http_ece - npm Package Compare versions

Comparing version 0.4.1 to 0.4.3

ece.js

@@ -17,2 +17,11 @@ 'use strict';
 
+var keylog;
+if (process.env.ECE_KEYLOG === '1') {
+  keylog = function(m, k) {
+    console.warn(m + ' [' + k.length + ']: ' + base64.encode(k));
+  };
+} else {
+  keylog = function() {};
+}
+
 function HMAC_hash(key, input) {
@@ -49,6 +58,8 @@ var hmac = crypto.createHmac('sha256', key);
 function info(base, context) {
-  return Buffer.concat([
+  var result = Buffer.concat([
     new Buffer('Content-Encoding: ' + base + '\0', 'ascii'),
     context
   ]);
+  keylog('info ' + base, result);
+  return result;
 }
@@ -118,5 +129,8 @@
   }
+  keylog('secret', result.secret);
+  keylog('context', result.context);
   if (params.authSecret) {
     result.secret = HKDF(base64.decode(params.authSecret), result.secret,
-                  info('auth', new Buffer(0)), SHA_256_LENGTH);
+                         info('auth', new Buffer(0)), SHA_256_LENGTH);
+    keylog('authsecret', result.secret);
   }
@@ -127,9 +141,23 @@ return result;
 function deriveKeyAndNonce(params, mode) {
+  var padSize = params.padSize || PAD_SIZE;
   var salt = extractSalt(params.salt);
   var s = extractSecretAndContext(params, mode);
   var prk = HKDF_extract(salt, s.secret);
+  var keyInfo;
+  var nonceInfo;
+  if (padSize === 1) {
+    keyInfo = 'Content-Encoding: aesgcm128';
+    nonceInfo = 'Content-Encoding: nonce';
+  } else if (padSize === 2) {
+    keyInfo = info('aesgcm128', s.context);
+    nonceInfo = info('nonce', s.context);
+  } else {
+    throw new Error('Unable to set context for padSize ' + params.padSize);
+  }
   var result = {
-    key: HKDF_expand(prk, info('aesgcm128', s.context), KEY_LENGTH),
-    nonce: HKDF_expand(prk, info('nonce', s.context), NONCE_LENGTH)
+    key: HKDF_expand(prk, keyInfo, KEY_LENGTH),
+    nonce: HKDF_expand(prk, nonceInfo, NONCE_LENGTH)
   };
+  keylog('key', result.key);
+  keylog('nonce base', result.nonce);
   return result;
@@ -156,2 +184,3 @@ }
   nonce.writeUIntBE(x, nonce.length - 6, 6);
+  keylog('nonce' + counter, nonce);
   return nonce;
@@ -161,2 +190,3 @@ }
 function decryptRecord(key, counter, buffer, padSize) {
+  keylog('decrypt', buffer);
   var nonce = generateNonce(key.nonce, counter);
@@ -167,2 +197,3 @@ var gcm = crypto.createDecipheriv(AES_GCM, key.key, nonce);
   data = Buffer.concat([data, gcm.final()]);
+  keylog('decrypted', data);
   padSize = padSize || PAD_SIZE
@@ -216,2 +247,3 @@ var pad = data.readUIntBE(0, padSize);
 function encryptRecord(key, counter, buffer, pad, padSize) {
+  keylog('encrypt', buffer);
   pad = pad || 0;
@@ -231,3 +263,5 @@ var nonce = generateNonce(key.nonce, counter);
   }
-  return Buffer.concat([epadding, ebuffer, tag]);
+  var encrypted = Buffer.concat([epadding, ebuffer, tag]);
+  keylog('encrypted', encrypted);
+  return encrypted;
 }
@@ -234,0 +268,0 @@

package.json

 {
   "name": "http_ece",
-  "version": "0.4.1",
+  "version": "0.4.3",
   "description": "Encrypted Content-Encoding for HTTP",
@@ -18,3 +18,3 @@ "homepage": "https://github.com/martinthomson/encrypted-content-encoding",
   "scripts": { "test": "node ./test.js" },
-  "engines" : { "node" : ">=0.12" },
+  "engines" : { "node" : ">=4.0.0" },
   "dependencies": {
@@ -21,0 +21,0 @@ "urlsafe-base64": "~1.0.0"

New alerts

Environment variable access

Supply chain risk

Package accesses environment variables, which may be a sign of credential stuffing or data theft.

Found 1 instance in 1 package

Worsened metrics

Total package byte prevSize

11876

decreased by-2.08%

Number of package files

5

decreased by-16.67%

Lines of code

286

decreased by-9.21%

Number of low supply chain risk alerts

1

increased byInfinity%

No dependency changes