RESOLVED FIXED Bug 224083
WebCrypto in Safari will not AES-GCM encrypt 0 bytes 
https://bugs.webkit.org/show_bug.cgi?id=224083
Summary WebCrypto in Safari will not AES-GCM encrypt 0 bytes
Jiewen Tan
Reported 2021-04-01 15:40:04 PDT
WebCrypto in Safari will not AES-GCM encrypt 0 bytes.
Attachments
Patch (5.98 KB, patch)
2021-04-01 15:45 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Patch (6.85 KB, patch)
2021-04-02 19:20 PDT, Jiewen Tan 		youennf: review+
DetailsFormatted DiffDiff
Patch for landing (6.82 KB, patch)
2021-04-06 10:39 PDT, Jiewen Tan 		no flags
DetailsFormatted DiffDiff
Show Obsolete (1) View All Add attachment proposed patch, testcase, etc.
Jiewen Tan
Comment 1 2021-04-01 15:40:16 PDT
Comment hidden (obsolete)
Jiewen Tan
Comment 2 2021-04-01 15:45:19 PDT
Created attachment 424955 [details] Patch
youenn fablet
Comment 3 2021-04-02 01:22:36 PDT
Comment on attachment 424955 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=424955&action=review > Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:42 > + cipherText.reserveCapacity(cipherText.size() + desiredTagLengthInBytes); Can we just do Vector<uint8_t> cipherText(plainText.size() + desiredTagLengthInBytes) and update below code to memcpy the tag? This would allow to do a single allocation. > Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:61 > + plainText.reserveCapacity(cipherText.size()); Are we guaranteed that cipherText.size() <= desiredTagLengthInBytes? If not, can we just write: if (cipherText.size() <= desiredTagLengthInBytes) return Vector<uint8_t> { }; If this is guaranteed, can we do: auto length = cipherText.size() - desiredTagLengthInBytes; if (!length) return Vector<uint8_t> { };
Jiewen Tan
Comment 4 2021-04-02 19:17:01 PDT
Comment on attachment 424955 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=424955&action=review Thanks Youenn for reviewing this patch. >> Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:42 >> + cipherText.reserveCapacity(cipherText.size() + desiredTagLengthInBytes); > > Can we just do Vector<uint8_t> cipherText(plainText.size() + desiredTagLengthInBytes) and update below code to memcpy the tag? > This would allow to do a single allocation. Good catch. Fixed. >> Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:61 >> + plainText.reserveCapacity(cipherText.size()); > > Are we guaranteed that cipherText.size() <= desiredTagLengthInBytes? > If not, can we just write: > if (cipherText.size() <= desiredTagLengthInBytes) > return Vector<uint8_t> { }; > > If this is guaranteed, can we do: > auto length = cipherText.size() - desiredTagLengthInBytes; > if (!length) > return Vector<uint8_t> { }; We cannot return empty vector directly. The cipher will contain the tag which will need to be validated by the AES-GCM algorithm.
Jiewen Tan
Comment 5 2021-04-02 19:20:26 PDT
Created attachment 425078 [details] Patch
youenn fablet
Comment 6 2021-04-06 10:10:31 PDT
Comment on attachment 425078 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425078&action=review > Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:73 > + plainText.shrink(cipherText.size() - desiredTagLengthInBytes); You could use offset here.
Jiewen Tan
Comment 7 2021-04-06 10:33:58 PDT
Comment on attachment 425078 [details] Patch View in context: https://bugs.webkit.org/attachment.cgi?id=425078&action=review Thanks Youenn for r+ this patch. >> Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:73 >> + plainText.shrink(cipherText.size() - desiredTagLengthInBytes); > > You could use offset here. Good catch. Fixed.
Jiewen Tan
Comment 8 2021-04-06 10:39:15 PDT
Created attachment 425300 [details] Patch for landing
Jiewen Tan
Comment 9 2021-04-06 10:44:39 PDT
rdar://59951871
EWS
Comment 10 2021-04-06 11:10:36 PDT
Committed r275535: <https://commits.webkit.org/r275535> All reviewed patches have been landed. Closing bug and clearing flags on attachment 425300 [details].
Darin Adler
Comment 11 2021-04-06 14:46:33 PDT
Comment on attachment 425300 [details] Patch for landing View in context: https://bugs.webkit.org/attachment.cgi?id=425300&action=review > Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:40 > + // This is a wordaround for rdar://75093377. Force the buffer to be a non null pointer. Typo in "workaround" here, and 2 other places below. Also not sure we should call this a "workaround". Just because we misunderstood and thought the pointer could be null, doesn’t mean we should comment each line saying "workaround" like this. Honestly, I find the relationship of the comment to he code confusing. I am fairly expect on how Vector works and I can’t find anything here that is "forcing" a buffer to be a non-null pointer.
Jiewen Tan
Comment 12 2021-04-08 14:02:03 PDT
(In reply to Darin Adler from comment #11) > Comment on attachment 425300 [details] > Patch for landing > > View in context: > https://bugs.webkit.org/attachment.cgi?id=425300&action=review > > > Source/WebCore/crypto/mac/CryptoAlgorithmAES_GCMMac.cpp:40 > > + // This is a wordaround for rdar://75093377. Force the buffer to be a non null pointer. > > Typo in "workaround" here, and 2 other places below. > > Also not sure we should call this a "workaround". Just because we > misunderstood and thought the pointer could be null, doesn’t mean we should > comment each line saying "workaround" like this. > > Honestly, I find the relationship of the comment to he code confusing. I am > fairly expect on how Vector works and I can’t find anything here that is > "forcing" a buffer to be a non-null pointer. Got you. Will land a follow up to fix the comments. As long as the Vector's capacity is larger than 0, then .data() will be non-null pointer.
Jiewen Tan
Comment 13 2021-04-08 14:31:08 PDT
A follow up according to Darin's comment. Committed r275678: <https://commits.webkit.org/r275678> Committed r275678 (236314@main): <https://commits.webkit.org/236314@main>
Note You need to log in before you can comment on or make changes to this bug.