Implement verification of AES-GCM tag with OpenSSL.

2025-03-28 21:13:18 +00:00 · 2023-04-25 23:11:23 -07:00 · 2023-04-25 23:11:23 -07:00 · 1c24464e50
commit 1c24464e50
parent 8964058d0c
6 changed files with 108 additions and 13 deletions
--- a/mz_crypt.h
+++ b/mz_crypt.h
@ -38,6 +38,7 @@ void     mz_crypt_aes_reset(void *handle);
 int32_t  mz_crypt_aes_encrypt(void *handle, uint8_t *buf, int32_t size);
 int32_t  mz_crypt_aes_decrypt(void *handle, uint8_t *buf, int32_t size);
 int32_t  mz_crypt_aes_get_auth_tag(void *handle, uint8_t *tag, int32_t tag_size);
+int32_t  mz_crypt_aes_set_auth_tag(void *handle, uint8_t *tag, int32_t tag_size);
 int32_t  mz_crypt_aes_set_encrypt_key(void *handle, const void *key, int32_t key_length,
  const void *iv, int32_t iv_length);
 int32_t  mz_crypt_aes_set_decrypt_key(void *handle, const void *key, int32_t key_length,
--- a/mz_crypt_apple.c
+++ b/mz_crypt_apple.c
@ -246,14 +246,42 @@ int32_t mz_crypt_aes_decrypt(void *handle, uint8_t *buf, int32_t size) {
    return size;
 }

-int32_t mz_crypt_aes_get_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
+int32_t mz_crypt_aes_set_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
    mz_crypt_aes *aes = (mz_crypt_aes *)handle;
-    size_t tag_length = (size_t)tag_size;
+    uint8_t tag_actual_buf[MZ_AES_BLOCK_SIZE];
+    size_t tag_actual_len = sizeof(tag_actual_buf);
+    uint8_t *tag_actual = tag_actual_buf;
+    int32_t c = tag_size;
+    int32_t is_ok = 0;

    if (!aes || !tag || !tag_size)
        return MZ_PARAM_ERROR;

-    aes->error = CCCryptorGCMFinal(aes->crypt, tag, &tag_length);
+    /* CCCryptorGCMFinal does not verify tag */
+    aes->error = CCCryptorGCMFinal(aes->crypt, tag_actual, &tag_actual_len);
+
+    if (aes->error != kCCSuccess)
+        return MZ_CRYPT_ERROR;
+    if (tag_size != tag_actual_len)
+        return MZ_CRYPT_ERROR;
+
+    /* Timing safe comparison */
+    for (; c > 0; c--)
+        is_ok |= *tag++ ^ *tag_actual++;
+
+    if (is_ok)
+        return MZ_CRYPT_ERROR;
+
+    return MZ_OK;
+}
+
+int32_t mz_crypt_aes_get_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
+    mz_crypt_aes *aes = (mz_crypt_aes *)handle;
+
+    if (!aes || !tag || !tag_size)
+        return MZ_PARAM_ERROR;
+
+    aes->error = CCCryptorGCMFinal(aes->crypt, tag, (size_t *)&tag_size);

    if (aes->error != kCCSuccess)
        return MZ_CRYPT_ERROR;
--- a/mz_crypt_openssl.c
+++ b/mz_crypt_openssl.c
@ -330,19 +330,59 @@ int32_t mz_crypt_aes_decrypt(void *handle, uint8_t *buf, int32_t size) {
 }

 int32_t mz_crypt_aes_get_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
+#if OPENSSL_VERSION_NUMBER < 0x00900070L
+    return MZ_SUPPORT_ERROR;
+#else
    mz_crypt_aes *aes = (mz_crypt_aes *)handle;
+    uint8_t temp[MZ_AES_BLOCK_SIZE];
+    int temp_len = sizeof(temp);
+    int result = 0;

    if (!aes || !tag || !tag_size)
        return MZ_PARAM_ERROR;

+    /* Must call EncryptFinal for tag to be calculated */
+    result = EVP_EncryptFinal_ex(aes->ctx, NULL, &temp_len);
+
+    if (result)
+        result = EVP_CIPHER_CTX_ctrl(aes->ctx, EVP_CTRL_GCM_GET_TAG, tag_size, tag);
+
+    if (!result) {
+        aes->error = ERR_get_error();
+        return MZ_CRYPT_ERROR;
+    }
+
+    return MZ_OK;
+#endif
+}
+
+
+int32_t mz_crypt_aes_set_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
 #if OPENSSL_VERSION_NUMBER < 0x00900070L
    return MZ_SUPPORT_ERROR;
 #else
+    mz_crypt_aes *aes = (mz_crypt_aes *)handle;
+    uint8_t temp[MZ_AES_BLOCK_SIZE];
+    int temp_len = sizeof(temp);
+    int result = 0;
+
+    if (!aes || !tag || !tag_size)
+        return MZ_PARAM_ERROR;
+
+    /* Set expected tag */
    if (!EVP_CIPHER_CTX_ctrl(aes->ctx, EVP_CTRL_GCM_SET_TAG, tag_size, tag)) {
        aes->error = ERR_get_error();
        return MZ_CRYPT_ERROR;
    }

+    /* Must call DecryptFinal for tag verification */
+    result = EVP_DecryptFinal_ex(aes->ctx, temp, &temp_len);
+
+    if (!result) {
+        aes->error = ERR_get_error();
+        return MZ_CRYPT_ERROR;
+    }
+
    return MZ_OK;
 #endif
 }
@ -386,13 +426,13 @@ static int32_t mz_crypt_aes_set_key(void *handle, const void *key, int32_t key_l
    if (!aes->ctx)
        return MZ_MEM_ERROR;

-    EVP_CIPHER_CTX_set_padding(aes->ctx, 0);
-
    if (!EVP_CipherInit_ex(aes->ctx, type, NULL, key, iv, encrypt)) {
        aes->error = ERR_get_error();
        return MZ_HASH_ERROR;
    }

+    EVP_CIPHER_CTX_set_padding(aes->ctx, 0);
+
    return MZ_OK;
 }
 #endif
--- a/mz_crypt_winvista.c
+++ b/mz_crypt_winvista.c
@ -290,6 +290,31 @@ int32_t mz_crypt_aes_get_auth_tag(void *handle, uint8_t *tag, int32_t tag_size)
        aes->error = status;
        return MZ_CRYPT_ERROR;
    }
+
+    return MZ_OK;
+}
+
+int32_t mz_crypt_aes_set_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
+    mz_crypt_aes *aes = (mz_crypt_aes *)handle;
+    NTSTATUS status = 0;
+    ULONG output_size = 0;
+
+    if (!aes || !tag || !tag_size || !aes->auth_info)
+        return MZ_PARAM_ERROR;
+
+    aes->auth_info->pbTag = tag;
+    aes->auth_info->cbTag = tag_size;
+
+    aes->auth_info->dwFlags &= ~BCRYPT_AUTH_MODE_CHAIN_CALLS_FLAG;
+
+    status = BCryptDecrypt(aes->key, NULL, 0, aes->auth_info, aes->iv, aes->iv_length, NULL, 0,
+        &output_size, 0);
+
+    if (!NT_SUCCESS(status)) {
+        aes->error = status;
+        return MZ_CRYPT_ERROR;
+    }
+
    return MZ_OK;
 }

--- a/mz_crypt_winxp.c
+++ b/mz_crypt_winxp.c
@ -244,6 +244,10 @@ int32_t mz_crypt_aes_get_auth_tag(void *handle, uint8_t *tag, int32_t tag_size)
    return MZ_SUPPORT_ERROR;
 }

+int32_t mz_crypt_aes_set_auth_tag(void *handle, uint8_t *tag, int32_t tag_size) {
+    return MZ_SUPPORT_ERROR;
+}
+
 static int32_t mz_crypt_aes_set_key(void *handle, const void *key, int32_t key_length,
    const void *iv, int32_t iv_length) {
    mz_crypt_aes *aes = (mz_crypt_aes *)handle;
--- a/test/test_crypt.cc
+++ b/test/test_crypt.cc
@ -18,9 +18,8 @@

 #include <stdio.h> /* printf, snprintf */

-/* Include _WIN32_WINNT if not defined */
-#if GTEST_OS_WINDOWS && !defined(_WIN32_WINNT)
-#  include <windows.h>
+#if GTEST_OS_WINDOWS
+#  include <sdkddkver.h> /* _WIN32_WINNT defines */
 #endif

 #ifndef MZ_ZIP_NO_CRYPTO
@ -242,8 +241,7 @@ TEST(crypt, aes128_gcm_iv) {
    int32_t test_length = 0;
    int32_t iv_length = 0;
    uint8_t buf[120];
-    uint8_t tag1[MZ_AES_BLOCK_SIZE] = {0};
-    uint8_t tag2[MZ_AES_BLOCK_SIZE] = {0};
+    uint8_t tag[MZ_AES_BLOCK_SIZE] = {0};

    key_length = (int32_t)strlen(key);
    test_length = (int32_t)strlen(test);
@ -258,7 +256,7 @@ TEST(crypt, aes128_gcm_iv) {
    EXPECT_EQ(mz_crypt_aes_set_encrypt_key(aes, key, key_length, iv, iv_length), MZ_OK);
    EXPECT_EQ(mz_crypt_aes_encrypt(aes, buf, test_length), test_length);
    EXPECT_EQ(mz_crypt_aes_encrypt(aes, buf + test_length, test_length), test_length);
-    EXPECT_EQ(mz_crypt_aes_get_auth_tag(aes, tag1, sizeof(tag1)), MZ_OK);
+    EXPECT_EQ(mz_crypt_aes_get_auth_tag(aes, tag, sizeof(tag)), MZ_OK);
    mz_crypt_aes_delete(&aes);

    EXPECT_STRNE((char*)buf, test);
@ -269,10 +267,9 @@ TEST(crypt, aes128_gcm_iv) {
    EXPECT_EQ(mz_crypt_aes_set_decrypt_key(aes, key, key_length, iv, iv_length), MZ_OK);
    EXPECT_EQ(mz_crypt_aes_decrypt(aes, buf, test_length), test_length);
    EXPECT_EQ(mz_crypt_aes_decrypt(aes, buf + test_length, test_length), test_length);
-    EXPECT_EQ(mz_crypt_aes_get_auth_tag(aes, tag2, sizeof(tag2)), MZ_OK);
+    EXPECT_EQ(mz_crypt_aes_set_auth_tag(aes, tag, sizeof(tag)), MZ_OK);
    mz_crypt_aes_delete(&aes);

-    EXPECT_EQ(memcmp(tag1, tag2, MZ_AES_BLOCK_SIZE), 0);
    EXPECT_EQ(memcmp(buf, test, test_length), 0);
    EXPECT_EQ(memcmp(buf + test_length, test, test_length), 0);
 #endif