1*e7b1675dSTing-Kang Chang// Copyright 2020 Google LLC 2*e7b1675dSTing-Kang Chang// 3*e7b1675dSTing-Kang Chang// Licensed under the Apache License, Version 2.0 (the "License"); 4*e7b1675dSTing-Kang Chang// you may not use this file except in compliance with the License. 5*e7b1675dSTing-Kang Chang// You may obtain a copy of the License at 6*e7b1675dSTing-Kang Chang// 7*e7b1675dSTing-Kang Chang// http://www.apache.org/licenses/LICENSE-2.0 8*e7b1675dSTing-Kang Chang// 9*e7b1675dSTing-Kang Chang// Unless required by applicable law or agreed to in writing, software 10*e7b1675dSTing-Kang Chang// distributed under the License is distributed on an "AS IS" BASIS, 11*e7b1675dSTing-Kang Chang// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12*e7b1675dSTing-Kang Chang// See the License for the specific language governing permissions and 13*e7b1675dSTing-Kang Chang// limitations under the License. 14*e7b1675dSTing-Kang Chang// 15*e7b1675dSTing-Kang Chang//////////////////////////////////////////////////////////////////////////////// 16*e7b1675dSTing-Kang Chang 17*e7b1675dSTing-Kang Changpackage subtle 18*e7b1675dSTing-Kang Chang 19*e7b1675dSTing-Kang Changimport ( 20*e7b1675dSTing-Kang Chang "errors" 21*e7b1675dSTing-Kang Chang "fmt" 22*e7b1675dSTing-Kang Chang 23*e7b1675dSTing-Kang Chang "golang.org/x/crypto/chacha20poly1305" 24*e7b1675dSTing-Kang Chang "github.com/google/tink/go/subtle/random" 25*e7b1675dSTing-Kang Chang "github.com/google/tink/go/tink" 26*e7b1675dSTing-Kang Chang) 27*e7b1675dSTing-Kang Chang 28*e7b1675dSTing-Kang Chang// XChaCha20Poly1305 is an implementation of AEAD interface. 29*e7b1675dSTing-Kang Changtype XChaCha20Poly1305 struct { 30*e7b1675dSTing-Kang Chang Key []byte 31*e7b1675dSTing-Kang Chang} 32*e7b1675dSTing-Kang Chang 33*e7b1675dSTing-Kang Chang// Assert that XChaCha20Poly1305 implements the AEAD interface. 34*e7b1675dSTing-Kang Changvar _ tink.AEAD = (*XChaCha20Poly1305)(nil) 35*e7b1675dSTing-Kang Chang 36*e7b1675dSTing-Kang Chang// NewXChaCha20Poly1305 returns an XChaCha20Poly1305 instance. 37*e7b1675dSTing-Kang Chang// The key argument should be a 32-bytes key. 38*e7b1675dSTing-Kang Changfunc NewXChaCha20Poly1305(key []byte) (*XChaCha20Poly1305, error) { 39*e7b1675dSTing-Kang Chang if len(key) != chacha20poly1305.KeySize { 40*e7b1675dSTing-Kang Chang return nil, errors.New("xchacha20poly1305: bad key length") 41*e7b1675dSTing-Kang Chang } 42*e7b1675dSTing-Kang Chang 43*e7b1675dSTing-Kang Chang return &XChaCha20Poly1305{Key: key}, nil 44*e7b1675dSTing-Kang Chang} 45*e7b1675dSTing-Kang Chang 46*e7b1675dSTing-Kang Chang// Encrypt encrypts plaintext with associatedData. 47*e7b1675dSTing-Kang Chang// 48*e7b1675dSTing-Kang Chang// The resulting ciphertext consists of two parts: 49*e7b1675dSTing-Kang Chang// 1. the nonce used for encryption 50*e7b1675dSTing-Kang Chang// 2. the actual ciphertext 51*e7b1675dSTing-Kang Changfunc (x *XChaCha20Poly1305) Encrypt(plaintext []byte, associatedData []byte) ([]byte, error) { 52*e7b1675dSTing-Kang Chang if len(plaintext) > maxInt-chacha20poly1305.NonceSizeX-poly1305TagSize { 53*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("xchacha20poly1305: plaintext too long") 54*e7b1675dSTing-Kang Chang } 55*e7b1675dSTing-Kang Chang c, err := chacha20poly1305.NewX(x.Key) 56*e7b1675dSTing-Kang Chang if err != nil { 57*e7b1675dSTing-Kang Chang return nil, err 58*e7b1675dSTing-Kang Chang } 59*e7b1675dSTing-Kang Chang 60*e7b1675dSTing-Kang Chang nounce := random.GetRandomBytes(chacha20poly1305.NonceSizeX) 61*e7b1675dSTing-Kang Chang // Make the capacity of dst large enough so that both the nounce and the ciphertext fit inside. 62*e7b1675dSTing-Kang Chang dst := make([]byte, 0, chacha20poly1305.NonceSizeX+len(plaintext)+c.Overhead()) 63*e7b1675dSTing-Kang Chang dst = append(dst, nounce...) 64*e7b1675dSTing-Kang Chang // Seal appends the ciphertext to dst. So the final output is: nounce || ciphertext. 65*e7b1675dSTing-Kang Chang return c.Seal(dst, nounce, plaintext, associatedData), nil 66*e7b1675dSTing-Kang Chang} 67*e7b1675dSTing-Kang Chang 68*e7b1675dSTing-Kang Chang// Decrypt decrypts ciphertext with associatedData. 69*e7b1675dSTing-Kang Chang// 70*e7b1675dSTing-Kang Chang// ciphertext consists of two parts: 71*e7b1675dSTing-Kang Chang// 1. the nonce used for encryption 72*e7b1675dSTing-Kang Chang// 2. the actual ciphertext 73*e7b1675dSTing-Kang Changfunc (x *XChaCha20Poly1305) Decrypt(ciphertext []byte, associatedData []byte) ([]byte, error) { 74*e7b1675dSTing-Kang Chang if len(ciphertext) < chacha20poly1305.NonceSizeX+poly1305TagSize { 75*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("xchacha20poly1305: ciphertext too short") 76*e7b1675dSTing-Kang Chang } 77*e7b1675dSTing-Kang Chang 78*e7b1675dSTing-Kang Chang c, err := chacha20poly1305.NewX(x.Key) 79*e7b1675dSTing-Kang Chang if err != nil { 80*e7b1675dSTing-Kang Chang return nil, err 81*e7b1675dSTing-Kang Chang } 82*e7b1675dSTing-Kang Chang 83*e7b1675dSTing-Kang Chang n := ciphertext[:chacha20poly1305.NonceSizeX] 84*e7b1675dSTing-Kang Chang pt, err := c.Open(nil, n, ciphertext[chacha20poly1305.NonceSizeX:], associatedData) 85*e7b1675dSTing-Kang Chang if err != nil { 86*e7b1675dSTing-Kang Chang return nil, fmt.Errorf("XChaCha20Poly1305.Decrypt: %s", err) 87*e7b1675dSTing-Kang Chang } 88*e7b1675dSTing-Kang Chang return pt, nil 89*e7b1675dSTing-Kang Chang} 90