Skip to content

Commit

Permalink
crypto: check for invalid chacha20-poly1305 IVs
Browse files Browse the repository at this point in the history
IV lengths of 13, 14, 15, and 16 are invalid, but are not checked by
OpenSSL. IV lengths of 17 or greater are also invalid, but they
were already checked by OpenSSL.

See:
- openssl/openssl@f426625b6a
- https://www.openssl.org/news/secadv/20190306.txt

PR-URL: #26537
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
  • Loading branch information
sam-github authored and BridgeAR committed Mar 14, 2019
1 parent 667a402 commit b9787fd
Show file tree
Hide file tree
Showing 2 changed files with 58 additions and 0 deletions.
10 changes: 10 additions & 0 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -3660,6 +3660,16 @@ void CipherBase::InitIv(const char* cipher_type,
return env()->ThrowError("Invalid IV length");
}

if (EVP_CIPHER_nid(cipher) == NID_chacha20_poly1305) {
CHECK(has_iv);
// Check for invalid IV lengths, since OpenSSL does not under some
// conditions:
// https://www.openssl.org/news/secadv/20190306.txt.
if (iv_len > 12) {
return env()->ThrowError("Invalid IV length");
}
}

CommonInit(cipher_type, cipher, key, key_len, iv, iv_len, auth_tag_len);
}

Expand Down
48 changes: 48 additions & 0 deletions test/parallel/test-crypto-authenticated.js
Original file line number Diff line number Diff line change
Expand Up @@ -616,3 +616,51 @@ for (const test of TEST_CASES) {
assert(plain.equals(plaintext));
}
}


// Test chacha20-poly1305 rejects invalid IV lengths of 13, 14, 15, and 16 (a
// length of 17 or greater was already rejected).
// - https://www.openssl.org/news/secadv/20190306.txt
{
// Valid extracted from TEST_CASES, check that it detects IV tampering.
const valid = {
algo: 'chacha20-poly1305',
key: '808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f',
iv: '070000004041424344454647',
plain: '4c616469657320616e642047656e746c656d656e206f662074686520636c6173' +
'73206f66202739393a204966204920636f756c64206f6666657220796f75206f' +
'6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73' +
'637265656e20776f756c642062652069742e',
plainIsHex: true,
aad: '50515253c0c1c2c3c4c5c6c7',
ct: 'd31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5' +
'a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e06' +
'0b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fa' +
'b324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d265' +
'86cec64b6116',
tag: '1ae10b594f09e26a7e902ecbd0600691',
tampered: false,
};

// Invalid IV lengths should be detected:
// - 12 and below are valid.
// - 13-16 are not detected as invalid by some OpenSSL versions.
check(13);
check(14);
check(15);
check(16);
// - 17 and above were always detected as invalid by OpenSSL.
check(17);

function check(ivLength) {
const prefix = ivLength - valid.iv.length / 2;
assert.throws(() => crypto.createCipheriv(
valid.algo,
Buffer.from(valid.key, 'hex'),
Buffer.from(H(prefix) + valid.iv, 'hex'),
{ authTagLength: valid.tag.length / 2 }
), errMessages.length, `iv length ${ivLength} was not rejected`);

function H(length) { return '00'.repeat(length); }
}
}

0 comments on commit b9787fd

Please sign in to comment.