New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix: crash creating private key with unsupported algorithm #31087
Conversation
8d3f292
to
bbd171c
Compare
I would like to ask a question, why does nodejs 16.4.1 not raise crashes. In my results, it is correct, e.g: Does that mean that the problem has been fixed in the new version of the Nodejs code? |
@BlackHole1 this is outlined in my PR body - Electron uses BoringSSL and Node.js uses OpenSSL. So this will fail in Electron where it would work in Node.js because the underlying crypto libraries differ. |
Release Notes Persisted
|
I have automatically backported this PR to "16-x-y", please check out #31136 |
I have automatically backported this PR to "15-x-y", please check out #31137 |
Description of Change
Closes #31064.
Fixed an issue where some calls to
crypto.createPrivateKey
made with algorithms unsupported by BoringSSL cause a crash when invoking methods on their return values. This was happening because BoringSSL shims some algorithms but doesn't implement them and so attempts to create keys with them will fail (see:evp.h#L835-837
)Node.js returns false in
initEdRaw
(seecrypto_keys.cc#L1106
)but then does nothing with the return value, meaning that if no pkey is created successfully that a key object will still be returned. However, attempts to use the
data_
field will crash the process asdata_
is never assigned. This is fixed by checking the return value ofinitEdRaw
at the JavaScript level and throwing an error if the function returns false.cc @deermichel
Checklist
npm test
passesRelease Notes
Notes: Fixed an issue where some calls to
crypto.createPrivateKey
made with algorithms unsupported by BoringSSL cause a crash when invoking methods on their return values.