TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption #1293

Open
Metro420yt opened this issue Mar 19, 2024 · 7 comments · May be fixed by #1319

Comments

@Metro420yt

Metro420yt commented Mar 19, 2024

[x] The FAQ doesn't contain a resolution to my issue

Versions

  • minecraft-protocol: 1.47.0
  • server: vanilla 1.12.2
  • node: 21.7.1

Detailed description of a problem

when trying to connect, on login.js line 120 the padding "crypto.constants.RSA_PKCS1_PADDING" throws an error, due to CVE-2023-46809

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Client.onEncryptionKeyResponse ([...]\minecraft-protocol\src\server\login.js:120:39)
    ...

Current code

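// createServer comes from the minecraft-protocol package;
// `properties` and `favicon` are defined elsewhere in the reporter's application
const { createServer } = require('minecraft-protocol')

createServer({
    version: '1.12.2',
    port: 25565,
    beforePing: (response) => {
        if (properties.enableStatus === false) return;
        response.favicon = favicon;
    },
})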

Expected behavior

wasn't sure if there was a way to fix this, or if it's just a part of the encryption method

edit: the error is silent, and the server just responds "Disconnected"
and I should clarify, I'm not sure if it's possible to use another encryption method or not

Additional context

originally was using node v20.11.1, but updated at some point to see if it would help

passing "--security-revert=CVE-2023-46809" gives another error

was an issue caused by doing npm audit --force

@extremeheat
Member

Seems like a bug in nodejs.

Caused by nodejs/node@54cd268

You can open an issue in https://github.com/nodejs/node for it

@extremeheat
Member

Being discussed in nodejs/node#52017

@extremeheat
Member

Proposed programmatic way to re-enable is being discussed in nodejs/node#52090, pure js workaround snippet to fix mentioned in nodejs/node#52017 (comment)

@IceTank
Contributor

IceTank commented May 5, 2024

So, it looks like the node team decided to remove the padding feature? Is there a programmatic fix for it that could be added to nmp? I don't want to parse node arguments to all my applications.

@extremeheat
Member

Read the linked issue/PR, I left a comment on nodejs/node#52017 (comment).

Ideally the standard lib of a language doesn't do breaking updates to remove functionality in minor versions, but that's what seems to be the case at the moment (for security reasons). There is a PR to add a code-based toggle to re-enable the functionality, but it's not for sure that will be merged. This may require using the nodeRSA workaround snippet posted in nodejs/node#52017.

@IceTank
Contributor

IceTank commented May 6, 2024

> Read the linked issue/PR, I left a comment on nodejs/node#52017 (comment).
>
> Ideally the standard lib of a language doesn't do breaking updates to remove functionality in minor versions, but that's what seems to be the case at the moment (for security reasons). There is a PR to add a code-based toggle to re-enable the functionality, but it's not for sure that will be merged. This may require using the nodeRSA workaround snippet posted in nodejs/node#52017.

I think we should go for the nodeRSA workaround for the time being because Node-Minecraft-Protocol does not work right now with the latest LTS versions of Node.

@extremeheat
Member

Yeah, nodejs/node#52017 (comment) should have the relevant code to do it
