From 193d6d1bda6bb8c768b809057774aa4bca5f5d99 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Nie=C3=9Fen?= Date: Thu, 21 Jun 2018 17:59:49 +0200 Subject: [PATCH] doc: update notes about GCM decryption Given that https://github.com/nodejs/node/pull/17825 and https://github.com/nodejs/node/pull/20039 have landed on master, this statement is no longer true. PR-URL: https://github.com/nodejs/node/pull/21445 Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Luigi Pinca Reviewed-By: Trivikram Kamat --- doc/api/crypto.md | 12 ++---------- 1 file changed, 2 insertions(+), 10 deletions(-) diff --git a/doc/api/crypto.md b/doc/api/crypto.md index e8acd1d0d8b..525efc01b8e 100644 --- a/doc/api/crypto.md +++ b/doc/api/crypto.md @@ -441,16 +441,8 @@ supported), the `decipher.setAuthTag()` method is used to pass in the received _authentication tag_. If no tag is provided, or if the cipher text has been tampered with, [`decipher.final()`][] will throw, indicating that the cipher text should be discarded due to failed authentication. If the tag length -is invalid according to [NIST SP 800-38D][], `decipher.setAuthTag()` will throw -an error. - -Note that this Node.js version does not verify the length of GCM authentication -tags. Such a check *must* be implemented by applications and is crucial to the -authenticity of the encrypted data, otherwise, an attacker can use an -arbitrarily short authentication tag to increase the chances of successfully -passing authentication (up to 0.39%). It is highly recommended to associate one -of the values 16, 15, 14, 13, 12, 8 or 4 bytes with each key, and to only permit -authentication tags of that length, see [NIST SP 800-38D][]. +is invalid according to [NIST SP 800-38D][] or does not match the value of the +`authTagLength` option, `decipher.setAuthTag()` will throw an error. The `decipher.setAuthTag()` method must be called before [`decipher.final()`][].
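Review bot: The replacement sentence at the end of the hunk ("or does not match the value of the `authTagLength` option") does not say what is enforced when `authTagLength` is omitted, and the removed paragraph's advice to associate a single tag length with each key is dropped without a substitute. As written, a caller who does not pass the option is covered only by the NIST SP 800-38D validity check, which, going by the list in the removed lines (16, 15, 14, 13, 12, 8 or 4 bytes), still admits tags as short as 4 bytes. Dropping the "does not verify the length" statement is fine given the two referenced PRs, but consider keeping one sentence that recommends setting `authTagLength` on the decipher so that only the tag length expected for that key is accepted, and stating explicitly that without the option any length valid under NIST SP 800-38D passes `decipher.setAuthTag()`.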