Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto: prevent Sign::SignFinal from crashing #21815

Closed
wants to merge 2 commits into from
Closed

crypto: prevent Sign::SignFinal from crashing #21815

wants to merge 2 commits into from

Conversation

tniessen
Copy link
Member

@tniessen tniessen commented Jul 14, 2018
edited
Loading

The validation logic could be tricked into assuming an option was valid using malicious getters, leading to an invalid value being passed to the C++ layer, thus crashing the process.

Copy this into the REPL to crash the process:

const key = `-----BEGIN RSA PRIVATE KEY-----
             MIICXQIBAAKBgQDx3wdzpq2rvwm3Ucun1qAD/ClB+wW+RhR1nVix286QvaNqePAd
             CAwwLL82NqXcVQRbQ4s95splQnwvjgkFdKVXFTjPKKJI5aV3wSRN61EBVPdYpCre
             535yfG/uDysZFCnVQdnCZ1tnXAR8BirxCNjHqbVyIyBGjsNoNCEPb2R35QIDAQAB
             AoGBAJNem9C4ftrFNGtQ2DB0Udz7uDuucepkErUy4MbFsc947GfENjDKJXr42Kx0
             kYx09ImS1vUpeKpH3xiuhwqe7tm4FsCBg4TYqQle14oxxm7TNeBwwGC3OB7hiokb
             aAjbPZ1hAuNs6ms3Ybvvj6Lmxzx42m8O5DXCG2/f+KMvaNUhAkEA/ekrOsWkNoW9
             2n3m+msdVuxeek4B87EoTOtzCXb1dybIZUVv4J48VAiM43hhZHWZck2boD/hhwjC
             M5NWd4oY6QJBAPPcgBVNdNZSZ8hR4ogI4nzwWrQhl9MRbqqtfOn2TK/tjMv10ALg
             lPmn3SaPSNRPKD2hoLbFuHFERlcS79pbCZ0CQQChX3PuIna/gDitiJ8oQLOg7xEM
             wk9TRiDK4kl2lnhjhe6PDpaQN4E4F0cTuwqLAoLHtrNWIcOAQvzKMrYdu1MhAkBm
             Et3qDMnjDAs05lGT72QeN90/mPAcASf5eTTYGahv21cb6IBxM+AnwAPpqAAsHhYR
             9h13Y7uYbaOjvuF23LRhAkBoI9eaSMn+l81WXOVUHnzh3ZwB4GuTyxMXXNOhuiFd
             0z4LKAMh99Z4xQmqSoEkXsfM4KPpfhYjF/bwIcP5gOei
             -----END RSA PRIVATE KEY-----`;

crypto.createSign('SHA256').update('Test123').sign({
  counter: 0,
  get padding() {
    if (++this.counter < 3)
      return crypto.constants.RSA_PKCS1_PSS_PADDING;
    return null;
  },
  key
});

@tniessen
crypto: prevent Sign::SignFinal from crashing
7da7e9f 
The validation logic could be tricked into assuming an option was
valid using malicious getters, leading to an invalid value being
passed to the C++ layer, thus crashing the process.
@nodejs-github-bot
Copy link
Collaborator

@tniessen build started: https://ci.nodejs.org/blue/organizations/jenkins/node-test-pull-request-lite-pipeline/detail/node-test-pull-request-lite-pipeline/276/pipeline

@nodejs-github-bot nodejs-github-bot added the crypto Issues and PRs related to the crypto subsystem. label Jul 14, 2018
@tniessen
Copy link
Member Author

CI: https://ci.nodejs.org/job/node-test-pull-request/15878/
CC @nodejs/crypto.

@tniessen tniessen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jul 15, 2018
tniessen added a commit to tniessen/node that referenced this pull request Jul 17, 2018
@tniessen
crypto: prevent Sign::SignFinal from crashing
43cc6bc 
The validation logic could be tricked into assuming an option was
valid using malicious getters, leading to an invalid value being
passed to the C++ layer, thus crashing the process.

PR-URL: nodejs#21815
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
@tniessen
Copy link
Member Author

Landed in 43cc6bc.

@tniessen tniessen closed this Jul 17, 2018
targos pushed a commit that referenced this pull request Jul 18, 2018
@tniessen @targos
crypto: prevent Sign::SignFinal from crashing
d9825c7 
The validation logic could be tricked into assuming an option was
valid using malicious getters, leading to an invalid value being
passed to the C++ layer, thus crashing the process.

PR-URL: #21815
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Tiancheng "Timothy" Gu <[email protected]>
Reviewed-By: Ujjwal Sharma <[email protected]>
@targos targos mentioned this pull request Jul 18, 2018
Merged
This was referenced Jul 18, 2018
Closed
Closed
Closed
Closed
Closed
@tniessen tniessen removed the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Sep 12, 2018
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@ryzokuken ryzokuken ryzokuken approved these changes

@TimothyGu TimothyGu TimothyGu approved these changes

@addaleax addaleax addaleax approved these changes

Assignees
No one assigned
Labels
crypto Issues and PRs related to the crypto subsystem.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@tniessen @nodejs-github-bot @addaleax @TimothyGu @ryzokuken