crypto: clear error stack in ECDH::BufferToPoint

[rfk]

The ECDH::BufferToPoint function was not clearing the error stack on failure, and the leftover error state could cause subsequent (unrelated) signing operations to fail. This updates the function to use existing error-clearing helpers and seems to resolve the problem for me.

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• commit message follows commit guidelines

Affected core subsystem(s)

• crypto

[Trott]

Maybe better to use this instead?:

assert.doesNotThrow(() => {
  crypto.createSign('SHA256').sign(ecPrivateKey);
});

[rfk]

thanks, will update

[Trott]

(Although I guess that doesn't check that you get a truthy return value. Could be added as an assertion to the function if it's important.)

[Trott]

/cc @nodejs/crypto

[indutny]

LGTM

[bnoordhuis]

It's not wrong but I'd put this in ECDH::ComputeSecret() and ECDH::SetPublicKey(), the binding functions that call ECDH::BufferToPoint().

Maybe we should simply make it a rule that binding functions must restore the error stack.

[bnoordhuis]

This throws an exception so you still end up in the catch block. The pattern tests usually use is this:

let gotError = false;
try {
  // ...
} catch (e) {
  gotError = true;
  // ...
}
assert(gotError);

[sam-github]

or use https://nodejs.org/api/assert.html#assert_assert_throws_block_error_message

[Trott]

The problem with assert.throws() in this case is that the test case is actually in the catch block. The pattern @bnoordhuis lays out will work as will the way it is currently done in this PR.

[sam-github]

But the test case doesn't have to be in the catch block, or am I just missing something?

assert.throws(() => curve.computeSecret(invalidKey));
const ecPrivateKey = ...;
assert.doesNotThrow(() => crypto.createSign('SHA256').sign(ecPrivateKey));

[rfk]

I like this last one, thanks for the suggestion.

[Trott]

@sam-github Ah, yes, you are right.

[rfk]

Thanks all, rebased to latest master and updated based on @bnoordhuis @sam-github feedback.

[Trott]

CI: https://ci.nodejs.org/job/node-test-pull-request/8367/

[vladikoff]

Will it be possible to uplift this patch to node 4 and 6?

[sam-github]

As a bug fix, it will land on 6.x after being released in 7.x for a while (usually a couple weeks, just to make sure there are no unexpected side effects).

4.x at this point requires an explicit request, we don't release unless we have to. It looks like not clearing the error stack can have wide-reaching consequences, but we prefer to not re-release 4.x unless necessary.

@vladikoff @rfk Do you have a need for this on 4.x? Some description of impact will make it much easier to make the case for it in 4.x

/cc @nodejs/lts

[rfk]

This bug affects our app because we happen to do both RSA signing and ECDH with user-submitted keys, so we recently deployed a workaround to production to guard against this being used as a DoS vector (i.e. deliberately submitting invalid ECDH keys to DoS the RSA signing functionality):

https://github.com/mozilla/fxa-auth-server/pull/1918/files#diff-539df6289b63785f3c1f4660c1db4107R174

I think this workaround means we can live without it on 4.x if we have to, although I'm not 100% confident, and I can't comment on how likely other apps are to be affected in a similar way. Having the fix on 4.x would obviously be preferable to this workaround from our point of view, but I understand that's not a trivial ask :-)

[sam-github]

I think that's bad enough it is worth proposing for 4.x LTS

[indutny]

@sam-github I agree.

[jasnell]

I agree that this is worth backporting to 4.x

[gibfahn]

+1 to backporting to v4.x.

The next question is how urgently it should happen I guess.

[sam-github]

Is this the first thing that might conceivably be targettable at 4.x? Maybe the thing to do is open an issue in nodejs/LTS to update 4.x, and link any candidates. I haven't heard of any others, but I'm not the best source of news on that front.

[MylesBorins]

there is a single commit sitting on v4.x-staging and one or two other random small ones that would be good to include. For the most part I believe we have been on top of backporting anything that would be good to have in a maintenance release... we could theoretically re audit against v6.x to double check

edit: worth mentioning there was a v4.x release last month... but if this warrants a new release it makes sense

[sam-github]

Landed in f666533

[sam-github]

It doesn't cherry-pick clean to 4.x or to 6.x, @rfk would you have the time to backport to 6.x? The process is to open a PR targeting v6.x-staging, title would be (backport 6.x) crypto: clear error stack in ECDH::BufferToPoint.

[sam-github]

@nodejs/lts 4.8.3 was May 2nd, maybe we could do a 4.8.4 on July 2nd (aprox), to give time for any more patches to come in? 2 months seems a reasonable maintenance cadence.

[gibfahn]

Backporting guide is here: https://github.com/nodejs/node/blob/master/doc/guides/backporting-to-release-lines.md

[rfk]

It doesn't cherry-pick clean to 4.x or to 6.x, @rfk would you have the time to backport to 6.x?

Sure, I'll try to take a look later today.

[sam-github]

@rfk Thank you.