bip324.h
1 // Copyright (c) 2023-present The Bitcoin Core developers 2 // Distributed under the MIT software license, see the accompanying 3 // file COPYING or http://www.opensource.org/licenses/mit-license.php. 4 5 #ifndef BITCOIN_BIP324_H 6 #define BITCOIN_BIP324_H 7 8 #include <array> 9 #include <cstddef> 10 #include <optional> 11 12 #include <crypto/chacha20.h> 13 #include <crypto/chacha20poly1305.h> 14 #include <key.h> 15 #include <pubkey.h> 16 #include <span.h> 17 18 /** The BIP324 packet cipher, encapsulating its key derivation, stream cipher, and AEAD. */ 19 class BIP324Cipher 20 { 21 public: 22 static constexpr unsigned SESSION_ID_LEN{32}; 23 static constexpr unsigned GARBAGE_TERMINATOR_LEN{16}; 24 static constexpr unsigned REKEY_INTERVAL{224}; 25 static constexpr unsigned LENGTH_LEN{3}; 26 static constexpr unsigned HEADER_LEN{1}; 27 static constexpr unsigned EXPANSION = LENGTH_LEN + HEADER_LEN + FSChaCha20Poly1305::EXPANSION; 28 static constexpr std::byte IGNORE_BIT{0x80}; 29 30 private: 31 std::optional<FSChaCha20> m_send_l_cipher; 32 std::optional<FSChaCha20> m_recv_l_cipher; 33 std::optional<FSChaCha20Poly1305> m_send_p_cipher; 34 std::optional<FSChaCha20Poly1305> m_recv_p_cipher; 35 36 CKey m_key; 37 EllSwiftPubKey m_our_pubkey; 38 39 std::array<std::byte, SESSION_ID_LEN> m_session_id; 40 std::array<std::byte, GARBAGE_TERMINATOR_LEN> m_send_garbage_terminator; 41 std::array<std::byte, GARBAGE_TERMINATOR_LEN> m_recv_garbage_terminator; 42 43 public: 44 /** No default constructor; keys must be provided to create a BIP324Cipher. */ 45 BIP324Cipher() = delete; 46 47 /** Initialize a BIP324 cipher with specified key and encoding entropy (testing only). */ 48 BIP324Cipher(const CKey& key, std::span<const std::byte> ent32) noexcept; 49 50 /** Initialize a BIP324 cipher with specified key (testing only). */ 51 BIP324Cipher(const CKey& key, const EllSwiftPubKey& pubkey) noexcept; 52 53 /** Retrieve our public key. */ 54 const EllSwiftPubKey& GetOurPubKey() const noexcept { return m_our_pubkey; } 55 56 /** Initialize when the other side's public key is received. Can only be called once. 57 * 58 * initiator is set to true if we are the initiator establishing the v2 P2P connection. 59 * self_decrypt is only for testing, and swaps encryption/decryption keys, so that encryption 60 * and decryption can be tested without knowing the other side's private key. 61 */ 62 void Initialize(const EllSwiftPubKey& their_pubkey, bool initiator, bool self_decrypt = false) noexcept; 63 64 /** Determine whether this cipher is fully initialized. */ 65 explicit operator bool() const noexcept { return m_send_l_cipher.has_value(); } 66 67 /** Encrypt a packet. Only after Initialize(). 68 * 69 * It must hold that output.size() == contents.size() + EXPANSION. 70 */ 71 void Encrypt(std::span<const std::byte> contents, std::span<const std::byte> aad, bool ignore, std::span<std::byte> output) noexcept; 72 73 /** Decrypt the length of a packet. Only after Initialize(). 74 * 75 * It must hold that input.size() == LENGTH_LEN. 76 */ 77 unsigned DecryptLength(std::span<const std::byte> input) noexcept; 78 79 /** Decrypt a packet. Only after Initialize(). 80 * 81 * It must hold that input.size() + LENGTH_LEN == contents.size() + EXPANSION. 82 * Contents.size() must equal the length returned by DecryptLength. 83 */ 84 bool Decrypt(std::span<const std::byte> input, std::span<const std::byte> aad, bool& ignore, std::span<std::byte> contents) noexcept; 85 86 /** Get the Session ID. Only after Initialize(). */ 87 std::span<const std::byte> GetSessionID() const noexcept { return m_session_id; } 88 89 /** Get the Garbage Terminator to send. Only after Initialize(). */ 90 std::span<const std::byte> GetSendGarbageTerminator() const noexcept { return m_send_garbage_terminator; } 91 92 /** Get the expected Garbage Terminator to receive. Only after Initialize(). */ 93 std::span<const std::byte> GetReceiveGarbageTerminator() const noexcept { return m_recv_garbage_terminator; } 94 }; 95 96 #endif // BITCOIN_BIP324_H