Allow specifying the tag after AAD in CCM mode #7243
ping
mattcaswell
left a comment
I think the EVP_EncryptInit man page could do with some update as part of this PR to clarify when exactly the tag can be set.
1/ I don't follow the comment in the commit message,

> GCM and OCB also support to set the tag at any point before the call
> to `EVP_*Final`, but this won't work for CCM due to a restriction
> imposed by section 2.6 of RFC3610: The tag must be set before
> actually decrypting data.

Does RFC3610 2.6 say anything specific on this subject?
Are you referring to this advice?

> The recipient MUST verify the CBC-MAC before releasing any
> information such as the plaintext. If the CBC-MAC verification
> fails, the receiver MUST destroy all information, except for the fact
> that the CBC-MAC verification failed.

It seems like good advice for any AEAD mode, and doesn't explicitly talk about the order in which tag, AAD and ciphertext are provided to AEAD decrypt operations?

As per 2.2, before decryption can start:
- length(nonce)
- length(AAD)
- length(message)

These are needed because the CBC-MAC operation needs the first block B_0 calculation.

As far as I know, there's nothing in the RFC about when the tag needs to be provided, except that the tag length must be known prior to decrypt finalising (releasing plaintext to caller).

2/ OpenSSL behaviour is documented here:
- https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
- https://www.openssl.org/docs/man1.0.2/man3/EVP_EncryptUpdate.html

It seems documented, at least on the wiki, that SET_TAG behaviour differs between GCM and CCM.

As far as I am concerned, there is no reason CCM couldn't have relaxed SET_TAG behaviour in the future, but it would be good if someone with more experience of this implementation could comment.
1c7b44c to
2c4d8ec
@mattcaswell Thank you for reviewing! I fixed the indentation issue, but I'll have to take a look at the documentation. @blaufish Thank you for reviewing as well!
Yes, I am. I agree that the commit message might be a bit inaccurate there, I meant "releasing any information such as the plaintext" when I wrote "decrypting data".
That is correct, but the tag is required before providing the plaintext to the user, meaning it needs to be provided before decrypting data using |
This change allows to pass the authentication tag after specifying the AAD in CCM mode. This is already true for the other two supported AEAD modes (GCM and OCB) and it seems appropriate to match the behavior. GCM and OCB also support to set the tag at any point before the call to `EVP_*Final`, but this won't work for CCM due to a restriction imposed by section 2.6 of RFC3610: The tag must be set before actually decrypting data. This commit also adds a test case for setting the tag after supplying plaintext length and AAD.
2c4d8ec to
30c1de8
@mattcaswell I added a few lines to the documentation, I assume that's what this has been waiting for. Please take another look.

Ping @openssl for second review.
This change allows to pass the authentication tag after specifying the AAD in CCM mode. This is already true for the other two supported AEAD modes (GCM and OCB) and it seems appropriate to match the behavior. GCM and OCB also support to set the tag at any point before the call to `EVP_*Final`, but this won't work for CCM due to a restriction imposed by section 2.6 of RFC3610: The tag must be set before actually decrypting data. This commit also adds a test case for setting the tag after supplying plaintext length and AAD. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #7243) (cherry picked from commit 67c81ec)
This change allows to pass the authentication tag after specifying the AAD in CCM mode. This is already true for the other two supported AEAD modes (GCM and OCB) and it seems appropriate to match the behavior. GCM and OCB also support to set the tag at any point before the call to `EVP_*Final`, but this won't work for CCM due to a restriction imposed by section 2.6 of RFC3610: The tag must be set before actually decrypting data. This commit also adds a test case for setting the tag after supplying plaintext length and AAD. Reviewed-by: Paul Dale <[email protected]> Reviewed-by: Matt Caswell <[email protected]> (Merged from #7243)
Pushed. Thanks.
This was fixed in OpenSSL 1.1.1c (openssl/openssl@b48e3be947). The authentication tag can now be specified after setAAD was called, matching the behavior of the other supported AEAD modes (GCM, OCB). Refs: openssl/openssl#7243
This was fixed in OpenSSL 1.1.1c (openssl/openssl@b48e3be947). The authentication tag can now be specified after setAAD was called, matching the behavior of the other supported AEAD modes (GCM, OCB). Refs: openssl/openssl#7243 PR-URL: nodejs#28624 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Rich Trott <[email protected]>
This was fixed in OpenSSL 1.1.1c (openssl/openssl@b48e3be947). The authentication tag can now be specified after setAAD was called, matching the behavior of the other supported AEAD modes (GCM, OCB). Refs: openssl/openssl#7243 PR-URL: #28624 Reviewed-By: Colin Ihrig <[email protected]> Reviewed-By: Luigi Pinca <[email protected]> Reviewed-By: Ruben Bridgewater <[email protected]> Reviewed-By: Rich Trott <[email protected]>
This change allows to pass the authentication tag after specifying the AAD in CCM mode. This is already true for the other two supported AEAD modes (GCM and OCB) and it seems appropriate to match the behavior.

GCM and OCB also support to set the tag at any point before the call to `EVP_*Final`, but this won't work for CCM due to a restriction imposed by section 2.6 of RFC3610: The tag must be set before actually decrypting data.

This commit also adds a test case for setting the tag after supplying plaintext length and AAD.
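
The ordering rule discussed in this thread, exercised through Node.js's `crypto` bindings to OpenSSL. This is an added example, not code from the PR, OpenSSL or Node.js; the key, nonce, AAD, plaintext and the `order` parameter of `decrypt` are constructed for illustration. It assumes a Node.js build linked against OpenSSL 1.1.1c or later.

```javascript
const nodeCrypto = require('node:crypto');

// Constructed sample values (not taken from the PR).
const key = Buffer.alloc(16, 0x11);
const nonce = Buffer.alloc(12, 0x22);      // CCM nonce length: 7..13 bytes
const aad = Buffer.from('header-v1');
const plaintext = Buffer.from('ccm ordering demo');
const opts = { authTagLength: 16 };

function encrypt() {
  const c = nodeCrypto.createCipheriv('aes-128-ccm', key, nonce, opts);
  // CCM needs the message length up front (it is encoded in block B_0).
  c.setAAD(aad, { plaintextLength: plaintext.length });
  const ciphertext = Buffer.concat([c.update(plaintext), c.final()]);
  return { ciphertext, tag: c.getAuthTag() };
}

// order (hypothetical parameter): 'tag-first' | 'aad-first' | 'tag-after-data'
// Returns the plaintext Buffer, or null when the tag is rejected or set too late.
function decrypt(ciphertext, tag, order) {
  const d = nodeCrypto.createDecipheriv('aes-128-ccm', key, nonce, opts);
  try {
    if (order === 'tag-first') d.setAuthTag(tag);       // order required before this change
    d.setAAD(aad, { plaintextLength: ciphertext.length });
    if (order === 'aad-first') d.setAuthTag(tag);       // order this change permits
    const out = d.update(ciphertext);
    if (order === 'tag-after-data') d.setAuthTag(tag);  // too late for CCM
    d.final();   // for CCM, throws if the update() step could not authenticate
    return out;
  } catch (err) {
    return null; // release no plaintext on failure
  }
}

const { ciphertext, tag } = encrypt();
const badTag = Buffer.from(tag);           // copy, then flip one bit
badTag[0] ^= 0x01;

console.log('tag before AAD :', decrypt(ciphertext, tag, 'tag-first')?.toString());
console.log('tag after AAD  :', decrypt(ciphertext, tag, 'aad-first')?.toString());
console.log('tampered tag   :', decrypt(ciphertext, badTag, 'aad-first'));
console.log('tag after data :', decrypt(ciphertext, tag, 'tag-after-data'));
```
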