This repository was archived by the owner on Apr 22, 2023. It is now read-only.
-
-
Notifications
You must be signed in to change notification settings - Fork 7.3k
This repository was archived by the owner on Apr 22, 2023. It is now read-only.
Using crypto functions inside TLS callbacks incorrectly causes TLS failure #4323
Copy link
Copy link
Closed
Description
Test case:
"use strict";
var fs = require('fs');
var tls = require('tls');
var crypto = require('crypto');
var options = {
key: fs.readFileSync('./tls_key.pem'),
cert: fs.readFileSync('./tls_cert.pem'),
}
var server = tls.createServer(options, function (client) {
client.on('error', function (error) {
console.log('client error: ' + error.message);
console.log('stack trace: ' + error.stack);
client.destroy();
});
client.write('secured!\n');
var next = function () {
client.write('finished!\n');
client.end();
}
process.nextTick(function () {
exports.doit(function () {
next();
});
});
});
exports.doit = function (cb) {
var cipher = 'aes128';
var pass = 'foo';
var decipher = crypto.createDecipher(cipher, pass);
var w_dec = decipher.update('fbf973ea86243eae441ae1cb0722cfad975d3df85a8f329841fc26ea01d68ee44b43190fc81ba870aabf510ce4cbfed', 'hex', 'ascii');
try {
w_dec += decipher.final('ascii');
console.log(w_dec);
}
catch (e) {
console.log('decrypt error: ' + e);
}
if (cb) cb();
}
server.listen(3030);Output:
$ openssl s_client -port 3030
secured!
decrypt error: TypeError: DecipherFinal fail
client error: 2799312:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../deps/openssl/openssl/crypto/evp/evp_enc.c:460:
stack trace: Error: 2799312:error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length:../deps/openssl/openssl/crypto/evp/evp_enc.c:460:
at CleartextStream._pusher (tls.js:656:24)
at SlabBuffer.use (tls.js:199:18)
at CleartextStream.CryptoStream._push (tls.js:483:33)
at SecurePair.cycle (tls.js:880:20)
at CleartextStream.CryptoStream.write (tls.js:267:13)
at tls.createServer.next (/usr/lib/node_modules/Haraka/testcase_new.js:19:20)
at /usr/lib/node_modules/Haraka/testcase_new.js:24:17
at Object.exports.doit (/usr/lib/node_modules/Haraka/testcase_new.js:41:13)
at /usr/lib/node_modules/Haraka/testcase_new.js:23:21
at process.startup.processNextTick.process._tickCallback (node.js:244:9)
The EVP_DecryptFinal_ex error above relates to the caught decipher error and not to the TLS connection but it was reported on the TLS client error handlers incorrectly.
If you comment the code that calls the decipher functions then this works as expected. The code also works if the process.nextTick() is removed.
Reactions are currently unavailable
Metadata
Metadata
Assignees
Labels
No labels