[crypto] Fix K1/K2 use in ChaCha20-Poly1305 AEAD

Description

Summary:
BIP324 mentions K1 is used for the associated data and K2 is used for
the payload. The code does the opposite. This is not a security problem
but will be a problem across implementations based on the HKDF key
derivations.

This is a backport of core#22331 and core#23271

Note: this implementation is unused in the current codebase, outside of unit tests, and will be scrapped and replaced in core#28008. I'm only backporting this fix to avoid a test failure in another pre-28008 ChaCha20 backport (core#26153). It makes reviews and merge conflicts simpler to backport this in the right order.

Test Plan: ninja check

Reviewers: #bitcoin_abc, Fabien

Reviewed By: #bitcoin_abc, Fabien

Differential Revision: https://reviews.bitcoinabc.org/D18816

Details

Provenance
Dhruv Mehta <856960+dhruv@users.noreply.github.com> Authored on Jun 18 2021, 20:25
PiRK Committed on Wed, Oct 22, 09:59
PiRK Pushed on Wed, Oct 22, 09:59
Reviewer
Restricted Project
Differential Revision
D18816: [crypto] Fix K1/K2 use in ChaCha20-Poly1305 AEAD
Parents
rABC72011bf44763: Unroll the ChaCha20 inner loop for performance