Ruby: ext/openssl/ossl_cipher.c Source File

00001 /*
00002  * $Id: ossl_cipher.c 49249 2015-01-14 07:25:48Z usa $
00003  * 'OpenSSL for Ruby' project
00004  * Copyright (C) 2001-2002  Michal Rokos <m.rokos@sh.cvut.cz>
00005  * All rights reserved.
00006  */
00007 /*
00008  * This program is licenced under the same licence as Ruby.
00009  * (See the file 'LICENCE'.)
00010  */
00011 #include "ossl.h"
00012 
00013 #define WrapCipher(obj, klass, ctx) \
00014     (obj) = Data_Wrap_Struct((klass), 0, ossl_cipher_free, (ctx))
00015 #define MakeCipher(obj, klass, ctx) \
00016     (obj) = Data_Make_Struct((klass), EVP_CIPHER_CTX, 0, ossl_cipher_free, (ctx))
00017 #define AllocCipher(obj, ctx) \
00018     memset(DATA_PTR(obj) = (ctx) = ALLOC(EVP_CIPHER_CTX), 0, sizeof(EVP_CIPHER_CTX))
00019 #define GetCipherInit(obj, ctx) do { \
00020     Data_Get_Struct((obj), EVP_CIPHER_CTX, (ctx)); \
00021 } while (0)
00022 #define GetCipher(obj, ctx) do { \
00023     GetCipherInit((obj), (ctx)); \
00024     if (!(ctx)) { \
00025         ossl_raise(rb_eRuntimeError, "Cipher not inititalized!"); \
00026     } \
00027 } while (0)
00028 #define SafeGetCipher(obj, ctx) do { \
00029     OSSL_Check_Kind((obj), cCipher); \
00030     GetCipher((obj), (ctx)); \
00031 } while (0)
00032 
00033 /*
00034  * Classes
00035  */
00036 VALUE cCipher;
00037 VALUE eCipherError;
00038 
00039 static VALUE ossl_cipher_alloc(VALUE klass);
00040 
00041 /*
00042  * PUBLIC
00043  */
00044 const EVP_CIPHER *
00045 GetCipherPtr(VALUE obj)
00046 {
00047     EVP_CIPHER_CTX *ctx;
00048 
00049     SafeGetCipher(obj, ctx);
00050 
00051     return EVP_CIPHER_CTX_cipher(ctx);
00052 }
00053 
00054 VALUE
00055 ossl_cipher_new(const EVP_CIPHER *cipher)
00056 {
00057     VALUE ret;
00058     EVP_CIPHER_CTX *ctx;
00059 
00060     ret = ossl_cipher_alloc(cCipher);
00061     AllocCipher(ret, ctx);
00062     EVP_CIPHER_CTX_init(ctx);
00063     if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
00064         ossl_raise(eCipherError, NULL);
00065 
00066     return ret;
00067 }
00068 
00069 /*
00070  * PRIVATE
00071  */
00072 static void
00073 ossl_cipher_free(EVP_CIPHER_CTX *ctx)
00074 {
00075     if (ctx) {
00076         EVP_CIPHER_CTX_cleanup(ctx);
00077         ruby_xfree(ctx);
00078     }
00079 }
00080 
00081 static VALUE
00082 ossl_cipher_alloc(VALUE klass)
00083 {
00084     VALUE obj;
00085 
00086     WrapCipher(obj, klass, 0);
00087 
00088     return obj;
00089 }
00090 
00091 /*
00092  *  call-seq:
00093  *     Cipher.new(string) -> cipher
00094  *
00095  *  The string must contain a valid cipher name like "AES-128-CBC" or "3DES".
00096  *
00097  *  A list of cipher names is available by calling OpenSSL::Cipher.ciphers.
00098  */
00099 static VALUE
00100 ossl_cipher_initialize(VALUE self, VALUE str)
00101 {
00102     EVP_CIPHER_CTX *ctx;
00103     const EVP_CIPHER *cipher;
00104     char *name;
00105     unsigned char key[EVP_MAX_KEY_LENGTH];
00106 
00107     name = StringValuePtr(str);
00108     GetCipherInit(self, ctx);
00109     if (ctx) {
00110         ossl_raise(rb_eRuntimeError, "Cipher already inititalized!");
00111     }
00112     AllocCipher(self, ctx);
00113     EVP_CIPHER_CTX_init(ctx);
00114     if (!(cipher = EVP_get_cipherbyname(name))) {
00115         ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name);
00116     }
00117     /*
00118      * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows
00119      * uninitialized key, but other EVPs (such as AES) does not allow it.
00120      * Calling EVP_CipherUpdate() without initializing key causes SEGV so we
00121      * set the data filled with "\0" as the key by default.
00122      */
00123     memset(key, 0, EVP_MAX_KEY_LENGTH);
00124     if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1)
00125         ossl_raise(eCipherError, NULL);
00126 
00127     return self;
00128 }
00129 
00130 static VALUE
00131 ossl_cipher_copy(VALUE self, VALUE other)
00132 {
00133     EVP_CIPHER_CTX *ctx1, *ctx2;
00134 
00135     rb_check_frozen(self);
00136     if (self == other) return self;
00137 
00138     GetCipherInit(self, ctx1);
00139     if (!ctx1) {
00140         AllocCipher(self, ctx1);
00141     }
00142     SafeGetCipher(other, ctx2);
00143     if (EVP_CIPHER_CTX_copy(ctx1, ctx2) != 1)
00144         ossl_raise(eCipherError, NULL);
00145 
00146     return self;
00147 }
00148 
00149 #ifdef HAVE_OBJ_NAME_DO_ALL_SORTED
00150 static void*
00151 add_cipher_name_to_ary(const OBJ_NAME *name, VALUE ary)
00152 {
00153     rb_ary_push(ary, rb_str_new2(name->name));
00154     return NULL;
00155 }
00156 #endif
00157 
00158 #ifdef HAVE_OBJ_NAME_DO_ALL_SORTED
00159 /*
00160  *  call-seq:
00161  *     Cipher.ciphers -> array[string...]
00162  *
00163  *  Returns the names of all available ciphers in an array.
00164  */
00165 static VALUE
00166 ossl_s_ciphers(VALUE self)
00167 {
00168     VALUE ary;
00169 
00170     ary = rb_ary_new();
00171     OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
00172                     (void(*)(const OBJ_NAME*,void*))add_cipher_name_to_ary,
00173                     (void*)ary);
00174 
00175     return ary;
00176 }
00177 #else
00178 #define ossl_s_ciphers rb_f_notimplement
00179 #endif
00180 
00181 /*
00182  *  call-seq:
00183  *     cipher.reset -> self
00184  *
00185  *  Fully resets the internal state of the Cipher. By using this, the same
00186  *  Cipher instance may be used several times for en- or decryption tasks.
00187  *
00188  *  Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1).
00189  */
00190 static VALUE
00191 ossl_cipher_reset(VALUE self)
00192 {
00193     EVP_CIPHER_CTX *ctx;
00194 
00195     GetCipher(self, ctx);
00196     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, -1) != 1)
00197         ossl_raise(eCipherError, NULL);
00198 
00199     return self;
00200 }
00201 
00202 static VALUE
00203 ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
00204 {
00205     EVP_CIPHER_CTX *ctx;
00206     unsigned char key[EVP_MAX_KEY_LENGTH], *p_key = NULL;
00207     unsigned char iv[EVP_MAX_IV_LENGTH], *p_iv = NULL;
00208     VALUE pass, init_v;
00209 
00210     if(rb_scan_args(argc, argv, "02", &pass, &init_v) > 0){
00211         /*
00212          * oops. this code mistakes salt for IV.
00213          * We deprecated the arguments for this method, but we decided
00214          * keeping this behaviour for backward compatibility.
00215          */
00216         VALUE cname  = rb_class_path(rb_obj_class(self));
00217         rb_warn("arguments for %"PRIsVALUE"#encrypt and %"PRIsVALUE"#decrypt were deprecated; "
00218                 "use %"PRIsVALUE"#pkcs5_keyivgen to derive key and IV",
00219                 cname, cname, cname);
00220         StringValue(pass);
00221         GetCipher(self, ctx);
00222         if (NIL_P(init_v)) memcpy(iv, "OpenSSL for Ruby rulez!", sizeof(iv));
00223         else{
00224             StringValue(init_v);
00225             if (EVP_MAX_IV_LENGTH > RSTRING_LEN(init_v)) {
00226                 memset(iv, 0, EVP_MAX_IV_LENGTH);
00227                 memcpy(iv, RSTRING_PTR(init_v), RSTRING_LEN(init_v));
00228             }
00229             else memcpy(iv, RSTRING_PTR(init_v), sizeof(iv));
00230         }
00231         EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), EVP_md5(), iv,
00232                        (unsigned char *)RSTRING_PTR(pass), RSTRING_LENINT(pass), 1, key, NULL);
00233         p_key = key;
00234         p_iv = iv;
00235     }
00236     else {
00237         GetCipher(self, ctx);
00238     }
00239     if (EVP_CipherInit_ex(ctx, NULL, NULL, p_key, p_iv, mode) != 1) {
00240         ossl_raise(eCipherError, NULL);
00241     }
00242 
00243     return self;
00244 }
00245 
00246 /*
00247  *  call-seq:
00248  *     cipher.encrypt -> self
00249  *
00250  *  Initializes the Cipher for encryption.
00251  *
00252  *  Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
00253  *  following methods:
00254  *  * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
00255  *
00256  *  Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 1).
00257  */
00258 static VALUE
00259 ossl_cipher_encrypt(int argc, VALUE *argv, VALUE self)
00260 {
00261     return ossl_cipher_init(argc, argv, self, 1);
00262 }
00263 
00264 /*
00265  *  call-seq:
00266  *     cipher.decrypt -> self
00267  *
00268  *  Initializes the Cipher for decryption.
00269  *
00270  *  Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
00271  *  following methods:
00272  *  * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
00273  *
00274  *  Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 0).
00275  */
00276 static VALUE
00277 ossl_cipher_decrypt(int argc, VALUE *argv, VALUE self)
00278 {
00279     return ossl_cipher_init(argc, argv, self, 0);
00280 }
00281 
00282 /*
00283  *  call-seq:
00284  *     cipher.pkcs5_keyivgen(pass [, salt [, iterations [, digest]]] ) -> nil
00285  *
00286  *  Generates and sets the key/IV based on a password.
00287  *
00288  *  WARNING: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
00289  *  or DES with MD5 or SHA1. Using anything else (like AES) will generate the
00290  *  key/iv using an OpenSSL specific method. This method is deprecated and
00291  *  should no longer be used. Use a PKCS5 v2 key generation method from
00292  *  OpenSSL::PKCS5 instead.
00293  *
00294  *  === Parameters
00295  *  +salt+ must be an 8 byte string if provided.
00296  *  +iterations+ is a integer with a default of 2048.
00297  *  +digest+ is a Digest object that defaults to 'MD5'
00298  *
00299  *  A minimum of 1000 iterations is recommended.
00300  *
00301  */
00302 static VALUE
00303 ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
00304 {
00305     EVP_CIPHER_CTX *ctx;
00306     const EVP_MD *digest;
00307     VALUE vpass, vsalt, viter, vdigest;
00308     unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH], *salt = NULL;
00309     int iter;
00310 
00311     rb_scan_args(argc, argv, "13", &vpass, &vsalt, &viter, &vdigest);
00312     StringValue(vpass);
00313     if(!NIL_P(vsalt)){
00314         StringValue(vsalt);
00315         if(RSTRING_LEN(vsalt) != PKCS5_SALT_LEN)
00316             ossl_raise(eCipherError, "salt must be an 8-octet string");
00317         salt = (unsigned char *)RSTRING_PTR(vsalt);
00318     }
00319     iter = NIL_P(viter) ? 2048 : NUM2INT(viter);
00320     digest = NIL_P(vdigest) ? EVP_md5() : GetDigestPtr(vdigest);
00321     GetCipher(self, ctx);
00322     EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), digest, salt,
00323                    (unsigned char *)RSTRING_PTR(vpass), RSTRING_LENINT(vpass), iter, key, iv);
00324     if (EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, -1) != 1)
00325         ossl_raise(eCipherError, NULL);
00326     OPENSSL_cleanse(key, sizeof key);
00327     OPENSSL_cleanse(iv, sizeof iv);
00328 
00329     return Qnil;
00330 }
00331 
00332 static int
00333 ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_ptr,
00334                         const unsigned char *in, long in_len)
00335 {
00336     int out_part_len;
00337     long out_len = 0;
00338 #define UPDATE_LENGTH_LIMIT INT_MAX
00339 
00340 #if SIZEOF_LONG > UPDATE_LENGTH_LIMIT
00341     if (in_len > UPDATE_LENGTH_LIMIT) {
00342         const int in_part_len = (UPDATE_LENGTH_LIMIT / 2 + 1) & ~1;
00343         do {
00344             if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
00345                                   &out_part_len, in, in_part_len))
00346                 return 0;
00347             out_len += out_part_len;
00348             in += in_part_len;
00349         } while ((in_len -= in_part_len) > UPDATE_LENGTH_LIMIT);
00350     }
00351 #endif
00352     if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
00353                           &out_part_len, in, (int)in_len))
00354         return 0;
00355     if (out_len_ptr) *out_len_ptr = out_len += out_part_len;
00356     return 1;
00357 }
00358 
00359 /*
00360  *  call-seq:
00361  *     cipher.update(data [, buffer]) -> string or buffer
00362  *
00363  *  Encrypts data in a streaming fashion. Hand consecutive blocks of data
00364  *  to the +update+ method in order to encrypt it. Returns the encrypted
00365  *  data chunk. When done, the output of Cipher#final should be additionally
00366  *  added to the result.
00367  *
00368  *  === Parameters
00369  *  +data+ is a nonempty string.
00370  *  +buffer+ is an optional string to store the result.
00371  */
00372 static VALUE
00373 ossl_cipher_update(int argc, VALUE *argv, VALUE self)
00374 {
00375     EVP_CIPHER_CTX *ctx;
00376     unsigned char *in;
00377     long in_len, out_len;
00378     VALUE data, str;
00379 
00380     rb_scan_args(argc, argv, "11", &data, &str);
00381 
00382     StringValue(data);
00383     in = (unsigned char *)RSTRING_PTR(data);
00384     if ((in_len = RSTRING_LEN(data)) == 0)
00385         ossl_raise(rb_eArgError, "data must not be empty");
00386     GetCipher(self, ctx);
00387     out_len = in_len+EVP_CIPHER_CTX_block_size(ctx);
00388     if (out_len <= 0) {
00389         ossl_raise(rb_eRangeError,
00390                    "data too big to make output buffer: %ld bytes", in_len);
00391     }
00392 
00393     if (NIL_P(str)) {
00394         str = rb_str_new(0, out_len);
00395     } else {
00396         StringValue(str);
00397         rb_str_resize(str, out_len);
00398     }
00399 
00400     if (!ossl_cipher_update_long(ctx, (unsigned char *)RSTRING_PTR(str), &out_len, in, in_len))
00401         ossl_raise(eCipherError, NULL);
00402     assert(out_len < RSTRING_LEN(str));
00403     rb_str_set_len(str, out_len);
00404 
00405     return str;
00406 }
00407 
00408 /*
00409  *  call-seq:
00410  *     cipher.final -> string
00411  *
00412  *  Returns the remaining data held in the cipher object. Further calls to
00413  *  Cipher#update or Cipher#final will return garbage. This call should always
00414  *  be made as the last call of an encryption or decryption operation, after
00415  *  after having fed the entire plaintext or ciphertext to the Cipher instance.
00416  *
00417  *  If an authenticated cipher was used, a CipherError is raised if the tag
00418  *  could not be authenticated successfully. Only call this method after
00419  *  setting the authentication tag and passing the entire contents of the
00420  *  ciphertext into the cipher.
00421  */
00422 static VALUE
00423 ossl_cipher_final(VALUE self)
00424 {
00425     EVP_CIPHER_CTX *ctx;
00426     int out_len;
00427     VALUE str;
00428 
00429     GetCipher(self, ctx);
00430     str = rb_str_new(0, EVP_CIPHER_CTX_block_size(ctx));
00431     if (!EVP_CipherFinal_ex(ctx, (unsigned char *)RSTRING_PTR(str), &out_len))
00432         ossl_raise(eCipherError, NULL);
00433     assert(out_len <= RSTRING_LEN(str));
00434     rb_str_set_len(str, out_len);
00435 
00436     return str;
00437 }
00438 
00439 /*
00440  *  call-seq:
00441  *     cipher.name -> string
00442  *
00443  *  Returns the name of the cipher which may differ slightly from the original
00444  *  name provided.
00445  */
00446 static VALUE
00447 ossl_cipher_name(VALUE self)
00448 {
00449     EVP_CIPHER_CTX *ctx;
00450 
00451     GetCipher(self, ctx);
00452 
00453     return rb_str_new2(EVP_CIPHER_name(EVP_CIPHER_CTX_cipher(ctx)));
00454 }
00455 
00456 /*
00457  *  call-seq:
00458  *     cipher.key = string -> string
00459  *
00460  *  Sets the cipher key. To generate a key, you should either use a secure
00461  *  random byte string or, if the key is to be derived from a password, you
00462  *  should rely on PBKDF2 functionality provided by OpenSSL::PKCS5. To
00463  *  generate a secure random-based key, Cipher#random_key may be used.
00464  *
00465  *  Only call this method after calling Cipher#encrypt or Cipher#decrypt.
00466  */
00467 static VALUE
00468 ossl_cipher_set_key(VALUE self, VALUE key)
00469 {
00470     EVP_CIPHER_CTX *ctx;
00471 
00472     StringValue(key);
00473     GetCipher(self, ctx);
00474 
00475     if (RSTRING_LEN(key) < EVP_CIPHER_CTX_key_length(ctx))
00476         ossl_raise(eCipherError, "key length too short");
00477 
00478     if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1)
00479         ossl_raise(eCipherError, NULL);
00480 
00481     return key;
00482 }
00483 
00484 /*
00485  *  call-seq:
00486  *     cipher.iv = string -> string
00487  *
00488  *  Sets the cipher IV. Please note that since you should never be using ECB
00489  *  mode, an IV is always explicitly required and should be set prior to
00490  *  encryption. The IV itself can be safely transmitted in public, but it
00491  *  should be unpredictable to prevent certain kinds of attacks. You may use
00492  *  Cipher#random_iv to create a secure random IV.
00493  *
00494  *  Only call this method after calling Cipher#encrypt or Cipher#decrypt.
00495  *
00496  *  If not explicitly set, the OpenSSL default of an all-zeroes ("\\0") IV is
00497  *  used.
00498  */
00499 static VALUE
00500 ossl_cipher_set_iv(VALUE self, VALUE iv)
00501 {
00502     EVP_CIPHER_CTX *ctx;
00503 
00504     StringValue(iv);
00505     GetCipher(self, ctx);
00506 
00507     if (RSTRING_LEN(iv) < EVP_CIPHER_CTX_iv_length(ctx))
00508         ossl_raise(eCipherError, "iv length too short");
00509 
00510     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, (unsigned char *)RSTRING_PTR(iv), -1) != 1)
00511         ossl_raise(eCipherError, NULL);
00512 
00513     return iv;
00514 }
00515 
00516 #ifdef HAVE_AUTHENTICATED_ENCRYPTION
00517 /*
00518  *  call-seq:
00519  *     cipher.auth_data = string -> string
00520  *
00521  *  Sets the cipher's additional authenticated data. This field must be
00522  *  set when using AEAD cipher modes such as GCM or CCM. If no associated
00523  *  data shall be used, this method must *still* be called with a value of "".
00524  *  The contents of this field should be non-sensitive data which will be
00525  *  added to the ciphertext to generate the authentication tag which validates
00526  *  the contents of the ciphertext.
00527  *
00528  *  The AAD must be set prior to encryption or decryption. In encryption mode,
00529  *  it must be set after calling Cipher#encrypt and setting Cipher#key= and
00530  *  Cipher#iv=. When decrypting, the authenticated data must be set after key,
00531  *  iv and especially *after* the authentication tag has been set. I.e. set it
00532  *  only after calling Cipher#decrypt, Cipher#key=, Cipher#iv= and
00533  *  Cipher#auth_tag= first.
00534  */
00535 static VALUE
00536 ossl_cipher_set_auth_data(VALUE self, VALUE data)
00537 {
00538     EVP_CIPHER_CTX *ctx;
00539     unsigned char *in;
00540     long in_len, out_len;
00541 
00542     StringValue(data);
00543 
00544     in = (unsigned char *) RSTRING_PTR(data);
00545     in_len = RSTRING_LEN(data);
00546 
00547     GetCipher(self, ctx);
00548 
00549     if (!ossl_cipher_update_long(ctx, NULL, &out_len, in, in_len))
00550         ossl_raise(eCipherError, "couldn't set additional authenticated data");
00551 
00552     return data;
00553 }
00554 
00555 #define ossl_is_gcm(nid)        (nid) == NID_aes_128_gcm || \
00556                                 (nid) == NID_aes_192_gcm || \
00557                                 (nid) == NID_aes_256_gcm
00558 
00559 static VALUE
00560 ossl_get_gcm_auth_tag(EVP_CIPHER_CTX *ctx, int len)
00561 {
00562     unsigned char *tag;
00563     VALUE ret;
00564 
00565     tag = ALLOC_N(unsigned char, len);
00566 
00567     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, len, tag))
00568         ossl_raise(eCipherError, "retrieving the authentication tag failed");
00569 
00570     ret = rb_str_new((const char *) tag, len);
00571     xfree(tag);
00572     return ret;
00573 }
00574 
00575 /*
00576  *  call-seq:
00577  *     cipher.auth_tag([ tag_len ] -> string
00578  *
00579  *  Gets the authentication tag generated by Authenticated Encryption Cipher
00580  *  modes (GCM for example). This tag may be stored along with the ciphertext,
00581  *  then set on the decryption cipher to authenticate the contents of the
00582  *  ciphertext against changes. If the optional integer parameter +tag_len+ is
00583  *  given, the returned tag will be +tag_len+ bytes long. If the parameter is
00584  *  omitted, the maximum length of 16 bytes will be returned. For maximum
00585  *  security, the default of 16 bytes should be chosen.
00586  *
00587  *  The tag may only be retrieved after calling Cipher#final.
00588  */
00589 static VALUE
00590 ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
00591 {
00592     VALUE vtag_len;
00593     EVP_CIPHER_CTX *ctx;
00594     int nid, tag_len;
00595 
00596     if (rb_scan_args(argc, argv, "01", &vtag_len) == 0) {
00597         tag_len = 16;
00598     } else {
00599         tag_len = NUM2INT(vtag_len);
00600     }
00601 
00602     GetCipher(self, ctx);
00603     nid = EVP_CIPHER_CTX_nid(ctx);
00604 
00605     if (ossl_is_gcm(nid)) {
00606         return ossl_get_gcm_auth_tag(ctx, tag_len);
00607     } else {
00608         ossl_raise(eCipherError, "authentication tag not supported by this cipher");
00609         return Qnil; /* dummy */
00610     }
00611 }
00612 
00613 static inline void
00614 ossl_set_gcm_auth_tag(EVP_CIPHER_CTX *ctx, unsigned char *tag, int tag_len)
00615 {
00616     if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag))
00617         ossl_raise(eCipherError, "unable to set GCM tag");
00618 }
00619 
00620 /*
00621  *  call-seq:
00622  *     cipher.auth_tag = string -> string
00623  *
00624  *  Sets the authentication tag to verify the contents of the
00625  *  ciphertext. The tag must be set after calling Cipher#decrypt,
00626  *  Cipher#key= and Cipher#iv=, but before assigning the associated
00627  *  authenticated data using Cipher#auth_data= and of course, before
00628  *  decrypting any of the ciphertext. After all decryption is
00629  *  performed, the tag is verified automatically in the call to
00630  *  Cipher#final.
00631  */
00632 static VALUE
00633 ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
00634 {
00635     EVP_CIPHER_CTX *ctx;
00636     int nid;
00637     unsigned char *tag;
00638     int tag_len;
00639 
00640     StringValue(vtag);
00641     tag = (unsigned char *) RSTRING_PTR(vtag);
00642     tag_len = RSTRING_LENINT(vtag);
00643 
00644     GetCipher(self, ctx);
00645     nid = EVP_CIPHER_CTX_nid(ctx);
00646 
00647     if (ossl_is_gcm(nid)) {
00648         ossl_set_gcm_auth_tag(ctx, tag, tag_len);
00649     } else {
00650         ossl_raise(eCipherError, "authentication tag not supported by this cipher");
00651     }
00652 
00653     return vtag;
00654 }
00655 
00656 /*
00657  *  call-seq:
00658  *     cipher.authenticated? -> boolean
00659  *
00660  *  Indicated whether this Cipher instance uses an Authenticated Encryption
00661  *  mode.
00662  */
00663 static VALUE
00664 ossl_cipher_is_authenticated(VALUE self)
00665 {
00666     EVP_CIPHER_CTX *ctx;
00667     int nid;
00668 
00669     GetCipher(self, ctx);
00670     nid = EVP_CIPHER_CTX_nid(ctx);
00671 
00672     if (ossl_is_gcm(nid)) {
00673         return Qtrue;
00674     } else {
00675         return Qfalse;
00676     }
00677 }
00678 #else
00679 #define ossl_cipher_set_auth_data rb_f_notimplement
00680 #define ossl_cipher_get_auth_tag rb_f_notimplement
00681 #define ossl_cipher_set_auth_tag rb_f_notimplement
00682 #define ossl_cipher_is_authenticated rb_f_notimplement
00683 #endif
00684 
00685 /*
00686  *  call-seq:
00687  *     cipher.key_len = integer -> integer
00688  *
00689  *  Sets the key length of the cipher.  If the cipher is a fixed length cipher
00690  *  then attempting to set the key length to any value other than the fixed
00691  *  value is an error.
00692  *
00693  *  Under normal circumstances you do not need to call this method (and probably shouldn't).
00694  *
00695  *  See EVP_CIPHER_CTX_set_key_length for further information.
00696  */
00697 static VALUE
00698 ossl_cipher_set_key_length(VALUE self, VALUE key_length)
00699 {
00700     int len = NUM2INT(key_length);
00701     EVP_CIPHER_CTX *ctx;
00702 
00703     GetCipher(self, ctx);
00704     if (EVP_CIPHER_CTX_set_key_length(ctx, len) != 1)
00705         ossl_raise(eCipherError, NULL);
00706 
00707     return key_length;
00708 }
00709 
00710 #if defined(HAVE_EVP_CIPHER_CTX_SET_PADDING)
00711 /*
00712  *  call-seq:
00713  *     cipher.padding = integer -> integer
00714  *
00715  *  Enables or disables padding. By default encryption operations are padded using standard block padding and the
00716  *  padding is checked and removed when decrypting. If the pad parameter is zero then no padding is performed, the
00717  *  total amount of data encrypted or decrypted must then be a multiple of the block size or an error will occur.
00718  *
00719  *  See EVP_CIPHER_CTX_set_padding for further information.
00720  */
00721 static VALUE
00722 ossl_cipher_set_padding(VALUE self, VALUE padding)
00723 {
00724     EVP_CIPHER_CTX *ctx;
00725     int pad = NUM2INT(padding);
00726 
00727     GetCipher(self, ctx);
00728     if (EVP_CIPHER_CTX_set_padding(ctx, pad) != 1)
00729         ossl_raise(eCipherError, NULL);
00730     return padding;
00731 }
00732 #else
00733 #define ossl_cipher_set_padding rb_f_notimplement
00734 #endif
00735 
00736 #define CIPHER_0ARG_INT(func)                                   \
00737     static VALUE                                                \
00738     ossl_cipher_##func(VALUE self)                              \
00739     {                                                           \
00740         EVP_CIPHER_CTX *ctx;                                    \
00741         GetCipher(self, ctx);                                   \
00742         return INT2NUM(EVP_CIPHER_##func(EVP_CIPHER_CTX_cipher(ctx)));  \
00743     }
00744 
00745 /*
00746  *  call-seq:
00747  *     cipher.key_len -> integer
00748  *
00749  *  Returns the key length in bytes of the Cipher.
00750  */
00751 CIPHER_0ARG_INT(key_length)
00752 /*
00753  *  call-seq:
00754  *     cipher.iv_len -> integer
00755  *
00756  *  Returns the expected length in bytes for an IV for this Cipher.
00757  */
00758 CIPHER_0ARG_INT(iv_length)
00759 /*
00760  *  call-seq:
00761  *     cipher.block_size -> integer
00762  *
00763  *  Returns the size in bytes of the blocks on which this Cipher operates on.
00764  */
00765 CIPHER_0ARG_INT(block_size)
00766 
00767 /*
00768  * INIT
00769  */
00770 void
00771 Init_ossl_cipher(void)
00772 {
00773 #if 0
00774     mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
00775 #endif
00776 
00777     /* Document-class: OpenSSL::Cipher
00778      *
00779      * Provides symmetric algorithms for encryption and decryption. The
00780      * algorithms that are available depend on the particular version
00781      * of OpenSSL that is installed.
00782      *
00783      * === Listing all supported algorithms
00784      *
00785      * A list of supported algorithms can be obtained by
00786      *
00787      *   puts OpenSSL::Cipher.ciphers
00788      *
00789      * === Instantiating a Cipher
00790      *
00791      * There are several ways to create a Cipher instance. Generally, a
00792      * Cipher algorithm is categorized by its name, the key length in bits
00793      * and the cipher mode to be used. The most generic way to create a
00794      * Cipher is the following
00795      *
00796      *   cipher = OpenSSL::Cipher.new('<name>-<key length>-<mode>')
00797      *
00798      * That is, a string consisting of the hyphenated concatenation of the
00799      * individual components name, key length and mode. Either all uppercase
00800      * or all lowercase strings may be used, for example:
00801      *
00802      *  cipher = OpenSSL::Cipher.new('AES-128-CBC')
00803      *
00804      * For each algorithm supported, there is a class defined under the
00805      * Cipher class that goes by the name of the cipher, e.g. to obtain an
00806      * instance of AES, you could also use
00807      *
00808      *   # these are equivalent
00809      *   cipher = OpenSSL::Cipher::AES.new(128, :CBC)
00810      *   cipher = OpenSSL::Cipher::AES.new(128, 'CBC')
00811      *   cipher = OpenSSL::Cipher::AES.new('128-CBC')
00812      *
00813      * Finally, due to its wide-spread use, there are also extra classes
00814      * defined for the different key sizes of AES
00815      *
00816      *   cipher = OpenSSL::Cipher::AES128.new(:CBC)
00817      *   cipher = OpenSSL::Cipher::AES192.new(:CBC)
00818      *   cipher = OpenSSL::Cipher::AES256.new(:CBC)
00819      *
00820      * === Choosing either encryption or decryption mode
00821      *
00822      * Encryption and decryption are often very similar operations for
00823      * symmetric algorithms, this is reflected by not having to choose
00824      * different classes for either operation, both can be done using the
00825      * same class. Still, after obtaining a Cipher instance, we need to
00826      * tell the instance what it is that we intend to do with it, so we
00827      * need to call either
00828      *
00829      *   cipher.encrypt
00830      *
00831      * or
00832      *
00833      *   cipher.decrypt
00834      *
00835      * on the Cipher instance. This should be the first call after creating
00836      * the instance, otherwise configuration that has already been set could
00837      * get lost in the process.
00838      *
00839      * === Choosing a key
00840      *
00841      * Symmetric encryption requires a key that is the same for the encrypting
00842      * and for the decrypting party and after initial key establishment should
00843      * be kept as private information. There are a lot of ways to create
00844      * insecure keys, the most notable is to simply take a password as the key
00845      * without processing the password further. A simple and secure way to
00846      * create a key for a particular Cipher is
00847      *
00848      *  cipher = OpenSSL::AES256.new(:CFB)
00849      *  cipher.encrypt
00850      *  key = cipher.random_key # also sets the generated key on the Cipher
00851      *
00852      * If you absolutely need to use passwords as encryption keys, you
00853      * should use Password-Based Key Derivation Function 2 (PBKDF2) by
00854      * generating the key with the help of the functionality provided by
00855      * OpenSSL::PKCS5.pbkdf2_hmac_sha1 or OpenSSL::PKCS5.pbkdf2_hmac.
00856      *
00857      * Although there is Cipher#pkcs5_keyivgen, its use is deprecated and
00858      * it should only be used in legacy applications because it does not use
00859      * the newer PKCS#5 v2 algorithms.
00860      *
00861      * === Choosing an IV
00862      *
00863      * The cipher modes CBC, CFB, OFB and CTR all need an "initialization
00864      * vector", or short, IV. ECB mode is the only mode that does not require
00865      * an IV, but there is almost no legitimate use case for this mode
00866      * because of the fact that it does not sufficiently hide plaintext
00867      * patterns. Therefore
00868      *
00869      * <b>You should never use ECB mode unless you are absolutely sure that
00870      * you absolutely need it</b>
00871      *
00872      * Because of this, you will end up with a mode that explicitly requires
00873      * an IV in any case. Note that for backwards compatibility reasons,
00874      * setting an IV is not explicitly mandated by the Cipher API. If not
00875      * set, OpenSSL itself defaults to an all-zeroes IV ("\\0", not the
00876      * character). Although the IV can be seen as public information, i.e.
00877      * it may be transmitted in public once generated, it should still stay
00878      * unpredictable to prevent certain kinds of attacks. Therefore, ideally
00879      *
00880      * <b>Always create a secure random IV for every encryption of your
00881      * Cipher</b>
00882      *
00883      * A new, random IV should be created for every encryption of data. Think
00884      * of the IV as a nonce (number used once) - it's public but random and
00885      * unpredictable. A secure random IV can be created as follows
00886      *
00887      *  cipher = ...
00888      *  cipher.encrypt
00889      *  key = cipher.random_key
00890      *  iv = cipher.random_iv # also sets the generated IV on the Cipher
00891      *
00892      *  Although the key is generally a random value, too, it is a bad choice
00893      *  as an IV. There are elaborate ways how an attacker can take advantage
00894      *  of such an IV. As a general rule of thumb, exposing the key directly
00895      *  or indirectly should be avoided at all cost and exceptions only be
00896      *  made with good reason.
00897      *
00898      * === Calling Cipher#final
00899      *
00900      * ECB (which should not be used) and CBC are both block-based modes.
00901      * This means that unlike for the other streaming-based modes, they
00902      * operate on fixed-size blocks of data, and therefore they require a
00903      * "finalization" step to produce or correctly decrypt the last block of
00904      * data by appropriately handling some form of padding. Therefore it is
00905      * essential to add the output of OpenSSL::Cipher#final to your
00906      * encryption/decryption buffer or you will end up with decryption errors
00907      * or truncated data.
00908      *
00909      * Although this is not really necessary for streaming-mode ciphers, it is
00910      * still recommended to apply the same pattern of adding the output of
00911      * Cipher#final there as well - it also enables you to switch between
00912      * modes more easily in the future.
00913      *
00914      * === Encrypting and decrypting some data
00915      *
00916      *   data = "Very, very confidential data"
00917      *
00918      *   cipher = OpenSSL::Cipher::AES.new(128, :CBC)
00919      *   cipher.encrypt
00920      *   key = cipher.random_key
00921      *   iv = cipher.random_iv
00922      *
00923      *   encrypted = cipher.update(data) + cipher.final
00924      *   ...
00925      *   decipher = OpenSSL::Cipher::AES.new(128, :CBC)
00926      *   decipher.decrypt
00927      *   decipher.key = key
00928      *   decipher.iv = iv
00929      *
00930      *   plain = decipher.update(encrypted) + decipher.final
00931      *
00932      *   puts data == plain #=> true
00933      *
00934      * === Authenticated Encryption and Associated Data (AEAD)
00935      *
00936      * If the OpenSSL version used supports it, an Authenticated Encryption
00937      * mode (such as GCM or CCM) should always be preferred over any
00938      * unauthenticated mode. Currently, OpenSSL supports AE only in combination
00939      * with Associated Data (AEAD) where additional associated data is included
00940      * in the encryption process to compute a tag at the end of the encryption.
00941      * This tag will also be used in the decryption process and by verifying
00942      * its validity, the authenticity of a given ciphertext is established.
00943      *
00944      * This is superior to unauthenticated modes in that it allows to detect
00945      * if somebody effectively changed the ciphertext after it had been
00946      * encrypted. This prevents malicious modifications of the ciphertext that
00947      * could otherwise be exploited to modify ciphertexts in ways beneficial to
00948      * potential attackers.
00949      *
00950      * If no associated data is needed for encryption and later decryption,
00951      * the OpenSSL library still requires a value to be set - "" may be used in
00952      * case none is available. An example using the GCM (Galois Counter Mode):
00953      *
00954      *   cipher = OpenSSL::Cipher::AES.new(128, :GCM)
00955      *   cipher.encrypt
00956      *   key = cipher.random_key
00957      *   iv = cipher.random_iv
00958      *   cipher.auth_data = ""
00959      *
00960      *   encrypted = cipher.update(data) + cipher.final
00961      *   tag = cipher.auth_tag
00962      *
00963      *   decipher = OpenSSL::Cipher::AES.new(128, :GCM)
00964      *   decipher.decrypt
00965      *   decipher.key = key
00966      *   decipher.iv = iv
00967      *   decipher.auth_tag = tag
00968      *   decipher.auth_data = ""
00969      *
00970      *   plain = decipher.update(encrypted) + decipher.final
00971      *
00972      *   puts data == plain #=> true
00973      */
00974     cCipher = rb_define_class_under(mOSSL, "Cipher", rb_cObject);
00975     eCipherError = rb_define_class_under(cCipher, "CipherError", eOSSLError);
00976 
00977     rb_define_alloc_func(cCipher, ossl_cipher_alloc);
00978     rb_define_copy_func(cCipher, ossl_cipher_copy);
00979     rb_define_module_function(cCipher, "ciphers", ossl_s_ciphers, 0);
00980     rb_define_method(cCipher, "initialize", ossl_cipher_initialize, 1);
00981     rb_define_method(cCipher, "reset", ossl_cipher_reset, 0);
00982     rb_define_method(cCipher, "encrypt", ossl_cipher_encrypt, -1);
00983     rb_define_method(cCipher, "decrypt", ossl_cipher_decrypt, -1);
00984     rb_define_method(cCipher, "pkcs5_keyivgen", ossl_cipher_pkcs5_keyivgen, -1);
00985     rb_define_method(cCipher, "update", ossl_cipher_update, -1);
00986     rb_define_method(cCipher, "final", ossl_cipher_final, 0);
00987     rb_define_method(cCipher, "name", ossl_cipher_name, 0);
00988     rb_define_method(cCipher, "key=", ossl_cipher_set_key, 1);
00989     rb_define_method(cCipher, "auth_data=", ossl_cipher_set_auth_data, 1);
00990     rb_define_method(cCipher, "auth_tag=", ossl_cipher_set_auth_tag, 1);
00991     rb_define_method(cCipher, "auth_tag", ossl_cipher_get_auth_tag, -1);
00992     rb_define_method(cCipher, "authenticated?", ossl_cipher_is_authenticated, 0);
00993     rb_define_method(cCipher, "key_len=", ossl_cipher_set_key_length, 1);
00994     rb_define_method(cCipher, "key_len", ossl_cipher_key_length, 0);
00995     rb_define_method(cCipher, "iv=", ossl_cipher_set_iv, 1);
00996     rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
00997     rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
00998     rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
00999 }
01000 
01001