The issue involves a specific edge case in AES-CCM mode handling that requires crypto expertise.
The issue occurs when using `cipher.update()` with a zero-length ArrayBufferView in AES-CCM mode, causing an unexpected exception. The fix likely involves modifying the CCM mode handling in the crypto module to properly handle this edge case, similar to how AES-GCM handles it. The main blocker is the need for deep understanding of both Node.js crypto internals and CCM mode specifics.
v25.8.1
Darwin Mac 25.3.0 Darwin Kernel Version 25.3.0: Wed Jan 28 20:56:42 PST 2026; root:xnu-12377.91.3~2/RELEASE_ARM64_T8142 arm64
crypto
import crypto from "node:crypto";
const key = crypto.randomBytes(16);
const nonce = crypto.randomBytes(13);
const ccm = crypto.createCipheriv("aes-128-ccm", key, nonce, { authTagLength: 16 });
ccm.setAAD(Buffer.alloc(0), { plaintextLength: 0 });
ccm.update(new DataView(new ArrayBuffer(0)));
ccm.final();
Happens on AES-CCM but not AES-GCM
The expected behavior is not to receive an exception because it is effectively a no-op. This is also a different behavior between CCM and GCM.
Error: error:1C800077:Provider routines::tag not set
at Cipheriv.final (node:internal/crypto/cipher:170:29)
at [eval]:10:5
at [eval]:11:4
at runScriptInThisContext (node:internal/vm:219:10)
at node:internal/process/execution:451:12
at [eval]-wrapper:6:24
at runScriptInContext (node:internal/process/execution:449:60)
at evalFunction (node:internal/process/execution:283:30)
at evalTypeScript (node:internal/process/execution:295:3)
at node:internal/main/eval_string:71:3 {
opensslErrorStack: [ 'error:1C800077:Provider routines::tag not set' ],
library: 'Provider routines',
reason: 'tag not set',
code: 'ERR_OSSL_TAG_NOT_SET'
}
I maintain a cryptography library for Gleam (which can compile to JS). This case popped up in my property-based testing.
Claim this issue to let others know you're working on it. You'll earn 20 points when you complete it!