Revert "Add support for random nonce generation to ring::aead."

This reverts commit 88d5aa7. It was a breaking change
in 0.16.8, which wasn't intended. Defaulting the parameter worked for many projects but
apparently not `biscuit` and some others.

Author: briansmith

src/aead.rs

@@ -22,7 +22,7 @@
 //! [`crypto.cipher.AEAD`]: https://golang.org/pkg/crypto/cipher/#AEAD
 
 use self::block::{Block, BLOCK_LEN};
-use crate::{constant_time, cpu, error, hkdf, polyfill, rand};
+use crate::{constant_time, cpu, error, hkdf, polyfill};
 use core::ops::RangeFrom;
 
 pub use self::{
@@ -445,58 +445,18 @@ impl hkdf::KeyType for &'static Algorithm {
     }
 }
 
-mod sealed {
-    pub trait NonceGeneration {
-        const VALUE: Self;
-    }
-}
-
-/// A nonce generation strategy for `LesssSafeKey`; either `ExplicitNonces` or
-/// `RandomNonces`.
-pub trait NonceGeneration: sealed::NonceGeneration {}
-impl<T> NonceGeneration for T where T: sealed::NonceGeneration {}
-
-/// A nonce generation strategy where random nonces are used.
-///
-/// These algorithms are *NOT* nonce-misuse-resistant. They use nonces small
-/// enough where birthday collisions need to be considered, so even ensuring
-/// perfectly-random generation of nonces isn't sufficient to prevent nonce
-/// reuse.
-pub struct RandomNonces(());
-impl sealed::NonceGeneration for RandomNonces {
-    const VALUE: Self = Self(());
-}
-
-/// A nonce generation strategy where explicitly-constructed nonces are used.
-pub struct ExplicitNonces(());
-impl sealed::NonceGeneration for ExplicitNonces {
-    const VALUE: Self = Self(());
-}
-
 /// Immutable keys for use in situations where `OpeningKey`/`SealingKey` and
 /// `NonceSequence` cannot reasonably be used.
 ///
-/// These algorithms are *NOT* nonce-misuse-resistant. They use nonces small
-/// enough where the likelihood of collisions must be carefully considered.
-pub struct LessSafeKey<N = ExplicitNonces>
-where
-    N: NonceGeneration,
-{
+/// Prefer to use `OpeningKey`/`SealingKey` and `NonceSequence` when practical.
+pub struct LessSafeKey {
     key: UnboundKey,
-    _nonce_generation: N,
 }
 
-impl<N> LessSafeKey<N>
-where
-    N: NonceGeneration,
-{
+impl LessSafeKey {
     /// Constructs a `LessSafeKey` from an `UnboundKey`.
-    #[inline]
     pub fn new(key: UnboundKey) -> Self {
-        Self {
-            key,
-            _nonce_generation: N::VALUE,
-        }
+        Self { key }
     }
 
     /// Like [`OpeningKey::open_in_place()`], except it accepts an arbitrary nonce.
@@ -532,14 +492,6 @@ where
         open_within_(&self.key, nonce, aad, in_out, ciphertext_and_tag)
     }
 
-    /// The key's AEAD algorithm.
-    #[inline]
-    pub fn algorithm(&self) -> &'static Algorithm {
-        &self.key.algorithm
-    }
-}
-
-impl LessSafeKey<ExplicitNonces> {
     /// Deprecated. Renamed to [`seal_in_place_append_tag()`].
     #[deprecated(note = "Renamed to `seal_in_place_append_tag`.")]
     #[inline]
@@ -571,9 +523,6 @@ impl LessSafeKey<ExplicitNonces> {
         A: AsRef<[u8]>,
         InOut: AsMut<[u8]> + for<'in_out> Extend<&'in_out u8>,
     {
-        // Overwrite the plaintext with the ciphertext before extending `in_out`
-        // so that if the `extend()` causes a reallocation, the ciphertext (not
-        // the plaintext) will be in the old deallocated buffer.
         self.seal_in_place_separate_tag(nonce, aad, in_out.as_mut())
             .map(|tag| in_out.extend(tag.as_ref()))
     }
@@ -594,63 +543,15 @@ impl LessSafeKey<ExplicitNonces> {
     {
         seal_in_place_separate_tag_(&self.key, nonce, Aad::from(aad.as_ref()), in_out)
     }
-}
 
-impl LessSafeKey<RandomNonces> {
-    /// Like [`SealingKey::seal_in_place_append_tag()`], except the nonce is
-    /// randomly generated.
-    ///
-    /// The randomly-generated nonce is returned on success.
-    #[inline]
-    pub fn seal_with_random_nonce_in_place_append_tag<A, InOut>(
-        &self,
-        aad: Aad<A>,
-        in_out: &mut InOut,
-        rng: &dyn rand::SecureRandom,
-    ) -> Result<Nonce, error::Unspecified>
-    where
-        A: AsRef<[u8]>,
-        InOut: AsMut<[u8]> + for<'in_out> Extend<&'in_out u8>,
-    {
-        // Overwrite the plaintext with the ciphertext before extending `in_out`
-        // so that if the `extend()` causes a reallocation, the ciphertext (not
-        // the plaintext) will be in the old deallocated buffer.
-        self.seal_with_random_nonce_in_place_separate_tag(aad, in_out.as_mut(), rng)
-            .map(|(nonce, tag)| {
-                in_out.extend(tag.as_ref());
-                nonce
-            })
-    }
-
-    /// Like [`SealingKey::seal_in_place_separate_tag()`], except the nonce is
-    /// randomly generated.
-    ///
-    /// The randomly-generated nonce and the tag are returned on success.
+    /// The key's AEAD algorithm.
     #[inline]
-    pub fn seal_with_random_nonce_in_place_separate_tag<A>(
-        &self,
-        aad: Aad<A>,
-        in_out: &mut [u8],
-        rng: &dyn rand::SecureRandom,
-    ) -> Result<(Nonce, Tag), error::Unspecified>
-    where
-        A: AsRef<[u8]>,
-    {
-        let nonce = Nonce::assume_unique_for_key(rand::generate(rng)?.expose());
-        seal_in_place_separate_tag_(
-            &self.key,
-            Nonce::assume_unique_for_key(*nonce.as_ref()),
-            Aad::from(aad.as_ref()),
-            in_out,
-        )
-        .map(|tag| (nonce, tag))
+    pub fn algorithm(&self) -> &'static Algorithm {
+        &self.key.algorithm
     }
 }
 
-impl<N> core::fmt::Debug for LessSafeKey<N>
-where
-    N: NonceGeneration,
-{
+impl core::fmt::Debug for LessSafeKey {
     fn fmt(&self, f: &mut core::fmt::Formatter) -> Result<(), core::fmt::Error> {
         f.debug_struct("LessSafeKey")
             .field("algorithm", self.algorithm())

src/rand.rs

@@ -97,7 +97,7 @@ pub(crate) mod sealed {
         }
     }
 
-    impl_random_arrays![4 8 12 16 24 32 48 64];
+    impl_random_arrays![4 8 16 32 48 64];
 }
 
 /// A type that can be returned by `ring::rand::generate()`.

tests/aead_tests.rs

@@ -1,4 +1,4 @@
-// Copyright 2015-2019 Brian Smith.
+// Copyright 2015-2016 Brian Smith.
 //
 // Permission to use, copy, modify, and/or distribute this software for any
 // purpose with or without fee is hereby granted, provided that the above
@@ -48,12 +48,6 @@ fn aead_aes_gcm_128() {
         open_with_less_safe_key,
         test_file!("aead_aes_128_gcm_tests.txt"),
     );
-    test_aead(
-        &aead::AES_128_GCM,
-        seal_with_less_safe_random_nonce_key,
-        open_with_less_safe_random_nonce_key,
-        test_file!("aead_aes_128_gcm_tests.txt"),
-    );
 }
 
 #[test]
@@ -70,12 +64,6 @@ fn aead_aes_gcm_256() {
         open_with_less_safe_key,
         test_file!("aead_aes_256_gcm_tests.txt"),
     );
-    test_aead(
-        &aead::AES_256_GCM,
-        seal_with_less_safe_random_nonce_key,
-        open_with_less_safe_random_nonce_key,
-        test_file!("aead_aes_256_gcm_tests.txt"),
-    );
 }
 
 #[test]
@@ -92,12 +80,6 @@ fn aead_chacha20_poly1305() {
         open_with_less_safe_key,
         test_file!("aead_chacha20_poly1305_tests.txt"),
     );
-    test_aead(
-        &aead::CHACHA20_POLY1305,
-        seal_with_less_safe_random_nonce_key,
-        open_with_less_safe_random_nonce_key,
-        test_file!("aead_chacha20_poly1305_tests.txt"),
-    );
 }
 
 fn test_aead<Seal, Open>(
@@ -281,33 +263,6 @@ fn open_with_key<'a>(
     o_key.open_within(aad, in_out, ciphertext_and_tag)
 }
 
-fn seal_with_less_safe_random_nonce_key(
-    algorithm: &'static aead::Algorithm,
-    key: &[u8],
-    nonce: aead::Nonce,
-    aad: aead::Aad<&[u8]>,
-    in_out: &mut Vec<u8>,
-) -> Result<(), error::Unspecified> {
-    let rng = test::rand::FixedSliceRandom {
-        bytes: nonce.as_ref(),
-    };
-    let key = make_less_safe_random_nonce_key(algorithm, key);
-    key.seal_with_random_nonce_in_place_append_tag(aad, in_out, &rng)
-        .map(|_: aead::Nonce| ())
-}
-
-fn open_with_less_safe_random_nonce_key<'a>(
-    algorithm: &'static aead::Algorithm,
-    key: &[u8],
-    nonce: aead::Nonce,
-    aad: aead::Aad<&[u8]>,
-    in_out: &'a mut [u8],
-    ciphertext_and_tag: RangeFrom<usize>,
-) -> Result<&'a mut [u8], error::Unspecified> {
-    let key = make_less_safe_random_nonce_key(algorithm, key);
-    key.open_within(nonce, aad, in_out, ciphertext_and_tag)
-}
-
 fn seal_with_less_safe_key(
     algorithm: &'static aead::Algorithm,
     key: &[u8],
@@ -464,13 +419,6 @@ fn test_aead_key_debug() {
         "LessSafeKey { algorithm: CHACHA20_POLY1305 }",
         format!("{:?}", key)
     );
-
-    let key: aead::LessSafeKey<aead::RandomNonces> =
-        make_less_safe_random_nonce_key(&aead::CHACHA20_POLY1305, &key_bytes);
-    assert_eq!(
-        "LessSafeKey { algorithm: CHACHA20_POLY1305 }",
-        format!("{:?}", key)
-    );
 }
 
 fn make_key<K: aead::BoundKey<OneNonceSequence>>(
@@ -483,14 +431,6 @@ fn make_key<K: aead::BoundKey<OneNonceSequence>>(
     K::new(key, nonce_sequence)
 }
 
-fn make_less_safe_random_nonce_key(
-    algorithm: &'static aead::Algorithm,
-    key: &[u8],
-) -> aead::LessSafeKey<aead::RandomNonces> {
-    let key = aead::UnboundKey::new(algorithm, key).unwrap();
-    aead::LessSafeKey::new(key)
-}
-
 fn make_less_safe_key(algorithm: &'static aead::Algorithm, key: &[u8]) -> aead::LessSafeKey {
     let key = aead::UnboundKey::new(algorithm, key).unwrap();
     aead::LessSafeKey::new(key)