authorTobias Nießen <tniessen@tnie.de>2018-09-18 14:14:50 +0200
committerTobias Nießen <tniessen@tnie.de>2018-09-21 11:40:35 +0200
commit058c5b81cdbabe8989a194ba5d388f4c230f4af6 (patch)
tree0ddb8aebf76c79696c5af68d19d9cd9fb6f68d79 /src
parent56493bf1ebfab3ec102fe017f30fa4f81ba6a256 (diff)
crypto: do not allow multiple calls to setAuthTag
Calling setAuthTag multiple times can result in hard-to-detect bugs, since it is unclear to the user which invocation actually affected OpenSSL. PR-URL: https://github.com/nodejs/node/pull/22931 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ujjwal Sharma <usharma1998@gmail.com>
Diffstat (limited to 'src')
-rw-r--r--src/node_crypto.cc7
1 files changed, 2 insertions, 5 deletions
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 47e0ba5349..4cf3ac5652 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -2894,14 +2894,11 @@ void CipherBase::SetAuthTag(const FunctionCallbackInfo<Value>& args) {
if (!cipher->ctx_ ||
!cipher->IsAuthenticatedMode() ||
- cipher->kind_ != kDecipher) {
+ cipher->kind_ != kDecipher ||
+ cipher->auth_tag_state_ != kAuthTagUnknown) {
return args.GetReturnValue().Set(false);
}
- // TODO(tniessen): Throw if the authentication tag has already been set.
- if (cipher->auth_tag_state_ == kAuthTagPassedToOpenSSL)
- return args.GetReturnValue().Set(true);
-
unsigned int tag_len = Buffer::Length(args[0]);
const int mode = EVP_CIPHER_CTX_mode(cipher->ctx_.get());
bool is_valid;
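Review bot: The extended guard in `CipherBase::SetAuthTag` folds four unrelated rejection reasons (no context, non-authenticated mode, not a decipher, tag already set) into one `false` return, and the removed TODO's intent to throw is not visibly carried over, so a caller cannot tell a repeated call from a wrong-mode call. Because the tag is the value the integrity check is verified against, I would document the new condition above the `if`, for example `// Only the first tag is accepted; a later call must not replace the tag that will be verified.` The check also relies on `auth_tag_state_` leaving `kAuthTagUnknown` once a tag has been stored, which happens outside this hunk. Presumably a tag rejected by the length validation leaves the state unchanged so the caller can retry with a valid one, which is worth confirming and covering with a test. The function body starts before and continues past the hunk.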