[v6.x backport] src: turn key length exception into CHECK #16585
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
`crypto.createCipher()` sets the fixed IV derived from password and it leads to a security risk of nonce reuse when counter mode is used. A warning is emitted when CTR, GCM or CCM is used in `crypto.createCipher()` to notify users to avoid nonce reuse. Fixes: nodejs#13801 PR-URL: nodejs#13821 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
The previous commit is a back-port of pull request nodejs#13821 to v6.x. Its regression test does not apply to the v6.x branch (depends on semver-major pull request nodejs#9405) so this commit adds a new test. Refs: nodejs#13821 Refs: nodejs#9405
EVP_CIPHER_CTX_FLAG_WRAP_ALLOW flag needs to be set in using wrap mode ciphers. In `crypto.createCipher()`, AES key wrap mode does not use a default IV defined in RFC3394 but a generated IV with `EVP_BytesToKey()` to be consistent API behaviors with other ciphers. The built-in AES wrap mode in OpenSSL is not supported in FIPS mode as http://openssl.6102.n7.nabble.com/AES-Key-Wrap-in-FIPS-Mode-td50238.html so its tests in FIPS mode are skipped. Fixes: nodejs#15009 PR-URL: nodejs#15037 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com>
This exception can logically never happen because of the key stretching that takes place first. Failure must therefore be a bug in Node.js and not in the executing script. PR-URL: nodejs#15183 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
nodejs-github-bot
added
c++
MylesBorins
pushed a commit
that referenced
this pull request
Nov 14, 2017
This exception can logically never happen because of the key stretching that takes place first. Failure must therefore be a bug in Node.js and not in the executing script. Backport-PR-URL: #16585 PR-URL: #15183 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
|
landed in 8b70ad1 |
MylesBorins
pushed a commit
that referenced
this pull request
Nov 21, 2017
This exception can logically never happen because of the key stretching that takes place first. Failure must therefore be a bug in Node.js and not in the executing script. Backport-PR-URL: #16585 PR-URL: #15183 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Nov 28, 2017
This exception can logically never happen because of the key stretching that takes place first. Failure must therefore be a bug in Node.js and not in the executing script. Backport-PR-URL: #16585 PR-URL: #15183 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
#15183
Depends on #16584, which should land first.
https://ci.nodejs.org/job/node-test-pull-request/11069/