f de-DRY decrypt_in_place and remove optional tag param

valentinewallace · valentinewallace · commit 18c3649d1e0e · 2022-06-15T17:51:31.000-04:00
and make it pub(super), see comment
diff --git a/lightning/src/util/chacha20poly1305rfc.rs b/lightning/src/util/chacha20poly1305rfc.rs
@@ -94,40 +94,42 @@ mod real_chachapoly {
 		}
 
 		pub fn decrypt(&mut self, input: &[u8], output: &mut [u8], tag: &[u8]) -> bool {
-			if self.decrypt_inner(input, Some(output), Some(tag)) {
-				self.cipher.process(input, output);
-				return true
-			}
-			false
-		}
-
-		// Decrypt in place, and check the tag if it's provided. If the tag is not provided, then
-		// `finish_and_check_tag` may be called to check it later.
-		pub fn decrypt_in_place(&mut self, input: &mut [u8], tag: Option<&[u8]>) -> bool {
-			if self.decrypt_inner(input, None, tag) {
-				self.cipher.process_in_place(input);
-				return true
-			}
-			false
-		}
-
-		fn decrypt_inner(&mut self, input: &[u8], output: Option<&mut [u8]>, tag: Option<&[u8]>) -> bool {
-			if let Some(output) = output {
-				assert!(input.len() == output.len());
-			}
+			assert!(input.len() == output.len());
 			assert!(self.finished == false);
 
+			self.finished = true;
+
 			self.mac.input(input);
 
 			self.data_len += input.len();
+			ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
+			self.mac.input(&self.aad_len.to_le_bytes());
+			self.mac.input(&(self.data_len as u64).to_le_bytes());
 
-			if let Some(tag) = tag {
-				return self.finish_and_check_tag(tag)
+			let mut calc_tag =  [0u8; 16];
+			self.mac.raw_result(&mut calc_tag);
+			if fixed_time_eq(&calc_tag, tag) {
+				self.cipher.process(input, output);
+				true
+			} else {
+				false
 			}
-			true
 		}
 
-		pub fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
+		// Decrypt in place, without checking the tag. Use `finish_and_check_tag` to check it
+		// later when decryption finishes.
+		//
+		// pub(super) because the public API should always enforce tag checking.
+		pub(super) fn decrypt_in_place(&mut self, input_output: &mut [u8]) {
+			assert!(self.finished == false);
+			self.mac.input(input_output);
+			self.data_len += input_output.len();
+			self.cipher.process_in_place(input_output);
+		}
+
+		// If we were previously decrypting with `decrypt_in_place`, this method must be used to finish
+		// decrypting and check the tag. Returns whether or not the tag is valid.
+		pub(super) fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
 			self.finished = true;
 			ChaCha20Poly1305RFC::pad_mac_16(&mut self.mac, self.data_len);
 			self.mac.input(&self.aad_len.to_le_bytes());
@@ -159,7 +161,7 @@ impl<'a, R: Read> Read for ChaChaPolyReader<'a, R> {
 	fn read(&mut self, dest: &mut [u8]) -> Result<usize, io::Error> {
 		let res = self.read.read(dest)?;
 		if res > 0 {
-			self.chacha.decrypt_in_place(&mut dest[0..res], None);
+			self.chacha.decrypt_in_place(&mut dest[0..res]);
 		}
 		Ok(res)
 	}
@@ -305,13 +307,8 @@ mod fuzzy_chachapoly {
 			true
 		}
 
-		pub fn decrypt_in_place(&mut self, _input: &mut [u8], tag: Option<&[u8]>) -> bool {
+		pub fn decrypt_in_place(&mut self, _input: &mut [u8]) {
 			assert!(self.finished == false);
-			if let Some(tag) = tag {
-				if tag[..] != self.tag[..] { return false; }
-			}
-			self.finished = true;
-			true
 		}
 
 		pub fn finish_and_check_tag(&mut self, tag: &[u8]) -> bool {
