Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: fix CSPRNG when length exceeds INT_MAX #47515

Merged

Conversation

tniessen
Copy link
Member

CSPRNG implicitly casts the size_t length argument to a signed int when calling RAND_bytes(), which leaves it up to the caller to ensure that the length argument actually fits into such a signed int. However, not all call sites explicitly ensure that, which could lead to subtle bugs.

In OpenSSL 3, use RAND_bytes_ex() instead, which does not require casting the length to a signed int.

In OpenSSL 1.1.1, RAND_bytes_ex() is not supported, thus we have to process blocks of size INT_MAX one by one.

CSPRNG implicitly casts the size_t length argument to a signed int when
calling RAND_bytes(), which leaves it up to the caller to ensure that
the length argument actually fits into such a signed int. However, not
all call sites explicitly ensure that, which could lead to subtle bugs.

In OpenSSL 3, use RAND_bytes_ex() instead, which does not require
casting the length to a signed int.

In OpenSSL 1.1.1, RAND_bytes_ex() is not supported, thus we have to
process blocks of size INT_MAX one by one.
@tniessen tniessen added crypto Issues and PRs related to the crypto subsystem. c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency. security Issues and PRs related to security. labels Apr 11, 2023
@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added the needs-ci PRs that need a full CI run. label Apr 11, 2023
Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I could live with just returning {false} instead of complicating the code with a retry loop. There's simply no valid use case for requesting that much random data.

@tniessen
Copy link
Member Author

@bnoordhuis The added complexity only exists in the OpenSSL 1.1.1 section, which will be removed in about half a year. Until then, it ensures that the behavior is consistent across OpenSSL 3 / OpenSSL 1.1.1.

@bnoordhuis
Copy link
Member

It's your call. It's just that I wouldn't bend over backwards to accommodate a pathological edge case.

@tniessen tniessen added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@nodejs-github-bot

This comment was marked as outdated.

@nodejs-github-bot

This comment was marked as outdated.

@nodejs-github-bot

This comment was marked as outdated.

@nodejs-github-bot
Copy link
Collaborator

@tniessen tniessen added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Apr 13, 2023
tniessen added a commit to tniessen/node that referenced this pull request Apr 14, 2023
This restriction was due to an implementation detail in CSPRNG(). Now
that CSPRNG() properly handles lengths exceeding INT_MAX, remove this
artificial restriction.

Refs: nodejs#47515
@tniessen tniessen added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 15, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 15, 2023
@nodejs-github-bot nodejs-github-bot merged commit 8833099 into nodejs:main Apr 15, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in 8833099

nodejs-github-bot pushed a commit that referenced this pull request Apr 17, 2023
This restriction was due to an implementation detail in CSPRNG(). Now
that CSPRNG() properly handles lengths exceeding INT_MAX, remove this
artificial restriction.

Refs: #47515
PR-URL: #47559
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
targos pushed a commit that referenced this pull request May 2, 2023
CSPRNG implicitly casts the size_t length argument to a signed int when
calling RAND_bytes(), which leaves it up to the caller to ensure that
the length argument actually fits into such a signed int. However, not
all call sites explicitly ensure that, which could lead to subtle bugs.

In OpenSSL 3, use RAND_bytes_ex() instead, which does not require
casting the length to a signed int.

In OpenSSL 1.1.1, RAND_bytes_ex() is not supported, thus we have to
process blocks of size INT_MAX one by one.

PR-URL: #47515
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
targos pushed a commit that referenced this pull request May 2, 2023
This restriction was due to an implementation detail in CSPRNG(). Now
that CSPRNG() properly handles lengths exceeding INT_MAX, remove this
artificial restriction.

Refs: #47515
PR-URL: #47559
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
@targos targos mentioned this pull request May 2, 2023
tniessen added a commit to tniessen/node that referenced this pull request May 18, 2023
Now that CSPRNG() does not silently fail when the length exceeds
INT_MAX anymore, there is no need for the two relevant assertions
in SecretKeyGenTraits anymore.

Refs: nodejs#47515
nodejs-github-bot pushed a commit that referenced this pull request May 24, 2023
Now that CSPRNG() does not silently fail when the length exceeds
INT_MAX anymore, there is no need for the two relevant assertions
in SecretKeyGenTraits anymore.

Refs: #47515
PR-URL: #48053
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
targos pushed a commit that referenced this pull request May 30, 2023
Now that CSPRNG() does not silently fail when the length exceeds
INT_MAX anymore, there is no need for the two relevant assertions
in SecretKeyGenTraits anymore.

Refs: #47515
PR-URL: #48053
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
danielleadams pushed a commit that referenced this pull request Jul 6, 2023
CSPRNG implicitly casts the size_t length argument to a signed int when
calling RAND_bytes(), which leaves it up to the caller to ensure that
the length argument actually fits into such a signed int. However, not
all call sites explicitly ensure that, which could lead to subtle bugs.

In OpenSSL 3, use RAND_bytes_ex() instead, which does not require
casting the length to a signed int.

In OpenSSL 1.1.1, RAND_bytes_ex() is not supported, thus we have to
process blocks of size INT_MAX one by one.

PR-URL: #47515
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
danielleadams pushed a commit that referenced this pull request Jul 6, 2023
This restriction was due to an implementation detail in CSPRNG(). Now
that CSPRNG() properly handles lengths exceeding INT_MAX, remove this
artificial restriction.

Refs: #47515
PR-URL: #47559
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
MoLow pushed a commit to MoLow/node that referenced this pull request Jul 6, 2023
CSPRNG implicitly casts the size_t length argument to a signed int when
calling RAND_bytes(), which leaves it up to the caller to ensure that
the length argument actually fits into such a signed int. However, not
all call sites explicitly ensure that, which could lead to subtle bugs.

In OpenSSL 3, use RAND_bytes_ex() instead, which does not require
casting the length to a signed int.

In OpenSSL 1.1.1, RAND_bytes_ex() is not supported, thus we have to
process blocks of size INT_MAX one by one.

PR-URL: nodejs#47515
Reviewed-By: Richard Lau <[email protected]>
Reviewed-By: James M Snell <[email protected]>
MoLow pushed a commit to MoLow/node that referenced this pull request Jul 6, 2023
This restriction was due to an implementation detail in CSPRNG(). Now
that CSPRNG() properly handles lengths exceeding INT_MAX, remove this
artificial restriction.

Refs: nodejs#47515
PR-URL: nodejs#47559
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
Now that CSPRNG() does not silently fail when the length exceeds
INT_MAX anymore, there is no need for the two relevant assertions
in SecretKeyGenTraits anymore.

Refs: nodejs#47515
PR-URL: nodejs#48053
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
Now that CSPRNG() does not silently fail when the length exceeds
INT_MAX anymore, there is no need for the two relevant assertions
in SecretKeyGenTraits anymore.

Refs: nodejs#47515
PR-URL: nodejs#48053
Reviewed-By: Luigi Pinca <[email protected]>
Reviewed-By: Filip Skokan <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. needs-ci PRs that need a full CI run. openssl Issues and PRs related to the OpenSSL dependency. security Issues and PRs related to security.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants