rubysl-openssl 2.10 → 2.11

data/ext/rubysl/openssl/ossl_bn.h

@@ -15,8 +15,10 @@ extern VALUE eBNError;
 
 extern BN_CTX *ossl_bn_ctx;
 
+#define GetBNPtr(obj) ossl_bn_value_ptr(&(obj))
+
 VALUE ossl_bn_new(const BIGNUM *);
-BIGNUM *GetBNPtr(VALUE);
+BIGNUM *ossl_bn_value_ptr(volatile VALUE *);
 void Init_ossl_bn(void);
 
 

data/ext/rubysl/openssl/ossl_cipher.c

@@ -11,17 +11,19 @@
 
 #define NewCipher(klass) \
     TypedData_Wrap_Struct((klass), &ossl_cipher_type, 0)
-#define MakeCipher(obj, klass, ctx) \
-    (obj) = TypedData_Make_Struct((klass), EVP_CIPHER_CTX, &ossl_cipher_type, (ctx))
-#define AllocCipher(obj, ctx) \
-    (DATA_PTR(obj) = (ctx) = ZALLOC(EVP_CIPHER_CTX))
+#define AllocCipher(obj, ctx) do { \
+    (ctx) = EVP_CIPHER_CTX_new(); \
+    if (!(ctx)) \
+	ossl_raise(rb_eRuntimeError, NULL); \
+    RTYPEDDATA_DATA(obj) = (ctx); \
+} while (0)
 #define GetCipherInit(obj, ctx) do { \
     TypedData_Get_Struct((obj), EVP_CIPHER_CTX, &ossl_cipher_type, (ctx)); \
 } while (0)
 #define GetCipher(obj, ctx) do { \
     GetCipherInit((obj), (ctx)); \
     if (!(ctx)) { \
-	ossl_raise(rb_eRuntimeError, "Cipher not inititalized!"); \
+	ossl_raise(rb_eRuntimeError, "Cipher not initialized!"); \
     } \
 } while (0)
 #define SafeGetCipher(obj, ctx) do { \
@@ -34,16 +36,17 @@
  */
 VALUE cCipher;
 VALUE eCipherError;
+static ID id_auth_tag_len, id_key_set;
 
 static VALUE ossl_cipher_alloc(VALUE klass);
 static void ossl_cipher_free(void *ptr);
-static size_t ossl_cipher_memsize(const void *ptr);
 
 static const rb_data_type_t ossl_cipher_type = {
     "OpenSSL/Cipher",
-    {0, ossl_cipher_free, ossl_cipher_memsize,},
-    0, 0,
-    RUBY_TYPED_FREE_IMMEDIATELY,
+    {
+	0, ossl_cipher_free,
+    },
+    0, 0, RUBY_TYPED_FREE_IMMEDIATELY,
 };
 
 /*
@@ -52,11 +55,24 @@ static const rb_data_type_t ossl_cipher_type = {
 const EVP_CIPHER *
 GetCipherPtr(VALUE obj)
 {
-    EVP_CIPHER_CTX *ctx;
+    if (rb_obj_is_kind_of(obj, cCipher)) {
+	EVP_CIPHER_CTX *ctx;
+
+	GetCipher(obj, ctx);
 
-    SafeGetCipher(obj, ctx);
+	return EVP_CIPHER_CTX_cipher(ctx);
+    }
+    else {
+	const EVP_CIPHER *cipher;
 
-    return EVP_CIPHER_CTX_cipher(ctx);
+	StringValueCStr(obj);
+	cipher = EVP_get_cipherbyname(RSTRING_PTR(obj));
+	if (!cipher)
+	    ossl_raise(rb_eArgError,
+		       "unsupported cipher algorithm: %"PRIsVALUE, obj);
+
+	return cipher;
+    }
 }
 
 VALUE
@@ -67,7 +83,6 @@ ossl_cipher_new(const EVP_CIPHER *cipher)
 
     ret = ossl_cipher_alloc(cCipher);
     AllocCipher(ret, ctx);
-    EVP_CIPHER_CTX_init(ctx);
     if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
 	ossl_raise(eCipherError, NULL);
 
@@ -80,18 +95,7 @@ ossl_cipher_new(const EVP_CIPHER *cipher)
 static void
 ossl_cipher_free(void *ptr)
 {
-    EVP_CIPHER_CTX *ctx = ptr;
-    if (ctx) {
-	EVP_CIPHER_CTX_cleanup(ctx);
-	ruby_xfree(ctx);
-    }
-}
-
-static size_t
-ossl_cipher_memsize(const void *ptr)
-{
-    const EVP_CIPHER_CTX *ctx = ptr;
-    return sizeof(*ctx);
+    EVP_CIPHER_CTX_free(ptr);
 }
 
 static VALUE
@@ -114,26 +118,17 @@ ossl_cipher_initialize(VALUE self, VALUE str)
     EVP_CIPHER_CTX *ctx;
     const EVP_CIPHER *cipher;
     char *name;
-    unsigned char key[EVP_MAX_KEY_LENGTH];
 
-    name = StringValuePtr(str);
+    name = StringValueCStr(str);
     GetCipherInit(self, ctx);
     if (ctx) {
-	ossl_raise(rb_eRuntimeError, "Cipher already inititalized!");
+	ossl_raise(rb_eRuntimeError, "Cipher already initialized!");
     }
     AllocCipher(self, ctx);
-    EVP_CIPHER_CTX_init(ctx);
     if (!(cipher = EVP_get_cipherbyname(name))) {
-	ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%s)", name);
+	ossl_raise(rb_eRuntimeError, "unsupported cipher algorithm (%"PRIsVALUE")", str);
     }
-    /*
-     * The EVP which has EVP_CIPH_RAND_KEY flag (such as DES3) allows
-     * uninitialized key, but other EVPs (such as AES) does not allow it.
-     * Calling EVP_CipherUpdate() without initializing key causes SEGV so we
-     * set the data filled with "\0" as the key by default.
-     */
-    memset(key, 0, EVP_MAX_KEY_LENGTH);
-    if (EVP_CipherInit_ex(ctx, cipher, NULL, key, NULL, -1) != 1)
+    if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, -1) != 1)
 	ossl_raise(eCipherError, NULL);
 
     return self;
@@ -158,16 +153,13 @@ ossl_cipher_copy(VALUE self, VALUE other)
     return self;
 }
 
-#ifdef HAVE_OBJ_NAME_DO_ALL_SORTED
 static void*
 add_cipher_name_to_ary(const OBJ_NAME *name, VALUE ary)
 {
     rb_ary_push(ary, rb_str_new2(name->name));
     return NULL;
 }
-#endif
 
-#ifdef HAVE_OBJ_NAME_DO_ALL_SORTED
 /*
  *  call-seq:
  *     OpenSSL::Cipher.ciphers -> array[string...]
@@ -186,9 +178,6 @@ ossl_s_ciphers(VALUE self)
 
     return ary;
 }
-#else
-#define ossl_s_ciphers rb_f_notimplement
-#endif
 
 /*
  *  call-seq:
@@ -252,6 +241,9 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
 	ossl_raise(eCipherError, NULL);
     }
 
+    if (p_key)
+	rb_ivar_set(self, id_key_set, Qtrue);
+
     return self;
 }
 
@@ -263,7 +255,7 @@ ossl_cipher_init(int argc, VALUE *argv, VALUE self, int mode)
  *
  *  Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
  *  following methods:
- *  * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
+ *  * [#key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen]
  *
  *  Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 1).
  */
@@ -281,7 +273,7 @@ ossl_cipher_encrypt(int argc, VALUE *argv, VALUE self)
  *
  *  Make sure to call Cipher#encrypt or Cipher#decrypt before using any of the
  *  following methods:
- *  * [key=, iv=, random_key, random_iv, pkcs5_keyivgen]
+ *  * [#key=, #iv=, #random_key, #random_iv, #pkcs5_keyivgen]
  *
  *  Internally calls EVP_CipherInit_ex(ctx, NULL, NULL, NULL, NULL, 0).
  */
@@ -293,20 +285,20 @@ ossl_cipher_decrypt(int argc, VALUE *argv, VALUE self)
 
 /*
  *  call-seq:
- *     cipher.pkcs5_keyivgen(pass [, salt [, iterations [, digest]]] ) -> nil
+ *     cipher.pkcs5_keyivgen(pass, salt = nil, iterations = 2048, digest = "MD5") -> nil
  *
  *  Generates and sets the key/IV based on a password.
  *
- *  WARNING: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
+ *  *WARNING*: This method is only PKCS5 v1.5 compliant when using RC2, RC4-40,
  *  or DES with MD5 or SHA1. Using anything else (like AES) will generate the
  *  key/iv using an OpenSSL specific method. This method is deprecated and
  *  should no longer be used. Use a PKCS5 v2 key generation method from
  *  OpenSSL::PKCS5 instead.
  *
  *  === Parameters
- *  +salt+ must be an 8 byte string if provided.
- *  +iterations+ is a integer with a default of 2048.
- *  +digest+ is a Digest object that defaults to 'MD5'
+ *  * +salt+ must be an 8 byte string if provided.
+ *  * +iterations+ is an integer with a default of 2048.
+ *  * +digest+ is a Digest object that defaults to 'MD5'
  *
  *  A minimum of 1000 iterations is recommended.
  *
@@ -329,6 +321,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
 	salt = (unsigned char *)RSTRING_PTR(vsalt);
     }
     iter = NIL_P(viter) ? 2048 : NUM2INT(viter);
+    if (iter <= 0)
+	rb_raise(rb_eArgError, "iterations must be a positive integer");
     digest = NIL_P(vdigest) ? EVP_md5() : GetDigestPtr(vdigest);
     GetCipher(self, ctx);
     EVP_BytesToKey(EVP_CIPHER_CTX_cipher(ctx), digest, salt,
@@ -338,6 +332,8 @@ ossl_cipher_pkcs5_keyivgen(int argc, VALUE *argv, VALUE self)
     OPENSSL_cleanse(key, sizeof key);
     OPENSSL_cleanse(iv, sizeof iv);
 
+    rb_ivar_set(self, id_key_set, Qtrue);
+
     return Qnil;
 }
 
@@ -346,25 +342,23 @@ ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_p
 			const unsigned char *in, long in_len)
 {
     int out_part_len;
+    int limit = INT_MAX / 2 + 1;
     long out_len = 0;
-#define UPDATE_LENGTH_LIMIT INT_MAX
-
-#if SIZEOF_LONG > UPDATE_LENGTH_LIMIT
-    if (in_len > UPDATE_LENGTH_LIMIT) {
-	const int in_part_len = (UPDATE_LENGTH_LIMIT / 2 + 1) & ~1;
-	do {
-	    if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
-				  &out_part_len, in, in_part_len))
-		return 0;
-	    out_len += out_part_len;
-	    in += in_part_len;
-	} while ((in_len -= in_part_len) > UPDATE_LENGTH_LIMIT);
-    }
-#endif
-    if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
-			  &out_part_len, in, (int)in_len))
-	return 0;
-    if (out_len_ptr) *out_len_ptr = out_len += out_part_len;
+
+    do {
+	int in_part_len = in_len > limit ? limit : (int)in_len;
+
+	if (!EVP_CipherUpdate(ctx, out ? (out + out_len) : 0,
+			      &out_part_len, in, in_part_len))
+	    return 0;
+
+	out_len += out_part_len;
+	in += in_part_len;
+    } while ((in_len -= limit) > 0);
+
+    if (out_len_ptr)
+	*out_len_ptr = out_len;
+
     return 1;
 }
 
@@ -377,9 +371,8 @@ ossl_cipher_update_long(EVP_CIPHER_CTX *ctx, unsigned char *out, long *out_len_p
  *  data chunk. When done, the output of Cipher#final should be additionally
  *  added to the result.
  *
- *  === Parameters
- *  +data+ is a nonempty string.
- *  +buffer+ is an optional string to store the result.
+ *  If +buffer+ is given, the encryption/decryption result will be written to
+ *  it. +buffer+ will be resized automatically.
  */
 static VALUE
 ossl_cipher_update(int argc, VALUE *argv, VALUE self)
@@ -391,6 +384,9 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
 
     rb_scan_args(argc, argv, "11", &data, &str);
 
+    if (!RTEST(rb_attr_get(self, id_key_set)))
+	ossl_raise(eCipherError, "key not set");
+
     StringValue(data);
     in = (unsigned char *)RSTRING_PTR(data);
     if ((in_len = RSTRING_LEN(data)) == 0)
@@ -424,7 +420,7 @@ ossl_cipher_update(int argc, VALUE *argv, VALUE self)
  *  Returns the remaining data held in the cipher object. Further calls to
  *  Cipher#update or Cipher#final will return garbage. This call should always
  *  be made as the last call of an encryption or decryption operation, after
- *  after having fed the entire plaintext or ciphertext to the Cipher instance.
+ *  having fed the entire plaintext or ciphertext to the Cipher instance.
  *
  *  If an authenticated cipher was used, a CipherError is raised if the tag
  *  could not be authenticated successfully. Only call this method after
@@ -480,15 +476,19 @@ static VALUE
 ossl_cipher_set_key(VALUE self, VALUE key)
 {
     EVP_CIPHER_CTX *ctx;
+    int key_len;
 
     StringValue(key);
     GetCipher(self, ctx);
 
-    if (RSTRING_LEN(key) < EVP_CIPHER_CTX_key_length(ctx))
-        ossl_raise(eCipherError, "key length too short");
+    key_len = EVP_CIPHER_CTX_key_length(ctx);
+    if (RSTRING_LEN(key) != key_len)
+	ossl_raise(rb_eArgError, "key must be %d bytes", key_len);
 
     if (EVP_CipherInit_ex(ctx, NULL, NULL, (unsigned char *)RSTRING_PTR(key), NULL, -1) != 1)
-        ossl_raise(eCipherError, NULL);
+	ossl_raise(eCipherError, NULL);
+
+    rb_ivar_set(self, id_key_set, Qtrue);
 
     return key;
 }
@@ -504,20 +504,24 @@ ossl_cipher_set_key(VALUE self, VALUE key)
  *  Cipher#random_iv to create a secure random IV.
  *
  *  Only call this method after calling Cipher#encrypt or Cipher#decrypt.
- *
- *  If not explicitly set, the OpenSSL default of an all-zeroes ("\\0") IV is
- *  used.
  */
 static VALUE
 ossl_cipher_set_iv(VALUE self, VALUE iv)
 {
     EVP_CIPHER_CTX *ctx;
+    int iv_len = 0;
 
     StringValue(iv);
     GetCipher(self, ctx);
 
-    if (RSTRING_LEN(iv) < EVP_CIPHER_CTX_iv_length(ctx))
-        ossl_raise(eCipherError, "iv length too short");
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
+    if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+	iv_len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
+#endif
+    if (!iv_len)
+	iv_len = EVP_CIPHER_CTX_iv_length(ctx);
+    if (RSTRING_LEN(iv) != iv_len)
+	ossl_raise(rb_eArgError, "iv must be %d bytes", iv_len);
 
     if (EVP_CipherInit_ex(ctx, NULL, NULL, NULL, (unsigned char *)RSTRING_PTR(iv), -1) != 1)
 	ossl_raise(eCipherError, NULL);
@@ -525,6 +529,27 @@ ossl_cipher_set_iv(VALUE self, VALUE iv)
     return iv;
 }
 
+/*
+ *  call-seq:
+ *     cipher.authenticated? -> true | false
+ *
+ *  Indicated whether this Cipher instance uses an Authenticated Encryption
+ *  mode.
+ */
+static VALUE
+ossl_cipher_is_authenticated(VALUE self)
+{
+    EVP_CIPHER_CTX *ctx;
+
+    GetCipher(self, ctx);
+
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
+    return (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER) ? Qtrue : Qfalse;
+#else
+    return Qfalse;
+#endif
+}
+
 #ifdef HAVE_AUTHENTICATED_ENCRYPTION
 /*
  *  call-seq:
@@ -557,6 +582,8 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
     in_len = RSTRING_LEN(data);
 
     GetCipher(self, ctx);
+    if (!(EVP_CIPHER_flags(EVP_CIPHER_CTX_cipher(ctx)) & EVP_CIPH_FLAG_AEAD_CIPHER))
+	ossl_raise(eCipherError, "AEAD not supported by this cipher");
 
     if (!ossl_cipher_update_long(ctx, NULL, &out_len, in, in_len))
         ossl_raise(eCipherError, "couldn't set additional authenticated data");
@@ -564,88 +591,63 @@ ossl_cipher_set_auth_data(VALUE self, VALUE data)
     return data;
 }
 
-#define ossl_is_gcm(nid)	(nid) == NID_aes_128_gcm || \
-				(nid) == NID_aes_192_gcm || \
-				(nid) == NID_aes_256_gcm
-
-static VALUE
-ossl_get_gcm_auth_tag(EVP_CIPHER_CTX *ctx, int len)
-{
-    unsigned char *tag;
-    VALUE ret;
-
-    tag = ALLOC_N(unsigned char, len);
-
-    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_GET_TAG, len, tag))
-        ossl_raise(eCipherError, "retrieving the authentication tag failed");
-
-    ret = rb_str_new((const char *) tag, len);
-    xfree(tag);
-    return ret;
-}
-
 /*
  *  call-seq:
- *     cipher.auth_tag([ tag_len ] -> string
+ *     cipher.auth_tag(tag_len = 16) -> String
  *
  *  Gets the authentication tag generated by Authenticated Encryption Cipher
  *  modes (GCM for example). This tag may be stored along with the ciphertext,
  *  then set on the decryption cipher to authenticate the contents of the
  *  ciphertext against changes. If the optional integer parameter +tag_len+ is
  *  given, the returned tag will be +tag_len+ bytes long. If the parameter is
- *  omitted, the maximum length of 16 bytes will be returned. For maximum
- *  security, the default of 16 bytes should be chosen.
+ *  omitted, the default length of 16 bytes or the length previously set by
+ *  #auth_tag_len= will be used. For maximum security, the longest possible
+ *  should be chosen.
  *
  *  The tag may only be retrieved after calling Cipher#final.
  */
 static VALUE
 ossl_cipher_get_auth_tag(int argc, VALUE *argv, VALUE self)
 {
-    VALUE vtag_len;
+    VALUE vtag_len, ret;
     EVP_CIPHER_CTX *ctx;
-    int nid, tag_len;
+    int tag_len = 16;
 
-    if (rb_scan_args(argc, argv, "01", &vtag_len) == 0) {
-	tag_len = 16;
-    } else {
+    rb_scan_args(argc, argv, "01", &vtag_len);
+    if (NIL_P(vtag_len))
+	vtag_len = rb_attr_get(self, id_auth_tag_len);
+    if (!NIL_P(vtag_len))
 	tag_len = NUM2INT(vtag_len);
-    }
 
     GetCipher(self, ctx);
-    nid = EVP_CIPHER_CTX_nid(ctx);
 
-    if (ossl_is_gcm(nid)) {
-	return ossl_get_gcm_auth_tag(ctx, tag_len);
-    } else {
+    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "authentication tag not supported by this cipher");
-	return Qnil; /* dummy */
-    }
-}
 
-static inline void
-ossl_set_gcm_auth_tag(EVP_CIPHER_CTX *ctx, unsigned char *tag, int tag_len)
-{
-    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, tag_len, tag))
-        ossl_raise(eCipherError, "unable to set GCM tag");
+    ret = rb_str_new(NULL, tag_len);
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, tag_len, RSTRING_PTR(ret)))
+	ossl_raise(eCipherError, "retrieving the authentication tag failed");
+
+    return ret;
 }
 
 /*
  *  call-seq:
  *     cipher.auth_tag = string -> string
  *
- *  Sets the authentication tag to verify the contents of the
- *  ciphertext. The tag must be set after calling Cipher#decrypt,
- *  Cipher#key= and Cipher#iv=, but before assigning the associated
- *  authenticated data using Cipher#auth_data= and of course, before
- *  decrypting any of the ciphertext. After all decryption is
- *  performed, the tag is verified automatically in the call to
- *  Cipher#final.
+ *  Sets the authentication tag to verify the integrity of the ciphertext.
+ *  This can be called only when the cipher supports AE. The tag must be set
+ *  after calling Cipher#decrypt, Cipher#key= and Cipher#iv=, but before
+ *  calling Cipher#final. After all decryption is performed, the tag is
+ *  verified automatically in the call to Cipher#final.
+ *
+ *  For OCB mode, the tag length must be supplied with #auth_tag_len=
+ *  beforehand.
  */
 static VALUE
 ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
 {
     EVP_CIPHER_CTX *ctx;
-    int nid;
     unsigned char *tag;
     int tag_len;
 
@@ -654,44 +656,80 @@ ossl_cipher_set_auth_tag(VALUE self, VALUE vtag)
     tag_len = RSTRING_LENINT(vtag);
 
     GetCipher(self, ctx);
-    nid = EVP_CIPHER_CTX_nid(ctx);
-
-    if (ossl_is_gcm(nid)) {
-	ossl_set_gcm_auth_tag(ctx, tag, tag_len);
-    } else {
+    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
 	ossl_raise(eCipherError, "authentication tag not supported by this cipher");
-    }
+
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, tag))
+	ossl_raise(eCipherError, "unable to set AEAD tag");
 
     return vtag;
 }
 
 /*
  *  call-seq:
- *     cipher.authenticated? -> boolean
+ *     cipher.auth_tag_len = Integer -> Integer
  *
- *  Indicated whether this Cipher instance uses an Authenticated Encryption
- *  mode.
+ *  Sets the length of the authentication tag to be generated or to be given for
+ *  AEAD ciphers that requires it as in input parameter. Note that not all AEAD
+ *  ciphers support this method.
+ *
+ *  In OCB mode, the length must be supplied both when encrypting and when
+ *  decrypting, and must be before specifying an IV.
  */
 static VALUE
-ossl_cipher_is_authenticated(VALUE self)
+ossl_cipher_set_auth_tag_len(VALUE self, VALUE vlen)
 {
+    int tag_len = NUM2INT(vlen);
     EVP_CIPHER_CTX *ctx;
-    int nid;
 
     GetCipher(self, ctx);
-    nid = EVP_CIPHER_CTX_nid(ctx);
+    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+	ossl_raise(eCipherError, "AEAD not supported by this cipher");
 
-    if (ossl_is_gcm(nid)) {
-	return Qtrue;
-    } else {
-	return Qfalse;
-    }
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, tag_len, NULL))
+	ossl_raise(eCipherError, "unable to set authentication tag length");
+
+    /* for #auth_tag */
+    rb_ivar_set(self, id_auth_tag_len, INT2NUM(tag_len));
+
+    return vlen;
+}
+
+/*
+ * call-seq:
+ *   cipher.iv_len = integer -> integer
+ *
+ * Sets the IV/nonce length of the Cipher. Normally block ciphers don't allow
+ * changing the IV length, but some make use of IV for 'nonce'. You may need
+ * this for interoperability with other applications.
+ */
+static VALUE
+ossl_cipher_set_iv_length(VALUE self, VALUE iv_length)
+{
+    int len = NUM2INT(iv_length);
+    EVP_CIPHER_CTX *ctx;
+
+    GetCipher(self, ctx);
+    if (!(EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER))
+	ossl_raise(eCipherError, "cipher does not support AEAD");
+
+    if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_IVLEN, len, NULL))
+	ossl_raise(eCipherError, "unable to set IV length");
+
+    /*
+     * EVP_CIPHER_CTX_iv_length() returns the default length. So we need to save
+     * the length somewhere. Luckily currently we aren't using app_data.
+     */
+    EVP_CIPHER_CTX_set_app_data(ctx, (void *)(VALUE)len);
+
+    return iv_length;
 }
 #else
 #define ossl_cipher_set_auth_data rb_f_notimplement
 #define ossl_cipher_get_auth_tag rb_f_notimplement
 #define ossl_cipher_set_auth_tag rb_f_notimplement
-#define ossl_cipher_is_authenticated rb_f_notimplement
+#define ossl_cipher_set_auth_tag_len rb_f_notimplement
+#define ossl_cipher_set_iv_length rb_f_notimplement
 #endif
 
 /*
@@ -719,7 +757,6 @@ ossl_cipher_set_key_length(VALUE self, VALUE key_length)
     return key_length;
 }
 
-#if defined(HAVE_EVP_CIPHER_CTX_SET_PADDING)
 /*
  *  call-seq:
  *     cipher.padding = integer -> integer
@@ -741,18 +778,6 @@ ossl_cipher_set_padding(VALUE self, VALUE padding)
 	ossl_raise(eCipherError, NULL);
     return padding;
 }
-#else
-#define ossl_cipher_set_padding rb_f_notimplement
-#endif
-
-#define CIPHER_0ARG_INT(func)					\
-    static VALUE						\
-    ossl_cipher_##func(VALUE self)				\
-    {								\
-	EVP_CIPHER_CTX *ctx;					\
-	GetCipher(self, ctx);					\
-	return INT2NUM(EVP_CIPHER_##func(EVP_CIPHER_CTX_cipher(ctx)));	\
-    }
 
 /*
  *  call-seq:
@@ -760,21 +785,54 @@ ossl_cipher_set_padding(VALUE self, VALUE padding)
  *
  *  Returns the key length in bytes of the Cipher.
  */
-CIPHER_0ARG_INT(key_length)
+static VALUE
+ossl_cipher_key_length(VALUE self)
+{
+    EVP_CIPHER_CTX *ctx;
+
+    GetCipher(self, ctx);
+
+    return INT2NUM(EVP_CIPHER_CTX_key_length(ctx));
+}
+
 /*
  *  call-seq:
  *     cipher.iv_len -> integer
  *
  *  Returns the expected length in bytes for an IV for this Cipher.
  */
-CIPHER_0ARG_INT(iv_length)
+static VALUE
+ossl_cipher_iv_length(VALUE self)
+{
+    EVP_CIPHER_CTX *ctx;
+    int len = 0;
+
+    GetCipher(self, ctx);
+#if defined(HAVE_AUTHENTICATED_ENCRYPTION)
+    if (EVP_CIPHER_CTX_flags(ctx) & EVP_CIPH_FLAG_AEAD_CIPHER)
+	len = (int)(VALUE)EVP_CIPHER_CTX_get_app_data(ctx);
+#endif
+    if (!len)
+	len = EVP_CIPHER_CTX_iv_length(ctx);
+
+    return INT2NUM(len);
+}
+
 /*
  *  call-seq:
  *     cipher.block_size -> integer
  *
  *  Returns the size in bytes of the blocks on which this Cipher operates on.
  */
-CIPHER_0ARG_INT(block_size)
+static VALUE
+ossl_cipher_block_size(VALUE self)
+{
+    EVP_CIPHER_CTX *ctx;
+
+    GetCipher(self, ctx);
+
+    return INT2NUM(EVP_CIPHER_CTX_block_size(ctx));
+}
 
 /*
  * INIT
@@ -783,7 +841,8 @@ void
 Init_ossl_cipher(void)
 {
 #if 0
-    mOSSL = rb_define_module("OpenSSL"); /* let rdoc know about mOSSL */
+    mOSSL = rb_define_module("OpenSSL");
+    eOSSLError = rb_define_class_under(mOSSL, "OpenSSLError", rb_eStandardError);
 #endif
 
     /* Document-class: OpenSSL::Cipher
@@ -882,12 +941,10 @@ Init_ossl_cipher(void)
      * you absolutely need it</b>
      *
      * Because of this, you will end up with a mode that explicitly requires
-     * an IV in any case. Note that for backwards compatibility reasons,
-     * setting an IV is not explicitly mandated by the Cipher API. If not
-     * set, OpenSSL itself defaults to an all-zeroes IV ("\\0", not the
-     * character). Although the IV can be seen as public information, i.e.
-     * it may be transmitted in public once generated, it should still stay
-     * unpredictable to prevent certain kinds of attacks. Therefore, ideally
+     * an IV in any case. Although the IV can be seen as public information,
+     * i.e. it may be transmitted in public once generated, it should still
+     * stay unpredictable to prevent certain kinds of attacks. Therefore,
+     * ideally
      *
      * <b>Always create a secure random IV for every encryption of your
      * Cipher</b>
@@ -896,16 +953,16 @@ Init_ossl_cipher(void)
      * of the IV as a nonce (number used once) - it's public but random and
      * unpredictable. A secure random IV can be created as follows
      *
-     *  cipher = ...
-     *  cipher.encrypt
-     *  key = cipher.random_key
-     *  iv = cipher.random_iv # also sets the generated IV on the Cipher
+     *   cipher = ...
+     *   cipher.encrypt
+     *   key = cipher.random_key
+     *   iv = cipher.random_iv # also sets the generated IV on the Cipher
      *
-     *  Although the key is generally a random value, too, it is a bad choice
-     *  as an IV. There are elaborate ways how an attacker can take advantage
-     *  of such an IV. As a general rule of thumb, exposing the key directly
-     *  or indirectly should be avoided at all cost and exceptions only be
-     *  made with good reason.
+     * Although the key is generally a random value, too, it is a bad choice
+     * as an IV. There are elaborate ways how an attacker can take advantage
+     * of such an IV. As a general rule of thumb, exposing the key directly
+     * or indirectly should be avoided at all cost and exceptions only be
+     * made with good reason.
      *
      * === Calling Cipher#final
      *
@@ -959,29 +1016,42 @@ Init_ossl_cipher(void)
      * could otherwise be exploited to modify ciphertexts in ways beneficial to
      * potential attackers.
      *
-     * If no associated data is needed for encryption and later decryption,
-     * the OpenSSL library still requires a value to be set - "" may be used in
-     * case none is available. An example using the GCM (Galois Counter Mode):
+     * An associated data is used where there is additional information, such as
+     * headers or some metadata, that must be also authenticated but not
+     * necessarily need to be encrypted. If no associated data is needed for
+     * encryption and later decryption, the OpenSSL library still requires a
+     * value to be set - "" may be used in case none is available.
      *
-     *   cipher = OpenSSL::Cipher::AES.new(128, :GCM)
-     *   cipher.encrypt
-     *   key = cipher.random_key
-     *   iv = cipher.random_iv
-     *   cipher.auth_data = ""
+     * An example using the GCM (Galois/Counter Mode). You have 16 bytes +key+,
+     * 12 bytes (96 bits) +nonce+ and the associated data +auth_data+. Be sure
+     * not to reuse the +key+ and +nonce+ pair. Reusing an nonce ruins the
+     * security guarantees of GCM mode.
+     *
+     *   cipher = OpenSSL::Cipher::AES.new(128, :GCM).encrypt
+     *   cipher.key = key
+     *   cipher.iv = nonce
+     *   cipher.auth_data = auth_data
      *
      *   encrypted = cipher.update(data) + cipher.final
-     *   tag = cipher.auth_tag
+     *   tag = cipher.auth_tag # produces 16 bytes tag by default
      *
-     *   decipher = OpenSSL::Cipher::AES.new(128, :GCM)
-     *   decipher.decrypt
+     * Now you are the receiver. You know the +key+ and have received +nonce+,
+     * +auth_data+, +encrypted+ and +tag+ through an untrusted network. Note
+     * that GCM accepts an arbitrary length tag between 1 and 16 bytes. You may
+     * additionally need to check that the received tag has the correct length,
+     * or you allow attackers to forge a valid single byte tag for the tampered
+     * ciphertext with a probability of 1/256.
+     *
+     *   raise "tag is truncated!" unless tag.bytesize == 16
+     *   decipher = OpenSSL::Cipher::AES.new(128, :GCM).decrypt
      *   decipher.key = key
-     *   decipher.iv = iv
+     *   decipher.iv = nonce
      *   decipher.auth_tag = tag
-     *   decipher.auth_data = ""
+     *   decipher.auth_data = auth_data
      *
-     *   plain = decipher.update(encrypted) + decipher.final
+     *   decrypted = decipher.update(encrypted) + decipher.final
      *
-     *   puts data == plain #=> true
+     *   puts data == decrypted #=> true
      */
     cCipher = rb_define_class_under(mOSSL, "Cipher", rb_cObject);
     eCipherError = rb_define_class_under(cCipher, "CipherError", eOSSLError);
@@ -1001,11 +1071,16 @@ Init_ossl_cipher(void)
     rb_define_method(cCipher, "auth_data=", ossl_cipher_set_auth_data, 1);
     rb_define_method(cCipher, "auth_tag=", ossl_cipher_set_auth_tag, 1);
     rb_define_method(cCipher, "auth_tag", ossl_cipher_get_auth_tag, -1);
+    rb_define_method(cCipher, "auth_tag_len=", ossl_cipher_set_auth_tag_len, 1);
     rb_define_method(cCipher, "authenticated?", ossl_cipher_is_authenticated, 0);
     rb_define_method(cCipher, "key_len=", ossl_cipher_set_key_length, 1);
     rb_define_method(cCipher, "key_len", ossl_cipher_key_length, 0);
     rb_define_method(cCipher, "iv=", ossl_cipher_set_iv, 1);
+    rb_define_method(cCipher, "iv_len=", ossl_cipher_set_iv_length, 1);
     rb_define_method(cCipher, "iv_len", ossl_cipher_iv_length, 0);
     rb_define_method(cCipher, "block_size", ossl_cipher_block_size, 0);
     rb_define_method(cCipher, "padding=", ossl_cipher_set_padding, 1);
+
+    id_auth_tag_len = rb_intern_const("auth_tag_len");
+    id_key_set = rb_intern_const("key_set");
 }