[njs] WebCrypto: fixed importKey() for AES-* keys.
Dmitry Volyntsev
xeioex at nginx.com
Thu Jan 5 04:42:38 UTC 2023
details: https://hg.nginx.org/njs/rev/02aa50753dc1
branches:
changeset: 2017:02aa50753dc1
user: Dmitry Volyntsev <xeioex at nginx.com>
date: Thu Dec 29 20:39:29 2022 -0800
description:
WebCrypto: fixed importKey() for AES-* keys.
Previously, key of of any length were accepted, whereas according to the
spec only 128, 192 and 256 bits are allowed.
diffstat:
external/njs_webcrypto_module.c | 16 +++++++++++++++-
test/webcrypto/aes.t.js | 3 +++
2 files changed, 18 insertions(+), 1 deletions(-)
diffs (55 lines):
diff -r 5fc0aa4a4e72 -r 02aa50753dc1 external/njs_webcrypto_module.c
--- a/external/njs_webcrypto_module.c Thu Dec 15 13:04:46 2022 +0100
+++ b/external/njs_webcrypto_module.c Thu Dec 29 20:39:29 2022 -0800
@@ -1840,11 +1840,25 @@ njs_ext_import_key(njs_vm_t *vm, njs_val
goto fail;
}
- /* Fall through. */
+ key->raw = key_data;
+ break;
case NJS_ALGORITHM_AES_GCM:
case NJS_ALGORITHM_AES_CTR:
case NJS_ALGORITHM_AES_CBC:
+ switch (key_data.length) {
+ case 16:
+ case 24:
+ case 32:
+ break;
+
+ default:
+ njs_type_error(vm, "Invalid key length");
+ goto fail;
+ }
+
+ /* Fall through. */
+
case NJS_ALGORITHM_PBKDF2:
case NJS_ALGORITHM_HKDF:
key->raw = key_data;
diff -r 5fc0aa4a4e72 -r 02aa50753dc1 test/webcrypto/aes.t.js
--- a/test/webcrypto/aes.t.js Thu Dec 15 13:04:46 2022 +0100
+++ b/test/webcrypto/aes.t.js Thu Dec 29 20:39:29 2022 -0800
@@ -65,6 +65,7 @@ let aes_tsuite = {
{ name: "AES-GCM", data: "aabbcc", tagLength: 96 },
{ name: "AES-GCM", data: "aabbcc", tagLength: 112 },
{ name: "AES-GCM", data: "aabbcc", tagLength: 113, exception: "TypeError: AES-GCM Invalid tagLength" },
+ { name: "AES-GCM", data: "aabbcc", key: "aabbcc", exception: "TypeError: Invalid key length" },
{ name: "AES-GCM", data: "aabbccdd".repeat(4096) },
{ name: "AES-CTR", data: "aa" },
@@ -85,11 +86,13 @@ let aes_tsuite = {
{ name: "AES-CTR", data: "aabbccdd".repeat(4096), length: 24 },
{ name: "AES-CTR", data: "aabbccdd", length: 129,
exception: "TypeError: AES-CTR algorithm.length must be between 1 and 128" },
+ { name: "AES-CTR", data: "aabbcc", key: "aabbcc", exception: "TypeError: Invalid key length" },
{ name: "AES-CBC", data: "aa" },
{ name: "AES-CBC", data: "aabbccdd".repeat(4) },
{ name: "AES-CBC", data: "aabbccdd".repeat(4096) },
{ name: "AES-CBC", data: "aabbccdd".repeat(5), iv: "ffffffffffffffffffffffffffffffff" },
+ { name: "AES-CBC", data: "aabbcc", key: "aabbcc", exception: "TypeError: Invalid key length" },
]};
run([aes_tsuite])
More information about the nginx-devel
mailing list