Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: Add more keylen sanity checks in pbkdf2 #3029

Closed
wants to merge 1 commit into from

Conversation

johannhof
Copy link

issue #2987 makes the point that crypto.pbkdf2 should not fail silently
and accept invalid but numeric values like NaN and Infinity. We already
check if the keylen is lower than 0, so extending that to NaN and
Infinity should make sense.

Fixes: #2987

@johannhof
Copy link
Author

cc @bnoordhuis

@johannhof johannhof force-pushed the pbkdf2-fail-on-nan branch 2 times, most recently from b9eaa43 to d9d05fc Compare September 23, 2015 16:51
@bnoordhuis
Copy link
Member

@bnoordhuis
Copy link
Member

/cc @nodejs/collaborators - can I have one more LGTM?

@bnoordhuis bnoordhuis added confirmed-bug Issues with confirmed bugs. crypto Issues and PRs related to the crypto subsystem. labels Sep 23, 2015
crypto.pbkdf2('password', 'salt', 1, NaN, assert.fail);
});

// Should not work with NaN key length
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

s/NaN/negative/

@mscdex
Copy link
Contributor

mscdex commented Sep 23, 2015

One minor nit, otherwise LGTM

// Should not work with Infinity key length
assert.throws(function() {
crypto.pbkdf2('password', 'salt', 1, Infinity, assert.fail);
});
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Check at least the type of error.

@indutny
Copy link
Member

indutny commented Sep 23, 2015

LGTM, except nits from @thefourtheye

issue nodejs#2987 makes the point that crypto.pbkdf2 should not fail silently
and accept invalid but numeric values like NaN and Infinity. We already
check if the keylen is lower than 0, so extending that to NaN and
Infinity should make sense.

Fixes: nodejs#2987
@johannhof
Copy link
Author

@indutny @thefourtheye @mscdex @bnoordhuis Updated, thanks for the remarks :)

@thefourtheye
Copy link
Contributor

LGTM

@johannhof
Copy link
Author

@bnoordhuis wanna merge? :)

thefourtheye pushed a commit that referenced this pull request Sep 25, 2015
issue #2987 makes the point that crypto.pbkdf2 should not fail silently
and accept invalid but numeric values like NaN and Infinity. We already
check if the keylen is lower than 0, so extending that to NaN and
Infinity should make sense.

Fixes: #2987

PR-URL: #3029
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
@thefourtheye
Copy link
Contributor

Thanks @johannhof :-) Landed in 6df47d6

rvagg pushed a commit that referenced this pull request Sep 30, 2015
issue #2987 makes the point that crypto.pbkdf2 should not fail silently
and accept invalid but numeric values like NaN and Infinity. We already
check if the keylen is lower than 0, so extending that to NaN and
Infinity should make sense.

Fixes: #2987

PR-URL: #3029
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Brian White <mscdex@mscdex.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
This was referenced Sep 30, 2015
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
confirmed-bug Issues with confirmed bugs. crypto Issues and PRs related to the crypto subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants