oxicrypto-aead 0.1.0

Pure Rust AEAD implementations for OxiCrypto (AES-GCM, ChaCha20-Poly1305, AES-GCM-SIV, XChaCha20-Poly1305)
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153

#![forbid(unsafe_code)]

//! XChaCha20-Poly1305 authenticated encryption for the OxiCrypto stack.
//!
//! XChaCha20-Poly1305 extends the ChaCha20-Poly1305 nonce to 192 bits (24 bytes),
//! making random nonce generation safe even for high-volume encryption.
//!
//! Backed by `chacha20poly1305::XChaCha20Poly1305` (same crate as M1, `aead 0.5` chain).
//!
//! Key: 32 bytes. Nonce: 24 bytes. Tag: 16 bytes.

use aead::{AeadInPlace, KeyInit};
use chacha20poly1305::XChaCha20Poly1305 as Inner;
use oxicrypto_core::{Aead, CryptoError};

/// XChaCha20-Poly1305 authenticated encryption with a 24-byte nonce.
///
/// Key: 32 bytes, nonce: 24 bytes, tag: 16 bytes.
#[derive(Debug, Default, Clone, Copy)]
pub struct XChaCha20Poly1305;

impl Aead for XChaCha20Poly1305 {
    fn name(&self) -> &'static str {
        "XChaCha20-Poly1305"
    }
    fn key_len(&self) -> usize {
        32
    }
    fn nonce_len(&self) -> usize {
        24
    }
    fn tag_len(&self) -> usize {
        16
    }
    fn seal(
        &self,
        key: &[u8],
        nonce: &[u8],
        aad: &[u8],
        pt: &[u8],
        ct_out: &mut [u8],
    ) -> Result<usize, CryptoError> {
        if key.len() != 32 {
            return Err(CryptoError::InvalidKey);
        }
        if nonce.len() != 24 {
            return Err(CryptoError::InvalidNonce);
        }
        let required = pt.len().checked_add(16).ok_or(CryptoError::BadInput)?;
        if ct_out.len() < required {
            return Err(CryptoError::BufferTooSmall);
        }
        ct_out[..pt.len()].copy_from_slice(pt);
        let cipher = Inner::new_from_slice(key).map_err(|_| CryptoError::InvalidKey)?;
        let nonce_arr = aead::generic_array::GenericArray::from_slice(nonce);
        let tag = cipher
            .encrypt_in_place_detached(nonce_arr, aad, &mut ct_out[..pt.len()])
            .map_err(|_| CryptoError::Internal("XChaCha20Poly1305 encrypt failed"))?;
        ct_out[pt.len()..required].copy_from_slice(&tag);
        Ok(required)
    }
    fn open(
        &self,
        key: &[u8],
        nonce: &[u8],
        aad: &[u8],
        ct: &[u8],
        pt_out: &mut [u8],
    ) -> Result<usize, CryptoError> {
        if key.len() != 32 {
            return Err(CryptoError::InvalidKey);
        }
        if nonce.len() != 24 {
            return Err(CryptoError::InvalidNonce);
        }
        if ct.len() < 16 {
            return Err(CryptoError::BadInput);
        }
        let pt_len = ct.len() - 16;
        if pt_out.len() < pt_len {
            return Err(CryptoError::BufferTooSmall);
        }
        pt_out[..pt_len].copy_from_slice(&ct[..pt_len]);
        let cipher = Inner::new_from_slice(key).map_err(|_| CryptoError::InvalidKey)?;
        let nonce_arr = aead::generic_array::GenericArray::from_slice(nonce);
        let tag = aead::Tag::<Inner>::clone_from_slice(&ct[pt_len..]);
        cipher
            .decrypt_in_place_detached(nonce_arr, aad, &mut pt_out[..pt_len], &tag)
            .map_err(|_| CryptoError::InvalidTag)?;
        Ok(pt_len)
    }
}

impl XChaCha20Poly1305 {
    /// Encrypt `pt` with associated data `aad`.
    ///
    /// `ct_out` must be at least `pt.len() + 16` bytes.
    /// Returns the number of bytes written (= `pt.len() + 16`).
    pub fn seal(
        &self,
        key: &[u8; 32],
        nonce: &[u8; 24],
        aad: &[u8],
        pt: &[u8],
        ct_out: &mut [u8],
    ) -> Result<usize, CryptoError> {
        const TAG_LEN: usize = 16;
        let required = pt.len().checked_add(TAG_LEN).ok_or(CryptoError::BadInput)?;
        if ct_out.len() < required {
            return Err(CryptoError::BufferTooSmall);
        }
        ct_out[..pt.len()].copy_from_slice(pt);
        let cipher = Inner::new_from_slice(key).map_err(|_| CryptoError::InvalidKey)?;
        let nonce_arr = aead::generic_array::GenericArray::from_slice(nonce.as_ref());
        let tag = cipher
            .encrypt_in_place_detached(nonce_arr, aad, &mut ct_out[..pt.len()])
            .map_err(|_| CryptoError::Internal("XChaCha20Poly1305 encrypt failed"))?;
        ct_out[pt.len()..required].copy_from_slice(&tag);
        Ok(required)
    }

    /// Decrypt `ct` (ciphertext ‖ tag) into `pt_out`.
    ///
    /// Returns the number of plaintext bytes written.
    pub fn open(
        &self,
        key: &[u8; 32],
        nonce: &[u8; 24],
        aad: &[u8],
        ct: &[u8],
        pt_out: &mut [u8],
    ) -> Result<usize, CryptoError> {
        const TAG_LEN: usize = 16;
        if ct.len() < TAG_LEN {
            return Err(CryptoError::BadInput);
        }
        let pt_len = ct.len() - TAG_LEN;
        if pt_out.len() < pt_len {
            return Err(CryptoError::BufferTooSmall);
        }
        pt_out[..pt_len].copy_from_slice(&ct[..pt_len]);
        let cipher = Inner::new_from_slice(key).map_err(|_| CryptoError::InvalidKey)?;
        let nonce_arr = aead::generic_array::GenericArray::from_slice(nonce.as_ref());
        let tag = aead::Tag::<Inner>::clone_from_slice(&ct[pt_len..]);
        cipher
            .decrypt_in_place_detached(nonce_arr, aad, &mut pt_out[..pt_len], &tag)
            .map_err(|_| CryptoError::InvalidTag)?;
        Ok(pt_len)
    }

    /// Ciphertext overhead (tag length).
    pub const TAG_LEN: usize = 16;
}