Allow MessageEncryptor to take advantage authenticated encryption modes

[bdewater]

AEAD modes have been supported since Ruby 2.0 (doc) and OpenSSL 1.0.1. It is faster:

require 'benchmark/ips'
require 'active_support/message_encryptor'
require 'active_support/key_generator'

Benchmark.ips do |x|
  salt  = SecureRandom.random_bytes(64)
  key   = ActiveSupport::KeyGenerator.new('password').generate_key(salt)
  data  = 'my secret data'

  x.report("default roundtrip") do
    crypt = ActiveSupport::MessageEncryptor.new(key)
    encrypted_data = crypt.encrypt_and_sign(data)
    crypt.decrypt_and_verify(encrypted_data)
  end

  x.report("aes-256-gcm roundtrip") do
    crypt = ActiveSupport::MessageEncryptor.new(key, cipher: 'aes-256-gcm')
    encrypted_data = crypt.encrypt_and_sign(data)
    crypt.decrypt_and_verify(encrypted_data)
  end

  x.compare!
end

Warming up --------------------------------------
   default roundtrip     2.148k i/100ms
aes-256-gcm roundtrip
                         4.698k i/100ms
Calculating -------------------------------------
   default roundtrip     21.947k (± 3.4%) i/s -    111.696k in   5.095390s
aes-256-gcm roundtrip
                         48.374k (± 4.2%) i/s -    244.296k in   5.058709s

Comparison:
aes-256-gcm roundtrip:    48374.4 i/s
   default roundtrip:    21946.7 i/s - 2.20x slower

And it produces smaller ciphertexts:

irb(main):090:0> ActiveSupport::MessageEncryptor.new(key).encrypt_and_sign(data).length
=> 138
irb(main):091:0> ActiveSupport::MessageEncryptor.new(key, cipher: 'aes-256-gcm').encrypt_and_sign(data).length
=> 76

[rafaelfranca]

r? @matthewd @jeremy

[jeremy]

Dig it! Can you ensure compatibility with MessageEncryptor that already use an AEAD cipher?

[bdewater]

That could probably work by counting the -- occurrences, I'll work on it somewhere later this week.

[bdewater]

@jeremy that should not work right now. MessageVerifier will tell that the message is valid but OpenSSL::Cipher::CipherError will be raised during decryption because the auth_tag is not set.

I've also done a quick test with aes-256-ccm (the only other AEAD chipher on my system with OpenSSL 1.0.2h according to OpenSSL::Cipher.ciphers) on my branch and it looks like that the Ruby bindings do not support this mode as authenticated. I've changed the #aead_mode? check to use what the bindings report about the cipher.

Edit: already fixed in Ruby trunk at ruby/ruby@9f70378

[jeremy]

take advantage *of

[bdewater]

Thanks for the feedback @jeremy, PR updated! However #23297 is also on the 5.1.0 milestone, in which direction does the team want to go with MessageEncryptor?

[jeremy]

Squashed in d4ea18a

[jeremy]

Thanks @bdewater! #23297 is a much larger effort to switch to a new message envelope (and more). Your work is independent and good for release even if the JWE work slips to 5.2.

[vipulnsward]

We should be adding a note that, switching modes busts previous auth messages that were set with current environment.

[vipulnsward]

Hmm, nevermind, I don't see how this will affect existing auth