AES GCM Auth Tag validation issue

[egorbeliy]

Version

v21.7.1

Platform

Darwin Egors-MacBook-Pro.local 23.4.0 Darwin Kernel Version 23.4.0: Wed Feb 21 21:45:49 PST 2024; root:xnu-10063.101.15~2/RELEASE_ARM64_T6020 arm64

Subsystem

crypto

What steps will reproduce the bug?

I tried to decrypt the cipher text and i was wondering that i don't need to use Auth Tag which is mandatory in AES GCM. You can run the code bellow:

import { createDecipheriv, randomBytes } from 'crypto'

const algorithm = 'aes-256-gcm'
const keyHex = '9b25a4b717d0c827c926565758b99b89a24f83c03a6a8319fb0fc809787ae929'
const ivHex = 'ded281917f01b9d5f0a5abce'
const key: Buffer = Buffer.from(keyHex, 'hex');
const iv: Buffer = Buffer.from(ivHex, 'hex');

// const encrypt = (text: string): string => {
//   const cipher = createCipheriv(algorithm, key, iv)
//   const start = cipher.update(text, 'utf8')
//   const end = cipher.final()
//   return Buffer.concat([ start, end]).toString('base64')
// }
// const encrypted = encrypt('testValue')

const encrypted = "njvgROnsKdsG" //testValue string in base64 encrypted by the key and iv above
console.log('encrypted ---- ', encrypted)

const decrypt = (encrypted: string): string => {
  const buffer = Buffer.from(encrypted, 'base64')
  const decipher = createDecipheriv(algorithm, key, iv)
  const decrypted = Buffer.concat([decipher.update(buffer), decipher.final()])
  return decrypted.toString('utf8')
}

const decrypted = decrypt(encrypted)

console.log('decrypted ---- ',decrypted)

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior? Why is that the expected behavior?

Mac authentication error

What do you see instead?

successfully decrypted text

Additional information

No response

[tniessen]

To decrypt, you need to use createDecipheriv() instead of createCipheriv(). You then need to call decipher.setAuthTag() with the correct authentication tag, which you can obtain from the the original cipher after encryption as cipher.getAuthTag().

[egorbeliy]

it does absolutely the same if i use createDecipheriv(). So decryption works without AuthTag and the issue is relevant. i have changed the code for your convenience.

[egorbeliy]

@tniessen please test it out because it's critical security issue.

[tniessen]

@egorbeliy In Node.js 22, I am seeing this error when running your code:

Uncaught Error: Unsupported state or unable to authenticate data
    at Decipheriv.final (node:internal/crypto/cipher:184:29)
    at decrypt (REPL14:4:70)

[egorbeliy]

But for me it works well, is node version the same?

tsc aes-issue.ts 
node aes-issue.js

Feel free to check the video PoC https://drive.google.com/file/d/1HRQW7toSjHuPTrF4b6s5XoS1Kb1msSzM/view?usp=sharing

[tniessen]

1. Node.js 21 is not supported anymore, so instead please test with Node.js 20 or Node.js 22.
2. If there is a difference in behavior across versions of Node.js, it is likely due to differences in behavior across versions of OpenSSL. Since much of the node:crypto module is a thin wrapper around OpenSSL, we generally don't provide stronger security guarantees than OpenSSL. In other words, if this issue exists in a supported version of Node.js, it will be necessary to demonstrate that the issue does not also exist in OpenSSL.
3. If you are right and this is a security issue, then this was reported in violation of our security policies.

[egorbeliy]

so i got the same behaviour on v20 and v22. Basically i got your point, you won't check it. thanks.

[tniessen]

@egorbeliy Alright, I'll give it another try. Here's the code I am using (main.mjs):

import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

const algorithm = 'aes-256-gcm';
const keyHex = '9b25a4b717d0c827c926565758b99b89a24f83c03a6a8319fb0fc809787ae929';
const ivHex = 'ded281917f01b9d5f0a5abce';
const key = Buffer.from(keyHex, 'hex');
const iv = Buffer.from(ivHex, 'hex');

const encrypt = (text) => {
  const cipher = createCipheriv(algorithm, key, iv);
  const start = cipher.update(text, 'utf8');
  const end = cipher.final();
  return Buffer.concat([start, end]).toString('base64');
};
const encrypted = encrypt('testValue');
console.assert(encrypted === 'njvgROnsKdsG');
console.log('encrypted ---- ', encrypted);

const decrypt = (encrypted) => {
  const buffer = Buffer.from(encrypted, 'base64');
  const decipher = createDecipheriv(algorithm, key, iv);
  const decrypted = Buffer.concat([decipher.update(buffer), decipher.final()]);
  return decrypted.toString('utf8');
};

const decrypted = decrypt(encrypted);
console.log('decrypted ---- ', decrypted);

Here's what happens in Node.js 22.3.0 on Linux 6.1.92-1-MANJARO:

$ cat package.json 
{
  "dependencies": {
    "typescript": "^5.5.3"
  }
}
$ node -v
v22.3.0
$ node -p process.versions.openssl
3.3.1
$ node main.mjs 
encrypted ----  njvgROnsKdsG
node:internal/crypto/cipher:184
  const ret = this[kHandle].final();
                            ^

Error: Unsupported state or unable to authenticate data
    at Decipheriv.final (node:internal/crypto/cipher:184:29)
    at decrypt (file:///home/tniessen/testgcm/main.mjs:22:70)
    at file:///home/tniessen/testgcm/main.mjs:26:19
    at ModuleJob.run (node:internal/modules/esm/module_job:262:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:474:24)
    at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:109:5)

Node.js v22.3.0

Here's what happens in Node.js 22.1.0 on Windows 10:

encrypted ----  njvgROnsKdsG
node:internal/crypto/cipher:184
  const ret = this[kHandle].final();
                            ^

Error: Unsupported state or unable to authenticate data
    at Decipheriv.final (node:internal/crypto/cipher:184:29)
    at decrypt (file:///C:/Users/Tobias/main.mjs:22:70)
    at file:///C:/Users/Tobias/main.mjs:26:19
    at ModuleJob.run (node:internal/modules/esm/module_job:262:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:474:24)
    at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:119:5)

Node.js v22.1.0

Here's what happens in Node.js 20.15.0 on Linux 6.5.0-1022-azure:

$ node main.mjs 
encrypted ----  njvgROnsKdsG
node:internal/crypto/cipher:193
  const ret = this[kHandle].final();
                            ^

Error: Unsupported state or unable to authenticate data
    at Decipheriv.final (node:internal/crypto/cipher:193:29)
    at decrypt (file:///home/tniessen/dev/dblp/main.mjs:22:70)
    at file:///home/tniessen/dev/dblp/main.mjs:26:19
    at ModuleJob.run (node:internal/modules/esm/module_job:222:25)
    at async ModuleLoader.import (node:internal/modules/esm/loader:316:24)
    at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:123:5)

Node.js v20.15.0

Could you please test the code I provided above to avoid any dependency on third-party tools, such as typescript?

[egorbeliy]

don't see the reason to test your code, coz i've reported the bug with my own. thanks for your help.

[tniessen]

@egorbeliy I was trying to help. If you don't want to debug this issue together, there is not much I can do for you.

[avivkeller]

don't see the reason to test your code, coz i've reported the bug with my own.

thanks for your help.

Also, please note that @tniessen's code is nearly identical to yours——so any discrepancies between your execution and his will help to debug and address the issue (as @tniessen said).

This information is crucial in the process of this issue, and without it, there's not much that be done to help.

[avivkeller]

Hey @egorbeliy, I see you closed the issue. If you've resolved the issue, could you let us know how, so that anyone with this problem in the future can have an easier time resolving?

[egorbeliy]

hi @RedYetiDev. We issue was using createCipheriv() to encrypt and decrypt. Thanks a lot @tniessen.

[prithivirj]

Hi @tniessen I am facing the same issue now after updating node.js from v18.2 to 22.x in AWS Lambda. Could you able to identify the root cause of why it is not working in some node.js versions

Error: Unsupported state or unable to authenticate data at Decipheriv.final (node:internal/crypto/cipher:184:29) --

[blul1ghtz]

Just ran into the exact same issue here, except im using a more RECENT version of Nodejs (24.11.0), i get this exact same error and it does not hint at what actually went wrong cus it sure as f*** aint the auth tag, i have replicated this on c++ and checked it works and they have the exact same parameters as nodejs, nodejs is cooked.

[tniessen]

@prithivirj @blul1ghtz Please provide us with minimal reproducible examples that demonstrate the issue you are facing, ideally including a self-contained code snippet as well as the expected behavior. Without more information, it is nearly impossible for us to determine what the issue is.

[blul1ghtz]

@tniessen haven't currently got the source code cus i gave up lol, but if i get it again ill send a pastebin if i get ffi-napi to work. it's just a simple script to decrypt using aes-256-gcm a known hex and iv using buffer.from

[blul1ghtz]

@tniessen hey i managed to get a version of ffi-napi to work on node 18.4.0 somehow, i haven't got source for the aes-256-gcm script yet as i am also experimenting with dpapi CryptProtectData in nodejs and ran into another issue which is ALSO well known, but there's nothing online about this happening with CryptProtectData, Should i create a new issue if this is unique to CryptProtectData (using ffi.Library) and nobody has had issues with that in particular or not? More info here: https://pastebin.com/Q1AeC5uM