Merge pull request #43 from tankyleo/25-10-use-12-byte-nonce

tnull · web-flow · commit a126555c3c76 · 2025-11-03T19:33:14.000+01:00
Use a 12-byte nonce as an input to Chacha20-Poly1305
diff --git a/src/util/key_obfuscator.rs b/src/util/key_obfuscator.rs
@@ -136,6 +136,10 @@ impl KeyObfuscator {
 	fn generate_synthetic_nonce(&self, initial_nonce_material: &[u8]) -> [u8; NONCE_LENGTH] {
 		let hmac = Self::hkdf(&self.hashing_key, initial_nonce_material);
 		let mut nonce = [0u8; NONCE_LENGTH];
+		// TODO: While the RFC specifies a 12-byte nonce, we use an 8-byte nonce for
+		// backwards compatibility with the rust-lightning implementation of
+		// Chacha20Poly1305. We now use the rust-bitcoin implementation, which allows
+		// for 12-byte nonces, so we should figure out an upgrade path for this.
 		nonce[4..].copy_from_slice(&hmac[..8]);
 		nonce
 	}
diff --git a/src/util/storable_builder.rs b/src/util/storable_builder.rs
@@ -47,7 +47,7 @@ impl<T: EntropySource> StorableBuilder<T> {
 		&self, input: Vec<u8>, version: i64, data_encryption_key: &[u8; 32], aad: &[u8],
 	) -> Storable {
 		let mut nonce = [0u8; NONCE_LENGTH];
-		self.entropy_source.fill_bytes(&mut nonce[4..]);
+		self.entropy_source.fill_bytes(&mut nonce);
 
 		let mut data_blob = PlaintextBlob { value: input, version }.encode_to_vec();
 
