This page lists known issues in Tink, sorted by language and version. Follow the links in the tables for more information on individual known issues.
Java (excluding Android)
Tink Java uses an underlying security provider, like Conscrypt, Oracle JDK, OpenJDK, or Bouncy Castle. Any security issue in a provider may be inherited in Tink Java.
We recommend using Tink with the latest version of the provider, especially if you use ECDSA (alternative: ED25519) or AES-GCM (alternatives: AES-EAX, AES-CTR-HMAC-AEAD or XChaCha20-Poly1305).
| Known Issue | Affected Versions |
|---|---|
| Streaming AEAD: Integer overflow | 1.0.0 - 1.3.0 |
| Envelope AEAD: Malleability | All |
| Fork Safety | All |
Android
The minimum API level that Tink supports is 19 (Android KitKat).
On Android, Tink uses the Conscrypt provider supplied by GMS core by default, and the platform's Conscrypt otherwise. Any security issue in the provider may be inherited in Tink.
We recommend using Tink with the latest version of the provider.
| Known Issue | Affected Tink Versions | Affected Android API levels |
|---|---|---|
| Streaming AEAD: Integer overflow | 1.0.0 - 1.3.0 | All |
| Envelope AEAD: Malleability | All | All |
| Fork Safety | All | All |
| AesGcm | All | <= 19 |
| Unsupported (see above) | All | <= 18 |
C++
Tink C++ uses either BoringSSL or OpenSSL as an underlying library. Any security issue in the underlying library may be inherited in Tink C++.
| Known Issue | Affected Versions |
|---|---|
| JSON Parsing DoS | 1.0.0 - 2.1.3 |
| Subtle AEAD: AES-CTR-HMAC and EncryptThenAuthenticate | 1.0.0 - 1.3.0 |
| Envelope AEAD: Malleability | All |
| Fork Safety | All |
Python
Tink Python is a wrapper around Tink C++ using pybind11. Any security issue in Tink C++ may be inherited in Tink Python.
| Known Issue | Affected Versions |
|---|---|
| Envelope AEAD: Malleability | All |
| Fork Safety | All |
Go
Tink Go uses the underlying Go crypto libraries. Any security issues in those libraries may be inherited by Tink Go.
| Known Issue | Affected Versions |
|---|---|
| Streaming AEAD: Integer overflow | 1.0.0 - 1.3.0 |
| Envelope AEAD: Malleability | All |
| Fork Safety | All |
Objective-C
Tink Objective-C is a wrapper around Tink C++. Any security issue in Tink C++ may be inherited in Tink Objective-C.
| Known Issue | Affected Versions |
|---|---|
| Envelope AEAD: Malleability | All |
| Fork Safety | All |