libcrux/hpke/errors.rs
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112
//! # HPKE Errors
//!
//! The high-level, public HPKE APIs specified in this document are all fallible.
//! These include the Setup functions and all encryption context functions.
//! For example, `Decap()` can fail if the encapsulated key `enc` is invalid,
//! and `Open()` may fail if ciphertext decryption fails. The explicit errors
//! generated throughout this specification, along with the conditions that
//! lead to each error, are as follows:
//!
//! - `ValidationError`: KEM input or output validation failure.
//! - `DeserializeError`: Public or private key deserialization failure.
//! - `EncapError`: `Encap()` failure.
//! - `DecapError`: `Decap()` failure.
//! - `OpenError`: Context AEAD `Open()` failure.
//! - `MessageLimitReachedError`: Context AEAD sequence number overflow.
//! - `DeriveKeyPairError`: Key pair derivation failure.
//!
//! Implicit errors may also occur. As an example, certain classes of failures,
//! e.g., malformed recipient public keys, may not yield explicit errors.
//! For example, for the DHKEM variant described in this specification,
//! the `Encap()` algorithm fails when given an invalid recipient public key.
//! However, other KEM algorithms may not have an efficient algorithm for verifying
//! the validity of public keys. As a result, an equivalent error may not manifest
//! until AEAD decryption at the recipient. As another example, DHKEM's `AuthDecap()`
//! function will produce invalid output if given the wrong sender public key.
//! This error is not detectable until subsequent AEAD decryption.
//!
//! The errors in this document are meant as a guide for implementors. They are not
//! an exhaustive list of all the errors an implementation might emit. For example,
//! future KEMs might have internal failure cases, or an implementation might run
//! out of memory.
//!
//! How these errors are expressed in an API or handled by applications is an
//! implementation-specific detail. For example, some implementations may abort or
//! panic upon a `DeriveKeyPairError` failure given that it only occurs with
//! negligible probability, whereas other implementations may retry the failed
//! DeriveKeyPair operation.
//! As another example, some implementations of the DHKEM specified in this document
//! may choose to transform `ValidationError` from `DH()` into an `EncapError` or
//! `DecapError` from `Encap()` or `Decap()`, respectively, whereas others may choose
//! to raise `ValidationError` unmodified.
//!
//! Applications using HPKE APIs should not assume that the errors here are complete,
//! nor should they assume certain classes of errors will always manifest the same way
//! for all ciphersuites. For example, the DHKEM specified in this document will emit
//! a `DeserializationError` or `ValidationError` if a KEM public key is invalid. However,
//! a new KEM might not have an efficient algorithm for determining whether or not a
//! public key is valid. In this case, an invalid public key might instead yield an
//! `OpenError` when trying to decrypt a ciphertext.
//!
//! ## Exceptions
//! The exceptions raised in the HPKE RFC are modelled as errors here as well:
//!
//! - `InconsistentPskInputs`: PSK inputs are inconsistent.
//! - `UnnecessaryPsk`: PSK input provided when not needed.
//! - `MissingPsk`: Missing required PSK input.
//!
//! ## hacspec Extensions
//! In order to implement HPKE a number of additional errors are added here:
//!
//! - `UnsupportedAlgorithm`: An algorithm is not supported by the implementation
//! - `InvalidParameters`: Parameters to an algorithm are inconsistent or wrong.
//! - `CryptoError`: An opaque error happened in a crypto operation outside of this code.
/// Explicit errors generated throughout this specification.
#[derive(Debug, Copy, Clone, PartialEq)]
pub enum HpkeError {
/// KEM input or output validation failure.
ValidationError,
/// Public or private key deserialization failure.
DeserializeError,
/// `Encap()` failure.
EncapError,
/// `Decap()` failure.
DecapError,
/// Context AEAD `Open()` failure.
OpenError,
/// Context AEAD sequence number overflow.
MessageLimitReachedError,
/// Key pair derivation failure.
DeriveKeyPairError,
/// PSK inputs are inconsistent.
InconsistentPskInputs,
/// PSK input provided when not needed.
UnnecessaryPsk,
/// Missing required PSK input.
MissingPsk,
/// An algorithm is not supported by the implementation.
UnsupportedAlgorithm,
/// Parameters to an algorithm are inconsistent or wrong.
InvalidParameters,
/// An opaque error happened in a crypto operation outside of this code.
CryptoError,
}
/// A [`Result`] type that returns a [`Bytes`] or an [`HpkeError`].
pub type HpkeBytesResult = Result<Vec<u8>, HpkeError>;
impl From<crate::aead::Error> for HpkeError {
fn from(value: crate::aead::Error) -> Self {
match value {
crate::aead::Error::UnsupportedAlgorithm => Self::UnsupportedAlgorithm,
crate::aead::Error::EncryptionError => Self::EncapError,
crate::aead::Error::DecryptionFailed => Self::DecapError,
crate::aead::Error::InvalidKey
| crate::aead::Error::InvalidIv
| crate::aead::Error::InvalidTag => Self::InvalidParameters,
}
}
}