aead

Pure Haskell AEAD-ChaCha20-Poly1305 (docs.ppad.tech/aead).
git clone git://git.ppad.tech/aead.git
Log | Files | Refs | README | LICENSE
commit 65bccd86c7bf525268bc3b1c4e53a2709919f822
parent 4029c0e9bc92c7e85d2c2ebac9cb539cdb738be4
Author: Jared Tobin <jared@jtobin.io>
Date:   Tue, 11 Mar 2025 09:05:49 +0400

lib: fix AEAD buffer for pathological cases

Diffstat:

Mlib/Crypto/AEAD/ChaCha20Poly1305.hs | 26+++++++++++++++-----------


1 file changed, 15 insertions(+), 11 deletions(-)

diff --git a/lib/Crypto/AEAD/ChaCha20Poly1305.hs b/lib/Crypto/AEAD/ChaCha20Poly1305.hs
@@ -94,14 +94,16 @@ encrypt aad key nonce plaintext
   | BS.length key  /= 32  = error "ppad-aead (encrypt): invalid key"
   | BS.length nonce /= 12 = error "ppad-aead (encrypt): invalid nonce"
   | otherwise =
-      let otk   = _poly1305_key_gen key nonce
-          ciphertext = ChaCha20.cipher key 1 nonce plaintext
-          md0 = aad <> pad16 aad
-          md1 = md0 <> ciphertext <> pad16 ciphertext
+      let otk = _poly1305_key_gen key nonce
+          cip = ChaCha20.cipher key 1 nonce plaintext
+          md0 | BS.length aad == 0 = mempty
+              | otherwise          = aad <> pad16 aad
+          md1 | BS.length cip == 0 = md0
+              | otherwise          = md0 <> cip <> pad16 cip
           md2 = md1 <> unroll8 (fi (BS.length aad))
-          md3 = md2 <> unroll8 (fi (BS.length ciphertext))
+          md3 = md2 <> unroll8 (fi (BS.length cip))
           tag = Poly1305.mac otk md3
-      in  (ciphertext, tag)
+      in  (cip, tag)
 
 -- | Decrypt an authenticated ciphertext, given a message authentication
 --   code and some additional authenticated data, via a 256-bit key and
@@ -122,18 +124,20 @@ decrypt
   -> BS.ByteString                  -- ^ 96-bit nonce
   -> (BS.ByteString, BS.ByteString) -- ^ (arbitrary-length ciphertext, 128-bit MAC)
   -> Maybe BS.ByteString
-decrypt aad key nonce (ciphertext, mac)
+decrypt aad key nonce (cip, mac)
   | BS.length key /= 32   = error "ppad-aead (decrypt): invalid key"
   | BS.length nonce /= 12 = error "ppad-aead (decrypt): invalid nonce"
   | BS.length mac /= 16   = Nothing
   | otherwise =
       let otk = _poly1305_key_gen key nonce
-          md0 = aad <> pad16 aad
-          md1 = md0 <> ciphertext <> pad16 ciphertext
+          md0 | BS.length aad == 0 = mempty
+              | otherwise          = aad <> pad16 aad
+          md1 | BS.length cip == 0 = md0
+              | otherwise          = md0 <> cip <> pad16 cip
           md2 = md1 <> unroll8 (fi (BS.length aad))
-          md3 = md2 <> unroll8 (fi (BS.length ciphertext))
+          md3 = md2 <> unroll8 (fi (BS.length cip))
           tag = Poly1305.mac otk md3
       in  if   mac == tag
-          then pure (ChaCha20.cipher key 1 nonce ciphertext)
+          then pure (ChaCha20.cipher key 1 nonce cip)
           else Nothing