need to implement Cipher#auth_tag for GCM (only encrypting for now)

Author: kares

src/main/java/org/jruby/ext/openssl/Cipher.java

@@ -52,6 +52,7 @@
 
 import org.jruby.Ruby;
 import org.jruby.RubyArray;
+import org.jruby.RubyBoolean;
 import org.jruby.RubyClass;
 import org.jruby.RubyInteger;
 import org.jruby.RubyModule;
@@ -616,7 +617,7 @@ public int getIvLength() {
                 if ( "AES".equals(base) ) {
                     ivLength = 16; // OpenSSL defaults to 12
                     // NOTE: we can NOT handle 12 for non GCM mode
-                    if ( "GCM".equals(mode) ) ivLength = 12;
+                    if ( "GCM".equals(mode) || "CCM".equals(mode) ) ivLength = 12;
                 }
                 //else if ( "DES".equals(base) ) {
                 //    ivLength = 8;
@@ -1047,7 +1048,7 @@ else if ( "RC4".equalsIgnoreCase(cryptoBase) ) {
                 else {
                     final AlgorithmParameterSpec ivSpec;
                     if ( "GCM".equalsIgnoreCase(cryptoMode) ) { // e.g. 'aes-128-gcm'
-                        ivSpec = new GCMParameterSpec(this.ivLength * 8, this.realIV);
+                        ivSpec = new GCMParameterSpec(getAuthTagLength() * 8, this.realIV);
                     }
                     else {
                         ivSpec = new IvParameterSpec(this.realIV);
@@ -1083,6 +1084,9 @@ private String getCipherAlgorithm() {
     @JRubyMethod
     public IRubyObject update(final ThreadContext context, final IRubyObject arg) {
         final Ruby runtime = context.runtime;
+
+        if ( auth_tag != null ) throw newAuthTagPresentError(runtime);
+
         if ( isDebug(runtime) ) dumpVars( runtime.getOut(), "update()" );
 
         checkCipherNotNull(runtime);
@@ -1133,22 +1137,41 @@ public IRubyObject update_deprecated(final ThreadContext context, final IRubyObj
     @JRubyMethod(name = "final")
     public IRubyObject do_final(final ThreadContext context) {
         final Ruby runtime = context.runtime;
+
+        if ( auth_tag != null ) throw newAuthTagPresentError(runtime);
+
         checkCipherNotNull(runtime);
         if ( ! cipherInited ) doInitCipher(runtime);
         // trying to allow update after final like cruby-openssl. Bad idea.
         if ( "RC4".equalsIgnoreCase(cryptoBase) ) return runtime.newString("");
 
-        final ByteList str;
+        final ByteList str; boolean shared = false;
         try {
             final byte[] out = cipher.doFinal();
             if ( out != null ) {
-                str = new ByteList(out, false);
+                if ( isAuthDataMode() ) { // TODO only implemented encryption !
+
+                    // if GCM/CCM is being used, the authentication tag is appended
+                    // in the case of encryption, or verified in the case of decryption.
+                    // The result is stored in a new buffer.
+                    final int len = getAuthTagLength(); int strLen;
+                    if ( ( strLen = out.length - len ) > 0 ) {
+                        str = new ByteList(out, 0, strLen, false); shared = true;
+                    }
+                    else {
+                        str = new ByteList(ByteList.NULL_ARRAY); strLen = 0;
+                    }
+                    auth_tag = new ByteList(out, strLen, out.length - strLen);
+                }
                 // TODO: Modifying this line appears to fix the issue, but I do
                 // not have a good reason for why. Best I can tell, lastIv needs
                 // to be set regardless of encryptMode, so we'll go with this
                 // for now. JRUBY-3335.
                 //if ( realIV != null && encryptMode ) ...
-                if ( realIV != null ) setLastIVIfNeeded(out);
+                else {
+                    str = new ByteList(out, false);
+                    if ( realIV != null ) setLastIVIfNeeded(out);
+                }
             }
             else {
                 str = new ByteList(ByteList.NULL_ARRAY);
@@ -1174,7 +1197,18 @@ public IRubyObject do_final(final ThreadContext context) {
             debugStackTrace(runtime, e);
             throw newCipherError(runtime, e);
         }
-        return RubyString.newString(runtime, str);
+        return shared ? RubyString.newStringShared(runtime, str) : RubyString.newString(runtime, str);
+    }
+
+    private RaiseException newAuthTagPresentError(final Ruby runtime) {
+        final String error;
+        //if ( encryptMode ) {
+            error = "authentication tag already generated by cipher";
+        //}
+        //else {
+            //error = "authentication tag already consumed by cipher";
+        //}
+        return newCipherError(runtime, error);
     }
 
     private void setLastIVIfNeeded(final byte[] tmpIV) {
@@ -1195,6 +1229,34 @@ public IRubyObject set_padding(IRubyObject padding) {
         return padding;
     }
 
+    private transient ByteList auth_tag;
+
+    @JRubyMethod(name = "auth_tag")
+    public IRubyObject auth_tag(final ThreadContext context) {
+        if ( auth_tag != null ) {
+            return RubyString.newString(context.runtime, auth_tag);
+        }
+        if ( ! isAuthDataMode() ) {
+            throw newCipherError(context.runtime, "authentication tag not supported by this cipher");
+        }
+        return context.nil;
+    }
+
+    private boolean isAuthDataMode() { // Authenticated Encryption with Associated Data (AEAD)
+        return "GCM".equalsIgnoreCase(cryptoMode) || "CCM".equalsIgnoreCase(cryptoMode);
+    }
+
+    private static final int MAX_AUTH_TAG_LENGTH = 16;
+
+    private int getAuthTagLength() {
+        return Math.min(MAX_AUTH_TAG_LENGTH, this.key.length); // in bytes
+    }
+
+    @JRubyMethod(name = "authenticated?")
+    public RubyBoolean authenticated_p(final ThreadContext context) {
+        return context.runtime.newBoolean( isAuthDataMode() );
+    }
+
     @JRubyMethod
     public IRubyObject random_key(final ThreadContext context) {
         // str = OpenSSL::Random.random_bytes(self.key_len)

src/test/ruby/test_cipher.rb

@@ -68,6 +68,7 @@ def test_instantiate_supported_ciphers
     #puts OpenSSL::Cipher.ciphers.size
 
     OpenSSL::Cipher.ciphers.each do |cipher_name|
+      next if cipher_name.end_with?('wrap') # e.g. 'id-aes256-wrap'
       OpenSSL::Cipher.new cipher_name
     end
   end
@@ -347,6 +348,57 @@ def test_aes_128_gcm
     actual = cipher.update(bytes)
     assert_equal expected, actual
     #assert_equal "", cipher.final
+
+    cipher = OpenSSL::Cipher.new('aes-256-gcm')
+    assert_equal cipher, cipher.encrypt
+    assert_equal 32, cipher.key_len
+    assert_equal 12, cipher.iv_len
+    cipher.key = '01245678' * 4
+    cipher.iv = '0123456' * 2
+
+    bytes = '0101' * 8
+    expected = "\xA8I0\xF8\xCD?Z\xFD\x8E\"T\xF5\xF2\xC5\xC8\x05\xD4b\x85\xA3}'\xC99]\xC1\x16\x8B\x13\x9E-)" # from MRI
+    actual = cipher.update(bytes)
+    assert_equal expected, actual
+    #assert_equal "", cipher.final
+  end
+
+  def test_aes_128_gcm_with_auth_tag
+    cipher = OpenSSL::Cipher.new('aes-128-gcm')
+    cipher.encrypt
+    #assert_equal 16, cipher.key_len
+    #assert_equal 12, cipher.iv_len
+    cipher.key = '01' * 8
+    cipher.iv = '1001' * 3
+
+    plaintext = "Hello World"
+
+    padding = cipher.update("\0\0")
+    text = cipher.update(plaintext)
+
+    final = cipher.final; a_tag = cipher.auth_tag
+
+    assert_equal "\xB5\xFD", padding unless defined? JRUBY_VERSION
+    assert_equal "\xCCxqd\xDE\x92\x95\xAD0\xB4=", text unless defined? JRUBY_VERSION
+    assert_equal "", final unless defined? JRUBY_VERSION
+
+    assert_equal "\xB5\xFD\xCCxqd\xDE\x92\x95\xAD0\xB4=", padding + text + final
+
+    assert_equal "\ay\xBA\x89\xC9\x91\xF8N\xB7\xD6\x17+\x0F\\\xF8N", a_tag
+
+    assert_equal a_tag, cipher.auth_tag
+    assert_raise(OpenSSL::Cipher::CipherError) { cipher.update("\0\0") }
+    assert_equal a_tag, cipher.auth_tag
+    assert_raise(OpenSSL::Cipher::CipherError) { cipher.final }
+  end
+
+  def test_encrypt_auth_data_non_gcm
+    cipher = OpenSSL::Cipher.new 'aes-128-cfb'
+    cipher.encrypt
+    #length = 16
+    #cipher.iv = '0' * length
+    #cipher.key = '1' * length
+    assert_raise(OpenSSL::Cipher::CipherError) { cipher.auth_tag }
   end
 
   def test_encrypt_aes_cfb_16_incompatibility