AES-GCM-256 output adds extra bytes?

[knightcode]

Describe the bug

This Node.js code below produces an output whose size is equal to the input size:

const key = Buffer.from("hLbInPgDomkaXyl4M/5Vu8kJ7XSSHLJSNJFAXraMkVI=", "base64");
const iv  = Buffer.from("vOOEV2pG/geYWezALcfVt2b1NG18+HnIzjca9c7FhXY=", "base64");
const aad = Buffer.from("6165b598c98a2f096d00017b", "hex");

const cipher = crypto.createCipheriv("aes-256-gcm", key, iv, {authTagLength: 16});
cipher.setAAD(aad);

let message = Buffer.from("Hello World\n", "utf-8");
let encrypted = cipher.update(message);
encrypted = Buffer.concat([encrypted, cipher.final()]);
const authTag = cipher.getAuthTag();
logger.info("enc:     ", encrypted.toString("base64"), "size:", encrypted.length);

output: enc: NHvJrsXYmiVeE8VO size: 12
authtag (base64): LgqWVXwFrTfE2d/nquvsCg==

Fwict, Node.js uses pkcs7 padding by default unless a call is made to cipher.setAutoPadding(false), and it throws if the input size isn't a multiple of the block size in that case.

This CryptoSwift code adds an extra 4 bytes to the output:

do {
      let message = Data("Hello World\n".utf8).bytes

      guard let key = Data(base64Encoded: "hLbInPgDomkaXyl4M/5Vu8kJ7XSSHLJSNJFAXraMkVI="),
            let iv = Data(base64Encoded: "vOOEV2pG/geYWezALcfVt2b1NG18+HnIzjca9c7FhXY=") else {
        return
      }
      let aad = Data(hex: "6165b598c98a2f096d00017b").bytes


      let gcm = GCM(iv: iv.bytes, additionalAuthenticatedData: aad, tagLength: 16, mode: .detached)
      let aes = try AES(key: key.bytes, blockMode: gcm, padding: .pkcs7)
      let ct = try aes.encrypt(message)
      let tag = gcm.authenticationTag!

      print("cipher:", ct.toBase64(), "count:", ct.count, "auth:", tag.toBase64(), "count:", tag.count)
} catch {
  print("Error encrypting: \(error)")
}

output: cipher: NHvJrsXYmiVeE8VOkCjvVg== count: 16 auth: nsDVw/NVoC1TV0ueJ7uXXw== count: 16

I'm not certain if this is a bug or if I need to change a setting somewhere. My actual need is the interoperability of these two implementations. More specifically, I'm trying to pass the ciphertext and auth tag from the node.js implementation to this CryptoSwift code:

    guard let tag = Data(base64Encoded: "LgqWVXwFrTfE2d/nquvsCg==")?.bytes,
            let ct = Data(base64Encoded: "NHvJrsXYmiVeE8VO")?.bytes else { return }
      let dgcm = GCM(iv: iv.bytes, authenticationTag: tag, additionalAuthenticatedData: aad, mode: .detached)

      let daes = try AES(key: key.bytes, blockMode: dgcm, padding: .pkcs7)
      var decryptor = try daes.makeDecryptor()
      var decrypted = try decryptor.update(withBytes: ct)
      decrypted.append(contentsOf: try decryptor.finish())

      print("decrypted:", String(data: Data(decrypted), encoding: .utf8) ?? "Decoding failed")

output: decrypted: He

It seems like it's still expecting the tag to be appended to the end of the ciphertext or something to that effect.

(I'm using the update()/finish() methods here because I expect to use this with large files)

[knightcode]

CryptoKit version:

    guard let key = Data(base64Encoded: "hLbInPgDomkaXyl4M/5Vu8kJ7XSSHLJSNJFAXraMkVI="),
          let iv = Data(base64Encoded: "vOOEV2pG/geYWezALcfVt2b1NG18+HnIzjca9c7FhXY=") else {
      return
    }
    let message = Data("Hello World\n".utf8)
    let aad = Data(hex: "6165b598c98a2f096d00017b")

    do {
      let skey = SymmetricKey(data: key)
      let nonce = try CryptoKit.AES.GCM.Nonce(data: iv)
      let box = try CryptoKit.AES.GCM.seal(message, using: skey, nonce: nonce, authenticating: aad)
      let d = box.ciphertext
      print("cipher: \(d.base64EncodedString()) length: \(d.count) tag: \(box.tag.base64EncodedString()) len: \(box.tag.count)")
    } catch {
      print("error with cryptokit: \(error)")
    }

output: cipher: NHvJrsXYmiVeE8VO length: 12 tag: LgqWVXwFrTfE2d/nquvsCg== len: 16

It matches the Node.js output

[knightcode]

Any update on this? If it wasn't clear, the CryptoKit version isn't an option for me since, afaik, it doesn't support streamed data with any kind of update()/finish() API. I added it to further the argument that CryptoSwift is not conforming to other implementations, and it seems like it should. @krzyzanowskim

[torfstack]

Did you get an update on this?

It seems to me that your node.js and cryptokit implementations do not use pkcs7 padding, as their output length is not divisible by 16, the block length of AES. Your implemention using CryptoSwift does use pkcs7 padding.