PrismarineJS / node-minecraft-protocol

Parse and serialize minecraft packets, plus authentication and encryption.
https://prismarinejs.github.io/node-minecraft-protocol/
BSD 3-Clause "New" or "Revised" License

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption #1293

Open Metro420yt opened 3 months ago

Metro420yt commented 3 months ago

[x] The FAQ doesn't contain a resolution to my issue

Versions

Detailed description of a problem

when trying to connect, on login.js line 120 the padding "crypto.constants.RSA_PKCS1_PADDING" throws an error, due to CVE-2023-46809

TypeError: RSA_PKCS1_PADDING is no longer supported for private decryption, this can be reverted with --security-revert=CVE-2023-46809
    at Client.onEncryptionKeyResponse ([...]\minecraft-protocol\src\server\login.js:120:39)
    ...

Current code

createServer({
    version: '1.12.2',
    port: 25565,
    beforePing: (response) => {
        if (properties.enableStatus === false) return;
        response.favicon = favicon;
    },
})

Expected behavior

wasn't sure if there was a way to fix this, or if it's just a part of the encryption method

edit: the error is silent, and the server just responds "Disconnected" and I should clarify, I'm not sure if it's possible to use another encryption method or not

Additional context

originally was using node v20.11.1, but updated at some point to see if it would help

passing "--security-revert=CVE-2023-46809" gives another error

was an issue caused by doing npm audit --force

extremeheat commented 3 months ago

Seems like a bug in nodejs.

Caused by https://github.com/nodejs/node/commit/54cd268059626800dbe1e02a88b28d9538cf5587

You can open an issue in https://github.com/nodejs/node for it

extremeheat commented 2 months ago

Being discussed in https://github.com/nodejs/node/issues/52017

extremeheat commented 2 months ago

Proposed programmatic way to re-enable is being discussed in https://github.com/nodejs/node/pull/52090, pure js workaround snippet to fix mentioned in https://github.com/nodejs/node/issues/52017#issuecomment-1987369610

IceTank commented 2 months ago

So, it looks like the node team decided to remove the padding feature? Is there a programmatic fix for it that could be added to nmp? I don't want to parse node arguments to all my applications.

extremeheat commented 2 months ago

Read the linked issue/PR, I left a comment on https://github.com/nodejs/node/issues/52017#issuecomment-2080906420.

Ideally the standard lib of a language doesn't do breaking updates to remove functionality in minor versions, but that's what seems to be the case at the moment (for security reasons). There is a PR to add a code based toggle to re-enable the functionality, but it's not for sure that will be merged. This may require using the nodeRSA workaround snippet posted in nodejs/node#52017.

IceTank commented 2 months ago

> Read the linked issue/PR, I left a comment on nodejs/node#52017 (comment).
>
> Ideally the standard lib of a language doesn't do breaking updates to remove functionality in minor versions, but that's what seems to be the case at the moment (for security reasons). There is a PR to add a code based toggle to re-enable the functionality, but it's not for sure that will be merged. This may require using the nodeRSA workaround snippet posted in nodejs/node#52017.

I think we should go for the nodeRSA workaround for the time being because Node-Minecraft-Protocol does not work right now with the latest LTS versions of Node.

extremeheat commented 1 month ago

Yeah, https://github.com/nodejs/node/issues/52017#issuecomment-1987369610 should have the relevant code to do it