From 57c0dbed227d85b000c9bc5bd9db31ed492f6659 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 13 Sep 2018 00:48:35 +0200 Subject: [PATCH 1/3] crypto: fix edge case in authenticated encryption Restricting the authentication tag length and calling update or setAAD before setAuthTag caused an incorrect authentication tag to be passed to OpenSSL: The auth_tag_len_ field was already set, so the implementation assumed that the tag itself was known as well. --- src/node_crypto.cc | 7 ++-- src/node_crypto.h | 10 ++++-- test/parallel/test-crypto-authenticated.js | 40 +++++++++++++--------- 3 files changed, 37 insertions(+), 20 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 4e97c390848340..1bc21f82e41667 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -2818,6 +2818,7 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len, // Remember the given authentication tag length for later. auth_tag_len_ = auth_tag_len; + auth_tag_state_ = kAuthTagLengthKnown; if (mode == EVP_CIPH_CCM_MODE) { // Restrict the message length to min(INT_MAX, 2^(8*(15-iv_len))-1) bytes. @@ -2840,6 +2841,7 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len, // Remember the given authentication tag length for later. auth_tag_len_ = auth_tag_len; + auth_tag_state_ = kAuthTagLengthKnown; } } @@ -2921,6 +2923,7 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo& args) { } cipher->auth_tag_len_ = tag_len; + cipher->auth_tag_state_ = kAuthTagKnown; CHECK_LE(cipher->auth_tag_len_, sizeof(cipher->auth_tag_)); memset(cipher->auth_tag_, 0, sizeof(cipher->auth_tag_)); @@ -2931,14 +2934,14 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo& args) { bool CipherBase::MaybePassAuthTagToOpenSSL() { - if (!auth_tag_set_ && auth_tag_len_ != kNoAuthTagLength) { + if (auth_tag_state_ == kAuthTagKnown) { if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_SET_TAG, auth_tag_len_, reinterpret_cast(auth_tag_))) { return false; } - auth_tag_set_ = true; + auth_tag_state_ = kAuthTagPassedToOpenSSL; } return true; } diff --git a/src/node_crypto.h b/src/node_crypto.h index 86aa3ba4ba8395..6312fc58ebda01 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -363,6 +363,12 @@ class CipherBase : public BaseObject { kErrorMessageSize, kErrorState }; + enum AuthTagState { + kAuthTagUnknown, + kAuthTagLengthKnown, + kAuthTagKnown, + kAuthTagPassedToOpenSSL + }; static const unsigned kNoAuthTagLength = static_cast(-1); void Init(const char* cipher_type, @@ -404,7 +410,7 @@ class CipherBase : public BaseObject { : BaseObject(env, wrap), ctx_(nullptr), kind_(kind), - auth_tag_set_(false), + auth_tag_state_(kAuthTagUnknown), auth_tag_len_(kNoAuthTagLength), pending_auth_failed_(false) { MakeWeak(); @@ -413,7 +419,7 @@ class CipherBase : public BaseObject { private: DeleteFnPtr ctx_; const CipherKind kind_; - bool auth_tag_set_; + AuthTagState auth_tag_state_; unsigned int auth_tag_len_; char auth_tag_[EVP_GCM_TLS_TAG_LEN]; bool pending_auth_failed_; diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js index a2f5e9cdd8a043..77587fadf79a1b 100644 --- a/test/parallel/test-crypto-authenticated.js +++ b/test/parallel/test-crypto-authenticated.js @@ -557,27 +557,35 @@ for (const test of TEST_CASES) { } // Test that the authentication tag can be set at any point before calling -// final() in GCM mode. +// final() in GCM or OCB mode. { const plain = Buffer.from('Hello world', 'utf8'); const key = Buffer.from('0123456789abcdef', 'utf8'); const iv = Buffer.from('0123456789ab', 'utf8'); - const cipher = crypto.createCipheriv('aes-128-gcm', key, iv); - const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]); - const authTag = cipher.getAuthTag(); - - for (const authTagBeforeUpdate of [true, false]) { - const decipher = crypto.createDecipheriv('aes-128-gcm', key, iv); - if (authTagBeforeUpdate) { - decipher.setAuthTag(authTag); - } - const resultUpdate = decipher.update(ciphertext); - if (!authTagBeforeUpdate) { - decipher.setAuthTag(authTag); + for (const mode of ['gcm', 'ocb']) { + for (const authTagLength of mode === 'gcm' ? [undefined, 8] : [8]) { + const cipher = crypto.createCipheriv(`aes-128-${mode}`, key, iv, { + authTagLength + }); + const ciphertext = Buffer.concat([cipher.update(plain), cipher.final()]); + const authTag = cipher.getAuthTag(); + + for (const authTagBeforeUpdate of [true, false]) { + const decipher = crypto.createDecipheriv(`aes-128-${mode}`, key, iv, { + authTagLength + }); + if (authTagBeforeUpdate) { + decipher.setAuthTag(authTag); + } + const resultUpdate = decipher.update(ciphertext); + if (!authTagBeforeUpdate) { + decipher.setAuthTag(authTag); + } + const resultFinal = decipher.final(); + const result = Buffer.concat([resultUpdate, resultFinal]); + assert(result.equals(plain)); + } } - const resultFinal = decipher.final(); - const result = Buffer.concat([resultUpdate, resultFinal]); - assert(result.equals(plain)); } } From 520717be27f34ea3e969d3781823a256b24996f8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Fri, 14 Sep 2018 16:56:45 +0200 Subject: [PATCH 2/3] Match old behavior when called multiple times --- src/node_crypto.cc | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 1bc21f82e41667..5b3c704bb72c30 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -2899,6 +2899,10 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo& args) { return args.GetReturnValue().Set(false); } + // TODO(tniessen): Throw if the authentication tag has already been set. + if (cipher->auth_tag_state_ == kAuthTagPassedToOpenSSL) + return args.GetReturnValue().Set(true); + unsigned int tag_len = Buffer::Length(args[0]); const int mode = EVP_CIPHER_CTX_mode(cipher->ctx_.get()); bool is_valid; From 994d6b7c249a12125fce8b4fbe27102ed24115f3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Fri, 14 Sep 2018 19:31:23 +0200 Subject: [PATCH 3/3] Remove redundant state --- src/node_crypto.cc | 2 -- src/node_crypto.h | 1 - 2 files changed, 3 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 5b3c704bb72c30..35b06e4ff07ece 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -2818,7 +2818,6 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len, // Remember the given authentication tag length for later. auth_tag_len_ = auth_tag_len; - auth_tag_state_ = kAuthTagLengthKnown; if (mode == EVP_CIPH_CCM_MODE) { // Restrict the message length to min(INT_MAX, 2^(8*(15-iv_len))-1) bytes. @@ -2841,7 +2840,6 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len, // Remember the given authentication tag length for later. auth_tag_len_ = auth_tag_len; - auth_tag_state_ = kAuthTagLengthKnown; } } diff --git a/src/node_crypto.h b/src/node_crypto.h index 6312fc58ebda01..1a93ae7a47e2cf 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -365,7 +365,6 @@ class CipherBase : public BaseObject { }; enum AuthTagState { kAuthTagUnknown, - kAuthTagLengthKnown, kAuthTagKnown, kAuthTagPassedToOpenSSL };