Unable to use RSA_PKCS1_PADDING with v22+ - `--security-revert` suggests CVE-2024-PEND

[SPodjasek]

Version

v22.11.0, v23.1.0

Platform

Linux 6.8.0-47-generic #47-Ubuntu SMP PREEMPT_DYNAMIC Fri Sep 27 21:40:26 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

No response

What steps will reproduce the bug?

Trying to run this sample code:

import('node:crypto').then(
  ({ constants, generateKeyPairSync, privateDecrypt, publicEncrypt }) => {
    console.log(`Running on ${process.version}`);
    const padding = constants.RSA_PKCS1_PADDING;
    const { publicKey, privateKey } = generateKeyPairSync('rsa', {
      modulusLength: 2048,
    });

    const source = Buffer.from('test');
    const encrypted = publicEncrypt({ key: publicKey, padding }, source);
    const decrypted = privateDecrypt({ key: privateKey, padding }, encrypted);

    console.log(
      source.toString() === decrypted.toString() ? 'Match' : 'Failure'
    );
  }
);

How often does it reproduce? Is there a required condition?

I've tested on v22.0.0, v22.10.0, v22.11.0 and v23.1.0 - all return

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, 
  this can be reverted with --security-revert=CVE-2024-PEND

What is the expected behavior? Why is that the expected behavior?

It should run with a warning as v20.17.0

SECURITY WARNING: Reverting CVE-2023-46809: Marvin attack on PKCS#1 padding

What do you see instead?

It complains about unknown CVE

node: Error: Attempt to revert an unknown CVE [CVE-2024-PEND]

Additional information

Complete 'test' session

$ nvm use v20
Now using node v20.17.0 (npm v10.8.3)
$ node test.js                                        
Running on v20.17.0
node:internal/crypto/cipher:79
    return method(data, format, type, passphrase, buffer, padding, oaepHash,
           ^

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at node:internal/crypto/cipher:79:12
    at file:///.../test.js:11:23 {
  code: 'ERR_INVALID_ARG_VALUE'
}

Node.js v20.17.0
$ node --security-revert=CVE-2023-46809 test.js        
SECURITY WARNING: Reverting CVE-2023-46809: Marvin attack on PKCS#1 padding
Running on v20.17.0
Match
$ nvm use v22                                  
Now using node v22.11.0 (npm v10.9.0)
$ node test.js                                 
Running on v22.11.0
node:internal/crypto/cipher:79
    return method(data, format, type, passphrase, buffer, padding, oaepHash,
           ^

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2024-PEND
    at node:internal/crypto/cipher:79:12
    at file:///.../test.js:11:23 {
  code: 'ERR_INVALID_ARG_VALUE'
}

Node.js v22.11.0
$ node --security-revert=CVE-2024-PEND test.js 
node: Error: Attempt to revert an unknown CVE [CVE-2024-PEND]
$ nvm use v23                                 
Now using node v23.1.0 (npm v10.9.0)
$ node test.js                                
Running on v23.1.0
node:internal/crypto/cipher:79
    return method(data, format, type, passphrase, buffer, padding, oaepHash,
           ^

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2024-PEND
    at node:internal/crypto/cipher:79:12
    at file:///.../test.js:11:23 {
  code: 'ERR_INVALID_ARG_VALUE'
}

Node.js v23.1.0
$ node --security-revert=CVE-2024-PEND test.js
node: Error: Attempt to revert an unknown CVE [CVE-2024-PEND]

[aduh95]

@mhdawson @RafaelGSS git blame points at 54cd268, should the error message mention CVE-2023-46809 instead of CVE-2024-PEND? Or should the error message message be amended to remove the this can be reverted part?

[richardlau]

The this can be reverted part should be removed. The revert was only added to Node.js 21, 20 and 18 (the release lines at the time).

main should not have any reverts

node/src/node_revert.h

Line 14 in d5fa767

* For *main* this list should always be empty!

so it is not possible to revert that fix for Node.js 22 and 23 (which were created later than that fix).

[richardlau]

Opened #55629 to fix the error message.

[SPodjasek]

@richardlau Out of curiosity is it expected that OpenSSL will release patched implementation - or should PKCS #1 v1.5 be considered as obsolete and will never be supported again?
I'm not a crypto expert, but we need to use this implementation for communication with some governmental systems which I guess won't change anything in near future, nor I don't think they'll ever switch to RSA OAEP.

[richardlau]

@SPodjasek AIUI OpenSSL patched 3.2 but do not plan to merge to 3.1 (or 3.0). From our point-of-view we're going to stay on OpenSSL 3.0 for Node.js 22 for as long as possible since OpenSSL 3.0 has long term support (LTS). We'll consider our options when OpenSSL announced their successor LTS to OpenSSL 3.0.

Some Linux distros (e.g. Fedora/RHEL) have patched their OpenSSL implementations -- if you get Node.js on those from their package repositories you'll be linked to those patched implementations.

[SPodjasek]

@richardlau Great, thank you for clarifying that