From 73d7ddf371ce0f4eca3b1066aa995551dba2c6ce Mon Sep 17 00:00:00 2001 From: vaf Date: Mon, 1 Dec 2025 17:38:06 +0100 Subject: [PATCH] WIP: create encrypt with IV methods in SymmetricCipherFacade --- .../lib/encryption/symmetric/AesCbcFacade.ts | 4 ++-- .../symmetric/SymmetricCipherFacade.ts | 23 +++++++++++++++++++ .../symmetric/SymmetricKeyDeriver.ts | 2 +- 3 files changed, 26 insertions(+), 3 deletions(-) diff --git a/packages/tutanota-crypto/lib/encryption/symmetric/AesCbcFacade.ts b/packages/tutanota-crypto/lib/encryption/symmetric/AesCbcFacade.ts index 1e230ce354..21355316f2 100644 --- a/packages/tutanota-crypto/lib/encryption/symmetric/AesCbcFacade.ts +++ b/packages/tutanota-crypto/lib/encryption/symmetric/AesCbcFacade.ts @@ -28,7 +28,7 @@ export class AesCbcFacade { encrypt( key: AesKey, plainText: Uint8Array, - hasRandomIvToPrepend: boolean, + mustPrependIv: boolean, iv: Uint8Array, padding: boolean, cipherVersion: SymmetricCipherVersion, @@ -40,7 +40,7 @@ export class AesCbcFacade { ) let unauthenticatedCiphertext - if (hasRandomIvToPrepend) { + if (mustPrependIv) { //version byte is not included into authentication tag for legacy reasons unauthenticatedCiphertext = concat(iv, cipherText) } else { diff --git a/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricCipherFacade.ts b/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricCipherFacade.ts index cb2dee1068..95020d42a1 100644 --- a/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricCipherFacade.ts +++ b/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricCipherFacade.ts @@ -42,6 +42,29 @@ export class SymmetricCipherFacade { return this.encrypt(key, bytes, true, SymmetricCipherVersion.UnusedReservedUnauthenticated, true) } + /** + * Encrypts a byte array with AES in CBC mode with a custom IV. + * + * Forces encryption without authentication. The custom IV is prepended to the returned CBC ciphertext. + * + * @deprecated + */ + encryptValueDeprecatedUnauthenticated(key: AesKey, bytes: Uint8Array, iv: Uint8Array): Uint8Array { + // TODO + return this.aesCbcFacade.encrypt(key, bytes, true, iv, true, SymmetricCipherVersion.AesCbcThenHmac) + } + + /** + * Encrypts a byte array with AES in CBC mode with a custom IV. + * + * Forces encryption without authentication. The custom IV is prepended to the returned CBC ciphertext. + * + * @deprecated + */ + encryptDatabaseKeyDeprecatedUnauthenticated(key: AesKey, bytes: Uint8Array, iv: Uint8Array): Uint8Array { + return this.aesCbcFacade.encrypt(key, bytes, true, iv, true, SymmetricCipherVersion.UnusedReservedUnauthenticated, true) + } + /** * Decrypts byte array with AES in CBC mode. * diff --git a/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricKeyDeriver.ts b/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricKeyDeriver.ts index 77a5128a7a..ba6b58f14a 100644 --- a/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricKeyDeriver.ts +++ b/packages/tutanota-crypto/lib/encryption/symmetric/SymmetricKeyDeriver.ts @@ -26,7 +26,7 @@ export class SymmetricKeyDeriver { switch (symmetricCipherVersion) { case SymmetricCipherVersion.UnusedReservedUnauthenticated: //we allow unauthenticated encryption of search index - if (keyLength !== AesKeyLength.Aes128 && skipAuthentication === false) { + if (keyLength !== AesKeyLength.Aes128 && !skipAuthentication) { throw new CryptoError("key length " + keyLength + " is incompatible with cipherVersion " + symmetricCipherVersion) } return { encryptionKey: key, authenticationKey: null }