Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

CRYPTO-60: opensslCipher support GCM mode #70

Closed
wants to merge 1 commit into from
Closed

CRYPTO-60: opensslCipher support GCM mode #70

wants to merge 1 commit into from

Conversation

kexianda
Copy link
Contributor

CRYPTO-60
support GCM mode

sundapeng
sundapeng reviewed Oct 24, 2016
View reviewed changes
src/main/java/org/apache/commons/crypto/cipher/OpenSsl.java Outdated
this.padding = padding;

// context should be initialized
if (context != 0) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

According the previous code, if context is zero, we still pass it to OpenSslCommonMode? Is the behavior changed now?

src/main/java/org/apache/commons/crypto/cipher/OpenSsl.java Outdated
// context should be initialized
if (context != 0) {
if (algorithm == AlgorithmMode.AES_GCM.ordinal()) {
opensslBlockCipher = new OpenSslGaloisCounterMode(context, algorithm, padding);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: OpenSslGaloisCounterMode: Is OpenSslGaloisCounterCipher better?

src/main/java/org/apache/commons/crypto/cipher/OpenSsl.java Outdated
if (algorithm == AlgorithmMode.AES_GCM.ordinal()) {
opensslBlockCipher = new OpenSslGaloisCounterMode(context, algorithm, padding);
} else {
opensslBlockCipher = new OpenSslCommonMode(context, algorithm, padding);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: OpenSslCommonMode: is OpenSslCommonCipher better?

src/main/java/org/apache/commons/crypto/cipher/OpenSsl.java
}
}

/** Checks whether context is initialized. */
private void checkState() {
Utils.checkState(context != 0);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question, why not use context for checking State? Is the behavior changed now?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. behavior is not changed. The context was moved to to the Cipher(OpenSslFeedbackCipher).
    The cipher will check its own state.

  2. Well, I am considering to remove OpenSsl.java. From my point of view, now this layer(OpenSsl.java) seems redundant , we can move the logic(paramenters check) in OpenSsl.java to OpenSslCipher.
    Then, the codebase will be clear:

  • OpenSslCipher which implements the CryptoCipher interface which is exposed to the users.
  • OpenSslFeedbackCipher and its sub classes (OpenSslGaloisCounterMode,OpenSslCommonMode) are private classes. they do the real work(encription/decription) for different modes.
  • OpenSslNative: JNI class
    Maybe we can do this later.

src/main/java/org/apache/commons/crypto/cipher/OpenSslCommonMode.java Outdated
inputLen, output, outputOffset, output.length - outputOffset);

len += OpenSslNative.doFinalByteArray(context, output, outputOffset + len,
output.length - outputOffset);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should output.length - outputOffset be output.length - outputOffset - len ?

src/main/native/org/apache/commons/crypto/org_apache_commons_crypto.h Outdated
@@ -216,12 +216,15 @@ static FARPROC WINAPI do_dlsym(JNIEnv *env, HMODULE handle, LPCSTR symbol) {
#define ENCRYPT_MODE 1
#define DECRYPT_MODE 0

/** Currently only support AES/CTR/NoPadding. */
/** Currently only support AES/CTR/NoPadding, AES/CBC/NoPadding. AES/GCM/NoPadding */
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AES/CTR/NoPadding, AES/CBC/NoPadding, AES/CBC/PKCS5Padding, AES/GCM/NoPadding

sundapeng
sundapeng reviewed Oct 24, 2016
View reviewed changes
src/main/java/org/apache/commons/crypto/cipher/OpenSslGaloisCounterMode.java Outdated
}

len += OpenSslNative.doFinalByteArray(context, output, outputOffset + len,
output.length - outputOffset);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should output.length - outputOffset be output.length - outputOffset - len

@yaronlev171
Copy link

Hi, I am very interested in this PR - any reason why it was not merged?
Thanks,
Yaron.

@kexianda
Copy link
Contributor Author

@yaronlev171, This PR implements GCM only in Cipher level. it needs to be tested more, but I was busy on other stuffs. I will be back on this PR soon, i will refine the code and do more testing.

now, Stream level api does not support GCM. We need to do more work on stream API.

@yaronlev171
Copy link

@kexianda thanks for the reply.
Do you know of any standard/mainstream alternative for getting gcm to work fully with aes-ni?

yaronlev171
yaronlev171 reviewed May 5, 2017
View reviewed changes
src/main/java/org/apache/commons/crypto/cipher/OpenSslGaloisCounterMode.java
class OpenSslGaloisCounterMode extends OpenSslFeedbackCipher {

// buffer for AAD data; if consumed, set as null
private ByteArrayOutputStream aadBuffer = new ByteArrayOutputStream();
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this should be set inside init() so the cipher with aad is reusable after clean(). [tested]

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thank you for this comment. I'll update the patch.

@coveralls
Copy link

coveralls commented May 31, 2017
edited
Loading

Coverage Status

Coverage decreased (-7.4%) to 66.073% when pulling 22c98a3 on kexianda:gcm3 into 9c0a452 on apache:master.

@sundapeng
Copy link
Member

+1, thank @kexianda for the contribution!

@kexianda
Copy link
Contributor Author

kexianda commented Nov 6, 2017

Thank @sundapeng. I will update the testcases with samples for GCM/GMAC soon.

@kexianda
CRYPTO-60: opensslCipher support GCM mode
b86f1c0 
support AES-GCM cipher, also we has GMAC.
code refactor.
@kexianda
Copy link
Contributor Author

kexianda commented Nov 7, 2017

BUILD SUCCESS on my local dev enviroment. but failed on travis-ci.
weird...

@sundapeng
Copy link
Member

Thank @kexianda, I will fix it.

@asfgit asfgit closed this in aad8c55 Nov 20, 2017
@vanzin vanzin mentioned this pull request Oct 4, 2018
Open
@laxmanprabhu
Copy link

Is there a timeline for the release of this feature. The version is 3 years old.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@yaronlev171 yaronlev171 yaronlev171 left review comments

@sundapeng sundapeng sundapeng left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@kexianda @yaronlev171 @coveralls @sundapeng @laxmanprabhu