From 694787826863eaf613f8f624e1a4bb5a8cf87aeb Mon Sep 17 00:00:00 2001 From: James M Snell Date: Sat, 1 Feb 2025 10:09:56 -0800 Subject: [PATCH] src: pull in more electron boringssl adjustments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Electron has a number of patches they float in order to build node.js with boringssl. We already incorporate some of those, this brings in more of them. PR-URL: https://github.com/nodejs/node/pull/56858 Reviewed-By: Juan José Arboleda Reviewed-By: Yagiz Nizipli --- src/crypto/crypto_cipher.cc | 4 ++++ src/crypto/crypto_dh.cc | 35 +++++++++++++++++++++++++++++++++-- src/crypto/crypto_dsa.cc | 5 +++++ src/crypto/crypto_keys.cc | 5 +++++ src/crypto/crypto_util.cc | 17 +++++++++++++++++ 5 files changed, 64 insertions(+), 2 deletions(-) diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc index 85996f605a9c52..1bf91b37e8b3a6 100644 --- a/src/crypto/crypto_cipher.cc +++ b/src/crypto/crypto_cipher.cc @@ -1005,11 +1005,15 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { return ThrowCryptoError(env, ERR_get_error()); } +#ifndef OPENSSL_IS_BORINGSSL + // RSA implicit rejection here is not supported by BoringSSL. + // Skip this check when boring is used. if (!ctx.setRsaImplicitRejection()) { return THROW_ERR_INVALID_ARG_VALUE( env, "RSA_PKCS1_PADDING is no longer supported for private decryption"); } +#endif } const EVP_MD* digest = nullptr; diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc index 3cfcc42a989f55..fb794792aae521 100644 --- a/src/crypto/crypto_dh.cc +++ b/src/crypto/crypto_dh.cc @@ -7,7 +7,9 @@ #include "memory_tracker-inl.h" #include "ncrypto.h" #include "node_errors.h" +#ifndef OPENSSL_IS_BORINGSSL #include "openssl/bnerr.h" +#endif #include "openssl/dh.h" #include "threadpoolwork-inl.h" #include "v8.h" @@ -88,11 +90,15 @@ void New(const FunctionCallbackInfo& args) { if (args[0]->IsInt32()) { int32_t bits = args[0].As()->Value(); if (bits < 2) { +#ifndef OPENSSL_IS_BORINGSSL #if OPENSSL_VERSION_MAJOR >= 3 ERR_put_error(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_SMALL, __FILE__, __LINE__); #else ERR_put_error(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL, __FILE__, __LINE__); -#endif +#endif // OPENSSL_VERSION_MAJOR >= 3 +#else // OPENSSL_IS_BORINGSSL + OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL); +#endif // OPENSSL_IS_BORINGSSL return ThrowCryptoError(env, ERR_get_error(), "Invalid prime length"); } @@ -105,7 +111,11 @@ void New(const FunctionCallbackInfo& args) { } int32_t generator = args[1].As()->Value(); if (generator < 2) { +#ifndef OPENSSL_IS_BORINGSSL ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); +#else + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); +#endif return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } @@ -134,12 +144,20 @@ void New(const FunctionCallbackInfo& args) { if (args[1]->IsInt32()) { int32_t generator = args[1].As()->Value(); if (generator < 2) { +#ifndef OPENSSL_IS_BORINGSSL ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); +#else + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); +#endif return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } bn_g = BignumPointer::New(); if (!bn_g.setWord(generator)) { +#ifndef OPENSSL_IS_BORINGSSL ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); +#else + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); +#endif return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } } else { @@ -148,11 +166,19 @@ void New(const FunctionCallbackInfo& args) { return THROW_ERR_OUT_OF_RANGE(env, "generator is too big"); bn_g = BignumPointer(reinterpret_cast(arg1.data()), arg1.size()); if (!bn_g) { +#ifndef OPENSSL_IS_BORINGSSL ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); +#else + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); +#endif return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } if (bn_g.getWord() < 2) { +#ifndef OPENSSL_IS_BORINGSSL ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); +#else + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); +#endif return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } } @@ -398,14 +424,19 @@ EVPKeyCtxPointer DhKeyGenTraits::Setup(DhKeyPairGenConfig* params) { if (!dh) return {}; key_params = EVPKeyPointer::NewDH(std::move(dh)); - } else if (int* prime_size = std::get_if(¶ms->params.prime)) { + } else if (std::get_if(¶ms->params.prime)) { auto param_ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_DH); +#ifndef OPENSSL_IS_BORINGSSL + int* prime_size = std::get_if(¶ms->params.prime); if (!param_ctx.initForParamgen() || !param_ctx.setDhParameters(*prime_size, params->params.generator)) { return {}; } key_params = param_ctx.paramgen(); +#else + return {}; +#endif } else { UNREACHABLE(); } diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc index 05f370ce70ea13..8aacb995f78989 100644 --- a/src/crypto/crypto_dsa.cc +++ b/src/crypto/crypto_dsa.cc @@ -28,6 +28,10 @@ using v8::Value; namespace crypto { EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) { +#ifdef OPENSSL_IS_BORINGSSL + // Operation is unsupported in BoringSSL + return {}; +#else auto param_ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_DSA); if (!param_ctx.initForParamgen() || @@ -45,6 +49,7 @@ EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) { EVPKeyCtxPointer key_ctx = key_params.newCtx(); if (!key_ctx.initForKeygen()) return {}; return key_ctx; +#endif } // Input arguments for DsaKeyPairGenJob diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc index 2ec1589c41621a..5413d931e78b0e 100644 --- a/src/crypto/crypto_keys.cc +++ b/src/crypto/crypto_keys.cc @@ -924,6 +924,10 @@ void KeyObjectHandle::GetAsymmetricKeyType( } bool KeyObjectHandle::CheckEcKeyData() const { +#ifdef OPENSSL_IS_BORINGSSL + // Operation is unsupported on BoringSSL + return true; +#else MarkPopErrorOnReturn mark_pop_error_on_return; const auto& key = data_.GetAsymmetricKey(); @@ -933,6 +937,7 @@ bool KeyObjectHandle::CheckEcKeyData() const { return data_.GetKeyType() == kKeyTypePrivate ? ctx.privateCheck() : ctx.publicCheck(); +#endif } void KeyObjectHandle::CheckEcKeyData(const FunctionCallbackInfo& args) { diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc index f53cbfbac486fb..032b07fbaad27b 100644 --- a/src/crypto/crypto_util.cc +++ b/src/crypto/crypto_util.cc @@ -682,18 +682,29 @@ void SecureBuffer(const FunctionCallbackInfo& args) { CHECK(args[0]->IsUint32()); Environment* env = Environment::GetCurrent(args); uint32_t len = args[0].As()->Value(); +#ifndef OPENSSL_IS_BORINGSSL void* data = OPENSSL_secure_zalloc(len); +#else + void* data = OPENSSL_malloc(len); +#endif if (data == nullptr) { // There's no memory available for the allocation. // Return nothing. return; } +#ifdef OPENSSL_IS_BORINGSSL + memset(data, 0, len); +#endif std::shared_ptr store = ArrayBuffer::NewBackingStore( data, len, [](void* data, size_t len, void* deleter_data) { +#ifndef OPENSSL_IS_BORINGSSL OPENSSL_secure_clear_free(data, len); +#else + OPENSSL_clear_free(data, len); +#endif }, data); Local buffer = ArrayBuffer::New(env->isolate(), store); @@ -701,10 +712,16 @@ void SecureBuffer(const FunctionCallbackInfo& args) { } void SecureHeapUsed(const FunctionCallbackInfo& args) { +#ifndef OPENSSL_IS_BORINGSSL Environment* env = Environment::GetCurrent(args); if (CRYPTO_secure_malloc_initialized()) args.GetReturnValue().Set( BigInt::New(env->isolate(), CRYPTO_secure_used())); +#else + // BoringSSL does not have the secure heap and therefore + // will always return 0. + args.GetReturnValue().Set(BigInt::New(args.GetIsolate(), 0)); +#endif } } // namespace