perf: Remove Vec from chacha::encrypt/decrypt

In order to limit perf/allocation changes from master, remove the last
use of Vec from the handshake code.

The decrypt/encrypt code now takes an out parameter to place the
decrypted bytes. All handshake users know the fixed-size of the output
decryption so they can use arrays. The Conduit code will still allocate
a Vec based on the input message and pass it through.

After this patch, the handshake code is now Vec-less and copies are
minimized.

Author: julianknutsen

lightning/src/ln/peers/chacha.rs

@@ -3,21 +3,18 @@ use util::chacha20poly1305rfc::ChaCha20Poly1305RFC;
 
 pub const TAG_SIZE: usize = 16;
 
-pub fn encrypt(key: &[u8], nonce: u64, associated_data: &[u8], plaintext: &[u8]) -> Vec<u8> {
+pub fn encrypt(key: &[u8], nonce: u64, associated_data: &[u8], plaintext: &[u8], ciphertext_out: &mut [u8]) {
 	let mut nonce_bytes = [0; 12];
 	nonce_bytes[4..].copy_from_slice(&byte_utils::le64_to_array(nonce));
 
 	let mut chacha = ChaCha20Poly1305RFC::new(key, &nonce_bytes, associated_data);
-	let mut ciphertext = vec![0u8; plaintext.len()];
 	let mut authentication_tag = [0u8; 16];
-	chacha.encrypt(plaintext, &mut ciphertext, &mut authentication_tag);
+	chacha.encrypt(plaintext, &mut ciphertext_out[..plaintext.len()], &mut authentication_tag);
 
-	let mut tagged_ciphertext = ciphertext;
-	tagged_ciphertext.extend_from_slice(&authentication_tag);
-	tagged_ciphertext
+	ciphertext_out[plaintext.len()..].copy_from_slice(&authentication_tag);
 }
 
-pub fn decrypt(key: &[u8], nonce: u64, associated_data: &[u8], tagged_ciphertext: &[u8]) -> Result<Vec<u8>, String> {
+pub fn decrypt(key: &[u8], nonce: u64, associated_data: &[u8], tagged_ciphertext: &[u8], plaintext_out: &mut [u8]) -> Result<(), String> {
 	let mut nonce_bytes = [0; 12];
 	nonce_bytes[4..].copy_from_slice(&byte_utils::le64_to_array(nonce));
 
@@ -27,14 +24,14 @@ pub fn decrypt(key: &[u8], nonce: u64, associated_data: &[u8], tagged_ciphertext
 	}
 	let end_index = length - 16;
 	let ciphertext = &tagged_ciphertext[0..end_index];
-	let authentication_tag = &tagged_ciphertext[end_index..length];
+	let authentication_tag = &tagged_ciphertext[end_index..];
 
 	let mut chacha = ChaCha20Poly1305RFC::new(key, &nonce_bytes, associated_data);
-	let mut plaintext = vec![0u8; length - 16];
-	let success = chacha.decrypt(ciphertext, &mut plaintext, authentication_tag);
-	if success {
-		Ok(plaintext.to_vec())
-	} else {
+	let success = chacha.decrypt(ciphertext, plaintext_out, authentication_tag);
+
+	if !success {
 		Err("invalid hmac".to_string())
+	} else {
+		Ok(())
 	}
 }

lightning/src/ln/peers/conduit.rs

@@ -119,10 +119,10 @@ impl Encryptor {
 
 		let mut ciphertext = vec![0u8; TAGGED_MESSAGE_LENGTH_HEADER_SIZE + length as usize + chacha::TAG_SIZE];
 
-		ciphertext[0..TAGGED_MESSAGE_LENGTH_HEADER_SIZE].copy_from_slice(&chacha::encrypt(&self.sending_key, self.sending_nonce as u64, &[0; 0], &length_bytes));
+		chacha::encrypt(&self.sending_key, self.sending_nonce as u64, &[0; 0], &length_bytes, &mut ciphertext[..TAGGED_MESSAGE_LENGTH_HEADER_SIZE]);
 		self.increment_nonce();
 
-		ciphertext[TAGGED_MESSAGE_LENGTH_HEADER_SIZE..].copy_from_slice(&chacha::encrypt(&self.sending_key, self.sending_nonce as u64, &[0; 0], buffer));
+		&chacha::encrypt(&self.sending_key, self.sending_nonce as u64, &[0; 0], buffer, &mut ciphertext[TAGGED_MESSAGE_LENGTH_HEADER_SIZE..]);
 		self.increment_nonce();
 
 		ciphertext
@@ -172,7 +172,7 @@ impl Decryptor {
 
 			let encrypted_length = &buffer[0..TAGGED_MESSAGE_LENGTH_HEADER_SIZE];
 			let mut length_bytes = [0u8; MESSAGE_LENGTH_HEADER_SIZE];
-			length_bytes.copy_from_slice(&chacha::decrypt(&self.receiving_key, self.receiving_nonce as u64, &[0; 0], encrypted_length)?);
+			chacha::decrypt(&self.receiving_key, self.receiving_nonce as u64, &[0; 0], encrypted_length, &mut length_bytes)?;
 
 			self.increment_nonce();
 
@@ -190,8 +190,9 @@ impl Decryptor {
 		self.pending_message_length = None;
 
 		let encrypted_message = &buffer[TAGGED_MESSAGE_LENGTH_HEADER_SIZE..message_end_index];
+		let mut message = vec![0u8; message_length];
 
-		let message = chacha::decrypt(&self.receiving_key, self.receiving_nonce as u64, &[0; 0], encrypted_message)?;
+		chacha::decrypt(&self.receiving_key, self.receiving_nonce as u64, &[0; 0], encrypted_message, &mut message)?;
 
 		self.increment_nonce();
 

lightning/src/ln/peers/handshake/states.rs

@@ -285,12 +285,14 @@ impl IHandshakeState for InitiatorAwaitingActTwoState {
 			hash,
 		)?;
 
+		let mut act_three = EMPTY_ACT_THREE;
+
 		// start serializing act three
 		// 1. c = encryptWithAD(temp_k2, 1, h, s.pub.serializeCompressed())
-		let tagged_encrypted_pubkey = chacha::encrypt(&temporary_key, 1, &hash, &initiator_static_public_key.serialize());
+		chacha::encrypt(&temporary_key, 1, &hash, &initiator_static_public_key.serialize(), &mut act_three[1..50]);
 
 		// 2. h = SHA-256(h || c)
-		let hash = concat_then_sha256!(hash, tagged_encrypted_pubkey);
+		let hash = concat_then_sha256!(hash, act_three[1..50]);
 
 		// 3. se = ECDH(s.priv, re)
 		let ecdh = ecdh(&initiator_static_private_key, &responder_ephemeral_public_key);
@@ -299,7 +301,7 @@ impl IHandshakeState for InitiatorAwaitingActTwoState {
 		let (chaining_key, temporary_key) = hkdf::derive(&chaining_key, &ecdh);
 
 		// 5. t = encryptWithAD(temp_k3, 0, h, zero)
-		let authentication_tag = chacha::encrypt(&temporary_key, 0, &hash, &[0; 0]);
+		chacha::encrypt(&temporary_key, 0, &hash, &[0; 0], &mut act_three[50..]);
 
 		// 6. sk, rk = HKDF(ck, zero)
 		let (sending_key, receiving_key) = hkdf::derive(&chaining_key, &[0; 0]);
@@ -308,11 +310,6 @@ impl IHandshakeState for InitiatorAwaitingActTwoState {
 		// - done by Conduit
 		let conduit = Conduit::new(sending_key, receiving_key, chaining_key);
 
-		// Send m = 0 || c || t over the network buffer
-		let mut act_three = EMPTY_ACT_THREE;
-		act_three[1..50].copy_from_slice(&tagged_encrypted_pubkey);
-		act_three[50..].copy_from_slice(&authentication_tag);
-
 		Ok((
 			Some(Act::Three(act_three)),
 			HandshakeState::Complete(Some((conduit, responder_static_public_key)))
@@ -352,7 +349,7 @@ impl IHandshakeState for ResponderAwaitingActThreeState {
 		// 2. Parse the read message (m) into v, c, and t
 		let version = act_three_bytes[0];
 		let tagged_encrypted_pubkey = &act_three_bytes[1..50];
-		let chacha_tag = &act_three_bytes[50..66];
+		let chacha_tag = &act_three_bytes[50..];
 
 		// 3. If v is an unrecognized handshake version, then the responder MUST abort the connection attempt.
 		if version != 0 {
@@ -361,8 +358,9 @@ impl IHandshakeState for ResponderAwaitingActThreeState {
 		}
 
 		// 4. rs = decryptWithAD(temp_k2, 1, h, c)
-		let remote_pubkey_vec = chacha::decrypt(&temporary_key, 1, &hash, &tagged_encrypted_pubkey)?;
-		let initiator_pubkey = if let Ok(public_key) = PublicKey::from_slice(remote_pubkey_vec.as_slice()) {
+		let mut remote_pubkey = [0; 33];
+		chacha::decrypt(&temporary_key, 1, &hash, &tagged_encrypted_pubkey, &mut remote_pubkey)?;
+		let initiator_pubkey = if let Ok(public_key) = PublicKey::from_slice(&remote_pubkey) {
 			public_key
 		} else {
 			return Err("invalid remote public key".to_string());
@@ -378,7 +376,7 @@ impl IHandshakeState for ResponderAwaitingActThreeState {
 		let (chaining_key, temporary_key) = hkdf::derive(&chaining_key, &ecdh);
 
 		// 8. p = decryptWithAD(temp_k3, 0, h, t)
-		let _tag_check = chacha::decrypt(&temporary_key, 0, &hash, &chacha_tag)?;
+		chacha::decrypt(&temporary_key, 0, &hash, &chacha_tag, &mut [0; 0])?;
 
 		// 9. rk, sk = HKDF(ck, zero)
 		let (receiving_key, sending_key) = hkdf::derive(&chaining_key, &[0; 0]);
@@ -434,15 +432,13 @@ fn calculate_act_message(local_private_ephemeral_key: &SecretKey, local_public_e
 
 	// 5. ACT1: c = encryptWithAD(temp_k1, 0, h, zero)
 	// 5. ACT2: c = encryptWithAD(temp_k2, 0, h, zero)
-	let tagged_ciphertext = chacha::encrypt(&temporary_key, 0, &hash, &[0; 0]);
+	chacha::encrypt(&temporary_key, 0, &hash, &[0; 0], &mut act_out[34..]);
 
 	// 6. h = SHA-256(h || c)
-	let hash = concat_then_sha256!(hash, tagged_ciphertext);
+	let hash = concat_then_sha256!(hash, &act_out[34..]);
 
 	// Send m = 0 || e.pub.serializeCompressed() || c
-
 	act_out[1..34].copy_from_slice(&serialized_local_public_key);
-	act_out[34..50].copy_from_slice(&tagged_ciphertext);
 
 	(hash, chaining_key, temporary_key)
 }
@@ -455,7 +451,7 @@ fn process_act_message(act_bytes: &[u8], local_private_key: &SecretKey, chaining
 	// 2.Parse the read message (m) into v, re, and c
 	let version = act_bytes[0];
 	let ephemeral_public_key_bytes = &act_bytes[1..34];
-	let chacha_tag = &act_bytes[34..50];
+	let chacha_tag = &act_bytes[34..];
 
 	let ephemeral_public_key = if let Ok(public_key) = PublicKey::from_slice(&ephemeral_public_key_bytes) {
 		public_key
@@ -481,7 +477,7 @@ fn process_act_message(act_bytes: &[u8], local_private_key: &SecretKey, chaining
 	let (chaining_key, temporary_key) = hkdf::derive(&chaining_key, &ecdh);
 
 	// 7. p = decryptWithAD(temp_k1, 0, h, c)
-	let _tag_check = chacha::decrypt(&temporary_key, 0, &hash, &chacha_tag)?;
+	chacha::decrypt(&temporary_key, 0, &hash, &chacha_tag, &mut [0; 0])?;
 
 	// 8. h = SHA-256(h || c)
 	let hash = concat_then_sha256!(hash, chacha_tag);