crypto: disable ciphers not supported by EVP (!43532) · Merge requests · Rodrigo Test / Test Group-nodejs / node

Rodrigo Muino Tomonari requested to merge github/fork/AdamMajer/cipher_blacklist into main Jun 22, 2022

OpenSSL lists certain ciphers as not conforming with the standard EVP AEAD interface and these ciphers should be avoided,

aes-128-cbc-hmac-sha1
aes-128-cbc-hmac-sha256
aes-256-cbc-hmac-sha1
aes-256-cbc-hmac-sha256

While experimenting with these, the cipher text produced by Node for aes-128-cbc-hmac-sha1 does not differ from cipher text produced by aes-128-cbc meaning that the HMAC is not automatically taken into account. Since there is no facility to set the HMAC key in Node, it's best to have these disabled when using crypto.Cipher as all usage is wrong by definition.

Fixes: https://github.com/nodejs/node/issues/43040 Reference: https://www.openssl.org/docs/man1.1.1/man3/EVP_aes_128_cbc_hmac_sha1.html

Admin message

Admin message

crypto: disable ciphers not supported by EVP

Merge request reports