset(&k, 1, sizeof(k));
+	crypto_stream_chacha20(normal, sizeof(normal), nonce, k.data);
+
+	for (size_t i = 0; i < sizeof(normal) - PARTIAL_SIZE; i++) {
+		for (size_t len = 0; len < PARTIAL_SIZE; len++) {
+			u8 *partial = tal_arrz(tmpctx, u8, len);
+			xor_cipher_stream_off(&k, i, partial, len);
+			assert(memcmp(partial, normal + i, len) == 0);
+		}
+	}
+
+	common_shutdown();
+	return 0;
+}
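Review bot: Every `partial` buffer in the test is zero-filled by `tal_arrz`, so `xor_cipher_stream_off` is only checked for producing the raw keystream, never for XORing it into existing contents; the `memcpy` into and out of `block` in the helper's partial-block path is exactly the code that carries pre-existing bytes, and it is exercised here only with zeros. Filling the buffer first with `memset(partial, 0xa5, len);` and asserting `partial[j] == (normal[i + j] ^ 0xa5)` for each `j` would cover that path with real data. Separately, the nested loops allocate on the order of a hundred thousand buffers on `tmpctx` that are never freed inside the loops; a stack array `u8 partial[PARTIAL_SIZE];` reset per iteration would avoid the growth and also remove the zero-length `tal_arrz` corner case.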