Switch all callers from poly1305_auth to Poly1305 class

This also removes the old poly1305_auth interface, as it no longer serves any
function. The new Poly1305 class based interface is more modern and safe.

src/crypto/chacha_poly_aead.cpp

@@ -50,13 +50,13 @@ bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int
     // check buffer boundaries
     if (
         // if we encrypt, make sure the source contains at least the expected AAD and the destination has at least space for the source + MAC
-        (is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + POLY1305_TAGLEN)) ||
+        (is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN || dest_len < src_len + Poly1305::TAGLEN)) ||
         // if we decrypt, make sure the source contains at least the expected AAD+MAC and the destination has at least space for the source - MAC
-        (!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + POLY1305_TAGLEN || dest_len < src_len - POLY1305_TAGLEN))) {
+        (!is_encrypt && (src_len < CHACHA20_POLY1305_AEAD_AAD_LEN + Poly1305::TAGLEN || dest_len < src_len - Poly1305::TAGLEN))) {
         return false;
     }
 
-    unsigned char expected_tag[POLY1305_TAGLEN], poly_key[POLY1305_KEYLEN];
+    unsigned char expected_tag[Poly1305::TAGLEN], poly_key[Poly1305::KEYLEN];
     memset(poly_key, 0, sizeof(poly_key));
 
     // block counter 0 for the poly1305 key
@@ -67,18 +67,20 @@ bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int
 
     // if decrypting, verify the tag prior to decryption
     if (!is_encrypt) {
-        const unsigned char* tag = src + src_len - POLY1305_TAGLEN;
-        poly1305_auth(expected_tag, src, src_len - POLY1305_TAGLEN, poly_key);
+        const unsigned char* tag = src + src_len - Poly1305::TAGLEN;
+        Poly1305{MakeByteSpan(poly_key)}
+            .Update(AsBytes(Span{src, src_len - Poly1305::TAGLEN}))
+            .Finalize(MakeWritableByteSpan(expected_tag));
 
         // constant time compare the calculated MAC with the provided MAC
-        if (timingsafe_bcmp(expected_tag, tag, POLY1305_TAGLEN) != 0) {
+        if (timingsafe_bcmp(expected_tag, tag, Poly1305::TAGLEN) != 0) {
             memory_cleanse(expected_tag, sizeof(expected_tag));
             memory_cleanse(poly_key, sizeof(poly_key));
             return false;
         }
         memory_cleanse(expected_tag, sizeof(expected_tag));
         // MAC has been successfully verified, make sure we don't convert it in decryption
-        src_len -= POLY1305_TAGLEN;
+        src_len -= Poly1305::TAGLEN;
     }
 
     // calculate and cache the next 64byte keystream block if requested sequence number is not yet the cache
@@ -99,7 +101,9 @@ bool ChaCha20Poly1305AEAD::Crypt(uint64_t seqnr_payload, uint64_t seqnr_aad, int
     // If encrypting, calculate and append tag
     if (is_encrypt) {
         // the poly1305 tag expands over the AAD (3 bytes length) & encrypted payload
-        poly1305_auth(dest + src_len, dest, src_len, poly_key);
+        Poly1305{MakeByteSpan(poly_key)}
+            .Update(AsBytes(Span{dest, src_len}))
+            .Finalize(AsWritableBytes(Span{dest + src_len, Poly1305::TAGLEN}));
     }
 
     // cleanse no longer required MAC and polykey

src/crypto/poly1305.cpp

@@ -221,11 +221,3 @@ void poly1305_update(poly1305_context *st, const unsigned char *m, size_t bytes)
 }
 
 }  // namespace poly1305_donna
-
-void poly1305_auth(unsigned char mac[16], const unsigned char *m, size_t bytes, const unsigned char key[32]) {
-    using namespace poly1305_donna;
-    poly1305_context ctx;
-    poly1305_init(&ctx, key);
-    poly1305_update(&ctx, m, bytes);
-    poly1305_finish(&ctx, mac);
-}

src/crypto/poly1305.h

@@ -11,8 +11,6 @@
 #include <cstdlib>
 #include <stdint.h>
 
-#define POLY1305_KEYLEN 32
-#define POLY1305_TAGLEN 16
 #define POLY1305_BLOCK_SIZE 16
 
 namespace poly1305_donna {
@@ -42,10 +40,10 @@ class Poly1305
 
 public:
     /** Length of the output produced by Finalize(). */
-    static constexpr unsigned TAGLEN = POLY1305_TAGLEN;
+    static constexpr unsigned TAGLEN{16};
 
     /** Length of the keys expected by the constructor. */
-    static constexpr unsigned KEYLEN = POLY1305_KEYLEN;
+    static constexpr unsigned KEYLEN{32};
 
     /** Construct a Poly1305 object with a given 32-byte key. */
     Poly1305(Span<const std::byte> key) noexcept
@@ -69,7 +67,4 @@ public:
     }
 };
 
-void poly1305_auth(unsigned char out[POLY1305_TAGLEN], const unsigned char *m, size_t inlen,
-    const unsigned char key[POLY1305_KEYLEN]);
-
 #endif // BITCOIN_CRYPTO_POLY1305_H