From 5e41c022af741444def80967aab6ea0f9ec73057 Mon Sep 17 00:00:00 2001 From: Timothy J Fontaine Date: Fri, 18 Oct 2013 14:14:21 -0700 Subject: [PATCH] crypto: clear errors from verify failure OpenSSL will push errors onto the stack when a verify fails, which can disrupt TLS and other routines if we don't clear the error stack Fixes #6304 --- src/node_crypto.cc | 3 ++ test/simple/test-crypto-verify-failure.js | 81 +++++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+) create mode 100644 test/simple/test-crypto-verify-failure.js diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 409be35..e3ece08 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -3186,6 +3186,9 @@ class Verify : public ObjectWrap { int VerifyFinal(char* key_pem, int key_pemLen, unsigned char* sig, int siglen) { if (!initialised_) return 0; + ClearErrorOnReturn clear_error_on_return; + (void) &clear_error_on_return; // Silence compiler warning. + EVP_PKEY* pkey = NULL; BIO *bp = NULL; X509 *x509 = NULL; diff --git a/test/simple/test-crypto-verify-failure.js b/test/simple/test-crypto-verify-failure.js new file mode 100644 index 0000000..6162d16 --- /dev/null +++ b/test/simple/test-crypto-verify-failure.js @@ -0,0 +1,81 @@ +// Copyright Joyent, Inc. and other Node contributors. +// +// Permission is hereby granted, free of charge, to any person obtaining a +// copy of this software and associated documentation files (the +// "Software"), to deal in the Software without restriction, including +// without limitation the rights to use, copy, modify, merge, publish, +// distribute, sublicense, and/or sell copies of the Software, and to permit +// persons to whom the Software is furnished to do so, subject to the +// following conditions: +// +// The above copyright notice and this permission notice shall be included +// in all copies or substantial portions of the Software. +// +// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS +// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF +// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN +// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, +// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR +// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE +// USE OR OTHER DEALINGS IN THE SOFTWARE. + + + + +var common = require('../common'); +var assert = require('assert'); + +try { + var crypto = require('crypto'); + var tls = require('tls'); +} catch (e) { + console.log('Not compiled with OPENSSL support.'); + process.exit(); +} + +crypto.DEFAULT_ENCODING = 'buffer'; + +var fs = require('fs'); + +var certPem = fs.readFileSync(common.fixturesDir + '/test_cert.pem', 'ascii'); + +var options = { + key: fs.readFileSync(common.fixturesDir + '/keys/agent1-key.pem'), + cert: fs.readFileSync(common.fixturesDir + '/keys/agent1-cert.pem') +}; + +var canSend = true; + +var server = tls.Server(options, function(socket) { + process.nextTick(function() { + console.log('sending'); + socket.destroy(); + verify(); + }); +}); + +var client; + +function verify() { + console.log('verify'); + var verified = crypto.createVerify('RSA-SHA1') + .update('Test') + .verify(certPem, 'asdfasdfas', 'base64'); +} + +server.listen(common.PORT, function() { + client = tls.connect({ + port: common.PORT, + rejectUnauthorized: false + }, function() { + verify(); + }).on('data', function(data) { + console.log(data); + }).on('error', function(err) { + throw err; + }).on('close', function() { + server.close(); + }).resume(); +}); + +server.unref(); -- 2.7.4