Comments (13)
To decrypt, you need to use createDecipheriv() instead of createCipheriv(). You then need to call decipher.setAuthTag() with the correct authentication tag, which you can obtain from the original cipher after encryption as cipher.getAuthTag().
from help.
it does absolutely the same if i use createDecipheriv().
So decryption works without AuthTag and the issue is relevant.
i have changed the code for your convenience.
from help.
@tniessen please test it out because it's a critical security issue.
from help.
@egorbeliy In Node.js 22, I am seeing this error when running your code:
Uncaught Error: Unsupported state or unable to authenticate data
at Decipheriv.final (node:internal/crypto/cipher:184:29)
at decrypt (REPL14:4:70)
from help.
But for me it works well, is node version the same?
tsc aes-issue.ts
node aes-issue.js
Feel free to check the video PoC https://drive.google.com/file/d/1HRQW7toSjHuPTrF4b6s5XoS1Kb1msSzM/view?usp=sharing
from help.
- Node.js 21 is not supported anymore, so instead please test with Node.js 20 or Node.js 22.
- If there is a difference in behavior across versions of Node.js, it is likely due to differences in behavior across versions of OpenSSL. Since much of the node:crypto module is a thin wrapper around OpenSSL, we generally don't provide stronger security guarantees than OpenSSL. In other words, if this issue exists in a supported version of Node.js, it will be necessary to demonstrate that the issue does not also exist in OpenSSL.
- If you are right and this is a security issue, then this was reported in violation of our security policies.
from help.
so i got the same behaviour on v20 and v22.
Basically i got your point, you won't check it.
thanks.
from help.
@egorbeliy Alright, I'll give it another try. Here's the code I am using (main.mjs):
import { createCipheriv, createDecipheriv, randomBytes } from 'node:crypto';

const algorithm = 'aes-256-gcm';
const keyHex = '9b25a4b717d0c827c926565758b99b89a24f83c03a6a8319fb0fc809787ae929';
const ivHex = 'ded281917f01b9d5f0a5abce';
const key = Buffer.from(keyHex, 'hex');
const iv = Buffer.from(ivHex, 'hex');

const encrypt = (text) => {
  const cipher = createCipheriv(algorithm, key, iv);
  const start = cipher.update(text, 'utf8');
  const end = cipher.final();
  return Buffer.concat([start, end]).toString('base64');
};
const encrypted = encrypt('testValue');
console.assert(encrypted === 'njvgROnsKdsG');
console.log('encrypted ---- ', encrypted);

const decrypt = (encrypted) => {
  const buffer = Buffer.from(encrypted, 'base64');
  const decipher = createDecipheriv(algorithm, key, iv);
  const decrypted = Buffer.concat([decipher.update(buffer), decipher.final()]);
  return decrypted.toString('utf8');
};

const decrypted = decrypt(encrypted);
console.log('decrypted ---- ', decrypted);
Here's what happens in Node.js 22.3.0 on Linux 6.1.92-1-MANJARO:
$ cat package.json
{
"dependencies": {
"typescript": "^5.5.3"
}
}
$ node -v
v22.3.0
$ node -p process.versions.openssl
3.3.1
$ node main.mjs
encrypted ---- njvgROnsKdsG
node:internal/crypto/cipher:184
const ret = this[kHandle].final();
^
Error: Unsupported state or unable to authenticate data
at Decipheriv.final (node:internal/crypto/cipher:184:29)
at decrypt (file:///home/tniessen/testgcm/main.mjs:22:70)
at file:///home/tniessen/testgcm/main.mjs:26:19
at ModuleJob.run (node:internal/modules/esm/module_job:262:25)
at async ModuleLoader.import (node:internal/modules/esm/loader:474:24)
at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:109:5)
Node.js v22.3.0
Here's what happens in Node.js 22.1.0 on Windows 10:
encrypted ---- njvgROnsKdsG
node:internal/crypto/cipher:184
const ret = this[kHandle].final();
^
Error: Unsupported state or unable to authenticate data
at Decipheriv.final (node:internal/crypto/cipher:184:29)
at decrypt (file:///C:/Users/Tobias/main.mjs:22:70)
at file:///C:/Users/Tobias/main.mjs:26:19
at ModuleJob.run (node:internal/modules/esm/module_job:262:25)
at async ModuleLoader.import (node:internal/modules/esm/loader:474:24)
at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:119:5)
Node.js v22.1.0
Here's what happens in Node.js 20.15.0 on Linux 6.5.0-1022-azure:
$ node main.mjs
encrypted ---- njvgROnsKdsG
node:internal/crypto/cipher:193
const ret = this[kHandle].final();
^
Error: Unsupported state or unable to authenticate data
at Decipheriv.final (node:internal/crypto/cipher:193:29)
at decrypt (file:///home/tniessen/dev/dblp/main.mjs:22:70)
at file:///home/tniessen/dev/dblp/main.mjs:26:19
at ModuleJob.run (node:internal/modules/esm/module_job:222:25)
at async ModuleLoader.import (node:internal/modules/esm/loader:316:24)
at async asyncRunEntryPointWithESMLoader (node:internal/modules/run_main:123:5)
Node.js v20.15.0
Could you please test the code I provided above to avoid any dependency on third-party tools, such as typescript?
from help.
don't see the reason to test your code, coz i've reported the bug with my own.
thanks for your help.
from help.
@egorbeliy I was trying to help. If you don't want to debug this issue together, there is not much I can do for you.
from help.
don't see the reason to test your code, coz i've reported the bug with my own.
thanks for your help.
Also, please note that @tniessen's code is nearly identical to yours, so any discrepancies between your execution and his will help to debug and address the issue (as @tniessen said).
This information is crucial in the process of this issue, and without it, there's not much that can be done to help.
from help.
Hey @egorbeliy, I see you closed the issue. If you've resolved the issue, could you let us know how, so that anyone with this problem in the future can have an easier time resolving?
from help.
hi @RedYetiDev.
The issue was using createCipheriv() to encrypt and decrypt.
Thanks a lot @tniessen.
from help.
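The resolution above, together with the first comment's setAuthTag()/getAuthTag() advice, as an added example that is not code from any participant in this thread: it shows why running AES-GCM ciphertext through createCipheriv() appears to decrypt while skipping authentication, next to the form that rejects a modified message. The helper names (sealGcm, openGcm, misuseOpen, demo) and the iv || tag || ciphertext layout are assumptions of this example.

```javascript
const { createCipheriv, createDecipheriv, randomBytes } = require('node:crypto');

const ALGORITHM = 'aes-256-gcm';
const IV_LEN = 12;  // 96-bit nonce; must never repeat under the same key
const TAG_LEN = 16; // 128-bit authentication tag

// Hypothetical helper. Layout iv || tag || ciphertext is this example's choice.
function sealGcm(key, plaintext) {
  const iv = randomBytes(IV_LEN);
  const cipher = createCipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LEN });
  const body = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
  return Buffer.concat([iv, cipher.getAuthTag(), body]);
}

// Correct decryption: createDecipheriv() plus setAuthTag(); final() throws on mismatch.
function openGcm(key, sealed) {
  if (sealed.length < IV_LEN + TAG_LEN) throw new Error('message too short');
  const iv = sealed.subarray(0, IV_LEN);
  const tag = sealed.subarray(IV_LEN, IV_LEN + TAG_LEN);
  const decipher = createDecipheriv(ALGORITHM, key, iv, { authTagLength: TAG_LEN });
  decipher.setAuthTag(tag);
  const body = sealed.subarray(IV_LEN + TAG_LEN);
  return Buffer.concat([decipher.update(body), decipher.final()]).toString('utf8');
}

// The thread's mistake: running ciphertext through createCipheriv() again. GCM
// encrypts with a CTR keystream, so the XOR returns the plaintext, but nothing
// verifies the tag.
function misuseOpen(key, sealed) {
  const iv = sealed.subarray(0, IV_LEN);
  const cipher = createCipheriv(ALGORITHM, key, iv);
  const body = sealed.subarray(IV_LEN + TAG_LEN);
  return Buffer.concat([cipher.update(body), cipher.final()]).toString('utf8');
}

function demo() {
  const key = randomBytes(32);
  const sealed = sealGcm(key, 'testValue'); // constructed sample input
  const tampered = Buffer.from(sealed);
  tampered[IV_LEN + TAG_LEN] ^= 0x01; // flip one bit in the first ciphertext byte
  let rejected = false;
  try { openGcm(key, tampered); } catch { rejected = true; }
  return {
    roundTrip: openGcm(key, sealed),
    misuseRoundTrip: misuseOpen(key, sealed),
    tamperedRejected: rejected,
    misuseOnTampered: misuseOpen(key, tampered), // 'uestValue', accepted silently
  };
}
console.log(demo());
```

A code review or lint check for this pattern can look for createCipheriv() calls on a GCM algorithm whose input is received data, and for createDecipheriv() calls with no matching setAuthTag().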