Remove unnecessary double MAC for AEAD ciphers

Krisell · Krisell · commit 3800323e1d05 · 2021-08-20T14:30:35.000+02:00
diff --git a/src/Illuminate/Encryption/Encrypter.php b/src/Illuminate/Encryption/Encrypter.php
@@ -10,6 +10,18 @@
 
 class Encrypter implements EncrypterContract, StringEncrypter
 {
+    /**
+     * The supported cipher algorithms and their properties.
+     *
+     * @var array
+     */
+    private static $supportedCiphers = [
+        'AES-128-CBC' => ['size' => 16, 'aead' => false],
+        'AES-256-CBC' => ['size' => 32, 'aead' => false],
+        'AES-128-GCM' => ['size' => 16, 'aead' => true],
+        'AES-256-GCM' => ['size' => 32, 'aead' => true],
+    ];
+
     /**
      * The encryption key.
      *
@@ -37,12 +49,13 @@ public function __construct($key, $cipher = 'AES-128-CBC')
     {
         $key = (string) $key;
 
-        if (static::supported($key, $cipher)) {
-            $this->key = $key;
-            $this->cipher = $cipher;
-        } else {
-            throw new RuntimeException('The only supported ciphers are AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM with the correct key lengths.');
+        if (! static::supported($key, $cipher)) {
+            $ciphers = implode(', ', array_keys(self::$supportedCiphers));
+            throw new RuntimeException("Unsupported cipher or incorrect key length. Supported ciphers are: $ciphers.");
         }
+
+        $this->key = $key;
+        $this->cipher = $cipher;
     }
 
     /**
@@ -54,12 +67,11 @@ public function __construct($key, $cipher = 'AES-128-CBC')
      */
     public static function supported($key, $cipher)
     {
-        $length = mb_strlen($key, '8bit');
+        if (! isset(self::$supportedCiphers[$cipher])) {
+            return false;
+        }
 
-        return ($cipher === 'AES-128-CBC' && $length === 16) ||
-            ($cipher === 'AES-256-CBC' && $length === 32) ||
-            ($cipher === 'AES-128-GCM' && $length === 16) ||
-            ($cipher === 'AES-256-GCM' && $length === 32);
+        return mb_strlen($key, '8bit') === self::$supportedCiphers[$cipher]['size'];
     }
 
     /**
@@ -70,7 +82,7 @@ public static function supported($key, $cipher)
      */
     public static function generateKey($cipher)
     {
-        return random_bytes($cipher === 'AES-128-CBC' ? 16 : 32);
+        return random_bytes(self::$supportedCiphers[$cipher]['size']);
     }
 
     /**
@@ -86,33 +98,31 @@ public function encrypt($value, $serialize = true)
     {
         $iv = random_bytes(openssl_cipher_iv_length($this->cipher));
 
-        $tag = in_array($this->cipher, ['AES-128-GCM', 'AES-256-GCM']) ? '' : null;
-
-        // First we will encrypt the value using OpenSSL. After this is encrypted we
-        // will proceed to calculating a MAC for the encrypted value so that this
-        // value can be verified later as not having been changed by the users.
-        $value =
-            in_array($this->cipher, ['AES-128-GCM', 'AES-256-GCM']) ?
-                \openssl_encrypt(
-                    $serialize ? serialize($value) : $value,
-                    $this->cipher, $this->key, 0, $iv, $tag
-                ) :
-                \openssl_encrypt(
-                    $serialize ? serialize($value) : $value,
-                    $this->cipher, $this->key, 0, $iv
-                );
+        // A tag (mac) is returned by openssl_encrypt for AEAD ciphers.
+        // Including $tag in the call for non-AEAD ciphers results in a warning before PHP 8.1.
+        $tag = '';
+        $value = self::$supportedCiphers[$this->cipher]['aead']
+            ? \openssl_encrypt(
+                $serialize ? serialize($value) : $value,
+                $this->cipher, $this->key, 0, $iv, $tag
+            )
+            : \openssl_encrypt(
+                $serialize ? serialize($value) : $value,
+                $this->cipher, $this->key, 0, $iv
+            );
 
         if ($value === false) {
             throw new EncryptException('Could not encrypt the data.');
         }
 
-        // Once we get the encrypted value we'll go ahead and base64_encode the input
-        // vector and create the MAC for the encrypted value so we can then verify
-        // its authenticity. Then, we'll JSON the data into the "payload" array.
-        $mac = $this->hash(
-            $iv = base64_encode($iv), $value, $tag = $tag ? base64_encode($tag) : ''
-        );
+        $iv = base64_encode($iv);
+        $tag = base64_encode($tag);
+
+        $mac = self::$supportedCiphers[$this->cipher]['aead']
+            ? '' // For AEAD-algoritms, the tag/mac is returned by openssl_encrypt
+            : $this->hash($iv, $value);
 
+        // Both tag and mac are included for compatibility reasons. A breaking update could use the same name for these.
         $json = json_encode(compact('iv', 'value', 'mac', 'tag'), JSON_UNESCAPED_SLASHES);
 
         if (json_last_error() !== JSON_ERROR_NONE) {
@@ -184,12 +194,11 @@ public function decryptString($payload)
      *
      * @param  string  $iv
      * @param  mixed  $value
-     * @param  string  $tag
      * @return string
      */
-    protected function hash($iv, $value, $tag = '')
+    protected function hash($iv, $value)
     {
-        return hash_hmac('sha256', $tag.$iv.$value, $this->key);
+        return hash_hmac('sha256', $iv.$value, $this->key);
     }
 
     /**
@@ -211,7 +220,8 @@ protected function getJsonPayload($payload)
             throw new DecryptException('The payload is invalid.');
         }
 
-        if (! $this->validMac($payload)) {
+        // We only need to check for the valid MAC if a non-AEAD algorithm is used
+        if (! self::$supportedCiphers[$this->cipher]['aead'] && ! $this->validMac($payload)) {
             throw new DecryptException('The MAC is invalid.');
         }
 
@@ -239,7 +249,7 @@ protected function validPayload($payload)
     protected function validMac(array $payload)
     {
         return hash_equals(
-            $this->hash($payload['iv'], $payload['value'], $payload['tag'] ?? ''), $payload['mac']
+            $this->hash($payload['iv'], $payload['value']), $payload['mac']
         );
     }
 
diff --git a/tests/Encryption/EncrypterTest.php b/tests/Encryption/EncrypterTest.php
@@ -56,34 +56,54 @@ public function testWithCustomCipher()
         $this->assertSame('foo', $e->decrypt($encrypted));
     }
 
+    public function testThatAnAeadCipherIncludesTag()
+    {
+        $e = new Encrypter(str_repeat('b', 32), 'AES-256-GCM');
+        $encrypted = $e->encrypt('foo');
+        $data = json_decode(base64_decode($encrypted));
+
+        $this->assertEmpty($data->mac);
+        $this->assertNotEmpty($data->tag);
+    }
+
+    public function testThatANonAeadCipherIncludesMac()
+    {
+        $e = new Encrypter(str_repeat('b', 32), 'AES-256-CBC');
+        $encrypted = $e->encrypt('foo');
+        $data = json_decode(base64_decode($encrypted));
+
+        $this->assertEmpty($data->tag);
+        $this->assertNotEmpty($data->mac);
+    }
+
     public function testDoNoAllowLongerKey()
     {
         $this->expectException(RuntimeException::class);
-        $this->expectExceptionMessage('The only supported ciphers are AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM with the correct key lengths.');
+        $this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
 
         new Encrypter(str_repeat('z', 32));
     }
 
     public function testWithBadKeyLength()
     {
         $this->expectException(RuntimeException::class);
-        $this->expectExceptionMessage('The only supported ciphers are AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM with the correct key lengths.');
+        $this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
 
         new Encrypter(str_repeat('a', 5));
     }
 
     public function testWithBadKeyLengthAlternativeCipher()
     {
         $this->expectException(RuntimeException::class);
-        $this->expectExceptionMessage('The only supported ciphers are AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM with the correct key lengths.');
+        $this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
 
         new Encrypter(str_repeat('a', 16), 'AES-256-CFB8');
     }
 
     public function testWithUnsupportedCipher()
     {
         $this->expectException(RuntimeException::class);
-        $this->expectExceptionMessage('The only supported ciphers are AES-128-CBC, AES-256-CBC, AES-128-GCM, and AES-256-GCM with the correct key lengths.');
+        $this->expectExceptionMessage('Unsupported cipher or incorrect key length. Supported ciphers are: AES-128-CBC, AES-256-CBC, AES-128-GCM, AES-256-GCM.');
 
         new Encrypter(str_repeat('c', 16), 'AES-256-CFB8');
     }
