crypto/note: Use audited chacha20poly1305 crate for note encryption.

Cargo.lock

@@ -1196,9 +1196,9 @@ dependencies = [
  "blake2b_simd",
  "blake3",
  "bs58",
+ "chacha20poly1305",
  "chrono",
  "clap 3.2.22",
- "crypto_api_chachapoly",
  "darkfi-derive",
  "darkfi-derive-internal",
  "darkfi-sdk",

Cargo.toml

@@ -110,7 +110,7 @@ fast-socks5 = {version = "0.4.3", optional = true}
 rand = {version = "0.8.5", optional = true}
 blake2b_simd = {version = "1.0.0", optional = true}
 blake3 = {version = "1.3.1", optional = true}
-crypto_api_chachapoly = {version = "0.5.0", optional = true}
+chacha20poly1305 = {version = "0.10.1", optional = true}
 halo2_proofs = {version = "0.2.0", optional = true}
 halo2_gadgets = {version = "0.2.0", optional = true}
 incrementalmerkletree = {version = "0.3.0", optional = true}
@@ -180,7 +180,7 @@ crypto = [
     "blake2b_simd",
     "blake3",
     "bs58",
-    "crypto_api_chachapoly",
+    "chacha20poly1305",
     "fxhash",
     "halo2_gadgets",
     "halo2_proofs",

src/crypto/note.rs

@@ -1,4 +1,4 @@
-use crypto_api_chachapoly::ChachaPolyIetf;
+use chacha20poly1305::{AeadInPlace, ChaCha20Poly1305, KeyInit};
 use darkfi_serial::{Decodable, Encodable, SerialDecodable, SerialEncodable};
 use rand::rngs::OsRng;
 
@@ -33,14 +33,18 @@ impl Note {
 
         let mut input = Vec::new();
         self.encode(&mut input)?;
+        let input_len = input.len();
 
-        let mut ciphertext = vec![0; input.len() + AEAD_TAG_SIZE];
-        assert_eq!(
-            ChachaPolyIetf::aead_cipher()
-                .seal_to(&mut ciphertext, &input, &[], key.as_ref(), &[0u8; 12])
-                .unwrap(),
-            input.len() + AEAD_TAG_SIZE
-        );
+        let mut ciphertext = vec![0_u8; input_len + AEAD_TAG_SIZE];
+        ciphertext[..input_len].copy_from_slice(&input);
+
+        let tag = ChaCha20Poly1305::new(key.as_ref().into())
+            .encrypt_in_place_detached([0u8; 12][..].into(), &[], &mut ciphertext[..input_len])
+            .unwrap();
+
+        ciphertext[input_len..].copy_from_slice(&tag);
+
+        assert_eq!(input_len + AEAD_TAG_SIZE, ciphertext.len());
 
         Ok(EncryptedNote { ciphertext, ephem_public })
     }
@@ -57,17 +61,20 @@ impl EncryptedNote {
         let shared_secret = sapling_ka_agree(secret, &self.ephem_public);
         let key = kdf_sapling(&shared_secret, &self.ephem_public);
 
-        let mut plaintext = vec![0; self.ciphertext.len() - AEAD_TAG_SIZE];
+        let output_len = self.ciphertext.len() - AEAD_TAG_SIZE;
 
-        assert_eq!(
-            ChachaPolyIetf::aead_cipher()
-                .open_to(&mut plaintext, &self.ciphertext, &[], key.as_ref(), &[0u8; 12])
-                .map_err(|_| Error::NoteDecryptionFailed)?,
-            self.ciphertext.len() - AEAD_TAG_SIZE
-        );
+        let mut plaintext = vec![0_u8; output_len];
+        plaintext.copy_from_slice(&self.ciphertext[..output_len]);
 
-        let note = Note::decode(&plaintext[..])?;
-        Ok(note)
+        match ChaCha20Poly1305::new(key.as_ref().into()).decrypt_in_place_detached(
+            [0u8; 12][..].into(),
+            &[],
+            &mut plaintext,
+            self.ciphertext[output_len..].into(),
+        ) {
+            Ok(()) => Ok(Note::decode(&plaintext[..])?),
+            Err(e) => Err(Error::NoteDecryptionFailed(e.to_string())),
+        }
     }
 }
 

src/error.rs

@@ -146,8 +146,8 @@ pub enum Error {
     #[error("halo2 plonk error: {0}")]
     PlonkError(String),
 
-    #[error("Unable to decrypt mint note")]
-    NoteDecryptionFailed,
+    #[error("Unable to decrypt mint note: {0}")]
+    NoteDecryptionFailed(String),
 
     #[error("No keypair file detected")]
     KeypairPathNotFound,