1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: throw on invalid authentication tag length

Browse Source 
Refs: https://github.com/nodejs/node/issues/17523

PR-URL: https://github.com/nodejs/node/pull/17825
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
This commit is contained in:
Tobias Nießen 2017-12-22 18:51:33 +01:00 committed by James M Snell
parent 2b0825e77f
commit d81a7b4baa
2 changed files with 16 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/node_crypto.cc
View File

@ -2912,11 +2912,10 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo<Value>& args) {
const int mode = EVP_CIPHER_CTX_mode(cipher->ctx_); const int mode = EVP_CIPHER_CTX_mode(cipher->ctx_);
if (mode == EVP_CIPH_GCM_MODE) { if (mode == EVP_CIPH_GCM_MODE) {
if (tag_len > 16 || (tag_len < 12 && tag_len != 8 && tag_len != 4)) { if (tag_len > 16 || (tag_len < 12 && tag_len != 8 && tag_len != 4)) {
char msg[125]; char msg[50];
snprintf(msg, sizeof(msg), snprintf(msg, sizeof(msg),
"Permitting authentication tag lengths of %u bytes is deprecated. " "Invalid GCM authentication tag length: %u", tag_len);
"Valid GCM tag lengths are 4, 8, 12, 13, 14, 15, 16.", tag_len); return cipher->env()->ThrowError(msg);
ProcessEmitDeprecationWarning(cipher->env(), msg, "DEP0090");
} }
} }

22
test/parallel/test-crypto-authenticated.js
View File

@ -534,13 +534,8 @@ const expectedWarnings = common.hasFipsCrypto ?
['Use Cipheriv for counter mode of aes-256-ccm', common.noWarnCode] ['Use Cipheriv for counter mode of aes-256-ccm', common.noWarnCode]
]; ];
const expectedDeprecationWarnings = [0, 1, 2, 6, 9, 10, 11, 17] const expectedDeprecationWarnings = ['crypto.DEFAULT_ENCODING is deprecated.',
.map((i) => [`Permitting authentication tag lengths of ${i} bytes is ` + 'DEP0091'];
'deprecated. Valid GCM tag lengths are 4, 8, 12, 13, 14, 15, 16.',
'DEP0090']);
expectedDeprecationWarnings.push(['crypto.DEFAULT_ENCODING is deprecated.',
'DEP0091']);
common.expectWarning({ common.expectWarning({
Warning: expectedWarnings, Warning: expectedWarnings,
@ -719,13 +714,18 @@ for (const test of TEST_CASES) {
} }
// GCM only supports specific authentication tag lengths, invalid lengths should // GCM only supports specific authentication tag lengths, invalid lengths should
// produce warnings. // throw.
{ {
for (const length of [0, 1, 2, 4, 6, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17]) { for (const length of [0, 1, 2, 6, 9, 10, 11, 17]) {
const decrypt = crypto.createDecipheriv('aes-256-gcm', common.expectsError(() => {
'FxLKsqdmv0E9xrQhp0b1ZgI0K7JFZJM8', const decrypt = crypto.createDecipheriv('aes-128-gcm',
'FxLKsqdmv0E9xrQh',
'qkuZpJWCewa6Szih'); 'qkuZpJWCewa6Szih');
decrypt.setAuthTag(Buffer.from('1'.repeat(length))); decrypt.setAuthTag(Buffer.from('1'.repeat(length)));
}, {
type: Error,
message: `Invalid GCM authentication tag length: ${length}`
});
} }
} }