diff options
| author | Sam Roberts <vieuxtech@gmail.com> | 2019-03-07 11:03:06 -0800 |
|---|---|---|
| committer | Sam Roberts <vieuxtech@gmail.com> | 2019-03-11 11:49:16 -0700 |
| commit | 8f93c08346e416734d9e822c6a8c505c6c108eea (patch) | |
| tree | 98cb4ee6d92ecddcc0e7dd30cea32dbdfa4f8f85 /test/parallel/test-crypto-authenticated.js | |
| parent | 06879aafee892deaf4f58747d1f087a265790492 (diff) | |
| download | android-node-v8-8f93c08346e416734d9e822c6a8c505c6c108eea.tar.gz android-node-v8-8f93c08346e416734d9e822c6a8c505c6c108eea.tar.bz2 android-node-v8-8f93c08346e416734d9e822c6a8c505c6c108eea.zip | |
crypto: check for invalid chacha20-poly1305 IVs
IV lengths of 13, 14, 15, and 16 are invalid, but are not checked by
OpenSSL. IV lengths of 17 or greater are also invalid, but they
were already checked by OpenSSL.
See:
- https://github.com/openssl/openssl/commit/f426625b6a
- https://www.openssl.org/news/secadv/20190306.txt
PR-URL: https://github.com/nodejs/node/pull/26537
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Diffstat (limited to 'test/parallel/test-crypto-authenticated.js')
| -rw-r--r-- | test/parallel/test-crypto-authenticated.js | 48 |
1 files changed, 48 insertions, 0 deletions
diff --git a/test/parallel/test-crypto-authenticated.js b/test/parallel/test-crypto-authenticated.js index c1abf12b8b..8be7296c69 100644 --- a/test/parallel/test-crypto-authenticated.js +++ b/test/parallel/test-crypto-authenticated.js @@ -616,3 +616,51 @@ for (const test of TEST_CASES) { assert(plain.equals(plaintext)); } } + + +// Test chacha20-poly1305 rejects invalid IV lengths of 13, 14, 15, and 16 (a +// length of 17 or greater was already rejected). +// - https://www.openssl.org/news/secadv/20190306.txt +{ + // Valid extracted from TEST_CASES, check that it detects IV tampering. + const valid = { + algo: 'chacha20-poly1305', + key: '808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f', + iv: '070000004041424344454647', + plain: '4c616469657320616e642047656e746c656d656e206f662074686520636c6173' + + '73206f66202739393a204966204920636f756c64206f6666657220796f75206f' + + '6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73' + + '637265656e20776f756c642062652069742e', + plainIsHex: true, + aad: '50515253c0c1c2c3c4c5c6c7', + ct: 'd31a8d34648e60db7b86afbc53ef7ec2a4aded51296e08fea9e2b5' + + 'a736ee62d63dbea45e8ca9671282fafb69da92728b1a71de0a9e06' + + '0b2905d6a5b67ecd3b3692ddbd7f2d778b8c9803aee328091b58fa' + + 'b324e4fad675945585808b4831d7bc3ff4def08e4b7a9de576d265' + + '86cec64b6116', + tag: '1ae10b594f09e26a7e902ecbd0600691', + tampered: false, + }; + + // Invalid IV lengths should be detected: + // - 12 and below are valid. + // - 13-16 are not detected as invalid by some OpenSSL versions. + check(13); + check(14); + check(15); + check(16); + // - 17 and above were always detected as invalid by OpenSSL. + check(17); + + function check(ivLength) { + const prefix = ivLength - valid.iv.length / 2; + assert.throws(() => crypto.createCipheriv( + valid.algo, + Buffer.from(valid.key, 'hex'), + Buffer.from(H(prefix) + valid.iv, 'hex'), + { authTagLength: valid.tag.length / 2 } + ), errMessages.length, `iv length ${ivLength} was not rejected`); + + function H(length) { return '00'.repeat(length); } + } +} |