From afcccefac9d2caa99d8c987f050fc87fc028134f Mon Sep 17 00:00:00 2001
From: Luther Blissett
Date: Wed, 26 Oct 2022 16:13:12 +0200
Subject: [PATCH] crypto/note: Use audited chacha20poly1305 crate for note encryption.
---
 Cargo.lock | 2 +-
 Cargo.toml | 4 ++--
 src/crypto/note.rs | 41 ++++++++++++++++++++++++-----------------
 src/error.rs | 4 ++--
 4 files changed, 29 insertions(+), 22 deletions(-)
diff --git a/Cargo.lock b/Cargo.lock
index e9cc5a321..bee484e16 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1196,9 +1196,9 @@ dependencies = [
 "blake2b_simd",
 "blake3",
 "bs58",
+ "chacha20poly1305",
 "chrono",
 "clap 3.2.22",
- "crypto_api_chachapoly",
 "darkfi-derive",
 "darkfi-derive-internal",
 "darkfi-sdk",
diff --git a/Cargo.toml b/Cargo.toml
index edf6f7a76..0fa7dd6e8 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -110,7 +110,7 @@ fast-socks5 = {version = "0.4.3", optional = true}
 rand = {version = "0.8.5", optional = true}
 blake2b_simd = {version = "1.0.0", optional = true}
 blake3 = {version = "1.3.1", optional = true}
-crypto_api_chachapoly = {version = "0.5.0", optional = true}
+chacha20poly1305 = {version = "0.10.1", optional = true}
 halo2_proofs = {version = "0.2.0", optional = true}
 halo2_gadgets = {version = "0.2.0", optional = true}
 incrementalmerkletree = {version = "0.3.0", optional = true}
@@ -180,7 +180,7 @@ crypto = [
 "blake2b_simd",
 "blake3",
 "bs58",
- "crypto_api_chachapoly",
+ "chacha20poly1305",
 "fxhash",
 "halo2_gadgets",
 "halo2_proofs",
diff --git a/src/crypto/note.rs b/src/crypto/note.rs
index 6ce54ab74..c5f6115a0 100644
--- a/src/crypto/note.rs
+++ b/src/crypto/note.rs
@@ -1,4 +1,4 @@
-use crypto_api_chachapoly::ChachaPolyIetf;
+use chacha20poly1305::{AeadInPlace, ChaCha20Poly1305, KeyInit};
 use darkfi_serial::{Decodable, Encodable, SerialDecodable, SerialEncodable};
 use rand::rngs::OsRng;
@@ -33,14 +33,18 @@ impl Note {
 let mut input = Vec::new();
 self.encode(&mut input)?;
+ let input_len = input.len();
- let mut ciphertext = vec![0; input.len() + AEAD_TAG_SIZE];
- assert_eq!(
- ChachaPolyIetf::aead_cipher()
- .seal_to(&mut ciphertext, &input, &[], key.as_ref(), &[0u8; 12])
- .unwrap(),
- input.len() + AEAD_TAG_SIZE
- );
+ let mut ciphertext = vec![0_u8; input_len + AEAD_TAG_SIZE];
+ ciphertext[..input_len].copy_from_slice(&input);
+
+ let tag = ChaCha20Poly1305::new(key.as_ref().into())
+ .encrypt_in_place_detached([0u8; 12][..].into(), &[], &mut ciphertext[..input_len])
+ .unwrap();
+
+ ciphertext[input_len..].copy_from_slice(&tag);
+
+ assert_eq!(input_len + AEAD_TAG_SIZE, ciphertext.len());
 Ok(EncryptedNote { ciphertext, ephem_public })
 }
@@ -57,17 +61,20 @@ impl EncryptedNote {
 let shared_secret = sapling_ka_agree(secret, &self.ephem_public);
 let key = kdf_sapling(&shared_secret, &self.ephem_public);
- let mut plaintext = vec![0; self.ciphertext.len() - AEAD_TAG_SIZE];
+ let output_len = self.ciphertext.len() - AEAD_TAG_SIZE;
- assert_eq!(
- ChachaPolyIetf::aead_cipher()
- .open_to(&mut plaintext, &self.ciphertext, &[], key.as_ref(), &[0u8; 12])
- .map_err(|_| Error::NoteDecryptionFailed)?,
- self.ciphertext.len() - AEAD_TAG_SIZE
- );
+ let mut plaintext = vec![0_u8; output_len];
+ plaintext.copy_from_slice(&self.ciphertext[..output_len]);
- let note = Note::decode(&plaintext[..])?;
- Ok(note)
+ match ChaCha20Poly1305::new(key.as_ref().into()).decrypt_in_place_detached(
+ [0u8; 12][..].into(),
+ &[],
+ &mut plaintext,
+ self.ciphertext[output_len..].into(),
+ ) {
+ Ok(()) => Ok(Note::decode(&plaintext[..])?),
+ Err(e) => Err(Error::NoteDecryptionFailed(e.to_string())),
+ }
 }
 }
diff --git a/src/error.rs b/src/error.rs
index 2e8b071c5..6413f69db 100644
--- a/src/error.rs
+++ b/src/error.rs
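Review bot: The new `encrypt_in_place_detached` call keeps the fixed all-zero nonce `[0u8; 12]`, and nothing in the hunk records why that is acceptable: with a constant nonce the AEAD is only secure if `key` is never used for two messages, which here must come from `key` being derived from a fresh ephemeral secret for every note (the derivation is outside this hunk; the `ephem_public` stored in the returned `EncryptedNote` and the `OsRng` import suggest that is the design, but the invariant should be stated where the nonce is used). I would add above the `let tag = ...` line: `// Fixed zero nonce is safe only because the key is single-use: it is derived from a fresh ephemeral key per note (Sapling-style). Never encrypt twice under one key.` Separately, the trailing `assert_eq!(input_len + AEAD_TAG_SIZE, ciphertext.len())` is now a tautology — `ciphertext` was allocated with exactly that length a few lines above and detached encryption does not resize it — while `copy_from_slice(&tag)` already panics if the tag length ever differs from `AEAD_TAG_SIZE`, so the assert can be dropped. The enclosing method starts before the hunk.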
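Review bot: `let output_len = self.ciphertext.len() - AEAD_TAG_SIZE;` in the `impl EncryptedNote` hunk has no length check in front of it, so a `ciphertext` shorter than the tag (this value presumably arrives deserialized from untrusted input) underflows: a panic in debug builds, and in release a wrapped `usize` that makes the following `vec![0_u8; output_len]` abort on capacity overflow. The old code had the same gap; since the new code already returns `NoteDecryptionFailed` on an AEAD error, malformed input should take that path rather than crash the process — insert before the subtraction: `if self.ciphertext.len() < AEAD_TAG_SIZE { return Err(Error::NoteDecryptionFailed("ciphertext shorter than AEAD tag".into())); }`. The enclosing method starts before the hunk.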
@@ -146,8 +146,8 @@ pub enum Error {
 #[error("halo2 plonk error: {0}")]
 PlonkError(String),
- #[error("Unable to decrypt mint note")]
- NoteDecryptionFailed,
+ #[error("Unable to decrypt mint note: {0}")]
+ NoteDecryptionFailed(String),
 #[error("No keypair file detected")]
 KeypairPathNotFound,
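Review bot: The new `{0}` payload on `NoteDecryptionFailed` is, in the accompanying note.rs change, filled only from the AEAD crate's error via `e.to_string()`, which as far as I know renders a fixed opaque string, so the message gains no diagnostic detail while the variant grows a heap `String`. That opacity is the property you want — an error that reveals whether the tag check or something else failed is an oracle for whoever supplied the ciphertext — so either keep the original unit variant `NoteDecryptionFailed,` with the old message, or add a comment on the variant such as `// Payload is informational only; it must never reveal why authentication failed.`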