[njs] WebCrypto: fixed importKey() for AES-* keys.

Dmitry Volyntsev xeioex at nginx.com
Thu Jan 5 04:42:38 UTC 2023


details:   https://hg.nginx.org/njs/rev/02aa50753dc1
branches:  
changeset: 2017:02aa50753dc1
user:      Dmitry Volyntsev <xeioex at nginx.com>
date:      Thu Dec 29 20:39:29 2022 -0800
description:
WebCrypto: fixed importKey() for AES-* keys.

Previously, key of of any length were accepted, whereas according to the
spec only 128, 192 and 256 bits are allowed.

diffstat:

 external/njs_webcrypto_module.c |  16 +++++++++++++++-
 test/webcrypto/aes.t.js         |   3 +++
 2 files changed, 18 insertions(+), 1 deletions(-)

diffs (55 lines):

diff -r 5fc0aa4a4e72 -r 02aa50753dc1 external/njs_webcrypto_module.c
--- a/external/njs_webcrypto_module.c	Thu Dec 15 13:04:46 2022 +0100
+++ b/external/njs_webcrypto_module.c	Thu Dec 29 20:39:29 2022 -0800
@@ -1840,11 +1840,25 @@ njs_ext_import_key(njs_vm_t *vm, njs_val
             goto fail;
         }
 
-        /* Fall through. */
+        key->raw = key_data;
+        break;
 
     case NJS_ALGORITHM_AES_GCM:
     case NJS_ALGORITHM_AES_CTR:
     case NJS_ALGORITHM_AES_CBC:
+        switch (key_data.length) {
+        case 16:
+        case 24:
+        case 32:
+            break;
+
+        default:
+            njs_type_error(vm, "Invalid key length");
+            goto fail;
+        }
+
+        /* Fall through. */
+
     case NJS_ALGORITHM_PBKDF2:
     case NJS_ALGORITHM_HKDF:
         key->raw = key_data;
diff -r 5fc0aa4a4e72 -r 02aa50753dc1 test/webcrypto/aes.t.js
--- a/test/webcrypto/aes.t.js	Thu Dec 15 13:04:46 2022 +0100
+++ b/test/webcrypto/aes.t.js	Thu Dec 29 20:39:29 2022 -0800
@@ -65,6 +65,7 @@ let aes_tsuite = {
         { name: "AES-GCM", data: "aabbcc", tagLength: 96 },
         { name: "AES-GCM", data: "aabbcc", tagLength: 112 },
         { name: "AES-GCM", data: "aabbcc", tagLength: 113, exception: "TypeError: AES-GCM Invalid tagLength" },
+        { name: "AES-GCM", data: "aabbcc", key: "aabbcc", exception: "TypeError: Invalid key length" },
         { name: "AES-GCM", data: "aabbccdd".repeat(4096) },
 
         { name: "AES-CTR", data: "aa" },
@@ -85,11 +86,13 @@ let aes_tsuite = {
         { name: "AES-CTR", data: "aabbccdd".repeat(4096), length: 24 },
         { name: "AES-CTR", data: "aabbccdd", length: 129,
           exception: "TypeError: AES-CTR algorithm.length must be between 1 and 128" },
+        { name: "AES-CTR", data: "aabbcc", key: "aabbcc", exception: "TypeError: Invalid key length" },
 
         { name: "AES-CBC", data: "aa" },
         { name: "AES-CBC", data: "aabbccdd".repeat(4) },
         { name: "AES-CBC", data: "aabbccdd".repeat(4096) },
         { name: "AES-CBC", data: "aabbccdd".repeat(5), iv: "ffffffffffffffffffffffffffffffff" },
+        { name: "AES-CBC", data: "aabbcc", key: "aabbcc", exception: "TypeError: Invalid key length" },
 ]};
 
 run([aes_tsuite])


More information about the nginx-devel mailing list