authorPhilipp Gesang <phg@phi-gamma.net>2017-05-02 15:28:33 +0200
committerPaul Kehrer <paul.l.kehrer@gmail.com>2017-05-02 08:28:33 -0500
commit2e84daa8e2a3bdcb52750b0589e2ee7ee0fd17ec (patch)
treef9852f1d16b6fa11f524c46343b179c661bebac9 /tests
parentcb94281f5b788f583f5f8a5b689dc9dce321ff8e (diff)
postpone GCM authentication tag requirement until finalization (#3421)
* postpone GCM authentication tag requirement until finalization Add a .finalize_with_tag() variant of the .finalize() function of the GCM context. At the same time, do not enforce the requirement of supplying the tag with the mode ctor. This facilitates streamed decryption when the MAC is appended to the ciphertext and cannot be efficiently retrieved ahead of decryption. According to the GCM spec (section 7.2: “Algorithm for the Authenticated Decryption Function”), the tag itself is not needed until the ciphertext has been decrypted. Addresses #3380 Signed-off-by: Philipp Gesang <philipp.gesang@intra2net.com> * disallow delayed GCM tag passing for legacy OpenSSL Old versions of Ubuntu supported by Cryptography ship OpenSSL v1.0.1, which is no longer supported upstream. That version seems to cause erratic test failures with the delayed GCM tag functionality which are not reproducible outside the CI. Unfortunately OpenSSL v1.0.1 does not even document the required API (``EVP_EncryptInit(3)``) so there is no by-the-book fix. For backends of version 1.0.1 and earlier, verify the GCM tag at the same stage as before. Also, indicate to the user that late passing of GCM tags is unsupported by throwing ``NotImplementedError`` for these backend versions if - the method ``finalize_with_tag()`` is invoked, or - the mode ctor is called without passing a tag. Unit tests have been adapted to account for different backend versions.
Diffstat (limited to 'tests')
-rw-r--r--tests/hazmat/primitives/test_aes.py96
-rw-r--r--tests/hazmat/primitives/utils.py2
2 files changed, 96 insertions, 2 deletions
diff --git a/tests/hazmat/primitives/test_aes.py b/tests/hazmat/primitives/test_aes.py
index 8826aae8..392a847f 100644
--- a/tests/hazmat/primitives/test_aes.py
+++ b/tests/hazmat/primitives/test_aes.py
@@ -303,3 +303,99 @@ class TestAESModeGCM(object):
assert encryptor._aad_bytes_processed == 8
encryptor.authenticate_additional_data(b"0" * 18)
assert encryptor._aad_bytes_processed == 26
+
+ def test_gcm_tag_decrypt_none(self, backend):
+ key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
+ iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
+ aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
+
+ encryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).encryptor()
+ encryptor.authenticate_additional_data(aad)
+ encryptor.finalize()
+
+ if backend.name == "openssl" and \
+ backend.openssl_version_number() < 0x10002000:
+ with pytest.raises(NotImplementedError):
+ decryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).decryptor()
+ else:
+ decryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).decryptor()
+ decryptor.authenticate_additional_data(aad)
+ with pytest.raises(ValueError):
+ decryptor.finalize()
+
+ def test_gcm_tag_decrypt_mode(self, backend):
+ key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
+ iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
+ aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
+
+ encryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).encryptor()
+ encryptor.authenticate_additional_data(aad)
+ encryptor.finalize()
+ tag = encryptor.tag
+
+ decryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv, tag),
+ backend=backend
+ ).decryptor()
+ decryptor.authenticate_additional_data(aad)
+ decryptor.finalize()
+
+ def test_gcm_tag_decrypt_finalize(self, backend):
+ key = binascii.unhexlify(b"5211242698bed4774a090620a6ca56f3")
+ iv = binascii.unhexlify(b"b1e1349120b6e832ef976f5d")
+ aad = binascii.unhexlify(b"b6d729aab8e6416d7002b9faa794c410d8d2f193")
+
+ encryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).encryptor()
+ encryptor.authenticate_additional_data(aad)
+ encryptor.finalize()
+ tag = encryptor.tag
+
+ if backend.name == "openssl" and \
+ backend.openssl_version_number() < 0x10002000:
+ with pytest.raises(NotImplementedError):
+ decryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).decryptor()
+ decryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv, tag=encryptor.tag),
+ backend=backend
+ ).decryptor()
+ else:
+ decryptor = base.Cipher(
+ algorithms.AES(key),
+ modes.GCM(iv),
+ backend=backend
+ ).decryptor()
+ decryptor.authenticate_additional_data(aad)
+
+ if backend.name == "openssl" and \
+ backend.openssl_version_number() < 0x10002000:
+ with pytest.raises(NotImplementedError):
+ decryptor.finalize_with_tag(tag)
+ decryptor.finalize()
+ else:
+ decryptor.finalize_with_tag(tag)
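Review bot: The new `finalize_with_tag()` path is only exercised with the correct tag and an empty ciphertext; nothing in `test_gcm_tag_decrypt_finalize` checks that a wrong tag is rejected, which is the property a deferred-tag API must preserve. A negative case such as `with pytest.raises(InvalidTag): decryptor.finalize_with_tag(b"\x00" * 16)` (using `cryptography.exceptions.InvalidTag`, in a fresh decryptor) and a variant that pushes plaintext through `update()` before finalizing would cover the authentication step rather than just the plumbing; if the backend enforces a minimum tag length on this path, a too-short tag raising `ValueError` is worth pinning as well. The predicate `backend.name == "openssl" and backend.openssl_version_number() < 0x10002000` is written out three times in this hunk (twice here, once in `test_gcm_tag_decrypt_none`); hoisting it into a small helper would make the per-version expectations easier to read. The enclosing class `TestAESModeGCM` starts above the hunk.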
diff --git a/tests/hazmat/primitives/utils.py b/tests/hazmat/primitives/utils.py
index d0e87a78..59326367 100644
--- a/tests/hazmat/primitives/utils.py
+++ b/tests/hazmat/primitives/utils.py
@@ -304,8 +304,6 @@ def aead_tag_exception_test(backend, cipher_factory, mode_factory):
mode_factory(binascii.unhexlify(b"0" * 24)),
backend
)
- with pytest.raises(ValueError):
- cipher.decryptor()
with pytest.raises(ValueError):
mode_factory(binascii.unhexlify(b"0" * 24), b"000")