crypto: Allow GCM ciphers to have a longer IV length #6376
Conversation
In addition, the GCM spec does state the IV can have arbitrary length from 1 to 2^64 bits. This PR still enforces the 96 bit recommended default.
/cc @nodejs/crypto
EVP_CIPHER_CTX_init(&ctx_); | ||
const bool encrypt = (kind_ == kCipher); | ||
EVP_CipherInit_ex(&ctx_, cipher_, nullptr, nullptr, nullptr, encrypt); | ||
|
||
/* Set IV length. Only required if GCM cipher and IV is >12 bytes. */ | ||
if (EVP_CIPHER_mode(cipher_) == EVP_CIPH_GCM_MODE && iv_len > 12) { |
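Review bot: the `iv_len > 12` condition (and the "IV is >12 bytes" comment above it) means a GCM IV shorter than 12 bytes never reaches the length-setting branch, so the context keeps OpenSSL's default 12-byte IV length and the following `EVP_CipherInit_ex` reads 12 bytes from a shorter buffer. Compare against `EVP_CIPHER_iv_length(cipher_)` instead of the literal and call `EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_IVLEN, iv_len, nullptr)` whenever `iv_len` differs from it, so short IVs are handled the same way as long ones.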
Perhaps you can use EVP_CIPHER_iv_length(cipher_) instead of a magic(ish) number.
LGTM with nits.
@bnoordhuis Fixed the nits 👍
LGTM. CI: https://ci.nodejs.org/job/node-test-pull-request/2406/ Can one other member of @nodejs/crypto take a look?
That build failed. Seems to be an issue on OSX, don't think it is related to the code change.
LGTM |
argh! the tick-processor test again :-( really need to figure out why that's flaky again |
96 bits IV in GCM has only a performance benefit rather than a security one. I think that there is no reason to limit its size to be larger than 96 bits as long as it is a nonce.
@shigeki Agreed, probably worded that comment wrong. I was tempted to remove the >96bit check.
key: '6970787039613669314d623455536234', | ||
iv: 'a582a11e7579bfdd0e28f008e1790990d100', plain: 'Hello World!', | ||
ct: '50A054B6DA42B7A853DDE0CC', | ||
tag: 'B05EEC074CE5D0984A1ECAD16300283E', tampered: false } | ||
]; |
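Review bot: the 18-byte IV in this vector does exercise the new non-default length path, but nothing next to it records where the key, ciphertext and tag came from, so a reader cannot recompute or audit them. Add a comment citing the source of each vector, or take the vectors from Appendix B of the GCM spec, which already covers 8-byte and 60-byte IVs with published ciphertext and tag values.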
The official GCM spec has test vectors in Appendix B.
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
For 8-byte and 60-byte IVs, there are Test Cases 5/6 of aes128-gcm, Test Cases 11/12 of aes192-gcm and Test Cases 17/18 of aes256-gcm.
I think it is better to use them. Also I'd be glad if you replace the existing 12-byte IV tests with the official test vectors.
Quick nit: for future reference for anyone looking at this bit of code... some inline comments indicating where the IVs came from and why they were selected would be helpful. As is, the test is rather difficult to follow.
Also, since you're working in this file, would it be possible to update the require statements to use const (in a separate commit)
Awesome, thank you!
{ algo: 'aes-128-gcm', | ||
key: 'feffe9928665731c6d6a8f9467308308', | ||
iv: 'cafebabefacedbaddecaf888', | ||
plain: 'd9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255', |
for the sake of readability and linting, can these be split into multiple concatenated lines? e.g.
'd9313225f88406e5a55909c5aff526' +
'9a86a7a9531534f7da2e4c303d8a31' +
'8a721c3c0c95956809532fcf0e2449' +
'a6b525b16aedf5aa0de657ba637b39' +
'1aafd255'
One additional comment from me. Otherwise LGTM once @shigeki is happy with it. Thank you for adding the source comments
Yes. If we permit the use of IV sizes larger than 12 bytes, we should allow smaller sizes as well.
Appreciate it! Let's give @shigeki some time to review. I know he's looking at the openssl update today so he's likely to be tied up for a bit. I'll throw this into CI for testing here soon though while we wait.
@jasnell Noticed the CI failed in FIPS mode. openssl-fips has a lower limit of 12 byte iv length. Could you rerun ?
Woops I just submitted https://ci.nodejs.org/job/node-test-pull-request/2493/ |
@nodejs/crypto @nodejs/lts should we backport to v4.x? |
I think this would be an acceptable change for a semver-minor LTS release. |
@bnoordhuis this change is not landing cleanly, would you be willing to back port? |
GCM cipher IV length can be >=1 bytes. When not the default 12 bytes (96 bits) sets the IV length using `EVP_CIPHER_CTX_ctrl` with type `EVP_CTRL_GCM_SET_IVLEN` PR-URL: nodejs#6376 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Fix a regression introduced in commit 2996b5c ("crypto: Allow GCM ciphers to have a longer IV length") from April 2016 where a misplaced parenthesis in a 'is ECB cipher?' check made it possible to use empty IVs with non-ECB ciphers. Also fix some exit bugs in test/parallel/test-crypto-authenticated.js that were introduced in commit 4a40832 ("test: cleanup IIFE tests") where removing the IFFEs made the test exit prematurely instead of just skipping subtests. PR-URL: nodejs#9032 Refs: nodejs#6376 Refs: nodejs#9024 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>
Checklist
Affected core subsystem(s)
crypto
Description of change
GCM cipher IV length can have a value >=12 bytes.
When not the default 12 bytes (96 bits), sets the IV length using `EVP_CIPHER_CTX_ctrl` with type `EVP_CTRL_GCM_SET_IVLEN`.