  1. Erlang/OTP
  2. ERL-1078

crypto:crypto_one_time_aead disregards auth tag when decrypting via chacha20_poly1305 cipher


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 22.1.4
    • Fix Version/s: 22.1.6
    • Component/s: crypto
    • Labels:
      None

      Description

      Summary

      When attempting to decrypt and verify a ciphertext / auth tag pair using the chacha20_poly1305 cipher, the value of the auth tag is not consulted, and thus the message is not authenticated (even though it is decrypted properly).

      Steps to reproduce

      1. Encrypt <<1,2,3>> using all-zero key and IV:

      1> {Enc, Auth} = crypto:crypto_one_time_aead(chacha20_poly1305, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, <<0,0,0,0,0,0,0,0>>, <<1,2,3>>, <<0>>, true).
      {<<"÷8ã">>,
       <<104,144,181,53,206,121,249,160,226,107,92,229,141,252,
         7,82>>}
      

      2. At first glance, decryption works as expected:

      2> crypto:crypto_one_time_aead(chacha20_poly1305, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, <<0,0,0,0,0,0,0,0>>, Enc, <<0>>, Auth, false).
      <<1,2,3>>
      

      3. However, if the auth tag is changed to anything (all zeroes in this example), the call comes back without error:

      3> crypto:crypto_one_time_aead(chacha20_poly1305, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, <<0,0,0,0,0,0,0,0>>, Enc, <<0>>, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, false).
      <<1,2,3>>
      

      One would expect that to return error since the auth tag does not match.

      Note that other aead ciphers (aes_128_ccm for example) work as expected, with an invalid auth tag returning error:

      1> {Enc, Auth} = crypto:crypto_one_time_aead(aes_128_ccm, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, <<0,0,0,0,0,0,0,0>>, <<1,2,3>>, <<0>>, true).
      {<<"A½i">>,<<232,171,16,250,190,235,221,200,190,65,177,37>>}
      2> crypto:crypto_one_time_aead(aes_128_ccm, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, <<0,0,0,0,0,0,0,0>>, Enc, <<0>>, Auth, false).
      <<1,2,3>>
      3> crypto:crypto_one_time_aead(aes_128_ccm, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, <<0,0,0,0,0,0,0,0>>, Enc, <<0>>, <<0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0>>, false).
      error
      

      (Examples above run on Erlang 22.1.4 linked against OpenSSL 1.1.1d, on macOS 10.14.6).

      Possible Explanation

      From what I've been able to find in OpenSSL documentation (see [1], [2]), tag verification with the chacha20_poly1305 cipher is similar in structure to CCM ciphers, which Erlang's aead_cipher function cases out at crypto/aead.c:112-118. I think that the enclosing condition should be revised to cipherp->flags & (CCM_MODE | CHACHA_MODE) (and a corresponding flag added to the cipher definition in crypto/c_src/cipher.c:99), but since my momma always told me not to roll my own crypto I'm not about to try and solve this on my own without taking guidance from someone more learned in crypto than myself. If such a someone could vet this approach, I'm happy to submit a patch.

      [1] https://www.openssl.org/docs/man1.1.1/man3/EVP_CIPHER_block_size.html
      [2] https://wiki.openssl.org/index.php/EVP_Authenticated_Encryption_and_Decryption
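A regression check for the behaviour reported above, as an added example that is not part of the original issue or of OTP: for each AEAD cipher the local crypto build supports, it confirms that decryption succeeds with the genuine tag and returns error when the tag, ciphertext or AAD is altered. The module name, the cipher list and the key/IV lengths are assumptions chosen for the example; on a build showing the reported behaviour, the tag cases for chacha20_poly1305 come back in the failed list.

```erlang
-module(aead_tag_check).
-export([run/0, check/1]).

%% Added example, not OTP code. {Cipher, KeyBytes, IVBytes}; the lengths are
%% assumptions matching each cipher's standard parameters.
ciphers() ->
    [{chacha20_poly1305, 32, 12}, {aes_128_gcm, 16, 12},
     {aes_256_gcm, 32, 12}, {aes_128_ccm, 16, 12}].

%% Check every listed cipher that this crypto build supports.
run() ->
    Supported = crypto:supports(ciphers),
    [{C, check(Spec)} || {C, _, _} = Spec <- ciphers(),
                         lists:member(C, Supported)].

%% Returns ok, or {failed, Names} listing the cases that misbehaved.
check({Cipher, KeyLen, IVLen}) ->
    Key = crypto:strong_rand_bytes(KeyLen),
    IV = crypto:strong_rand_bytes(IVLen),
    AAD = <<"constructed header">>,
    Plain = <<1,2,3>>,
    {Enc, Tag} = crypto:crypto_one_time_aead(Cipher, Key, IV, Plain, AAD, true),
    %% Decrypt with the same key and IV, varying ciphertext, AAD and tag.
    Dec = fun(C, A, T) ->
                  crypto:crypto_one_time_aead(Cipher, Key, IV, C, A, T, false)
          end,
    Zero = binary:copy(<<0>>, byte_size(Tag)),
    %% {Name, ActualResult, ExpectedResult}
    Cases = [{valid_tag, Dec(Enc, AAD, Tag), Plain},
             {flipped_tag, Dec(Enc, AAD, flip(Tag)), error},
             {zero_tag, Dec(Enc, AAD, Zero), error},
             {flipped_ciphertext, Dec(flip(Enc), AAD, Tag), error},
             {flipped_aad, Dec(Enc, flip(AAD), Tag), error}],
    case [Name || {Name, Got, Want} <- Cases, Got =/= Want] of
        [] -> ok;
        Failed -> {failed, Failed}
    end.

%% Flip the lowest bit of the first byte.
flip(<<B, Rest/binary>>) -> <<(B bxor 1), Rest/binary>>.
```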

            People

            Assignee:
            hans Hans Nilsson
            Reporter:
            mtrudel Mat Trudel