crypto: warn on invalid authentication tag length

PR-URL: https://github.com/nodejs/node/pull/17566 Refs: https://github.com/nodejs/node/issues/17523 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
2017-12-09 13:23:18 +01:00 · 2017-12-09 13:23:18 +01:00 · 1a396bbd6b
commit 1a396bbd6b
parent e565534510
2 changed files with 29 additions and 2 deletions
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@ -3783,9 +3783,17 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo<Value>& args) {
    return args.GetReturnValue().Set(false);
  }

-  // FIXME(bnoordhuis) Throw when buffer length is not a valid tag size.
+  // Restrict GCM tag lengths according to NIST 800-38d, page 9.
+  unsigned int tag_len = Buffer::Length(args[0]);
+  if (tag_len > 16 || (tag_len < 12 && tag_len != 8 && tag_len != 4)) {
+    ProcessEmitWarning(cipher->env(),
+        "Permitting authentication tag lengths of %u bytes is deprecated. "
+        "Valid GCM tag lengths are 4, 8, 12, 13, 14, 15, 16.",
+        tag_len);
+  }
+
  // Note: we don't use std::max() here to work around a header conflict.
-  cipher->auth_tag_len_ = Buffer::Length(args[0]);
+  cipher->auth_tag_len_ = tag_len;
  if (cipher->auth_tag_len_ > sizeof(cipher->auth_tag_))
    cipher->auth_tag_len_ = sizeof(cipher->auth_tag_);

--- a/test/parallel/test-crypto-authenticated.js
+++ b/test/parallel/test-crypto-authenticated.js
@ -335,6 +335,14 @@ const errMessages = {

 const ciphers = crypto.getCiphers();

+common.expectWarning('Warning', (common.hasFipsCrypto ? [] : [
+  'Use Cipheriv for counter mode of aes-192-gcm'
+]).concat(
+  [0, 1, 2, 6, 9, 10, 11, 17]
+  .map((i) => `Permitting authentication tag lengths of ${i} bytes is ` +
+            'deprecated. Valid GCM tag lengths are 4, 8, 12, 13, 14, 15, 16.')
+));
+
 for (const i in TEST_CASES) {
  const test = TEST_CASES[i];

@ -476,3 +484,14 @@ for (const i in TEST_CASES) {
  assert.throws(() => encrypt.setAAD(Buffer.from('123', 'ascii')),
                errMessages.state);
 }
+
+// GCM only supports specific authentication tag lengths, invalid lengths should
+// produce warnings.
+{
+  for (const length of [0, 1, 2, 4, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17]) {
+    const decrypt = crypto.createDecipheriv('aes-256-gcm',
+                                            'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8',
+                                            'qkuZpJWCewa6Szih');
+    decrypt.setAuthTag(Buffer.from('1'.repeat(length)));
+  }
+}