mirror of
https://github.com/nodejs/node.git
synced 2024-11-21 10:59:27 +00:00
8bf7754538
OpenSSL internally represents the output length and the iteration count as signed integers, which is why node's C++ implementation expects these arguments to fit into signed integers as well. The JavaScript validation logic, however, only requires the arguments to be unsigned 32-bit integers, which is a superset of non-negative (signed) 32-bit integers. Change the JavaScript validation to match the expectation within C++. Fixes: https://github.com/nodejs/node/issues/44570 PR-URL: https://github.com/nodejs/node/pull/44575 Reviewed-By: Filip Skokan <panva.ip@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
242 lines
6.5 KiB
JavaScript
242 lines
6.5 KiB
JavaScript
'use strict';
|
|
const common = require('../common');
|
|
if (!common.hasCrypto)
|
|
common.skip('missing crypto');
|
|
|
|
const assert = require('assert');
|
|
const crypto = require('crypto');
|
|
|
|
function runPBKDF2(password, salt, iterations, keylen, hash) {
|
|
const syncResult =
|
|
crypto.pbkdf2Sync(password, salt, iterations, keylen, hash);
|
|
|
|
crypto.pbkdf2(password, salt, iterations, keylen, hash,
|
|
common.mustSucceed((asyncResult) => {
|
|
assert.deepStrictEqual(asyncResult, syncResult);
|
|
}));
|
|
|
|
return syncResult;
|
|
}
|
|
|
|
function testPBKDF2(password, salt, iterations, keylen, expected, encoding) {
|
|
const actual = runPBKDF2(password, salt, iterations, keylen, 'sha256');
|
|
assert.strictEqual(actual.toString(encoding || 'latin1'), expected);
|
|
}
|
|
|
|
//
|
|
// Test PBKDF2 with RFC 6070 test vectors (except #4)
|
|
//
|
|
|
|
testPBKDF2('password', 'salt', 1, 20,
|
|
'\x12\x0f\xb6\xcf\xfc\xf8\xb3\x2c\x43\xe7\x22\x52' +
|
|
'\x56\xc4\xf8\x37\xa8\x65\x48\xc9');
|
|
|
|
testPBKDF2('password', 'salt', 2, 20,
|
|
'\xae\x4d\x0c\x95\xaf\x6b\x46\xd3\x2d\x0a\xdf\xf9' +
|
|
'\x28\xf0\x6d\xd0\x2a\x30\x3f\x8e');
|
|
|
|
testPBKDF2('password', 'salt', 4096, 20,
|
|
'\xc5\xe4\x78\xd5\x92\x88\xc8\x41\xaa\x53\x0d\xb6' +
|
|
'\x84\x5c\x4c\x8d\x96\x28\x93\xa0');
|
|
|
|
testPBKDF2('passwordPASSWORDpassword',
|
|
'saltSALTsaltSALTsaltSALTsaltSALTsalt',
|
|
4096,
|
|
25,
|
|
'\x34\x8c\x89\xdb\xcb\xd3\x2b\x2f\x32\xd8\x14\xb8\x11' +
|
|
'\x6e\x84\xcf\x2b\x17\x34\x7e\xbc\x18\x00\x18\x1c');
|
|
|
|
testPBKDF2('pass\0word', 'sa\0lt', 4096, 16,
|
|
'\x89\xb6\x9d\x05\x16\xf8\x29\x89\x3c\x69\x62\x26\x65' +
|
|
'\x0a\x86\x87');
|
|
|
|
testPBKDF2('password', 'salt', 32, 32,
|
|
'64c486c55d30d4c5a079b8823b7d7cb37ff0556f537da8410233bcec330ed956',
|
|
'hex');
|
|
|
|
// Error path should not leak memory (check with valgrind).
|
|
assert.throws(
|
|
() => crypto.pbkdf2('password', 'salt', 1, 20, 'sha1'),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError'
|
|
}
|
|
);
|
|
|
|
for (const iterations of [-1, 0, 2147483648]) {
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('password', 'salt', iterations, 20, 'sha1'),
|
|
{
|
|
code: 'ERR_OUT_OF_RANGE',
|
|
name: 'RangeError',
|
|
}
|
|
);
|
|
}
|
|
|
|
['str', null, undefined, [], {}].forEach((notNumber) => {
|
|
assert.throws(
|
|
() => {
|
|
crypto.pbkdf2Sync('password', 'salt', 1, notNumber, 'sha256');
|
|
}, {
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
message: 'The "keylen" argument must be of type number.' +
|
|
`${common.invalidArgTypeHelper(notNumber)}`
|
|
});
|
|
});
|
|
|
|
[Infinity, -Infinity, NaN].forEach((input) => {
|
|
assert.throws(
|
|
() => {
|
|
crypto.pbkdf2('password', 'salt', 1, input, 'sha256',
|
|
common.mustNotCall());
|
|
}, {
|
|
code: 'ERR_OUT_OF_RANGE',
|
|
name: 'RangeError',
|
|
message: 'The value of "keylen" is out of range. It ' +
|
|
`must be an integer. Received ${input}`
|
|
});
|
|
});
|
|
|
|
[-1, 2147483648, 4294967296].forEach((input) => {
|
|
assert.throws(
|
|
() => {
|
|
crypto.pbkdf2('password', 'salt', 1, input, 'sha256',
|
|
common.mustNotCall());
|
|
}, {
|
|
code: 'ERR_OUT_OF_RANGE',
|
|
name: 'RangeError',
|
|
});
|
|
});
|
|
|
|
// Should not get FATAL ERROR with empty password and salt
|
|
// https://github.com/nodejs/node/issues/8571
|
|
crypto.pbkdf2('', '', 1, 32, 'sha256', common.mustSucceed());
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2('password', 'salt', 8, 8, common.mustNotCall()),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
message: 'The "digest" argument must be of type string. ' +
|
|
'Received undefined'
|
|
});
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('password', 'salt', 8, 8),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
message: 'The "digest" argument must be of type string. ' +
|
|
'Received undefined'
|
|
});
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('password', 'salt', 8, 8, null),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
message: 'The "digest" argument must be of type string. ' +
|
|
'Received null'
|
|
});
|
|
[1, {}, [], true, undefined, null].forEach((input) => {
|
|
assert.throws(
|
|
() => crypto.pbkdf2(input, 'salt', 8, 8, 'sha256', common.mustNotCall()),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
}
|
|
);
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2('pass', input, 8, 8, 'sha256', common.mustNotCall()),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
}
|
|
);
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync(input, 'salt', 8, 8, 'sha256'),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
}
|
|
);
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('pass', input, 8, 8, 'sha256'),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
}
|
|
);
|
|
});
|
|
|
|
['test', {}, [], true, undefined, null].forEach((i) => {
|
|
const received = common.invalidArgTypeHelper(i);
|
|
assert.throws(
|
|
() => crypto.pbkdf2('pass', 'salt', i, 8, 'sha256', common.mustNotCall()),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
message: `The "iterations" argument must be of type number.${received}`
|
|
}
|
|
);
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('pass', 'salt', i, 8, 'sha256'),
|
|
{
|
|
code: 'ERR_INVALID_ARG_TYPE',
|
|
name: 'TypeError',
|
|
message: `The "iterations" argument must be of type number.${received}`
|
|
}
|
|
);
|
|
});
|
|
|
|
// Any TypedArray should work for password and salt.
|
|
for (const SomeArray of [Uint8Array, Uint16Array, Uint32Array, Float32Array,
|
|
Float64Array, ArrayBuffer, SharedArrayBuffer]) {
|
|
runPBKDF2(new SomeArray(10), 'salt', 8, 8, 'sha256');
|
|
runPBKDF2('pass', new SomeArray(10), 8, 8, 'sha256');
|
|
}
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2('pass', 'salt', 8, 8, 'md55', common.mustNotCall()),
|
|
{
|
|
code: 'ERR_CRYPTO_INVALID_DIGEST',
|
|
name: 'TypeError',
|
|
message: 'Invalid digest: md55'
|
|
}
|
|
);
|
|
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('pass', 'salt', 8, 8, 'md55'),
|
|
{
|
|
code: 'ERR_CRYPTO_INVALID_DIGEST',
|
|
name: 'TypeError',
|
|
message: 'Invalid digest: md55'
|
|
}
|
|
);
|
|
|
|
if (!common.hasOpenSSL3) {
|
|
const kNotPBKDF2Supported = ['shake128', 'shake256'];
|
|
crypto.getHashes()
|
|
.filter((hash) => !kNotPBKDF2Supported.includes(hash))
|
|
.forEach((hash) => {
|
|
runPBKDF2(new Uint8Array(10), 'salt', 8, 8, hash);
|
|
});
|
|
}
|
|
|
|
{
|
|
// This should not crash.
|
|
assert.throws(
|
|
() => crypto.pbkdf2Sync('1', '2', 1, 1, '%'),
|
|
{
|
|
code: 'ERR_CRYPTO_INVALID_DIGEST',
|
|
name: 'TypeError',
|
|
message: 'Invalid digest: %'
|
|
}
|
|
);
|
|
}
|