crypto: add AES-OCB Web Cryptography algorithm

Author: panva

deps/ncrypto/ncrypto.cc

@@ -2927,6 +2927,9 @@ const Cipher Cipher::AES_256_GCM = Cipher::FromNid(NID_aes_256_gcm);
 const Cipher Cipher::AES_128_KW = Cipher::FromNid(NID_id_aes128_wrap);
 const Cipher Cipher::AES_192_KW = Cipher::FromNid(NID_id_aes192_wrap);
 const Cipher Cipher::AES_256_KW = Cipher::FromNid(NID_id_aes256_wrap);
+const Cipher Cipher::AES_128_OCB = Cipher::FromNid(NID_aes_128_ocb);
+const Cipher Cipher::AES_192_OCB = Cipher::FromNid(NID_aes_192_ocb);
+const Cipher Cipher::AES_256_OCB = Cipher::FromNid(NID_aes_256_ocb);
 const Cipher Cipher::CHACHA20_POLY1305 = Cipher::FromNid(NID_chacha20_poly1305);
 
 bool Cipher::isGcmMode() const {
@@ -3129,6 +3132,11 @@ bool CipherCtxPointer::isGcmMode() const {
   return getMode() == EVP_CIPH_GCM_MODE;
 }
 
+bool CipherCtxPointer::isOcbMode() const {
+  if (!ctx_) return false;
+  return getMode() == EVP_CIPH_OCB_MODE;
+}
+
 bool CipherCtxPointer::isCcmMode() const {
   if (!ctx_) return false;
   return getMode() == EVP_CIPH_CCM_MODE;

deps/ncrypto/ncrypto.h

@@ -373,6 +373,9 @@ class Cipher final {
   static const Cipher AES_128_KW;
   static const Cipher AES_192_KW;
   static const Cipher AES_256_KW;
+  static const Cipher AES_128_OCB;
+  static const Cipher AES_192_OCB;
+  static const Cipher AES_256_OCB;
   static const Cipher CHACHA20_POLY1305;
 
   struct CipherParams {
@@ -738,6 +741,7 @@ class CipherCtxPointer final {
   int getNid() const;
 
   bool isGcmMode() const;
+  bool isOcbMode() const;
   bool isCcmMode() const;
   bool isWrapMode() const;
   bool isChaCha20Poly1305() const;

doc/api/webcrypto.md

@@ -2,6 +2,9 @@
 
 <!-- YAML
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -101,6 +104,7 @@ WICG proposal:
 
 Algorithms:
 
+* `'AES-OCB'`[^openssl30]
 * `'ChaCha20-Poly1305'`
 * `'cSHAKE128'`
 * `'cSHAKE256'`
@@ -489,6 +493,7 @@ implementation and the APIs supported for each:
 | `'AES-CTR'`                          | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
 | `'AES-GCM'`                          | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
 | `'AES-KW'`                           | ✔             | ✔           | ✔           |                   | ✔                   |                        |               |          |                |
+| `'AES-OCB'`[^modern-algos]           | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
 | `'ChaCha20-Poly1305'`[^modern-algos] | ✔             | ✔           | ✔           | ✔                 | ✔                   |                        |               |          |                |
 | `'cSHAKE128'`[^modern-algos]         |               |             |             |                   |                     |                        |               | ✔        |                |
 | `'cSHAKE256'`[^modern-algos]         |               |             |             |                   |                     |                        |               | ✔        |                |
@@ -641,6 +646,7 @@ Valid key usages depend on the key algorithm (identified by
 | `'AES-CTR'`                          | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
 | `'AES-GCM'`                          | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
 | `'AES-KW'`                           |             |             |          |            |               |                | ✔           | ✔             |
+| `'AES-OCB'`[^modern-algos]           | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
 | `'ChaCha20-Poly1305'`[^modern-algos] | ✔           | ✔           |          |            |               |                | ✔           | ✔             |
 | `'ECDH'`                             |             |             |          |            | ✔             | ✔              |             |               |
 | `'ECDSA'`                            |             |             | ✔        | ✔          |               |                |             |               |
@@ -715,6 +721,9 @@ which can be used to detect whether a given algorithm identifier
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -735,6 +744,7 @@ The algorithms currently supported include:
 * `'AES-CBC'`
 * `'AES-CTR'`
 * `'AES-GCM'`
+* `'AES-OCB'`[^modern-algos]
 * `'ChaCha20-Poly1305'`[^modern-algos]
 * `'RSA-OAEP'`
 
@@ -866,6 +876,9 @@ whose value is one of the above.
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -886,6 +899,7 @@ The algorithms currently supported include:
 * `'AES-CBC'`
 * `'AES-CTR'`
 * `'AES-GCM'`
+* `'AES-OCB'`[^modern-algos]
 * `'ChaCha20-Poly1305'`[^modern-algos]
 * `'RSA-OAEP'`
 
@@ -894,6 +908,9 @@ The algorithms currently supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -934,6 +951,7 @@ specification.
 | `'AES-CTR'`                          |          |           | ✔       | ✔       | ✔              |                |              |
 | `'AES-GCM'`                          |          |           | ✔       | ✔       | ✔              |                |              |
 | `'AES-KW'`                           |          |           | ✔       | ✔       | ✔              |                |              |
+| `'AES-OCB'`[^modern-algos]           |          |           | ✔       |         | ✔              |                |              |
 | `'ChaCha20-Poly1305'`[^modern-algos] |          |           | ✔       |         | ✔              |                |              |
 | `'ECDH'`                             | ✔        | ✔         | ✔       | ✔       |                | ✔              |              |
 | `'ECDSA'`                            | ✔        | ✔         | ✔       | ✔       |                | ✔              |              |
@@ -966,6 +984,9 @@ Derives the public key from a given private key.
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -1010,6 +1031,7 @@ The {CryptoKey} (secret key) generating algorithms supported include:
 * `'AES-CTR'`
 * `'AES-GCM'`
 * `'AES-KW'`
+* `'AES-OCB'`[^modern-algos]
 * `'ChaCha20-Poly1305'`[^modern-algos]
 * `'HMAC'`
 
@@ -1018,6 +1040,9 @@ The {CryptoKey} (secret key) generating algorithms supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -1064,6 +1089,7 @@ The algorithms currently supported include:
 | `'AES-CTR'`                          |          |           | ✔       | ✔       | ✔              |                |              |
 | `'AES-GCM'`                          |          |           | ✔       | ✔       | ✔              |                |              |
 | `'AES-KW'`                           |          |           | ✔       | ✔       | ✔              |                |              |
+| `'AES-OCB'`[^modern-algos]           |          |           | ✔       |         | ✔              |                |              |
 | `'ChaCha20-Poly1305'`[^modern-algos] |          |           | ✔       |         | ✔              |                |              |
 | `'ECDH'`                             | ✔        | ✔         | ✔       | ✔       |                | ✔              |              |
 | `'ECDSA'`                            | ✔        | ✔         | ✔       | ✔       |                | ✔              |              |
@@ -1127,6 +1153,9 @@ The algorithms currently supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -1163,6 +1192,7 @@ The wrapping algorithms currently supported include:
 * `'AES-CTR'`
 * `'AES-GCM'`
 * `'AES-KW'`
+* `'AES-OCB'`[^modern-algos]
 * `'ChaCha20-Poly1305'`[^modern-algos]
 * `'RSA-OAEP'`
 
@@ -1172,6 +1202,7 @@ The unwrapped key algorithms supported include:
 * `'AES-CTR'`
 * `'AES-GCM'`
 * `'AES-KW'`
+* `'AES-OCB'`[^modern-algos]
 * `'ChaCha20-Poly1305'`[^modern-algos]
 * `'ECDH'`
 * `'ECDSA'`
@@ -1234,6 +1265,9 @@ The algorithms currently supported include:
 <!-- YAML
 added: v15.0.0
 changes:
+  - version: REPLACEME
+    pr-url: https://github.com/nodejs/node/pull/59365
+    description: AES-OCB algorithm is now supported.
   - version: REPLACEME
     pr-url: https://github.com/nodejs/node/pull/59365
     description: ChaCha20-Poly1305 algorithm is now supported.
@@ -1266,6 +1300,7 @@ The wrapping algorithms currently supported include:
 * `'AES-CTR'`
 * `'AES-GCM'`
 * `'AES-KW'`
+* `'AES-OCB'`[^modern-algos]
 * `'ChaCha20-Poly1305'`[^modern-algos]
 * `'RSA-OAEP'`
 
@@ -1323,7 +1358,7 @@ given key.
 added: v15.0.0
 -->
 
-* Type: {string} Must be `'AES-GCM'` or `'ChaCha20-Poly1305'`.
+* Type: {string} Must be `'AES-GCM'`, `'AES-OCB'`, or `'ChaCha20-Poly1305'`.
 
 #### `aeadParams.tagLength`
 
@@ -1345,8 +1380,7 @@ added: v15.0.0
 added: v15.0.0
 -->
 
-* Type: {string} Must be one of `'AES-CBC'`, `'AES-CTR'`, `'AES-GCM'`, or
-  `'AES-KW'`
+* Type: {string} Must be one of `'AES-CBC'`, `'AES-CTR'`, `'AES-GCM'`, `'AES-OCB'`, or `'AES-KW'`
 
 #### `aesDerivedKeyParams.length`
 
@@ -2178,6 +2212,8 @@ The length (in bytes) of the random salt to use.
 
 [^modern-algos]: See [Modern Algorithms in the Web Cryptography API][]
 
+[^openssl30]: Requires OpenSSL >= 3.0
+
 [^openssl35]: Requires OpenSSL >= 3.5
 
 [JSON Web Key]: https://tools.ietf.org/html/rfc7517

lib/internal/crypto/aes.js

@@ -18,14 +18,17 @@ const {
   kKeyVariantAES_CBC_128,
   kKeyVariantAES_GCM_128,
   kKeyVariantAES_KW_128,
+  kKeyVariantAES_OCB_128,
   kKeyVariantAES_CTR_192,
   kKeyVariantAES_CBC_192,
   kKeyVariantAES_GCM_192,
   kKeyVariantAES_KW_192,
+  kKeyVariantAES_OCB_192,
   kKeyVariantAES_CTR_256,
   kKeyVariantAES_CBC_256,
   kKeyVariantAES_GCM_256,
   kKeyVariantAES_KW_256,
+  kKeyVariantAES_OCB_256,
   kWebCryptoCipherDecrypt,
   kWebCryptoCipherEncrypt,
 } = internalBinding('crypto');
@@ -61,6 +64,7 @@ function getAlgorithmName(name, length) {
     case 'AES-CTR': return `A${length}CTR`;
     case 'AES-GCM': return `A${length}GCM`;
     case 'AES-KW': return `A${length}KW`;
+    case 'AES-OCB': return `A${length}OCB`;
   }
 }
 
@@ -99,6 +103,13 @@ function getVariant(name, length) {
         case 256: return kKeyVariantAES_KW_256;
       }
       break;
+    case 'AES-OCB':
+      switch (length) {
+        case 128: return kKeyVariantAES_OCB_128;
+        case 192: return kKeyVariantAES_OCB_192;
+        case 256: return kKeyVariantAES_OCB_256;
+      }
+      break;
   }
 }
 
@@ -172,11 +183,49 @@ function asyncAesGcmCipher(mode, key, data, algorithm) {
     algorithm.additionalData));
 }
 
+function asyncAesOcbCipher(mode, key, data, algorithm) {
+  const { tagLength = 128 } = algorithm;
+
+  const tagByteLength = tagLength / 8;
+  let tag;
+  switch (mode) {
+    case kWebCryptoCipherDecrypt: {
+      const slice = ArrayBufferIsView(data) ?
+        TypedArrayPrototypeSlice : ArrayBufferPrototypeSlice;
+      tag = slice(data, -tagByteLength);
+
+      // Similar to GCM, OCB requires the tag to be present for decryption
+      if (tagByteLength > tag.byteLength) {
+        return PromiseReject(lazyDOMException(
+          'The provided data is too small.',
+          'OperationError'));
+      }
+
+      data = slice(data, 0, -tagByteLength);
+      break;
+    }
+    case kWebCryptoCipherEncrypt:
+      tag = tagByteLength;
+      break;
+  }
+
+  return jobPromise(() => new AESCipherJob(
+    kCryptoJobAsync,
+    mode,
+    key[kKeyObject][kHandle],
+    data,
+    getVariant('AES-OCB', key.algorithm.length),
+    algorithm.iv,
+    tag,
+    algorithm.additionalData));
+}
+
 function aesCipher(mode, key, data, algorithm) {
   switch (algorithm.name) {
     case 'AES-CTR': return asyncAesCtrCipher(mode, key, data, algorithm);
     case 'AES-CBC': return asyncAesCbcCipher(mode, key, data, algorithm);
     case 'AES-GCM': return asyncAesGcmCipher(mode, key, data, algorithm);
+    case 'AES-OCB': return asyncAesOcbCipher(mode, key, data, algorithm);
     case 'AES-KW': return asyncAesKwCipher(mode, key, data);
   }
 }
@@ -235,7 +284,11 @@ function aesImportKey(
       keyObject = keyData;
       break;
     }
+    case 'raw-secret':
     case 'raw': {
+      if (format === 'raw' && name === 'AES-OCB') {
+        return undefined;
+      }
       validateKeyLength(keyData.byteLength * 8);
       keyObject = createSecretKey(keyData);
       break;

lib/internal/crypto/keys.js

@@ -196,6 +196,8 @@ const {
         case 'AES-GCM':
           // Fall through
         case 'AES-KW':
+          // Fall through
+        case 'AES-OCB':
           result = require('internal/crypto/aes')
             .aesImportKey(algorithm, 'KeyObject', this, extractable, keyUsages);
           break;

lib/internal/crypto/util.js

@@ -36,6 +36,7 @@ const {
   EVP_PKEY_ML_DSA_44,
   EVP_PKEY_ML_DSA_65,
   EVP_PKEY_ML_DSA_87,
+  kKeyVariantAES_OCB_128: hasAesOcbMode,
 } = internalBinding('crypto');
 
 const { getOptionValue } = require('internal/options');
@@ -205,6 +206,14 @@ const kAlgorithmDefinitions = {
     'wrapKey': null,
     'unwrapKey': null,
   },
+  'AES-OCB': {
+    'generateKey': 'AesKeyGenParams',
+    'exportKey': null,
+    'importKey': null,
+    'encrypt': 'AeadParams',
+    'decrypt': 'AeadParams',
+    'get key length': 'AesDerivedKeyParams',
+  },
   'ChaCha20-Poly1305': {
     'generateKey': null,
     'exportKey': null,
@@ -326,6 +335,7 @@ const kAlgorithmDefinitions = {
 // Conditionally supported algorithms
 const conditionalAlgorithms = {
   'AES-KW': !process.features.openssl_is_boringssl,
+  'AES-OCB': !!hasAesOcbMode,
   'ChaCha20-Poly1305': !process.features.openssl_is_boringssl ||
     ArrayPrototypeIncludes(getCiphers(), 'chacha20-poly1305'),
   'cSHAKE128': !process.features.openssl_is_boringssl ||
@@ -347,6 +357,7 @@ const conditionalAlgorithms = {
 
 // Experimental algorithms
 const experimentalAlgorithms = [
+  'AES-OCB',
   'ChaCha20-Poly1305',
   'cSHAKE128',
   'cSHAKE256',