From 4128ce80e3dc805395d468c92269c5794e0b6966 Mon Sep 17 00:00:00 2001
From: Leo Nash
Date: Thu, 30 Oct 2025 19:39:26 +0000
Subject: [PATCH] Use a 12-byte nonce as an input to Chacha20-Poly1305

Previously, we were using the Chacha20-Poly1305 implementation at `rust-lightning/lightning/src/crypto/chacha20poly1305rfc.rs`. That implementation required us to use an 8-byte nonce. Since we made the switch to the `rust-bitcoin/chacha20_poly1305` implementation, we can now use a full 12-byte nonce as specified in the RFC.
---
 src/util/key_obfuscator.rs | 4 ++++
 src/util/storable_builder.rs | 2 +-
 2 files changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/util/key_obfuscator.rs b/src/util/key_obfuscator.rs
index 21d1e14..8f420c3 100644
--- a/src/util/key_obfuscator.rs
+++ b/src/util/key_obfuscator.rs
@@ -136,6 +136,10 @@ impl KeyObfuscator {
 fn generate_synthetic_nonce(&self, initial_nonce_material: &[u8]) -> [u8; NONCE_LENGTH] {
 let hmac = Self::hkdf(&self.hashing_key, initial_nonce_material);
 let mut nonce = [0u8; NONCE_LENGTH];
+ // TODO: While the RFC specifies a 12-byte nonce, we use an 8-byte nonce for
+ // backwards compatibility with the rust-lightning implementation of
+ // Chacha20Poly1305. We now use the rust-bitcoin implementation, which allows
+ // for 12-byte nonces, so we should figure out an upgrade path for this.
 nonce[4..].copy_from_slice(&hmac[..8]);
 nonce
 }
diff --git a/src/util/storable_builder.rs b/src/util/storable_builder.rs
index c8c53ae..489991f 100644
--- a/src/util/storable_builder.rs
+++ b/src/util/storable_builder.rs
@@ -47,7 +47,7 @@ impl StorableBuilder {
 &self, input: Vec, version: i64, data_encryption_key: &[u8; 32], aad: &[u8],
 ) -> Storable {
 let mut nonce = [0u8; NONCE_LENGTH];
- self.entropy_source.fill_bytes(&mut nonce[4..]);
+ self.entropy_source.fill_bytes(&mut nonce);
 let mut data_blob = PlaintextBlob { value: input, version }.encode_to_vec();
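Review bot: The added TODO in `generate_synthetic_nonce` (src/util/key_obfuscator.rs) leaves out the constraint that makes the upgrade hard, and the commit subject reads as if this path had moved to 12 bytes when `nonce[4..].copy_from_slice(&hmac[..8])` is unchanged. The nonce here is derived from `initial_nonce_material` rather than drawn at random, so widening it would presumably change the output for every existing input; if callers look records up by that output, the comment should say so, e.g. `// Changing the nonce width changes every obfuscated key already stored, so this needs a versioned migration.` It is also worth recording that only 64 bits of the HKDF output separate the nonces of distinct inputs, so under one key a collision becomes likely around 2^32 inputs, and a repeated ChaCha20-Poly1305 nonce undermines both confidentiality and integrity. The function is fully visible in the hunk; how its output is consumed is not.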
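Review bot: In `StorableBuilder::build` (src/util/storable_builder.rs) the switch to `fill_bytes(&mut nonce)` changes the layout of stored nonces, and nothing in the hunk shows the read path or a test covering records written with the old layout (four zero bytes followed by eight random ones). If the decrypt side takes all 12 bytes from the stored record, old data stays readable; if it rebuilds the nonce from eight stored bytes, new records will fail authentication, so a round-trip test with one old-format and one new-format Storable would pin this down. Nonce uniqueness per `data_encryption_key` rests entirely on `entropy_source`, which deserves a comment on the changed line: `// 96-bit random nonce; entropy_source must be a CSPRNG, since a repeat under the same key breaks confidentiality and integrity.` The body of `build` starts before and continues after the hunk.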