@ronomon/crypto-async - npm Package Compare versions

Comparing version 4.0.0 to 5.0.0

common.js

@@ -74,12 +74,2 @@ const Node = {
     var ivSize = algorithm.ivSize;
-    if (aead) {
-      ivSize = Math.ceil(random() * algorithm.ivSize);
-      // For ChaCha20-Poly1305, GCM and OCB, all with 12-byte IVs, this can
-      // test the upper limit of 16-bytes, 16-bytes and 15-bytes respectively:
-      // We disabled this test when it discovered the ChaCha20-Poly1305 CVE.
-      // Our binding now prohibits more than 96-bits for any of these ciphers.
-      // if (algorithm.ivSize === 12 && random() < 0.5) {
-      //   ivSize += (/-ocb$/i.test(algorithm.name) ? 3 : 4);
-      // }
-    }
     var sourceSize = randomSize();
@@ -86,0 +76,0 @@ var targetSize = sourceSize + CIPHER_BLOCK_MAX;

package.json

 {
   "name": "@ronomon/crypto-async",
-  "version": "4.0.0",
+  "version": "5.0.0",
   "description": "Fast, reliable cipher, hash and hmac methods executed in Node's threadpool for multi-core throughput.",
@@ -5,0 +5,0 @@ "main": "index.js",

README.md

@@ -481,3 +481,3 @@ # @ronomon/crypto-async
 
-* [CVE-2019-1543: chacha20-poly1305 fails to detect IV tampering, where IV > 12 and IV <= CHACHA_CTR_SIZE](https://github.com/openssl/openssl/issues/8345)
+* [CVE-2019-1543: chacha20-poly1305 fails to detect IV tampering, where IV > 12 and IV <= CHACHA_CTR_SIZE](https://www.openssl.org/news/secadv/20190306.txt)
 
@@ -484,0 +484,0 @@ * [EVP_CTRL_AEAD_SET_TAG fails for OCB](https://github.com/openssl/openssl/issues/8331)

test.js

@@ -328,24 +328,22 @@ var assert = require('assert');
         ]);
-        if (method === 'cipher' && key === 'keySize') {
-          check('E_KEY_INVALID', [0, algorithm.keySize - 1]);
-        }
-        if (key === 'ivSize') {
-          check('E_IV_INVALID', [0]);
-          if (algorithm.tagSize === 0) {
-            check('E_IV_INVALID', [algorithm.ivSize - 1]);
+        if (method === 'cipher') {
+          if (key === 'keySize') {
+            check('E_KEY_INVALID', [0, algorithm.keySize - 1]);
           }
-        }
-        if (key === 'aadSize') {
-          if (algorithm.tagSize === 0) {
-            check('E_AAD_INVALID', [2]);
+          if (key === 'ivSize') {
+            check('E_IV_INVALID', [0, algorithm.ivSize - 1]);
           }
-        }
-        if (key === 'tagSize') {
-          if (algorithm.tagSize) {
-            check('E_TAG_INVALID', [0]);
-          } else {
-            check('E_TAG_INVALID', [1]);
+          if (key === 'aadSize') {
+            if (algorithm.tagSize === 0) {
+              check('E_AAD_INVALID', [2]);
+            }
           }
+          if (key === 'tagSize') {
+            if (algorithm.tagSize) {
+              check('E_TAG_INVALID', [0]);
+            } else {
+              check('E_TAG_INVALID', [1]);
+            }
+          }
         }
-        return;
       }
@@ -352,0 +350,0 @@ }

Fixed alerts

Major refactor

Supply chain risk

Package has recently undergone a major refactor. It may be unstable or indicate significant internal changes. Use caution when updating to versions that include significant changes.

Found 1 instance in 1 package

Improved metrics

Number of medium supply chain risk alerts

1

decreased by-50%

Worsened metrics

Total package byte prevSize

99109

decreased by-1.62%

Lines of code

1369

decreased by-0.87%

No dependency changes