Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: fail early if passphrase is too long #27010

Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 3 additions & 0 deletions doc/api/crypto.md
Original file line number Diff line number Diff line change
Expand Up @@ -1821,6 +1821,9 @@ Creates and returns a new key object containing a private key. If `key` is a
string or `Buffer`, `format` is assumed to be `'pem'`; otherwise, `key`
must be an object with the properties described above.

If the private key is encrypted, a `passphrase` must be specified. The length
of the passphrase is limited to 1024 bytes.

### crypto.createPublicKey(key)
<!-- YAML
added: v11.6.0
Expand Down
3 changes: 2 additions & 1 deletion src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -178,7 +178,8 @@ static int PasswordCallback(char* buf, int size, int rwflag, void* u) {
if (passphrase != nullptr) {
size_t buflen = static_cast<size_t>(size);
size_t len = strlen(passphrase);
len = len > buflen ? buflen : len;
if (buflen < len)
return -1;
memcpy(buf, passphrase, len);
return len;
}
Expand Down
21 changes: 21 additions & 0 deletions test/parallel/test-crypto-key-objects.js
Original file line number Diff line number Diff line change
Expand Up @@ -223,6 +223,27 @@ const privateDsa = fixtures.readKey('dsa_private_encrypted_1025.pem',
message: 'Passphrase required for encrypted key'
});

// Reading an encrypted key with a passphrase that exceeds OpenSSL's buffer
// size limit should fail with an appropriate error code.
common.expectsError(() => createPrivateKey({
key: privateDsa,
format: 'pem',
passphrase: Buffer.alloc(1025, 'a')
}), {
code: 'ERR_OSSL_PEM_BAD_PASSWORD_READ',
type: Error
});

// The buffer has a size of 1024 bytes, so this passphrase should be permitted
// (but will fail decryption).
common.expectsError(() => createPrivateKey({
key: privateDsa,
format: 'pem',
passphrase: Buffer.alloc(1024, 'a')
}), {
message: /bad decrypt/
});

const publicKey = createPublicKey(publicDsa);
assert.strictEqual(publicKey.type, 'public');
assert.strictEqual(publicKey.asymmetricKeyType, 'dsa');
Expand Down