Expand description
ChaCha20-Poly1305 authenticated encryption for Pair Setup.
HomeKit uses the IETF construction of ChaCha20-Poly1305 (RFC 8439): a 256-bit key, a 96-bit (12-byte) nonce, and a 128-bit (16-byte) Poly1305 authentication tag appended to the ciphertext. The encrypted M5/M6 sub-TLVs of Pair Setup are sealed with this AEAD.
The primitive is never reimplemented; it comes from the RustCrypto
chacha20poly1305 crate.
§HAP nonce layout
HAP builds the 12-byte nonce as four leading zero bytes followed by an 8-byte ASCII label (the 64-bit counter region is left-zero-padded and the label occupies its low bytes):
byte: 0 1 2 3 | 4 5 6 7 8 9 10 11
0 0 0 0 | label[0..8]For example the M5 label b"PS-Msg05" (exactly 8 bytes) yields the nonce
[0, 0, 0, 0, b'P', b'S', b'-', b'M', b's', b'g', b'0', b'5']. Labels
shorter than 8 bytes occupy the low bytes of the 8-byte region, leaving the
remaining high bytes zero. See the crate-internal hap_nonce helper.
Functions§
- chacha20poly1305_
open - Open
ciphertext_and_tag(ciphertext with the 16-byte Poly1305 tag appended) with ChaCha20-Poly1305 underkey/nonce, verifyingaad, returning the recovered plaintext. Thin public wrapper over the crate-internaldecrypthelper, used by thehap-transportrecord layer. - chacha20poly1305_
seal - Seal
plaintextwith ChaCha20-Poly1305 underkey/nonce, bindingaad, returningciphertext || tag. Thin public wrapper over the crate-internalencrypthelper, used by thehap-transportrecord layer.