doc: update function description for decipher.setAAD

jbuhacoff · codebytere · commit 72d1245d42f5 · 2020-05-20T21:40:00.000-07:00
According to the [NodeJS CCM example](https://nodejs.org/docs/latest-v14.x/api/crypto.html#crypto_ccm_mode], when decrypting the `plaintextLength` parameter actually refers to the ciphertext length, not the plaintext length: ``` decipher.setAAD(aad, { plaintextLength: ciphertext.length }); ``` The same can be seen in the [OpenSSL docs](https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption) where a call to `EVP_DecryptUpdate` passes the ciphertext length: ``` /* Provide the total ciphertext length */ if(1 != EVP_DecryptUpdate(ctx, NULL, &len, NULL, ciphertext_len)) handleErrors(); ``` This parameter probably should have been called `inputLength` or `bufferLength` instead of `plaintextLength`, so that it makes sense both when encrypting and decrypting, but at least we can correct the sentence in the documentation for now to refer to the correct value. PR-URL: #33095 Reviewed-By: Ujjwal Sharma <ryzokuken@disroot.org> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
@@ -493,7 +493,7 @@ _additional authenticated data_ (AAD) input parameter.
 
 The `options` argument is optional for `GCM`. When using `CCM`, the
 `plaintextLength` option must be specified and its value must match the length
-of the plaintext in bytes. See [CCM mode][].
+of the ciphertext in bytes. See [CCM mode][].
 
 The `decipher.setAAD()` method must be called before [`decipher.update()`][].
 
@@ -3104,7 +3104,12 @@ mode must adhere to certain restrictions when using the cipher API:
   mode might fail as CCM cannot handle more than one chunk of data per instance.
 * When passing additional authenticated data (AAD), the length of the actual
   message in bytes must be passed to `setAAD()` via the `plaintextLength`
-  option. This is not necessary if no AAD is used.
+  option.
+  Many crypto libraries include the authentication tag in the ciphertext,
+  which means that they produce ciphertexts of the length
+  `plaintextLength + authTagLength`. Node.js does not include the authentication
+  tag, so the ciphertext length is always `plaintextLength`.
+  This is not necessary if no AAD is used.
 * As CCM processes the whole message at once, `update()` can only be called
   once.
 * Even though calling `update()` is sufficient to encrypt/decrypt the message,
