Provide AES-GCM-SIV in CryptoExtras (#133)

# Motivation
BoringSSL exposes AES-GCM-SIV algorithms which are in general useful to have and provide a nonce-misuse resistant mode of AES-GCM. Since, `CryptoKit` is not exposing AES-GCM-SIV we need to add this to `_CryptoExtras`

# Modification
Exposes `AES-GCM-SIV` through `_CryptoExtras`.

# Result
We can now use `AES-GCM-SIV` through `_CryptoExtras`.

Author: FranzBusch

Package.swift

@@ -36,7 +36,8 @@ if development {
     ]
     dependencies = [
         "CCryptoBoringSSL",
-        "CCryptoBoringSSLShims"
+        "CCryptoBoringSSLShims",
+        "CryptoBoringWrapper"
     ]
 } else {
     swiftSettings = [
@@ -49,7 +50,8 @@ if development {
     ]
     dependencies = [
         .target(name: "CCryptoBoringSSL", condition: .when(platforms: platforms)),
-        .target(name: "CCryptoBoringSSLShims", condition: .when(platforms: platforms))
+        .target(name: "CCryptoBoringSSLShims", condition: .when(platforms: platforms)),
+        .target(name: "CryptoBoringWrapper", condition: .when(platforms: platforms))
     ]
 }
 
@@ -105,7 +107,17 @@ let package = Package(
             ],
             swiftSettings: swiftSettings
         ),
-        .target(name: "_CryptoExtras", dependencies: ["CCryptoBoringSSL", "CCryptoBoringSSLShims", "Crypto"]),
+        .target(name: "_CryptoExtras", dependencies: ["CCryptoBoringSSL", "CCryptoBoringSSLShims", "CryptoBoringWrapper", "Crypto"]),
+        .target(
+            name: "CryptoBoringWrapper",
+            dependencies: [
+                "CCryptoBoringSSL",
+                "CCryptoBoringSSLShims"
+            ],
+            exclude: [
+                "CMakeLists.txt",
+            ]
+        ),
         .executableTarget(name: "crypto-shasum", dependencies: ["Crypto"]),
         .testTarget(name: "CryptoTests", dependencies: ["Crypto"], swiftSettings: swiftSettings),
         .testTarget(name: "_CryptoExtrasTests", dependencies: ["_CryptoExtras"]),

Sources/CCryptoBoringSSLShims/include/CCryptoBoringSSLShims.h

@@ -58,6 +58,13 @@ int CCryptoBoringSSLShims_EVP_AEAD_CTX_open_gather(const EVP_AEAD_CTX *ctx, void
                                                    const void *in_tag, size_t in_tag_len,
                                                    const void *ad, size_t ad_len);
 
+
+int CCryptoBoringSSLShims_EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, void *out, size_t *out_len, size_t max_out_len,
+                                            const void *nonce, size_t nonce_len,
+                                            const void *in, size_t in_len,
+                                            const void *ad, size_t ad_len);
+
+
 void CCryptoBoringSSLShims_ED25519_keypair(void *out_public_key, void *out_private_key);
 
 void CCryptoBoringSSLShims_ED25519_keypair_from_seed(void *out_public_key,

Sources/CCryptoBoringSSLShims/shims.c

@@ -55,6 +55,13 @@ int CCryptoBoringSSLShims_EVP_AEAD_CTX_open_gather(const EVP_AEAD_CTX *ctx, void
     return CCryptoBoringSSL_EVP_AEAD_CTX_open_gather(ctx, out, nonce, nonce_len, in, in_len, in_tag, in_tag_len, ad, ad_len);
 }
 
+int CCryptoBoringSSLShims_EVP_AEAD_CTX_open(const EVP_AEAD_CTX *ctx, void *out, size_t *out_len, size_t max_out_len,
+                                                   const void *nonce, size_t nonce_len,
+                                                   const void *in, size_t in_len,
+                                                   const void *ad, size_t ad_len) {
+    return CCryptoBoringSSL_EVP_AEAD_CTX_open(ctx, out, out_len, max_out_len, nonce, nonce_len, in, in_len, ad, ad_len);
+}
+
 void CCryptoBoringSSLShims_ED25519_keypair(void *out_public_key, void *out_private_key) {
     CCryptoBoringSSL_ED25519_keypair(out_public_key, out_private_key);
 }

Sources/CMakeLists.txt

@@ -14,4 +14,5 @@
 
 add_subdirectory(CCryptoBoringSSL)
 add_subdirectory(CCryptoBoringSSLShims)
+add_subdirectory(CryptoBoringWrapper)
 add_subdirectory(Crypto)

Sources/Crypto/AEADs/AES/GCM/BoringSSL/AES-GCM_boring.swift

@@ -15,6 +15,7 @@
 @_exported import CryptoKit
 #else
 @_implementationOnly import CCryptoBoringSSL
+@_implementationOnly import CryptoBoringWrapper
 import Foundation
 
 enum OpenSSLAESGCMImpl {

Sources/Crypto/AEADs/ChachaPoly/BoringSSL/ChaChaPoly_boring.swift

@@ -16,8 +16,31 @@
 #else
 @_implementationOnly import CCryptoBoringSSL
 @_implementationOnly import CCryptoBoringSSLShims
+@_implementationOnly import CryptoBoringWrapper
 import Foundation
 
+extension BoringSSLAEAD {
+    /// Seal a given message.
+    func seal<Plaintext: DataProtocol, Nonce: ContiguousBytes, AuthenticatedData: DataProtocol>(message: Plaintext, key: SymmetricKey, nonce: Nonce, authenticatedData: AuthenticatedData) throws -> (ciphertext: Data, tag: Data) {
+        do {
+            let context = try AEADContext(cipher: self, key: key)
+            return try context.seal(message: message, nonce: nonce, authenticatedData: authenticatedData)
+        } catch CryptoBoringWrapperError.underlyingCoreCryptoError(let errorCode) {
+            throw CryptoKitError.underlyingCoreCryptoError(error: errorCode)
+        }
+    }
+
+    /// Open a given message.
+    func open<Nonce: ContiguousBytes, AuthenticatedData: DataProtocol>(ciphertext: Data, key: SymmetricKey, nonce: Nonce, tag: Data, authenticatedData: AuthenticatedData) throws -> Data {
+        do {
+            let context = try AEADContext(cipher: self, key: key)
+            return try context.open(ciphertext: ciphertext, nonce: nonce, tag: tag, authenticatedData: authenticatedData)
+        } catch CryptoBoringWrapperError.underlyingCoreCryptoError(let errorCode) {
+            throw CryptoKitError.underlyingCoreCryptoError(error: errorCode)
+        }
+    }
+}
+
 enum OpenSSLChaChaPolyImpl {
     static func encrypt<M: DataProtocol, AD: DataProtocol>(key: SymmetricKey, message: M, nonce: ChaChaPoly.Nonce?, authenticatedData: AD?) throws -> ChaChaPoly.SealedBox {
         guard key.bitCount == ChaChaPoly.keyBitsCount else {
@@ -48,208 +71,4 @@ enum OpenSSLChaChaPolyImpl {
         }
     }
 }
-
-/// An abstraction over a BoringSSL AEAD
-@usableFromInline
-enum BoringSSLAEAD {
-    /// The supported AEAD ciphers for BoringSSL.
-    case aes128gcm
-    case aes192gcm
-    case aes256gcm
-    case chacha20
-
-    /// Seal a given message.
-    func seal<Plaintext: DataProtocol, Nonce: ContiguousBytes, AuthenticatedData: DataProtocol>(message: Plaintext, key: SymmetricKey, nonce: Nonce, authenticatedData: AuthenticatedData) throws -> (ciphertext: Data, tag: Data) {
-        let context = try AEADContext(cipher: self, key: key)
-        return try context.seal(message: message, nonce: nonce, authenticatedData: authenticatedData)
-    }
-
-    /// Open a given message.
-    func open<Nonce: ContiguousBytes, AuthenticatedData: DataProtocol>(ciphertext: Data, key: SymmetricKey, nonce: Nonce, tag: Data, authenticatedData: AuthenticatedData) throws -> Data {
-        let context = try AEADContext(cipher: self, key: key)
-        return try context.open(ciphertext: ciphertext, nonce: nonce, tag: tag, authenticatedData: authenticatedData)
-    }
-}
-
-extension BoringSSLAEAD {
-    // Arguably this class is excessive, but it's probably better for this API to be as safe as possible
-    // rather than rely on defer statements for our cleanup.
-    class AEADContext {
-        private var context: EVP_AEAD_CTX
-
-        @usableFromInline
-        init(cipher: BoringSSLAEAD, key: SymmetricKey) throws {
-            self.context = EVP_AEAD_CTX()
-            let rc: CInt = key.withUnsafeBytes { keyPointer in
-                withUnsafeMutablePointer(to: &self.context) { contextPointer in
-                    // Create the AEAD context with a default tag length using the given key.
-                    CCryptoBoringSSLShims_EVP_AEAD_CTX_init(contextPointer, cipher.boringSSLCipher, keyPointer.baseAddress, keyPointer.count, 0, nil)
-                }
-            }
-            guard rc == 1 else {
-                throw CryptoKitError.internalBoringSSLError()
-            }
-        }
-
-        deinit {
-            withUnsafeMutablePointer(to: &self.context) { contextPointer in
-                CCryptoBoringSSL_EVP_AEAD_CTX_cleanup(contextPointer)
-            }
-        }
-    }
-}
-
-// MARK: - Sealing
-
-extension BoringSSLAEAD.AEADContext {
-    /// The main entry point for sealing data. Covers the full gamut of types, including discontiguous data types. This must be inlinable.
-    @inlinable
-    func seal<Plaintext: DataProtocol, Nonce: ContiguousBytes, AuthenticatedData: DataProtocol>(message: Plaintext, nonce: Nonce, authenticatedData: AuthenticatedData) throws -> (ciphertext: Data, tag: Data) {
-        // Seal is a somewhat awkward function. As it returns a Data, we are going to need to initialize a Data large enough to write into. Data does not provide us an
-        // initializer that gives us access to its uninitialized memory, so the cost of creating this Data is the cost of allocating the data + the cost of initializing
-        // it. For smaller plaintexts this isn't too big a deal, but for larger ones the initialization cost can really get hairy.
-        //
-        // We can avoid this by using Data(bytesNoCopy:deallocator:), so that's what we do. In principle we can do slightly better in the case where we have a discontiguous Plaintext
-        // type, but it's honestly not worth it enough to justify the code complexity.
-        switch (message.regions.count, authenticatedData.regions.count) {
-        case (1, 1):
-            // We can use a nice fast-path here.
-            return try self._sealContiguous(message: message.regions.first!, nonce: nonce, authenticatedData: authenticatedData.regions.first!)
-        case (1, _):
-            let contiguousAD = Array(authenticatedData)
-            return try self._sealContiguous(message: message.regions.first!, nonce: nonce, authenticatedData: contiguousAD)
-        case (_, 1):
-            let contiguousMessage = Array(message)
-            return try self._sealContiguous(message: contiguousMessage, nonce: nonce, authenticatedData: authenticatedData.regions.first!)
-        case (_, _):
-            let contiguousMessage = Array(message)
-            let contiguousAD = Array(authenticatedData)
-            return try self._sealContiguous(message: contiguousMessage, nonce: nonce, authenticatedData: contiguousAD)
-        }
-    }
-
-    /// A fast-path for sealing contiguous data. Also inlinable to gain specialization information.
-    @inlinable
-    func _sealContiguous<Plaintext: ContiguousBytes, Nonce: ContiguousBytes, AuthenticatedData: ContiguousBytes>(message: Plaintext, nonce: Nonce, authenticatedData: AuthenticatedData) throws -> (ciphertext: Data, tag: Data) {
-        return try message.withUnsafeBytes { messagePointer in
-            try nonce.withUnsafeBytes { noncePointer in
-                try authenticatedData.withUnsafeBytes { authenticatedDataPointer in
-                    try self._sealContiguous(plaintext: messagePointer, noncePointer: noncePointer, authenticatedData: authenticatedDataPointer)
-                }
-            }
-        }
-    }
-
-    /// The unsafe base call: not inlinable so that it can touch private variables.
-    @usableFromInline
-    func _sealContiguous(plaintext: UnsafeRawBufferPointer, noncePointer: UnsafeRawBufferPointer, authenticatedData: UnsafeRawBufferPointer) throws -> (ciphertext: Data, tag: Data) {
-        let tagByteCount = CCryptoBoringSSL_EVP_AEAD_max_overhead(self.context.aead)
-
-        // We use malloc here because we are going to call free later. We force unwrap to trigger crashes if the allocation
-        // fails.
-        let outputBuffer = UnsafeMutableRawBufferPointer(start: malloc(plaintext.count)!, count: plaintext.count)
-        let tagBuffer = UnsafeMutableRawBufferPointer(start: malloc(tagByteCount)!, count: tagByteCount)
-        var actualTagSize = tagBuffer.count
-
-        let rc = withUnsafeMutablePointer(to: &self.context) { contextPointer in
-            CCryptoBoringSSLShims_EVP_AEAD_CTX_seal_scatter(contextPointer,
-                                                            outputBuffer.baseAddress,
-                                                            tagBuffer.baseAddress, &actualTagSize, tagBuffer.count,
-                                                            noncePointer.baseAddress, noncePointer.count,
-                                                            plaintext.baseAddress, plaintext.count,
-                                                            nil, 0,
-                                                            authenticatedData.baseAddress, authenticatedData.count)
-        }
-
-        guard rc == 1 else {
-            // Ooops, error. Free the memory we allocated before we throw.
-            free(outputBuffer.baseAddress)
-            free(tagBuffer.baseAddress)
-            throw CryptoKitError.internalBoringSSLError()
-        }
-
-        let output = Data(bytesNoCopy: outputBuffer.baseAddress!, count: outputBuffer.count, deallocator: .free)
-        let tag = Data(bytesNoCopy: tagBuffer.baseAddress!, count: actualTagSize, deallocator: .free)
-        return (ciphertext: output, tag: tag)
-    }
-}
-
-// MARK: - Opening
-
-extension BoringSSLAEAD.AEADContext {
-    /// The main entry point for opening data. Covers the full gamut of types, including discontiguous data types. This must be inlinable.
-    @inlinable
-    func open<Nonce: ContiguousBytes, AuthenticatedData: DataProtocol>(ciphertext: Data, nonce: Nonce, tag: Data, authenticatedData: AuthenticatedData) throws -> Data {
-        // Open is a somewhat awkward function. As it returns a Data, we are going to need to initialize a Data large enough to write into. Data does not provide us an
-        // initializer that gives us access to its uninitialized memory, so the cost of creating this Data is the cost of allocating the data + the cost of initializing
-        // it. For smaller plaintexts this isn't too big a deal, but for larger ones the initialization cost can really get hairy.
-        //
-        // We can avoid this by using Data(bytesNoCopy:deallocator:), so that's what we do. In principle we can do slightly better in the case where we have a discontiguous Plaintext
-        // type, but it's honestly not worth it enough to justify the code complexity.
-        if authenticatedData.regions.count == 1 {
-            // We can use a nice fast-path here.
-            return try self._openContiguous(ciphertext: ciphertext, nonce: nonce, tag: tag, authenticatedData: authenticatedData.regions.first!)
-        } else {
-            let contiguousAD = Array(authenticatedData)
-            return try self._openContiguous(ciphertext: ciphertext, nonce: nonce, tag: tag, authenticatedData: contiguousAD)
-        }
-    }
-
-    /// A fast-path for opening contiguous data. Also inlinable to gain specialization information.
-    @inlinable
-    func _openContiguous<Nonce: ContiguousBytes, AuthenticatedData: ContiguousBytes>(ciphertext: Data, nonce: Nonce, tag: Data, authenticatedData: AuthenticatedData) throws -> Data {
-        try ciphertext.withUnsafeBytes { ciphertextPointer in
-            try nonce.withUnsafeBytes { nonceBytes in
-                try tag.withUnsafeBytes { tagBytes in
-                    try authenticatedData.withUnsafeBytes { authenticatedDataBytes in
-                        try self._openContiguous(ciphertext: ciphertextPointer, nonceBytes: nonceBytes, tagBytes: tagBytes, authenticatedData: authenticatedDataBytes)
-                    }
-                }
-            }
-        }
-    }
-
-    /// The unsafe base call: not inlinable so that it can touch private variables.
-    @usableFromInline
-    func _openContiguous(ciphertext: UnsafeRawBufferPointer, nonceBytes: UnsafeRawBufferPointer, tagBytes: UnsafeRawBufferPointer, authenticatedData: UnsafeRawBufferPointer) throws -> Data {
-        // We use malloc here because we are going to call free later. We force unwrap to trigger crashes if the allocation
-        // fails.
-        let outputBuffer = UnsafeMutableRawBufferPointer(start: malloc(ciphertext.count)!, count: ciphertext.count)
-
-        let rc = withUnsafePointer(to: &self.context) { contextPointer in
-            CCryptoBoringSSLShims_EVP_AEAD_CTX_open_gather(contextPointer,
-                                                           outputBuffer.baseAddress,
-                                                           nonceBytes.baseAddress, nonceBytes.count,
-                                                           ciphertext.baseAddress, ciphertext.count,
-                                                           tagBytes.baseAddress, tagBytes.count,
-                                                           authenticatedData.baseAddress, authenticatedData.count)
-        }
-
-        guard rc == 1 else {
-            // Ooops, error. Free the memory we allocated before we throw.
-            free(outputBuffer.baseAddress)
-            throw CryptoKitError.internalBoringSSLError()
-        }
-
-        let output = Data(bytesNoCopy: outputBuffer.baseAddress!, count: outputBuffer.count, deallocator: .free)
-        return output
-    }
-}
-
-// MARK: - Supported ciphers
-
-extension BoringSSLAEAD {
-    var boringSSLCipher: OpaquePointer {
-        switch self {
-        case .aes128gcm:
-            return CCryptoBoringSSL_EVP_aead_aes_128_gcm()
-        case .aes192gcm:
-            return CCryptoBoringSSL_EVP_aead_aes_192_gcm()
-        case .aes256gcm:
-            return CCryptoBoringSSL_EVP_aead_aes_256_gcm()
-        case .chacha20:
-            return CCryptoBoringSSL_EVP_aead_chacha20_poly1305()
-        }
-    }
-}
 #endif // (os(macOS) || os(iOS) || os(watchOS) || os(tvOS)) && CRYPTO_IN_SWIFTPM && !CRYPTO_IN_SWIFTPM_FORCE_BUILD_API

Sources/Crypto/CMakeLists.txt

@@ -85,12 +85,14 @@ target_compile_definitions(Crypto PRIVATE
   CRYPTO_IN_SWIFTPM_FORCE_BUILD_API)
 target_include_directories(Crypto PRIVATE
   $<TARGET_PROPERTY:CCryptoBoringSSL,INCLUDE_DIRECTORIES>
-  $<TARGET_PROPERTY:CCryptoBoringSSLShims,INCLUDE_DIRECTORIES>)
+  $<TARGET_PROPERTY:CCryptoBoringSSLShims,INCLUDE_DIRECTORIES>
+  $<TARGET_PROPERTY:CryptoBoringWrapper,INCLUDE_DIRECTORIES>)
 target_link_libraries(Crypto PUBLIC
   $<$<NOT:$<PLATFORM_ID:Darwin>>:dispatch>
   $<$<NOT:$<PLATFORM_ID:Darwin>>:Foundation>
   CCryptoBoringSSL
-  CCryptoBoringSSLShims)
+  CCryptoBoringSSLShims
+  CryptoBoringWrapper)
 set_target_properties(Crypto PROPERTIES
   INTERFACE_INCLUDE_DIRECTORIES ${CMAKE_Swift_MODULE_DIRECTORY})