From bcbd35a48d00c915690682b546e6c282bd15150b Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Wed, 27 Mar 2019 12:10:21 -0700 Subject: [PATCH] crypto: add openssl specific error properties MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Don't force the user to parse the long-style OpenSSL error message, decorate the error with the library, reason, code, function. PR-URL: https://github.com/nodejs/node/pull/26868 Reviewed-By: Anna Henningsen Reviewed-By: Ben Noordhuis Reviewed-By: Tobias Nießen --- doc/api/errors.md | 28 +++++- src/node_crypto.cc | 115 ++++++++++++++++++++++- src/tls_wrap.cc | 2 +- src/util-inl.h | 11 +++ src/util.h | 4 + test/parallel/test-crypto-dh.js | 13 ++- test/parallel/test-crypto-key-objects.js | 8 +- test/parallel/test-crypto-padding.js | 14 ++- test/parallel/test-crypto-rsa-dsa.js | 10 +- test/parallel/test-crypto-stream.js | 7 +- test/parallel/test-crypto.js | 18 ++-- 11 files changed, 206 insertions(+), 24 deletions(-) diff --git a/doc/api/errors.md b/doc/api/errors.md index 0161853774367d..d41de694961ca5 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -186,10 +186,6 @@ circumstance of why the error occurred. `Error` objects capture a "stack trace" detailing the point in the code at which the `Error` was instantiated, and may provide a text description of the error. -For crypto only, `Error` objects will include the OpenSSL error stack in a -separate property called `opensslErrorStack` if it is available when the error -is thrown. - All errors generated by Node.js, including all System and JavaScript errors, will either be instances of, or inherit from, the `Error` class. @@ -589,6 +585,30 @@ program. For a comprehensive list, see the [`errno`(3) man page][]. encountered by [`http`][] or [`net`][] — often a sign that a `socket.end()` was not properly called. +## OpenSSL Errors + +Errors originating in `crypto` or `tls` are of class `Error`, and in addition to +the standard `.code` and `.message` properties, may have some additional +OpenSSL-specific properties. + +### error.opensslErrorStack + +An array of errors that can give context to where in the OpenSSL library an +error originates from. + +### error.function + +The OpenSSL function the error originates in. + +### error.library + +The OpenSSL library the error originates in. + +### error.reason + +A human-readable string describing the reason for the error. + + ## Node.js Error Codes diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 8b5e6dee2fc3ee..c86414fc6296b0 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -212,6 +212,113 @@ static int NoPasswordCallback(char* buf, int size, int rwflag, void* u) { } +// namespace node::crypto::error +namespace error { +void Decorate(Environment* env, Local obj, + unsigned long err) { // NOLINT(runtime/int) + if (err == 0) return; // No decoration possible. + + const char* ls = ERR_lib_error_string(err); + const char* fs = ERR_func_error_string(err); + const char* rs = ERR_reason_error_string(err); + + Isolate* isolate = env->isolate(); + Local context = isolate->GetCurrentContext(); + + if (ls != nullptr) { + if (obj->Set(context, env->library_string(), + OneByteString(isolate, ls)).IsNothing()) { + return; + } + } + if (fs != nullptr) { + if (obj->Set(context, env->function_string(), + OneByteString(isolate, fs)).IsNothing()) { + return; + } + } + if (rs != nullptr) { + if (obj->Set(context, env->reason_string(), + OneByteString(isolate, rs)).IsNothing()) { + return; + } + + // SSL has no API to recover the error name from the number, so we + // transform reason strings like "this error" to "ERR_SSL_THIS_ERROR", + // which ends up being close to the original error macro name. + std::string reason(rs); + + for (auto& c : reason) { + if (c == ' ') + c = '_'; + else + c = ToUpper(c); + } + +#define OSSL_ERROR_CODES_MAP(V) \ + V(SYS) \ + V(BN) \ + V(RSA) \ + V(DH) \ + V(EVP) \ + V(BUF) \ + V(OBJ) \ + V(PEM) \ + V(DSA) \ + V(X509) \ + V(ASN1) \ + V(CONF) \ + V(CRYPTO) \ + V(EC) \ + V(SSL) \ + V(BIO) \ + V(PKCS7) \ + V(X509V3) \ + V(PKCS12) \ + V(RAND) \ + V(DSO) \ + V(ENGINE) \ + V(OCSP) \ + V(UI) \ + V(COMP) \ + V(ECDSA) \ + V(ECDH) \ + V(OSSL_STORE) \ + V(FIPS) \ + V(CMS) \ + V(TS) \ + V(HMAC) \ + V(CT) \ + V(ASYNC) \ + V(KDF) \ + V(SM2) \ + V(USER) \ + +#define V(name) case ERR_LIB_##name: lib = #name "_"; break; + const char* lib = ""; + const char* prefix = "OSSL_"; + switch (ERR_GET_LIB(err)) { OSSL_ERROR_CODES_MAP(V) } +#undef V +#undef OSSL_ERROR_CODES_MAP + // Don't generate codes like "ERR_OSSL_SSL_". + if (lib && strcmp(lib, "SSL_") == 0) + prefix = ""; + + // All OpenSSL reason strings fit in a single 80-column macro definition, + // all prefix lengths are <= 10, and ERR_OSSL_ is 9, so 128 is more than + // sufficient. + char code[128]; + snprintf(code, sizeof(code), "ERR_%s%s%s", prefix, lib, reason.c_str()); + + if (obj->Set(env->isolate()->GetCurrentContext(), + env->code_string(), + OneByteString(env->isolate(), code)).IsNothing()) + return; + } +} +} // namespace error + + struct CryptoErrorVector : public std::vector { inline void Capture() { clear(); @@ -258,6 +365,8 @@ struct CryptoErrorVector : public std::vector { void ThrowCryptoError(Environment* env, unsigned long err, // NOLINT(runtime/int) + // Default, only used if there is no SSL `err` which can + // be used to create a long-style message string. const char* message = nullptr) { char message_buffer[128] = {0}; if (err != 0 || message == nullptr) { @@ -270,7 +379,11 @@ void ThrowCryptoError(Environment* env, .ToLocalChecked(); CryptoErrorVector errors; errors.Capture(); - auto exception = errors.ToException(env, exception_string); + Local exception = errors.ToException(env, exception_string); + Local obj; + if (!exception->ToObject(env->context()).ToLocal(&obj)) + return; + error::Decorate(env, obj, err); env->isolate()->ThrowException(exception); } diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc index 59400d8f3a4a72..14802b1dfb74b8 100644 --- a/src/tls_wrap.cc +++ b/src/tls_wrap.cc @@ -453,7 +453,7 @@ Local TLSWrap::GetSSLError(int status, int* err, std::string* msg) { if (c == ' ') c = '_'; else - c = ::toupper(c); + c = ToUpper(c); } obj->Set(context, env()->code_string(), OneByteString(isolate, ("ERR_SSL_" + code).c_str())) diff --git a/src/util-inl.h b/src/util-inl.h index 5b59f25bc5ff16..99d470205e1ce7 100644 --- a/src/util-inl.h +++ b/src/util-inl.h @@ -274,6 +274,17 @@ std::string ToLower(const std::string& in) { return out; } +char ToUpper(char c) { + return c >= 'a' && c <= 'z' ? (c - 'a') + 'A' : c; +} + +std::string ToUpper(const std::string& in) { + std::string out(in.size(), 0); + for (size_t i = 0; i < in.size(); ++i) + out[i] = ToUpper(in[i]); + return out; +} + bool StringEqualNoCase(const char* a, const char* b) { do { if (*a == '\0') diff --git a/src/util.h b/src/util.h index 56b2bc83382698..a9de8f8636c11b 100644 --- a/src/util.h +++ b/src/util.h @@ -284,6 +284,10 @@ inline void SwapBytes64(char* data, size_t nbytes); inline char ToLower(char c); inline std::string ToLower(const std::string& in); +// toupper() is locale-sensitive. Use ToUpper() instead. +inline char ToUpper(char c); +inline std::string ToUpper(const std::string& in); + // strcasecmp() is locale-sensitive. Use StringEqualNoCase() instead. inline bool StringEqualNoCase(const char* a, const char* b); diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js index ead77d6a30c811..69d18f458e60bd 100644 --- a/test/parallel/test-crypto-dh.js +++ b/test/parallel/test-crypto-dh.js @@ -91,8 +91,13 @@ const secret4 = dh4.computeSecret(key2, 'hex', 'base64'); assert.strictEqual(secret1, secret4); -const wrongBlockLength = - /^Error: error:0606506D:digital envelope routines:EVP_DecryptFinal_ex:wrong final block length$/; +const wrongBlockLength = { + message: 'error:0606506D:digital envelope' + + ' routines:EVP_DecryptFinal_ex:wrong final block length', + code: 'ERR_OSSL_EVP_WRONG_FINAL_BLOCK_LENGTH', + library: 'digital envelope routines', + reason: 'wrong final block length' +}; // Run this one twice to make sure that the dh3 clears its error properly { @@ -111,7 +116,7 @@ const wrongBlockLength = assert.throws(() => { dh3.computeSecret(''); -}, /^Error: Supplied key is too small$/); +}, { message: 'Supplied key is too small' }); // Create a shared using a DH group. const alice = crypto.createDiffieHellmanGroup('modp5'); @@ -260,7 +265,7 @@ if (availableCurves.has('prime256v1') && availableCurves.has('secp256k1')) { assert.throws(() => { ecdh4.setPublicKey(ecdh3.getPublicKey()); - }, /^Error: Failed to convert Buffer to EC_POINT$/); + }, { message: 'Failed to convert Buffer to EC_POINT' }); // Verify that we can use ECDH without having to use newly generated keys. const ecdh5 = crypto.createECDH('secp256k1'); diff --git a/test/parallel/test-crypto-key-objects.js b/test/parallel/test-crypto-key-objects.js index fb1c3de1d7e224..c9cb90d408500f 100644 --- a/test/parallel/test-crypto-key-objects.js +++ b/test/parallel/test-crypto-key-objects.js @@ -165,7 +165,13 @@ const privatePem = fixtures.readSync('test_rsa_privkey.pem', 'ascii'); // This should not cause a crash: https://github.com/nodejs/node/issues/25247 assert.throws(() => { createPrivateKey({ key: '' }); - }, /null/); + }, { + message: 'error:2007E073:BIO routines:BIO_new_mem_buf:null parameter', + code: 'ERR_OSSL_BIO_NULL_PARAMETER', + reason: 'null parameter', + library: 'BIO routines', + function: 'BIO_new_mem_buf', + }); } [ diff --git a/test/parallel/test-crypto-padding.js b/test/parallel/test-crypto-padding.js index d4a5b95cec9242..909c014bd0f87a 100644 --- a/test/parallel/test-crypto-padding.js +++ b/test/parallel/test-crypto-padding.js @@ -82,7 +82,12 @@ assert.strictEqual(enc(EVEN_LENGTH_PLAIN, true), EVEN_LENGTH_ENCRYPTED); assert.throws(function() { // Input must have block length %. enc(ODD_LENGTH_PLAIN, false); -}, /data not multiple of block length/); +}, { + message: 'error:0607F08A:digital envelope routines:EVP_EncryptFinal_ex:' + + 'data not multiple of block length', + code: 'ERR_OSSL_EVP_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH', + reason: 'data not multiple of block length', +}); assert.strictEqual( enc(EVEN_LENGTH_PLAIN, false), EVEN_LENGTH_ENCRYPTED_NOPAD @@ -99,7 +104,12 @@ assert.strictEqual(dec(EVEN_LENGTH_ENCRYPTED, false).length, 48); assert.throws(function() { // Must have at least 1 byte of padding (PKCS): assert.strictEqual(dec(EVEN_LENGTH_ENCRYPTED_NOPAD, true), EVEN_LENGTH_PLAIN); -}, /bad decrypt/); +}, { + message: 'error:06065064:digital envelope routines:EVP_DecryptFinal_ex:' + + 'bad decrypt', + reason: 'bad decrypt', + code: 'ERR_OSSL_EVP_BAD_DECRYPT', +}); // No-pad encrypted string should return the same: assert.strictEqual( diff --git a/test/parallel/test-crypto-rsa-dsa.js b/test/parallel/test-crypto-rsa-dsa.js index 589fa57a1c9e77..143b7c2c41276a 100644 --- a/test/parallel/test-crypto-rsa-dsa.js +++ b/test/parallel/test-crypto-rsa-dsa.js @@ -24,8 +24,14 @@ const dsaKeyPemEncrypted = fixtures.readSync('test_dsa_privkey_encrypted.pem', const rsaPkcs8KeyPem = fixtures.readSync('test_rsa_pkcs8_privkey.pem'); const dsaPkcs8KeyPem = fixtures.readSync('test_dsa_pkcs8_privkey.pem'); -const decryptError = - /^Error: error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt$/; +const decryptError = { + message: 'error:06065064:digital envelope routines:EVP_DecryptFinal_ex:' + + 'bad decrypt', + code: 'ERR_OSSL_EVP_BAD_DECRYPT', + reason: 'bad decrypt', + function: 'EVP_DecryptFinal_ex', + library: 'digital envelope routines', +}; // Test RSA encryption/decryption { diff --git a/test/parallel/test-crypto-stream.js b/test/parallel/test-crypto-stream.js index 9430084bbee179..2d005c89db3f09 100644 --- a/test/parallel/test-crypto-stream.js +++ b/test/parallel/test-crypto-stream.js @@ -71,8 +71,11 @@ const cipher = crypto.createCipheriv('aes-128-cbc', key, iv); const decipher = crypto.createDecipheriv('aes-128-cbc', badkey, iv); cipher.pipe(decipher) - .on('error', common.mustCall(function end(err) { - assert(/bad decrypt/.test(err)); + .on('error', common.expectsError({ + message: /bad decrypt/, + function: 'EVP_DecryptFinal_ex', + library: 'digital envelope routines', + reason: 'bad decrypt', })); cipher.end('Papaya!'); // Should not cause an unhandled exception. diff --git a/test/parallel/test-crypto.js b/test/parallel/test-crypto.js index 005a733c0779d9..1952f8908acb03 100644 --- a/test/parallel/test-crypto.js +++ b/test/parallel/test-crypto.js @@ -238,15 +238,19 @@ assert.throws(function() { // This would inject errors onto OpenSSL's error stack crypto.createSign('sha1').sign(sha1_privateKey); }, (err) => { + // Do the standard checks, but then do some custom checks afterwards. + assert.throws(() => { throw err; }, { + message: 'error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag', + library: 'asn1 encoding routines', + function: 'asn1_check_tlen', + reason: 'wrong tag', + code: 'ERR_OSSL_ASN1_WRONG_TAG', + }); // Throws crypto error, so there is an opensslErrorStack property. // The openSSL stack should have content. - if ((err instanceof Error) && - /asn1 encoding routines:[^:]*:wrong tag/.test(err) && - err.opensslErrorStack !== undefined && - Array.isArray(err.opensslErrorStack) && - err.opensslErrorStack.length > 0) { - return true; - } + assert(Array.isArray(err.opensslErrorStack)); + assert(err.opensslErrorStack.length > 0); + return true; }); // Make sure memory isn't released before being returned