1 // ring has a garbage API so its use is avoided, but rust-crypto doesn't have RFC-variant poly1305
2 // Instead, we steal rust-crypto's implementation and tweak it to match the RFC.
4 // This file is licensed under the Apache License, Version 2.0 <LICENSE-APACHE
5 // or http://www.apache.org/licenses/LICENSE-2.0> or the MIT license
6 // <LICENSE-MIT or http://opensource.org/licenses/MIT>, at your option.
7 // You may not use this file except in accordance with one or both of these
10 // This is a port of Andrew Moons poly1305-donna
11 // https://github.com/floodyberry/poly1305-donna
13 use ln::msgs::DecodeError;
14 use util::ser::{FixedLengthReader, LengthRead, LengthReadableArgs, Readable, Writeable, Writer};
15 use io::{self, Read, Write};
19 use util::chacha20::ChaCha20;
20 use util::poly1305::Poly1305;
21 use bitcoin::hashes::cmp::fixed_time_eq;
23 #[derive(Clone, Copy)]
24 pub struct ChaCha20Poly1305RFC {
32 impl ChaCha20Poly1305RFC {
34 fn pad_mac_16(mac: &mut Poly1305, len: usize) {
36 mac.input(&[0; 16][0..16 - (len % 16)]);
39 pub fn new(key: &[u8], nonce: &[u8], aad: &[u8]) -> ChaCha20Poly1305RFC {
40 assert!(key.len() == 16 || key.len() == 32);
41 assert!(nonce.len() == 12);
43 // Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
44 assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
46 let mut cipher = ChaCha20::new(key, &nonce[4..]);
47 let mut mac_key = [0u8; 64];
48 let zero_key = [0u8; 64];
49 cipher.process(&zero_key, &mut mac_key);
51 let mut mac = Poly1305::new(&mac_key[..32]);
53 ChaCha20Poly1305RFC::pad_mac_16(&mut mac, aad.len());
60 aad_len: aad.len() as u64,
64 pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
65 assert!(input.len() == output.len());
66 assert!(self.finished == false);
67 self.cipher.process(input, output);
68 self.data_len += input.len();
69 self.mac.input(output);
70 ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
72 self.mac.input(&self.aad_len.to_le_bytes());
73 self.mac.input(&(self.data_len as u64).to_le_bytes());
74 self.mac.raw_result(out_tag);
77 // Encrypt `input_output` in-place. To finish and calculate the tag, use `finish_and_get_tag`
79 pub(super) fn encrypt_in_place(&mut self, input_output: &mut [u8]) {
80 debug_assert!(self.finished == false);
81 self.cipher.process_in_place(input_output);
82 self.data_len += input_output.len();
83 self.mac.input(input_output);
86 // If we were previously encrypting with `encrypt_in_place`, this method can be used to finish
87 // encrypting and calculate the tag.
88 pub(super) fn finish_and_get_tag(&mut self, out_tag: &mut [u8]) {
89 debug_assert!(self.finished == false);
90 ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
92 self.mac.input(&self.aad_len.to_le_bytes());
93 self.mac.input(&(self.data_len as u64).to_le_bytes());
94 self.mac.raw_result(out_tag);
97 pub fn decrypt(&mut self, input: &[u8], output: &mut [u8], tag: &[u8]) -> bool {
98 assert!(input.len() == output.len());
99 assert!(self.finished == false);
101 self.finished = true;
103 self.mac.input(input);
105 self.data_len += input.len();
106 ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
107 self.mac.input(&self.aad_len.to_le_bytes());
108 self.mac.input(&(self.data_len as u64).to_le_bytes());
110 let mut calc_tag = [0u8; 16];
111 self.mac.raw_result(&mut calc_tag);
112 if fixed_time_eq(&calc_tag, tag) {
113 self.cipher.process(input, output);
120 // Decrypt in place, without checking the tag. Use `finish_and_check_tag` to check it
121 // later when decryption finishes.
123 // Should never be `pub` because the public API should always enforce tag checking.
124 pub(super) fn decrypt_in_place(&mut self, input_output: &mut [u8]) {
125 debug_assert!(self.finished == false);
126 self.mac.input(input_output);
127 self.data_len += input_output.len();
128 self.cipher.process_in_place(input_output);
131 // If we were previously decrypting with `decrypt_in_place`, this method must be used to finish
132 // decrypting and check the tag. Returns whether or not the tag is valid.
133 pub(super) fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
134 debug_assert!(self.finished == false);
135 self.finished = true;
136 ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
137 self.mac.input(&self.aad_len.to_le_bytes());
138 self.mac.input(&(self.data_len as u64).to_le_bytes());
140 let mut calc_tag = [0u8; 16];
141 self.mac.raw_result(&mut calc_tag);
142 if fixed_time_eq(&calc_tag, tag) {
151 pub use self::real_chachapoly::ChaCha20Poly1305RFC;
153 /// Enables simultaneously reading and decrypting a ChaCha20Poly1305RFC stream from a std::io::Read.
154 struct ChaChaPolyReader<'a, R: Read> {
155 pub chacha: &'a mut ChaCha20Poly1305RFC,
159 impl<'a, R: Read> Read for ChaChaPolyReader<'a, R> {
160 // Decrypt bytes from Self::read into `dest`.
161 // `ChaCha20Poly1305RFC::finish_and_check_tag` must be called to check the tag after all reads
163 fn read(&mut self, dest: &mut [u8]) -> Result<usize, io::Error> {
164 let res = self.read.read(dest)?;
166 self.chacha.decrypt_in_place(&mut dest[0..res]);
172 /// Enables simultaneously writing and encrypting a byte stream into a Writer.
173 struct ChaChaPolyWriter<'a, W: Writer> {
174 pub chacha: &'a mut ChaCha20Poly1305RFC,
175 pub write: &'a mut W,
178 impl<'a, W: Writer> Writer for ChaChaPolyWriter<'a, W> {
179 // Encrypt then write bytes from `src` into Self::write.
180 // `ChaCha20Poly1305RFC::finish_and_get_tag` can be called to retrieve the tag after all writes
182 fn write_all(&mut self, src: &[u8]) -> Result<(), io::Error> {
184 while src_idx < src.len() {
185 let mut write_buffer = [0; 8192];
186 let bytes_written = (&mut write_buffer[..]).write(&src[src_idx..]).expect("In-memory writes can't fail");
187 self.chacha.encrypt_in_place(&mut write_buffer[..bytes_written]);
188 self.write.write_all(&write_buffer[..bytes_written])?;
189 src_idx += bytes_written;
195 /// Enables the use of the serialization macros for objects that need to be simultaneously encrypted and
196 /// serialized. This allows us to avoid an intermediate Vec allocation.
197 pub(crate) struct ChaChaPolyWriteAdapter<'a, W: Writeable> {
199 pub writeable: &'a W,
202 impl<'a, W: Writeable> ChaChaPolyWriteAdapter<'a, W> {
203 #[allow(unused)] // This will be used for onion messages soon
204 pub fn new(rho: [u8; 32], writeable: &'a W) -> ChaChaPolyWriteAdapter<'a, W> {
205 Self { rho, writeable }
209 impl<'a, T: Writeable> Writeable for ChaChaPolyWriteAdapter<'a, T> {
210 // Simultaneously write and encrypt Self::writeable.
211 fn write<W: Writer>(&self, w: &mut W) -> Result<(), io::Error> {
212 let mut chacha = ChaCha20Poly1305RFC::new(&self.rho, &[0; 12], &[]);
213 let mut chacha_stream = ChaChaPolyWriter { chacha: &mut chacha, write: w };
214 self.writeable.write(&mut chacha_stream)?;
215 let mut tag = [0 as u8; 16];
216 chacha.finish_and_get_tag(&mut tag);
223 /// Enables the use of the serialization macros for objects that need to be simultaneously decrypted and
224 /// deserialized. This allows us to avoid an intermediate Vec allocation.
225 pub(crate) struct ChaChaPolyReadAdapter<R: Readable> {
226 #[allow(unused)] // This will be used soon for onion messages
230 impl<T: Readable> LengthReadableArgs<[u8; 32]> for ChaChaPolyReadAdapter<T> {
231 // Simultaneously read and decrypt an object from a LengthRead, storing it in Self::readable.
232 // LengthRead must be used instead of std::io::Read because we need the total length to separate
233 // out the tag at the end.
234 fn read<R: LengthRead>(mut r: &mut R, secret: [u8; 32]) -> Result<Self, DecodeError> {
235 if r.total_bytes() < 16 { return Err(DecodeError::InvalidValue) }
237 let mut chacha = ChaCha20Poly1305RFC::new(&secret, &[0; 12], &[]);
238 let decrypted_len = r.total_bytes() - 16;
239 let s = FixedLengthReader::new(&mut r, decrypted_len);
240 let mut chacha_stream = ChaChaPolyReader { chacha: &mut chacha, read: s };
241 let readable: T = Readable::read(&mut chacha_stream)?;
242 chacha_stream.read.eat_remaining()?;
244 let mut tag = [0 as u8; 16];
245 r.read_exact(&mut tag)?;
246 if !chacha.finish_and_check_tag(&tag) {
247 return Err(DecodeError::InvalidValue)
250 Ok(Self { readable })
255 mod fuzzy_chachapoly {
256 #[derive(Clone, Copy)]
257 pub struct ChaCha20Poly1305RFC {
261 impl ChaCha20Poly1305RFC {
262 pub fn new(key: &[u8], nonce: &[u8], _aad: &[u8]) -> ChaCha20Poly1305RFC {
263 assert!(key.len() == 16 || key.len() == 32);
264 assert!(nonce.len() == 12);
266 // Ehh, I'm too lazy to *also* tweak ChaCha20 to make it RFC-compliant
267 assert!(nonce[0] == 0 && nonce[1] == 0 && nonce[2] == 0 && nonce[3] == 0);
269 let mut tag = [0; 16];
270 tag.copy_from_slice(&key[0..16]);
272 ChaCha20Poly1305RFC {
278 pub fn encrypt(&mut self, input: &[u8], output: &mut [u8], out_tag: &mut [u8]) {
279 assert!(input.len() == output.len());
280 assert!(self.finished == false);
282 output.copy_from_slice(&input);
283 out_tag.copy_from_slice(&self.tag);
284 self.finished = true;
287 pub(super) fn encrypt_in_place(&mut self, _input_output: &mut [u8]) {
288 assert!(self.finished == false);
289 self.finished = true;
292 pub(super) fn finish_and_get_tag(&mut self, out_tag: &mut [u8]) {
293 out_tag.copy_from_slice(&self.tag);
294 self.finished = true;
297 pub fn decrypt(&mut self, input: &[u8], output: &mut [u8], tag: &[u8]) -> bool {
298 assert!(input.len() == output.len());
299 assert!(self.finished == false);
301 if tag[..] != self.tag[..] { return false; }
302 output.copy_from_slice(input);
303 self.finished = true;
307 pub(super) fn decrypt_in_place(&mut self, _input: &mut [u8]) {
308 assert!(self.finished == false);
311 pub(super) fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
312 if tag[..] != self.tag[..] { return false; }
313 self.finished = true;
319 pub use self::fuzzy_chachapoly::ChaCha20Poly1305RFC;
323 use ln::msgs::DecodeError;
324 use super::{ChaChaPolyReadAdapter, ChaChaPolyWriteAdapter};
325 use util::ser::{self, FixedLengthReader, LengthReadableArgs, Writeable};
327 // Used for for testing various lengths of serialization.
328 #[derive(Debug, PartialEq)]
329 struct TestWriteable {
334 impl_writeable_tlv_based!(TestWriteable, {
335 (1, field1, vec_type),
336 (2, field2, vec_type),
337 (3, field3, vec_type),
341 fn test_chacha_stream_adapters() {
342 // Check that ChaChaPolyReadAdapter and ChaChaPolyWriteAdapter correctly encode and decode an
344 macro_rules! check_object_read_write {
346 // First, serialize the object, encrypted with ChaCha20Poly1305.
348 let writeable_len = $obj.serialized_length() as u64 + 16;
349 let write_adapter = ChaChaPolyWriteAdapter::new(rho, &$obj);
350 let encrypted_writeable_bytes = write_adapter.encode();
351 let encrypted_writeable = &encrypted_writeable_bytes[..];
353 // Now deserialize the object back and make sure it matches the original.
354 let mut rd = FixedLengthReader::new(encrypted_writeable, writeable_len);
355 let read_adapter = <ChaChaPolyReadAdapter<TestWriteable>>::read(&mut rd, rho).unwrap();
356 assert_eq!($obj, read_adapter.readable);
360 // Try a big object that will require multiple write buffers.
361 let big_writeable = TestWriteable {
363 field2: vec![44; 4192],
364 field3: vec![45; 4192 + 1],
366 check_object_read_write!(big_writeable);
368 // Try a small object that fits into one write buffer.
369 let small_writeable = TestWriteable {
374 check_object_read_write!(small_writeable);
377 fn do_chacha_stream_adapters_ser_macros() -> Result<(), DecodeError> {
378 let writeable = TestWriteable {
380 field2: vec![44; 4192],
381 field3: vec![45; 4192 + 1],
384 // First, serialize the object into a TLV stream, encrypted with ChaCha20Poly1305.
386 let write_adapter = ChaChaPolyWriteAdapter::new(rho, &writeable);
387 let mut writer = ser::VecWriter(Vec::new());
388 encode_tlv_stream!(&mut writer, {
389 (1, write_adapter, required),
392 // Now deserialize the object back and make sure it matches the original.
393 let mut read_adapter: Option<ChaChaPolyReadAdapter<TestWriteable>> = None;
394 decode_tlv_stream!(&writer.0[..], {
395 (1, read_adapter, (option: LengthReadableArgs, rho)),
397 assert_eq!(writeable, read_adapter.unwrap().readable);
403 fn chacha_stream_adapters_ser_macros() {
404 // Test that our stream adapters work as expected with the TLV macros.
405 // This also serves to test the `option: $trait` variant of the `decode_tlv` ser macro.
406 do_chacha_stream_adapters_ser_macros().unwrap()