Add support for getting/setting GCM authentication tag (fixes #115)

[mwild1]

See #115 (comment) for context.

[daurnimator]

When was EVP_CIPHER_CTX_ctrl introduced? luaossl still tries to be compatible with old openssl versions

[mwild1]

I believe it's been around a "long time". I don't know if it was in 0.9.8 (I can dig if really necessary), but it's certainly in 1.0.2. It's due to be retired post-3.0.

[daurnimator]

It's due to be retired post-3.0.

What is it going to be replaced with?

[mwild1]

A new OSSL_PARAM API they've introduced. I haven't looked too much into it so far, as I haven't been working on any code that can be 3.0.x-only just yet.

[daurnimator]

Should this be cipher_gcm_get_tag or similar to follow the naming of the option?

[mwild1]

Possibly. It's actually not unique to GCM, but to the family of AEAD modes - in OpenSSL this includes CCM. In 1.1.x there is now therefore an alias for EVP_CTRL_AEAD_GET_TAG but this constant is not defined in 1.0.x. The current code should work with both GCM and CCM.

If we change the name, we could call it e.g. :get_aead_tag(), but I don't know whether this level of disambiguation is necessary.

[daurnimator]

Would it be sensible to use EVP_CIPHER_type to get the type of the cipher and then use the relevant constant?

[mwild1]

I don't think so. As I mentioned, modern versions of OpenSSL have both CCM_GET_TAG and GCM_GET_TAG aliased to AEAD_GET_TAG. The latter was added in 1.1, but before this the CCM variant was an alias of GCM_GET_TAG anyway.

In summary: in old versions, GCM_GET_TAG and CCM_GET_TAG are interchangeable identifiers for the same operation. In newer versions (1.1+) AEAD_GET_TAG was added as a generic identifier for this operation.

References:

• openssl/openssl@e640fa0

[daurnimator]

Could you add a comment saying as much?

[mwild1]

Added in 4a8b770

[mwild1]

The following code snippet can be used to test GCM encryption (it's based on the code originally posted as broken in #115):

local cipher = require "openssl.cipher"
local key = "abcdefghijklmnopabcdefghijklmnop"
local iv = "123456123456"
local message = "My secret message"

local c = cipher.new("aes-256-gcm"):encrypt(key, iv);
local encrypted = c:update(message)
assert(c:final());
local tag = assert(c:getTag(16));

print("Encrypted to "..#encrypted.." bytes with "..#tag.."-byte tag");

-- Now for the decryption
local aes = cipher.new("aes-256-gcm"):decrypt(key, iv)
-- Provide the expected authentication tag to OpenSSL
aes:setTag(tag);
local decrypted = aes:update(encrypted)
print(decrypted)
print(aes:final())

CCM can be tested by changing c:getTag(16) to c:getTag(12) and obviously changing -gcm to -ccm in the cipher name.

[daurnimator]

The following code snippet ...

Could you add this as a regression test?

[mwild1]

Regression test added in e402818

[daurnimator]

Couple of nits; otherwise LGTM.

[daurnimator]

These need whitespace for alignment

[mwild1]

Fixed in 0dad2b3

[daurnimator]

Suggested change

	} /* cipher_get_tag() */
	} /* cipher_set_tag() */

[mwild1]

Fixed in 0dad2b3

[daurnimator]

Merged with bed73b6

[daurnimator]

@mwild1 I'm only running your regression tests now, and I get:

$ lua 115-test-aead.lua 
lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (12: invalid IV length (should be 7))
stack traceback:
	[C]: in method 'encrypt'
	115-test-aead.lua:12: in function 'test_aead'
	115-test-aead.lua:36: in main chunk
	[C]: in ?

[mwild1]

Well that's interesting. The test passes fine for me as-is. If I change the IV length to 7, I get:

lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (7: invalid IV length (should be 12))
stack traceback:
	[C]: in function 'encrypt'
	115-test-aead.lua:12: in function 'test_aead'
	115-test-aead.lua:37: in main chunk
	[C]: in ?

This is with OpenSSL 1.1.1.

Although I can't find it now, I vaguely recall some documentation that indicated the iv_length() function was not reliable for ciphers that accept IVs of variable/multiple lengths.

My guess is that maybe the default IV length has changed between versions. Out of curiosity, what version was your result with?

Some further reading:

• AEAD: EVP_CIPHER_CTX_iv_length is oblivious to EVP_CTRL_AEAD_SET_IVLEN openssl/openssl#8330 has some discussion about this issue
• openssl/openssl@728f944 may improve the situation, but is in 1.1.1+ only

So in 1.1.1+ if we explicitly set the IV length (which might be sensible anyway if the default varies between versions) then this issue should go away. But if we want backwards-compatibility with pre-1.1.1, I guess we need to skip this check for these ciphers.

[daurnimator]

If I change the IV length to 7, I get:

lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (7: invalid IV length (should be 12))
stack traceback:
	[C]: in function 'encrypt'
	115-test-aead.lua:12: in function 'test_aead'
	115-test-aead.lua:37: in main chunk
	[C]: in ?

Me too:

$ git diff
diff --git a/regress/115-test-aead.lua b/regress/115-test-aead.lua
index ed0f7f8..5026ce1 100644
--- a/regress/115-test-aead.lua
+++ b/regress/115-test-aead.lua
@@ -5,7 +5,7 @@ local cipher = require "openssl.cipher"
 
 -- Test AES-256-GCM
 local key = "abcdefghijklmnopabcdefghijklmnop"
-local iv = "123456123456"
+local iv = "1234561"
 local message = "My secret message"
 
 function test_aead(params)
$ lua 115-test-aead.lua 
lua: 115-test-aead.lua:12: bad argument #2 to 'encrypt' (7: invalid IV length (should be 12))
stack traceback:
	[C]: in method 'encrypt'
	115-test-aead.lua:12: in function 'test_aead'
	115-test-aead.lua:31: in main chunk
	[C]: in ?

Out of curiosity, what version was your result with?

$ openssl version
OpenSSL 1.1.1p  21 Jun 2022

So in 1.1.1+ if we explicitly set the IV length (which might be sensible anyway if the default varies between versions) then this issue should go away.

I'm running new enough that the fix you mentioned should be in. I guess it's something else...

[daurnimator]

oh; I only just noticed the line number in the stack trace: the error moves from 36 to 31 when the IV changes length.

So I guess for aes-256-gcm it wants 12; but for aes-256-ccm it wants 7? or some variable length where it's currently initialised to 7?

[mwild1]

Yeah, I made these changes for testing:

diff --git a/regress/115-test-aead.lua b/regress/115-test-aead.lua
index ed0f7f8..febea2d 100644
--- a/regress/115-test-aead.lua
+++ b/regress/115-test-aead.lua
@@ -9,7 +9,7 @@ local iv = "123456123456"
 local message = "My secret message"
 
 function test_aead(params)
-       local c = cipher.new(params.cipher):encrypt(key, iv)
+       local c = cipher.new(params.cipher):encrypt(key, params.iv)
 
        local encrypted = c:update(message)
        regress.check(encrypted)
@@ -31,9 +31,11 @@ end
 test_aead {
        cipher = "aes-256-gcm";
        tag_length = 16;
+       iv = iv;
 }
 
 test_aead {
        cipher = "aes-256-ccm";
        tag_length = 12;
+       iv = iv:sub(1, 7);
 }

[daurnimator]

@mwild1 how about #202 ?