crypto: make auth tag size assumption explicit #57803

tniessen · 2025-04-09T08:15:26Z

The CipherBase class assumes that any authentication tag will fit into EVP_GCM_TLS_TAG_LEN bytes, which is true because Node.js only supports GCM with AES as the block cipher, and the block size of AES happens to be 16 bytes, which coincidentally is also the output size of the Poly1305 construction used by ChaCha20-Poly1305 as well as the maximum size of authentication tags produced by AES in CCM or OCB mode.

This commit adds a new constant ncrypto::Cipher::MAX_AUTH_TAG_LENGTH which is the maximum length of authentication tags produced by algorithms that Node.js supports and replaces some constants in CipherBase with semantically more meaningful named constants.

The OpenSSL team is debating whether a constant like MAX_AUTH_TAG_LENGTH (EVP_MAX_AEAD_TAG_LENGTH) should exist at all since its value necessarily depends on the set of AEAD algorithms supported, but I do believe that, for Node.js, this is a step in the right direction. It certainly makes more sense than to use the AES-GCM tag size as defined by TLS.

(Then again, ncrypto::Cipher::MAX_KEY_LENGTH is set to 512 bits and I do not believe that we currently support any ciphers that use 512-bit keys, so in the same sense, we could increase ncrypto::Cipher::MAX_AUTH_TAG_LENGTH in the future just to be on the safe side for user-provisioned ciphers at the cost of allocating a few more bytes for each CipherBase object.)

The `CipherBase` class assumes that any authentication tag will fit into `EVP_GCM_TLS_TAG_LEN` bytes, which is true because Node.js only supports GCM with AES as the blocker cipher, and the block size of AES happens to be 16 bytes, which coincidentally is also the output size of the Poly1305 construction used by ChaCha20-Poly1305 as well as the maximum size of authentication tags produced by AES in CCM or OCB mode. This commit adds a new constant `ncrypto::Cipher::MAX_AUTH_TAG_LENGTH` which is the maximum length of authentication tags produced by algorithms that Node.js supports and replaces some constants in `CipherBase` with semantically more meaningful named constants. The OpenSSL team is debating whether a constant like `MAX_AUTH_TAG_LENGTH` (`EVP_MAX_AEAD_TAG_LENGTH`) should exist at all since its value necessarily depends on the set of AEAD algorithms supported, but I do believe that, for Node.js, this is a step in the right direction. It certainly makes more sense than to use the AES-GCM tag size as defined by TLS.

nodejs-github-bot · 2025-04-09T08:15:32Z

Review requested:

@nodejs/crypto
@nodejs/security-wg

codecov · 2025-04-09T09:04:26Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 90.22%. Comparing base (1540fc6) to head (bfa5d9f).
Report is 233 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #57803      +/-   ##
==========================================
- Coverage   90.23%   90.22%   -0.02%     
==========================================
  Files         630      630              
  Lines      185288   185516     +228     
  Branches    36344    36384      +40     
==========================================
+ Hits       167203   167375     +172     
- Misses      11006    11033      +27     
- Partials     7079     7108      +29

Files with missing lines	Coverage Δ
src/crypto/crypto_cipher.cc	`72.45% <100.00%> (ø)`
src/crypto/crypto_cipher.h	`60.00% <ø> (ø)`

... and 32 files with indirect coverage changes

🚀 New features to boost your workflow:

❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

nodejs-github-bot · 2025-04-11T20:57:52Z

CI: https://ci.nodejs.org/job/node-test-pull-request/66208/ 💛

The `CipherBase` class assumes that any authentication tag will fit into `EVP_GCM_TLS_TAG_LEN` bytes, which is true because Node.js only supports GCM with AES as the blocker cipher, and the block size of AES happens to be 16 bytes, which coincidentally is also the output size of the Poly1305 construction used by ChaCha20-Poly1305 as well as the maximum size of authentication tags produced by AES in CCM or OCB mode. This commit adds a new constant `ncrypto::Cipher::MAX_AUTH_TAG_LENGTH` which is the maximum length of authentication tags produced by algorithms that Node.js supports and replaces some constants in `CipherBase` with semantically more meaningful named constants. The OpenSSL team is debating whether a constant like `MAX_AUTH_TAG_LENGTH` (`EVP_MAX_AEAD_TAG_LENGTH`) should exist at all since its value necessarily depends on the set of AEAD algorithms supported, but I do believe that, for Node.js, this is a step in the right direction. It certainly makes more sense than to use the AES-GCM tag size as defined by TLS. PR-URL: #57803 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>

jasnell · 2025-04-12T18:25:47Z

Landed in 195ed4a

The `CipherBase` class assumes that any authentication tag will fit into `EVP_GCM_TLS_TAG_LEN` bytes, which is true because Node.js only supports GCM with AES as the blocker cipher, and the block size of AES happens to be 16 bytes, which coincidentally is also the output size of the Poly1305 construction used by ChaCha20-Poly1305 as well as the maximum size of authentication tags produced by AES in CCM or OCB mode. This commit adds a new constant `ncrypto::Cipher::MAX_AUTH_TAG_LENGTH` which is the maximum length of authentication tags produced by algorithms that Node.js supports and replaces some constants in `CipherBase` with semantically more meaningful named constants. The OpenSSL team is debating whether a constant like `MAX_AUTH_TAG_LENGTH` (`EVP_MAX_AEAD_TAG_LENGTH`) should exist at all since its value necessarily depends on the set of AEAD algorithms supported, but I do believe that, for Node.js, this is a step in the right direction. It certainly makes more sense than to use the AES-GCM tag size as defined by TLS. PR-URL: #57803 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>

aduh95 · 2025-05-06T19:42:26Z

This needs a manual backport for v22.x

The `CipherBase` class assumes that any authentication tag will fit into `EVP_GCM_TLS_TAG_LEN` bytes, which is true because Node.js only supports GCM with AES as the blocker cipher, and the block size of AES happens to be 16 bytes, which coincidentally is also the output size of the Poly1305 construction used by ChaCha20-Poly1305 as well as the maximum size of authentication tags produced by AES in CCM or OCB mode. This commit adds a new constant `ncrypto::Cipher::MAX_AUTH_TAG_LENGTH` which is the maximum length of authentication tags produced by algorithms that Node.js supports and replaces some constants in `CipherBase` with semantically more meaningful named constants. The OpenSSL team is debating whether a constant like `MAX_AUTH_TAG_LENGTH` (`EVP_MAX_AEAD_TAG_LENGTH`) should exist at all since its value necessarily depends on the set of AEAD algorithms supported, but I do believe that, for Node.js, this is a step in the right direction. It certainly makes more sense than to use the AES-GCM tag size as defined by TLS. PR-URL: nodejs/node#57803 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>

tniessen added crypto Issues and PRs related to the crypto subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. labels Apr 9, 2025

nodejs-github-bot added lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Apr 9, 2025

addaleax approved these changes Apr 9, 2025

View reviewed changes

tniessen added author ready PRs that have at least one approval, no pending requests for changes, and a CI started. request-ci Add this label to start a Jenkins CI on a PR. labels Apr 10, 2025

github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 10, 2025

This comment has been minimized.

Sign in to view

jasnell approved these changes Apr 10, 2025

View reviewed changes

jasnell closed this Apr 12, 2025

RafaelGSS mentioned this pull request May 1, 2025

2025-05-06, Version 24.0.0 (Current) #57609

Merged

aduh95 added the backport-requested-v22.x PRs awaiting manual backport to the v22.x-staging branch. label May 6, 2025

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

crypto: make auth tag size assumption explicit #57803

crypto: make auth tag size assumption explicit #57803

Uh oh!

tniessen commented Apr 9, 2025 •

edited

Loading

Uh oh!

nodejs-github-bot commented Apr 9, 2025

Uh oh!

codecov bot commented Apr 9, 2025 •

edited

Loading

Uh oh!

This comment has been minimized.

nodejs-github-bot commented Apr 11, 2025 •

edited by jasnell

Loading

Uh oh!

jasnell commented Apr 12, 2025

Uh oh!

aduh95 commented May 6, 2025

Uh oh!

Uh oh!

Uh oh!

crypto: make auth tag size assumption explicit #57803

crypto: make auth tag size assumption explicit #57803

Uh oh!

Conversation

tniessen commented Apr 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

nodejs-github-bot commented Apr 9, 2025

Uh oh!

codecov bot commented Apr 9, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

This comment has been minimized.

nodejs-github-bot commented Apr 11, 2025 • edited by jasnell Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

jasnell commented Apr 12, 2025

Uh oh!

aduh95 commented May 6, 2025

Uh oh!

Uh oh!

tniessen commented Apr 9, 2025 •

edited

Loading

codecov bot commented Apr 9, 2025 •

edited

Loading

nodejs-github-bot commented Apr 11, 2025 •

edited by jasnell

Loading