summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog15
-rw-r--r--ext/openssl/openssl_missing.h5
-rw-r--r--ext/openssl/ossl_cipher.c72
3 files changed, 37 insertions, 55 deletions
diff --git a/ChangeLog b/ChangeLog
index 5c11fd3eea..461b6dd4e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,18 @@
+Sun Jun 12 14:05:45 2016 Kazuki Yamaguchi <k@rhe.jp>
+
+ * ext/openssl/ossl_cipher.c (ossl_cipher_get_auth_tag,
+ ossl_cipher_set_auth_tag): Check if the cipher flags retrieved by
+ EVP_CIPHER_CTX_flags() includes EVP_CIPH_FLAG_AEAD_CIPHER to see if
+ the cipher supports AEAD. AES-GCM was the only supported in OpenSSL
+ 1.0.1.
+
+ (Init_ossl_cipher): Fix doc; OpenSSL::Cipher::AES.new(128, :GCM) can't
+ work.
+
+ * ext/openssl/openssl_missing.h: Define EVP_CTRL_AEAD_{GET,SET}_TAG if
+ missing. They are added in OpenSSL 1.1.0, and have the same value as
+ EVP_CTRL_GCM_{GET,SET}_TAG and EVP_CTRL_CCM_{GET,SET}_TAG.
+
Sun Jun 12 13:47:42 2016 Kazuki Yamaguchi <k@rhe.jp>
* test/openssl/test_engine.rb (test_openssl_engine_builtin,
diff --git a/ext/openssl/openssl_missing.h b/ext/openssl/openssl_missing.h
index 67df70a5e2..0c01703fff 100644
--- a/ext/openssl/openssl_missing.h
+++ b/ext/openssl/openssl_missing.h
@@ -228,4 +228,9 @@ IMPL_PKEY_GETTER(EC_KEY, ec)
#undef IMPL_KEY_ACCESSOR3
#endif /* HAVE_OPAQUE_OPENSSL */
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION) && !defined(EVP_CTRL_AEAD_GET_TAG)
+# define EVP_CTRL_AEAD_GET_TAG EVP_CTRL_GCM_GET_TAG
+# define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_GCM_SET_TAG
+#endif
+
#endif /* _OSSL_OPENSSL_MISSING_H_ */
diff --git a/ext/openssl/ossl_cipher.c b/ext/openssl/ossl_cipher.c
index e1408b9198..be7a0321ae 100644
--- a/ext/openssl/ossl_cipher.c
+++ b/ext/openssl/ossl_cipher.c
@@ -553,29 +553,9 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
return data;
}
-#define ossl_is_gcm(nid) (nid) == NID_aes_128_gcm || \
- (nid) == NID_aes_192_gcm || \
- (nid) == NID_aes_256_gcm
-
-static VALUE
-ossl_get_gcm_auth_tag(EVP_CIPHER_CTX *ctx, int len)
-{
- unsigned char *tag;
- VALUE ret;
-
- tag = ALLOC_N(unsigned char, len);
-
- if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, len, tag))
- ossl_raise(eCipherError, "retrieving the authentication tag failed");
-
- ret = rb_str_new((const char *) tag, len);
- xfree(tag);
- return ret;
-}
-
/*
* call-seq:
- * cipher.auth_tag([ tag_len ] -> string
+ * cipher.auth_tag(tag_len = 16) -> String
*
* Gets the authentication tag generated by Authenticated Encryption Cipher
* modes (GCM for example). This tag may be stored along with the ciphertext,
@@ -590,32 +570,23 @@ ossl_get_gcm_auth_tag(EVP_CIPHER_CTX *ctx, int len)
static VALUE
ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
{
- VALUE vtag_len;
+ VALUE vtag_len, ret;
EVP_CIPHER_CTX *ctx;
- int nid, tag_len;
+ int tag_len = 16;
- if (rb_scan_args(argc, argv, "01", &vtag_len) == 0) {
- tag_len = 16;
- } else {
+ if (rb_scan_args(argc, argv, "01", &vtag_len) == 1)
tag_len = NUM2INT(vtag_len);
- }
GetCipher(self, ctx);
- nid = EVP_CIPHER_CTX_nid(ctx);
- if (ossl_is_gcm(nid)) {
- return ossl_get_gcm_auth_tag(ctx, tag_len);
- } else {
+ if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
ossl_raise(eCipherError, "authentication tag not supported by this cipher");
- return Qnil; /* dummy */
- }
-}
-static inline void
-ossl_set_gcm_auth_tag(EVP_CIPHER_CTX *ctx, unsigned char *tag, int tag_len)
-{
- if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag))
- ossl_raise(eCipherError, "unable to set GCM tag");
+ ret = rb_str_new(NULL, tag_len);
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, RSTRING_PTR(ret)))
+ ossl_raise(eCipherError, "retrieving the authentication tag failed");
+
+ return ret;
}
/*
@@ -634,7 +605,6 @@ static VALUE
ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
{
EVP_CIPHER_CTX *ctx;
- int nid;
unsigned char *tag;
int tag_len;
@@ -643,13 +613,11 @@ ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
tag_len = RSTRING_LENINT(vtag);
GetCipher(self, ctx);
- nid = EVP_CIPHER_CTX_nid(ctx);
-
- if (ossl_is_gcm(nid)) {
- ossl_set_gcm_auth_tag(ctx, tag, tag_len);
- } else {
+ if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
ossl_raise(eCipherError, "authentication tag not supported by this cipher");
- }
+
+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
+ ossl_raise(eCipherError, "unable to set AEAD tag");
return vtag;
}
@@ -665,16 +633,10 @@ static VALUE
ossl_cipher_is_authenticated(VALUE self)
{
EVP_CIPHER_CTX *ctx;
- int nid;
GetCipher(self, ctx);
- nid = EVP_CIPHER_CTX_nid(ctx);
- if (ossl_is_gcm(nid)) {
- return Qtrue;
- } else {
- return Qfalse;
- }
+ return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
}
#else
#define ossl_cipher_set_auth_data rb_f_notimplement
@@ -948,7 +910,7 @@ Init_ossl_cipher(void)
* the OpenSSL library still requires a value to be set - "" may be used in
* case none is available. An example using the GCM (Galois Counter Mode):
*
- * cipher = OpenSSL::Cipher::AES.new(128, :GCM)
+ * cipher = OpenSSL::Cipher.new("aes-128-gcm")
* cipher.encrypt
* key = cipher.random_key
* iv = cipher.random_iv
@@ -957,7 +919,7 @@ Init_ossl_cipher(void)
* encrypted = cipher.update(data) + cipher.final
* tag = cipher.auth_tag
*
- * decipher = OpenSSL::Cipher::AES.new(128, :GCM)
+ * decipher = OpenSSL::Cipher.new("aes-128-gcm")
* decipher.decrypt
* decipher.key = key
* decipher.iv = iv