cipher: use EVP_CIPHER_fetch() if available

Likewise, use EVP_MD_fetch() if it is available.

This adds support for AES-GCM-SIV with OpenSSL 3.2 or later.

Author: rhenium

ext/openssl/ossl_cipher.c

@@ -33,7 +33,7 @@
 static VALUE cCipher;
 static VALUE eCipherError;
 static VALUE eAuthTagError;
-static ID id_auth_tag_len, id_key_set;
+static ID id_auth_tag_len, id_key_set, id_cipher_holder;
 
 static VALUE ossl_cipher_alloc(VALUE klass);
 static void ossl_cipher_free(void *ptr);
@@ -46,30 +46,58 @@ static const rb_data_type_t ossl_cipher_type = {
     0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
 };
 
+#ifdef OSSL_USE_PROVIDER
+static void
+ossl_evp_cipher_free(void *ptr)
+{
+    // This is safe to call against const EVP_CIPHER * returned by
+    // EVP_get_cipherbyname()
+    EVP_CIPHER_free(ptr);
+}
+
+static const rb_data_type_t ossl_evp_cipher_holder_type = {
+    "OpenSSL/EVP_CIPHER",
+    {
+        .dfree = ossl_evp_cipher_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY | RUBY_TYPED_WB_PROTECTED,
+};
+#endif
+
 /*
  * PUBLIC
  */
 const EVP_CIPHER *
-ossl_evp_get_cipherbyname(VALUE obj)
+ossl_evp_cipher_fetch(VALUE obj, volatile VALUE *holder)
 {
+    *holder = Qnil;
     if (rb_obj_is_kind_of(obj, cCipher)) {
-	EVP_CIPHER_CTX *ctx;
-
-	GetCipher(obj, ctx);
-
-	return EVP_CIPHER_CTX_cipher(ctx);
+        EVP_CIPHER_CTX *ctx;
+        GetCipher(obj, ctx);
+        EVP_CIPHER *cipher = (EVP_CIPHER *)EVP_CIPHER_CTX_cipher(ctx);
+#ifdef OSSL_USE_PROVIDER
+        *holder = TypedData_Wrap_Struct(0, &ossl_evp_cipher_holder_type, NULL);
+        if (!EVP_CIPHER_up_ref(cipher))
+            ossl_raise(eCipherError, "EVP_CIPHER_up_ref");
+        RTYPEDDATA_DATA(*holder) = cipher;
+#endif
+        return cipher;
     }
-    else {
-	const EVP_CIPHER *cipher;
 
-	StringValueCStr(obj);
-	cipher = EVP_get_cipherbyname(RSTRING_PTR(obj));
-	if (!cipher)
-	    ossl_raise(eCipherError, "unsupported cipher algorithm: %"PRIsVALUE,
-                       obj);
-
-	return cipher;
+    const char *name = StringValueCStr(obj);
+    EVP_CIPHER *cipher = (EVP_CIPHER *)EVP_get_cipherbyname(name);
+#ifdef OSSL_USE_PROVIDER
+    if (!cipher) {
+        ossl_clear_error();
+        *holder = TypedData_Wrap_Struct(0, &ossl_evp_cipher_holder_type, NULL);
+        cipher = EVP_CIPHER_fetch(NULL, name, NULL);
+        RTYPEDDATA_DATA(*holder) = cipher;
     }
+#endif
+    if (!cipher)
+        ossl_raise(eCipherError, "unsupported cipher algorithm: %"PRIsVALUE,
+                   obj);
+    return cipher;
 }
 
 VALUE
@@ -78,6 +106,9 @@ ossl_cipher_new(const EVP_CIPHER *cipher)
     VALUE ret;
     EVP_CIPHER_CTX *ctx;
 
+    // NOTE: This does not set id_cipher_holder because this function should
+    // only be called from ossl_engine.c, which will not use any
+    // reference-counted ciphers.
     ret = ossl_cipher_alloc(cCipher);
     AllocCipher(ret, ctx);
     if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
@@ -114,15 +145,17 @@ ossl_cipher_initialize(VALUE self, VALUE str)
 {
     EVP_CIPHER_CTX *ctx;
     const EVP_CIPHER *cipher;
+    VALUE cipher_holder;
 
     GetCipherInit(self, ctx);
     if (ctx) {
 	ossl_raise(rb_eRuntimeError, "Cipher already initialized!");
     }
-    cipher = ossl_evp_get_cipherbyname(str);
+    cipher = ossl_evp_cipher_fetch(str, &cipher_holder);
     AllocCipher(self, ctx);
     if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
-	ossl_raise(eCipherError, NULL);
+        ossl_raise(eCipherError, "EVP_CipherInit_ex");
+    rb_ivar_set(self, id_cipher_holder, cipher_holder);
 
     return self;
 }
@@ -1106,4 +1139,5 @@ Init_ossl_cipher(void)
 
     id_auth_tag_len = rb_intern_const("auth_tag_len");
     id_key_set = rb_intern_const("key_set");
+    id_cipher_holder = rb_intern_const("EVP_CIPHER_holder");
 }

ext/openssl/ossl_cipher.h

@@ -10,7 +10,16 @@
 #if !defined(_OSSL_CIPHER_H_)
 #define _OSSL_CIPHER_H_
 
-const EVP_CIPHER *ossl_evp_get_cipherbyname(VALUE);
+/*
+ * Gets EVP_CIPHER from a String or an OpenSSL::Digest instance (discouraged,
+ * but still supported for compatibility). A holder object is created if the
+ * EVP_CIPHER is a "fetched" algorithm.
+ */
+const EVP_CIPHER *ossl_evp_cipher_fetch(VALUE obj, volatile VALUE *holder);
+/*
+ * This is meant for OpenSSL::Engine#cipher. EVP_CIPHER must not be a fetched
+ * one.
+ */
 VALUE ossl_cipher_new(const EVP_CIPHER *);
 void Init_ossl_cipher(void);
 

ext/openssl/ossl_pkcs7.c

@@ -68,7 +68,7 @@ static VALUE cPKCS7;
 static VALUE cPKCS7Signer;
 static VALUE cPKCS7Recipient;
 static VALUE ePKCS7Error;
-static ID id_md_holder;
+static ID id_md_holder, id_cipher_holder;
 
 static void
 ossl_pkcs7_free(void *ptr)
@@ -313,7 +313,7 @@ ossl_pkcs7_s_sign(int argc, VALUE *argv, VALUE klass)
 static VALUE
 ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
 {
-    VALUE certs, data, cipher, flags;
+    VALUE certs, data, cipher, flags, cipher_holder;
     STACK_OF(X509) *x509s;
     BIO *in;
     const EVP_CIPHER *ciph;
@@ -327,7 +327,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
                  "cipher must be specified. Before version 3.3, " \
                  "the default cipher was RC2-40-CBC.");
     }
-    ciph = ossl_evp_get_cipherbyname(cipher);
+    ciph = ossl_evp_cipher_fetch(cipher, &cipher_holder);
     flg = NIL_P(flags) ? 0 : NUM2INT(flags);
     ret = NewPKCS7(cPKCS7);
     in = ossl_obj2bio(&data);
@@ -344,6 +344,7 @@ ossl_pkcs7_s_encrypt(int argc, VALUE *argv, VALUE klass)
     BIO_free(in);
     SetPKCS7(ret, p7);
     ossl_pkcs7_set_data(ret, data);
+    rb_ivar_set(ret, id_cipher_holder, cipher_holder);
     sk_X509_pop_free(x509s, X509_free);
 
     return ret;
@@ -536,11 +537,13 @@ static VALUE
 ossl_pkcs7_set_cipher(VALUE self, VALUE cipher)
 {
     PKCS7 *pkcs7;
+    const EVP_CIPHER *ciph;
+    VALUE cipher_holder;
 
     GetPKCS7(self, pkcs7);
-    if (!PKCS7_set_cipher(pkcs7, ossl_evp_get_cipherbyname(cipher))) {
-	ossl_raise(ePKCS7Error, NULL);
-    }
+    ciph = ossl_evp_cipher_fetch(cipher, &cipher_holder);
+    if (!PKCS7_set_cipher(pkcs7, ciph))
+        ossl_raise(ePKCS7Error, "PKCS7_set_cipher");
 
     return cipher;
 }
@@ -1165,4 +1168,5 @@ Init_ossl_pkcs7(void)
     DefPKCS7Const(NOSMIMECAP);
 
     id_md_holder = rb_intern_const("EVP_MD_holder");
+    id_cipher_holder = rb_intern_const("EVP_CIPHER_holder");
 }

ext/openssl/ossl_pkey.c

@@ -814,14 +814,14 @@ VALUE
 ossl_pkey_export_traditional(int argc, VALUE *argv, VALUE self, int to_der)
 {
     EVP_PKEY *pkey;
-    VALUE cipher, pass;
+    VALUE cipher, pass, cipher_holder;
     const EVP_CIPHER *enc = NULL;
     BIO *bio;
 
     GetPKey(self, pkey);
     rb_scan_args(argc, argv, "02", &cipher, &pass);
     if (!NIL_P(cipher)) {
-	enc = ossl_evp_get_cipherbyname(cipher);
+        enc = ossl_evp_cipher_fetch(cipher, &cipher_holder);
 	pass = ossl_pem_passwd_value(pass);
     }
 
@@ -849,7 +849,7 @@ static VALUE
 do_pkcs8_export(int argc, VALUE *argv, VALUE self, int to_der)
 {
     EVP_PKEY *pkey;
-    VALUE cipher, pass;
+    VALUE cipher, pass, cipher_holder;
     const EVP_CIPHER *enc = NULL;
     BIO *bio;
 
@@ -860,7 +860,7 @@ do_pkcs8_export(int argc, VALUE *argv, VALUE self, int to_der)
 	 * TODO: EncryptedPrivateKeyInfo actually has more options.
 	 * Should they be exposed?
 	 */
-	enc = ossl_evp_get_cipherbyname(cipher);
+        enc = ossl_evp_cipher_fetch(cipher, &cipher_holder);
 	pass = ossl_pem_passwd_value(pass);
     }
 

test/openssl/test_cipher.rb

@@ -345,6 +345,24 @@ def test_aes_ocb_tag_len
 
   end if has_cipher?("aes-128-ocb")
 
+  def test_aes_gcm_siv
+    # RFC 8452 Appendix C.1., 8th example
+    key = ["01000000000000000000000000000000"].pack("H*")
+    iv  = ["030000000000000000000000"].pack("H*")
+    aad = ["01"].pack("H*")
+    pt =  ["0200000000000000"].pack("H*")
+    ct =  ["1e6daba35669f4273b0a1a2560969cdf790d99759abd1508"].pack("H*")
+    tag = ["3b0a1a2560969cdf790d99759abd1508"].pack("H*")
+    ct_without_tag = ct.byteslice(0, ct.bytesize - tag.bytesize)
+
+    cipher = new_encryptor("aes-128-gcm-siv", key: key, iv: iv, auth_data: aad)
+    assert_equal ct_without_tag, cipher.update(pt) << cipher.final
+    assert_equal tag, cipher.auth_tag
+    cipher = new_decryptor("aes-128-gcm-siv", key: key, iv: iv, auth_tag: tag,
+                           auth_data: aad)
+    assert_equal pt, cipher.update(ct_without_tag) << cipher.final
+  end if openssl?(3, 2, 0)
+
   def test_aes_gcm_key_iv_order_issue
     pt = "[ruby/openssl#49]"
     cipher = OpenSSL::Cipher.new("aes-128-gcm").encrypt