AES Key Wrap Segfault #15009

EternalDeiwos · 2017-08-24T12:12:28Z

Version: 6.11.2
Platform: Linux PCName 4.8.0-56-generic # 61~16.04.1-Ubuntu SMP Wed Jun 14 11:58:22 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
Subsystem: crypto -> ciphers -> id-aesXXX-wrap

We're trying to do aes key wrapping for our nodejs webcrypto implementation. We were having some trouble so we made the following test script (using data from RFC3394):

'use strict'

const crypto = require('crypto')

let cipherName = 'id-aes128-wrap'

// Ripped from RFC3394
let kekHex = '000102030405060708090A0B0C0D0E0F' // for 256: '000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F'
let keyHex = '00112233445566778899AABBCCDDEEFF' // for 256: '00112233445566778899AABBCCDDEEFF000102030405060708090A0B0C0D0E0F'
let ivHex = 'A6A6A6A6A6A6A6A6'

let iv = Buffer.from(ivHex, 'hex')
let kek = Buffer.from(kekHex, 'hex')
let key = Buffer.from(keyHex, 'hex')

try {
  let cipher = crypto.createCipheriv(cipherName, kek, iv)
  let result = cipher.update(key)
  let final = cipher.final()

  // TODO process result

  console.log('RESULT', result, final)
} catch (error) {
  console.error('ERROR', error)
}

Running this script causes node to segfault. Any ideas?

joyeecheung · 2017-08-24T15:47:44Z

I can reproduce this with v8.4.0.

Process 14998 stopped
* thread #1, name = 'node', stop reason = signal SIGSEGV: invalid address (fault address: 0x24dc000)
    frame #0: 0x0000000000a7cbe0 node`_x86_64_AES_encrypt_compact + 48
node`_x86_64_AES_encrypt_compact:
->  0xa7cbe0 <+48>: xorl   (%r15), %eax
    0xa7cbe3 <+51>: xorl   0x4(%r15), %ebx
    0xa7cbe7 <+55>: xorl   0x8(%r15), %ecx
    0xa7cbeb <+59>: xorl   0xc(%r15), %edx
(lldb) register read r15
     r15 = 0x00000000024dc000
(lldb) memory read 0x00000000024dc000
error: memory read failed for 0x24dc000

jasnell · 2017-08-24T15:56:37Z

@nodejs/crypto

shigeki · 2017-08-24T16:52:53Z

The following patch would fix this. I'll submit a PR with tests tomorrow.

diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 1fa522d..e8391dc 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -3396,13 +3396,18 @@ void CipherBase::InitIv(const char* cipher_type,
   }

   const int expected_iv_len = EVP_CIPHER_iv_length(cipher);
-  const bool is_gcm_mode = (EVP_CIPH_GCM_MODE == EVP_CIPHER_mode(cipher));
+  const int mode = EVP_CIPHER_mode(cipher);
+  const bool is_gcm_mode = (EVP_CIPH_GCM_MODE == mode);

   if (is_gcm_mode == false && iv_len != expected_iv_len) {
     return env()->ThrowError("Invalid IV length");
   }

   EVP_CIPHER_CTX_init(&ctx_);
+
+  if (mode == EVP_CIPH_WRAP_MODE)
+    EVP_CIPHER_CTX_set_flags(&ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW);
+
   const bool encrypt = (kind_ == kCipher);
   EVP_CipherInit_ex(&ctx_, cipher, nullptr, nullptr, nullptr, encrypt);

$ ./node ~/test_aes_wrap.js
RESULT <Buffer 1f a6 8b 0a 81 12 b4 47 ae f3 4b d8 fb 5a 7b 82 9d 3e 86 23 71 d2 cf e5> <Buffer >

EternalDeiwos · 2017-08-29T16:46:56Z

@shigeki thanks for the fix 👍

EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag needs to be set in using wrap mode ciphers. In `crypto.createCipher()`, AES key wrap mode does not use a default IV defined in RFC3394 but a generated IV with `EVP_BytesToKey()` to be consistent API behaviors with other ciphers. The built-in AES wrap mode in OpenSSL is not supported in FIPS mode as http://openssl.6102.n7.nabble.com/AES-Key-Wrap-in-FIPS-Mode-td50238.html so its tests in FIPS mode are skipped. Fixes: nodejs/node#15009 PR-URL: nodejs/node#15037 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]>

EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag needs to be set in using wrap mode ciphers. In `crypto.createCipher()`, AES key wrap mode does not use a default IV defined in RFC3394 but a generated IV with `EVP_BytesToKey()` to be consistent API behaviors with other ciphers. The built-in AES wrap mode in OpenSSL is not supported in FIPS mode as http://openssl.6102.n7.nabble.com/AES-Key-Wrap-in-FIPS-Mode-td50238.html so its tests in FIPS mode are skipped. Fixes: nodejs#15009 PR-URL: nodejs#15037 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]>

EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag needs to be set in using wrap mode ciphers. In `crypto.createCipher()`, AES key wrap mode does not use a default IV defined in RFC3394 but a generated IV with `EVP_BytesToKey()` to be consistent API behaviors with other ciphers. The built-in AES wrap mode in OpenSSL is not supported in FIPS mode as http://openssl.6102.n7.nabble.com/AES-Key-Wrap-in-FIPS-Mode-td50238.html so its tests in FIPS mode are skipped. Fixes: #15009 PR-URL: #15037 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]>

EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag needs to be set in using wrap mode ciphers. In `crypto.createCipher()`, AES key wrap mode does not use a default IV defined in RFC3394 but a generated IV with `EVP_BytesToKey()` to be consistent API behaviors with other ciphers. The built-in AES wrap mode in OpenSSL is not supported in FIPS mode as http://openssl.6102.n7.nabble.com/AES-Key-Wrap-in-FIPS-Mode-td50238.html so its tests in FIPS mode are skipped. Fixes: nodejs#15009 PR-URL: nodejs#15037 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]>

EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag needs to be set in using wrap mode ciphers. In `crypto.createCipher()`, AES key wrap mode does not use a default IV defined in RFC3394 but a generated IV with `EVP_BytesToKey()` to be consistent API behaviors with other ciphers. The built-in AES wrap mode in OpenSSL is not supported in FIPS mode as http://openssl.6102.n7.nabble.com/AES-Key-Wrap-in-FIPS-Mode-td50238.html so its tests in FIPS mode are skipped. Backport-PR-URL: #16584 Fixes: #15009 PR-URL: #15037 Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Tobias Nießen <[email protected]> Reviewed-By: James M Snell <[email protected]>

EternalDeiwos mentioned this issue Aug 24, 2017

AES-KW anvilresearch/webcrypto#45

Closed

joyeecheung added crypto Issues and PRs related to the crypto subsystem. openssl Issues and PRs related to the OpenSSL dependency. labels Aug 24, 2017

jasnell added the confirmed-bug Issues with confirmed bugs. label Aug 24, 2017

shigeki mentioned this issue Aug 26, 2017

crypto: fix error of createCipher in wrap mode #15037

Closed

4 tasks

shigeki closed this as completed in 4218f19 Aug 29, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

AES Key Wrap Segfault #15009

AES Key Wrap Segfault #15009

EternalDeiwos commented Aug 24, 2017 •

edited

Loading

joyeecheung commented Aug 24, 2017 •

edited

Loading

jasnell commented Aug 24, 2017

shigeki commented Aug 24, 2017

EternalDeiwos commented Aug 29, 2017

AES Key Wrap Segfault #15009

AES Key Wrap Segfault #15009

Comments

EternalDeiwos commented Aug 24, 2017 • edited Loading

joyeecheung commented Aug 24, 2017 • edited Loading

jasnell commented Aug 24, 2017

shigeki commented Aug 24, 2017

EternalDeiwos commented Aug 29, 2017

EternalDeiwos commented Aug 24, 2017 •

edited

Loading

joyeecheung commented Aug 24, 2017 •

edited

Loading