crypto: add support for OCB mode for AEAD #21447
Conversation
nodejs-github-bot
added
c++
|
CC @nodejs/crypto. Not sure who to ping for the legal stuff. |
We should marked this blocked until we can get a legal review. @MylesBorins ... this may be one to bring up to the legal committee. |
src/node_crypto.cc
Outdated
| @@ -2668,6 +2668,9 @@ void CipherBase::Init(const FunctionCallbackInfo<Value>& args) { | |||
| cipher->Init(*cipher_type, key_buf, key_buf_len, auth_tag_len); | |||
| } | |||
|
|
|||
| #define IS_SUPPORTED_AUTHENTICATED_MODE(mode) ((mode) == EVP_CIPH_CCM_MODE || \ | |||
| (mode) == EVP_CIPH_GCM_MODE || \ | |||
| (mode) == EVP_CIPH_OCB_MODE) | |||
There was a problem hiding this comment.
Why not make this a function?
There was a problem hiding this comment.
Mhhh I think in my head it still looks like "less overhead". Would you like me to change it?
src/node_crypto.cc
Outdated
| max_message_size_ = (1 << (8 * (15 - iv_len))) - 1; | ||
| } else { | ||
| max_message_size_ = INT_MAX; | ||
| } |
There was a problem hiding this comment.
This will conflict with #21462 when it lands (but no doubt you knew that since you reviewed it. :-))
There was a problem hiding this comment.
Yes, but thanks for pointing it out 😃
|
Thanks for reviewing, @bnoordhuis!
And we are already shipping OpenSSL which supports OCB, that's why I |
tniessen
force-pushed
the
crypto-add-ocb-support
branch
from
4617818 to
64efc01
Compare
|
Comment addressed and rebased (old HEAD was 46178187be645f7451279382467c6799b0e3b8cc). |
|
I doubt there will be any issues here and it's likely safe to proceed, but it would still be good to get a legal committee review (assuming that doesn't take forever lol). Let's not block on it tho |
|
Thanks @jasnell. Sadly, I literally know nothing about our legal committee, I can't even find a list of members or documented processes involving them. Full CI: https://ci.nodejs.org/job/node-test-pull-request/15662/ |
|
That's something @MylesBorins needs to do |
tniessen
added
author ready
tniessen
force-pushed
the
crypto-add-ocb-support
branch
from
64efc01 to
dce91f9
Compare
|
Rebased, old HEAD was 64efc012ccb9fcdf2f619f1f9cbcf0691fae5009. I am pinging @nodejs/tsc to make sure that they know of this change, I would like to land it next week. |
|
Since adding stuff to |
|
This needs a rebase. |
tniessen
force-pushed
the
crypto-add-ocb-support
branch
from
dce91f9 to
3322a3f
Compare
|
Thank you, @BridgeAR! Rebased, old HEAD was dce91f94f146bbf73b8a059ba30be4f9defa84bc. I will land this tomorrow unless someone objects. |
PR-URL: nodejs#21447 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
|
Landed in b3f459e. |
targos
removed
the
author ready
|
Depends on #21782 to land on v10.x-staging |
|
Yes, it should be backported to v10.x-staging. I started working on it but decided to cut my losses. @tniessen the conflicts are around semver-major changes you've introduced in |
|
I'll be home in a couple of days and will give it a try. |
|
@tniessen I see that you pushed a backport branch to your fork. Is it ready for a PR? |
|
@targos The code itself should work, but I am afraid that it might have unintended side effects for CCM. I'll try to verify that within the next few days. |
PR-URL: nodejs#21447 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com>
This change adds support for OCB, the newest and fastest AEAD mode offered by OpenSSL. There are relatively few changes required within the native code, the OCB implementation behaves somewhat like CCM, except that some limitations of CCM don't apply.
As OCB is patented, we will need to check whether this change has any legal implications. The holder of the patents, Phillip Rogaway, has summarized the situation here and I am pretty sure there won't be any problems, but I wouldn't want to be the one to make the decision.
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes