crypto: add support for OCB mode for AEAD

[tniessen]

This change adds support for OCB, the newest and fastest AEAD mode offered by OpenSSL. There are relatively few changes required within the native code, the OCB implementation behaves somewhat like CCM, except that some limitations of CCM don't apply.

As OCB is patented, we will need to check whether this change has any legal implications. The holder of the patents, Phillip Rogaway, has summarized the situation here and I am pretty sure there won't be any problems, but I wouldn't want to be the one to make the decision.

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

[nodejs-github-bot]

@tniessen build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/113/pipeline

[tniessen]

CC @nodejs/crypto. Not sure who to ping for the legal stuff.

[jasnell]

As OCB is patented, we will need to check whether this change has any legal implications.

We should marked this blocked until we can get a legal review.

@MylesBorins ... this may be one to bring up to the legal committee.

[bnoordhuis]

LGTM modulo comment.

Apropos the legal ramifications, note that we're already shipping OCB:

$ node > var c = crypto.createCipheriv('aes-128-ocb', 'x'.repeat(16), 'x'.repeat(12)); c.update('boom'); c.final() <Buffer 4e 83 df 21> 

[bnoordhuis]

Why not make this a function?

[tniessen]

Mhhh I think in my head it still looks like "less overhead". Would you like me to change it?

[bnoordhuis]

Yes, please.

[bnoordhuis]

This will conflict with #21462 when it lands (but no doubt you knew that since you reviewed it. :-))

[tniessen]

Yes, but thanks for pointing it out 😃

[tniessen]

Thanks for reviewing, @bnoordhuis!

Apropos the legal ramifications, note that we're already shipping OCB:

And we are already shipping OpenSSL which supports OCB, that's why I assume hope there won't be any problems.

[tniessen]

Comment addressed and rebased (old HEAD was 46178187be645f7451279382467c6799b0e3b8cc).

[jasnell]

I doubt there will be any issues here and it's likely safe to proceed, but it would still be good to get a legal committee review (assuming that doesn't take forever lol). Let's not block on it tho

[tniessen]

Thanks @jasnell. Sadly, I literally know nothing about our legal committee, I can't even find a list of members or documented processes involving them.

Full CI: https://ci.nodejs.org/job/node-test-pull-request/15662/

[jasnell]

That's something @MylesBorins needs to do

[tniessen]

Rebased, old HEAD was 64efc012ccb9fcdf2f619f1f9cbcf0691fae5009.
New CI: https://ci.nodejs.org/job/node-test-pull-request/15839/

I am pinging @nodejs/tsc to make sure that they know of this change, I would like to land it next week.

[Trott]

Since adding stuff to crypto has been A Thing lately, I'm going to cc @nodejs/security-wg...

[BridgeAR]

This needs a rebase.

[tniessen]

Thank you, @BridgeAR! Rebased, old HEAD was dce91f94f146bbf73b8a059ba30be4f9defa84bc.
CI: https://ci.nodejs.org/job/node-test-pull-request/15912/
Only failure seems to be unrelated, resuming: https://ci.nodejs.org/job/node-test-pull-request/15914/

I will land this tomorrow unless someone objects.

[tniessen]

Landed in b3f459e.

[targos]

Depends on #21782 to land on v10.x-staging

[targos]

#21782 landed but there are still conflicts in the C++ code.

Should this be backported to v10.x-staging? If yes please follow the guide and raise a backport PR, if not let me know or add the dont-land-on label.

/cc @tniessen

[rvagg]

Yes, it should be backported to v10.x-staging. I started working on it but decided to cut my losses. @tniessen the conflicts are around semver-major changes you've introduced in master so you'll probably have a much easier time putting a PR against v10.x-staging to backport this.

[tniessen]

I'll be home in a couple of days and will give it a try.

[targos]

@tniessen I see that you pushed a backport branch to your fork. Is it ready for a PR?

[tniessen]

@targos The code itself should work, but I am afraid that it might have unintended side effects for CCM. I'll try to verify that within the next few days.