Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

v16.20.0 proposal #47272

Merged
merged 23 commits into from
Mar 29, 2023
+49,462 −62,278
Merged

v16.20.0 proposal #47272

Changes from 1 commit
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
908c4df
test: mark test-crypto-key-objects flaky on Linux
richardlau Feb 16, 2023
1913b67
deps: update corepack to 0.15.2
nodejs-github-bot Nov 27, 2022
a467782
deps: update corepack to 0.15.3
nodejs-github-bot Jan 2, 2023
748bc96
deps: update corepack to 0.16.0
nodejs-github-bot Feb 18, 2023
962a747
deps: update corepack to 0.17.0
nodejs-github-bot Feb 26, 2023
6a01d39
src: add support for externally shared js builtins
mhdawson Aug 24, 2022
7af9bdb
deps: upgrade npm to 8.19.4
npm-cli-bot Feb 15, 2023
088e9cd
test: add WPTRunner support for variants and generating WPT reports
panva Feb 3, 2023
0d1485b
test: fix default WPT titles
panva Feb 22, 2023
cf76d07
test: fix WPT title when no META title is present
panva Feb 25, 2023
fc47d58
test: remove cjs loader from stack traces
GeoffreyBooth Aug 14, 2022
56cbc7f
deps: V8: cherry-pick c2792e58035f
gengjiawen Oct 14, 2022
768e562
tools: make `utils.SearchFiles` deterministic
brjsp Oct 4, 2022
efe1be4
test: skip test depending on `overlapped-checker` when not available
aduh95 Oct 15, 2022
809371a
module: require.resolve.paths returns null with node schema
fossamagna Nov 20, 2022
4617512
crypto: ensure auth tag set for chacha20-poly1305
bnoordhuis Jan 14, 2023
de6dd67
crypto: avoid hang when no algorithm available
richardlau Jan 19, 2023
b4ebe6d
deps: update c-ares to 1.19.0
targos Feb 1, 2023
85f88c6
deps: V8: cherry-pick 90be99fab31c
targos Feb 20, 2023
2497216
deps: update undici to 5.20.0
nodejs-github-bot Feb 18, 2023
086bb2f
Revert "src: let http2 streams end after session close"
Trott Feb 21, 2023
d081032
test: fix test-net-connect-reset-until-connected
batrla Feb 25, 2023
6fd13be
2023-03-29, Version 16.20.0 'Gallium' (LTS)
BethGriggs Mar 27, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
crypto: ensure auth tag set for chacha20-poly1305 
Because OpenSSL v1.x doesn't do that by itself (OpenSSL v3.x does.)

Fixes: #45874
PR-URL: #46185
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@bnoordhuis @BethGriggs
bnoordhuis authored and BethGriggs committed Mar 27, 2023
commit 46175127884e749c3f3591de20384b6e337706c6
8 changes: 8 additions & 0 deletions src/crypto/crypto_cipher.cc
View file
Original file line number Diff line number Diff line change
@@ -898,6 +898,14 @@ bool CipherBase::Final(std::unique_ptr<BackingStore>* out) {
if (kind_ == kDecipher && IsSupportedAuthenticatedMode(ctx_.get()))
MaybePassAuthTagToOpenSSL();

// OpenSSL v1.x doesn't verify the presence of the auth tag so do
// it ourselves, see https://github.com/nodejs/node/issues/45874.
if (OPENSSL_VERSION_NUMBER < 0x30000000L && kind_ == kDecipher &&
NID_chacha20_poly1305 == EVP_CIPHER_CTX_nid(ctx_.get()) &&
auth_tag_state_ != kAuthTagPassedToOpenSSL) {
return false;
}

// In CCM mode, final() only checks whether authentication failed in update().
// EVP_CipherFinal_ex must not be called and will fail.
bool ok;
31 changes: 31 additions & 0 deletions test/parallel/test-crypto-authenticated.js
View file
Original file line number Diff line number Diff line change
@@ -786,3 +786,34 @@ for (const test of TEST_CASES) {
assert.strictEqual(plaintext.toString('hex'), testCase.plain);
}
}

// https://github.com/nodejs/node/issues/45874
{
const rfcTestCases = TEST_CASES.filter(({ algo, tampered }) => {
return algo === 'chacha20-poly1305' && tampered === false;
});
assert.strictEqual(rfcTestCases.length, 1);

const [testCase] = rfcTestCases;
const key = Buffer.from(testCase.key, 'hex');
const iv = Buffer.from(testCase.iv, 'hex');
const aad = Buffer.from(testCase.aad, 'hex');
const opt = { authTagLength: 16 };

const cipher = crypto.createCipheriv('chacha20-poly1305', key, iv, opt);
const ciphertext = Buffer.concat([
cipher.setAAD(aad).update(testCase.plain, 'hex'),
cipher.final(),
]);
const authTag = cipher.getAuthTag();

assert.strictEqual(ciphertext.toString('hex'), testCase.ct);
assert.strictEqual(authTag.toString('hex'), testCase.tag);

const decipher = crypto.createDecipheriv('chacha20-poly1305', key, iv, opt);
decipher.setAAD(aad).update(ciphertext);

assert.throws(() => {
decipher.final();
}, /Unsupported state or unable to authenticate data/);
}