AES-256-CBC-HMAC-SHA256 and similar ciphers are not recognized as authenticated ciphers

[seirdotexe]

Version

18.1.0

Platform

Microsoft Windows NT 10.0.19044.0 x64

Subsystem

crypto

What steps will reproduce the bug?

Run the following code:

import crypto from 'crypto';

let cipher = crypto.createCipheriv('AES-256-CBC-HMAC-SHA256', crypto.randomBytes(32), crypto.randomBytes(16));
let encrypted = cipher.update('My beautiful data', 'utf8', 'hex');
encrypted += cipher.final('hex');

How often does it reproduce? Is there a required condition?

This only reproduces when using:

• aes-128-cbc-hmac-sha1
• aes-128-cbc-hmac-sha256
• aes-256-cbc-hmac-sha1
• aes-256-cbc-hmac-sha256

What is the expected behavior?

On Node 17.1.0:

d8d390a8554e2ca579a1946447c8144509495f521458996db711dd6c9595080d

What do you see instead?

node:internal/crypto/cipher:180
  const ret = this[kHandle].update(data, inputEncoding);
                            ^

Error: Trying to add data in unsupported state
    at Cipheriv.update (node:internal/crypto/cipher:180:29)
    at file:///C:/Users/myuser/Documents/GitHub/something/test/playground.js:22:24
    at ModuleJob.run (node:internal/modules/esm/module_job:198:25)
    at async Promise.all (index 0)
    at async ESMLoader.import (node:internal/modules/esm/loader:409:24)
    at async loadESM (node:internal/process/esm_loader:85:5)
    at async handleMainPromise (node:internal/modules/run_main:61:12)

Additional information

It seems to work on LTS and above (tested until 17.1.0), but not on V18.

[tniessen]

I am not sure if these algorithms ever worked as expected even when they weren't throwing exceptions, I'll add the label again once I've figured that out. Could you describe your use case for these algorithms?

[seirdotexe]

I'm currently working on a project where I have to encrypt cookies using HMAC and AES. Of course I can use createHmac and separate the process, but these algorithms seem more convenient for me. I used the crypto.getCiphers function and found them and I was expecting them to work on the latest Node, but to my surprise this wasn't the case.

All in all not really breaking anything, but would be nice to have included I guess.

[tniessen]

Looks like it's OpenSSL 3. Node.js versions using OpenSSL 1.1.1 do not throw.

[tniessen]

Upon closer inspection, Node.js has never treated these algorithms as proper AEAD ciphers. In versions that do not throw when using them, they do not guarantee authenticity.

[seirdotexe]

they do not guarantee authenticity

Interesting discovery that you've made, let's hope it can be fixed

[tniessen]

Arguably, OpenSSL is also treating these strangely. Maybe these ciphers mostly exist for TLS compatibility?

Can I ask if you are following some spec that demands using these ciphers?

[seirdotexe]

I'm not following any spec. Just saw them and by their name I expected it to give me an HMAC hash alongside encrypting my data using AES, which is exactly what I was looking for.

[tniessen]

I'm not following any spec. Just saw them and by their name I expected it to give me an HMAC hash alongside encrypting my data using AES, which is exactly what I was looking for.

@seirdotexe In that case, I'd strongly suggest AES-GCM instead. It's widely supported (even in client-side Web Crypto) and generally more efficient than AES-CBC + HMAC.