FIX: Using init-vector instead of just iv in crypt port specification; take on crypt port is now like read update; updated crypt port initialization to be compatible with the changes of decode-url function.

Author: Oldes

src/core/p-crypt.c

@@ -713,6 +713,44 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 	return CRYPT_OK;
 }
 
+/***********************************************************************
+**
+*/	static REBINT Crypt_Update(CRYPT_CTX* ctx)
+/*
+***********************************************************************/
+{
+	REBSER* bin;
+	REBCNT  len, ofs, blk;
+	REBINT  err;
+	size_t olen = 0;
+
+	bin = ctx->buffer;
+
+	//puts("update");
+#ifdef MBEDTLS_CHACHAPOLY_C
+	if (ctx->cipher_type == SYM_CHACHA20_POLY1305) {
+		Extend_Series(bin, 16);
+		err = mbedtls_chachapoly_finish((mbedtls_chachapoly_context*)ctx->cipher_ctx, BIN_TAIL(bin));
+		SERIES_TAIL(bin) += 16;
+		ctx->state = CRYPT_PORT_NEEDS_AAD;
+		return R_ARG1;
+	}
+#endif
+	if (ctx->unprocessed_len > 0) {
+		ofs = 0;
+		blk = ctx->cipher_block_size;
+		Extend_Series(bin, blk);
+
+		if (ctx->unprocessed_len > blk) abort();
+		len = blk - ctx->unprocessed_len;
+		// pad with zeros...
+		CLEAR(ctx->unprocessed_data + ctx->unprocessed_len, len);
+
+		Crypt_Crypt(ctx, ctx->unprocessed_data, blk, &olen);
+		ctx->unprocessed_len = 0;
+	}
+	return R_ARG1;
+}
 
 /***********************************************************************
 **
@@ -763,7 +801,7 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 		return CRYPT_OK;
 	}
 	// test if input have enough data to do the block crypt
-	if (len > blk) {
+	if (len >= blk) {
 		// we have enough data to call crypt
 		Crypt_Crypt(ctx, input, len, &olen);
 		if (olen > len) return CRYPT_ERROR_BAD_PROCESSED_SIZE;
@@ -837,8 +875,11 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 		}
 		Crypt_Write(ctx, VAL_BIN_AT(arg1), VAL_LEN(arg1));
 		break;
-	case A_READ:
 	case A_TAKE:
+		// `take` is same like `read`, but also calls `update` to process also
+		//  yet not processed data from the unprocessed buffer
+		Crypt_Update(ctx);
+	case A_READ:
 		//puts("read");
 		len = BIN_LEN(bin);
 		if (len > 0) {
@@ -852,30 +893,7 @@ static void free_crypt_cipher_context(CRYPT_CTX *ctx);
 		else return R_NONE;
 		break;
 	case A_UPDATE:
-		//puts("update");
-#ifdef MBEDTLS_CHACHAPOLY_C
-		if (ctx->cipher_type == SYM_CHACHA20_POLY1305) {
-			Extend_Series(bin, 16);
-			err = mbedtls_chachapoly_finish((mbedtls_chachapoly_context*)ctx->cipher_ctx, BIN_TAIL(bin));
-			SERIES_TAIL(bin) += 16;
-			ctx->state = CRYPT_PORT_NEEDS_AAD;
-			return R_ARG1;
-		}
-#endif
-		if (ctx->unprocessed_len > 0) {
-			ofs = 0;
-			blk = ctx->cipher_block_size;
-			Extend_Series(bin, blk);
-
-			if (ctx->unprocessed_len > blk) abort();
-			len = blk - ctx->unprocessed_len;
-			// pad with zeros...
-			CLEAR(ctx->unprocessed_data + ctx->unprocessed_len, len);
-
-			Crypt_Crypt(ctx, ctx->unprocessed_data, blk, &olen);
-			ctx->unprocessed_len = 0;
-		}
-		break;
+		return Crypt_Update(ctx);
 
 	case A_CLOSE:
 		if (ctx) {

src/mezz/sys-ports.reb

@@ -418,7 +418,8 @@ init-schemes: func [
 			spec: port/spec
 			method: any [
 				select spec 'method
-				select spec 'target ; if scheme was opened using url type
+				select spec 'target ; if scheme was opened using url type (checksum:sha1)
+				select spec 'host   ; when used as: checksum://sha1
 				'md5                ; default method
 			]
 			if any [
@@ -427,7 +428,7 @@ init-schemes: func [
 			][
 				cause-error 'access 'invalid-spec method
 			] 
-			; make port/spec to be only with midi related keys
+			; make port/spec to be only with checksum related keys
 			set port/spec: copy system/standard/port-spec-checksum spec
 			;protect/words port/spec ; protect spec object keys of modification
 		]
@@ -444,20 +445,35 @@ init-schemes: func [
 			spec: port/spec
 			algorithm: any [
 				select spec 'algorithm
-				select spec 'target ; if scheme was opened using url type
-				'AES-256-CBC        ; default cipher
+				select spec 'target ; if scheme was opened using url type: crypt:chacha20
+				select spec 'host   ; or when used as: crypt://chacha20
+			]
+			direction: any [
+				select spec 'fragment ; from: crypt://chacha20#decrypt
+				select spec 'direction
 			]
 			if any [
-				error? try [spec/algorithm: to word! algorithm] ; in case it was not
+				error? try [spec/algorithm: to word! :algorithm] ; in case it was not
 				not find system/catalog/ciphers spec/algorithm
 			][
-				cause-error 'access 'invalid-spec algorithm
-			] 
+				cause-error 'access 'invalid-spec :algorithm
+			]
+			if any [
+				error? try [spec/direction: to word! :direction] ; in case it was not
+				not find [encrypt decrypt] spec/direction
+			][
+				cause-error 'access 'invalid-spec :direction
+			]
+			; make port/spec to be only with crypt related keys
 			set port/spec: copy system/standard/port-spec-crypt spec
+			if block? port/spec/ref [
+				port/spec/ref: as url! ajoin ["crypt://" :algorithm #"#" :direction]
+			]
 			;protect/words port/spec ; protect spec object keys of modification
 		]
 	]
 
+
 	make-scheme [
 		title: "Clipboard"
 		name: 'clipboard

src/tests/units/crypt-port-test.r3

@@ -13,9 +13,10 @@ Rebol [
 test-crypt: func[port key iv plain cipher][
 	modify port 'direction 'encrypt
 	modify port 'key key
-	modify port 'iv  iv
+	modify port 'init-vector  iv
 	--assert cipher = try [read write port plain]
 	modify port 'direction 'decrypt
+	modify port 'init-vector  iv ; must reset IV, because it was changed internally!
 	--assert plain  = try [read write port cipher]
 ]
 tests: [
@@ -109,6 +110,69 @@ foreach [cipher tests] tests [
 		close port
 	]
 ]
+	--test-- "AES-128-CBC with chunked input"
+		port: open make port! [
+			scheme:    'crypt
+			algorithm: 'AES-128-CBC
+			key:       #{2B7E151628AED2A6ABF7158809CF4F3C}
+		]
+		iv: #{000102030405060708090A0B0C0D0E0F}
+		modify port 'init-vector :iv
+		; writing data in 2 chunks
+		write port #{6BC1BEE22E409F96}
+		write port #{E93D7E117393172A}
+		; no need to `update`, because the input has full block size now
+		--assert #{7649ABAC8119B246CEE98E9B12E9197D} = read port
+
+		modify port 'init-vector :iv
+		write port #{6BC1BEE22E409F96}
+
+		--assert none? read port         ; because the input was not long enough
+		crypted: read update port         ; the input is padded by `update` call
+		--assert crypted = #{6F8BB83BE51C9A7DE442745E517D4377}
+		--assert none? read update port  ; there are no more data
+		--assert none? take port
+
+		modify port 'direction 'decrypt
+		modify port 'init-vector :iv
+		; result contains padded data!
+		--assert #{6BC1BEE22E409F960000000000000000} = read write port :crypted
+
+	--test-- "AES-128-CBC with chunked input which needs padding"
+		c-port: open make port! [
+			scheme:      'crypt
+			algorithm:   'AES-128-CBC
+			key:         #{2B7E151628AED2A6ABF7158809CF4F3C}
+			init-vector: #{000102030405060708090A0B0C0D0E0F}
+		]
+		;d-port: open make port! [
+		;	scheme:      'crypt
+		;	direction:   'decrypt
+		;	algorithm:   'AES-128-CBC
+		;	key:         #{2B7E151628AED2A6ABF7158809CF4F3C}
+		;	init-vector: #{000102030405060708090A0B0C0D0E0F}
+		;]
+		;- above code can be also done using:
+		d-port: open crypt://AES-128-CBC#decrypt
+		modify d-port 'key         #{2B7E151628AED2A6ABF7158809CF4F3C}
+		modify d-port 'init-vector #{000102030405060708090A0B0C0D0E0F}
+
+		write c-port #{6BC1BEE22E409F96}
+		write c-port #{E93D7E117393172ADEADBEEF}
+		; notice that there is just a partial output, because the input is longer than a block!
+		crypted: read c-port
+		--assert crypted = #{7649ABAC8119B246CEE98E9B12E9197D}
+		write d-port :crypted
+		crypted: take c-port ; same as `read update c-port` -> take forces the padding
+		--assert crypted = #{00CA0B3A31A8BD78A2815653B0C4C9DB}
+		write d-port :crypted
+		plain: take d-port
+		; the output is padded!
+		--assert plain = #{6BC1BEE22E409F96E93D7E117393172ADEADBEEF000000000000000000000000}
+		close c-port
+		close d-port
+
+
 ===end-group===
 
 
@@ -118,7 +182,7 @@ foreach [cipher tests] tests [
 monte-carlo-test-crypt: function[port key iv plain cipher][
 	modify port 'direction 'encrypt
 	modify port 'key key
-	modify port 'iv  iv
+	modify port 'init-vector  iv
 	x: plain
 	loop 10000 [ x: read write port x ]
 	--assert cipher = x
@@ -172,7 +236,7 @@ foreach [cipher tests] monte-carlo-ecb-tests [
 monte-carlo-cbc-test-crypt: function[port key iv plain cipher][
 	modify port 'direction 'encrypt
 	modify port 'key key
-	modify port 'iv  iv
+	modify port 'init-vector  iv
 	pt: plain
 	ct-1: iv
 	loop 10000 [
@@ -283,10 +347,11 @@ foreach [cipher tests] monte-carlo-cbc-tests [
 	foreach [cipher tests] tests [
 		unless find system/catalog/ciphers cipher [continue]
 		foreach [k i p c] tests [
-			port: open [scheme: 'crypt algorithm: cipher key: k iv: i]
+			port: open [scheme: 'crypt algorithm: cipher key: k init-vector: i]
 			--test-- join "Crypt port: " cipher
 			--assert c = read write port p
 			modify port 'direction 'decrypt
+			modify port 'init-vector  i ; must reset IV, because it was changed internally!
 			--assert p = read write port c
 			close port
 		]
@@ -330,7 +395,7 @@ if find system/catalog/ciphers 'CHACHA20 [
 	foreach [key nonce plain cipher] tests [
 		--test-- join "Test Vector #" n
 		modify port 'key key
-		modify port 'iv  nonce
+		modify port 'init-vector  nonce
 		--assert cipher = read write port plain
 		++ n
 	]
@@ -339,7 +404,7 @@ if find system/catalog/ciphers 'CHACHA20 [
 
 ===start-group=== "The ChaCha20 encryption from RFC7539"
 	;https://datatracker.ietf.org/doc/rfc7539/
-	port: open crypt://CHACHA20
+	port: open crypt:CHACHA20
 
 	tests: [
 		#{0000000000000000000000000000000000000000000000000000000000000000}
@@ -371,7 +436,7 @@ if find system/catalog/ciphers 'CHACHA20 [
 	foreach [key nonce plain cipher] tests [
 		--test-- join "Test Vector #" n
 		modify port 'key key
-		modify port 'iv  nonce
+		modify port 'init-vector  nonce
 		--assert cipher = read write port plain
 		++ n
 	]