Allow for RFC8439 AD in cipher suite interface

Author: dhruv

src/bench/bip324_suite.cpp

@@ -36,15 +36,15 @@ static void BIP324_CIPHER_SUITE(benchmark::Bench& bench, size_t plaintext_len, b
 
     bench.batch(plaintext_len).unit("byte").run([&] {
         // encrypt or decrypt the buffer with a static key
-        const bool crypt_ok_1 = enc.Crypt(in, out, flags, true);
+        const bool crypt_ok_1 = enc.Crypt({}, in, out, flags, true);
         assert(crypt_ok_1);
 
         if (include_decryption) {
             // if we decrypt, we need to decrypt the length first
             std::array<std::byte, BIP324_LENGTH_FIELD_LEN> len_ciphertext;
             memcpy(len_ciphertext.data(), out.data(), BIP324_LENGTH_FIELD_LEN);
             (void)dec.DecryptLength(len_ciphertext);
-            const bool crypt_ok_2 = dec.Crypt({out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false);
+            const bool crypt_ok_2 = dec.Crypt({}, {out.data() + BIP324_LENGTH_FIELD_LEN, out.size() - BIP324_LENGTH_FIELD_LEN}, in, flags, false);
             assert(crypt_ok_2);
         }
     });

src/crypto/bip324_suite.cpp

@@ -54,7 +54,9 @@ void BIP324CipherSuite::CommitToKeys(const Span<const std::byte> data, bool comm
     set_nonce();
 }
 
-bool BIP324CipherSuite::Crypt(const Span<const std::byte> input, Span<std::byte> output,
+bool BIP324CipherSuite::Crypt(const Span<const std::byte> aad,
+                              const Span<const std::byte> input,
+                              Span<std::byte> output,
                               BIP324HeaderFlags& flags, bool encrypt)
 {
     // check buffer boundaries
@@ -84,13 +86,14 @@ bool BIP324CipherSuite::Crypt(const Span<const std::byte> input, Span<std::byte>
         fsc20.Crypt({reinterpret_cast<std::byte*>(&ciphertext_len), BIP324_LENGTH_FIELD_LEN},
                     {write_pos, BIP324_LENGTH_FIELD_LEN});
         write_pos += BIP324_LENGTH_FIELD_LEN;
-        RFC8439Encrypt({}, payload_key, nonce, input_vec, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_TAGLEN});
+        RFC8439Encrypt(aad, payload_key, nonce, input_vec, {write_pos, BIP324_HEADER_LEN + input.size() + RFC8439_TAGLEN});
+
     } else {
         // we must use BIP324CipherSuite::DecryptLength before calling BIP324CipherSuite::Crypt
         // input is encrypted (header + payload) and the mac tag
         // decrypted header will be put in flags and output will be payload.
         std::vector<std::byte> decrypted_plaintext(input.size() - RFC8439_TAGLEN);
-        auto authenticated = RFC8439Decrypt({}, payload_key, nonce, input, decrypted_plaintext);
+        auto authenticated = RFC8439Decrypt(aad, payload_key, nonce, input, decrypted_plaintext);
         if (!authenticated) {
             return false;
         }

src/crypto/bip324_suite.h

@@ -64,7 +64,10 @@ class BIP324CipherSuite
 
         Returns true upon success. Upon failure, the output should not be used.
         */
-    [[nodiscard]] bool Crypt(const Span<const std::byte> input, Span<std::byte> output, BIP324HeaderFlags& flags, bool encrypt);
+    [[nodiscard]] bool Crypt(const Span<const std::byte> aad,
+                             const Span<const std::byte> input,
+                             Span<std::byte> output,
+                             BIP324HeaderFlags& flags, bool encrypt);
 
     /** Decrypts the 3 byte length field ciphertext (the packet length) and decodes it into a uint32_t field
         The FSChaCha20 keystream will advance. As a result, DecryptLength() cannot be called multiple times to get the same result. The caller must cache the result for re-use.

src/test/crypto_tests.cpp

@@ -751,7 +751,7 @@ BOOST_AUTO_TEST_CASE(hkdf_hmac_sha256_l32_tests)
                 "8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d");
 }
 
-static void TestBIP324CipherSuite(const std::string& hex_input, const std::string& hex_key_l, const std::string& hex_key_p, const std::string& hex_rekey_salt, const std::string& hex_expected_output_seq_0, const std::string& hex_expected_output_seq_999)
+static void TestBIP324CipherSuite(const std::string& hex_aad, const std::string& hex_input, const std::string& hex_key_l, const std::string& hex_key_p, const std::string& hex_rekey_salt, const std::string& hex_expected_output_seq_0, const std::string& hex_expected_output_seq_999)
 {
     auto key_l_vec = ParseHex(hex_key_l);
     BIP324Key key_l;
@@ -765,6 +765,8 @@ static void TestBIP324CipherSuite(const std::string& hex_input, const std::strin
     BIP324Key rekey_salt;
     memcpy(rekey_salt.data(), rekey_salt_vec.data(), BIP324_KEY_LEN);
 
+    auto aad = ParseHex(hex_aad);
+
     const auto original_plaintext_bytes = ParseHex(hex_input);
     auto plaintext_buf = original_plaintext_bytes;
 
@@ -781,7 +783,7 @@ static void TestBIP324CipherSuite(const std::string& hex_input, const std::strin
     // encrypt / decrypt the packet 1000 times
     for (size_t i = 0; i < 1000; ++i) {
         // encrypt
-        auto res = suite_enc.Crypt(MakeByteSpan(plaintext_buf), MakeWritableByteSpan(ciphertext_buf), flags, true);
+        auto res = suite_enc.Crypt(MakeByteSpan(aad), MakeByteSpan(plaintext_buf), MakeWritableByteSpan(ciphertext_buf), flags, true);
         BOOST_CHECK(res);
         // verify ciphertext & mac against the test vector
         if (i == 0) {
@@ -794,7 +796,7 @@ static void TestBIP324CipherSuite(const std::string& hex_input, const std::strin
         out_len = suite_dec.DecryptLength(length_ciphertext);
         BOOST_CHECK_EQUAL(out_len, BIP324_HEADER_LEN + plaintext_buf.size());
 
-        res = suite_dec.Crypt({reinterpret_cast<std::byte*>(ciphertext_buf.data()) + BIP324_LENGTH_FIELD_LEN, ciphertext_buf.size() - BIP324_LENGTH_FIELD_LEN}, MakeWritableByteSpan(plaintext_buf_dec), flags, false);
+        res = suite_dec.Crypt(MakeByteSpan(aad), {reinterpret_cast<std::byte*>(ciphertext_buf.data()) + BIP324_LENGTH_FIELD_LEN, ciphertext_buf.size() - BIP324_LENGTH_FIELD_LEN}, MakeWritableByteSpan(plaintext_buf_dec), flags, false);
         BOOST_CHECK(res);
         BOOST_CHECK_EQUAL(flags, 0);
 
@@ -812,33 +814,46 @@ BOOST_AUTO_TEST_CASE(bip324_cipher_suite_testvectors)
 
     // encrypting an empty message should result in 20 bytes:
     // 3 bytes of encrypted length, 1 byte header and 16 bytes MAC
-    TestBIP324CipherSuite(/* plaintext */ "",
+    TestBIP324CipherSuite(/* aad */ "",
+                          /* plaintext */ "",
                           /* k_l */ "0000000000000000000000000000000000000000000000000000000000000000",
                           /* k_p */ "0000000000000000000000000000000000000000000000000000000000000000",
                           /* rekey_salt */ "0000000000000000000000000000000000000000000000000000000000000000",
                           /* ciphertext_and_mac_0 */ "77b8e09fbedcfd1809ff3c10adf8277fcc0581b8",
                           /* ciphertext_and_mac_999 */ "8e6aedd9148bd3bafc2377f8e4f6559b4ec26ff4");
 
-    TestBIP324CipherSuite("0000000000000000000000000000000000000000000000000000000000000000",
+    TestBIP324CipherSuite("",
+                          "0000000000000000000000000000000000000000000000000000000000000000",
                           "0000000000000000000000000000000000000000000000000000000000000000",
                           "0000000000000000000000000000000000000000000000000000000000000000",
                           "0000000000000000000000000000000000000000000000000000000000000000",
                           "57b8e09f07e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed29e7e38bb44c94b6a43c525ffca66c79e9",
                           "ae6aedd99d957e0f9719d248a1f25357573c4eb7fbf047911fd530bb2ec6cf6d921743a3d16ee9c81e352ba0a29a3c1c7dec8b6b");
 
-    TestBIP324CipherSuite("0100000000000000000000000000000000000000000000000000000000000000",
+    TestBIP324CipherSuite("",
+                          "0100000000000000000000000000000000000000000000000000000000000000",
                           "0000000000000000000000000000000000000000000000000000000000000000",
                           "0000000000000000000000000000000000000000000000000000000000000000",
                           "0000000000000000000000000000000000000000000000000000000000000000",
                           "57b8e09f06e7be5551387a98ba977c732d080dcb0f29a048e3656912c6533e32ee7aed2929449b86c1e4e213676824f2c48e5336",
                           "ae6aedd99c957e0f9719d248a1f25357573c4eb7fbf047911fd530bb2ec6cf6d921743a3fced1d140e9f3a4103e5c5e687cb2938");
 
-    TestBIP324CipherSuite("fc0000f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9",
+    TestBIP324CipherSuite("",
+                          "fc0000f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9",
                           "ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
                           "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
                           "6f5ef19ed6f1a5e2db2b119494f21d8c2de638a4c6ec3b5b4d43f3196152ea10",
                           "c641c1184442315c7340b89171039acb48f95287e66e56f7afa7cf00f95044d26fb69d46ac5c16a2d57a1cadc39160644717559e73480734410a3f543c5f231a7d7ed77af2a64681f6a7417283cef85504ac5de9fdea100e6c67ef7a1bfcd888a92a5f1ef2c9074b44b572aa748f29ff61a850ce40470004dff5cc1d926c5abe25ace47a12c5373094a26bab027e008154fb630aa062490b5421e96691a3f79557f7a79e3cfd9100796671ea241703ddf326f113adf1694bbd6e0ca032e16f936e7bfbf174e7ef4af5b53a6a9102e6fa41a8e589290f39a7bc7a6003088c612a43a36c2e9f2e740797ad3a2a1a80e0f67157fb9abc40487077368e94751a266a0b2dac24f0adabd5c6d7ba54316eee951da560",
                           "7e3f8da87ddd62416fa860e3dcc8a999385425c07809de3b763e82545549d93f43a4cdb01b20e1049f68f31b13728fdf60fd8d65099ecc65d7fd90925733b7372057fa2174e487228fbb34e487a16342b721035f7f7ef26b962140aba9ba1a1a31e6bbacdfb406017f97449d3a6996b3266306bde62db2af8a3523ac5c65181b9b1818d1266a8d15ffb80675f84369411ab2bac744316180fbe08aa635dddc9dcaac7e249241665029b3ccae3b996840020dd46ce83e97a399568dcf1f58a8e29ee2535f5801ee006767218c01b31834e9ad0cf2cfd32321b16bd009233ea6a1896fbe2f6ebc2a6edfb8fcef6e4b90326b53b657f663f1f741f7f790abc2d97a1d57a3d3c2e024f783fe01dd00bad7254a1a21");
+
+    // Repeat test with non-empty aad - only mac tags (last 16 bytes) in the expected outputs change
+    TestBIP324CipherSuite("c6d7bc3a5079ae98fec7094bdfb42aac61d3ba64af179d672c7c33fd4a139647",
+                          "fc0000f195e66982105ffb640bb7757f579da31602fc93ec01ac56f85ac3c134a4547b733b46413042c9440049176905d3be59ea1c53f15916155c2be8241a38008b9a26bc35941e2444177c8ade6689de95264986d95889fb60e84629c9bd9a5acb1cc118be563eb9b3a4a472f82e09a7e778492b562ef7130e88dfe031c79db9d4f7c7a899151b9a475032b63fc385245fe054e3dd5a97a5f576fe064025d3ce042c566ab2c507b138db853e3d6959660996546cc9c4a6eafdc777c040d70eaf46f76dad3979e5c5360c3317166a1c894c94a371876a94df7628fe4eaaf2ccb27d5aaae0ad7ad0f9d4b6ad3b54098746d4524d38407a6deb3ab78fab78c9",
+                          "ff0102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+                          "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f",
+                          "6f5ef19ed6f1a5e2db2b119494f21d8c2de638a4c6ec3b5b4d43f3196152ea10",
+                          "c641c1184442315c7340b89171039acb48f95287e66e56f7afa7cf00f95044d26fb69d46ac5c16a2d57a1cadc39160644717559e73480734410a3f543c5f231a7d7ed77af2a64681f6a7417283cef85504ac5de9fdea100e6c67ef7a1bfcd888a92a5f1ef2c9074b44b572aa748f29ff61a850ce40470004dff5cc1d926c5abe25ace47a12c5373094a26bab027e008154fb630aa062490b5421e96691a3f79557f7a79e3cfd9100796671ea241703ddf326f113adf1694bbd6e0ca032e16f936e7bfbf174e7ef4af5b53a6a9102e6fa41a8e589290f39a7bc7a6003088c612a43a36c2e9f2e740797ad3a2a1a80e0f67157fb9abc40487077368e94751a266a0b2dac4d382097b958da569f3b6fae3faaaaf2",
+                          "7e3f8da87ddd62416fa860e3dcc8a999385425c07809de3b763e82545549d93f43a4cdb01b20e1049f68f31b13728fdf60fd8d65099ecc65d7fd90925733b7372057fa2174e487228fbb34e487a16342b721035f7f7ef26b962140aba9ba1a1a31e6bbacdfb406017f97449d3a6996b3266306bde62db2af8a3523ac5c65181b9b1818d1266a8d15ffb80675f84369411ab2bac744316180fbe08aa635dddc9dcaac7e249241665029b3ccae3b996840020dd46ce83e97a399568dcf1f58a8e29ee2535f5801ee006767218c01b31834e9ad0cf2cfd32321b16bd009233ea6a1896fbe2f6ebc2a6edfb8fcef6e4b90326b53b657f663f1f741f7f790abc2d97a1d57a3e4a4b8689de67234c56961b9d0e71c35");
 }
 
 BOOST_AUTO_TEST_CASE(countbits_tests)

src/test/fuzz/crypto_bip324_suite.cpp

@@ -37,6 +37,8 @@ FUZZ_TARGET(crypto_bip324_suite)
     std::vector<std::byte> out(BIP324_LENGTH_FIELD_LEN + BIP324_HEADER_LEN + buffer_size + RFC8439_TAGLEN, std::byte{0x00});
     bool is_encrypt = fdp.ConsumeBool();
     BIP324HeaderFlags flags{fdp.ConsumeIntegralInRange<uint8_t>(0, 255)};
+    size_t aad_size = fdp.ConsumeIntegralInRange<size_t>(0, 255);
+    auto aad = fdp.ConsumeBytes<std::byte>(aad_size);
     LIMITED_WHILE(fdp.ConsumeBool(), 10000)
     {
         CallOneOf(
@@ -50,7 +52,7 @@ FUZZ_TARGET(crypto_bip324_suite)
                 flags = BIP324HeaderFlags{fdp.ConsumeIntegralInRange<uint8_t>(0, 255)};
             },
             [&] {
-                (void)suite.Crypt(in, out, flags, is_encrypt);
+                (void)suite.Crypt(aad, in, out, flags, is_encrypt);
             },
             [&] {
                 std::array<std::byte, BIP324_LENGTH_FIELD_LEN> len_ciphertext;