Support GMAC and multiple AAD chunks for AEAD

[tniessen]

What is the problem this feature will solve?

Node.js only allows a single call to setAAD() for AEAD algorithms. AAD that consists of multiple chunks must be concatenated in memory before it can be passed to setAAD(), which is highly inefficient.

GMAC is a MAC algorithm based on AES-GCM that consumes the entire input data as AAD and leaves the plaintext/ciphertext empty. The AES-GCM authentication tag is the MAC produced by GMAC. Implementing GMAC on top of Node.js again requires concatenating all input data in memory before calling setAAD().

What is the feature you are proposing to solve the problem?

Extend the API to allow appending multiple chunks of AAD. This is common practice and supported by various cryptographic libraries, including OpenSSL.

We should consider carefully if such an extension should be a separate WritableStream or if a simpler API makes more sense.

What alternatives have you considered?

Concatenating all data in memory before passing it to setAAD().

My primary use case for multiple calls to setAAD() is GMAC, so a separate GMAC API (similar to the existing HMAC API) would also be sufficient for my purposes. However, it would leave a gap between AES-GCM and GMAC for those rare use cases that have multiple chunks of AAD and a non-empty plaintext/ciphertext.

On a side note, I preliminarily decided against adding streaming support for AAD in https://github.com/wintercg/proposal-webcrypto-streams, see this section of the explainer. However, that is mostly due to the API constraints of the Web Crypto API.

[bnoordhuis]

Relaxing the rule that setAAD() is only called once would fix that, right?

We may want to relax it only for GMAC but I don't know how you distinguish between GMAC and regular GCM mode. By checking for non-AAD input?

[tniessen]

Relaxing the rule that setAAD() is only called once would fix that, right?

Yes, that is the simplest solution I believe. Only the function's name might be misleading. Other libraries typically use "update" or "append".

We may want to relax it only for GMAC but I don't know how you distinguish between GMAC and regular GCM mode. By checking for non-AAD input?

Yes, GMAC is defined to be GCM with empty plaintext/ciphertext. If we go that route, I think we might as well avoid the Cipher/Decipher classes altogether and add a Hmac-like API for GMAC. A few crypto libraries have done that (e.g., libgcrypt). However, the vast majority of libraries that I have worked with support multiple AAD chunks even with regular AES-GCM. This includes OpenSSL, Mbed TLS, Nettle, CMOX, and Crypto++ if I remember correctly.

[github-actions[bot]]

There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment.

For more information on how the project manages feature requests, please consult the feature request management document.

[tniessen]

@bnoordhuis Do you have a strong preference among those options? :)