crypto: fail early if passphrase is too long · nodejs/node@73bca57 (original) (raw)
3 files changed
lines changed
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1826,6 +1826,9 @@ Creates and returns a new key object containing a private key. If `key` is a | ||
| 1826 | 1826 | string or `Buffer`, `format` is assumed to be `'pem'`; otherwise, `key` |
| 1827 | 1827 | must be an object with the properties described above. |
| 1828 | 1828 | |
| 1829 | +If the private key is encrypted, a `passphrase` must be specified. The length | |
| 1830 | +of the passphrase is limited to 1024 bytes. | |
| 1831 | + | |
| 1829 | 1832 | ### crypto.createPublicKey(key) |
| 1830 | 1833 | <!-- YAML |
| 1831 | 1834 | added: v11.6.0 |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -189,7 +189,8 @@ static int PasswordCallback(char* buf, int size, int rwflag, void* u) { | ||
| 189 | 189 | if (passphrase != nullptr) { |
| 190 | 190 | size_t buflen = static_cast<size_t>(size); |
| 191 | 191 | size_t len = strlen(passphrase); |
| 192 | - len = len > buflen ? buflen : len; | |
| 192 | +if (buflen < len) | |
| 193 | +return -1; | |
| 193 | 194 | memcpy(buf, passphrase, len); |
| 194 | 195 | return len; |
| 195 | 196 | } |
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -230,6 +230,27 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem', | ||
| 230 | 230 | message: 'Passphrase required for encrypted key' |
| 231 | 231 | }); |
| 232 | 232 | |
| 233 | +// Reading an encrypted key with a passphrase that exceeds OpenSSL's buffer | |
| 234 | +// size limit should fail with an appropriate error code. | |
| 235 | +common.expectsError(() => createPrivateKey({ | |
| 236 | +key: privateDsa, | |
| 237 | +format: 'pem', | |
| 238 | +passphrase: Buffer.alloc(1025, 'a') | |
| 239 | +}), { | |
| 240 | +code: 'ERR_OSSL_PEM_BAD_PASSWORD_READ', | |
| 241 | +type: Error | |
| 242 | +}); | |
| 243 | + | |
| 244 | +// The buffer has a size of 1024 bytes, so this passphrase should be permitted | |
| 245 | +// (but will fail decryption). | |
| 246 | +common.expectsError(() => createPrivateKey({ | |
| 247 | +key: privateDsa, | |
| 248 | +format: 'pem', | |
| 249 | +passphrase: Buffer.alloc(1024, 'a') | |
| 250 | +}), { | |
| 251 | +message: /bad decrypt/ | |
| 252 | +}); | |
| 253 | + | |
| 233 | 254 | const publicKey = createPublicKey(publicDsa); |
| 234 | 255 | assert.strictEqual(publicKey.type, 'public'); |
| 235 | 256 | assert.strictEqual(publicKey.asymmetricKeyType, 'dsa'); |