Fix: HMAC minimum length checks should be enforced

Author: linuxwolf

lib/algorithms/aes-cbc-hmac-sha2.js

@@ -232,7 +232,7 @@ function cbcHmacEncryptFN(size) {
 
       var promise;
       promise = HMAC["HS" + (size * 2)].sign(iKey, mdata, {
-        loose: true
+        length: size
       });
       promise = promise.then(function(result) {
         // TODO: move slice to hmac.js
@@ -279,7 +279,7 @@ function cbcHmacDecryptFN(size) {
         helpers.int64ToBuffer(adata.length * 8)
       ]);
       promise = HMAC["HS" + (size * 2)].verify(iKey, mdata, tag, {
-        loose: true
+        length: size
       });
       promise = promise.then(function() {
         return cdata;
@@ -402,7 +402,7 @@ function concatKdfCbcHmacEncryptFN(size, alg) {
       ]);
       return Promise.all([
         Promise.resolve(cdata),
-        HMAC["HS" + (size * 2)].sign(cik, mdata, { loose: false })
+        HMAC["HS" + (size * 2)].sign(cik, mdata, { length: size })
       ]);
     });
     promise = promise.then(function(result){

lib/algorithms/hkdf.js

@@ -47,7 +47,7 @@ function hkdfDeriveFn(name) {
         T = new Buffer(0);
       }
       T = Buffer.concat([T, info, new Buffer([idx])]);
-      T = op(key, T, { loose: true });
+      T = op(key, T);
       T = T.then(function(result) {
         T = result.mac;
         okm.push(T);
@@ -58,7 +58,7 @@ function hkdfDeriveFn(name) {
     }
 
     // Step 1: Extract
-    promise = op(salt, key, { loose: true });
+    promise = op(salt, key, { length: salt.length * 8 });
     promise = promise.then(function(result) {
       // Step 2: Expand
       return expand(result.mac);

lib/algorithms/hmac.js

@@ -14,30 +14,37 @@ function hmacSignFN(name) {
   var md = name.replace("HS", "SHA").toLowerCase(),
       hash = name.replace("HS", "SHA-");
 
-  // ### Fallback Implementation -- uses forge
-  var fallback = function(key, pdata, props) {
-    props = props || {};
-    if (!props.loose && CONSTANTS.HASHLENGTH[hash] > (key.length << 3)) {
+  function checkKeyLength(len, key) {
+    len = (len || CONSTANTS.HASHLENGTH[hash]) / 8;
+    if (len > key.length) {
       return Promise.reject(new Error("invalid key length"));
     }
 
-    var sig = forge.hmac.create();
-    sig.start(md, key.toString("binary"));
-    sig.update(pdata);
-    sig = sig.digest().native();
+    return Promise.resolve(key);
+  }
 
-    return Promise.resolve({
-      data: pdata,
-      mac: sig
+  // ### Fallback Implementation -- uses forge
+  var fallback = function(key, pdata, props) {
+    props = props || {};
+    var promise;
+    promise = checkKeyLength(props.length, key);
+    promise = p.then(function() {
+      var sig = forge.hmac.create();
+      sig.start(md, key.toString("binary"));
+      sig.update(pdata);
+      sig = sig.digest().native();
+
+      return {
+        data: pdata,
+        mac: sig
+      }
     });
+    return p;
   };
 
   // ### WebCryptoAPI Implementation
   var webcrypto = function(key, pdata, props) {
     props = props || {};
-    if (!props.loose && CONSTANTS.HASHLENGTH[hash] > (key.length << 3)) {
-      return Promise.reject(new Error("invalid key length"));
-    }
 
     var alg = {
       name: "HMAC",
@@ -46,7 +53,10 @@ function hmacSignFN(name) {
       }
     };
     var promise;
-    promise = helpers.subtleCrypto.importKey("raw", key, alg, true, ["sign"]);
+    promise = checkKeyLength(props.length, key);
+    promise = promise.then(function() {
+      return helpers.subtleCrypto.importKey("raw", key, alg, true, ["sign"]);
+    });
     promise = promise.then(function(key) {
       return helpers.subtleCrypto.sign(alg, key, pdata);
     });
@@ -64,18 +74,20 @@ function hmacSignFN(name) {
   // ### NodeJS implementation
   var nodejs = function(key, pdata, props) {
     props = props || {};
-    if (!props.loose && CONSTANTS.HASHLENGTH[hash] > (key.length << 3)) {
-      return Promise.reject(new Error("invalid key length"));
-    }
 
-    var hmac = helpers.nodeCrypto.createHmac(md, key);
-    hmac.update(pdata);
+    var promise;
+    promise = checkKeyLength(props.length, key);
+    promise = promise.then(function() {
+      var hmac = helpers.nodeCrypto.createHmac(md, key);
+      hmac.update(pdata);
 
-    var sig = hmac.digest();
-    return {
-      data: pdata,
-      mac: sig
-    };
+      var sig = hmac.digest();
+      return {
+        data: pdata,
+        mac: sig
+      };
+    });
+    return promise;
   };
 
   return helpers.setupFallback(nodejs, webcrypto, fallback);
@@ -85,9 +97,9 @@ function hmacVerifyFN(name) {
   var md = name.replace("HS", "SHA").toLowerCase(),
       hash = name.replace("HS", "SHA-");
 
-  function compare(loose, expected, actual) {
-    var len = loose ? expected.length : CONSTANTS.HASHLENGTH[hash] / 8,
-        valid = true;
+  function compare(len, expected, actual) {
+    len = (len || CONSTANTS.HASHLENGTH[hash]) / 8;
+    var valid = true;
     for (var idx = 0; len > idx; idx++) {
       valid = valid && (expected[idx] === actual[idx]);
     }
@@ -97,16 +109,13 @@ function hmacVerifyFN(name) {
   // ### Fallback Implementation -- uses forge
   var fallback = function(key, pdata, mac, props) {
     props = props || {};
-    if (!props.loose && CONSTANTS.HASHLENGTH[hash] > (key.length << 3)) {
-      return Promise.reject(new Error("invalid key length"));
-    }
 
     var vrfy = forge.hmac.create();
     vrfy.start(md, new DataBuffer(key));
     vrfy.update(pdata);
     vrfy = vrfy.digest().native();
 
-    if (compare(props.loose, mac, vrfy)) {
+    if (compare(props.length, mac, vrfy)) {
       return Promise.resolve({
         data: pdata,
         mac: mac,
@@ -119,9 +128,6 @@ function hmacVerifyFN(name) {
 
   var webcrypto = function(key, pdata, mac, props) {
     props = props || {};
-    if (!props.loose && CONSTANTS.HASHLENGTH[hash] > (key.length << 3)) {
-      return Promise.reject(new Error("invalid key length"));
-    }
 
     var alg = {
       name: "HMAC",
@@ -130,14 +136,14 @@ function hmacVerifyFN(name) {
       }
     };
     var promise;
-    if (props.loose) {
+    if (props.length) {
       promise = helpers.subtleCrypto.importKey("raw", key, alg, true, ["sign"]);
       promise = promise.then(function(key) {
         return helpers.subtleCrypto.sign(alg, key, pdata);
       });
       promise = promise.then(function(result) {
         var sig = new Buffer(result);
-        return compare(true, mac, sig);
+        return compare(props.length, mac, sig);
       });
     } else {
       promise = helpers.subtleCrypto.importKey("raw", key, alg, true, ["verify"]);
@@ -162,15 +168,12 @@ function hmacVerifyFN(name) {
 
   var nodejs = function(key, pdata, mac, props) {
     props = props || {};
-    if (!props.loose && CONSTANTS.HASHLENGTH[hash] > (key.length << 3)) {
-      return Promise.reject(new Error("invalid key length"));
-    }
 
     var hmac = helpers.nodeCrypto.createHmac(md, key);
     hmac.update(pdata);
 
     var sig = hmac.digest();
-    if (!compare(props.loose, mac, sig)) {
+    if (!compare(props.length, mac, sig)) {
       throw new Error("verification failed");
     }
     return {

test/algorithms/aes-cbc-hmac-sha2-test.js

@@ -69,5 +69,43 @@ describe("algorithms/aes-cbc-hmac-sha2", function() {
 
     it("performs " + v.alg + " (" + v.desc + ") encryption", encrunner);
     it("performs " + v.alg + " (" + v.desc + ") decryption", decrunner);
+
+    it('should not pass verification (truncated tag)', function() {
+      var tamperedTag = v.tag.substring(0, 6);
+      var key = new Buffer(v.key, "hex"),
+      pdata = new Buffer(v.plaintext, "hex"),
+      cdata = new Buffer(v.ciphertext, "hex"),
+      props = {
+        iv: new Buffer(v.iv, "hex"),
+        aad: new Buffer(v.aad, "hex"),
+        tag: new Buffer(tamperedTag, "hex")
+      };
+      var promise = algorithms.decrypt(v.alg, key, cdata, props);
+      promise = promise.then(function(result) {
+        assert(false, "unexpected success");
+      });
+      promise = promise.catch(function(err) {
+        assert(err);
+      });
+    })
+    it('should not pass verification, (empty tag)', function() {
+      var tamperedTag = "";
+      var key = new Buffer(v.key, "hex"),
+      pdata = new Buffer(v.plaintext, "hex"),
+      cdata = new Buffer(v.ciphertext, "hex"),
+      props = {
+        iv: new Buffer(v.iv, "hex"),
+        aad: new Buffer(v.aad, "hex"),
+        tag: new Buffer(tamperedTag, "hex")
+      };
+      var promise = algorithms.decrypt(v.alg, key, cdata, props);
+      promise = promise.then(function(result) {
+        assert(false, "unexpected success");
+      });
+      promise = promise.catch(function(err) {
+        assert(err);
+      });
+      return promise;
+    });
   });
 });