signalapp · jrose-signal · Jul 2, 2021 · Jun 17, 2021 · Jun 17, 2021 · Jun 17, 2021
diff --git a/Cargo.lock b/Cargo.lock
diff --git a/java/java/src/main/java/org/signal/internal/Native.java b/java/java/src/main/java/org/signal/internal/Native.java
@@ -86,7 +86,7 @@ private Native() {}
 
   public static native byte[] Aes256GcmSiv_Decrypt(long aesGcmSiv, byte[] ctext, byte[] nonce, byte[] associatedData);
   public static native void Aes256GcmSiv_Destroy(long handle);
-  public static native byte[] Aes256GcmSiv_Encrypt(long aesGcmSiv, byte[] ptext, byte[] nonce, byte[] associatedData);
+  public static native byte[] Aes256GcmSiv_Encrypt(long aesGcmSivObj, byte[] ptext, byte[] nonce, byte[] associatedData);
   public static native long Aes256GcmSiv_New(byte[] key);
 
   public static native void CryptographicHash_Destroy(long handle);

diff --git a/node/Native.d.ts b/node/Native.d.ts
@@ -44,7 +44,7 @@ export function registerErrors(errorsModule: Record<string, unknown>): void;
 
 export const enum LogLevel { Error = 1, Warn, Info, Debug, Trace }
 export function Aes256GcmSiv_Decrypt(aesGcmSiv: Wrapper<Aes256GcmSiv>, ctext: Buffer, nonce: Buffer, associatedData: Buffer): Buffer;
-export function Aes256GcmSiv_Encrypt(aesGcmSiv: Wrapper<Aes256GcmSiv>, ptext: Buffer, nonce: Buffer, associatedData: Buffer): Buffer;
+export function Aes256GcmSiv_Encrypt(aesGcmSivObj: Wrapper<Aes256GcmSiv>, ptext: Buffer, nonce: Buffer, associatedData: Buffer): Buffer;
 export function Aes256GcmSiv_New(key: Buffer): Aes256GcmSiv;
 export function CiphertextMessage_FromPlaintextContent(m: Wrapper<PlaintextContent>): CiphertextMessage;
 export function CiphertextMessage_Serialize(obj: Wrapper<CiphertextMessage>): Buffer;

diff --git a/rust/bridge/ffi/Cargo.toml b/rust/bridge/ffi/Cargo.toml
@@ -20,6 +20,7 @@ device-transfer = { path = "../../device-transfer" }
 signal-crypto = { path = "../../crypto" }
 libsignal-bridge = { path = "../shared", features = ["ffi"] }
 async-trait = "0.1.41"
+cpufeatures = "0.1.5" # Make sure iOS gets optimized crypto.
 libc = "0.2"
 rand = "0.7.3"
 log = "0.4"

diff --git a/rust/bridge/shared/Cargo.toml b/rust/bridge/shared/Cargo.toml
@@ -15,6 +15,7 @@ libsignal-protocol = { path = "../../protocol" }
 signal-crypto = { path = "../../crypto" }
 device-transfer = { path = "../../device-transfer" }
 libsignal-bridge-macros = { path = "macros" }
+aes-gcm-siv = { version = "0.10.1", features = ["armv8"] }
 futures = "0.3.7"
 log = "0.4"
 paste = "1.0"

diff --git a/rust/bridge/shared/src/crypto.rs b/rust/bridge/shared/src/crypto.rs
@@ -7,10 +7,12 @@ use ::signal_crypto;
 use libsignal_bridge_macros::*;
 use signal_crypto::*;
 
+use aes_gcm_siv::aead::generic_array::typenum::Unsigned;
+use aes_gcm_siv::aead::{AeadCore, AeadInPlace, NewAead};
+
 use crate::support::*;
 use crate::*;
 
-#[derive(Clone)]
 pub struct Aes256GcmEncryption {
     gcm: Option<signal_crypto::Aes256GcmEncryption>,
 }
@@ -39,7 +41,6 @@ impl Aes256GcmEncryption {
     }
 }
 
-#[derive(Clone)]
 pub struct Aes256GcmDecryption {
     gcm: Option<signal_crypto::Aes256GcmDecryption>,
 }
@@ -71,12 +72,15 @@ impl Aes256GcmDecryption {
     }
 }
 
+// Explicit wrapper for cbindgen purposes.
+pub struct Aes256GcmSiv(aes_gcm_siv::Aes256GcmSiv);
+
 bridge_handle!(CryptographicHash, mut = true, ffi = false, node = false);
 bridge_handle!(CryptographicMac, mut = true, ffi = false, node = false);
 bridge_handle!(Aes256GcmSiv, clone = false);
-bridge_handle!(Aes256Ctr32, mut = true, node = false);
-bridge_handle!(Aes256GcmEncryption, mut = true, node = false);
-bridge_handle!(Aes256GcmDecryption, mut = true, node = false);
+bridge_handle!(Aes256Ctr32, clone = false, mut = true, node = false);
+bridge_handle!(Aes256GcmEncryption, clone = false, mut = true, node = false);
+bridge_handle!(Aes256GcmDecryption, clone = false, mut = true, node = false);
 
 #[bridge_fn(node = false)]
 fn Aes256Ctr32_New(key: &[u8], nonce: &[u8], initial_ctr: u32) -> Result<Aes256Ctr32> {
@@ -156,22 +160,32 @@ fn Aes256GcmDecryption_VerifyTag(gcm: &mut Aes256GcmDecryption, tag: &[u8]) -> R
 
 #[bridge_fn]
 fn Aes256GcmSiv_New(key: &[u8]) -> Result<Aes256GcmSiv> {
-    Aes256GcmSiv::new(key)
+    Ok(Aes256GcmSiv(
+        aes_gcm_siv::Aes256GcmSiv::new_from_slice(key).map_err(|_| Error::InvalidKeySize)?,
+    ))
 }
 
 #[bridge_fn_buffer]
 fn Aes256GcmSiv_Encrypt<T: Env>(
     env: T,
-    aes_gcm_siv: &Aes256GcmSiv,
+    aes_gcm_siv_obj: &Aes256GcmSiv,
     ptext: &[u8],
     nonce: &[u8],
     associated_data: &[u8],
 ) -> Result<T::Buffer> {
-    let mut buf = Vec::with_capacity(ptext.len() + 16);
+    if nonce.len() != <aes_gcm_siv::Aes256GcmSiv as AeadCore>::NonceSize::USIZE {
+        return Err(Error::InvalidNonceSize);
+    }
+    let nonce: &aes_gcm_siv::Nonce = nonce.into();
+
+    let mut buf =
+        Vec::with_capacity(ptext.len() + <aes_gcm_siv::Aes256GcmSiv as AeadCore>::TagSize::USIZE);
     buf.extend_from_slice(ptext);
 
-    let gcm_tag = aes_gcm_siv.encrypt(&mut buf, nonce, associated_data)?;
-    buf.extend_from_slice(&gcm_tag);
+    aes_gcm_siv_obj
+        .0
+        .encrypt_in_place(nonce, associated_data, &mut buf)
+        .expect("cannot run out of capacity in a Vec");
 
     Ok(env.buffer(buf))
 }
@@ -184,8 +198,16 @@ fn Aes256GcmSiv_Decrypt<T: Env>(
     nonce: &[u8],
     associated_data: &[u8],
 ) -> Result<T::Buffer> {
+    if nonce.len() != <aes_gcm_siv::Aes256GcmSiv as AeadCore>::NonceSize::USIZE {
+        return Err(Error::InvalidNonceSize);
+    }
+    let nonce: &aes_gcm_siv::Nonce = nonce.into();
+
     let mut buf = ctext.to_vec();
-    aes_gcm_siv.decrypt_with_appended_tag(&mut buf, nonce, associated_data)?;
+    aes_gcm_siv
+        .0
+        .decrypt_in_place(nonce, associated_data, &mut buf)
+        .map_err(|_| Error::InvalidTag)?;
     Ok(env.buffer(buf))
 }
 

diff --git a/rust/crypto/Cargo.toml b/rust/crypto/Cargo.toml
@@ -10,32 +10,21 @@ authors = ["Jack Lloyd <[email protected]>"]
 edition = "2018"
 
 [dependencies]
-aes-soft = "0.6"
-polyval = "0.4"
+aes = { version = "0.7.4", features = ["armv8", "ctr"] }
 subtle = "2.3"
-cipher = "0.2"
 generic-array = "0.14"
+ghash = { version = "0.4.2", features = ["armv8"] }
 hmac = "0.9.0"
-rand = "0.7.3"
 sha-1 = "0.9"
 sha2 = "0.9"
 
-[target.'cfg(all(target_arch = "aarch64", any(target_os = "linux")))'.dependencies]
-libc = "0.2.93" # for getauxval
-
-[target.'cfg(any(target_arch = "x86", target_arch = "x86_64"))'.dependencies]
-aesni = { version = "0.10", features = ["nocheck"] }
-
 [dev-dependencies]
+rand = "0.7.3"
 serde = { version = "1.0", features = ["derive"] }
 serde_json = "1.0"
 hex = "0.4"
 criterion = "0.3"
 
-[[bench]]
-name = "aes_gcm_siv"
-harness = false
-
 [[bench]]
 name = "aes_gcm"
 harness = false