fix(ext/node): implement AES GCM cipher (#20368)

Adds support for AES-GCM 128/256 bit keys in `node:crypto` and `setAAD()`, `setAuthTag()` and `getAuthTag()` Uses https://github.com/littledivy/aead-gcm-stream Fixes https://github.com/denoland/deno/issues/19836 https://github.com/denoland/deno/issues/20353
2024-11-21 15:04:11 -05:00 · 2023-09-05 22:31:50 -07:00 · 2023-09-05 22:31:50 -07:00 · 9befa566ec
commit 9befa566ec
parent a0af53fea1
10 changed files with 109097 additions and 27 deletions
--- a/Cargo.lock
+++ b/Cargo.lock
@ -37,6 +37,20 @@ dependencies = [
 "generic-array 0.14.7",
 ]

+[[package]]
+name = "aead-gcm-stream"
+version = "0.1.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "4a09ecb526d53de2842cc876ee5c9b51161ee60399edeca4cf74892a01b48177"
+dependencies = [
+ "aead",
+ "aes",
+ "cipher",
+ "ctr",
+ "ghash",
+ "subtle",
+]
+
 [[package]]
 name = "aes"
 version = "0.8.3"
@ -1375,6 +1389,7 @@ dependencies = [
 name = "deno_node"
 version = "0.55.0"
 dependencies = [
+ "aead-gcm-stream",
 "aes",
 "brotli",
 "cbc",
--- a/cli/tests/integration/node_unit_tests.rs
+++ b/cli/tests/integration/node_unit_tests.rs
@ -54,6 +54,7 @@ util::unit_test_factory!(
    buffer_test,
    child_process_test,
    crypto_cipher_test = crypto / crypto_cipher_test,
+    crypto_cipher_gcm_test = crypto / crypto_cipher_gcm_test,
    crypto_hash_test = crypto / crypto_hash_test,
    crypto_key_test = crypto / crypto_key_test,
    crypto_sign_test = crypto / crypto_sign_test,
--- a/cli/tests/unit_node/crypto/crypto_cipher_gcm_test.ts
+++ b/cli/tests/unit_node/crypto/crypto_cipher_gcm_test.ts
@ -0,0 +1,103 @@
+// Copyright 2018-2023 the Deno authors. All rights reserved. MIT license.
+
+import crypto from "node:crypto";
+import { Buffer } from "node:buffer";
+import testVectors128 from "./gcmEncryptExtIV128.json" assert { type: "json" };
+import testVectors256 from "./gcmEncryptExtIV256.json" assert { type: "json" };
+import { assertEquals } from "../../../../test_util/std/testing/asserts.ts";
+
+const aesGcm = (bits: string, key: Uint8Array) => {
+  const ALGO = bits == "128" ? `aes-128-gcm` : `aes-256-gcm`;
+
+  // encrypt returns base64-encoded ciphertext
+  const encrypt = (
+    iv: Uint8Array,
+    str: string,
+    aad: Uint8Array,
+  ): [string, Buffer] => {
+    const cipher = crypto.createCipheriv(ALGO, key, iv);
+    cipher.setAAD(aad);
+    let enc = cipher.update(str, "base64", "base64");
+    enc += cipher.final("base64");
+    return [enc, cipher.getAuthTag()];
+  };
+
+  const decrypt = (
+    enc: string,
+    iv: Uint8Array,
+    aad: Uint8Array,
+    authTag: Uint8Array,
+  ) => {
+    const decipher = crypto.createDecipheriv(ALGO, key, iv);
+    decipher.setAuthTag(authTag);
+    decipher.setAAD(aad);
+    let str = decipher.update(enc, "base64", "base64");
+    str += decipher.final("base64");
+
+    return str;
+  };
+
+  return {
+    encrypt,
+    decrypt,
+  };
+};
+
+type TestVector = {
+  key: Uint8Array;
+  nonce: Uint8Array;
+  aad: Uint8Array;
+  plaintext: string;
+  ciphertext: string;
+  tag: Uint8Array;
+};
+
+for (
+  // NIST CAVS vectors
+  const [bits, vectors] of Object.entries({
+    // <https://csrc.nist.gov/Projects/cryptographic-algorithm-validation-program/CAVP-TESTING-BLOCK-CIPHER-MODES>
+    //
+    // From: `gcmEncryptExtIV128.rsp`
+    128: testVectors128,
+    // <https://csrc.nist.gov/Projects/cryptographic-algorithm-validation-program/CAVP-TESTING-BLOCK-CIPHER-MODES>
+    //
+    // From: `gcmEncryptExtIV256.rsp`
+    256: testVectors256,
+  })
+) {
+  for (let i = 0; i < vectors.length; i++) {
+    const rawTest = vectors[i];
+    const test: TestVector = {
+      key: new Uint8Array(rawTest.key),
+      nonce: new Uint8Array(rawTest.nonce),
+      aad: new Uint8Array(rawTest.aad),
+      plaintext: Buffer.from(rawTest.plaintext).toString("base64"),
+      ciphertext: Buffer.from(rawTest.ciphertext).toString("base64"),
+      tag: new Uint8Array(rawTest.tag),
+    };
+
+    Deno.test({
+      name: `aes-${bits}-gcm encrypt ${i + 1}/${vectors.length}`,
+      fn() {
+        const cipher = aesGcm(bits, test.key);
+        const [enc, tag] = cipher.encrypt(test.nonce, test.plaintext, test.aad);
+        assertEquals(enc, test.ciphertext);
+        assertEquals(new Uint8Array(tag), test.tag);
+      },
+    });
+
+    Deno.test({
+      name: `aes-${bits}-gcm decrypt ${i + 1}/${vectors.length}`,
+      fn() {
+        const cipher = aesGcm(bits, test.key);
+        const plaintext = cipher.decrypt(
+          test.ciphertext,
+          test.nonce,
+          test.aad,
+          test.tag,
+        );
+        assertEquals(plaintext, test.plaintext);
+      },
+    });
+  }
+}
--- a/cli/tests/unit_node/crypto/gcmEncryptExtIV128.json
+++ b/cli/tests/unit_node/crypto/gcmEncryptExtIV128.json
--- a/cli/tests/unit_node/crypto/gcmEncryptExtIV256.json
+++ b/cli/tests/unit_node/crypto/gcmEncryptExtIV256.json
--- a/ext/node/Cargo.toml
+++ b/ext/node/Cargo.toml
@ -14,6 +14,7 @@ description = "Node compatibility for Deno"
 path = "lib.rs"

 [dependencies]
+aead-gcm-stream = "0.1"
 aes.workspace = true
 brotli.workspace = true
 cbc.workspace = true
--- a/ext/node/lib.rs
+++ b/ext/node/lib.rs
@ -155,6 +155,8 @@ deno_core::extension!(deno_node,
    ops::crypto::op_node_create_decipheriv,
    ops::crypto::op_node_cipheriv_encrypt,
    ops::crypto::op_node_cipheriv_final,
+    ops::crypto::op_node_cipheriv_set_aad,
+    ops::crypto::op_node_decipheriv_set_aad,
    ops::crypto::op_node_create_cipheriv,
    ops::crypto::op_node_create_hash,
    ops::crypto::op_node_get_hashes,
--- a/ext/node/ops/crypto/cipher.rs
+++ b/ext/node/ops/crypto/cipher.rs
@ -13,15 +13,24 @@ use std::borrow::Cow;
 use std::cell::RefCell;
 use std::rc::Rc;

+type Tag = Option<Vec<u8>>;
+
+type Aes128Gcm = aead_gcm_stream::AesGcm<aes::Aes128>;
+type Aes256Gcm = aead_gcm_stream::AesGcm<aes::Aes256>;
+
 enum Cipher {
  Aes128Cbc(Box<cbc::Encryptor<aes::Aes128>>),
  Aes128Ecb(Box<ecb::Encryptor<aes::Aes128>>),
-  // TODO(kt3k): add more algorithms Aes192Cbc, Aes256Cbc, Aes128GCM, etc.
+  Aes128Gcm(Box<Aes128Gcm>),
+  Aes256Gcm(Box<Aes256Gcm>),
+  // TODO(kt3k): add more algorithms Aes192Cbc, Aes256Cbc, etc.
 }

 enum Decipher {
  Aes128Cbc(Box<cbc::Decryptor<aes::Aes128>>),
  Aes128Ecb(Box<ecb::Decryptor<aes::Aes128>>),
+  Aes128Gcm(Box<Aes128Gcm>),
+  Aes256Gcm(Box<Aes256Gcm>),
  // TODO(kt3k): add more algorithms Aes192Cbc, Aes256Cbc, Aes128GCM, etc.
 }

@ -40,6 +49,10 @@ impl CipherContext {
    })
  }

+  pub fn set_aad(&self, aad: &[u8]) {
+    self.cipher.borrow_mut().set_aad(aad);
+  }
+
  pub fn encrypt(&self, input: &[u8], output: &mut [u8]) {
    self.cipher.borrow_mut().encrypt(input, output);
  }
@ -48,7 +61,7 @@ impl CipherContext {
    self,
    input: &[u8],
    output: &mut [u8],
-  ) -> Result<(), AnyError> {
+  ) -> Result<Tag, AnyError> {
    Rc::try_unwrap(self.cipher)
      .map_err(|_| type_error("Cipher context is already in use"))?
      .into_inner()
@ -63,6 +76,10 @@ impl DecipherContext {
    })
  }

+  pub fn set_aad(&self, aad: &[u8]) {
+    self.decipher.borrow_mut().set_aad(aad);
+  }
+
  pub fn decrypt(&self, input: &[u8], output: &mut [u8]) {
    self.decipher.borrow_mut().decrypt(input, output);
  }
@ -71,11 +88,12 @@ impl DecipherContext {
    self,
    input: &[u8],
    output: &mut [u8],
+    auth_tag: &[u8],
  ) -> Result<(), AnyError> {
    Rc::try_unwrap(self.decipher)
      .map_err(|_| type_error("Decipher context is already in use"))?
      .into_inner()
-      .r#final(input, output)
+      .r#final(input, output, auth_tag)
  }
 }

@ -103,10 +121,37 @@ impl Cipher {
        Aes128Cbc(Box::new(cbc::Encryptor::new(key.into(), iv.into())))
      }
      "aes-128-ecb" => Aes128Ecb(Box::new(ecb::Encryptor::new(key.into()))),
+      "aes-128-gcm" => {
+        let mut cipher =
+          aead_gcm_stream::AesGcm::<aes::Aes128>::new(key.into());
+        cipher.init(iv.try_into()?);
+
+        Aes128Gcm(Box::new(cipher))
+      }
+      "aes-256-gcm" => {
+        let mut cipher =
+          aead_gcm_stream::AesGcm::<aes::Aes256>::new(key.into());
+        cipher.init(iv.try_into()?);
+
+        Aes256Gcm(Box::new(cipher))
+      }
      _ => return Err(type_error(format!("Unknown cipher {algorithm_name}"))),
    })
  }

+  fn set_aad(&mut self, aad: &[u8]) {
+    use Cipher::*;
+    match self {
+      Aes128Gcm(cipher) => {
+        cipher.set_aad(aad);
+      }
+      Aes256Gcm(cipher) => {
+        cipher.set_aad(aad);
+      }
+      _ => {}
+    }
+  }
+
  /// encrypt encrypts the data in the middle of the input.
  fn encrypt(&mut self, input: &[u8], output: &mut [u8]) {
    use Cipher::*;
@ -123,11 +168,19 @@ impl Cipher {
          encryptor.encrypt_block_b2b_mut(input.into(), output.into());
        }
      }
+      Aes128Gcm(cipher) => {
+        output[..input.len()].copy_from_slice(input);
+        cipher.encrypt(output);
+      }
+      Aes256Gcm(cipher) => {
+        output[..input.len()].copy_from_slice(input);
+        cipher.encrypt(output);
+      }
    }
  }

  /// r#final encrypts the last block of the input data.
-  fn r#final(self, input: &[u8], output: &mut [u8]) -> Result<(), AnyError> {
+  fn r#final(self, input: &[u8], output: &mut [u8]) -> Result<Tag, AnyError> {
    assert!(input.len() < 16);
    use Cipher::*;
    match self {
@ -135,14 +188,16 @@ impl Cipher {
        let _ = (*encryptor)
          .encrypt_padded_b2b_mut::<Pkcs7>(input, output)
          .map_err(|_| type_error("Cannot pad the input data"))?;
-        Ok(())
+        Ok(None)
      }
      Aes128Ecb(encryptor) => {
        let _ = (*encryptor)
          .encrypt_padded_b2b_mut::<Pkcs7>(input, output)
          .map_err(|_| type_error("Cannot pad the input data"))?;
-        Ok(())
+        Ok(None)
      }
+      Aes128Gcm(cipher) => Ok(Some(cipher.finish().to_vec())),
+      Aes256Gcm(cipher) => Ok(Some(cipher.finish().to_vec())),
    }
  }
 }
@ -159,10 +214,37 @@ impl Decipher {
        Aes128Cbc(Box::new(cbc::Decryptor::new(key.into(), iv.into())))
      }
      "aes-128-ecb" => Aes128Ecb(Box::new(ecb::Decryptor::new(key.into()))),
+      "aes-128-gcm" => {
+        let mut decipher =
+          aead_gcm_stream::AesGcm::<aes::Aes128>::new(key.into());
+        decipher.init(iv.try_into()?);
+
+        Aes128Gcm(Box::new(decipher))
+      }
+      "aes-256-gcm" => {
+        let mut decipher =
+          aead_gcm_stream::AesGcm::<aes::Aes256>::new(key.into());
+        decipher.init(iv.try_into()?);
+
+        Aes256Gcm(Box::new(decipher))
+      }
      _ => return Err(type_error(format!("Unknown cipher {algorithm_name}"))),
    })
  }

+  fn set_aad(&mut self, aad: &[u8]) {
+    use Decipher::*;
+    match self {
+      Aes128Gcm(decipher) => {
+        decipher.set_aad(aad);
+      }
+      Aes256Gcm(decipher) => {
+        decipher.set_aad(aad);
+      }
+      _ => {}
+    }
+  }
+
  /// decrypt decrypts the data in the middle of the input.
  fn decrypt(&mut self, input: &[u8], output: &mut [u8]) {
    use Decipher::*;
@ -179,26 +261,56 @@ impl Decipher {
          decryptor.decrypt_block_b2b_mut(input.into(), output.into());
        }
      }
+      Aes128Gcm(decipher) => {
+        output[..input.len()].copy_from_slice(input);
+        decipher.decrypt(output);
+      }
+      Aes256Gcm(decipher) => {
+        output[..input.len()].copy_from_slice(input);
+        decipher.decrypt(output);
+      }
    }
  }

  /// r#final decrypts the last block of the input data.
-  fn r#final(self, input: &[u8], output: &mut [u8]) -> Result<(), AnyError> {
-    assert!(input.len() == 16);
+  fn r#final(
+    self,
+    input: &[u8],
+    output: &mut [u8],
+    auth_tag: &[u8],
+  ) -> Result<(), AnyError> {
    use Decipher::*;
    match self {
      Aes128Cbc(decryptor) => {
+        assert!(input.len() == 16);
        let _ = (*decryptor)
          .decrypt_padded_b2b_mut::<Pkcs7>(input, output)
          .map_err(|_| type_error("Cannot unpad the input data"))?;
        Ok(())
      }
      Aes128Ecb(decryptor) => {
+        assert!(input.len() == 16);
        let _ = (*decryptor)
          .decrypt_padded_b2b_mut::<Pkcs7>(input, output)
          .map_err(|_| type_error("Cannot unpad the input data"))?;
        Ok(())
      }
+      Aes128Gcm(decipher) => {
+        let tag = decipher.finish();
+        if tag.as_slice() == auth_tag {
+          Ok(())
+        } else {
+          Err(type_error("Failed to authenticate data"))
+        }
+      }
+      Aes256Gcm(decipher) => {
+        let tag = decipher.finish();
+        if tag.as_slice() == auth_tag {
+          Ok(())
+        } else {
+          Err(type_error("Failed to authenticate data"))
+        }
+      }
    }
  }
 }
--- a/ext/node/ops/crypto/mod.rs
+++ b/ext/node/ops/crypto/mod.rs
@ -235,6 +235,20 @@ pub fn op_node_create_cipheriv(
  )
 }

+#[op(fast)]
+pub fn op_node_cipheriv_set_aad(
+  state: &mut OpState,
+  rid: u32,
+  aad: &[u8],
+) -> bool {
+  let context = match state.resource_table.get::<cipher::CipherContext>(rid) {
+    Ok(context) => context,
+    Err(_) => return false,
+  };
+  context.set_aad(aad);
+  true
+}
+
 #[op(fast)]
 pub fn op_node_cipheriv_encrypt(
  state: &mut OpState,
@ -256,7 +270,7 @@ pub fn op_node_cipheriv_final(
  rid: u32,
  input: &[u8],
  output: &mut [u8],
-) -> Result<(), AnyError> {
+) -> Result<Option<Vec<u8>>, AnyError> {
  let context = state.resource_table.take::<cipher::CipherContext>(rid)?;
  let context = Rc::try_unwrap(context)
    .map_err(|_| type_error("Cipher context is already in use"))?;
@ -278,6 +292,20 @@ pub fn op_node_create_decipheriv(
  )
 }

+#[op(fast)]
+pub fn op_node_decipheriv_set_aad(
+  state: &mut OpState,
+  rid: u32,
+  aad: &[u8],
+) -> bool {
+  let context = match state.resource_table.get::<cipher::DecipherContext>(rid) {
+    Ok(context) => context,
+    Err(_) => return false,
+  };
+  context.set_aad(aad);
+  true
+}
+
 #[op(fast)]
 pub fn op_node_decipheriv_decrypt(
  state: &mut OpState,
@ -299,11 +327,12 @@ pub fn op_node_decipheriv_final(
  rid: u32,
  input: &[u8],
  output: &mut [u8],
+  auth_tag: &[u8],
 ) -> Result<(), AnyError> {
  let context = state.resource_table.take::<cipher::DecipherContext>(rid)?;
  let context = Rc::try_unwrap(context)
    .map_err(|_| type_error("Cipher context is already in use"))?;
-  context.r#final(input, output)
+  context.r#final(input, output, auth_tag)
 }

 #[op]
--- a/ext/node/polyfills/internal/crypto/cipher.ts
+++ b/ext/node/polyfills/internal/crypto/cipher.ts
@ -36,6 +36,8 @@ function isStringOrBuffer(val) {

 const { ops, encode } = globalThis.__bootstrap.core;

+const NO_TAG = new Uint8Array();
+
 export type CipherCCMTypes =
  | "aes-128-ccm"
  | "aes-192-ccm"
@ -143,6 +145,10 @@ export class Cipheriv extends Transform implements Cipher {
  /** plaintext data cache */
  #cache: BlockModeCache;

+  #needsBlockCache: boolean;
+
+  #authTag?: Buffer;
+
  constructor(
    cipher: string,
    key: CipherKey,
@ -162,6 +168,8 @@ export class Cipheriv extends Transform implements Cipher {
    });
    this.#cache = new BlockModeCache(false);
    this.#context = ops.op_node_create_cipheriv(cipher, toU8(key), toU8(iv));
+    this.#needsBlockCache =
+      !(cipher == "aes-128-gcm" || cipher == "aes-256-gcm");
    if (this.#context == 0) {
      throw new TypeError("Unknown cipher");
    }
@ -169,21 +177,29 @@ export class Cipheriv extends Transform implements Cipher {

  final(encoding: string = getDefaultEncoding()): Buffer | string {
    const buf = new Buffer(16);
-    ops.op_node_cipheriv_final(this.#context, this.#cache.cache, buf);
+    const maybeTag = ops.op_node_cipheriv_final(
+      this.#context,
+      this.#cache.cache,
+      buf,
+    );
+    if (maybeTag) {
+      this.#authTag = Buffer.from(maybeTag);
+      return encoding === "buffer" ? Buffer.from([]) : "";
+    }
    return encoding === "buffer" ? buf : buf.toString(encoding);
  }

  getAuthTag(): Buffer {
-    notImplemented("crypto.Cipheriv.prototype.getAuthTag");
+    return this.#authTag!;
  }

  setAAD(
-    _buffer: ArrayBufferView,
+    buffer: ArrayBufferView,
    _options?: {
      plaintextLength: number;
    },
  ): this {
-    notImplemented("crypto.Cipheriv.prototype.setAAD");
+    ops.op_node_cipheriv_set_aad(this.#context, buffer);
    return this;
  }

@ -198,13 +214,23 @@ export class Cipheriv extends Transform implements Cipher {
    outputEncoding: Encoding = getDefaultEncoding(),
  ): Buffer | string {
    // TODO(kt3k): throw ERR_INVALID_ARG_TYPE if data is not string, Buffer, or ArrayBufferView
+    let buf = data;
    if (typeof data === "string" && typeof inputEncoding === "string") {
-      this.#cache.add(Buffer.from(data, inputEncoding));
-    } else {
-      this.#cache.add(data);
+      buf = Buffer.from(data, inputEncoding);
    }
-    const input = this.#cache.get();
+
    let output;
+    if (!this.#needsBlockCache) {
+      output = Buffer.allocUnsafe(buf.length);
+      ops.op_node_cipheriv_encrypt(this.#context, buf, output);
+      return outputEncoding === "buffer"
+        ? output
+        : output.toString(outputEncoding);
+    }
+
+    this.#cache.add(buf);
+    const input = this.#cache.get();
+
    if (input === null) {
      output = Buffer.alloc(0);
    } else {
@ -262,6 +288,10 @@ export class Decipheriv extends Transform implements Cipher {
  /** ciphertext data cache */
  #cache: BlockModeCache;

+  #needsBlockCache: boolean;
+
+  #authTag?: BinaryLike;
+
  constructor(
    cipher: string,
    key: CipherKey,
@ -281,6 +311,8 @@ export class Decipheriv extends Transform implements Cipher {
    });
    this.#cache = new BlockModeCache(true);
    this.#context = ops.op_node_create_decipheriv(cipher, toU8(key), toU8(iv));
+    this.#needsBlockCache =
+      !(cipher == "aes-128-gcm" || cipher == "aes-256-gcm");
    if (this.#context == 0) {
      throw new TypeError("Unknown cipher");
    }
@ -288,22 +320,34 @@ export class Decipheriv extends Transform implements Cipher {

  final(encoding: string = getDefaultEncoding()): Buffer | string {
    let buf = new Buffer(16);
-    ops.op_node_decipheriv_final(this.#context, this.#cache.cache, buf);
+    ops.op_node_decipheriv_final(
+      this.#context,
+      this.#cache.cache,
+      buf,
+      this.#authTag || NO_TAG,
+    );
+
+    if (!this.#needsBlockCache) {
+      return encoding === "buffer" ? Buffer.from([]) : "";
+    }
+
    buf = buf.subarray(0, 16 - buf.at(-1)); // Padded in Pkcs7 mode
    return encoding === "buffer" ? buf : buf.toString(encoding);
  }

  setAAD(
-    _buffer: ArrayBufferView,
+    buffer: ArrayBufferView,
    _options?: {
      plaintextLength: number;
    },
  ): this {
-    notImplemented("crypto.Decipheriv.prototype.setAAD");
+    ops.op_node_decipheriv_set_aad(this.#context, buffer);
+    return this;
  }

-  setAuthTag(_buffer: BinaryLike, _encoding?: string): this {
-    notImplemented("crypto.Decipheriv.prototype.setAuthTag");
+  setAuthTag(buffer: BinaryLike, _encoding?: string): this {
+    this.#authTag = buffer;
+    return this;
  }

  setAutoPadding(_autoPadding?: boolean): this {
@ -316,13 +360,22 @@ export class Decipheriv extends Transform implements Cipher {
    outputEncoding: Encoding = getDefaultEncoding(),
  ): Buffer | string {
    // TODO(kt3k): throw ERR_INVALID_ARG_TYPE if data is not string, Buffer, or ArrayBufferView
+    let buf = data;
    if (typeof data === "string" && typeof inputEncoding === "string") {
-      this.#cache.add(Buffer.from(data, inputEncoding));
-    } else {
-      this.#cache.add(data);
+      buf = Buffer.from(data, inputEncoding);
    }
-    const input = this.#cache.get();
+
    let output;
+    if (!this.#needsBlockCache) {
+      output = Buffer.allocUnsafe(buf.length);
+      ops.op_node_decipheriv_decrypt(this.#context, buf, output);
+      return outputEncoding === "buffer"
+        ? output
+        : output.toString(outputEncoding);
+    }
+
+    this.#cache.add(buf);
+    const input = this.#cache.get();
    if (input === null) {
      output = Buffer.alloc(0);
    } else {