Skip to content

Commit

Permalink
crypto: warn on invalid authentication tag length
Browse files Browse the repository at this point in the history
PR-URL: #17566
Refs: #17523
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: James M Snell <[email protected]>
  • Loading branch information
tniessen authored and MylesBorins committed Jan 9, 2018
1 parent f79d2ef commit d387c17
Show file tree
Hide file tree
Showing 2 changed files with 29 additions and 2 deletions.
12 changes: 10 additions & 2 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -3806,9 +3806,17 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo<Value>& args) {
return env->ThrowError("Attempting to set auth tag in unsupported state");
}

// FIXME(bnoordhuis) Throw when buffer length is not a valid tag size.
// Restrict GCM tag lengths according to NIST 800-38d, page 9.
unsigned int tag_len = Buffer::Length(args[0]);
if (tag_len > 16 || (tag_len < 12 && tag_len != 8 && tag_len != 4)) {
ProcessEmitWarning(cipher->env(),
"Permitting authentication tag lengths of %u bytes is deprecated. "
"Valid GCM tag lengths are 4, 8, 12, 13, 14, 15, 16.",
tag_len);
}

// Note: we don't use std::max() here to work around a header conflict.
cipher->auth_tag_len_ = Buffer::Length(args[0]);
cipher->auth_tag_len_ = tag_len;
if (cipher->auth_tag_len_ > sizeof(cipher->auth_tag_))
cipher->auth_tag_len_ = sizeof(cipher->auth_tag_);

Expand Down
19 changes: 19 additions & 0 deletions test/parallel/test-crypto-authenticated.js
Original file line number Diff line number Diff line change
Expand Up @@ -335,6 +335,14 @@ const errMessages = {

const ciphers = crypto.getCiphers();

common.expectWarning('Warning', (common.hasFipsCrypto ? [] : [
'Use Cipheriv for counter mode of aes-192-gcm'
]).concat(
[0, 1, 2, 6, 9, 10, 11, 17]
.map((i) => `Permitting authentication tag lengths of ${i} bytes is ` +
'deprecated. Valid GCM tag lengths are 4, 8, 12, 13, 14, 15, 16.')
));

for (const i in TEST_CASES) {
const test = TEST_CASES[i];

Expand Down Expand Up @@ -476,3 +484,14 @@ for (const i in TEST_CASES) {
assert.throws(() => encrypt.setAAD(Buffer.from('123', 'ascii')),
errMessages.state);
}

// GCM only supports specific authentication tag lengths, invalid lengths should
// produce warnings.
{
for (const length of [0, 1, 2, 4, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17]) {
const decrypt = crypto.createDecipheriv('aes-256-gcm',
'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
'qkuZpJWCewa6Szih');
decrypt.setAuthTag(Buffer.from('1'.repeat(length)));
}
}

0 comments on commit d387c17

Please sign in to comment.