Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for authenticated encryption/decryption using OpenSSL #4593

Open
bmmcginty opened this issue Jun 19, 2017 · 2 comments
Open

Add support for authenticated encryption/decryption using OpenSSL #4593

bmmcginty opened this issue Jun 19, 2017 · 2 comments
Labels
help wanted This issue is generally accepted and needs someone to pick it up kind:feature topic:stdlib:crypto

Comments

@bmmcginty
Copy link
Contributor

As it stands, Crystal doesn't support authenticated encryption/decryption using the OpenSSL::Cipher module.
According to
https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
we need to be able to:
.set custom IV length? (not sure when this would be used, research)
.add AAD (authenticated data) using EVP_EncryptUpdate
.get/set the authentication tag with EVP_CIPHER_CTX_ctrl

I don't mind writing the code for this, but suggestions are welcome as to organization/naming.
An update_aad function could be used to set authenticated data.
I could use the iv_len call still, and just make an iv_len= call to set a custom IV lenggth.
Similarly, authentication_tag and authentication_tag= calls could get/set the authentication tag.

It looks like this will work for CCM and GCM AES modes.

Any thoughts?
@danielwestendorf
Copy link
Contributor

I'm working on porting Ruby on Rails' MessageEncryptor to Crystal for safe communication between rails apps and crystal apps. It's dependent on implementation this ticket suggests.

How can I help?

My current roadblock is a lack of the authenticated? method.

def new_cipher
  OpenSSL::Cipher.new(@cipher)
end

def aead_mode?
  @aead_mode ||= new_cipher.authenticated?
end

@RX14 RX14 changed the title [ topic:stdlib] [community:to-design] Add support for authenticated encryption/decryption using OpenSSL Add support for authenticated encryption/decryption using OpenSSL Aug 20, 2018
@RX14 RX14 added kind:feature topic:stdlib help wanted This issue is generally accepted and needs someone to pick it up labels Aug 20, 2018
@danielwestendorf danielwestendorf mentioned this issue Dec 27, 2018
Merged
@washu
Copy link

washu commented Jan 8, 2025
edited
Loading

if your working on the Cihper you should also add the auth tag method, please note there is a missing error check and response validation that should be done.

@[Link("crypto")]
lib LibCrypto
	EVP_CTRL_GCM_GET_TAG = 0x10
	EVP_CTRL_GCM_SET_TAG = 0x11
	EVP_GCM_TLS_TAG_LEN  = 16
	fun evp_cipher_ctx_ctrl = EVP_CIPHER_CTX_ctrl(ctx : EVP_CIPHER_CTX, type : Int32, arg : Int32, ptr : Void*) : Int32
end
class OpenSSL::Cipher
	def auth_tag() : Bytes
	    tag = Bytes.new(LibCrypto::EVP_GCM_TLS_TAG_LEN)
		rc = LibCrypto.evp_cipher_ctx_ctrl(@ctx, LibCrypto::EVP_CTRL_GCM_GET_TAG, tag.size, pointerof(tag))
		if rc < 0
            raise OpenSSL::Error.new "EVP_Cipher_CTX_ctrl"
        end
        code = LibCrypto.err_get_error
        message = String.new(LibCrypto.err_error_string(code, nil))
	    return tag
	end
	def auth_tag=(tag : Bytes)
		if LibCrypto.evp_cipher_ctx_ctrl(@ctx, LibCrypto::EVP_CTRL_GCM_SET_TAG, tag.size, pointerof(tag)) != 1
		  raise OpenSSL::Error.new "EVP_Cipher_CTX_ctrl"
        end
	    tag
	end
end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
help wanted This issue is generally accepted and needs someone to pick it up kind:feature topic:stdlib:crypto
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@danielwestendorf @washu @HertzDevil @RX14 @bmmcginty