Adds LessSafeKey::open_in_place_separate_tag (#1116)

wpt-oai · justsmth · web-flow · commit 1cbe889cafb9 · 2026-05-11T15:53:42.000-04:00
* Adds LessSafeKey::open_in_place_separate_tag for in-place but out of band tags

* Expands test coverage for open_in_place_separate_tag

Expand tests to cover AES-256-GCM, ChaCha20-Poly1305, empty plaintext, and
wrong-tag rejection.

* Additional cleanup

---------

Co-authored-by: Justin Smith &lt;justsmth@amazon.com&gt;
diff --git a/aws-lc-rs/src/aead.rs b/aws-lc-rs/src/aead.rs
@@ -736,6 +736,37 @@ impl LessSafeKey {
         self.open_within(nonce, aad, in_out, 0..)
     }
 
+    /// Like [`OpeningKey::open_in_place()`], except the authentication tag is
+    /// passed separately.
+    ///
+    /// `in_out` contains the ciphertext on input and is overwritten with the
+    /// plaintext on success. `tag` is the authentication tag, e.g. as produced
+    /// by [`Self::seal_in_place_separate_tag()`].
+    ///
+    /// `nonce` must be unique for every use of the key to open data.
+    // # FIPS
+    // This method must not be used.
+    //
+    /// # Errors
+    /// `error::Unspecified` when ciphertext is invalid. In this case, `in_out` may
+    /// have been overwritten in an unspecified way.
+    #[inline]
+    #[allow(clippy::needless_pass_by_value)]
+    pub fn open_in_place_separate_tag<'in_out, A>(
+        &self,
+        nonce: Nonce,
+        aad: Aad<A>,
+        tag: &[u8],
+        in_out: &'in_out mut [u8],
+    ) -> Result<&'in_out mut [u8], Unspecified>
+    where
+        A: AsRef<[u8]>,
+    {
+        self.key
+            .open_in_place_separate_tag(&nonce, aad.as_ref(), tag, in_out)?;
+        Ok(in_out)
+    }
+
     /// Like [`OpeningKey::open_within()`], except it accepts an arbitrary nonce.
     ///
     /// `nonce` must be unique for every use of the key to open data.
@@ -764,7 +795,7 @@ impl LessSafeKey {
             .open_within(nonce, aad.as_ref(), in_out, ciphertext_and_tag)
     }
 
-    /// Authenticates and decrypts (“opens”) data into another provided slice.
+    /// Authenticates and decrypts ("opens") data into another provided slice.
     ///
     /// `aad` is the additional authenticated data (AAD), if any.
     ///
diff --git a/aws-lc-rs/src/aead/unbound_key.rs b/aws-lc-rs/src/aead/unbound_key.rs
@@ -88,16 +88,57 @@ impl UnboundKey {
         in_tag: &[u8],
         out_plaintext: &mut [u8],
     ) -> Result<(), Unspecified> {
-        self.check_per_nonce_max_bytes(in_ciphertext.len())?;
+        self.open_separate_gather_impl(
+            nonce,
+            aad,
+            in_ciphertext.as_ptr(),
+            in_ciphertext.len(),
+            in_tag,
+            out_plaintext.as_mut_ptr(),
+            out_plaintext.len(),
+        )
+    }
 
-        // ensure that the lengths match
-        {
-            let actual = in_ciphertext.len();
-            let expected = out_plaintext.len();
+    #[inline]
+    pub(crate) fn open_in_place_separate_tag(
+        &self,
+        nonce: &Nonce,
+        aad: &[u8],
+        in_tag: &[u8],
+        in_out: &mut [u8],
+    ) -> Result<(), Unspecified> {
+        let ptr = in_out.as_mut_ptr();
+        let len = in_out.len();
+        self.open_separate_gather_impl(nonce, aad, ptr.cast_const(), len, in_tag, ptr, len)
+    }
 
-            if actual != expected {
-                return Err(Unspecified);
-            }
+    /// Common FFI path for `EVP_AEAD_CTX_open_gather`-based opening.
+    ///
+    /// `in_ciphertext` / `out_plaintext` may alias (exactly, i.e. same base
+    /// pointer and length). `EVP_AEAD_CTX_open_gather` explicitly permits
+    /// `out == in`, which is how `open_in_place_separate_tag` works.
+    ///
+    /// Callers must ensure:
+    /// * `in_ciphertext` is valid for reads of `in_ciphertext_len` bytes.
+    /// * `out_plaintext` is valid for writes of `out_plaintext_len` bytes.
+    /// * If the two pointers alias, they must alias exactly (same base, same length).
+    #[inline]
+    #[allow(clippy::too_many_arguments)]
+    fn open_separate_gather_impl(
+        &self,
+        nonce: &Nonce,
+        aad: &[u8],
+        in_ciphertext: *const u8,
+        in_ciphertext_len: usize,
+        in_tag: &[u8],
+        out_plaintext: *mut u8,
+        out_plaintext_len: usize,
+    ) -> Result<(), Unspecified> {
+        self.check_per_nonce_max_bytes(in_ciphertext_len)?;
+
+        // ensure that the lengths match
+        if in_ciphertext_len != out_plaintext_len {
+            return Err(Unspecified);
         }
 
         unsafe {
@@ -106,11 +147,11 @@ impl UnboundKey {
 
             if 1 != EVP_AEAD_CTX_open_gather(
                 aead_ctx.as_const_ptr(),
-                out_plaintext.as_mut_ptr(),
+                out_plaintext,
                 nonce.as_ptr(),
                 nonce.len(),
-                in_ciphertext.as_ptr(),
-                in_ciphertext.len(),
+                in_ciphertext,
+                in_ciphertext_len,
                 in_tag.as_ptr(),
                 in_tag.len(),
                 aad.as_ptr(),
diff --git a/aws-lc-rs/tests/aead_test.rs b/aws-lc-rs/tests/aead_test.rs
@@ -606,6 +606,115 @@ fn test_aead_thread_safeness() {
     }
 }
 
+fn test_open_in_place_separate_tag_for(
+    algorithm: &'static aead::Algorithm,
+    key_bytes: &[u8],
+    plaintext: &[u8],
+) {
+    let nonce_bytes = [0x24; NONCE_LEN];
+    let aad = b"detached-tag";
+
+    let sealing_key = make_less_safe_key(algorithm, key_bytes);
+    let opening_key = make_less_safe_key(algorithm, key_bytes);
+    let mut in_out = plaintext.to_vec();
+
+    let tag = sealing_key
+        .seal_in_place_separate_tag(
+            Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap(),
+            Aad::from(aad.as_slice()),
+            &mut in_out,
+        )
+        .unwrap();
+
+    let result = opening_key
+        .open_in_place_separate_tag(
+            Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap(),
+            Aad::from(aad.as_slice()),
+            tag.as_ref(),
+            &mut in_out,
+        )
+        .unwrap();
+
+    assert_eq!(plaintext, result);
+}
+
+#[test]
+fn test_less_safe_key_open_in_place_separate_tag() {
+    let plaintext = b"open detached tags in place";
+
+    test_open_in_place_separate_tag_for(&aead::AES_128_GCM, &[0x42; 16], plaintext);
+    test_open_in_place_separate_tag_for(&aead::AES_256_GCM, &[0x42; 32], plaintext);
+    test_open_in_place_separate_tag_for(&aead::CHACHA20_POLY1305, &[0x42; 32], plaintext);
+}
+
+#[test]
+fn test_less_safe_key_open_in_place_separate_tag_empty_plaintext() {
+    test_open_in_place_separate_tag_for(&aead::AES_128_GCM, &[0x42; 16], b"");
+    test_open_in_place_separate_tag_for(&aead::AES_256_GCM, &[0x42; 32], b"");
+    test_open_in_place_separate_tag_for(&aead::CHACHA20_POLY1305, &[0x42; 32], b"");
+}
+
+#[test]
+fn test_less_safe_key_open_in_place_separate_tag_wrong_tag() {
+    let key_bytes = [0x42; 16];
+    let nonce_bytes = [0x24; NONCE_LEN];
+    let aad = b"detached-tag";
+    let plaintext = b"open detached tags in place";
+
+    let sealing_key = make_less_safe_key(&aead::AES_128_GCM, &key_bytes);
+    let opening_key = make_less_safe_key(&aead::AES_128_GCM, &key_bytes);
+    let mut in_out = plaintext.to_vec();
+
+    let tag = sealing_key
+        .seal_in_place_separate_tag(
+            Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap(),
+            Aad::from(aad.as_slice()),
+            &mut in_out,
+        )
+        .unwrap();
+
+    let mut bad_tag = tag.as_ref().to_vec();
+    bad_tag[0] ^= 0xff;
+
+    let result = opening_key.open_in_place_separate_tag(
+        Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap(),
+        Aad::from(aad.as_slice()),
+        &bad_tag,
+        &mut in_out,
+    );
+
+    assert!(result.is_err());
+}
+
+#[test]
+fn test_less_safe_key_open_in_place_separate_tag_wrong_aad() {
+    let key_bytes = [0x42; 16];
+    let nonce_bytes = [0x24; NONCE_LEN];
+    let aad = b"detached-tag";
+    let plaintext = b"open detached tags in place";
+
+    let sealing_key = make_less_safe_key(&aead::AES_128_GCM, &key_bytes);
+    let opening_key = make_less_safe_key(&aead::AES_128_GCM, &key_bytes);
+    let mut in_out = plaintext.to_vec();
+
+    let tag = sealing_key
+        .seal_in_place_separate_tag(
+            Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap(),
+            Aad::from(aad.as_slice()),
+            &mut in_out,
+        )
+        .unwrap();
+
+    let result = opening_key.open_in_place_separate_tag(
+        Nonce::try_assume_unique_for_key(&nonce_bytes).unwrap(),
+        Aad::from(b"wrong-aad".as_slice()),
+        tag.as_ref(),
+        &mut in_out,
+    );
+
+    assert!(result.is_err());
+}
+
 #[test]
 fn test_aead_key_debug() {
     let key_bytes = [0; 32];
