Skip to content

Commit

Permalink
crypto: check for invalid chacha20-poly1305 IVs
Browse files Browse the repository at this point in the history
IV lengths of 13, 14, 15, and 16 are invalid, but are not checked by
OpenSSL. IV lengths of 17 or greater are also invalid, but they
were already checked by OpenSSL.

See:
- openssl/openssl@f426625b6a
- https://www.openssl.org/news/secadv/20190306.txt

PR-URL: #26537
Reviewed-By: Ben Noordhuis <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Ruben Bridgewater <[email protected]>
Reviewed-By: James M Snell <[email protected]>
Reviewed-By: Michael Dawson <[email protected]>
  • Loading branch information
sam-github authored and BridgeAR committed Mar 13, 2019
1 parent d599ada commit 1a0602a
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 0 deletions.
10 changes: 10 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -3673,6 +3673,16 @@ void CipherBase::InitIv(const char* cipher_type,
return env()->ThrowError("Invalid IV length");
}

if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305) {
CHECK(has_iv);
// Check for invalid IV lengths, since OpenSSL does not under some
// conditions:
// https://www.openssl.org/news/secadv/20190306.txt.
if (iv_len > 12) {
return env()->ThrowError("Invalid IV length");
}
}

CommonInit(cipher_type, cipher, key, key_len, iv, iv_len, auth_tag_len);
}

Expand Down
48 changes: 48 additions & 0 deletions test/parallel/test-crypto-authenticated.js
Original file line number Diff line number Diff line change
Expand Up @@ -616,3 +616,51 @@ for (const test of TEST_CASES) {
assert(plain.equals(plaintext));
}
}


// Test chacha20-poly1305 rejects invalid IV lengths of 13, 14, 15, and 16 (a
// length of 17 or greater was already rejected).
// - https://www.openssl.org/news/secadv/20190306.txt
{
// Valid extracted from TEST_CASES, check that it detects IV tampering.
const valid = {
algo: 'chacha20-poly1305',
key: '808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f',
iv: '070000004041424344454647',
plain: '4c616469657320616e642047656e746c656d656e206f662074686520636c6173' +
'73206f66202739393a204966204920636f756c64206f6666657220796f75206f' +
'6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73' +
'637265656e20776f756c642062652069742e',
plainIsHex: true,
aad: '50515253c0c1c2c3c4c5c6c7',
ct: 'd31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5' +
'a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e06' +
'0b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fa' +
'b324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d265' +
'86cec64b6116',
tag: '1ae10b594f09e26a7e902ecbd0600691',
tampered: false,
};

// Invalid IV lengths should be detected:
// - 12 and below are valid.
// - 13-16 are not detected as invalid by some OpenSSL versions.
check(13);
check(14);
check(15);
check(16);
// - 17 and above were always detected as invalid by OpenSSL.
check(17);

function check(ivLength) {
const prefix = ivLength - valid.iv.length / 2;
assert.throws(() => crypto.createCipheriv(
valid.algo,
Buffer.from(valid.key, 'hex'),
Buffer.from(H(prefix) + valid.iv, 'hex'),
{ authTagLength: valid.tag.length / 2 }
), errMessages.length, `iv length ${ivLength} was not rejected`);

function H(length) { return '00'.repeat(length); }
}
}

0 comments on commit 1a0602a

Please sign in to comment.