1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97
// Copyright 2020 The Tink-Rust Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
////////////////////////////////////////////////////////////////////////////////
//! Provides subtle implementations of the `DeterministicAEAD` primitive using AES-SIV.
use aes_siv::{aead::generic_array::GenericArray, siv::Aes256Siv};
use std::{cell::RefCell, rc::Rc};
use tink_core::{utils::wrap_err, TinkError};
const AES_BLOCK_SIZE: usize = 16;
/// `AesSiv` is an implementation of AES-SIV-CMAC as defined in
/// [RFC 5297](https://tools.ietf.org/html/rfc5297).
///
/// `AesSiv` implements a deterministic encryption with additional data (i.e. the
/// `DeterministicAEAD` trait). Hence the implementation below is restricted
/// to one AD component.
///
/// # Security Note:
///
/// Chatterjee, Menezes and Sarkar analyze AES-SIV in Section 5.1 of
/// ["Another Look at Tightness"](https://www.math.uwaterloo.ca/~ajmeneze/publications/tightness.pdf)
///
/// Their analysis shows that AES-SIV is susceptible to an attack in
/// a multi-user setting. Concretely, if an attacker knows the encryption
/// of a message m encrypted and authenticated with k different keys,
/// then it is possible to find one of the MAC keys in time 2^b / k
/// where b is the size of the MAC key. A consequence of this attack
/// is that 128-bit MAC keys give unsufficient security.
/// Since 192-bit AES keys are not supported by tink for voodoo reasons
/// and RFC 5297 only supports same size encryption and MAC keys this
/// implies that keys must be 64 bytes (2*256 bits) long.
#[derive(Clone)]
pub struct AesSiv {
// Need to use interior mutability because `aes_siv::siv::Siv` operations
// take a `&mut self` parameter.
cipher: Rc<RefCell<Aes256Siv>>,
}
/// Key size in bytes.
pub const AES_SIV_KEY_SIZE: usize = 64; // 512 bits
impl AesSiv {
/// Return an [`AesSiv`] instance.
pub fn new(key: &[u8]) -> Result<AesSiv, TinkError> {
if key.len() != AES_SIV_KEY_SIZE {
return Err(format!("AesSiv::new: invalid key size {}", key.len()).into());
}
Ok(AesSiv {
cipher: Rc::new(RefCell::new(Aes256Siv::new(*GenericArray::from_slice(key)))),
})
}
}
impl tink_core::DeterministicAead for AesSiv {
fn encrypt_deterministically(
&self,
plaintext: &[u8],
additional_data: &[u8],
) -> Result<Vec<u8>, TinkError> {
if plaintext.len() > (isize::MAX as usize) - AES_BLOCK_SIZE {
return Err("AesSiv: plaintext too long".into());
}
self.cipher
.borrow_mut()
.encrypt(&[additional_data], plaintext)
.map_err(|e| wrap_err("AesSiv: encrypt failed", e))
}
fn decrypt_deterministically(
&self,
ciphertext: &[u8],
additional_data: &[u8],
) -> Result<Vec<u8>, TinkError> {
if ciphertext.len() < aes_siv::siv::IV_SIZE {
return Err("AesSiv: ciphertext is too short".into());
}
self.cipher
.borrow_mut()
.decrypt(&[additional_data], ciphertext)
.map_err(|e| wrap_err("AesSiv: decrypt failed", e))
}
}