Skip to content

Commit

Permalink
crypto: better crypto error messages
Browse files Browse the repository at this point in the history 
Add openSSL error stack to the exception object thrown from crypto.
The new exception property is only added to the object if the error
stack has not cleared out prior to calling ThrowCryptoError.

PR-URL: #15518
Refs: #5444
Reviewed-By: Sam Roberts <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
  • Loading branch information
@gla5001 @MylesBorins
gla5001 authored and MylesBorins committed Oct 3, 2017
1 parent ec56cbe commit 1ed0c77
Show file tree
Hide file tree
Showing 4 changed files with 163 additions and 16 deletions.
4 changes: 4 additions & 0 deletions doc/api/errors.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -192,6 +192,10 @@ circumstance of why the error occurred. `Error` objects capture a "stack trace"
detailing the point in the code at which the `Error` was instantiated, and may
provide a text description of the error.

For crypto only, `Error` objects will include the OpenSSL error stack in a
separate property called `opensslErrorStack` if it is available when the error
is thrown.

All errors generated by Node.js, including all System and JavaScript errors,
will either be instances of, or inherit from, the `Error` class.

Expand Down
1 change: 1 addition & 0 deletions src/env.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -225,6 +225,7 @@ class ModuleWrap;
V(onstreamclose_string, "onstreamclose") \
V(ontrailers_string, "ontrailers") \
V(onwrite_string, "onwrite") \
V(openssl_error_stack, "opensslErrorStack") \
V(output_string, "output") \
V(order_string, "order") \
V(owner_string, "owner") \
Expand Down
60 changes: 56 additions & 4 deletions src/node_crypto.cc
View file
Original file line number Diff line number Diff line change
Expand Up @@ -255,13 +255,65 @@ void ThrowCryptoError(Environment* env,
unsigned long err, // NOLINT(runtime/int)
const char* default_message = nullptr) {
HandleScope scope(env->isolate());
Local<String> message;

if (err != 0 || default_message == nullptr) {
char errmsg[128] = { 0 };
ERR_error_string_n(err, errmsg, sizeof(errmsg));
env->ThrowError(errmsg);
message = String::NewFromUtf8(env->isolate(), errmsg,
v8::NewStringType::kNormal)
.ToLocalChecked();
} else {
env->ThrowError(default_message);
message = String::NewFromUtf8(env->isolate(), default_message,
v8::NewStringType::kNormal)
.ToLocalChecked();
}

Local<Value> exception_v = Exception::Error(message);
CHECK(!exception_v.IsEmpty());
Local<Object> exception = exception_v.As<Object>();
ERR_STATE* es = ERR_get_state();

if (es->bottom != es->top) {
Local<Array> error_stack = Array::New(env->isolate());
int top = es->top;

// Build the error_stack array to be added to opensslErrorStack property.
for (unsigned int i = 0; es->bottom != es->top;) {
unsigned long err_buf = es->err_buffer[es->top]; // NOLINT(runtime/int)
// Only add error string if there is valid err_buffer.
if (err_buf) {
char tmp_str[256];
ERR_error_string_n(err_buf, tmp_str, sizeof(tmp_str));
error_stack->Set(env->context(), i,
String::NewFromUtf8(env->isolate(), tmp_str,
v8::NewStringType::kNormal)
.ToLocalChecked()).FromJust();
// Only increment if we added to error_stack.
i++;
}

// Since the ERR_STATE is a ring buffer, we need to use modular
// arithmetic to loop back around in the case where bottom is after top.
// Using ERR_NUM_ERRORS macro defined in openssl.
es->top = (((es->top - 1) % ERR_NUM_ERRORS) + ERR_NUM_ERRORS) %
ERR_NUM_ERRORS;
}

// Restore top.
es->top = top;

// Add the opensslErrorStack property to the exception object.
// The new property will look like the following:
// opensslErrorStack: [
// 'error:0906700D:PEM routines:PEM_ASN1_read_bio:ASN1 lib',
// 'error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 err'
// ]
exception->Set(env->context(), env->openssl_error_stack(), error_stack)
.FromJust();
}

env->isolate()->ThrowException(exception);
}


Expand Down Expand Up @@ -4316,8 +4368,6 @@ SignBase::Error Verify::VerifyFinal(const char* key_pem,
if (!initialised_)
return kSignNotInitialised;

ClearErrorOnReturn clear_error_on_return;

EVP_PKEY* pkey = nullptr;
BIO* bp = nullptr;
X509* x509 = nullptr;
Expand Down Expand Up @@ -4406,6 +4456,8 @@ SignBase::Error Verify::VerifyFinal(const char* key_pem,
void Verify::VerifyFinal(const FunctionCallbackInfo<Value>& args) {
Environment* env = Environment::GetCurrent(args);

ClearErrorOnReturn clear_error_on_return;

Verify* verify;
ASSIGN_OR_RETURN_UNWRAP(&verify, args.Holder());

Expand Down
114 changes: 102 additions & 12 deletions test/parallel/test-crypto.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -46,7 +46,14 @@ assert.throws(function() {
const context = credentials.context;
const notcontext = { setOptions: context.setOptions, setKey: context.setKey };
tls.createSecureContext({ secureOptions: 1 }, notcontext);
}, /^TypeError: Illegal invocation$/);
}, (err) => {
// Throws TypeError, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^TypeError: Illegal invocation$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

// PFX tests
assert.doesNotThrow(function() {
Expand All @@ -55,15 +62,36 @@ assert.doesNotThrow(function() {

assert.throws(function() {
tls.createSecureContext({ pfx: certPfx });
}, /^Error: mac verify failure$/);
}, (err) => {
// Throws general Error, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^Error: mac verify failure$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
tls.createSecureContext({ pfx: certPfx, passphrase: 'test' });
}, /^Error: mac verify failure$/);
}, (err) => {
// Throws general Error, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^Error: mac verify failure$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
tls.createSecureContext({ pfx: 'sample', passphrase: 'test' });
}, /^Error: not enough data$/);
}, (err) => {
// Throws general Error, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^Error: not enough data$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});


// update() should only take buffers / strings
Expand Down Expand Up @@ -135,23 +163,62 @@ testImmutability(crypto.getCurves);
// throw, not assert in C++ land.
assert.throws(function() {
crypto.createCipher('aes192', 'test').update('0', 'hex');
}, common.hasFipsCrypto ? /not supported in FIPS mode/ : /Bad input string/);
}, (err) => {
const errorMessage =
common.hasFipsCrypto ? /not supported in FIPS mode/ : /Bad input string/;
// Throws general Error, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
errorMessage.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
crypto.createDecipher('aes192', 'test').update('0', 'hex');
}, common.hasFipsCrypto ? /not supported in FIPS mode/ : /Bad input string/);
}, (err) => {
const errorMessage =
common.hasFipsCrypto ? /not supported in FIPS mode/ : /Bad input string/;
// Throws general Error, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
errorMessage.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
crypto.createHash('sha1').update('0', 'hex');
}, /^TypeError: Bad input string$/);
}, (err) => {
// Throws TypeError, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^TypeError: Bad input string$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
crypto.createSign('SHA1').update('0', 'hex');
}, /^TypeError: Bad input string$/);
}, (err) => {
// Throws TypeError, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^TypeError: Bad input string$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
crypto.createVerify('SHA1').update('0', 'hex');
}, /^TypeError: Bad input string$/);
}, (err) => {
// Throws TypeError, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^TypeError: Bad input string$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
const priv = [
Expand All @@ -164,7 +231,13 @@ assert.throws(function() {
''
].join('\n');
crypto.createSign('SHA256').update('test').sign(priv);
}, /digest too big for rsa key$/);
}, (err) => {
if ((err instanceof Error) &&
/digest too big for rsa key$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

assert.throws(function() {
// The correct header inside `test_bad_rsa_privkey.pem` should have been
Expand All @@ -180,14 +253,31 @@ assert.throws(function() {
'ascii');
// this would inject errors onto OpenSSL's error stack
crypto.createSign('sha1').sign(sha1_privateKey);
}, /asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag/);
}, (err) => {
// Throws crypto error, so there is an opensslErrorStack property.
// The openSSL stack should have content.
if ((err instanceof Error) &&
/asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag/.test(err) &&
err.opensslErrorStack !== undefined &&
Array.isArray(err.opensslErrorStack) &&
err.opensslErrorStack.length > 0) {
return true;
}
});

// Make sure memory isn't released before being returned
console.log(crypto.randomBytes(16));

assert.throws(function() {
tls.createSecureContext({ crl: 'not a CRL' });
}, /^Error: Failed to parse CRL$/);
}, (err) => {
// Throws general error, so there is no opensslErrorStack property.
if ((err instanceof Error) &&
/^Error: Failed to parse CRL$/.test(err) &&
err.opensslErrorStack === undefined) {
return true;
}
});

/**
* Check if the stream function uses utf8 as a default encoding.
Expand Down

0 comments on commit 1ed0c77

Please sign in to comment.