AesGcm, AesCcm

[krwq]

Fixes: https://github.com/dotnet/corefx/issues/23629
Low level functions for AES-GCM, AES-CCM

API shape (equivalent for AesCcm)

    public sealed class AesGcm : IDisposable
    {
        public AesGcm(ReadOnlySpan<byte> key) { }
        public AesGcm(byte[] key) { }
        public static KeySizes TagByteSizes { get => throw null; }
        public static KeySizes NonceByteSizes { get => throw null; }
        public void Encrypt(ReadOnlySpan<byte> nonce, ReadOnlySpan<byte> plaintext, Span<byte> ciphertext, Span<byte> tag, ReadOnlySpan<byte> associatedData = default) => throw null;
        public void Encrypt(byte[] nonce, byte[] plaintext, byte[] ciphertext, byte[] tag, byte[] associatedData = null) => throw null;
        public void Decrypt(ReadOnlySpan<byte> nonce, ReadOnlySpan<byte> ciphertext, ReadOnlySpan<byte> tag, Span<byte> plaintext, ReadOnlySpan<byte> associatedData = default) => throw null;
        public void Decrypt(byte[] nonce, byte[] ciphertext, byte[] tag, byte[] plaintext, byte[] associatedData = default) => throw null;
        public void Dispose() { }
    }

    public sealed class AesCcm : IDisposable { /* same as gcm */ }

Design notes:

• There is no good API design which would generalize Authenticated Encryption algorithms – each algorithm has different properties and pitfalls – for now “bare bones” implementation
• Even though AES-GCM does allow streaming most of the people use and will use it incorrectly – we won’t support that – users should encrypt multiple times instead
• Nonce is required by AES-GCM/AES-CCM - there is a known (unfortunately not by everyone) pitfall of using same nonce with the same key more than once – we considered abstraction which would make it less likely to happen but does not completely prevent it in some scenarios (abstracting it did not have good response in the issue 😄)

[vcsjones]

~It would be nice if this had platform specific types and AesG/Ccm delegated to them depending on the platform. For example, a AesGcmCng and an AesGcmOpenSsl (similar to the design of ECDsa).

It would be nice if the macOS platform used the same implementation from Unix and optionally "light up" macOS of they happen to have a suitable version of OpenSSL installed.

The motivation for this is so that there is something that is workable in macOS. I realize OpenSSL is not exactly in-the-box on macOS (aside from an ancient version and an fork of it as libressl). However, for aiding in local development, it would be useful to be able to use it if I happen to have it installed with homebrew or however I get it installed (similar to how things worked in the 1.x days).

[Tornhoof]

output.AsSpan(outputBytes)

[Tornhoof]

input.AsSpan(inputOffset)

[Tornhoof]

output.AsSpan(outputOffset)

[Tornhoof]

AsSpan(sizeof(BCRYPT_KEY_DATA_BLOB_HEADER))

Please revisit other uses of new Span/Slice/AsSpan as necessary.

[krwq]

i think these should be sealed

[krwq]

Eh, seems like CCM might not work on Ubuntu 14.04 - per openssl release notes it seems to have been added between OpenSSL 1.0.2h and OpenSSL 1.1.0 and 14.04 seems to be on 1.0.1. @bartonjs how do we handle such cases? OpenSSL version check and PNSE if lower than supported? (do we already have version checks anywhere?)

Seems like we already do that in some places:

corefx/src/Common/tests/System/Net/SslProtocolSupport.cs

Line 24 in 3cc6fda

(RuntimeInformation.IsOSPlatform(OSPlatform.Linux) && PlatformDetection.OpenSslVersion < new Version(1, 0, 2) && !PlatformDetection.IsDebian))

[krwq]

@vcsjones - I personally think this would be unnecessarily complicated but do not have strong opinion about it. As for openssl on OSX - considering I'll likely need to add version checks I think it might be possible to make it check for presence of OpenSSL and make it work on OSX if OpenSSL with appropriate version is installed. Not sure if this will happen in this PR or later though.

[vcsjones]

@krwq

I personally think this would be unnecessarily complicated but do not have strong opinion about it.

That's fine, you could also just remove the macos exclusion here. https://github.com/dotnet/corefx/pull/31389/files#diff-f5613604087291d4cee8422733c29366R383

Since ubuntu Ubuntu 14.04 might be forcing you to implement a openssl version check, you may get that for macOS for "free" as well too.

do we already have version checks anywhere?

See and it's usages

corefx/src/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.OpenSslVersion.cs

Line 17 in 711c428

internal static Version OpenSslVersion

[bartonjs]

Instead of AsSpan().Slice( you should be able to just do AsSpan(

[bartonjs]

I don't know that this really belongs in Common. And nothing about it really makes it "a key", other than usage. It's really SafeExternalizedDataHandle.

Assuming (from hallway discussions) that this is just for Linux CCM, just store it as byte[], don't bother with moving it to native memory (unless there's a persistence requirement for this pointer in OpenSSL, but I'm pretty sure they copy the data, not hold the pointer)

[krwq]

The only concern with byte[] is that it can be moved around in memory

[bartonjs]

Yep. But there's an outstanding feature request to get GC compaction to clean up after itself. And we already do it with the Aes class.

[bartonjs]

This should just be Source and ID. The purpose of this class is to make the test log easier to read. The places that are varying on nonce length should rename their source to take that into account.

[krwq]

The motivation here was that some NIST test vectors have duplicate Count = X in the same file - not sure how to rename the source to account for that (except for doing it as above except with hard-coded string)

[krwq]

ok nvm, explained later

[bartonjs]

I'd like to see the Source take into account the file and a short form of the section, just to keep the test log easier to read.

Something like Source = $"{NistGcmTestVectors} - gcmEncryptExtV128 - 128/96/0/0/128",, then the Count= item would be the CaseId here.

[bartonjs]

The field can be declared readonly. This applies to the other case-sets, too.

[bartonjs]

Why bother asking the OS for the answer we already know? I'd just make this be defined as a literal in the AnyOS version.

[morganbr]

I think this is implementation-specific

[bartonjs]

IIRC, Windows only allows a single size here, and we locked the OpenSSL/Unix one to the single Windows value.

[krwq]

@bartonjs I was wondering if this should be hard coded or "always ask OS" - will change to hard-coded as it probably won't change in the future

[bartonjs]

Most of the rest of crypto uses hex.

[bartonjs]

These feel like ArgumentException

[bartonjs]

This seems overly indented

[bartonjs]

The span ctor should not throw an ArgumentNullException.

[krwq]

@vcsjones I think we can make OSX work but I currently don't have clean OSX to test scenarios where openssl >= 1.0.0 is not present (CIs have it preinstalled). I think I'll add version detection to non-OSX for now and will leave the issue open to fix it later (or maybe someone could help testing this). We need to make sure we get PNSE and not any other exception in such cases

[vcsjones]

or maybe someone could help testing this

Happy to help if you want to go that direction. I have a 2012 MBP that has a bare 10.12 installation. I will make sure not to install openssl on it :-).

[krwq]

@vcsjones thank you for offering your help!

[vcsjones]

In the interest of moving the PR along, I'm fine with going in with macOS throwing PNSE in this PR. I can open a separate issue once this is merged to have macOS use OpenSSL if present with the version check and do that myself since I'm the one that wants it, assuming there are no other objections to it. 😊

[bartonjs]

On Linux we have a requirement that OpenSSL be found, so getting a TypeInitializationException due to the... TargetInvocationException(?) is acceptable.

On macOS we should really do a PNSE, since it's an optional component.

If we let Ubuntu 14.04 and macOS both do PNSE:

internal static class AeadAvailability
{
    internal static readonly bool IsSupported = CheckSupport();

    private static void CheckSupport()
    {
        try
        {
            if (Interop.Crypto.HoweverWeCheckOpenSslVersions > Whatever)
            {
                return true;
            }
        }
        catch (TypeInitializationException)
        {
        }

        return false;
    }
}

I think.

The intermediate type is needed to keep the TypeInitializationException from Interop.Crypto from cascading.

[bartonjs]

Though instead of checking versions it might make more sense to just add a shim method to answer the question.

Assuming that Aes128Gcm cipher (and friends) weren't defined in the version that Ubuntu 14.04 has, they'd need to be moved to non-required portable bind, and you can make a detector method return API_EXISTS(EVP_aes_128_gcm)

See the handling for EC_GF2m_simple_method for how this will need to work.

[morganbr]

I'm not sure I understand what this block is for... is it to handle a 0 length ciphertext that still has associated data? If so, I don't understand why we're passing in this value

[krwq]

yes, will add comment

[morganbr]

EvpCipherUpdate doesn't check the tag (it can't since you might add more data). This should have a different message.

[krwq]

Actually for CCM data is fixed and known upfront and EvpCipherUpdate does check the tag (what you said is true for GCM though - CCM always fails when calling *FinalEx)

[bartonjs]

Do any of the tests feed ciphertext that is too long or too short into decrypt? If not, please add those test cases.

[bartonjs]

RandomNumberGenerator.Fill(key) lets you get rid of the using.

[bartonjs]

What is this adding over the NIST cases? (If it's adding something I'm happy to have it, but I'm not seeing what it is)

[krwq]

for gcm probably not much - will remove - for ccm - nist test cases are not great (most of them have nonce size we don't support) and haven't seen any cases without AAD (will remove those which don't add value)

[morganbr]

Do we even need to support 0-length plaintext? What's the case for just producing authenticated data with AES?

[bartonjs]

I think for something like TLS that's "I'm sending an empty keepalive frame"

[krwq]

@morganbr mixed feeling about supporting vs non-supporting this scenario - on one hand there is probably no good scenarios where you should do that over i.e. calculating hash on the other hand it might make sense if for whatever reason you got such data over the wire (or the other end expected it) and would like to validate it. Since this is a low-level API I do not think we should not support it

[bartonjs]

Since this is "your input is bad" it should be something based on ArgumentException

[morganbr]

Shouldn't this have the invalid tag string?

[krwq]

yes, thanks for spotting

[morganbr]

Since this is random, it should log the tag on failure

[bartonjs]

A comment is probably warranted for why CCM opens a new key handle every time but GCM doesn't

Update: I guess you had one up at the field. Nevermind.

[krwq]

had to rebase after merge conflict

[karelz]

@krwq we do not use api-ready-for-review on PRs. Please create a new issue (or reuse existing one) with the API proposal.

[krwq]

API got approved today, squashing and merging...

[pgolebiowski]

Tears in my eyes. Thank you, @krwq! ❤️

[pgolebiowski]

Why 3.0 and not 2.2 if it's already merged?

Reference: https://github.com/dotnet/core/blob/master/roadmap.md.

@karelz

[karelz]

@pgolebiowski master flows automatically only into 3.0. .NET Core 2.2 is more servicing release for lower layers (CoreCLR/CoreFx). There is more churn (incl. automatic flow from master branch) in higher levels (e.g. ASP.NET Core).

[pgolebiowski]

Thank you for the clarification, sir.

[oliverjanik]

Anyway this can be used from the old .NET Framework?

[karelz]

No, changes in Core don't flow into .NET Framework. Too much risk of breaking something.