Crypto: replace ocaml-tweetnacl with ocaml-hacl

src/lib_client_base/client_keys.ml

@@ -207,9 +207,8 @@ let gen_keys_containing ?(prefix=false) ?(force=false) ~containing ~name (cctxt
               (fun key -> try ignore (Re.Str.search_forward re key 0); true
                 with Not_found -> false) in
           let rec loop attempts =
-            let seed = Ed25519.Seed.generate () in
             let public_key_hash, public_key, secret_key =
-              Signature.generate_key ~seed () in
+              Signature.generate_key () in
             let hash = Signature.Public_key_hash.to_b58check @@
               Signature.Public_key.hash public_key in
             if matches hash

src/lib_client_base/client_keys.mli

@@ -113,7 +113,7 @@ val append :
 val gen_keys :
   ?force:bool ->
   ?algo:Signature.algo ->
-  ?seed:Ed25519.Seed.t ->
+  ?seed:MBytes.t ->
   #Client_context.io_wallet -> string -> unit tzresult Lwt.t
 
 val register_key :

src/lib_client_base_unix/client_signer_encrypted.ml

@@ -46,7 +46,7 @@ module Encrypted_signer : SIGNER = struct
   let rec decrypt_sk sk salt = function
     | [] -> None
     | password :: pws ->
-        let key = Crypto_box.Secretbox.of_bytes_exn (pbkdf ~password ~salt) in
+        let key = Crypto_box.Secretbox.unsafe_of_bytes (pbkdf ~password ~salt) in
         match Crypto_box.Secretbox.box_open key sk nonce with
         | None -> decrypt_sk sk salt pws
         | Some sk -> Some sk
@@ -63,7 +63,7 @@ module Encrypted_signer : SIGNER = struct
     cctxt#prompt_password "Enter password for encrypted key %s: " name >>= fun password ->
     let password = MBytes.of_string password in
     let key = pbkdf ~salt ~password in
-    let key = Crypto_box.Secretbox.of_bytes_exn key in
+    let key = Crypto_box.Secretbox.unsafe_of_bytes key in
     match Crypto_box.Secretbox.box_open key skenc nonce with
     | None -> passwd_ask_loop cctxt ~name ~salt ~skenc
     | Some decrypted_sk ->
@@ -111,7 +111,7 @@ module Encrypted_signer : SIGNER = struct
     input_new_passphrase cctxt >>=? fun password ->
     let password = MBytes.of_string password in
     let salt = Rand.generate salt_len in
-    let key = Crypto_box.Secretbox.of_bytes_exn (pbkdf ~password ~salt) in
+    let key = Crypto_box.Secretbox.unsafe_of_bytes (pbkdf ~password ~salt) in
     let msg = Data_encoding.Binary.to_bytes Signature.Secret_key.encoding sk in
     let encrypted_passwd = Crypto_box.Secretbox.box key msg nonce in
     let payload = MBytes.(to_string (concat "" [salt; encrypted_passwd])) in

src/lib_crypto/crypto_box.ml

@@ -9,26 +9,36 @@
 
 (** Tezos - X25519/XSalsa20-Poly1305 cryptography *)
 
-open Tweetnacl
+open Hacl
 
-type secret_key = Box.secret Box.key
+type secret_key = secret Box.key
-type public_key = Box.public Box.key
+type public_key = public Box.key
 type channel_key = Box.combined Box.key
-type nonce = Nonce.t
+type nonce = Bigstring.t
 type target = Z.t
 
 module Secretbox = struct
   include Secretbox
-
-  let box key msg nonce = box ~key ~msg ~nonce
-
-  let box_open key cmsg nonce = box_open ~key ~cmsg ~nonce
-
   let box_noalloc key nonce msg =
-    box_noalloc ~key ~nonce ~msg
+    box ~key ~nonce ~msg ~cmsg:msg
 
   let box_open_noalloc key nonce cmsg =
-    box_open_noalloc ~key ~nonce ~cmsg
+    box_open ~key ~nonce ~cmsg ~msg:cmsg
+
+  let box key msg nonce =
+    let msglen = MBytes.length msg in
+    let cmsg = MBytes.create (msglen + zerobytes) in
+    MBytes.fill cmsg '\x00' ;
+    MBytes.blit msg 0 cmsg zerobytes msglen ;
+    box ~key ~nonce ~msg:cmsg ~cmsg ;
+    cmsg
+
+  let box_open key cmsg nonce =
+    let cmsglen = MBytes.length cmsg in
+    let msg = MBytes.create cmsglen in
+    match box_open ~key ~nonce ~cmsg ~msg with
+    | false -> None
+    | true -> Some (MBytes.sub msg zerobytes (cmsglen - zerobytes))
 end
 
 module Public_key_hash = Blake2B.Make (Base58) (struct
@@ -42,7 +52,7 @@ let () =
   Base58.check_encoded_prefix Public_key_hash.b58check_encoding "id" 30
 
 let hash pk =
-  Public_key_hash.hash_bytes [Box.to_bytes pk]
+  Public_key_hash.hash_bytes [Box.unsafe_to_bytes pk]
 
 let zerobytes = Box.zerobytes
 let boxzerobytes = Box.boxzerobytes
@@ -51,33 +61,32 @@ let random_keypair () =
   let pk, sk = Box.keypair () in
   sk, pk, hash pk
 
-let zero_nonce = Tweetnacl.Nonce.(of_bytes_exn (MBytes.make bytes '\x00'))
+let zero_nonce = MBytes.make Nonce.bytes '\x00'
 let random_nonce = Nonce.gen
 let increment_nonce = Nonce.increment
 
-let box sk pk msg nonce = Box.box ~sk ~pk ~msg ~nonce
+let precompute sk pk = Box.dh pk sk
-
-let box_open sk pk cmsg nonce = Box.box_open ~sk ~pk ~cmsg ~nonce
-
-let box_noalloc sk pk nonce msg =
-  Box.box_noalloc ~sk ~pk ~nonce ~msg
-
-let box_open_noalloc sk pk nonce cmsg =
-  Box.box_open_noalloc ~sk ~pk ~nonce ~cmsg
-
-let precompute sk pk = Box.combine pk sk
-
-let fast_box k msg nonce =
-  Box.box_combined ~k ~msg ~nonce
-
-let fast_box_open k cmsg nonce =
-  Box.box_open_combined ~k ~cmsg ~nonce
 
 let fast_box_noalloc k nonce msg =
-  Box.box_combined_noalloc ~k ~nonce ~msg
+  Box.box ~k ~nonce ~msg ~cmsg:msg
 
 let fast_box_open_noalloc k nonce cmsg =
-  Box.box_open_combined_noalloc ~k ~nonce ~cmsg
+  Box.box_open ~k ~nonce ~cmsg ~msg:cmsg
+
+let fast_box k msg nonce =
+  let msglen = MBytes.length msg in
+  let cmsg = MBytes.create (msglen + zerobytes) in
+  MBytes.fill cmsg '\x00' ;
+  MBytes.blit msg 0 cmsg zerobytes msglen ;
+  Box.box ~k ~nonce ~msg:cmsg ~cmsg ;
+  cmsg
+
+let fast_box_open k cmsg nonce =
+  let cmsglen = MBytes.length cmsg in
+  let msg = MBytes.create cmsglen in
+  match Box.box_open ~k ~nonce ~cmsg ~msg with
+  | false -> None
+  | true -> Some (MBytes.sub msg zerobytes (cmsglen - zerobytes))
 
 let compare_target hash target =
   let hash = Z.of_bits (Blake2B.to_string hash) in
@@ -106,8 +115,8 @@ let default_target = make_target 24.
 let check_proof_of_work pk nonce target =
   let hash =
     Blake2B.hash_bytes [
-      Box.to_bytes pk ;
+      Box.unsafe_to_bytes pk ;
-      Nonce.to_bytes nonce ;
+      nonce ;
     ] in
   compare_target hash target
 
@@ -124,16 +133,28 @@ let generate_proof_of_work ?max pk target =
       loop (Nonce.increment nonce) (cpt + 1) in
   loop (random_nonce ()) 0
 
-let public_key_to_bigarray = Box.to_bytes
+let public_key_to_bigarray pk =
-let public_key_of_bigarray = Box.pk_of_bytes_exn
+  let buf = MBytes.create Box.pkbytes in
+  Box.blit_to_bytes pk buf ;
+  buf
+
+let public_key_of_bigarray buf =
+  let pk = MBytes.copy buf in
+  Box.unsafe_pk_of_bytes pk
+
 let public_key_size = Box.pkbytes
 
-let secret_key_to_bigarray = Box.to_bytes
+let secret_key_to_bigarray sk =
-let secret_key_of_bigarray = Box.sk_of_bytes_exn
+  let buf = MBytes.create Box.skbytes in
+  Box.blit_to_bytes sk buf ;
+  buf
+
+let secret_key_of_bigarray buf =
+  let sk = MBytes.copy buf in
+  Box.unsafe_sk_of_bytes sk
+
 let secret_key_size = Box.skbytes
 
-let nonce_to_bigarray = Nonce.to_bytes
-let nonce_of_bigarray = Nonce.of_bytes_exn
 let nonce_size = Nonce.bytes
 
 let public_key_encoding =
@@ -151,9 +172,4 @@ let secret_key_encoding =
     (Fixed.bytes secret_key_size)
 
 let nonce_encoding =
-  let open Data_encoding in
+  Data_encoding.Fixed.bytes nonce_size
-  conv
-    nonce_to_bigarray
-    nonce_of_bigarray
-    (Fixed.bytes nonce_size)
-

src/lib_crypto/crypto_box.mli

@@ -9,7 +9,8 @@
 
 (** Tezos - X25519/XSalsa20-Poly1305 cryptography *)
 
-type nonce
+type nonce = Bigstring.t
+val nonce_size : int
 
 val zero_nonce : nonce
 val random_nonce : unit -> nonce
@@ -18,17 +19,13 @@ val increment_nonce : ?step:int -> nonce -> nonce
 module Secretbox : sig
   type key
 
-  val zerobytes : int
+  val unsafe_of_bytes : MBytes.t -> key
-  val boxzerobytes : int
-
-  val of_bytes : MBytes.t -> key option
-  val of_bytes_exn : MBytes.t -> key
-
-  val box : key -> MBytes.t -> nonce -> MBytes.t
-  val box_open : key -> MBytes.t -> nonce -> MBytes.t option
 
   val box_noalloc : key -> nonce -> MBytes.t -> unit
   val box_open_noalloc : key -> nonce -> MBytes.t -> bool
+
+  val box : key -> MBytes.t -> nonce -> MBytes.t
+  val box_open : key -> MBytes.t -> nonce -> MBytes.t option
 end
 
 type target
@@ -47,12 +44,6 @@ val boxzerobytes : int
 
 val random_keypair : unit -> secret_key * public_key * Public_key_hash.t
 
-val box : secret_key -> public_key -> MBytes.t -> nonce -> MBytes.t
-val box_open : secret_key -> public_key -> MBytes.t -> nonce -> MBytes.t option
-
-val box_noalloc : secret_key -> public_key -> nonce -> MBytes.t -> unit
-val box_open_noalloc : secret_key -> public_key -> nonce -> MBytes.t -> bool
-
 val precompute : secret_key -> public_key -> channel_key
 
 val fast_box        : channel_key -> MBytes.t -> nonce -> MBytes.t
@@ -72,10 +63,6 @@ val secret_key_to_bigarray : secret_key -> Cstruct.buffer
 val secret_key_of_bigarray : Cstruct.buffer -> secret_key
 val secret_key_size : int
 
-val nonce_to_bigarray : nonce -> Cstruct.buffer
-val nonce_of_bigarray : Cstruct.buffer -> nonce
-val nonce_size : int
-
 val public_key_encoding : public_key Data_encoding.t
 val secret_key_encoding : secret_key Data_encoding.t
 val nonce_encoding : nonce Data_encoding.t

src/lib_crypto/ed25519.ml

@@ -19,20 +19,35 @@ module Public_key_hash = Blake2B.Make(Base58)(struct
 let () =
   Base58.check_encoded_prefix Public_key_hash.b58check_encoding "tz1" 36
 
-open Tweetnacl
+open Hacl
 
 module Public_key = struct
 
-  type t = Sign.public Sign.key
+  type t = public Sign.key
 
   let name = "Ed25519.Public_key"
   let title = "Ed25519 public key"
 
-  let to_string s = MBytes.to_string (Sign.to_bytes s)
+  let to_string s = MBytes.to_string (Sign.unsafe_to_bytes s)
-  let of_string_opt s = Sign.pk_of_bytes (MBytes.of_string s)
+  let of_string_opt s =
+    if String.length s < Sign.pkbytes then None
+    else
+      let pk = MBytes.create Sign.pkbytes in
+      MBytes.blit_of_string s 0 pk 0 Sign.pkbytes ;
+      Some (Sign.unsafe_pk_of_bytes pk)
 
-  let to_bytes = Sign.to_bytes
+  let to_bytes pk =
-  let of_bytes_opt = Sign.pk_of_bytes
+    let buf = MBytes.create Sign.pkbytes in
+    Sign.blit_to_bytes pk buf ;
+    buf
+
+  let of_bytes_opt buf =
+    let buflen = MBytes.length buf in
+    if buflen < Sign.pkbytes then None
+    else
+      let pk = MBytes.create Sign.pkbytes in
+      MBytes.blit buf 0 pk 0 Sign.pkbytes ;
+      Some (Sign.unsafe_pk_of_bytes pk)
 
   let size = Sign.pkbytes
 
@@ -51,12 +66,12 @@ module Public_key = struct
     Base58.check_encoded_prefix b58check_encoding "edpk" 54
 
   let hash v =
-    Public_key_hash.hash_bytes [ Sign.to_bytes v ]
+    Public_key_hash.hash_bytes [ Sign.unsafe_to_bytes v ]
 
   include Compare.Make(struct
       type nonrec t = t
       let compare a b =
-        MBytes.compare (Sign.to_bytes a) (Sign.to_bytes b)
+        MBytes.compare (Sign.unsafe_to_bytes a) (Sign.unsafe_to_bytes b)
     end)
 
   include Helpers.MakeRaw(struct
@@ -94,24 +109,29 @@ end
 
 module Secret_key = struct
 
-  type t = Sign.secret Sign.key
+  type t = secret Sign.key
 
   let name = "Ed25519.Secret_key"
   let title = "An Ed25519 secret key"
 
-  let size = Sign.seedbytes
+  let size = Sign.skbytes
+
+  let to_bytes sk =
+    let buf = MBytes.create Sign.skbytes in
+    Sign.blit_to_bytes sk buf ;
+    buf
 
-  let to_bytes = Sign.seed
   let of_bytes_opt s =
-    match MBytes.length s with
+    if MBytes.length s > 64 then None
-    | 32 -> let _pk, sk = Sign.keypair ~seed:s () in Some sk
+    else
-    | 64 -> Sign.sk_of_bytes s
+      let sk = MBytes.create Sign.skbytes in
-    | _ -> None
+      MBytes.blit s 0 sk 0 Sign.skbytes ;
+      Some (Sign.unsafe_sk_of_bytes sk)
 
   let to_string s = MBytes.to_string (to_bytes s)
   let of_string_opt s = of_bytes_opt (MBytes.of_string s)
 
-  let to_public_key = Sign.public
+  let to_public_key = Sign.neuterize
 
   type Base58.data +=
     | Data of t
@@ -120,20 +140,29 @@ module Secret_key = struct
     Base58.register_encoding
       ~prefix: Base58.Prefix.ed25519_seed
       ~length: size
-      ~to_raw: (fun sk -> MBytes.to_string (Sign.seed sk))
+      ~to_raw: (fun sk -> MBytes.to_string (Sign.unsafe_to_bytes sk))
       ~of_raw: (fun buf ->
-          let seed = MBytes.of_string buf in
+          if String.length buf <> Sign.skbytes then None
-          match Sign.keypair ~seed () with
+          else Some (Sign.unsafe_sk_of_bytes (MBytes.of_string buf)))
-          | exception _ -> None
-          | _pk, sk -> Some sk)
       ~wrap: (fun sk -> Data sk)
 
+  (* Legacy NaCl secret key encoding. Used to store both sk and pk. *)
   let secret_key_encoding =
     Base58.register_encoding
       ~prefix: Base58.Prefix.ed25519_secret_key
-      ~length: Sign.skbytes
+      ~length: Sign.(skbytes + pkbytes)
-      ~to_raw: (fun sk -> MBytes.to_string (Sign.to_bytes sk))
+      ~to_raw: (fun sk ->
-      ~of_raw: (fun buf -> Sign.sk_of_bytes (MBytes.of_string buf))
+          let pk = Sign.neuterize sk in
+          let buf = MBytes.create Sign.(skbytes + pkbytes) in
+          Sign.blit_to_bytes sk buf ;
+          Sign.blit_to_bytes pk ~pos:Sign.skbytes buf ;
+          MBytes.to_string buf)
+      ~of_raw: (fun buf ->
+          if String.length buf <> Sign.(skbytes + pkbytes) then None
+          else
+            let sk = MBytes.create Sign.skbytes in
+            MBytes.blit_of_string buf 0 sk 0 Sign.skbytes ;
+            Some (Sign.unsafe_sk_of_bytes sk))
       ~wrap: (fun x -> Data x)
 
   let of_b58check_opt s =
@@ -165,7 +194,7 @@ module Secret_key = struct
   include Compare.Make(struct
       type nonrec t = t
       let compare a b =
-        MBytes.compare (Sign.to_bytes a) (Sign.to_bytes b)
+        MBytes.compare (Sign.unsafe_to_bytes a) (Sign.unsafe_to_bytes b)
     end)
 
   include Helpers.MakeRaw(struct
@@ -222,11 +251,6 @@ let b58check_encoding =
 let () =
   Base58.check_encoded_prefix b58check_encoding "edsig" 99
 
-include Compare.Make(struct
-    type nonrec t = t
-    let compare = MBytes.compare
-  end)
-
 include Helpers.MakeRaw(struct
     type nonrec t = t
     let name = name
@@ -260,30 +284,32 @@ let pp ppf t = Format.fprintf ppf "%s" (to_b58check t)
 
 let zero = MBytes.make size '\000'
 
-let sign key msg = Sign.detached ~key msg
+let sign sk msg =
+  let signature = MBytes.create Sign.bytes in
+  Sign.sign ~sk ~msg ~signature ;
+  signature
 
-let check public_key signature msg =
+let check pk signature msg =
-  Sign.verify_detached ~key:public_key ~signature msg
+  Sign.verify ~pk ~signature ~msg
 
-module Seed = struct
+let generate_key ?seed () =
-
+  match seed with
-  type t = Bigstring.t
+  | None ->
-
+      let pk, sk = Sign.keypair () in
-  let generate () = Rand.gen 32
+      Public_key.hash pk, pk, sk
-  let extract = Sign.seed
+  | Some seed ->
-
+      let seedlen = MBytes.length seed in
-end
+      if seedlen < Sign.skbytes then
-
+        invalid_arg (Printf.sprintf "Ed25519.generate_key: seed must \
-let generate_seeded_key seed =
+                                     be at least %d bytes long (got %d)"
-  let pk, sk = Sign.keypair ~seed () in
+                       Sign.skbytes seedlen) ;
-  (Public_key.hash pk, pk, sk)
+      let sk = MBytes.create Sign.skbytes in
-
+      MBytes.blit seed 0 sk 0 Sign.skbytes ;
-let generate_key () =
+      let sk = Sign.unsafe_sk_of_bytes sk in
-  let seed = Seed.generate () in
+      let pk = Sign.neuterize sk in
-  generate_seeded_key seed
+      Public_key.hash pk, pk, sk
 
 include Compare.Make(struct
     type nonrec t = t
     let compare = MBytes.compare
   end)
-

src/lib_crypto/ed25519.mli

@@ -10,13 +10,4 @@
 (** Tezos - Ed25519 cryptography *)
 
 include S.SIGNATURE
-
 include S.RAW_DATA with type t := t
-
-module Seed : sig
-  type t
-  val generate : unit -> t
-  val extract : Secret_key.t -> t
-end
-
-val generate_seeded_key: Seed.t -> (Public_key_hash.t * Public_key.t * Secret_key.t)

src/lib_crypto/jbuild

@@ -17,7 +17,7 @@
               lwt
               nocrypto
               blake2
-              tweetnacl
+              hacl
               secp256k1
               zarith))))
 

src/lib_crypto/rand.ml

@@ -7,7 +7,7 @@
 (*                                                                        *)
 (**************************************************************************)
 
-let generate = Tweetnacl.Rand.gen
+let generate = Hacl.Rand.gen
 
 let generate_into ?(pos=0) ?len buf =
   let buflen = MBytes.length buf in
@@ -18,4 +18,4 @@ let generate_into ?(pos=0) ?len buf =
     invalid_arg (Printf.sprintf "Rand.generate_into: \
                                  invalid slice (pos=%d len=%d)" pos len) ;
   let buf = MBytes.sub buf pos len in
-  Tweetnacl.Rand.write buf
+  Hacl.Rand.write buf

src/lib_crypto/s.ml

@@ -208,6 +208,6 @@ module type SIGNATURE = sig
   val sign: Secret_key.t -> MBytes.t -> t
   val check: Public_key.t -> t -> MBytes.t -> bool
 
-  val generate_key: unit -> (Public_key_hash.t * Public_key.t * Secret_key.t)
+  val generate_key: ?seed:MBytes.t -> unit -> (Public_key_hash.t * Public_key.t * Secret_key.t)
 
 end

src/lib_crypto/secp256k1.ml

@@ -245,9 +245,9 @@ let sign sk msg =
 let check public_key signature msg =
   Sign.verify_exn context ~pk:public_key ~msg ~signature
 
-let generate_key () =
+let generate_key ?(seed=Rand.generate 32) () =
-  let sk = Key.read_sk_exn context (Rand.generate 32) in
+  let sk = Key.read_sk_exn context seed in
   let pk = Key.neuterize_exn context sk in
   let pkh = Public_key.hash pk in
-  (pkh, pk, sk)
+  pkh, pk, sk
 

src/lib_crypto/signature.ml

@@ -486,18 +486,12 @@ let algo_param () =
     end
 
 let generate_key ?(algo = Ed25519) ?seed () =
-  match algo, seed with
+  match algo with
-  | Secp256k1, Some _ ->
+  | Secp256k1 ->
-      invalid_arg "Signature.generate_key"
+      let pkh, pk, sk = Secp256k1.generate_key ?seed () in
-  | Secp256k1, None ->
-      let (pkh, pk, sk) = Secp256k1.generate_key () in
       (Public_key_hash.Secp256k1 pkh,
        Public_key.Secp256k1 pk, Secret_key.Secp256k1 sk)
-  | Ed25519, seed ->
+  | Ed25519 ->
-      let seed =
+      let pkh, pk, sk = Ed25519.generate_key ?seed () in
-        match seed with
-        | None -> Ed25519.Seed.generate ()
-        | Some seed -> seed in
-      let (pkh, pk, sk) = Ed25519.generate_seeded_key seed in
       (Public_key_hash.Ed25519 pkh,
        Public_key.Ed25519 pk, Secret_key.Ed25519 sk)

src/lib_crypto/signature.mli

@@ -41,5 +41,5 @@ val algo_param: unit -> (algo, 'a) Clic.parameter
 
 val generate_key:
   ?algo:algo ->
-  ?seed:Ed25519.Seed.t ->
+  ?seed:MBytes.t ->
   unit -> public_key_hash * public_key * secret_key

src/lib_crypto/test/test_ed25519.ml

@@ -7,10 +7,6 @@
 (*                                                                        *)
 (**************************************************************************)
 
-let get_keys () =
-  let seed = Ed25519.Seed.generate () in
-  Ed25519.generate_seeded_key seed
-
 module type B58CHECK = sig
   type t
   val pp: Format.formatter -> t -> unit
@@ -29,7 +25,7 @@ let test_b58check_roundtrip
       input
 
 let test_b58check_roundtrips () =
-  let (pubkey_hash, pubkey, seckey) = get_keys () in
+  let pubkey_hash, pubkey, seckey = Ed25519.generate_key () in
   test_b58check_roundtrip (module Ed25519.Public_key_hash) pubkey_hash;
   test_b58check_roundtrip (module Ed25519.Public_key) pubkey;
   test_b58check_roundtrip (module Ed25519.Secret_key) seckey

src/lib_crypto/tezos-crypto.opam

@@ -17,7 +17,7 @@ depends: [
   "lwt"
   "nocrypto"
   "blake2"
-  "tweetnacl"
+  "hacl"
   "zarith"
   "secp256k1"
   "alcotest" { test & >= "0.8.3" }