crypto: improve setAuthTag #22538

Closed

tniessen
Member

This is an attempt to make the behavior of setAuthTag match the documentation: In GCM mode, it can be called at any time before invoking final, even after the last call to update.

Fixes: #22421

cc @nodejs/crypto @nodejs/security-wg @achronos0

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

This is an attempt to make the behavior of setAuthTag match the
documentation: In GCM mode, it can be called at any time before
invoking final, even after the last call to update.

Fixes: nodejs#22421
nodejs-github-bot added the c++ and crypto labels on Aug 26, 2018
@tniessen
Member Author

Ping @nodejs/crypto

@BridgeAR
Member

This needs a review. No one looked at it for five days.

@tniessen
Member Author

Thanks, @BridgeAR. @nodejs/crypto seems to be mostly dead these days. The change itself isn't that complex:

It should be possible to call setAuthTag() at any point before calling final(), but it currently isn't because the authentication tag is cached in the CipherBase class and only passed to OpenSSL once setAAD or update is called. The simplest solution is to also pass the cached tag to OpenSSL when final() is called, and that's what this PR does.
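The call order described in the comment above, as an added example that is not part of this PR or of the Node.js code base: a GCM decryption where the tag arrives after the ciphertext, including an empty message for which `update()` is never called. The key, nonce, and the function names `seal` and `openTagLast` are constructed for illustration, and a Node.js release containing this change is assumed.

```javascript
const crypto = require('node:crypto');

// Constructed sample key and nonce, for illustration only. Real code must use
// a secret random key and a nonce that is unique per message under that key.
const key = Buffer.alloc(32, 7);
const iv = Buffer.alloc(12, 1);

// Encrypts with AES-256-GCM and returns the ciphertext and its 16-byte tag.
function seal(plaintext) {
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return { ciphertext, tag: cipher.getAuthTag() };
}

// Decrypts a message whose tag trails the ciphertext, so the tag is only
// known after the last update() call. Returns null if authentication fails.
function openTagLast(ciphertext, tag) {
  // authTagLength pins the accepted tag size, so a shortened tag is rejected.
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, iv, {
    authTagLength: 16,
  });
  const chunks = [];
  // For an empty message update() is skipped entirely.
  if (ciphertext.length > 0) chunks.push(decipher.update(ciphertext));
  try {
    decipher.setAuthTag(tag);      // after update(), before final()
    chunks.push(decipher.final()); // the tag is verified here
  } catch (err) {
    // Output of update() is unauthenticated until final() succeeds: drop it.
    return null;
  }
  return Buffer.concat(chunks);
}

// Returns a copy of buf with the lowest bit of its first byte flipped.
function flipFirstBit(buf) {
  const copy = Buffer.from(buf);
  copy[0] ^= 1;
  return copy;
}
```

Plaintext returned by `update()` must not be acted on until `final()` has returned, because only `final()` checks the tag.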

@tniessen
Member Author

tniessen added the author ready label on Aug 31, 2018
@addaleax
Member

addaleax commented Sep 2, 2018

Landed in b402609

@addaleax addaleax closed this Sep 2, 2018
addaleax pushed a commit that referenced this pull request Sep 2, 2018
This is an attempt to make the behavior of setAuthTag match the
documentation: In GCM mode, it can be called at any time before
invoking final, even after the last call to update.

Fixes: #22421

PR-URL: #22538
Reviewed-By: Anna Henningsen <anna@addaleax.net>
targos pushed a commit that referenced this pull request Sep 2, 2018
targos pushed a commit that referenced this pull request Sep 3, 2018
targos pushed a commit that referenced this pull request Sep 6, 2018
tniessen removed the author ready label on Sep 12, 2018
seebees added a commit to seebees/aws-encryption-sdk-javascript that referenced this pull request Aug 28, 2019
resolves aws#199

Node.js versions 10.9 and older will fail to decrypt if decipher.update is not called.
nodejs/node#22538 fixes this.

If the content is empty, push an empty buffer.
seebees added a commit to aws/aws-encryption-sdk-javascript that referenced this pull request Sep 9, 2019
Development

Successfully merging this pull request may close these issues.

crypto Decipher: setAuthTag() must be called before update()