/
AesCcm.OpenSsl.cs
152 lines (127 loc) · 6.04 KB
/
AesCcm.OpenSsl.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
// Licensed to the .NET Foundation under one or more agreements.
// The .NET Foundation licenses this file to you under the MIT license.
using System.Diagnostics;
using System.Diagnostics.CodeAnalysis;
using Microsoft.Win32.SafeHandles;
namespace System.Security.Cryptography
{
public sealed partial class AesCcm
{
private byte[]? _key;
public static bool IsSupported { get; } = Interop.OpenSslNoInit.OpenSslIsAvailable;
[MemberNotNull(nameof(_key))]
private void ImportKey(ReadOnlySpan<byte> key)
{
// OpenSSL does not allow setting nonce length after setting the key
// we need to store it as bytes instead
// Pin the array on the POH so that the GC doesn't move it around to allow zeroing to be more effective.
_key = GC.AllocateArray<byte>(key.Length, pinned: true);
key.CopyTo(_key);
}
private void EncryptCore(
ReadOnlySpan<byte> nonce,
ReadOnlySpan<byte> plaintext,
Span<byte> ciphertext,
Span<byte> tag,
ReadOnlySpan<byte> associatedData = default)
{
CheckDisposed();
using (SafeEvpCipherCtxHandle ctx = Interop.Crypto.EvpCipherCreatePartial(GetCipher(_key.Length * 8)))
{
Interop.Crypto.CheckValidOpenSslHandle(ctx);
// We need to set mode to encryption before setting the tag and nonce length
// otherwise older versions of OpenSSL (i.e. 1.0.1f which can be found on Ubuntu 14.04) will fail
Interop.Crypto.EvpCipherSetKeyAndIV(ctx, Span<byte>.Empty, Span<byte>.Empty, Interop.Crypto.EvpCipherDirection.Encrypt);
Interop.Crypto.EvpCipherSetCcmTagLength(ctx, tag.Length);
Interop.Crypto.EvpCipherSetCcmNonceLength(ctx, nonce.Length);
Interop.Crypto.EvpCipherSetKeyAndIV(ctx, _key, nonce, Interop.Crypto.EvpCipherDirection.NoChange);
if (associatedData.Length != 0)
{
// length needs to be known ahead of time in CCM mode
Interop.Crypto.EvpCipherSetInputLength(ctx, plaintext.Length);
if (!Interop.Crypto.EvpCipherUpdate(ctx, Span<byte>.Empty, out _, associatedData))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
}
if (!Interop.Crypto.EvpCipherUpdate(ctx, ciphertext, out int ciphertextBytesWritten, plaintext))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
if (!Interop.Crypto.EvpCipherFinalEx(
ctx,
ciphertext.Slice(ciphertextBytesWritten),
out int bytesWritten))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
ciphertextBytesWritten += bytesWritten;
if (ciphertextBytesWritten != ciphertext.Length)
{
Debug.Fail($"CCM encrypt wrote {ciphertextBytesWritten} of {ciphertext.Length} bytes.");
throw new CryptographicException();
}
Interop.Crypto.EvpCipherGetCcmTag(ctx, tag);
}
}
private void DecryptCore(
ReadOnlySpan<byte> nonce,
ReadOnlySpan<byte> ciphertext,
ReadOnlySpan<byte> tag,
Span<byte> plaintext,
ReadOnlySpan<byte> associatedData)
{
CheckDisposed();
using (SafeEvpCipherCtxHandle ctx = Interop.Crypto.EvpCipherCreatePartial(GetCipher(_key.Length * 8)))
{
Interop.Crypto.CheckValidOpenSslHandle(ctx);
Interop.Crypto.EvpCipherSetCcmNonceLength(ctx, nonce.Length);
Interop.Crypto.EvpCipherSetCcmTag(ctx, tag);
Interop.Crypto.EvpCipherSetKeyAndIV(ctx, _key, nonce, Interop.Crypto.EvpCipherDirection.Decrypt);
if (associatedData.Length != 0)
{
// length needs to be known ahead of time in CCM mode
Interop.Crypto.EvpCipherSetInputLength(ctx, ciphertext.Length);
if (!Interop.Crypto.EvpCipherUpdate(ctx, Span<byte>.Empty, out _, associatedData))
{
throw Interop.Crypto.CreateOpenSslCryptographicException();
}
}
if (!Interop.Crypto.EvpCipherUpdate(ctx, plaintext, out int plaintextBytesWritten, ciphertext))
{
plaintext.Clear();
throw new AuthenticationTagMismatchException();
}
if (plaintextBytesWritten != plaintext.Length)
{
Debug.Fail($"CCM decrypt wrote {plaintextBytesWritten} of {plaintext.Length} bytes.");
throw new CryptographicException();
}
// The OpenSSL documentation says not to call EvpCipherFinalEx for CCM decryption, and calling it will report failure.
// https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption#Authenticated_Decryption_using_CCM_mode
}
}
private static IntPtr GetCipher(int keySizeInBits)
{
switch (keySizeInBits)
{
case 128: return Interop.Crypto.EvpAes128Ccm();
case 192: return Interop.Crypto.EvpAes192Ccm();
case 256: return Interop.Crypto.EvpAes256Ccm();
default:
Debug.Fail("Key size should already be validated");
return IntPtr.Zero;
}
}
public void Dispose()
{
CryptographicOperations.ZeroMemory(_key);
_key = null;
}
[MemberNotNull(nameof(_key))]
private void CheckDisposed()
{
ObjectDisposedException.ThrowIf(_key is null, this);
}
}
}