Merge bitcoin/bitcoin#27993: Make poly1305 support incremental computation + modernize

4e5c933f6a Switch all callers from poly1305_auth to Poly1305 class (Pieter Wuille) 8871f7d1ae tests: add more Poly1305 test vectors (Pieter Wuille) 40e6c5b9fc crypto: add Poly1305 class with std::byte Span interface (Pieter Wuille) 50269b391f crypto: switch poly1305 to incremental implementation (Pieter Wuille) Pull request description: Our current Poly1305 code (src/crypto/poly1305.*) only supports computing the entire tag in one go (the `poly1305_auth` function takes a key and message, and outputs the tag). However, the RFC8439 authenticated encryption (as used in BIP324, see #27634) scheme makes use of Poly1305 in a way where the message consists of 3 different pieces: * The additionally authenticated data (AAD), padded to 16 bytes. * The ciphertext, padded to 16 bytes. * The length of the AAD and the length of the ciphertext, together another 16 bytes. Implementing RFC8439 using the existing `poly1305_auth` function requires creating a temporary copy with all these pieces of data concatenated just for the purpose of computing the tag (the approach used in #25361). This PR replaces the poly1305 code with new code from https://github.com/floodyberry/poly1305-donna (with minor adjustments to make it match our coding style and use our utility functions, documented in the commit) which supports incremental operation, and then adds a C++ wrapper interface using std::byte Spans around it, and adds tests that incremental and all-at-once computation match. ACKs for top commit: achow101: ACK 4e5c933f6a theStack: ACK 4e5c933f6a stratospher: tested ACK 4e5c933. Tree-SHA512: df6e9a2a4a38a480f9e4360d3e3def5311673a727a4a85b008a084cf6843b260dc82cec7c73e1cecaaccbf10f3521a0ae7dba388b65d0b086770f7fbc5223e2a
2026-06-01 08:44:02 +02:00 · 2023-07-17 18:20:37 -04:00
parent d09c8bc730 4e5c933f6a
commit 306157ae92
8 changed files with 386 additions and 148 deletions
--- a/src/test/fuzz/crypto_chacha20_poly1305_aead.cpp
+++ b/src/test/fuzz/crypto_chacha20_poly1305_aead.cpp
@@ -26,16 +26,16 @@ FUZZ_TARGET(crypto_chacha20_poly1305_aead)
    uint64_t seqnr_aad = 0;
    int aad_pos = 0;
    size_t buffer_size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(0, 4096);
-    std::vector<uint8_t> in(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0);
-    std::vector<uint8_t> out(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0);
+    std::vector<uint8_t> in(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
+    std::vector<uint8_t> out(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
    bool is_encrypt = fuzzed_data_provider.ConsumeBool();
    LIMITED_WHILE(fuzzed_data_provider.ConsumeBool(), 10000) {
        CallOneOf(
            fuzzed_data_provider,
            [&] {
                buffer_size = fuzzed_data_provider.ConsumeIntegralInRange<size_t>(64, 4096);
-                in = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0);
-                out = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN, 0);
+                in = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
+                out = std::vector<uint8_t>(buffer_size + CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN, 0);
            },
            [&] {
                (void)aead.Crypt(seqnr_payload, seqnr_aad, aad_pos, out.data(), out.size(), in.data(), buffer_size, is_encrypt);
--- a/src/test/fuzz/crypto_poly1305.cpp
+++ b/src/test/fuzz/crypto_poly1305.cpp
@@ -14,9 +14,40 @@ FUZZ_TARGET(crypto_poly1305)
 {
    FuzzedDataProvider fuzzed_data_provider{buffer.data(), buffer.size()};

-    const std::vector<uint8_t> key = ConsumeFixedLengthByteVector(fuzzed_data_provider, POLY1305_KEYLEN);
+    const std::vector<uint8_t> key = ConsumeFixedLengthByteVector(fuzzed_data_provider, Poly1305::KEYLEN);
    const std::vector<uint8_t> in = ConsumeRandomLengthByteVector(fuzzed_data_provider);

-    std::vector<uint8_t> tag_out(POLY1305_TAGLEN);
-    poly1305_auth(tag_out.data(), in.data(), in.size(), key.data());
+    std::vector<std::byte> tag_out(Poly1305::TAGLEN);
+    Poly1305{MakeByteSpan(key)}.Update(MakeByteSpan(in)).Finalize(tag_out);
+}
+
+
+FUZZ_TARGET(crypto_poly1305_split)
+{
+    FuzzedDataProvider provider{buffer.data(), buffer.size()};
+
+    // Read key and instantiate two Poly1305 objects with it.
+    auto key = provider.ConsumeBytes<std::byte>(Poly1305::KEYLEN);
+    key.resize(Poly1305::KEYLEN);
+    Poly1305 poly_full{key}, poly_split{key};
+
+    // Vector that holds all bytes processed so far.
+    std::vector<std::byte> total_input;
+
+    // Process input in pieces.
+    LIMITED_WHILE(provider.remaining_bytes(), 100) {
+        auto in = provider.ConsumeRandomLengthString();
+        poly_split.Update(MakeByteSpan(in));
+        // Update total_input to match what was processed.
+        total_input.insert(total_input.end(), MakeByteSpan(in).begin(), MakeByteSpan(in).end());
+    }
+
+    // Process entire input at once.
+    poly_full.Update(total_input);
+
+    // Verify both agree.
+    std::array<std::byte, Poly1305::TAGLEN> tag_split, tag_full;
+    poly_split.Finalize(tag_split);
+    poly_full.Finalize(tag_full);
+    assert(tag_full == tag_split);
 }