Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

parallel.test-crypto-rsa-dsa fails with Missing expected exception #52537

Closed
richardlau opened this issue Apr 15, 2024 · 7 comments
Closed

parallel.test-crypto-rsa-dsa fails with Missing expected exception #52537

richardlau opened this issue Apr 15, 2024 · 7 comments
Labels
flaky-test Issues and PRs related to the tests with unstable failures on the CI. linux Issues and PRs related to the Linux platform.

Comments

@richardlau
Copy link
Member

Test

test-crypto-rsa-dsa

Platform

Linux x64

Console output

08:08:54 not ok 758 parallel/test-crypto-rsa-dsa
08:08:54   ---
08:08:54   duration_ms: 245.73400
08:08:54   severity: fail
08:08:54   exitcode: 1
08:08:54   stack: |-
08:08:54     node:assert:126
08:08:54       throw new AssertionError(obj);
08:08:54       ^
08:08:54     
08:08:54     AssertionError [ERR_ASSERTION]: Missing expected exception.
08:08:54         at test_rsa (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-crypto-rsa-dsa.js:226:12)
08:08:54         at Object.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux-containered/test/parallel/test-crypto-rsa-dsa.js:258:1)
08:08:54         at Module._compile (node:internal/modules/cjs/loader:1476:14)
08:08:54         at Module._extensions..js (node:internal/modules/cjs/loader:1555:10)
08:08:54         at Module.load (node:internal/modules/cjs/loader:1288:32)
08:08:54         at Module._load (node:internal/modules/cjs/loader:1104:12)
08:08:54         at Function.executeUserEntryPoint [as runMain] (node:internal/modules/run_main:187:14)
08:08:54         at node:internal/main/run_main_module:28:49 {
08:08:54       generatedMessage: false,
08:08:54       code: 'ERR_ASSERTION',
08:08:54       actual: undefined,
08:08:54       expected: { code: 'ERR_INVALID_ARG_VALUE' },
08:08:54       operator: 'throws'
08:08:54     }
08:08:54     
08:08:54     Node.js v22.0.0-pre
08:08:54   ...

Build links

Additional information

Looks like this test is constantly failing on test-ibm-ubi81_container-x64-1 since yesterday.

@richardlau richardlau added the flaky-test Issues and PRs related to the tests with unstable failures on the CI. label Apr 15, 2024
@github-actions github-actions bot added the linux Issues and PRs related to the Linux platform. label Apr 15, 2024
@richardlau
Copy link
Member Author

richardlau commented Apr 15, 2024

The stack is pointing at the test added in 54cd268 for https://hackerone.com/reports/2269177.

IIRC ubi81_sharedlibs_openssl111fips_x64 builds against the system OpenSSL (i.e. the one in UBI 8). The container was recently redeployed -- I'm wondering if that has picked up a patched system OpenSSL that the test case doesn't pass with.

cc @mhdawson

@richardlau
Copy link
Member Author

The code does a runtime check for whether the OpenSSL implementation supports implicit rejection and conditionally throws an exception based on the check:

int rsa_pkcs1_implicit_rejection =
EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1");
// From the doc -2 means that the option is not supported.
// The default for the option is enabled and if it has been
// specifically disabled we want to respect that so we will
// not throw an error if the option is supported regardless
// of how it is set. The call to set the value
// will not affect what is used since a different context is
// used in the call if the option is supported
if (rsa_pkcs1_implicit_rejection <= 0) {
return THROW_ERR_INVALID_ARG_VALUE(
env,
"RSA_PKCS1_PADDING is no longer supported for private decryption,"
" this can be reverted with --security-revert=CVE-2024-PEND");
}

However the test looks to be always expecting the exception. It may not be easy for the test to do the feature detection without native code.

@richardlau
Copy link
Member Author

@mhdawson Thoughts? Perhaps as a short term fix we can skip the test if built with a dynamically linked OpenSSL?

I presume we'd expect to have to update the test in the future when we update the statically linked OpenSSL to a version that supports the implicit rejection.

@targos
Copy link
Member

targos commented Apr 15, 2024

This is a similar problem to #52196

@richardlau

This comment was marked as outdated.

@targos
Copy link
Member

targos commented Apr 15, 2024

I also rebuilt test-digitalocean-ubi81_container-x64-1 (and all other containers on that host) today.

@richardlau
Copy link
Member Author

I had a quick discussion with @mhdawson who is going to look at if there's a way for the test to detect if the underlying OpenSSL implementation supports implicit rejections.

As a temporary fix to unblock the CI, I've opened #52542 to skip that part of the test if Node.js has been dynamically linked against OpenSSL.

nodejs-github-bot pushed a commit that referenced this issue Apr 15, 2024
As a temporary measure to unblock the CI, skip the RSA implicit
rejection test when Node.js is built against a dynamically linked
OpenSSL.

PR-URL: #52542
Refs: #52537
Refs: nodejs-private/node-private#525
Refs: https://hackerone.com/reports/2269177
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
richardlau added a commit that referenced this issue Apr 17, 2024
As a temporary measure to unblock the CI, skip the RSA implicit
rejection test when Node.js is built against a dynamically linked
OpenSSL.

PR-URL: #52542
Refs: #52537
Refs: nodejs-private/node-private#525
Refs: https://hackerone.com/reports/2269177
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
richardlau added a commit that referenced this issue Apr 17, 2024
As a temporary measure to unblock the CI, skip the RSA implicit
rejection test when Node.js is built against a dynamically linked
OpenSSL.

PR-URL: #52542
Refs: #52537
Refs: nodejs-private/node-private#525
Refs: https://hackerone.com/reports/2269177
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
marco-ippolito pushed a commit that referenced this issue Apr 23, 2024
As a temporary measure to unblock the CI, skip the RSA implicit
rejection test when Node.js is built against a dynamically linked
OpenSSL.

PR-URL: #52542
Refs: #52537
Refs: nodejs-private/node-private#525
Refs: https://hackerone.com/reports/2269177
Reviewed-By: Michaël Zasso <targos@protonmail.com>
Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Michael Dawson <midawson@redhat.com>
mhdawson added a commit to mhdawson/io.js that referenced this issue May 1, 2024
Fixes: nodejs#52537

Signed-off-by: Michael Dawson <midawson@redhat.com>
Ch3nYuY pushed a commit to Ch3nYuY/node that referenced this issue May 8, 2024
Fixes: nodejs#52537

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#52781
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
targos pushed a commit that referenced this issue May 8, 2024
Fixes: #52537

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: #52781
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
marco-ippolito pushed a commit that referenced this issue Jun 17, 2024
Fixes: #52537

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: #52781
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
sophoniie pushed a commit to sophoniie/node that referenced this issue Jun 20, 2024
Fixes: nodejs#52537

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#52781
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
bmeck pushed a commit to bmeck/node that referenced this issue Jun 22, 2024
Fixes: nodejs#52537

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: nodejs#52781
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
flaky-test Issues and PRs related to the tests with unstable failures on the CI. linux Issues and PRs related to the Linux platform.
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants