Skip to content

Commit

Permalink
crypto: restrict PBKDF2 args to signed int
Browse files Browse the repository at this point in the history
OpenSSL internally represents the output length and the iteration count
as signed integers, which is why node's C++ implementation expects these
arguments to fit into signed integers as well. The JavaScript validation
logic, however, only requires the arguments to be unsigned 32-bit
integers, which is a superset of non-negative (signed) 32-bit integers.

Change the JavaScript validation to match the expectation within C++.

Fixes: #44570
PR-URL: #44575
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com>
  • Loading branch information
tniessen authored and RafaelGSS committed Sep 26, 2022
1 parent eaa675d commit 26f25c9
Show file tree
Hide file tree
Showing 2 changed files with 7 additions and 4 deletions.
7 changes: 5 additions & 2 deletions lib/internal/crypto/pbkdf2.js
Original file line number Diff line number Diff line change
Expand Up @@ -15,6 +15,7 @@ const {

const {
validateFunction,
validateInt32,
validateInteger,
validateString,
validateUint32,
Expand Down Expand Up @@ -91,8 +92,10 @@ function check(password, salt, iterations, keylen, digest) {

password = getArrayBufferOrView(password, 'password');
salt = getArrayBufferOrView(salt, 'salt');
validateUint32(iterations, 'iterations', true);
validateUint32(keylen, 'keylen');
// OpenSSL uses a signed int to represent these values, so we are restricted
// to the 31-bit range here (which is plenty).
validateInt32(iterations, 'iterations', 1);
validateInt32(keylen, 'keylen', 0);

return { password, salt, iterations, keylen, digest };
}
Expand Down
4 changes: 2 additions & 2 deletions test/parallel/test-crypto-pbkdf2.js
Original file line number Diff line number Diff line change
Expand Up @@ -63,7 +63,7 @@ assert.throws(
}
);

for (const iterations of [-1, 0]) {
for (const iterations of [-1, 0, 2147483648]) {
assert.throws(
() => crypto.pbkdf2Sync('password', 'salt', iterations, 20, 'sha1'),
{
Expand Down Expand Up @@ -98,7 +98,7 @@ for (const iterations of [-1, 0]) {
});
});

[-1, 4294967297].forEach((input) => {
[-1, 2147483648, 4294967296].forEach((input) => {
assert.throws(
() => {
crypto.pbkdf2('password', 'salt', 1, input, 'sha256',
Expand Down

0 comments on commit 26f25c9

Please sign in to comment.