common/sphinx: don't use temporary to xor in cipher stream.

The chacha API makes this a bit awkward, to we use a helper. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
2025-03-01 17:47:30 +01:00 · 2020-12-08 17:18:21 +10:30 · 2020-12-08 17:18:21 +10:30 · b5ab7e3ce3
commit b5ab7e3ce3
parent 0701f74878
2 changed files with 212 additions and 17 deletions
--- a/common/sphinx.c
+++ b/common/sphinx.c
@ -170,14 +170,6 @@ enum onion_wire parse_onionpacket(const u8 *src,
 	return 0;
 }

-static void xorbytes(uint8_t *d, const uint8_t *a, const uint8_t *b, size_t len)
-{
-	size_t i;
-
-	for (i = 0; i < len; i++)
-		d[i] = a[i] ^ b[i];
-}
-
 /*
 * Generate a pseudo-random byte stream of length `dstlen` from key `k` and
 * store it in `dst`. `dst must be at least `dstlen` bytes long.
@ -197,6 +189,45 @@ static void xor_cipher_stream(void *dst, const struct secret *k, size_t dstlen)
 	crypto_stream_chacha20_xor(dst, dst, dstlen, nonce, k->data);
 }

+#define CHACHA20_BLOCK_BYTES 64
+
+static void xor_cipher_stream_off(const struct secret *k,
+				  size_t off,
+				  void *dst, size_t dstlen)
+{
+	const u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	u8 block[CHACHA20_BLOCK_BYTES];
+	size_t block_off;
+	size_t ic = off / CHACHA20_BLOCK_BYTES;
+
+	/* From https://libsodium.gitbook.io/doc/advanced/stream_ciphers/chacha20:
+	 *
+	 * The crypto_stream_chacha20_xor_ic() function is similar to
+	 * crypto_stream_chacha20_xor() but adds the ability to set
+	 * the initial value of the block counter to a non-zero value,
+	 * ic.
+	 *
+	 * This permits direct access to any block without having to
+	 * compute the previous ones.
+	 */
+	block_off = (off % CHACHA20_BLOCK_BYTES);
+	if (block_off != 0) {
+		size_t rem = CHACHA20_BLOCK_BYTES - block_off;
+		if (rem > dstlen)
+			rem = dstlen;
+		memcpy(block + block_off, dst, rem);
+		crypto_stream_chacha20_xor_ic(block, block, block_off + rem,
+					      nonce,
+					      ic,
+					      k->data);
+		ic++;
+		memcpy(dst, block + block_off, rem);
+		dst = (char *)dst + rem;
+		dstlen -= rem;
+	}
+	crypto_stream_chacha20_xor_ic(dst, dst, dstlen, nonce, ic, k->data);
+}
+
 /* Convenience function: s2/s2len can be NULL/0 if unwanted */
 static void compute_hmac(const struct secret *key,
 			 const u8 *s1, size_t s1len,
@ -226,7 +257,6 @@ static void generate_header_padding(void *dst, size_t dstlen,
 				    const struct sphinx_path *path,
 				    struct hop_params *params)
 {
-	u8 stream[2 * ROUTING_INFO_SIZE];
 	struct secret key;
 	size_t fillerStart, fillerEnd, fillerSize;

@ -234,8 +264,6 @@ static void generate_header_padding(void *dst, size_t dstlen,
 	for (int i = 0; i < tal_count(path->hops) - 1; i++) {
 		subkey_from_hmac("rho", &params[i].secret, &key);

-		generate_cipher_stream(stream, &key, sizeof(stream));
-
 		/* Sum up how many bytes have been used by previous hops,
 		 * that gives us the start in the stream */
 		fillerSize = 0;
@ -250,8 +278,8 @@ static void generate_header_padding(void *dst, size_t dstlen,

 		/* Apply the cipher-stream to the part of the filler that'll
 		 * be added by this hop */
-		xorbytes(dst, dst, stream + fillerStart,
-			 fillerEnd - fillerStart);
+		xor_cipher_stream_off(&key, fillerStart,
+				      dst, fillerEnd - fillerStart);
 	}
 }

@ -259,7 +287,6 @@ static void generate_prefill(void *dst, size_t dstlen,
 			     const struct sphinx_path *path,
 			     struct hop_params *params)
 {
-	u8 stream[2 * ROUTING_INFO_SIZE];
 	struct secret key;
 	size_t fillerStart, fillerSize;

@ -267,8 +294,6 @@ static void generate_prefill(void *dst, size_t dstlen,
 	for (int i = 0; i < tal_count(path->hops); i++) {
 		subkey_from_hmac("rho", &params[i].secret, &key);

-		generate_cipher_stream(stream, &key, sizeof(stream));
-
 		/* Sum up how many bytes have been used by previous hops,
 		 * that gives us the start in the stream */
 		fillerSize = 0;
@ -278,7 +303,7 @@ static void generate_prefill(void *dst, size_t dstlen,

 		/* Apply the cipher-stream to the part of the filler that'll
 		 * be added by this hop */
-		xorbytes(dst, dst, stream + fillerStart, dstlen);
+		xor_cipher_stream_off(&key, fillerStart, dst, dstlen);
 	}
 }

--- a/common/test/run-sphinx-xor_cipher_stream.c
+++ b/common/test/run-sphinx-xor_cipher_stream.c
@ -0,0 +1,170 @@
+#include "../sphinx.c"
+#include <assert.h>
+#include <common/setup.h>
+#include <stdio.h>
+#include <unistd.h>
+
+/* AUTOGENERATED MOCKS START */
+/* Generated stub for amount_asset_is_main */
+bool amount_asset_is_main(struct amount_asset *asset UNNEEDED)
+{ fprintf(stderr, "amount_asset_is_main called!\n"); abort(); }
+/* Generated stub for amount_asset_to_sat */
+struct amount_sat amount_asset_to_sat(struct amount_asset *asset UNNEEDED)
+{ fprintf(stderr, "amount_asset_to_sat called!\n"); abort(); }
+/* Generated stub for amount_sat */
+struct amount_sat amount_sat(u64 satoshis UNNEEDED)
+{ fprintf(stderr, "amount_sat called!\n"); abort(); }
+/* Generated stub for amount_sat_add */
+ bool amount_sat_add(struct amount_sat *val UNNEEDED,
+				       struct amount_sat a UNNEEDED,
+				       struct amount_sat b UNNEEDED)
+{ fprintf(stderr, "amount_sat_add called!\n"); abort(); }
+/* Generated stub for amount_sat_eq */
+bool amount_sat_eq(struct amount_sat a UNNEEDED, struct amount_sat b UNNEEDED)
+{ fprintf(stderr, "amount_sat_eq called!\n"); abort(); }
+/* Generated stub for amount_sat_greater_eq */
+bool amount_sat_greater_eq(struct amount_sat a UNNEEDED, struct amount_sat b UNNEEDED)
+{ fprintf(stderr, "amount_sat_greater_eq called!\n"); abort(); }
+/* Generated stub for amount_sat_sub */
+ bool amount_sat_sub(struct amount_sat *val UNNEEDED,
+				       struct amount_sat a UNNEEDED,
+				       struct amount_sat b UNNEEDED)
+{ fprintf(stderr, "amount_sat_sub called!\n"); abort(); }
+/* Generated stub for amount_sat_to_asset */
+struct amount_asset amount_sat_to_asset(struct amount_sat *sat UNNEEDED, const u8 *asset UNNEEDED)
+{ fprintf(stderr, "amount_sat_to_asset called!\n"); abort(); }
+/* Generated stub for amount_tx_fee */
+struct amount_sat amount_tx_fee(u32 fee_per_kw UNNEEDED, size_t weight UNNEEDED)
+{ fprintf(stderr, "amount_tx_fee called!\n"); abort(); }
+/* Generated stub for fromwire */
+const u8 *fromwire(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, void *copy UNNEEDED, size_t n UNNEEDED)
+{ fprintf(stderr, "fromwire called!\n"); abort(); }
+/* Generated stub for fromwire_amount_sat */
+struct amount_sat fromwire_amount_sat(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_amount_sat called!\n"); abort(); }
+/* Generated stub for fromwire_bool */
+bool fromwire_bool(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_bool called!\n"); abort(); }
+/* Generated stub for fromwire_fail */
+void *fromwire_fail(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_fail called!\n"); abort(); }
+/* Generated stub for fromwire_hmac */
+void fromwire_hmac(const u8 **ptr UNNEEDED, size_t *max UNNEEDED, struct hmac *hmac UNNEEDED)
+{ fprintf(stderr, "fromwire_hmac called!\n"); abort(); }
+/* Generated stub for fromwire_secp256k1_ecdsa_signature */
+void fromwire_secp256k1_ecdsa_signature(const u8 **cursor UNNEEDED, size_t *max UNNEEDED,
+					secp256k1_ecdsa_signature *signature UNNEEDED)
+{ fprintf(stderr, "fromwire_secp256k1_ecdsa_signature called!\n"); abort(); }
+/* Generated stub for fromwire_sha256 */
+void fromwire_sha256(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, struct sha256 *sha256 UNNEEDED)
+{ fprintf(stderr, "fromwire_sha256 called!\n"); abort(); }
+/* Generated stub for fromwire_tal_arrn */
+u8 *fromwire_tal_arrn(const tal_t *ctx UNNEEDED,
+		       const u8 **cursor UNNEEDED, size_t *max UNNEEDED, size_t num UNNEEDED)
+{ fprintf(stderr, "fromwire_tal_arrn called!\n"); abort(); }
+/* Generated stub for fromwire_u16 */
+u16 fromwire_u16(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_u16 called!\n"); abort(); }
+/* Generated stub for fromwire_u32 */
+u32 fromwire_u32(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_u32 called!\n"); abort(); }
+/* Generated stub for fromwire_u64 */
+u64 fromwire_u64(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_u64 called!\n"); abort(); }
+/* Generated stub for fromwire_u8 */
+u8 fromwire_u8(const u8 **cursor UNNEEDED, size_t *max UNNEEDED)
+{ fprintf(stderr, "fromwire_u8 called!\n"); abort(); }
+/* Generated stub for fromwire_u8_array */
+void fromwire_u8_array(const u8 **cursor UNNEEDED, size_t *max UNNEEDED, u8 *arr UNNEEDED, size_t num UNNEEDED)
+{ fprintf(stderr, "fromwire_u8_array called!\n"); abort(); }
+/* Generated stub for hmac_done */
+void hmac_done(crypto_auth_hmacsha256_state *state UNNEEDED,
+	       struct hmac *hmac UNNEEDED)
+{ fprintf(stderr, "hmac_done called!\n"); abort(); }
+/* Generated stub for hmac_start */
+void hmac_start(crypto_auth_hmacsha256_state *state UNNEEDED,
+		const void *key UNNEEDED, size_t klen UNNEEDED)
+{ fprintf(stderr, "hmac_start called!\n"); abort(); }
+/* Generated stub for hmac_update */
+void hmac_update(crypto_auth_hmacsha256_state *state UNNEEDED,
+		 const void *src UNNEEDED, size_t slen UNNEEDED)
+{ fprintf(stderr, "hmac_update called!\n"); abort(); }
+/* Generated stub for new_onionreply */
+struct onionreply *new_onionreply(const tal_t *ctx UNNEEDED, const u8 *contents TAKES UNNEEDED)
+{ fprintf(stderr, "new_onionreply called!\n"); abort(); }
+/* Generated stub for onion_payload_length */
+size_t onion_payload_length(const u8 *raw_payload UNNEEDED, size_t len UNNEEDED,
+			    bool has_realm UNNEEDED,
+			    bool *valid UNNEEDED,
+			    enum onion_payload_type *type UNNEEDED)
+{ fprintf(stderr, "onion_payload_length called!\n"); abort(); }
+/* Generated stub for pubkey_from_node_id */
+bool pubkey_from_node_id(struct pubkey *key UNNEEDED, const struct node_id *id UNNEEDED)
+{ fprintf(stderr, "pubkey_from_node_id called!\n"); abort(); }
+/* Generated stub for subkey_from_hmac */
+void subkey_from_hmac(const char *prefix UNNEEDED,
+		      const struct secret *base UNNEEDED,
+		      struct secret *key UNNEEDED)
+{ fprintf(stderr, "subkey_from_hmac called!\n"); abort(); }
+/* Generated stub for towire */
+void towire(u8 **pptr UNNEEDED, const void *data UNNEEDED, size_t len UNNEEDED)
+{ fprintf(stderr, "towire called!\n"); abort(); }
+/* Generated stub for towire_amount_sat */
+void towire_amount_sat(u8 **pptr UNNEEDED, const struct amount_sat sat UNNEEDED)
+{ fprintf(stderr, "towire_amount_sat called!\n"); abort(); }
+/* Generated stub for towire_bool */
+void towire_bool(u8 **pptr UNNEEDED, bool v UNNEEDED)
+{ fprintf(stderr, "towire_bool called!\n"); abort(); }
+/* Generated stub for towire_hmac */
+void towire_hmac(u8 **pptr UNNEEDED, const struct hmac *hmac UNNEEDED)
+{ fprintf(stderr, "towire_hmac called!\n"); abort(); }
+/* Generated stub for towire_pad */
+void towire_pad(u8 **pptr UNNEEDED, size_t num UNNEEDED)
+{ fprintf(stderr, "towire_pad called!\n"); abort(); }
+/* Generated stub for towire_secp256k1_ecdsa_signature */
+void towire_secp256k1_ecdsa_signature(u8 **pptr UNNEEDED,
+			      const secp256k1_ecdsa_signature *signature UNNEEDED)
+{ fprintf(stderr, "towire_secp256k1_ecdsa_signature called!\n"); abort(); }
+/* Generated stub for towire_sha256 */
+void towire_sha256(u8 **pptr UNNEEDED, const struct sha256 *sha256 UNNEEDED)
+{ fprintf(stderr, "towire_sha256 called!\n"); abort(); }
+/* Generated stub for towire_u16 */
+void towire_u16(u8 **pptr UNNEEDED, u16 v UNNEEDED)
+{ fprintf(stderr, "towire_u16 called!\n"); abort(); }
+/* Generated stub for towire_u32 */
+void towire_u32(u8 **pptr UNNEEDED, u32 v UNNEEDED)
+{ fprintf(stderr, "towire_u32 called!\n"); abort(); }
+/* Generated stub for towire_u64 */
+void towire_u64(u8 **pptr UNNEEDED, u64 v UNNEEDED)
+{ fprintf(stderr, "towire_u64 called!\n"); abort(); }
+/* Generated stub for towire_u8 */
+void towire_u8(u8 **pptr UNNEEDED, u8 v UNNEEDED)
+{ fprintf(stderr, "towire_u8 called!\n"); abort(); }
+/* Generated stub for towire_u8_array */
+void towire_u8_array(u8 **pptr UNNEEDED, const u8 *arr UNNEEDED, size_t num UNNEEDED)
+{ fprintf(stderr, "towire_u8_array called!\n"); abort(); }
+/* AUTOGENERATED MOCKS END */
+
+#define PARTIAL_SIZE 128
+
+int main(int argc, char **argv)
+{
+	const u8 nonce[8] = { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
+	struct secret k;
+	u8 normal[1024];
+
+	common_setup(argv[0]);
+	memset(&k, 1, sizeof(k));
+	crypto_stream_chacha20(normal, sizeof(normal), nonce, k.data);
+
+	for (size_t i = 0; i < sizeof(normal) - PARTIAL_SIZE; i++) {
+		for (size_t len = 0; len < PARTIAL_SIZE; len++) {
+			u8 *partial = tal_arrz(tmpctx, u8, len);
+			xor_cipher_stream_off(&k, i, partial, len);
+			assert(memcmp(partial, normal + i, len) == 0);
+		}
+	}
+
+	common_shutdown();
+	return 0;
+}