OpenSSL Cipher missing methods

[jwoertink]

In Ruby, the OpenSSL::Cipher class has an auth_data and auth_tag methods that seem to be missing from our Cipher.

I'm not really sure what these do, but I was trying to port some code from Ruby over, and got stuck on these methods.

[washu]

did you find a solution?

[jwoertink]

Not exactly. Ended up writing my own mini lib https://github.com/jwoertink/psst It doesn't really solve the issue, but allowed me to move on.

[washu]

i got it working with a weird caveat.
I monkeypatched lib_crypto to access the set data flag used in ruby
im my use case im reading the credentails.yml.enc file decrypting it to get the db username/passwords

here is the code im using
# key is loaded from the .enc file OR from a docker secrets file skipped for brevity key = key.hexbytes # load the encrypted file encrypted = File.open(load_file) do |file| file.gets_to_end end # copied from rails message encryptor and translated to crystal encrypted_data, iv, auth_tag = encrypted.split("--").map { |v| Base64.decode(v) } cipher = OpenSSL::Cipher.new("aes-128-gcm") cipher.decrypt cipher.key = key cipher.iv = iv cipher.auth_tag = auth_tag io = IO::Memory.new begin # rubys method that does chiper.auth_data = "", under the hoods calls down the chipher update. so i do it here first io.write(cipher.update("")) io.write(cipher.update(encrypted_data)) io.write(cipher.final) rescue e : Exception puts "Oddly we fail decryption here it could be the message auth tag is invalid or not set in the underlying ssl lib" end io.rewind decrypted_data = io.gets_to_end # for some reason we get a BOM marker as first 4 bytes and last byte is always an extra \" so we trim it off return YAML.parse(decrypted_data[5..-1])

I cant ever get the final to not error, but even not calling final the data is decrypted not exactly sure why that is but it works

here is the monkeypatch
@[Link("crypto")] lib LibCrypto EVP_CTRL_GCM_GET_TAG = 0x10 EVP_CTRL_GCM_SET_TAG = 0x11 EVP_GCM_TLS_TAG_LEN = 16 fun evp_cipher_ctx_ctrl = EVP_CIPHER_CTX_ctrl(ctx : EVP_CIPHER_CTX, type : Int32, arg : Int32, ptr : Void*) : Int32 end class OpenSSL::Cipher def auth_tag() : Bytes tag = Bytes.new(LibCrypto::EVP_GCM_TLS_TAG_LEN) LibCrypto.evp_cipher_ctx_ctrl(@ctx, LibCrypto::EVP_CTRL_GCM_GET_TAG, tag.size, pointerof(tag).as(Void*)) return tag end def auth_tag=(tag : Bytes) LibCrypto.evp_cipher_ctx_ctrl(@ctx, LibCrypto::EVP_CTRL_GCM_SET_TAG, tag.size, pointerof(tag).as(Void*)) end end