| author | Takuro Sato <79583855+takuro-sato@users.noreply.github.com> | 2022-11-17 23:43:03 +0900 |
|---|---|---|
| committer | Richard Lau <rlau@redhat.com> | 2023-02-14 16:58:41 +0000 |
| commit | d0ece3094845c66a69e5cd72be956ae526ae3f11 (patch) | |
| tree | b177715eebdb6edd4ca605c772bd667c7d688848 | |
| parent | 7fef050447da21194b2df030149676cd88e0abe1 (diff) | |
| download | node-new-d0ece3094845c66a69e5cd72be956ae526ae3f11.tar.gz | |
crypto: clear OpenSSL error queue after calling X509_verify()
Prior to this commit, functions accessing the OpenSSL error queue did
not work properly after x509.verify() returned false.
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/375
CVE-ID: CVE-2023-23919
PR-URL: https://github.com/nodejs/node/pull/45377
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1808596
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Filip Skokan <panva.ip@gmail.com>
| Mode | File | Lines changed |
|---|---|---|
| -rw-r--r-- | src/crypto/crypto_x509.cc | 2 |
| -rw-r--r-- | test/parallel/test-crypto-x509.js | 5 |

2 files changed, 7 insertions, 0 deletions
diff --git a/src/crypto/crypto_x509.cc b/src/crypto/crypto_x509.cc index a8c4255d52..e10694e6dd 100644 --- a/src/crypto/crypto_x509.cc +++ b/src/crypto/crypto_x509.cc @@ -468,6 +468,8 @@ void X509Certificate::Verify(const FunctionCallbackInfo<Value>& args) { ASSIGN_OR_RETURN_UNWRAP(&key, args[0]); CHECK_EQ(key->Data()->GetKeyType(), kKeyTypePublic); + ClearErrorOnReturn clear_error_on_return; + args.GetReturnValue().Set( X509_verify( cert->get(), diff --git a/test/parallel/test-crypto-x509.js b/test/parallel/test-crypto-x509.js index d178235927..b99fc47d4d 100644 --- a/test/parallel/test-crypto-x509.js +++ b/test/parallel/test-crypto-x509.js @@ -187,6 +187,11 @@ const der = Buffer.from( code: 'ERR_INVALID_ARG_VALUE' }); + // Confirm failure of X509Certificate:verify() doesn't affect other functions that use OpenSSL. + assert(!x509.verify(x509.publicKey)); + // This call should not throw. + createPrivateKey(key); + // X509Certificate can be cloned via MessageChannel/MessagePort const mc = new MessageChannel(); mc.port1.onmessage = common.mustCall(({ data }) => { |
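Review bot: the new `ClearErrorOnReturn clear_error_on_return;` in X509Certificate::Verify (crypto_x509.cc hunk) carries no comment explaining why it is needed, and the reason is not obvious from the surrounding lines: a failed X509_verify() leaves entries on OpenSSL's thread-local error queue, and without the guard those entries are seen by whichever unrelated OpenSSL call runs next on the same thread, which is exactly the behaviour the commit message describes after x509.verify() returns false. Suggest a one-line comment above the declaration, e.g. `// X509_verify() pushes onto the error queue on a failed verification; clear it on return.` The placement is acceptable, since the early return from ASSIGN_OR_RETURN_UNWRAP and the CHECK_EQ on the key type both happen before any OpenSSL call is made, but declaring the guard at the top of the function would keep it correct if OpenSSL calls are later added between those checks and X509_verify().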
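Review bot: in the test-crypto-x509.js hunk, the comment `// Confirm failure of X509Certificate:verify() doesn't affect other functions that use OpenSSL.` uses a single colon; verify() is an instance method, so `x509.verify()` or `X509Certificate.prototype.verify()` reads correctly. More substantively, `assert(!x509.verify(x509.publicKey))` only holds when the certificate was signed by a key other than its own, and neither `key` nor `createPrivateKey` appears in the hunk, so the regression test depends on fixture state and imports established earlier in the file; a short comment stating why verify() is expected to return false for this certificate would make the intent clear to the next reader. `assert.doesNotThrow(() => createPrivateKey(key))` would also turn the `// This call should not throw.` comment into an explicit assertion with a clearer failure message than an uncaught exception from a bare `createPrivateKey(key);` call.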