From 9d1a45024f744bb3a5008c5015d715a38fb1dec1 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Mon, 10 Feb 2020 20:16:36 +0100 Subject: [PATCH 01/13] Fix jshint window / global warning. --- src/core.js | 2 ++ 1 file changed, 2 insertions(+) diff --git a/src/core.js b/src/core.js index 9b52388..50678ad 100644 --- a/src/core.js +++ b/src/core.js @@ -1,3 +1,5 @@ +/*globals window, global*/ + /** * CryptoJS core components. */ From 3b4c51fc42fb51ba5b702cf0de93da8f82f7b2b7 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Mon, 10 Feb 2020 20:20:52 +0100 Subject: [PATCH 02/13] Update jshint config for arrow functions in grunt task. --- .jshintrc | 62 +++++++++++++++++++-------------------- grunt/tasks/modularize.js | 1 + package.json | 2 +- 3 files changed, 33 insertions(+), 32 deletions(-) diff --git a/.jshintrc b/.jshintrc index 7672d3a..72c2b12 100644 --- a/.jshintrc +++ b/.jshintrc 
@@ -1,33 +1,33 @@ { - "bitwise" : false, // Prohibits the use of bitwise operators (not confuse & with &&) - "curly" : true, // Requires to always put curly braces around blocks in loops and conditionals - "eqeqeq" : false, // Prohibits the use of == and != in favor of === and !== - "eqnull" : true, // Suppresses warnings about == null comparisons - "immed" : true, // Requires immediate invocations to be wrapped in parens e.g. `(function () { } ());` - "latedef" : true, // Prohibits the use of a variable before it was defined - "newcap" : false, // Requires to capitalize names of constructor functions - "noarg" : true, // Prohibits the use of arguments.caller and arguments.callee - "strict" : false, // Requires all functions to run in ECMAScript 5's strict mode - "undef" : true, // Require non-global variables to be declared (prevents global leaks) - "asi" : true, // Suppresses warnings about missing semicolons - "funcscope" : false, - "shadow" : true, - "expr" : true, - "-W041" : true, - "-W018" : true, - "globals": { - "CryptoJS" : true, - "escape" : true, - "unescape" : true, - "Int8Array" : true, - "Int16Array" : true, - "Int32Array" : true, - "Uint8Array" : true, - "Uint16Array" : true, - "Uint32Array" : true, - "Uint8ClampedArray" : true, - "ArrayBuffer" : true, - "Float32Array" : true, - "Float64Array" : true - } + "bitwise": false, // Prohibits the use of bitwise operators (not confuse & with &&) + "curly": true, // Requires to always put curly braces around blocks in loops and conditionals + "eqeqeq": false, // Prohibits the use of == and != in favor of === and !== + "eqnull": true, // Suppresses warnings about == null comparisons + "immed": true, // Requires immediate invocations to be wrapped in parens e.g. 
`(function () { } ());` + "latedef": false, // Prohibits the use of a variable before it was defined + "newcap": false, // Requires to capitalize names of constructor functions + "noarg": true, // Prohibits the use of arguments.caller and arguments.callee + "strict": false, // Requires all functions to run in ECMAScript 5's strict mode + "undef": true, // Require non-global variables to be declared (prevents global leaks) + "asi": true, // Suppresses warnings about missing semicolons + "funcscope": false, + "shadow": true, + "expr": true, + "-W041": true, + "-W018": true, + "globals": { + "CryptoJS": true, + "escape": true, + "unescape": true, + "Int8Array": true, + "Int16Array": true, + "Int32Array": true, + "Uint8Array": true, + "Uint16Array": true, + "Uint32Array": true, + "Uint8ClampedArray": true, + "ArrayBuffer": true, + "Float32Array": true, + "Float64Array": true + } } diff --git a/grunt/tasks/modularize.js b/grunt/tasks/modularize.js index 6432ba7..0fc3b46 100644 --- a/grunt/tasks/modularize.js +++ b/grunt/tasks/modularize.js @@ -1,4 +1,5 @@ /*jshint node: true*/ +/*jshint esversion: 6*/ var _ = require("lodash"), diff --git a/package.json b/package.json index c05efb5..6be41db 100644 --- a/package.json +++ b/package.json @@ -28,7 +28,7 @@ "grunt-cli": "^1.3.2", "grunt-contrib-clean": "^0.6.0", "grunt-contrib-copy": "^0.6.0", - "grunt-contrib-jshint": "^0.10.0", + "grunt-contrib-jshint": "^2.1.0", "grunt-jsonlint": "^1.0.4", "grunt-update-json": "^0.2.0", "load-grunt-config": "^0.16.0", From e4ac157d8b75b962d6538fc0b996e5d4d5a9466b Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 11:11:04 +0100 Subject: [PATCH 03/13] Do not convert into float number. --- src/core.js | 14 ++++++-------- 1 file changed, 6 insertions(+), 8 deletions(-) diff --git a/src/core.js b/src/core.js index 50678ad..6f90c42 100644 --- a/src/core.js +++ b/src/core.js 
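Review bot: `latedef` flips from `true` to `false` in the `.jshintrc` hunk, inside what is otherwise a whitespace-only realignment, and the commit subject mentions only arrow functions. That switches off use-before-definition warnings, presumably for every file linted with this config, including the crypto sources. If the goal was only to tolerate hoisted function declarations, `"latedef": "nofunc"` keeps the check for variables. Otherwise give the reason in the commit message or make the flip its own commit so it is not lost in the reformat.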
@@ -10,14 +10,13 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { * * As Math.random() is cryptographically not safe to use */ - var secureRandom = function () { + var cryptoSecureRandomInt = function () { // Native crypto module on NodeJS environment try { - // Crypto from global object - var crypto = global.crypto; + // Native rypto from global object or import via require + var crypto = global.crypto || require('crypto'); - // Create a random float number between 0 and 1 - return Number('0.' + crypto.randomBytes(3).readUIntBE(0, 3)); + return crypto.randomBytes(4).readInt32LE(); } catch (err) {} // Native crypto module in Browser environment @@ -25,8 +24,7 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { // Support experimental crypto module in IE 11 var crypto = window.crypto || window.msCrypto; - // Create a random float number between 0 and 1 - return Number('0.' + window.crypto.getRandomValues(new Uint32Array(1))[0]); + return (crypto.getRandomValues(new Uint32Array(1))[0]) | 1; } catch (err) {} throw new Error('Native crypto module could not be used to get secure random number.'); @@ -321,7 +319,7 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { var words = []; for (var i = 0; i < nBytes; i += 4) { - words.push((secureRandom() * 0x100000000) | 0); + words.push((cryptoSecureRandomInt()); } return new WordArray.init(words, nBytes); From 7e2710a14c46cbae97f5fda305a5f670fc377c9d Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 14:20:30 +0100 Subject: [PATCH 04/13] Fix typo in comment. --- src/core.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core.js b/src/core.js index 6f90c42..109cbd7 100644 --- a/src/core.js +++ b/src/core.js 
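Review bot: The empty `catch (err) {}` around the NodeJS branch in the `@@ -10,14 +10,13 @@` hunk discards the reason the native call failed, so the final `throw new Error('Native crypto module could not be used to get secure random number.')` cannot say whether the module was missing or the call itself threw. Failing closed instead of falling back to `Math.random()` is the right behaviour; keep the cause as well, e.g. `} catch (err) { lastError = err; }`, and append `lastError.message` to the thrown text when it is set. The same empty catches recur in the PATCH 07, 09 and 10 hunks. cryptoSecureRandomInt ends in the next hunk, not this one.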
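Review bot: In the `@@ -25,8 +24,7 @@` hunk the browser branch returns `(crypto.getRandomValues(new Uint32Array(1))[0]) | 1`, and `| 1` forces the lowest bit of every word to 1. One bit in each 32 is therefore constant in everything built from these words; the `@@ -321,7 +319,7 @@` hunk pushes them straight into the WordArray. The NodeJS branch returns the full `readInt32LE()` range, so the two environments also disagree. If the intent was only to coerce to a signed 32-bit value, `| 0` does that without fixing any bit: `return crypto.getRandomValues(new Uint32Array(1))[0] | 0;`.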
@@ -13,7 +13,7 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { var cryptoSecureRandomInt = function () { // Native crypto module on NodeJS environment try { - // Native rypto from global object or import via require + // Native crypto from global object or import via require var crypto = global.crypto || require('crypto'); return crypto.randomBytes(4).readInt32LE(); From 8623234c1527f1e1bc6984e975e1d14ba5f86799 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 14:22:23 +0100 Subject: [PATCH 05/13] Fix syntax typo. --- src/core.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core.js b/src/core.js index 109cbd7..02ac9dc 100644 --- a/src/core.js +++ b/src/core.js @@ -319,7 +319,7 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { var words = []; for (var i = 0; i < nBytes; i += 4) { - words.push((cryptoSecureRandomInt()); + words.push(cryptoSecureRandomInt()); } return new WordArray.init(words, nBytes); From 0241952f572d5343d40848f17d045aa4e42ec553 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 16:04:04 +0100 Subject: [PATCH 06/13] Remove the `| 1` left over from the previous float number operation. --- src/core.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/core.js b/src/core.js index 02ac9dc..c97925b 100644 --- a/src/core.js +++ b/src/core.js @@ -24,7 +24,7 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { // Support experimental crypto module in IE 11 var crypto = window.crypto || window.msCrypto; - return (crypto.getRandomValues(new Uint32Array(1))[0]) | 1; + return crypto.getRandomValues(new Uint32Array(1))[0]; } catch (err) {} throw new Error('Native crypto module could not be used to get secure random number.'); From 20b827da1b70e68180e3fc055a0e1ee43b06843a Mon Sep 17 00:00:00 2001 
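Review bot: With `| 1` removed and nothing put in its place (PATCH 06, `@@ -24,7 +24,7 @@`), the browser branch now returns an unsigned value in 0..0xFFFFFFFF while the NodeJS branch still returns a signed one from `readInt32LE()`. The line this series replaced normalised each word with `| 0`, so other code in core.js may expect signed words; that code is not visible here. Filling a signed array keeps all 32 random bits and makes both branches agree: `return crypto.getRandomValues(new Int32Array(1))[0];`.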
From: evanvosberg
Date: Tue, 11 Feb 2020 16:13:21 +0100
Subject: [PATCH 07/13] Do not simply try catch, cheack availabilty instead.
---
 src/core.js | 43 ++++++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 9 deletions(-)
diff --git a/src/core.js b/src/core.js
index c97925b..6bfec9b 100644
--- a/src/core.js
+++ b/src/core.js
@@ -11,22 +11,47 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { * As Math.random() is cryptographically not safe to use */ var cryptoSecureRandomInt = function () { - // Native crypto module on NodeJS environment - try { - // Native crypto from global object or import via require - var crypto = global.crypto || require('crypto'); + var crypto; - return crypto.randomBytes(4).readInt32LE(); + // Native crypto module in Browser environment + try { + if (typeof window !== 'undefined') { + if (window.crypto) { + // Support experimental crypto module in IE 11 + crypto = window.crypto; + } else if (window.msCrypto) { + // Support experimental crypto module in IE 11 + crypto = window.msCrypto; + } + } } catch (err) {} - // Native crypto module in Browser environment + // Native crypto module on NodeJS environment try { - // Support experimental crypto module in IE 11 - var crypto = window.crypto || window.msCrypto; + if (typeof global !== 'undefined' && global.crypto) { + // Native crypto from global + crypto = global.crypto; + } else if (typeof require === 'function') { + // Native crypto import via require + crypto = require('crypto'); + } - return crypto.getRandomValues(new Uint32Array(1))[0]; } catch (err) {} + // Use getRandomValues method + if (crypto && typeof crypto.getRandomValues === 'function') { + try { + return crypto.getRandomValues(new Uint32Array(1))[0]; + } catch (err) {} + } + + // Use randomBytes method + if (crypto && typeof crypto.randomBytes === 'function') { + try { + return crypto.randomBytes(4).readInt32LE(); + } catch (err) {} + } + throw new Error('Native crypto module could not be used to get secure random number.'); }; From 3cbd6c102047abd55f53ccb88d2334d1528ac49f Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 16:15:25 +0100 Subject: [PATCH 08/13] Update comment. --- src/core.js | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/core.js b/src/core.js index 6bfec9b..cb21eb1 100644 
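Review bot: The NodeJS block in this hunk assigns `crypto` unconditionally, so it overrides a `window.crypto` or `window.msCrypto` picked just above whenever `global.crypto` is set or `require` is a function (which may be the case in bundled browser code). The generator would then use whatever `require('crypto')` returns instead of the browser's native source. If that object has neither method, the function throws although a usable source was found. Guard both arms, e.g. `if (!crypto && typeof global !== 'undefined' && global.crypto) {` and `} else if (!crypto && typeof require === 'function') {`. PATCH 10 later in this series adds guards of that kind.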
--- a/src/core.js +++ b/src/core.js @@ -17,7 +17,7 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { try { if (typeof window !== 'undefined') { if (window.crypto) { - // Support experimental crypto module in IE 11 + // Use global crypto module crypto = window.crypto; } else if (window.msCrypto) { // Support experimental crypto module in IE 11 @@ -35,7 +35,6 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { // Native crypto import via require crypto = require('crypto'); } - } catch (err) {} // Use getRandomValues method From 4d5da7a916caf52b60b8561f5b35421e9d53f5a2 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 19:33:21 +0100 Subject: [PATCH 09/13] Just one if to check whether crypto is defined. --- src/core.js | 24 +++++++++++++----------- 1 file changed, 13 insertions(+), 11 deletions(-) diff --git a/src/core.js b/src/core.js index cb21eb1..e9a32f3 100644 --- a/src/core.js +++ b/src/core.js @@ -37,18 +37,20 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { } } catch (err) {} - // Use getRandomValues method - if (crypto && typeof crypto.getRandomValues === 'function') { - try { - return crypto.getRandomValues(new Uint32Array(1))[0]; - } catch (err) {} - } + if (crypto) { + // Use getRandomValues method + if (typeof crypto.getRandomValues === 'function') { + try { + return crypto.getRandomValues(new Uint32Array(1))[0]; + } catch (err) {} + } - // Use randomBytes method - if (crypto && typeof crypto.randomBytes === 'function') { - try { - return crypto.randomBytes(4).readInt32LE(); - } catch (err) {} + // Use randomBytes method + if (typeof crypto.randomBytes === 'function') { + try { + return crypto.randomBytes(4).readInt32LE(); + } catch (err) {} + } } throw new Error('Native crypto module could not be used to get secure random number.'); From ac288621445018e187e9433c295e2c0ce5367637 Mon Sep 17 00:00:00 2001 
From: evanvosberg Date: Tue, 11 Feb 2020 19:40:46 +0100 Subject: [PATCH 10/13] Reduce try catch statements. --- src/core.js | 48 +++++++++++++++++++++++------------------------- 1 file changed, 23 insertions(+), 25 deletions(-) diff --git a/src/core.js b/src/core.js index e9a32f3..9e0950f 100644 --- a/src/core.js +++ b/src/core.js @@ -1,4 +1,4 @@ -/*globals window, global*/ +/*globals window, global, require*/ /** * CryptoJS core components. 
@@ -13,39 +13,37 @@ var CryptoJS = CryptoJS || (function (Math, undefined) { var cryptoSecureRandomInt = function () { var crypto; - // Native crypto module in Browser environment - try { - if (typeof window !== 'undefined') { - if (window.crypto) { - // Use global crypto module - crypto = window.crypto; - } else if (window.msCrypto) { - // Support experimental crypto module in IE 11 - crypto = window.msCrypto; - } - } - } catch (err) {} - - // Native crypto module on NodeJS environment - try { - if (typeof global !== 'undefined' && global.crypto) { - // Native crypto from global - crypto = global.crypto; - } else if (typeof require === 'function') { - // Native crypto import via require + // Native crypto from window (Browser) + if (typeof window !== 'undefined' && window.crypto) { + crypto = window.crypto; + } + + // Native (experimental IE 11) crypto from window (Browser) + if (!crypto && typeof window !== 'undefined' && window.msCrypto) { + crypto = window.msCrypto; + } + + // Native crypto from global (NodeJS) + if (!crypto && typeof global !== 'undefined' && global.crypto) { + crypto = global.crypto; + } + + // Native crypto import via require (NodeJS) + if (!crypto && typeof require === 'function') { + try { crypto = require('crypto'); - } - } catch (err) {} + } catch (err) {} + } if (crypto) { - // Use getRandomValues method + // Use getRandomValues method (Browser) if (typeof crypto.getRandomValues === 'function') { try { return crypto.getRandomValues(new Uint32Array(1))[0]; } catch (err) {} } - // Use randomBytes method + // Use randomBytes method (NodeJS) if (typeof crypto.randomBytes === 'function') { try { return crypto.randomBytes(4).readInt32LE(); From 7f809c93bd9264d7031d8e629dcc8b9ec3ecc432 Mon Sep 17 00:00:00 2001 
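Review bot: Selection in the `@@ -13,39 +13,37 @@` hunk stops at the first truthy object rather than the first usable one. If `window.crypto` exists but has no `getRandomValues`, the `!crypto` guards skip `window.msCrypto`, `global.crypto` and `require('crypto')`, and the function throws even though a working source may be present. The failure is closed, so this costs availability rather than randomness quality. Test the capability where the object is chosen, e.g. `if (typeof window !== 'undefined' && window.crypto && typeof window.crypto.getRandomValues === 'function') {`. PATCH 11 moves the same block to closure scope unchanged, and the end of cryptoSecureRandomInt lies outside this hunk.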
From: evanvosberg Date: Tue, 11 Feb 2020 19:58:59 +0100 Subject: [PATCH 11/13] Do not run the detect native crypto module for every cryptoSecureRandomInt call. --- src/core.js | 48 ++++++++++++++++++++++++------------------------ 1 file changed, 24 insertions(+), 24 deletions(-) diff --git a/src/core.js b/src/core.js index 9e0950f..8ba28ed 100644 --- a/src/core.js +++ b/src/core.js @@ -5,36 +5,36 @@ */ var CryptoJS = CryptoJS || (function (Math, undefined) { + var crypto; + + // Native crypto from window (Browser) + if (typeof window !== 'undefined' && window.crypto) { + crypto = window.crypto; + } + + // Native (experimental IE 11) crypto from window (Browser) + if (!crypto && typeof window !== 'undefined' && window.msCrypto) { + crypto = window.msCrypto; + } + + // Native crypto from global (NodeJS) + if (!crypto && typeof global !== 'undefined' && global.crypto) { + crypto = global.crypto; + } + + // Native crypto import via require (NodeJS) + if (!crypto && typeof require === 'function') { + try { + crypto = require('crypto'); + } catch (err) {} + } + /* * Cryptographically secure pseudorandom number generator * * As Math.random() is cryptographically not safe to use */ var cryptoSecureRandomInt = function () { - var crypto; - - // Native crypto from window (Browser) - if (typeof window !== 'undefined' && window.crypto) { - crypto = window.crypto; - } - - // Native (experimental IE 11) crypto from window (Browser) - if (!crypto && typeof window !== 'undefined' && window.msCrypto) { - crypto = window.msCrypto; - } - - // Native crypto from global (NodeJS) - if (!crypto && typeof global !== 'undefined' && global.crypto) { - crypto = global.crypto; - } - - // Native crypto import via require (NodeJS) - if (!crypto && typeof require === 'function') { - try { - crypto = require('crypto'); - } catch (err) {} - } - if (crypto) { // Use getRandomValues method (Browser) if (typeof crypto.getRandomValues === 'function') { 
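Review bot: The detection block this hunk moves to closure scope carries no comment saying that the source is now resolved once, when core.js is loaded, so a `crypto` object installed afterwards (a polyfill, for instance) is never picked up. A one-line header would record that and the precedence, e.g. `// Resolved once at load: window.crypto, window.msCrypto, global.crypto, then require('crypto').` The existing block comment stays on cryptoSecureRandomInt, whose body continues outside this hunk.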
From 409ae7696ff0329765d080476dea76813ea21605 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 22:25:00 +0100 Subject: [PATCH 12/13] Bump version. --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index 6be41db..6e9bfe2 100644 --- a/package.json +++ b/package.json @@ -2,7 +2,7 @@ "name": "crypto-js", "title": "crypto-js", "description": "JavaScript library of crypto standards.", - "version": "3.2.0", + "version": "3.2.1", "homepage": "http://github.com/brix/crypto-js", "author": { "name": "Evan Vosberg", From 78bde5f9f38895dd5761fb0465b84f79db169645 Mon Sep 17 00:00:00 2001 From: evanvosberg Date: Tue, 11 Feb 2020 22:49:50 +0100 Subject: [PATCH 13/13] Add release notes. --- README.md | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/README.md b/README.md index bccfad7..93d9477 100644 --- a/README.md +++ b/README.md @@ -208,3 +208,28 @@ console.log(decryptedData); // [{id: 1}, {id: 2}] - ```crypto-js/pad-iso97971``` - ```crypto-js/pad-zeropadding``` - ```crypto-js/pad-nopadding``` + + +## Release notes + +### 3.2.1 + +The usage of the native crypto module has been fixed. The import and access of the native crypto module has been improved. + +### 3.2.0 + +In this version `Math.random()` has been replaced by the random methods of the native crypto module. + +For this reason CryptoJS might does not run in some JavaScript environments without native crypto module. Such as IE 10 or before. + +If it's absolute required to run CryptoJS in such an environment, stay with `3.1.x` version. Encrypting and decrypting stays compatible. But keep in mind `3.1.x` versions still use `Math.random()` which is cryptographically not secure, as it's not random enough. + +This version came along with `CRITICAL` `BUG`. + +DO NOT USE THIS VERSION! Please, go for a newer version! + +### 3.1.x + +The `3.1.x` are based on the original CryptoJS, wrapped in CommonJS modules. + +