Bug 228879

Summary: Add console logging to encourage the use of authenticated encryption in WebCrypto
Product: WebKit Reporter: Kate Cheney <katherine_cheney>
Component: New BugsAssignee: Kate Cheney <katherine_cheney>
Status: RESOLVED FIXED    
Severity: Normal CC: bfulgham, ews-watchlist, hi, jiewen_tan, mkwst
Priority: P2 Keywords: InRadar
Version: WebKit Nightly Build   
Hardware: Unspecified   
OS: Unspecified   
Attachments:
Description Flags
Patch
none
Patch
none
Patch
none
Patch ews-feeder: commit-queue-

Description Kate Cheney 2021-08-06 15:55:47 PDT 
Add console logging to encourage the use of authenticated encryption in WebCrypto
Comment 1 Kate Cheney 2021-08-06 15:59:53 PDT 
Created attachment 435096 [details]
Patch
Comment 2 Kate Cheney 2021-08-06 16:00:16 PDT 
rdar://80655397
Comment 3 Brent Fulgham 2021-08-06 16:09:22 PDT 
Comment on attachment 435096 [details]
Patch

View in context: https://bugs.webkit.org/attachment.cgi?id=435096&action=review

r=me

> Source/WebCore/crypto/SubtleCrypto.cpp:538
> +        scriptExecutionContext()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "AES-CBC and AES-CTR do not provide authentication by default, and implementing it manually can result in minor, but serious mistakes. We recommended using authenticated encryption like GCM to protect against chosen-ciphertext attacks.");

This might be better as a separate function:

void SubtleCrypto::addAuthenticatedEncryptionWarningIfNecessary()
{
    if (key.algorithmIdentifier() == CryptoAlgorithmIdentifier::AES_CBC || key.algorithmIdentifier() == CryptoAlgorithmIdentifier::AES_CTR)
        scriptExecutionContext()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "AES-CBC and AES-CTR do not provide authentication by default, and implementing it manually can result in minor, but serious mistakes. We recommended using authenticated encryption like GCM to protect against chosen-ciphertext attacks.");
}

Then the two implementations would always be consistent in language and format, and if we want to warn about more things we could just add them in one place.

> Source/WebCore/crypto/SubtleCrypto.cpp:579
> +        scriptExecutionContext()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "AES-CBC and AES-CTR do not provide authentication by default, and implementing it manually can result in minor, but serious mistakes. We recommended using authenticated encryption like GCM to protect against chosen-ciphertext attacks.");

... and this could just be replaced with:

addAuthenticatedEncryptionWarningIfNecessary();
Comment 4 Kate Cheney 2021-08-06 16:18:25 PDT 
(In reply to Brent Fulgham from comment #3)
> Comment on attachment 435096 [details]
> Patch
> 
> View in context:
> https://bugs.webkit.org/attachment.cgi?id=435096&action=review
> 
> r=me
> 
> > Source/WebCore/crypto/SubtleCrypto.cpp:538
> > +        scriptExecutionContext()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "AES-CBC and AES-CTR do not provide authentication by default, and implementing it manually can result in minor, but serious mistakes. We recommended using authenticated encryption like GCM to protect against chosen-ciphertext attacks.");
> 
> This might be better as a separate function:
> 
> void SubtleCrypto::addAuthenticatedEncryptionWarningIfNecessary()
> {
>     if (key.algorithmIdentifier() == CryptoAlgorithmIdentifier::AES_CBC ||
> key.algorithmIdentifier() == CryptoAlgorithmIdentifier::AES_CTR)
>         scriptExecutionContext()->addConsoleMessage(MessageSource::Security,
> MessageLevel::Warning, "AES-CBC and AES-CTR do not provide authentication by
> default, and implementing it manually can result in minor, but serious
> mistakes. We recommended using authenticated encryption like GCM to protect
> against chosen-ciphertext attacks.");
> }
> 
> Then the two implementations would always be consistent in language and
> format, and if we want to warn about more things we could just add them in
> one place.
> 
> > Source/WebCore/crypto/SubtleCrypto.cpp:579
> > +        scriptExecutionContext()->addConsoleMessage(MessageSource::Security, MessageLevel::Warning, "AES-CBC and AES-CTR do not provide authentication by default, and implementing it manually can result in minor, but serious mistakes. We recommended using authenticated encryption like GCM to protect against chosen-ciphertext attacks.");
> 
> ... and this could just be replaced with:
> 
> addAuthenticatedEncryptionWarningIfNecessary();

Good idea, will change.
Comment 5 Kate Cheney 2021-08-06 16:31:12 PDT 
Created attachment 435097 [details]
Patch
Comment 6 Kate Cheney 2021-08-06 16:31:27 PDT 
Will land after EWS is green.
Comment 7 Kate Cheney 2021-08-09 10:01:21 PDT 
Created attachment 435188 [details]
Patch
Comment 8 Kate Cheney 2021-08-09 10:03:53 PDT 
Updated test expectations for imported tests to avoid logging console output to stdout. Also some tests called encrypt/decrypt up to 1000 times to test for crashing. To avoid 1000 lines of console logging in test expectations I also marked these with the "DumpJSConsoleLogInStdErr" expectation. Awaiting green bots.
Comment 9 Kate Cheney 2021-08-09 10:55:55 PDT 
Created attachment 435195 [details]
Patch
Comment 10 EWS 2021-08-09 13:06:38 PDT 
Committed r280790 (240369@main): <https://commits.webkit.org/240369@main>

All reviewed patches have been landed. Closing bug and clearing flags on attachment 435195 [details].