crypto: Allow GCM ciphers to have a longer IV length #6376

mwain · 2016-04-25T18:19:43Z

Checklist

tests and code linting passes
a test and/or benchmark is included
the commit message follows commit guidelines

Affected core subsystem(s)

crypto

Description of change

GCM cipher IV length can have an value >=12 bytes.
When not the default 12 bytes (96 bits) sets the IV length using
EVP_CIPHER_CTX_ctrl with type EVP_CTRL_GCM_SET_IVLEN

mwain · 2016-04-25T19:05:11Z

In addition, the GCM spec does state the IV can have arbitrary length from 1 to 2^64 bits. This PR still enforces the 96 bit recommend default.

mscdex · 2016-04-25T19:23:19Z

/cc @nodejs/crypto

bnoordhuis · 2016-04-27T10:04:50Z

src/node_crypto.cc

  EVP_CIPHER_CTX_init(&ctx_);
  const bool encrypt = (kind_ == kCipher);
  EVP_CipherInit_ex(&ctx_, cipher_, nullptr, nullptr, nullptr, encrypt);
+
+  /* Set IV length. Only required if GCM cipher and IV is >12 bytes. */
+  if (EVP_CIPHER_mode(cipher_) == EVP_CIPH_GCM_MODE && iv_len > 12) {


Perhaps you can use EVP_CIPHER_iv_length(cipher_) instead of a magic(ish) number.

bnoordhuis · 2016-04-27T10:07:03Z

LGTM with nits.

mwain · 2016-04-27T14:04:30Z

@bnoordhuis Fixed the nits 👍

bnoordhuis · 2016-04-27T14:11:54Z

LGTM. CI: https://ci.nodejs.org/job/node-test-pull-request/2406/

Can one other member of @nodejs/crypto take a look?

mwain · 2016-04-27T14:58:19Z

That build failed. Seems to be an issue on OSX, dont think it is related to the code change.

indutny · 2016-04-27T15:02:50Z

LGTM

jasnell · 2016-04-27T15:36:08Z

argh! the tick-processor test again :-( really need to figure out why that's flaky again

shigeki · 2016-04-27T16:45:25Z

@mwain

In addition, the GCM spec does state the IV can have arbitrary length from 1 to 2^64 bits. This PR still enforces the 96 bit recommend default.

96 bits IV in GCM has only a performance benefit rather than a security one. I think that there is no reason to limits its size to be lager than 96 bits as long as it is nonce.

mwain · 2016-04-27T17:21:13Z

@shigeki Agreed, probably worded that comment wrong. I was tempted to remove the the >96bit check.

shigeki · 2016-04-28T00:45:23Z

test/parallel/test-crypto-authenticated.js

+    key: '6970787039613669314d623455536234',
+    iv: 'a582a11e7579bfdd0e28f008e1790990d100', plain: 'Hello World!',
+    ct: '50A054B6DA42B7A853DDE0CC',
+    tag: 'B05EEC074CE5D0984A1ECAD16300283E', tampered: false }
 ];


The official GCM spec has test vectors in Appendix B.
http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/proposedmodes/gcm/gcm-revised-spec.pdf
For 8bytes and 60bytes IV, there are Test Case 5/6 of aes128-gcm, Test Case 11/12 of aes192-gcm and Test Case 17/18 of aes256-gcm.
I think it is better to use them. Also I'd be glad if you replace existing 12bytes IV tests to the official test vectors.

Quick nit: for future reference for anyone looking at this bit of code... some inline comments indicating where the iv's came from and why they were selected would be helpful. As is, the test is rather difficult to follow.

Also, since you're working in this file, would it be possible to update the require statements to use const (in a separate commit)

mwain · 2016-04-29T12:19:18Z

@shigeki Ive added new test cases from the spec.
Do you think we should remove the 12 byte lower limit?

@jasnell Ive updated the the require to use const.

jasnell · 2016-04-29T12:36:09Z

Awesome, thank you!
On Apr 29, 2016 5:19 AM, "Michael" [email protected] wrote:

@shigeki https://github.com/shigeki Ive added new test cases from the
spec.
Do you think we should remove the 12 byte lower limit?

@jasnell https://github.com/jasnell Ive updated the the require to use
const.

—
You are receiving this because you were mentioned.
Reply to this email directly or view it on GitHub
#6376 (comment)

jasnell · 2016-04-29T19:42:40Z

test/parallel/test-crypto-authenticated.js

+  { algo: 'aes-128-gcm',
+    key: 'feffe9928665731c6d6a8f9467308308',
+    iv: 'cafebabefacedbaddecaf888',
+    plain: 'd9313225f88406e5a55909c5aff5269a86a7a9531534f7da2e4c303d8a318a721c3c0c95956809532fcf0e2449a6b525b16aedf5aa0de657ba637b391aafd255',


for the sake of readability and linting, can these be split into multiple concatenated lines? e.g.

'd9313225f88406e5a55909c5aff526' + '9a86a7a9531534f7da2e4c303d8a31' + '8a721c3c0c95956809532fcf0e2449' + 'a6b525b16aedf5aa0de657ba637b39' + '1aafd255'

jasnell · 2016-04-29T19:43:57Z

One additional comment from me. Otherwise LGTM once @shigeki is happy with it. Thank you for adding the source comments

shigeki · 2016-04-30T01:00:37Z

@mwain

Do you think we should remove the 12 byte lower limit?

Yes. If we permit to use larger size of IV than 12 bytes, we should allow smaller size as well.

mwain · 2016-05-03T10:13:44Z

@shigeki Updated to allow smaller IV lengths. Added more tests to.
@jasnell Ive split the long lines down 👍

Once your all happy i will squish and tidy the commits up.

jasnell · 2016-05-03T13:13:45Z

Appreciate it! Let's give @shigeki some time to review. I know he's looking at the openssl update today so he's likely to be tied up for a bit. I'll throw this into CI for testing here soon tho while we wait.

jasnell · 2016-05-03T13:15:15Z

CI: https://ci.nodejs.org/job/node-test-pull-request/2478

mwain · 2016-05-04T14:58:53Z

@jasnell Noticed the CI failed in FIPS mode. openssl-fips has an lower limit of 12 byte iv length.
Skipping tests which have IV lengths <12bytes when it FIPs mode.

Could you rerun ?

bnoordhuis · 2016-05-04T15:11:48Z

https://ci.nodejs.org/job/node-test-pull-request/2494/

EDIT: Hah! https://ci.nodejs.org/job/node-test-pull-request/2493/

shigeki · 2016-05-04T15:12:13Z

Woops I just submitted https://ci.nodejs.org/job/node-test-pull-request/2493/

MylesBorins · 2016-07-11T23:53:26Z

@nodejs/crypto @nodejs/lts should we backport to v4.x?

bnoordhuis · 2016-07-12T13:27:33Z

I think this would be an acceptable change for a semver-minor LTS release.

MylesBorins · 2016-07-12T17:00:51Z

@bnoordhuis this change is not landing cleanly, would you be willing to back port?

GCM cipher IV length can be >=1 bytes. When not the default 12 bytes (96 bits) sets the IV length using `EVP_CIPHER_CTX_ctrl` with type `EVP_CTRL_GCM_SET_IVLEN` PR-URL: nodejs#6376 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>

bnoordhuis · 2016-07-13T06:43:47Z

#7705

GCM cipher IV length can be >=1 bytes. When not the default 12 bytes (96 bits) sets the IV length using `EVP_CIPHER_CTX_ctrl` with type `EVP_CTRL_GCM_SET_IVLEN` PR-URL: #6376 Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>

Fix a regression introduced in commit 2996b5c ("crypto: Allow GCM ciphers to have a longer IV length") from April 2016 where a misplaced parenthesis in a 'is ECB cipher?' check made it possible to use empty IVs with non-ECB ciphers. Also fix some exit bugs in test/parallel/test-crypto-authenticated.js that were introduced in commit 4a40832 ("test: cleanup IIFE tests") where removing the IFFEs made the test exit prematurely instead of just skipping subtests. PR-URL: nodejs#9032 Refs: nodejs#6376 Refs: nodejs#9024 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>

Fix a regression introduced in commit 2996b5c ("crypto: Allow GCM ciphers to have a longer IV length") from April 2016 where a misplaced parenthesis in a 'is ECB cipher?' check made it possible to use empty IVs with non-ECB ciphers. Also fix some exit bugs in test/parallel/test-crypto-authenticated.js that were introduced in commit 4a40832 ("test: cleanup IIFE tests") where removing the IFFEs made the test exit prematurely instead of just skipping subtests. PR-URL: #9032 Refs: #6376 Refs: #9024 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>

Fix a regression introduced in commit 2996b5c ("crypto: Allow GCM ciphers to have a longer IV length") from April 2016 where a misplaced parenthesis in a 'is ECB cipher?' check made it possible to use empty IVs with non-ECB ciphers. Also fix some exit bugs in test/parallel/test-crypto-authenticated.js that were introduced in commit 4a40832 ("test: cleanup IIFE tests") where removing the IFFEs made the test exit prematurely instead of just skipping subtests. PR-URL: nodejs#9032 Refs: nodejs#6376 Refs: nodejs#9024 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>

Fix a regression introduced in commit 2996b5c ("crypto: Allow GCM ciphers to have a longer IV length") from April 2016 where a misplaced parenthesis in a 'is ECB cipher?' check made it possible to use empty IVs with non-ECB ciphers. Also fix some exit bugs in test/parallel/test-crypto-authenticated.js that were introduced in commit 4a40832 ("test: cleanup IIFE tests") where removing the IFFEs made the test exit prematurely instead of just skipping subtests. PR-URL: #9032 Refs: #6376 Refs: #9024 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: Shigeki Ohtsu <[email protected]>

nodejs-github-bot added the c++ Issues and PRs that require attention from people who are familiar with C++. label Apr 25, 2016

mscdex added the crypto Issues and PRs related to the crypto subsystem. label Apr 25, 2016

estliberitas force-pushed the master branch 2 times, most recently from 7da4fd4 to c7066fb Compare April 26, 2016 05:23

bnoordhuis reviewed Apr 27, 2016
View reviewed changes

mwain force-pushed the crypt-gcm-ivLen-increase branch from ed78728 to dfb3d8b Compare April 27, 2016 14:01

shigeki reviewed Apr 28, 2016
View reviewed changes

jasnell reviewed Apr 29, 2016
View reviewed changes

mwain force-pushed the crypt-gcm-ivLen-increase branch from 919fdc3 to 0fab5be Compare May 3, 2016 10:10

Fishrock123 mentioned this pull request Jul 5, 2016

Propose v6.3.0 (v2) #7550

Merged

MylesBorins mentioned this pull request Jul 11, 2016

Audit commits not found on v4.x-staging #7661

Closed

MylesBorins added the lts-watch-v4.x label Jul 11, 2016

MylesBorins added dont-land-on-v4.x and removed lts-watch-v4.x labels Jul 13, 2016

MylesBorins mentioned this pull request Jul 14, 2016

v4.5.0 proposal #7688

Merged

bnoordhuis mentioned this pull request Oct 11, 2016

crypto: fix faulty logic in iv size check #9032

Merged

MylesBorins added the land-on-v4.x label Nov 11, 2016

This was referenced Nov 18, 2016

crypto: fix faulty logic in iv size check #9686

Closed

crypto: fix faulty logic in iv size check (backport #9032) #9687

Closed

This was referenced Feb 15, 2018

Change testing suite to follow lisk standards - Closes #448 LiskArchive/lisk-commander#437

Merged

Add multiple node.js version support - Closes #561 LiskArchive/lisk-elements#562

Merged

twwildey mentioned this pull request May 25, 2024

JWT decryption does not support IVs longer than encryption key length for GCM panva/jose#678

Closed

2 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

crypto: Allow GCM ciphers to have a longer IV length #6376

crypto: Allow GCM ciphers to have a longer IV length #6376

mwain commented Apr 25, 2016

mwain commented Apr 25, 2016 •

edited

Loading

mscdex commented Apr 25, 2016

bnoordhuis Apr 27, 2016

bnoordhuis commented Apr 27, 2016

mwain commented Apr 27, 2016

bnoordhuis commented Apr 27, 2016

mwain commented Apr 27, 2016

indutny commented Apr 27, 2016

jasnell commented Apr 27, 2016

shigeki commented Apr 27, 2016

mwain commented Apr 27, 2016

shigeki Apr 28, 2016

jasnell Apr 29, 2016

jasnell Apr 29, 2016

mwain commented Apr 29, 2016

jasnell commented Apr 29, 2016

jasnell Apr 29, 2016

jasnell commented Apr 29, 2016

shigeki commented Apr 30, 2016

mwain commented May 3, 2016

jasnell commented May 3, 2016

jasnell commented May 3, 2016

mwain commented May 4, 2016

bnoordhuis commented May 4, 2016 •

edited

Loading

shigeki commented May 4, 2016

MylesBorins commented Jul 11, 2016

bnoordhuis commented Jul 12, 2016

MylesBorins commented Jul 12, 2016

bnoordhuis commented Jul 13, 2016

crypto: Allow GCM ciphers to have a longer IV length #6376

crypto: Allow GCM ciphers to have a longer IV length #6376

Conversation

mwain commented Apr 25, 2016

Checklist

Affected core subsystem(s)

Description of change

mwain commented Apr 25, 2016 • edited Loading

mscdex commented Apr 25, 2016

bnoordhuis Apr 27, 2016

Choose a reason for hiding this comment

bnoordhuis commented Apr 27, 2016

mwain commented Apr 27, 2016

bnoordhuis commented Apr 27, 2016

mwain commented Apr 27, 2016

indutny commented Apr 27, 2016

jasnell commented Apr 27, 2016

shigeki commented Apr 27, 2016

mwain commented Apr 27, 2016

shigeki Apr 28, 2016

Choose a reason for hiding this comment

jasnell Apr 29, 2016

Choose a reason for hiding this comment

jasnell Apr 29, 2016

Choose a reason for hiding this comment

mwain commented Apr 29, 2016

jasnell commented Apr 29, 2016

jasnell Apr 29, 2016

Choose a reason for hiding this comment

jasnell commented Apr 29, 2016

shigeki commented Apr 30, 2016

mwain commented May 3, 2016

jasnell commented May 3, 2016

jasnell commented May 3, 2016

mwain commented May 4, 2016

bnoordhuis commented May 4, 2016 • edited Loading

shigeki commented May 4, 2016

MylesBorins commented Jul 11, 2016

bnoordhuis commented Jul 12, 2016

MylesBorins commented Jul 12, 2016

bnoordhuis commented Jul 13, 2016

mwain commented Apr 25, 2016 •

edited

Loading

bnoordhuis commented May 4, 2016 •

edited

Loading