Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto.createDecipheriv for aes-128-cbc does not regard setAutoPadding == false #55713

Closed
chrisbald opened this issue Nov 4, 2024 · 4 comments
Closed

crypto.createDecipheriv for aes-128-cbc does not regard setAutoPadding == false #55713

chrisbald opened this issue Nov 4, 2024 · 4 comments
Labels
crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers.

Comments

@chrisbald
Copy link

chrisbald commented Nov 4, 2024
edited by tniessen
Loading

Version

v22.11.0

Platform

Microsoft Windows NT 10.0.19045.0 x64

Subsystem

No response

What steps will reproduce the bug?

import crypto from 'crypto';

const key = Buffer.from('a907507c8b1cf3c0bb2bc1cec426cf69', 'hex');
const iv  = Buffer.from('8c5821332e6f1cf089dbb78c380c9248', 'hex');
const encryptedData = Buffer.from('a9e727b3658f252faeaf5d125a95c1c299fe6532c103b56fe633423bb78a25cb8f66e930aaacc40f04c3ae94183cbfbeb09ab9c952f97d8a5ea055ed304aac07', 'hex');

const decipher = crypto.createDecipheriv('aes-128-cbc', key, iv);
decipher.setAutoPadding = false;

const dec_1 = decipher.update(encryptedData);
const dec_2 = decipher.final();

console.log(`Input length: ${encryptedData.length}; Output length: ${dec_1.length + dec_2.length}`);

console.log('Expected: 4CAD87E30752820F213E64F9492167456D5F02C4518D4BB7ADF291A7F8EAC6FEB352781CF8AD7DF0DEC19B06B6DE98BA92A0FD3BAE72B448520D6E5807153901');
console.log('Result:   ' + dec_1.toString('hex').toUpperCase() + dec_2.toString('hex').toUpperCase());

How often does it reproduce? Is there a required condition?

always

What is the expected behavior? Why is that the expected behavior?

With decipher.setAutoPadding = false; it should be possible to disable padding.
It is expected that the decrypted block in the example does have the same length than the input block.

What do you see instead?

The decrypted block misses 1 byte (0x01) at the end.

Additional information

No response
@preveen-stack preveen-stack added the windows Issues and PRs related to the Windows platform. label Nov 4, 2024
@StefanStojanovic StefanStojanovic added crypto Issues and PRs related to the crypto subsystem. and removed windows Issues and PRs related to the Windows platform. labels Nov 4, 2024
@StefanStojanovic
Copy link
Contributor

I've removed the windows label since the same issue appears when running that code on Linux. Added 'crypto` instead. This is the output I got on Linux:

Input length: 64; Output length: 63
Expected: 4CAD87E30752820F213E64F9492167456D5F02C4518D4BB7ADF291A7F8EAC6FEB352781CF8AD7DF0DEC19B06B6DE98BA92A0FD3BAE72B448520D6E5807153901
Result:   4CAD87E30752820F213E64F9492167456D5F02C4518D4BB7ADF291A7F8EAC6FEB352781CF8AD7DF0DEC19B06B6DE98BA92A0FD3BAE72B448520D6E58071539

@tniessen tniessen added the question Issues that look for answers. label Nov 4, 2024
@tniessen
Copy link
Member

tniessen commented Nov 4, 2024

This is expected. You are not actually calling setAutoPadding(false) but overwriting the function-valued property with the constant false, which has no documented effect. If you actually call setAutoPadding(false) instead, you should be able to disable padding.

@chrisbald
Copy link
Author

Yep, that was my fault.
Sorry for the trouble and thanks for the clarification.

@tniessen
Copy link
Member

tniessen commented Nov 4, 2024

No worries, JavaScript is a horrible language and unfortunately permits this kind of mistake way too easily.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
crypto Issues and PRs related to the crypto subsystem. question Issues that look for answers.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@tniessen @StefanStojanovic @preveen-stack @chrisbald