xref: /aosp_15_r20/external/tink/cc/subtle/encrypt_then_authenticate.h (revision e7b1675dde1b92d52ec075b0a92829627f2c52a5) 
1 // Copyright 2017 Google Inc.
2 //
3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at
6 //
7 //     http://www.apache.org/licenses/LICENSE-2.0
8 //
9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and
13 // limitations under the License.
14 //
15 ///////////////////////////////////////////////////////////////////////////////
16 
17 #ifndef TINK_SUBTLE_ENCRYPT_THEN_AUTHENTICATE_H_
18 #define TINK_SUBTLE_ENCRYPT_THEN_AUTHENTICATE_H_
19 
20 #include <memory>
21 #include <string>
22 #include <utility>
23 
24 #include "absl/strings/string_view.h"
25 #include "tink/aead.h"
26 #include "tink/mac.h"
27 #include "tink/subtle/ind_cpa_cipher.h"
28 #include "tink/util/status.h"
29 #include "tink/util/statusor.h"
30 
31 namespace crypto {
32 namespace tink {
33 namespace subtle {
34 
35 // This primitive performs an encrypt-then-Mac operation on plaintext and
36 // associated data (ad). The Mac is computed over (ad ||
37 // ciphertext || size of ad). This implementation is based on
38 // http://tools.ietf.org/html/draft-mcgrew-aead-aes-cbc-hmac-sha2-05.
39 class EncryptThenAuthenticate : public Aead {
40  public:
41   static crypto::tink::util::StatusOr<std::unique_ptr<Aead>> New(
42       std::unique_ptr<IndCpaCipher> ind_cpa_cipher, std::unique_ptr<Mac> mac,
43       uint8_t tag_size);
44 
45   // Encrypts 'plaintext' with 'associated_data'. The resulting ciphertext
46   // allows for checking authenticity and integrity of associated_data (ad), but
47   // does not guarantee its secrecy.
48   //
49   // The plaintext is encrypted with an IndCpaCipher, then MAC is computed over
50   // (associated_data || ciphertext || t) where t is associated_data's length
51   // in bits represented as 64-bit bigendian unsigned integer. The final
52   // ciphertext format is (ind-cpa ciphertext || mac).
53   crypto::tink::util::StatusOr<std::string> Encrypt(
54       absl::string_view plaintext,
55       absl::string_view associated_data) const override;
56 
57   crypto::tink::util::StatusOr<std::string> Decrypt(
58       absl::string_view ciphertext,
59       absl::string_view associated_data) const override;
60 
61  private:
62   static constexpr int kMinTagSizeInBytes = 10;
63 
EncryptThenAuthenticate(std::unique_ptr<IndCpaCipher> ind_cpa_cipher,std::unique_ptr<Mac> mac,uint8_t tag_size)64   EncryptThenAuthenticate(std::unique_ptr<IndCpaCipher> ind_cpa_cipher,
65                           std::unique_ptr<Mac> mac, uint8_t tag_size)
66       : ind_cpa_cipher_(std::move(ind_cpa_cipher)),
67         mac_(std::move(mac)),
68         tag_size_(tag_size) {}
69 
70   const std::unique_ptr<IndCpaCipher> ind_cpa_cipher_;
71   const std::unique_ptr<Mac> mac_;
72   const uint8_t tag_size_;
73 };
74 
75 }  // namespace subtle
76 }  // namespace tink
77 }  // namespace crypto
78 
79 #endif  // TINK_SUBTLE_ENCRYPT_THEN_AUTHENTICATE_H_
80