crypto: clear OpenSSL error queue after calling X509_verify() #45377
Conversation
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false.
As this function is currently implemented, it ignores the difference between errors and verification failure. As such, this change appears logical. (Whether the current behavior is the best choice is a separate question.)
Thank you for your contribution.
It seems that the email address you are using to commit your changes is not associated with your GitHub account; we highly recommend that you either add the commit email address to your GitHub account (not to your public GitHub profile!) or that you re-commit your changes with an email address of your choice that is connected to your GitHub account. Note that you can add multiple email addresses to the same GitHub account.
Co-authored-by: Tobias Nießen <tniessen@tnie.de>
Thanks for the recommendation. I added the email to my GitHub account.
@takuro-sato Thank you for your contribution! I noticed it is your first. Congratulations 🎉
Landed in 405ea2a
#45495 follows this up, fixing the same problem with
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false.

PR-URL: #45377
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Hi there, is there any chance that this (as well as the other issue with private keys) may be backported to Node 18?
Prior to this commit, functions accessing the OpenSSL error queue did not work properly after x509.verify() returned false.

Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/375
CVE-ID: CVE-2023-23919
PR-URL: nodejs/node#45377
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
Example code to reproduce the bug
output:

```
{ namedCurve: 'prime256v1' }
true
false
node:internal/crypto/keys:620
    handle.init(kKeyTypePrivate, data, format, type, passphrase);
           ^

Error: error:0200008A:rsa routines::invalid padding
    at Object.createPrivateKey (node:internal/crypto/keys:620:12)
    at Object.<anonymous> (/home/takuro/Projects/dev_node/bug.js:76:8)
    at Module._compile (node:internal/modules/cjs/loader:1159:14)
    at Module._extensions..js (node:internal/modules/cjs/loader:1213:10)
    at Module.load (node:internal/modules/cjs/loader:1037:32)
    at Module._load (node:internal/modules/cjs/loader:878:12)
    at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:82:12)
    at node:internal/main/run_main_module:23:47 {
  opensslErrorStack: [
    'error:06880006:asn1 encoding routines::EVP lib',
    'error:1C880004:Provider routines::RSA lib',
    'error:02000072:rsa routines::padding check failed'
  ],
  library: 'rsa routines',
  reason: 'invalid padding',
  code: 'ERR_OSSL_RSA_INVALID_PADDING'
}

Node.js v19.0.1
```
Note: I got an error when I ran `make -j4 test` locally, but I believe it's not related to this PR because I got the same one with the latest main and v19.0.1.