chacha20poly1305_nostd/

lib.rs

//! ChaCha20-Poly1305 Authenticated Encryption with Associated Data (AEAD)
//!
//! Pure-Rust implementation combining:
//! - ChaCha20 stream cipher (encryption)
//! - Poly1305 MAC (authentication)
//!
//! This is a custom implementation to avoid LLVM SIMD issues on x86_64-unknown-none.
//!
//! Properties:
//! - 256-bit key, 96-bit nonce
//! - 128-bit authentication tag
//! - Constant-time operations
//! - ~4 cycles/byte on modern x86_64
//!
//! Used by:
//! - WireGuard: Transport data encryption
//! - SSH: chacha20-poly1305@openssh.com cipher

#![no_std]
#![forbid(unsafe_code)]

#[cfg(feature = "alloc")]
extern crate alloc;

#[cfg(feature = "alloc")]
use alloc::vec::Vec;

use poly1305_nostd::Poly1305;
use chacha20::cipher::{KeyIvInit, StreamCipher};
use chacha20::ChaCha20;

/// Key size for ChaCha20-Poly1305 (32 bytes)
pub const CHACHA20_KEY_SIZE: usize = 32;

/// Nonce size for ChaCha20-Poly1305 (12 bytes)
pub const CHACHA20_NONCE_SIZE: usize = 12;

/// Authentication tag size (16 bytes)
pub const POLY1305_TAG_SIZE: usize = 16;

/// Cryptographic error types
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CryptoError {
    /// Authentication tag verification failed
    AuthenticationFailed,
    /// Invalid key size
    InvalidKeySize,
    /// Invalid nonce size
    InvalidNonceSize,
    /// Invalid ciphertext length
    InvalidLength,
}

pub type CryptoResult<T> = Result<T, CryptoError>;

/// ChaCha20-Poly1305 AEAD cipher
#[derive(Debug, PartialEq)]
pub struct ChaCha20Poly1305 {
    key: [u8; 32],
}

impl ChaCha20Poly1305 {
    /// Create a new cipher from a 32-byte key
    pub fn new(key: &[u8]) -> CryptoResult<Self> {
        if key.len() != CHACHA20_KEY_SIZE {
            return Err(CryptoError::InvalidKeySize);
        }

        let mut key_array = [0u8; 32];
        key_array.copy_from_slice(key);

        Ok(Self { key: key_array })
    }

    /// Encrypt plaintext with authentication
    ///
    /// # Arguments
    /// * `nonce` - 12-byte nonce (MUST be unique per message)
    /// * `plaintext` - Data to encrypt
    /// * `aad` - Optional associated data (authenticated but not encrypted)
    ///
    /// # Returns
    /// Ciphertext with 16-byte Poly1305 tag appended
    #[cfg(feature = "alloc")]
    pub fn encrypt(&self, nonce: &[u8], plaintext: &[u8], aad: Option<&[u8]>) -> CryptoResult<Vec<u8>> {
        if nonce.len() != CHACHA20_NONCE_SIZE {
            return Err(CryptoError::InvalidNonceSize);
        }

        // Create ChaCha20 cipher
        let mut cipher = ChaCha20::new(&self.key.into(), nonce.into());

        // Generate Poly1305 key using ChaCha20 block 0
        // RFC 8439: Use first 32 bytes of block 0, but consume full 64-byte block
        let mut block0 = [0u8; 64];
        cipher.apply_keystream(&mut block0);
        let mut poly_key = [0u8; 32];
        poly_key.copy_from_slice(&block0[..32]);

        // Encrypt plaintext with ChaCha20 (now at block 1)
        let mut ciphertext = plaintext.to_vec();
        cipher.apply_keystream(&mut ciphertext);

        // Compute Poly1305 MAC over AAD (if any) and ciphertext
        let tag = self.compute_tag(&poly_key, aad.unwrap_or(&[]), &ciphertext);

        // Append tag to ciphertext
        ciphertext.extend_from_slice(&tag);

        Ok(ciphertext)
    }

    /// Decrypt ciphertext and verify authentication tag
    ///
    /// # Arguments
    /// * `nonce` - 12-byte nonce (same as used for encryption)
    /// * `ciphertext` - Encrypted data with 16-byte tag appended
    /// * `aad` - Optional associated data (must match encryption AAD)
    ///
    /// # Returns
    /// Plaintext on success, or error if authentication fails
    #[cfg(feature = "alloc")]
    pub fn decrypt(&self, nonce: &[u8], ciphertext: &[u8], aad: Option<&[u8]>) -> CryptoResult<Vec<u8>> {
        if nonce.len() != CHACHA20_NONCE_SIZE {
            return Err(CryptoError::InvalidNonceSize);
        }

        if ciphertext.len() < POLY1305_TAG_SIZE {
            return Err(CryptoError::InvalidLength);
        }

        // Split ciphertext and tag
        let ct_len = ciphertext.len() - POLY1305_TAG_SIZE;
        let ct = &ciphertext[..ct_len];
        let received_tag = &ciphertext[ct_len..];

        // Create ChaCha20 cipher
        let mut cipher = ChaCha20::new(&self.key.into(), nonce.into());

        // Generate Poly1305 key using ChaCha20 block 0
        // RFC 8439: Use first 32 bytes of block 0, but consume full 64-byte block
        let mut block0 = [0u8; 64];
        cipher.apply_keystream(&mut block0);
        let mut poly_key = [0u8; 32];
        poly_key.copy_from_slice(&block0[..32]);

        // Recompute and verify tag
        let expected_tag = self.compute_tag(&poly_key, aad.unwrap_or(&[]), ct);

        // Constant-time comparison
        if !constant_time_eq(&expected_tag, received_tag) {
            return Err(CryptoError::AuthenticationFailed);
        }

        // Decrypt ciphertext (cipher now at block 1)
        let mut plaintext = ct.to_vec();
        cipher.apply_keystream(&mut plaintext);

        Ok(plaintext)
    }

    /// Compute Poly1305 MAC over AAD || ciphertext
    ///
    /// RFC 8439 construction:
    /// - Pad AAD to 16-byte boundary
    /// - Append ciphertext
    /// - Pad ciphertext to 16-byte boundary
    /// - Append AAD length (8 bytes, little-endian)
    /// - Append ciphertext length (8 bytes, little-endian)
    fn compute_tag(&self, poly_key: &[u8; 32], aad: &[u8], ciphertext: &[u8]) -> [u8; 16] {
        let mut poly = Poly1305::new(poly_key);

        // Add AAD
        poly.update(aad);

        // Pad AAD to 16-byte boundary
        if aad.len() % 16 != 0 {
            let pad_len = 16 - (aad.len() % 16);
            let padding = [0u8; 16];
            poly.update(&padding[..pad_len]);
        }

        // Add ciphertext
        poly.update(ciphertext);

        // Pad ciphertext to 16-byte boundary
        if ciphertext.len() % 16 != 0 {
            let pad_len = 16 - (ciphertext.len() % 16);
            let padding = [0u8; 16];
            poly.update(&padding[..pad_len]);
        }

        // Add lengths (little-endian u64)
        let mut lengths = [0u8; 16];
        lengths[0..8].copy_from_slice(&(aad.len() as u64).to_le_bytes());
        lengths[8..16].copy_from_slice(&(ciphertext.len() as u64).to_le_bytes());
        poly.update(&lengths);

        poly.finalize()
    }
}

/// Constant-time equality comparison
fn constant_time_eq(a: &[u8], b: &[u8]) -> bool {
    if a.len() != b.len() {
        return false;
    }

    let mut diff = 0u8;
    for (x, y) in a.iter().zip(b.iter()) {
        diff |= x ^ y;
    }

    diff == 0
}

#[cfg(all(test, feature = "alloc"))]
mod tests {
    use super::*;

    #[test]
    fn test_encrypt_decrypt_basic() {
        let key = [0x42u8; 32];
        let nonce = [0x07u8; 12];
        let plaintext = b"Hello, Luna!";

        let cipher = ChaCha20Poly1305::new(&key).unwrap();

        let ciphertext = cipher.encrypt(&nonce, plaintext, None).unwrap();
        assert_eq!(ciphertext.len(), plaintext.len() + POLY1305_TAG_SIZE);

        let decrypted = cipher.decrypt(&nonce, &ciphertext, None).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_encrypt_decrypt_with_aad() {
        let key = [0x42u8; 32];
        let nonce = [0x07u8; 12];
        let plaintext = b"Secret message";
        let aad = b"public header";

        let cipher = ChaCha20Poly1305::new(&key).unwrap();

        let ciphertext = cipher.encrypt(&nonce, plaintext, Some(aad)).unwrap();
        let decrypted = cipher.decrypt(&nonce, &ciphertext, Some(aad)).unwrap();
        assert_eq!(decrypted, plaintext);

        // Wrong AAD should fail authentication
        let wrong_aad = b"wrong header!";
        let result = cipher.decrypt(&nonce, &ciphertext, Some(wrong_aad));
        assert_eq!(result, Err(CryptoError::AuthenticationFailed));
    }

    #[test]
    fn test_tampered_ciphertext() {
        let key = [0x42u8; 32];
        let nonce = [0x07u8; 12];
        let plaintext = b"Original message";

        let cipher = ChaCha20Poly1305::new(&key).unwrap();
        let mut ciphertext = cipher.encrypt(&nonce, plaintext, None).unwrap();

        // Tamper with one byte
        ciphertext[0] ^= 0xFF;

        // Decryption should fail
        let result = cipher.decrypt(&nonce, &ciphertext, None);
        assert_eq!(result, Err(CryptoError::AuthenticationFailed));
    }

    #[test]
    fn test_tampered_tag() {
        let key = [0x42u8; 32];
        let nonce = [0x07u8; 12];
        let plaintext = b"Original message";

        let cipher = ChaCha20Poly1305::new(&key).unwrap();
        let mut ciphertext = cipher.encrypt(&nonce, plaintext, None).unwrap();

        // Tamper with tag
        let len = ciphertext.len();
        ciphertext[len - 1] ^= 0xFF;

        // Decryption should fail
        let result = cipher.decrypt(&nonce, &ciphertext, None);
        assert_eq!(result, Err(CryptoError::AuthenticationFailed));
    }

    #[test]
    fn test_rfc8439_vector() {
        // RFC 8439 Appendix A.5 Test Vector
        let key = [
            0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87,
            0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f,
            0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97,
            0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f,
        ];

        let nonce = [
            0x07, 0x00, 0x00, 0x00,
            0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47,
        ];

        let aad = [0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7];

        let plaintext = b"Ladies and Gentlemen of the class of '99: If I could offer you only one tip for the future, sunscreen would be it.";

        let cipher = ChaCha20Poly1305::new(&key).unwrap();
        let ciphertext = cipher.encrypt(&nonce, plaintext, Some(&aad)).unwrap();

        // Expected ciphertext (from RFC)
        let expected_ct = [
            0xd3, 0x1a, 0x8d, 0x34, 0x64, 0x8e, 0x60, 0xdb, 0x7b, 0x86, 0xaf, 0xbc,
            0x53, 0xef, 0x7e, 0xc2, 0xa4, 0xad, 0xed, 0x51, 0x29, 0x6e, 0x08, 0xfe,
            0xa9, 0xe2, 0xb5, 0xa7, 0x36, 0xee, 0x62, 0xd6, 0x3d, 0xbe, 0xa4, 0x5e,
            0x8c, 0xa9, 0x67, 0x12, 0x82, 0xfa, 0xfb, 0x69, 0xda, 0x92, 0x72, 0x8b,
            0x1a, 0x71, 0xde, 0x0a, 0x9e, 0x06, 0x0b, 0x29, 0x05, 0xd6, 0xa5, 0xb6,
            0x7e, 0xcd, 0x3b, 0x36, 0x92, 0xdd, 0xbd, 0x7f, 0x2d, 0x77, 0x8b, 0x8c,
            0x98, 0x03, 0xae, 0xe3, 0x28, 0x09, 0x1b, 0x58, 0xfa, 0xb3, 0x24, 0xe4,
            0xfa, 0xd6, 0x75, 0x94, 0x55, 0x85, 0x80, 0x8b, 0x48, 0x31, 0xd7, 0xbc,
            0x3f, 0xf4, 0xde, 0xf0, 0x8e, 0x4b, 0x7a, 0x9d, 0xe5, 0x76, 0xd2, 0x65,
            0x86, 0xce, 0xc6, 0x4b, 0x61, 0x16,
        ];

        let expected_tag = [
            0x1a, 0xe1, 0x0b, 0x59, 0x4f, 0x09, 0xe2, 0x6a,
            0x7e, 0x90, 0x2e, 0xcb, 0xd0, 0x60, 0x06, 0x91,
        ];

        // Verify ciphertext
        assert_eq!(&ciphertext[..plaintext.len()], &expected_ct[..]);

        // Verify tag
        let tag_offset = ciphertext.len() - 16;
        assert_eq!(&ciphertext[tag_offset..], &expected_tag[..]);

        // Verify decryption works
        let decrypted = cipher.decrypt(&nonce, &ciphertext, Some(&aad)).unwrap();
        assert_eq!(decrypted, plaintext);
    }

    #[test]
    fn test_invalid_key_size() {
        let short_key = [0x42u8; 16];
        let result = ChaCha20Poly1305::new(&short_key);
        assert_eq!(result, Err(CryptoError::InvalidKeySize));
    }

    #[test]
    fn test_invalid_nonce_size() {
        let key = [0x42u8; 32];
        let short_nonce = [0x07u8; 8];
        let plaintext = b"test";

        let cipher = ChaCha20Poly1305::new(&key).unwrap();
        let result = cipher.encrypt(&short_nonce, plaintext, None);
        assert_eq!(result, Err(CryptoError::InvalidNonceSize));
    }
}