use CHACHA20_POLY1305 instead of AES_256_GCM

2025-07-07 20:06:36 +02:00 · 2021-10-17 17:36:30 -04:00 · 2021-10-17 17:36:30 -04:00 · 4300f7bdda
commit 4300f7bdda
parent 97d1366b66
2 changed files with 8 additions and 8 deletions
--- a/docs/src/sync-protocol.md
+++ b/docs/src/sync-protocol.md
@ -52,7 +52,7 @@ The salt is the SHA256 hash of the 16-byte form of the client key.

 #### Encryption

-The client uses [AEAD](https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html), with algorithm AES_256_GCM.
+The client uses [AEAD](https://commondatastorage.googleapis.com/chromium-boringssl-docs/aead.h.html), with algorithm CHACHA20_POLY1305.
 Each encrypted payload has an associated version ID.
 The 16-byte form of this UUID is used as the associated data (AAD) with the AEAD algorithm.
 The client should generate a random nonce, noting that AEAD is _not secure_ if a nonce is used repeatedly for the same key.
--- a/taskchampion/src/server/crypto.rs
+++ b/taskchampion/src/server/crypto.rs
@ -28,7 +28,7 @@ impl Cryptor {
    fn derive_key(client_key: Uuid, secret: &Secret) -> anyhow::Result<aead::LessSafeKey> {
        let salt = digest::digest(&digest::SHA256, client_key.as_bytes());

-        let mut key_bytes = vec![0u8; ring::aead::AES_256_GCM.key_len()];
+        let mut key_bytes = vec![0u8; aead::CHACHA20_POLY1305.key_len()];
        pbkdf2::derive(
            pbkdf2::PBKDF2_HMAC_SHA256,
            std::num::NonZeroU32::new(PBKDF2_ITERATIONS).unwrap(),
@ -37,9 +37,9 @@ impl Cryptor {
            &mut key_bytes,
        );

-        let unbound_key = ring::aead::UnboundKey::new(&ring::aead::AES_256_GCM, &key_bytes)
+        let unbound_key = aead::UnboundKey::new(&aead::CHACHA20_POLY1305, &key_bytes)
            .map_err(|_| anyhow::anyhow!("error while creating AEAD key"))?;
-        Ok(ring::aead::LessSafeKey::new(unbound_key))
+        Ok(aead::LessSafeKey::new(unbound_key))
    }

    /// Encrypt the given payload.
@ -53,9 +53,9 @@ impl Cryptor {
        self.rng
            .fill(&mut nonce_buf)
            .map_err(|_| anyhow::anyhow!("error generating random nonce"))?;
-        let nonce = ring::aead::Nonce::assume_unique_for_key(nonce_buf);
+        let nonce = aead::Nonce::assume_unique_for_key(nonce_buf);

-        let aad = ring::aead::Aad::from(version_id.as_bytes());
+        let aad = aead::Aad::from(version_id.as_bytes());

        let tag = self
            .key
@ -85,8 +85,8 @@ impl Cryptor {

        let mut nonce = [0u8; aead::NONCE_LEN];
        nonce.copy_from_slice(env.nonce);
-        let nonce = ring::aead::Nonce::assume_unique_for_key(nonce);
-        let aad = ring::aead::Aad::from(version_id.as_bytes());
+        let nonce = aead::Nonce::assume_unique_for_key(nonce);
+        let aad = aead::Aad::from(version_id.as_bytes());

        let mut payload = env.payload.to_vec();
        let plaintext = self