Switch chacha

[Abeeujah]

closes #4316

This PR switches the ChaChaPoly encryption algorithm to the chacha20-poly1305 = "0.1.2" crate, the following impls have been modified

• EncryptedOurPeerStorage
• PeerChannelEncryptor

The chacha20-poly1305 dependency was only added because the issue description by @TheBlueMatt requested it be added, and also, thanks to @tnull for the reference implementation provided.

[ldk-reviews-bot]

👋 I see @TheBlueMatt was un-assigned.
If you'd like another reviewer assignment, please click here.

[TheBlueMatt]

You should try to remove the existing chacha20poly1305rfc module entirely. Is there some limitations of the upstream implementation that prevented that?

[Abeeujah]

@TheBlueMatt at the moment, streams.rs lightning/src/crypto/streams.rs still depends on it, I'm currently working on switching it to the chacha20-poly1305 crate as well.

[TheBlueMatt]

Looks like you still didn't manage to remove chacha20poly1305rfc.rs (and chacha20.rs and poly1305.rs)?

[ldk-reviews-bot]

👋 The first review has been submitted!

Do you think this PR is ready for a second reviewer? If so, click here to assign a second reviewer.

[TheBlueMatt]

Nah, we definitely don't want to do the full poly1305 validation twice. We'll have to upstream a Clone for Poly1305, mind opening a PR upstream at https://github.com/rust-bitcoin/rust-bitcoin/?

[Abeeujah]

GM @TheBlueMatt upstream PR has been merged, I've pointed the crate to the git rev pending when a newer crate is released, although it doesn't look like the module supports fuzzing, I'd love to get your review on the next course of action

[TheBlueMatt]

Oh good point yea, can you look into upstreaming our fuzzing logic as well? Could use a different cfg flag.

[ldk-claude-review-bot]

Issue: Git dependency prevents crates.io publishing

crates.io does not allow git dependencies. Since the lightning crate is published to crates.io, this dependency must come from a published crate before this can be merged/released. Using git + rev is fine for development/testing, but this is a release blocker.

Is there a timeline for the chacha20-poly1305 crate from rust-bitcoin being published to crates.io?

[ldk-claude-review-bot]

Potential issue: Fuzzing support regression

The deleted chacha20.rs and poly1305.rs files contained #[cfg(fuzzing)] no-op implementations:

• Fuzzing ChaCha20::process_in_place was a no-op (data passed through unencrypted)
• Fuzzing Poly1305 ignored all input and returned the first 16 bytes of the key as the tag

These no-ops allowed fuzzers (e.g., peer_crypt, full_stack, chanmon_consistency) to exercise protocol logic without needing to produce valid ciphertexts/MACs.

Does the external chacha20-poly1305 crate provide equivalent #[cfg(fuzzing)] no-op implementations? If not, fuzzers that rely on transparent crypto will be broken — the handshake MAC checks in PeerChannelEncryptor will almost always fail on arbitrary fuzz input, preventing exploration of post-handshake code paths.

The #[cfg(fuzzing)] blocks preserved in streams.rs (lines 50-53, 144-147, 240-243) only change the Poly1305 key source but don't address the ChaCha20 encryption being real vs. no-op.

[ldk-claude-review-bot]

Pre-existing bug (worth fixing while refactoring): Missing 0-byte read guard

Unlike the ChaChaTriPolyReader drain loop (line 155-159), this drain loop does not check for a 0-byte return from read(). If the underlying reader returns EOF while bytes_remain() is still > 0 (e.g., the reader has less data than expected), this will infinite-loop.

The TriPoly variant correctly handles this:

if chacha_stream.read(&mut buf)? == 0 {
    return Err(DecodeError::ShortRead);
}

There's even a test for the TriPoly case (short_read_chacha_tri_read_adapter) but no equivalent test for this path. Consider adding the same guard here.

[ldk-claude-review-bot]

Inconsistency: No #[cfg(fuzzing)] block for Poly1305 initialization here

The other three Poly1305 initialization sites in this file all have #[cfg(fuzzing)] blocks that use the encryption key directly instead of the derived mac_key. This site does not. In the old code, this was not an issue because the fuzzing Poly1305 module-level #[cfg(fuzzing)] switch handled it automatically. With the external crate, this site always uses mac_key even in fuzzing mode, making it inconsistent with the other sites.

[ldk-claude-review-bot]

Bug: Block counter vs byte offset mismatch

seek_pos is a byte count (packet_data.len() - pos), but the 3rd argument to ChaCha20::new is the initial block counter (each ChaCha20 block is 64 bytes). This is evident from how the same constructor is used in sign/mod.rs and inbound_payment.rs, where the value passed corresponds to the old code's d[0] block counter.

The old code consumed packet_data.len() - pos individual bytes from the keystream:

for _ in 0..(packet_data.len() - pos) {
    let mut dummy = [0; 1];
    chacha.process_in_place(&mut dummy);
}

The new code sets the block counter to this byte count, which would start the keystream at byte seek_pos * 64 instead of byte seek_pos. For a typical 1300-byte onion packet on the first iteration, this would start at byte 83,200 instead of byte 1300.

This will produce incorrect filler data, breaking onion packet construction and causing all multi-hop payments to fail.

The fix would need to compute the block offset and handle the remainder:

let skip_bytes = packet_data.len() - pos;
let block_offset = (skip_bytes / 64) as u32;
let byte_remainder = skip_bytes % 64;
let mut chacha = ChaCha20::new(Key::new(keys.rho), Nonce::new([0; 12]), block_offset);
if byte_remainder > 0 {
    let mut dummy = [0u8; 64];
    chacha.apply_keystream(&mut dummy[..byte_remainder]);
}

[Abeeujah]

The third argument to ChaCha20::new is a byte offset (seek), not a block counter. The constructor internally divides by 64 to get the block count and takes the remainder as the byte offset within that block. So passing seek_pos = packet_data.len() - pos correctly seeks to that byte position in the keystream.

[ldk-claude-review-bot]

Bug: Nonce format change breaks keystream compatibility

The salt was changed from 8 bytes to 12 bytes. With an 8-byte nonce, the old ChaCha20::new placed values in the state as:

• d[0]=counter, d[1]=0, d[2]=block_height, d[3]=tx_index

With a 12-byte nonce (RFC 8439), the state becomes:

• d[0]=counter, d[1]=block_height, d[2]=tx_index, d[3]=0

These produce different keystreams for any non-zero block_height or tx_index. This means:

1. get_encrypted_vout now returns different values than before for the same inputs
2. is_valid_phantom / is_valid_intercept will fail to validate fake SCIDs generated by old code
3. Any outstanding invoices using phantom or intercept SCIDs will stop working after upgrade

The test change from get_encrypted_vout(0, 0, ...) to get_encrypted_vout(1, 0, ...) below confirms the behavior changed — the old test only passed because with all-zero nonce the 8-byte and 12-byte layouts happened to coincide, but with block_height=1 they diverge.

To preserve backward compatibility, you need to place block_height and tx_index at the same position in the 12-byte nonce as they occupied in the 8-byte nonce:

let mut salt = [0u8; 12];
salt[4..8].copy_from_slice(&block_height_bytes);
salt[8..12].copy_from_slice(&tx_index_bytes);

[ldk-claude-review-bot]

Issue: --cfg=chacha20_poly1305_fuzz not added to ci-fuzz.sh

This flag is added here for the sanity check, but fuzz/ci-fuzz.sh (line 16) sets its own RUSTFLAGS without --cfg=chacha20_poly1305_fuzz:

export RUSTFLAGS="--cfg=secp256k1_fuzz --cfg=hashes_fuzz"

This means the actual honggfuzz runs will compile the chacha20-poly1305 crate without its fuzzing mode, so real ChaCha20-Poly1305 operations will be performed during fuzzing. Fuzzers won't be able to generate valid MACs, severely limiting their ability to explore post-handshake/post-decryption code paths.

[ldk-claude-review-bot]

Semantic concern: 8-byte nonce → 12-byte nonce changes keystream for non-zero nonces

All the ChaCha20::new calls in this file use Nonce::new([0; 12]) (all-zero nonce), replacing the old &[0u8; 8]. Since the nonce is all zeros, the ChaCha20 state is identical regardless of nonce length, so there's no behavioral change here.

However, this is a subtle correctness invariant: this only works because the nonce is [0; 12]. If anyone later changes the nonce to a non-zero value based on the old 8-byte pattern without adjusting the position within the 12-byte array, it would silently break (as happened in scid_utils.rs). Worth a brief comment noting this equivalence holds only for all-zero nonces.

[ldk-claude-review-bot]

[TheBlueMatt]

Cool, so I guess we're just waiting for an upstream release? Can you fix the rustfmt job in the mean time?

[codecov]

Codecov Report

❌ Patch coverage is 84.27673% with 25 lines in your changes missing coverage. Please review.
✅ Project coverage is 86.10%. Comparing base (066859b) to head (b5c8b57).
⚠️ Report is 2765 commits behind head on main.

Files with missing lines	Patch %	Lines
lightning/src/ln/funding.rs	0.00%	21 Missing ⚠️
lightning/src/crypto/streams.rs	93.22%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4360      +/-   ##
==========================================
+ Coverage   84.55%   86.10%   +1.54%     
==========================================
  Files         135      158      +23     
  Lines       76569   106736   +30167     
  Branches    76569   106736   +30167     
==========================================
+ Hits        64745    91906   +27161     
- Misses       9783    12214    +2431     
- Partials     2041     2616     +575     

Flag	Coverage Δ
tests	86.10% <84.27%> (?)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.