Prevent nonce reuse in Sapling note encryption API.
This commit is contained in:
parent
90073aeca5
commit
c03e22612d
|
@ -78,6 +78,35 @@ TEST(noteencryption, sapling_api)
|
||||||
small_message
|
small_message
|
||||||
);
|
);
|
||||||
|
|
||||||
|
// Test nonce-reuse resistance of API
|
||||||
|
{
|
||||||
|
auto tmp_enc = *SaplingNoteEncryption::FromDiversifier(pk_1.d);
|
||||||
|
|
||||||
|
tmp_enc.encrypt_to_recipient(
|
||||||
|
pk_1.pk_d,
|
||||||
|
message
|
||||||
|
);
|
||||||
|
|
||||||
|
ASSERT_THROW(tmp_enc.encrypt_to_recipient(
|
||||||
|
pk_1.pk_d,
|
||||||
|
message
|
||||||
|
), std::logic_error);
|
||||||
|
|
||||||
|
tmp_enc.encrypt_to_ourselves(
|
||||||
|
sk.ovk,
|
||||||
|
cv_2,
|
||||||
|
cm_2,
|
||||||
|
small_message
|
||||||
|
);
|
||||||
|
|
||||||
|
ASSERT_THROW(tmp_enc.encrypt_to_ourselves(
|
||||||
|
sk.ovk,
|
||||||
|
cv_2,
|
||||||
|
cm_2,
|
||||||
|
small_message
|
||||||
|
), std::logic_error);
|
||||||
|
}
|
||||||
|
|
||||||
// Try to decrypt
|
// Try to decrypt
|
||||||
auto plaintext_1 = *AttemptSaplingEncDecryption(
|
auto plaintext_1 = *AttemptSaplingEncDecryption(
|
||||||
ciphertext_1,
|
ciphertext_1,
|
||||||
|
|
|
@ -121,6 +121,10 @@ boost::optional<SaplingEncCiphertext> SaplingNoteEncryption::encrypt_to_recipien
|
||||||
const SaplingEncPlaintext &message
|
const SaplingEncPlaintext &message
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
|
if (already_encrypted_enc) {
|
||||||
|
throw std::logic_error("already encrypted to the recipient using this key");
|
||||||
|
}
|
||||||
|
|
||||||
uint256 dhsecret;
|
uint256 dhsecret;
|
||||||
|
|
||||||
if (!librustzcash_sapling_ka_agree(pk_d.begin(), esk.begin(), dhsecret.begin())) {
|
if (!librustzcash_sapling_ka_agree(pk_d.begin(), esk.begin(), dhsecret.begin())) {
|
||||||
|
@ -143,6 +147,8 @@ boost::optional<SaplingEncCiphertext> SaplingNoteEncryption::encrypt_to_recipien
|
||||||
NULL, cipher_nonce, K
|
NULL, cipher_nonce, K
|
||||||
);
|
);
|
||||||
|
|
||||||
|
already_encrypted_enc = true;
|
||||||
|
|
||||||
return ciphertext;
|
return ciphertext;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -188,6 +194,10 @@ SaplingOutCiphertext SaplingNoteEncryption::encrypt_to_ourselves(
|
||||||
const SaplingOutPlaintext &message
|
const SaplingOutPlaintext &message
|
||||||
)
|
)
|
||||||
{
|
{
|
||||||
|
if (already_encrypted_out) {
|
||||||
|
throw std::logic_error("already encrypted to the recipient using this key");
|
||||||
|
}
|
||||||
|
|
||||||
// Construct the symmetric key
|
// Construct the symmetric key
|
||||||
unsigned char K[NOTEENCRYPTION_CIPHER_KEYSIZE];
|
unsigned char K[NOTEENCRYPTION_CIPHER_KEYSIZE];
|
||||||
PRF_ock(K, ovk, cv, cm, epk);
|
PRF_ock(K, ovk, cv, cm, epk);
|
||||||
|
@ -204,6 +214,8 @@ SaplingOutCiphertext SaplingNoteEncryption::encrypt_to_ourselves(
|
||||||
NULL, cipher_nonce, K
|
NULL, cipher_nonce, K
|
||||||
);
|
);
|
||||||
|
|
||||||
|
already_encrypted_out = true;
|
||||||
|
|
||||||
return ciphertext;
|
return ciphertext;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,10 @@ protected:
|
||||||
// Ephemeral secret key
|
// Ephemeral secret key
|
||||||
uint256 esk;
|
uint256 esk;
|
||||||
|
|
||||||
SaplingNoteEncryption(uint256 epk, uint256 esk) : epk(epk), esk(esk) {
|
bool already_encrypted_enc;
|
||||||
|
bool already_encrypted_out;
|
||||||
|
|
||||||
|
SaplingNoteEncryption(uint256 epk, uint256 esk) : epk(epk), esk(esk), already_encrypted_enc(false), already_encrypted_out(false) {
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue