1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
use chacha20poly1305::aead::{Aead, NewAead, Payload};
use tink_core::{utils::wrap_err, TinkError};
pub const X_CHA_CHA20_KEY_SIZE: usize = 32;
pub const X_CHA_CHA20_NONCE_SIZE: usize = 24;
const POLY1305_TAG_SIZE: usize = 16;
#[derive(Clone)]
pub struct XChaCha20Poly1305 {
key: chacha20poly1305::Key,
}
impl XChaCha20Poly1305 {
pub fn new(key: &[u8]) -> Result<XChaCha20Poly1305, TinkError> {
if key.len() != X_CHA_CHA20_KEY_SIZE {
return Err("XChaCha20Poly1305: bad key length".into());
}
Ok(XChaCha20Poly1305 {
key: chacha20poly1305::Key::clone_from_slice(key),
})
}
}
impl tink_core::Aead for XChaCha20Poly1305 {
fn encrypt(&self, pt: &[u8], aad: &[u8]) -> Result<Vec<u8>, TinkError> {
if pt.len() > (isize::MAX as usize) - X_CHA_CHA20_NONCE_SIZE - POLY1305_TAG_SIZE {
return Err("XChaCha20Poly1305: plaintext too long".into());
}
let cipher = chacha20poly1305::XChaCha20Poly1305::new(&self.key);
let n = new_nonce();
let ct = cipher
.encrypt(&n, Payload { msg: pt, aad })
.map_err(|e| wrap_err("XChaCha20Poly1305", e))?;
let mut ret = Vec::with_capacity(n.len() + ct.len());
ret.extend_from_slice(&n);
ret.extend_from_slice(&ct);
Ok(ret)
}
fn decrypt(&self, ct: &[u8], aad: &[u8]) -> Result<Vec<u8>, TinkError> {
if ct.len() < X_CHA_CHA20_NONCE_SIZE + POLY1305_TAG_SIZE {
return Err("XChaCha20Poly1305: ciphertext too short".into());
}
let cipher = chacha20poly1305::XChaCha20Poly1305::new(&self.key);
let n = chacha20poly1305::XNonce::from_slice(&ct[..X_CHA_CHA20_NONCE_SIZE]);
cipher
.decrypt(
n,
Payload {
msg: &ct[X_CHA_CHA20_NONCE_SIZE..],
aad,
},
)
.map_err(|e| wrap_err("XChaCha20Poly1305", e))
}
}
fn new_nonce() -> chacha20poly1305::XNonce {
let iv = tink_core::subtle::random::get_random_bytes(X_CHA_CHA20_NONCE_SIZE);
*chacha20poly1305::XNonce::from_slice(&iv)
}