mirror of
https://github.com/electron/electron.git
synced 2026-01-09 15:38:08 -05:00
93f4a93e12
* chore: bump node in DEPS to v22.13.1 * chore: fixup GN build file * https://github.com/nodejs/node/pull/55529 * https://github.com/nodejs/node/pull/55798 * https://github.com/nodejs/node/pull/55530 * module: simplify --inspect-brk handling https://github.com/nodejs/node/pull/55679 * src: fix outdated js2c.cc references https://github.com/nodejs/node/pull/56133 * crypto: include openssl/rand.h explicitly https://github.com/nodejs/node/pull/55425 * build: use variable for crypto dep path https://github.com/nodejs/node/pull/55928 * crypto: fix RSA_PKCS1_PADDING error message https://github.com/nodejs/node/pull/55629 * build: use variable for simdutf path https://github.com/nodejs/node/pull/56196 * test,crypto: make crypto tests work with BoringSSL https://github.com/nodejs/node/pull/55491 * fix: suppress clang -Wdeprecated-declarations in libuv https://github.com/libuv/libuv/pull/4486 * deps: update libuv to 1.49.1 https://github.com/nodejs/node/pull/55114 * test: make test-node-output-v8-warning more flexible https://github.com/nodejs/node/pull/55401 * [v22.x] Revert "v8: enable maglev on supported architectures" https://github.com/nodejs/node/pull/54384 * fix: potential WIN32_LEAN_AND_MEAN redefinition https://github.com/c-ares/c-ares/pull/869 * deps: update nghttp2 to 1.64.0 https://github.com/nodejs/node/pull/55559 * src: provide workaround for container-overflow https://github.com/nodejs/node/pull/55591 * build: use variable for simdutf path https://github.com/nodejs/node/pull/56196 * chore: fixup patch indices * fixup! module: simplify --inspect-brk handling * lib: fix fs.readdir recursive async https://github.com/nodejs/node/pull/56041 * lib: avoid excluding symlinks in recursive fs.readdir with filetypes https://github.com/nodejs/node/pull/55714/ This doesn't currently play well with ASAR - this should be fixed in a follow up * test: disable CJS permission test for config.main This has diverged as a result of our revert of src,lb: reducing C++ calls of esm legacy main resolve * fixup! lib: fix fs.readdir recursive async * deps: update libuv to 1.49.1 https://github.com/nodejs/node/pull/55114 --------- Co-authored-by: electron-roller[bot] <84116207+electron-roller[bot]@users.noreply.github.com> Co-authored-by: Shelley Vohr <shelley.vohr@gmail.com>
623 lines
24 KiB
Diff
623 lines
24 KiB
Diff
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
|
|
From: Shelley Vohr <shelley.vohr@gmail.com>
|
|
Date: Wed, 12 Feb 2020 15:08:04 -0800
|
|
Subject: fix: handle BoringSSL and OpenSSL incompatibilities
|
|
|
|
This patch corrects for imcompatibilities between OpenSSL, which Node.js uses,
|
|
and BoringSSL which Electron uses via Chromium. Each incompatibility typically has
|
|
~2 paths forward:
|
|
* Upstream a shim or adapted implementation to BoringSSL
|
|
* Alter Node.js functionality to something which both libraries can handle.
|
|
|
|
Where possible, we should seek to make this patch as minimal as possible.
|
|
|
|
Upstreams:
|
|
- https://github.com/nodejs/node/pull/39054
|
|
- https://github.com/nodejs/node/pull/39138
|
|
- https://github.com/nodejs/node/pull/39136
|
|
|
|
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
|
|
index ac2d771555126a4f43b8c3a3fd299d40019e6622..769fe636ef2b5d02ecc9ff753e64d93ea5075700 100644
|
|
--- a/deps/ncrypto/ncrypto.cc
|
|
+++ b/deps/ncrypto/ncrypto.cc
|
|
@@ -11,9 +11,6 @@
|
|
#if OPENSSL_VERSION_MAJOR >= 3
|
|
#include <openssl/provider.h>
|
|
#endif
|
|
-#ifdef OPENSSL_IS_BORINGSSL
|
|
-#include "dh-primes.h"
|
|
-#endif // OPENSSL_IS_BORINGSSL
|
|
|
|
namespace ncrypto {
|
|
namespace {
|
|
@@ -708,7 +705,7 @@ bool SafeX509SubjectAltNamePrint(const BIOPointer& out, X509_EXTENSION* ext) {
|
|
|
|
bool ok = true;
|
|
|
|
- for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) {
|
|
+ for (size_t i = 0; i < sk_GENERAL_NAME_num(names); i++) {
|
|
GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i);
|
|
|
|
if (i != 0) BIO_write(out.get(), ", ", 2);
|
|
@@ -732,7 +729,7 @@ bool SafeX509InfoAccessPrint(const BIOPointer& out, X509_EXTENSION* ext) {
|
|
|
|
bool ok = true;
|
|
|
|
- for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(descs); i++) {
|
|
+ for (size_t i = 0; i < sk_ACCESS_DESCRIPTION_num(descs); i++) {
|
|
ACCESS_DESCRIPTION* desc = sk_ACCESS_DESCRIPTION_value(descs, i);
|
|
|
|
if (i != 0) BIO_write(out.get(), "\n", 1);
|
|
@@ -874,13 +871,17 @@ BIOPointer X509View::getValidTo() const {
|
|
|
|
int64_t X509View::getValidToTime() const {
|
|
struct tm tp;
|
|
- ASN1_TIME_to_tm(X509_get0_notAfter(cert_), &tp);
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
+ ASN1_TIME_to_tm(X509_get0_notAfter(cert_), &tp);
|
|
+#endif
|
|
return PortableTimeGM(&tp);
|
|
}
|
|
|
|
int64_t X509View::getValidFromTime() const {
|
|
struct tm tp;
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
ASN1_TIME_to_tm(X509_get0_notBefore(cert_), &tp);
|
|
+#endif
|
|
return PortableTimeGM(&tp);
|
|
}
|
|
|
|
@@ -1085,7 +1086,11 @@ BIOPointer BIOPointer::NewMem() {
|
|
}
|
|
|
|
BIOPointer BIOPointer::NewSecMem() {
|
|
- return BIOPointer(BIO_new(BIO_s_secmem()));
|
|
+#ifdef OPENSSL_IS_BORINGSSL
|
|
+ return BIOPointer(BIO_new(BIO_s_mem()));
|
|
+#else
|
|
+ return BIOPointer(BIO_new(BIO_s_secmem()));
|
|
+#endif
|
|
}
|
|
|
|
BIOPointer BIOPointer::New(const BIO_METHOD* method) {
|
|
@@ -1149,8 +1154,10 @@ BignumPointer DHPointer::FindGroup(const std::string_view name,
|
|
#define V(n, p) \
|
|
if (EqualNoCase(name, n)) return BignumPointer(p(nullptr));
|
|
if (option != FindGroupOption::NO_SMALL_PRIMES) {
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
V("modp1", BN_get_rfc2409_prime_768);
|
|
V("modp2", BN_get_rfc2409_prime_1024);
|
|
+#endif
|
|
V("modp5", BN_get_rfc3526_prime_1536);
|
|
}
|
|
V("modp14", BN_get_rfc3526_prime_2048);
|
|
@@ -1223,11 +1230,13 @@ DHPointer::CheckPublicKeyResult DHPointer::checkPublicKey(
|
|
int codes = 0;
|
|
if (DH_check_pub_key(dh_.get(), pub_key.get(), &codes) != 1)
|
|
return DHPointer::CheckPublicKeyResult::CHECK_FAILED;
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
if (codes & DH_CHECK_PUBKEY_TOO_SMALL) {
|
|
return DHPointer::CheckPublicKeyResult::TOO_SMALL;
|
|
} else if (codes & DH_CHECK_PUBKEY_TOO_SMALL) {
|
|
return DHPointer::CheckPublicKeyResult::TOO_LARGE;
|
|
- } else if (codes != 0) {
|
|
+#endif
|
|
+ if (codes != 0) {
|
|
return DHPointer::CheckPublicKeyResult::INVALID;
|
|
}
|
|
return CheckPublicKeyResult::NONE;
|
|
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
|
|
index fffa75ec718facc61cebf48f33ddc3909b9b9413..19757016a4f50e2f656a76bf60cb87e601845afe 100644
|
|
--- a/deps/ncrypto/ncrypto.h
|
|
+++ b/deps/ncrypto/ncrypto.h
|
|
@@ -516,17 +516,21 @@ class DHPointer final {
|
|
UNABLE_TO_CHECK_GENERATOR = DH_UNABLE_TO_CHECK_GENERATOR,
|
|
NOT_SUITABLE_GENERATOR = DH_NOT_SUITABLE_GENERATOR,
|
|
Q_NOT_PRIME = DH_CHECK_Q_NOT_PRIME,
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
INVALID_Q = DH_CHECK_INVALID_Q_VALUE,
|
|
INVALID_J = DH_CHECK_INVALID_J_VALUE,
|
|
+#endif
|
|
CHECK_FAILED = 512,
|
|
};
|
|
CheckResult check();
|
|
|
|
enum class CheckPublicKeyResult {
|
|
NONE,
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
TOO_SMALL = DH_R_CHECK_PUBKEY_TOO_SMALL,
|
|
TOO_LARGE = DH_R_CHECK_PUBKEY_TOO_LARGE,
|
|
- INVALID = DH_R_CHECK_PUBKEY_INVALID,
|
|
+#endif
|
|
+ INVALID = DH_R_INVALID_PUBKEY,
|
|
CHECK_FAILED = 512,
|
|
};
|
|
// Check to see if the given public key is suitable for this DH instance.
|
|
diff --git a/node.gni b/node.gni
|
|
index 245a43920c7baf000ba63192a84a4c3fd219be7d..56a554175b805c1703f13d62041f8c80d6e94dd9 100644
|
|
--- a/node.gni
|
|
+++ b/node.gni
|
|
@@ -11,7 +11,7 @@ declare_args() {
|
|
node_v8_path = "//v8"
|
|
|
|
# The location of OpenSSL - use the one from node's deps by default.
|
|
- node_openssl_path = "$node_path/deps/openssl"
|
|
+ node_openssl_path = "//third_party/boringssl"
|
|
|
|
# The location of simdutf - use the one from node's deps by default.
|
|
node_simdutf_path = "$node_path/deps/simdutf"
|
|
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
|
|
index c7588583530cf291946d01cec807390d987706cf..495fb92355a7eadc2f7ec885a3b529988bb3bd02 100644
|
|
--- a/src/crypto/crypto_cipher.cc
|
|
+++ b/src/crypto/crypto_cipher.cc
|
|
@@ -1080,7 +1080,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
|
|
if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) {
|
|
return ThrowCryptoError(env, ERR_get_error());
|
|
}
|
|
-
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
int rsa_pkcs1_implicit_rejection =
|
|
EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1");
|
|
// From the doc -2 means that the option is not supported.
|
|
@@ -1095,6 +1095,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
|
|
env,
|
|
"RSA_PKCS1_PADDING is no longer supported for private decryption");
|
|
}
|
|
+#endif
|
|
}
|
|
|
|
const EVP_MD* digest = nullptr;
|
|
diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
|
|
index 43a126f863779d3f364f92bd237039474b489845..77a3caee93049f65faef37e93b871c467ebca7e5 100644
|
|
--- a/src/crypto/crypto_common.cc
|
|
+++ b/src/crypto/crypto_common.cc
|
|
@@ -134,7 +134,7 @@ const char* GetClientHelloALPN(const SSLPointer& ssl) {
|
|
const unsigned char* buf;
|
|
size_t len;
|
|
size_t rem;
|
|
-
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
if (!SSL_client_hello_get0_ext(
|
|
ssl.get(),
|
|
TLSEXT_TYPE_application_layer_protocol_negotiation,
|
|
@@ -147,13 +147,15 @@ const char* GetClientHelloALPN(const SSLPointer& ssl) {
|
|
len = (buf[0] << 8) | buf[1];
|
|
if (len + 2 != rem) return nullptr;
|
|
return reinterpret_cast<const char*>(buf + 3);
|
|
+#endif
|
|
+ return nullptr;
|
|
}
|
|
|
|
const char* GetClientHelloServerName(const SSLPointer& ssl) {
|
|
const unsigned char* buf;
|
|
size_t len;
|
|
size_t rem;
|
|
-
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
if (!SSL_client_hello_get0_ext(
|
|
ssl.get(),
|
|
TLSEXT_TYPE_server_name,
|
|
@@ -175,6 +177,8 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
|
|
if (len + 2 > rem)
|
|
return nullptr;
|
|
return reinterpret_cast<const char*>(buf + 5);
|
|
+#endif
|
|
+ return nullptr;
|
|
}
|
|
|
|
const char* GetServerName(SSL* ssl) {
|
|
@@ -282,7 +286,7 @@ StackOfX509 CloneSSLCerts(X509Pointer&& cert,
|
|
if (!peer_certs) return StackOfX509();
|
|
if (cert && !sk_X509_push(peer_certs.get(), cert.release()))
|
|
return StackOfX509();
|
|
- for (int i = 0; i < sk_X509_num(ssl_certs); i++) {
|
|
+ for (size_t i = 0; i < sk_X509_num(ssl_certs); i++) {
|
|
X509Pointer cert(X509_dup(sk_X509_value(ssl_certs, i)));
|
|
if (!cert || !sk_X509_push(peer_certs.get(), cert.get()))
|
|
return StackOfX509();
|
|
@@ -298,7 +302,7 @@ MaybeLocal<Object> AddIssuerChainToObject(X509Pointer* cert,
|
|
Environment* const env) {
|
|
cert->reset(sk_X509_delete(peer_certs.get(), 0));
|
|
for (;;) {
|
|
- int i;
|
|
+ size_t i;
|
|
for (i = 0; i < sk_X509_num(peer_certs.get()); i++) {
|
|
ncrypto::X509View ca(sk_X509_value(peer_certs.get(), i));
|
|
if (!cert->view().isIssuedBy(ca)) continue;
|
|
@@ -384,14 +388,14 @@ MaybeLocal<Array> GetClientHelloCiphers(
|
|
Environment* env,
|
|
const SSLPointer& ssl) {
|
|
EscapableHandleScope scope(env->isolate());
|
|
- const unsigned char* buf;
|
|
- size_t len = SSL_client_hello_get0_ciphers(ssl.get(), &buf);
|
|
+ // const unsigned char* buf = nullptr;
|
|
+ size_t len = 0; // SSL_client_hello_get0_ciphers(ssl.get(), &buf);
|
|
size_t count = len / 2;
|
|
MaybeStackBuffer<Local<Value>, 16> ciphers(count);
|
|
int j = 0;
|
|
for (size_t n = 0; n < len; n += 2) {
|
|
- const SSL_CIPHER* cipher = SSL_CIPHER_find(ssl.get(), buf);
|
|
- buf += 2;
|
|
+ const SSL_CIPHER* cipher = nullptr; // SSL_CIPHER_find(ssl.get(), buf);
|
|
+ // buf += 2;
|
|
Local<Object> obj = Object::New(env->isolate());
|
|
if (!Set(env->context(),
|
|
obj,
|
|
@@ -444,8 +448,11 @@ MaybeLocal<Object> GetEphemeralKey(Environment* env, const SSLPointer& ssl) {
|
|
|
|
EscapableHandleScope scope(env->isolate());
|
|
Local<Object> info = Object::New(env->isolate());
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
if (!SSL_get_peer_tmp_key(ssl.get(), &raw_key)) return scope.Escape(info);
|
|
-
|
|
+#else
|
|
+ if (!SSL_get_server_tmp_key(ssl.get(), &raw_key)) return scope.Escape(info);
|
|
+#endif
|
|
Local<Context> context = env->context();
|
|
crypto::EVPKeyPointer key(raw_key);
|
|
|
|
diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
|
|
index aa5fc61f19e435b4833f3f49df10fa1edf2142c7..0a338b018a4ec20cb5bce250faf60d3f3bf192d4 100644
|
|
--- a/src/crypto/crypto_context.cc
|
|
+++ b/src/crypto/crypto_context.cc
|
|
@@ -94,7 +94,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
|
|
// the CA certificates.
|
|
SSL_CTX_clear_extra_chain_certs(ctx);
|
|
|
|
- for (int i = 0; i < sk_X509_num(extra_certs); i++) {
|
|
+ for (size_t i = 0; i < sk_X509_num(extra_certs); i++) {
|
|
X509* ca = sk_X509_value(extra_certs, i);
|
|
|
|
// NOTE: Increments reference count on `ca`
|
|
@@ -920,11 +920,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
|
|
// If the user specified "auto" for dhparams, the JavaScript layer will pass
|
|
// true to this function instead of the original string. Any other string
|
|
// value will be interpreted as custom DH parameters below.
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
if (args[0]->IsTrue()) {
|
|
CHECK(SSL_CTX_set_dh_auto(sc->ctx_.get(), true));
|
|
return;
|
|
}
|
|
-
|
|
+#endif
|
|
DHPointer dh;
|
|
{
|
|
BIOPointer bio(LoadBIO(env, args[0]));
|
|
@@ -1150,7 +1151,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo<Value>& args) {
|
|
}
|
|
|
|
// Add CA certs too
|
|
- for (int i = 0; i < sk_X509_num(extra_certs.get()); i++) {
|
|
+ for (size_t i = 0; i < sk_X509_num(extra_certs.get()); i++) {
|
|
X509* ca = sk_X509_value(extra_certs.get(), i);
|
|
|
|
X509_STORE_add_cert(sc->GetCertStoreOwnedByThisSecureContext(), ca);
|
|
diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc
|
|
index d760a0d3ea1d12184a558f5e87cb22043d26a0f5..f973941b3b9ea954f35f2ea135f8ee3d77b98958 100644
|
|
--- a/src/crypto/crypto_dh.cc
|
|
+++ b/src/crypto/crypto_dh.cc
|
|
@@ -7,7 +7,9 @@
|
|
#include "memory_tracker-inl.h"
|
|
#include "ncrypto.h"
|
|
#include "node_errors.h"
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
#include "openssl/bnerr.h"
|
|
+#endif
|
|
#include "openssl/dh.h"
|
|
#include "threadpoolwork-inl.h"
|
|
#include "v8.h"
|
|
@@ -86,11 +88,7 @@ void New(const FunctionCallbackInfo<Value>& args) {
|
|
if (args[0]->IsInt32()) {
|
|
int32_t bits = args[0].As<Int32>()->Value();
|
|
if (bits < 2) {
|
|
-#if OPENSSL_VERSION_MAJOR >= 3
|
|
- ERR_put_error(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_SMALL, __FILE__, __LINE__);
|
|
-#else
|
|
- ERR_put_error(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL, __FILE__, __LINE__);
|
|
-#endif
|
|
+ OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
|
|
return ThrowCryptoError(env, ERR_get_error(), "Invalid prime length");
|
|
}
|
|
|
|
@@ -103,7 +101,7 @@ void New(const FunctionCallbackInfo<Value>& args) {
|
|
}
|
|
int32_t generator = args[1].As<Int32>()->Value();
|
|
if (generator < 2) {
|
|
- ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
|
|
+ OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
|
|
return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
|
|
}
|
|
|
|
@@ -132,12 +130,12 @@ void New(const FunctionCallbackInfo<Value>& args) {
|
|
if (args[1]->IsInt32()) {
|
|
int32_t generator = args[1].As<Int32>()->Value();
|
|
if (generator < 2) {
|
|
- ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
|
|
+ OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
|
|
return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
|
|
}
|
|
bn_g = BignumPointer::New();
|
|
if (!bn_g.setWord(generator)) {
|
|
- ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
|
|
+ OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
|
|
return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
|
|
}
|
|
} else {
|
|
@@ -146,11 +144,11 @@ void New(const FunctionCallbackInfo<Value>& args) {
|
|
return THROW_ERR_OUT_OF_RANGE(env, "generator is too big");
|
|
bn_g = BignumPointer(reinterpret_cast<uint8_t*>(arg1.data()), arg1.size());
|
|
if (!bn_g) {
|
|
- ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
|
|
+ OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
|
|
return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
|
|
}
|
|
if (bn_g.getWord() < 2) {
|
|
- ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
|
|
+ OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
|
|
return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
|
|
}
|
|
}
|
|
@@ -258,15 +256,17 @@ void ComputeSecret(const FunctionCallbackInfo<Value>& args) {
|
|
BignumPointer key(key_buf.data(), key_buf.size());
|
|
|
|
switch (dh.checkPublicKey(key)) {
|
|
- case DHPointer::CheckPublicKeyResult::INVALID:
|
|
- // Fall-through
|
|
case DHPointer::CheckPublicKeyResult::CHECK_FAILED:
|
|
return THROW_ERR_CRYPTO_INVALID_KEYTYPE(env,
|
|
"Unspecified validation error");
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
case DHPointer::CheckPublicKeyResult::TOO_SMALL:
|
|
return THROW_ERR_CRYPTO_INVALID_KEYLEN(env, "Supplied key is too small");
|
|
case DHPointer::CheckPublicKeyResult::TOO_LARGE:
|
|
return THROW_ERR_CRYPTO_INVALID_KEYLEN(env, "Supplied key is too large");
|
|
+#endif
|
|
+ case DHPointer::CheckPublicKeyResult::INVALID:
|
|
+ return THROW_ERR_CRYPTO_INVALID_KEYTYPE(env, "Supplied key is invalid");
|
|
case DHPointer::CheckPublicKeyResult::NONE:
|
|
break;
|
|
}
|
|
@@ -398,9 +398,11 @@ EVPKeyCtxPointer DhKeyGenTraits::Setup(DhKeyPairGenConfig* params) {
|
|
key_params = EVPKeyPointer::New();
|
|
CHECK(key_params);
|
|
CHECK_EQ(EVP_PKEY_assign_DH(key_params.get(), dh.release()), 1);
|
|
- } else if (int* prime_size = std::get_if<int>(¶ms->params.prime)) {
|
|
+ } else if (std::get_if<int>(¶ms->params.prime)) {
|
|
EVPKeyCtxPointer param_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DH, nullptr));
|
|
EVP_PKEY* raw_params = nullptr;
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
+ int* prime_size = std::get_if<int>(¶ms->params.prime);
|
|
if (!param_ctx ||
|
|
EVP_PKEY_paramgen_init(param_ctx.get()) <= 0 ||
|
|
EVP_PKEY_CTX_set_dh_paramgen_prime_len(
|
|
@@ -414,6 +416,9 @@ EVPKeyCtxPointer DhKeyGenTraits::Setup(DhKeyPairGenConfig* params) {
|
|
}
|
|
|
|
key_params = EVPKeyPointer(raw_params);
|
|
+#else
|
|
+ return EVPKeyCtxPointer();
|
|
+#endif
|
|
} else {
|
|
UNREACHABLE();
|
|
}
|
|
diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc
|
|
index b557de774117e442d7f429e92d63a6e1faa236fd..0aca233ced39269b09c383e5b32d85cf36260a1e 100644
|
|
--- a/src/crypto/crypto_dsa.cc
|
|
+++ b/src/crypto/crypto_dsa.cc
|
|
@@ -40,7 +40,7 @@ namespace crypto {
|
|
EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) {
|
|
EVPKeyCtxPointer param_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, nullptr));
|
|
EVP_PKEY* raw_params = nullptr;
|
|
-
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
if (!param_ctx ||
|
|
EVP_PKEY_paramgen_init(param_ctx.get()) <= 0 ||
|
|
EVP_PKEY_CTX_set_dsa_paramgen_bits(
|
|
@@ -55,7 +55,9 @@ EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) {
|
|
return EVPKeyCtxPointer();
|
|
}
|
|
}
|
|
-
|
|
+#else
|
|
+ return EVPKeyCtxPointer();
|
|
+#endif
|
|
if (EVP_PKEY_paramgen(param_ctx.get(), &raw_params) <= 0)
|
|
return EVPKeyCtxPointer();
|
|
|
|
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
|
|
index ac4103400e1e293909e7c524f4a1422c5f04e707..c44c11cbd533350d8bf149032c658d5585303b7d 100644
|
|
--- a/src/crypto/crypto_keys.cc
|
|
+++ b/src/crypto/crypto_keys.cc
|
|
@@ -945,6 +945,7 @@ void KeyObjectHandle::GetAsymmetricKeyType(
|
|
}
|
|
|
|
bool KeyObjectHandle::CheckEcKeyData() const {
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
MarkPopErrorOnReturn mark_pop_error_on_return;
|
|
|
|
const auto& key = data_.GetAsymmetricKey();
|
|
@@ -961,6 +962,9 @@ bool KeyObjectHandle::CheckEcKeyData() const {
|
|
#else
|
|
return EVP_PKEY_public_check(ctx.get()) == 1;
|
|
#endif
|
|
+#else
|
|
+ return true;
|
|
+#endif
|
|
}
|
|
|
|
void KeyObjectHandle::CheckEcKeyData(const FunctionCallbackInfo<Value>& args) {
|
|
diff --git a/src/crypto/crypto_random.cc b/src/crypto/crypto_random.cc
|
|
index b59e394d9a7e2c19fdf1f2b0177753ff488da0fa..91218f49da5392c6f769495ee7f9275a47ce09b1 100644
|
|
--- a/src/crypto/crypto_random.cc
|
|
+++ b/src/crypto/crypto_random.cc
|
|
@@ -134,7 +134,7 @@ Maybe<void> RandomPrimeTraits::AdditionalConfig(
|
|
|
|
params->bits = bits;
|
|
params->safe = safe;
|
|
- params->prime = BignumPointer::NewSecure();
|
|
+ params->prime = BignumPointer::New();
|
|
if (!params->prime) {
|
|
THROW_ERR_CRYPTO_OPERATION_FAILED(env, "could not generate prime");
|
|
return Nothing<void>();
|
|
diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
|
|
index 6d360554b31d53a597d61fcbd660f703a903ca21..86fafe98222d4c18f062032d80104f3ef00dbc01 100644
|
|
--- a/src/crypto/crypto_rsa.cc
|
|
+++ b/src/crypto/crypto_rsa.cc
|
|
@@ -608,10 +608,13 @@ Maybe<void> GetRsaKeyDetail(Environment* env,
|
|
}
|
|
|
|
if (params->saltLength != nullptr) {
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
+ // TODO(codebytere): Upstream a shim to BoringSSL?
|
|
if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) {
|
|
ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error");
|
|
return Nothing<void>();
|
|
}
|
|
+#endif
|
|
}
|
|
|
|
if (target
|
|
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
|
|
index 12ee0cde0897024bccb0face49053544a0bcfcd7..8a6a36a3c31532ed585c287ba8cee14026d315b4 100644
|
|
--- a/src/crypto/crypto_util.cc
|
|
+++ b/src/crypto/crypto_util.cc
|
|
@@ -495,24 +495,15 @@ Maybe<void> Decorate(Environment* env,
|
|
V(BIO) \
|
|
V(PKCS7) \
|
|
V(X509V3) \
|
|
- V(PKCS12) \
|
|
V(RAND) \
|
|
- V(DSO) \
|
|
V(ENGINE) \
|
|
V(OCSP) \
|
|
V(UI) \
|
|
V(COMP) \
|
|
V(ECDSA) \
|
|
V(ECDH) \
|
|
- V(OSSL_STORE) \
|
|
- V(FIPS) \
|
|
- V(CMS) \
|
|
- V(TS) \
|
|
V(HMAC) \
|
|
- V(CT) \
|
|
- V(ASYNC) \
|
|
- V(KDF) \
|
|
- V(SM2) \
|
|
+ V(HKDF) \
|
|
V(USER) \
|
|
|
|
#define V(name) case ERR_LIB_##name: lib = #name "_"; break;
|
|
@@ -654,7 +645,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
|
|
CHECK(args[0]->IsUint32());
|
|
Environment* env = Environment::GetCurrent(args);
|
|
uint32_t len = args[0].As<Uint32>()->Value();
|
|
- void* data = OPENSSL_secure_zalloc(len);
|
|
+ void* data = OPENSSL_malloc(len);
|
|
if (data == nullptr) {
|
|
// There's no memory available for the allocation.
|
|
// Return nothing.
|
|
@@ -665,7 +656,7 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
|
|
data,
|
|
len,
|
|
[](void* data, size_t len, void* deleter_data) {
|
|
- OPENSSL_secure_clear_free(data, len);
|
|
+ OPENSSL_clear_free(data, len);
|
|
},
|
|
data);
|
|
Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
|
|
@@ -673,10 +664,12 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
|
|
}
|
|
|
|
void SecureHeapUsed(const FunctionCallbackInfo<Value>& args) {
|
|
+#ifndef OPENSSL_IS_BORINGSSL
|
|
Environment* env = Environment::GetCurrent(args);
|
|
if (CRYPTO_secure_malloc_initialized())
|
|
args.GetReturnValue().Set(
|
|
BigInt::New(env->isolate(), CRYPTO_secure_used()));
|
|
+#endif
|
|
}
|
|
} // namespace
|
|
|
|
diff --git a/src/env.h b/src/env.h
|
|
index 16312e548e526b80ec9a230bc3c772f45685b61f..0a3f09ebc7e2e7c1f8b9499d4439e2ca90b86810 100644
|
|
--- a/src/env.h
|
|
+++ b/src/env.h
|
|
@@ -50,7 +50,7 @@
|
|
#include "uv.h"
|
|
#include "v8.h"
|
|
|
|
-#if HAVE_OPENSSL
|
|
+#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3
|
|
#include <openssl/evp.h>
|
|
#endif
|
|
|
|
@@ -1062,7 +1062,7 @@ class Environment final : public MemoryRetainer {
|
|
kExitInfoFieldCount
|
|
};
|
|
|
|
-#if HAVE_OPENSSL
|
|
+#if HAVE_OPENSSL// && !defined(OPENSSL_IS_BORINGSSL)
|
|
#if OPENSSL_VERSION_MAJOR >= 3
|
|
// We declare another alias here to avoid having to include crypto_util.h
|
|
using EVPMDPointer = DeleteFnPtr<EVP_MD, EVP_MD_free>;
|
|
diff --git a/src/node_metadata.h b/src/node_metadata.h
|
|
index c59e65ad1fe3fac23f1fc25ca77e6133d1ccaccd..f2f07434e076e2977755ef7dac7d489aedb760b0 100644
|
|
--- a/src/node_metadata.h
|
|
+++ b/src/node_metadata.h
|
|
@@ -6,7 +6,7 @@
|
|
#include <string>
|
|
#include "node_version.h"
|
|
|
|
-#if HAVE_OPENSSL
|
|
+#if 0
|
|
#include <openssl/crypto.h>
|
|
#if NODE_OPENSSL_HAS_QUIC
|
|
#include <openssl/quic.h>
|
|
diff --git a/src/node_options.cc b/src/node_options.cc
|
|
index a03daec2bd74d7857d38238ea0479e36e054a7a3..f70e0917f6caa66210107cdb2ef891685563ba96 100644
|
|
--- a/src/node_options.cc
|
|
+++ b/src/node_options.cc
|
|
@@ -6,7 +6,7 @@
|
|
#include "node_external_reference.h"
|
|
#include "node_internals.h"
|
|
#include "node_sea.h"
|
|
-#if HAVE_OPENSSL
|
|
+#if HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL)
|
|
#include "openssl/opensslv.h"
|
|
#endif
|
|
|
|
diff --git a/src/node_options.h b/src/node_options.h
|
|
index ab6ea77b2e9ce54af44e21c29fcba929f117c41b..23923ccd645e810d84b0a08e57e486d012b5796b 100644
|
|
--- a/src/node_options.h
|
|
+++ b/src/node_options.h
|
|
@@ -11,7 +11,7 @@
|
|
#include "node_mutex.h"
|
|
#include "util.h"
|
|
|
|
-#if HAVE_OPENSSL
|
|
+#if 0
|
|
#include "openssl/opensslv.h"
|
|
#endif
|
|
|
|
diff --git a/unofficial.gni b/unofficial.gni
|
|
index 3632d5bd21e277fcbd8d62dc65598a7f7c87f00e..08a4ed939fb1482a897def94128282fdfd63dc62 100644
|
|
--- a/unofficial.gni
|
|
+++ b/unofficial.gni
|
|
@@ -151,7 +151,6 @@ template("node_gn_build") {
|
|
]
|
|
deps = [
|
|
":run_node_js2c",
|
|
- "deps/brotli",
|
|
"deps/cares",
|
|
"deps/histogram",
|
|
"deps/llhttp",
|
|
@@ -161,6 +160,8 @@ template("node_gn_build") {
|
|
"deps/sqlite",
|
|
"deps/uvwasi",
|
|
"//third_party/zlib",
|
|
+ "//third_party/brotli:dec",
|
|
+ "//third_party/brotli:enc",
|
|
"$node_simdutf_path",
|
|
"$node_v8_path:v8_libplatform",
|
|
]
|