Skip to content

Commit

Permalink
doc: update function description for decipher.setAAD
Browse files Browse the repository at this point in the history
According to the
[NodeJS CCM example](https://nodejs.org/docs/latest-v14.x/api/crypto.html#crypto_ccm_mode],
when decrypting the `plaintextLength` parameter actually refers to the
ciphertext length, not the plaintext length:

```
decipher.setAAD(aad, {
  plaintextLength: ciphertext.length
});
```

The same can be seen in the
[OpenSSL docs](https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption)
where a call to `EVP_DecryptUpdate` passes the ciphertext length:

```
/* Provide the total ciphertext length */
    if(1 != EVP_DecryptUpdate(ctx, NULL, &len, NULL, ciphertext_len))
        handleErrors();
```

This parameter probably should have been called `inputLength` or
`bufferLength` instead of `plaintextLength`, so that it makes sense
both when encrypting and decrypting, but at least we can correct the
sentence in the documentation for now to refer to the correct value.

PR-URL: #33095
Reviewed-By: Ujjwal Sharma <[email protected]>
Reviewed-By: Tobias Nießen <[email protected]>
Reviewed-By: Colin Ihrig <[email protected]>
  • Loading branch information
jbuhacoff authored and codebytere committed Jun 7, 2020
1 parent 2635808 commit 9c19c02
Showing 1 changed file with 7 additions and 2 deletions.
9 changes: 7 additions & 2 deletions doc/api/crypto.md
Original file line number Diff line number Diff line change
Expand Up @@ -493,7 +493,7 @@ _additional authenticated data_ (AAD) input parameter.

The `options` argument is optional for `GCM`. When using `CCM`, the
`plaintextLength` option must be specified and its value must match the length
of the plaintext in bytes. See [CCM mode][].
of the ciphertext in bytes. See [CCM mode][].

The `decipher.setAAD()` method must be called before [`decipher.update()`][].

Expand Down Expand Up @@ -3088,7 +3088,12 @@ mode must adhere to certain restrictions when using the cipher API:
mode might fail as CCM cannot handle more than one chunk of data per instance.
* When passing additional authenticated data (AAD), the length of the actual
message in bytes must be passed to `setAAD()` via the `plaintextLength`
option. This is not necessary if no AAD is used.
option.
Many crypto libraries include the authentication tag in the ciphertext,
which means that they produce ciphertexts of the length
`plaintextLength + authTagLength`. Node.js does not include the authentication
tag, so the ciphertext length is always `plaintextLength`.
This is not necessary if no AAD is used.
* As CCM processes the whole message at once, `update()` can only be called
once.
* Even though calling `update()` is sufficient to encrypt/decrypt the message,
Expand Down

0 comments on commit 9c19c02

Please sign in to comment.