|
 |
bd8523 |
From 0bb0ed5712eaa274c0e025c74fe792c56c5c8c7f Mon Sep 17 00:00:00 2001
|
|
|
e23d3e |
From: Zuzana Svetlikova <zsvetlik@redhat.com>
|
|
|
e23d3e |
Date: Wed, 19 Feb 2020 09:33:47 +0000
|
|
|
bd8523 |
Subject: [PATCH] Remove or backport OpenSSL features
|
|
|
0a424e |
|
|
|
bd8523 |
Signed-off-by: rpm-build <rpm-build>
|
|
|
0a424e |
---
|
|
|
bd8523 |
doc/api/cli.md | 26 --
|
|
|
0a424e |
lib/_tls_common.js | 2 +-
|
|
|
0a424e |
lib/internal/crypto/keygen.js | 8 +-
|
|
|
0a424e |
lib/tls.js | 9 +-
|
|
|
e23d3e |
src/env.h | 1 -
|
|
|
0a424e |
src/node_constants.cc | 12 +-
|
|
|
bd8523 |
src/node_crypto.cc | 461 +++++++++++++++++++++++++++++++---
|
|
|
bd8523 |
src/node_crypto.h | 77 ++++++
|
|
|
e23d3e |
src/node_crypto_bio.cc | 29 ++-
|
|
|
bd8523 |
src/node_crypto_common.cc | 32 ++-
|
|
|
bd8523 |
src/node_crypto_common.h | 2 +
|
|
|
0a424e |
src/node_errors.h | 4 +-
|
|
|
0a424e |
src/node_options.cc | 4 +
|
|
|
0a424e |
src/tls_wrap.cc | 2 +
|
|
|
bd8523 |
14 files changed, 592 insertions(+), 77 deletions(-)
|
|
|
0a424e |
|
|
|
13eaef |
diff --git a/doc/api/cli.md b/doc/api/cli.md
|
|
|
bd8523 |
index 5dd5ae4..2ea0732 100644
|
|
|
13eaef |
--- a/doc/api/cli.md
|
|
|
13eaef |
+++ b/doc/api/cli.md
|
|
|
bd8523 |
@@ -753,15 +753,6 @@ added: v4.0.0
|
|
|
e23d3e |
Specify an alternative default TLS cipher list. Requires Node.js to be built
|
|
|
e23d3e |
with crypto support (default).
|
|
|
e23d3e |
|
|
|
e23d3e |
-### `--tls-keylog=file`
|
|
|
e23d3e |
-
|
|
|
e23d3e |
-added: v12.16.0
|
|
|
e23d3e |
--->
|
|
|
e23d3e |
-
|
|
|
e23d3e |
-Log TLS key material to a file. The key material is in NSS `SSLKEYLOGFILE`
|
|
|
e23d3e |
-format and can be used by software (such as Wireshark) to decrypt the TLS
|
|
|
e23d3e |
-traffic.
|
|
|
e23d3e |
-
|
|
|
e23d3e |
### `--tls-max-v1.2`
|
|
|
e23d3e |
|
|
|
e23d3e |
added: v12.0.0
|
|
|
bd8523 |
@@ -770,14 +761,6 @@ added: v12.0.0
|
|
|
13eaef |
Set [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.2'. Use to disable support for
|
|
|
13eaef |
TLSv1.3.
|
|
|
e23d3e |
|
|
|
13eaef |
-### `--tls-max-v1.3`
|
|
|
13eaef |
-
|
|
|
13eaef |
-added: v12.0.0
|
|
|
13eaef |
--->
|
|
|
13eaef |
-
|
|
|
13eaef |
-Set default [`tls.DEFAULT_MAX_VERSION`][] to 'TLSv1.3'. Use to enable support
|
|
|
13eaef |
-for TLSv1.3.
|
|
|
13eaef |
-
|
|
|
13eaef |
### `--tls-min-v1.0`
|
|
|
13eaef |
|
|
|
13eaef |
added: v12.0.0
|
|
|
bd8523 |
@@ -803,14 +786,6 @@ Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.2'. This is the default for
|
|
|
13eaef |
12.x and later, but the option is supported for compatibility with older Node.js
|
|
|
13eaef |
versions.
|
|
|
e23d3e |
|
|
|
13eaef |
-### `--tls-min-v1.3`
|
|
|
13eaef |
-
|
|
|
13eaef |
-added: v12.0.0
|
|
|
13eaef |
--->
|
|
|
13eaef |
-
|
|
|
13eaef |
-Set default [`tls.DEFAULT_MIN_VERSION`][] to 'TLSv1.3'. Use to disable support
|
|
|
13eaef |
-for TLSv1.2, which is not as secure as TLSv1.3.
|
|
|
13eaef |
-
|
|
|
13eaef |
### `--trace-deprecation`
|
|
|
13eaef |
|
|
|
13eaef |
added: v0.8.0
|
|
|
bd8523 |
@@ -1190,7 +1165,6 @@ Node.js options that are allowed are:
|
|
|
e23d3e |
* `--throw-deprecation`
|
|
|
0a424e |
* `--title`
|
|
|
0a424e |
* `--tls-cipher-list`
|
|
|
e23d3e |
-* `--tls-keylog`
|
|
|
0a424e |
* `--tls-max-v1.2`
|
|
|
e23d3e |
* `--tls-max-v1.3`
|
|
|
0a424e |
* `--tls-min-v1.0`
|
|
|
13eaef |
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
|
|
|
e23d3e |
index 9f7747c..32e4a77 100644
|
|
|
13eaef |
--- a/lib/_tls_common.js
|
|
|
13eaef |
+++ b/lib/_tls_common.js
|
|
|
e23d3e |
@@ -52,7 +52,7 @@ function toV(which, v, def) {
|
|
|
13eaef |
if (v === 'TLSv1') return TLS1_VERSION;
|
|
|
13eaef |
if (v === 'TLSv1.1') return TLS1_1_VERSION;
|
|
|
13eaef |
if (v === 'TLSv1.2') return TLS1_2_VERSION;
|
|
|
13eaef |
- if (v === 'TLSv1.3') return TLS1_3_VERSION;
|
|
|
13eaef |
+ if (v === 'TLSv1.3' && TLS1_3_VERSION) return TLS1_3_VERSION;
|
|
|
13eaef |
throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
diff --git a/lib/internal/crypto/keygen.js b/lib/internal/crypto/keygen.js
|
|
|
bd8523 |
index ced1a06..a8a6897 100644
|
|
|
13eaef |
--- a/lib/internal/crypto/keygen.js
|
|
|
13eaef |
+++ b/lib/internal/crypto/keygen.js
|
|
|
bd8523 |
@@ -12,10 +12,10 @@ const {
|
|
|
13eaef |
generateKeyPairEC,
|
|
|
13eaef |
generateKeyPairNid,
|
|
|
bd8523 |
generateKeyPairDH,
|
|
|
13eaef |
- EVP_PKEY_ED25519,
|
|
|
13eaef |
- EVP_PKEY_ED448,
|
|
|
13eaef |
- EVP_PKEY_X25519,
|
|
|
13eaef |
- EVP_PKEY_X448,
|
|
|
bd8523 |
+ // EVP_PKEY_ED25519,
|
|
|
bd8523 |
+ // EVP_PKEY_ED448,
|
|
|
bd8523 |
+ // EVP_PKEY_X25519,
|
|
|
bd8523 |
+ // EVP_PKEY_X448,
|
|
|
13eaef |
OPENSSL_EC_NAMED_CURVE,
|
|
|
13eaef |
OPENSSL_EC_EXPLICIT_CURVE
|
|
|
13eaef |
} = internalBinding('crypto');
|
|
|
13eaef |
diff --git a/lib/tls.js b/lib/tls.js
|
|
|
bd8523 |
index 2ccbe40..ea5f7c9 100644
|
|
|
13eaef |
--- a/lib/tls.js
|
|
|
13eaef |
+++ b/lib/tls.js
|
|
|
bd8523 |
@@ -66,17 +66,10 @@ else if (getOptionValue('--tls-min-v1.1'))
|
|
|
13eaef |
exports.DEFAULT_MIN_VERSION = 'TLSv1.1';
|
|
|
13eaef |
else if (getOptionValue('--tls-min-v1.2'))
|
|
|
13eaef |
exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
|
|
|
13eaef |
-else if (getOptionValue('--tls-min-v1.3'))
|
|
|
13eaef |
- exports.DEFAULT_MIN_VERSION = 'TLSv1.3';
|
|
|
13eaef |
else
|
|
|
13eaef |
exports.DEFAULT_MIN_VERSION = 'TLSv1.2';
|
|
|
e23d3e |
|
|
|
13eaef |
-if (getOptionValue('--tls-max-v1.3'))
|
|
|
13eaef |
- exports.DEFAULT_MAX_VERSION = 'TLSv1.3';
|
|
|
13eaef |
-else if (getOptionValue('--tls-max-v1.2'))
|
|
|
13eaef |
- exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
|
|
|
13eaef |
-else
|
|
|
13eaef |
- exports.DEFAULT_MAX_VERSION = 'TLSv1.3'; // Will depend on node version.
|
|
|
13eaef |
+exports.DEFAULT_MAX_VERSION = 'TLSv1.2'; // Will depend on node version.
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
13eaef |
exports.getCiphers = internalUtil.cachedResult(
|
|
|
e23d3e |
diff --git a/src/env.h b/src/env.h
|
|
|
bd8523 |
index 6de5ba9..5731afe 100644
|
|
|
e23d3e |
--- a/src/env.h
|
|
|
e23d3e |
+++ b/src/env.h
|
|
|
bd8523 |
@@ -261,7 +261,6 @@ constexpr size_t kFsStatsBufferLength =
|
|
|
e23d3e |
V(host_string, "host") \
|
|
|
e23d3e |
V(hostmaster_string, "hostmaster") \
|
|
|
e23d3e |
V(http_1_1_string, "http/1.1") \
|
|
|
e23d3e |
- V(identity_string, "identity") \
|
|
|
e23d3e |
V(ignore_string, "ignore") \
|
|
|
e23d3e |
V(infoaccess_string, "infoAccess") \
|
|
|
e23d3e |
V(inherit_string, "inherit") \
|
|
|
13eaef |
diff --git a/src/node_constants.cc b/src/node_constants.cc
|
|
|
bd8523 |
index 5d99fa1..eff87ee 100644
|
|
|
13eaef |
--- a/src/node_constants.cc
|
|
|
13eaef |
+++ b/src/node_constants.cc
|
|
|
13eaef |
@@ -956,8 +956,12 @@ void DefineCryptoConstants(Local<Object> target) {
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_RAND);
|
|
|
13eaef |
# endif
|
|
|
e23d3e |
|
|
|
13eaef |
-# ifdef ENGINE_METHOD_EC
|
|
|
13eaef |
- NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_EC);
|
|
|
13eaef |
+# ifdef ENGINE_METHOD_ECDH
|
|
|
13eaef |
+ NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_ECDH);
|
|
|
13eaef |
+# endif
|
|
|
13eaef |
+
|
|
|
13eaef |
+# ifdef ENGINE_METHOD_ECDSA
|
|
|
13eaef |
+ NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_ECDSA);
|
|
|
13eaef |
# endif
|
|
|
e23d3e |
|
|
|
13eaef |
# ifdef ENGINE_METHOD_CIPHERS
|
|
|
13eaef |
@@ -968,6 +972,10 @@ void DefineCryptoConstants(Local<Object> target) {
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_DIGESTS);
|
|
|
13eaef |
# endif
|
|
|
e23d3e |
|
|
|
13eaef |
+# ifdef ENGINE_METHOD_STORE
|
|
|
13eaef |
+ NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_STORE);
|
|
|
13eaef |
+# endif
|
|
|
13eaef |
+
|
|
|
13eaef |
# ifdef ENGINE_METHOD_PKEY_METHS
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, ENGINE_METHOD_PKEY_METHS);
|
|
|
13eaef |
# endif
|
|
|
13eaef |
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
|
|
bd8523 |
index f08d68d..34fb29d 100644
|
|
|
13eaef |
--- a/src/node_crypto.cc
|
|
|
13eaef |
+++ b/src/node_crypto.cc
|
|
|
bd8523 |
@@ -56,6 +56,7 @@
|
|
|
13eaef |
#include <cstring>
|
|
|
e23d3e |
|
|
|
13eaef |
#include <algorithm>
|
|
|
13eaef |
+#include <atomic>
|
|
|
13eaef |
#include <memory>
|
|
|
13eaef |
#include <utility>
|
|
|
13eaef |
#include <vector>
|
|
|
bd8523 |
@@ -105,6 +106,213 @@ using v8::Value;
|
|
|
bd8523 |
# define IS_OCB_MODE(mode) ((mode) == EVP_CIPH_OCB_MODE)
|
|
|
bd8523 |
#endif
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+static void DH_get0_pqg(const DH* dh, const BIGNUM** p, const BIGNUM** q,
|
|
|
13eaef |
+ const BIGNUM** g) {
|
|
|
13eaef |
+ if (p != nullptr) {
|
|
|
13eaef |
+ *p = dh->p;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (q != nullptr) {
|
|
|
13eaef |
+ *q = dh->q;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (g != nullptr) {
|
|
|
13eaef |
+ *g = dh->g;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+static int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) {
|
|
|
13eaef |
+ if ((dh->p == nullptr && p == nullptr) ||
|
|
|
13eaef |
+ (dh->g == nullptr && g == nullptr)) {
|
|
|
13eaef |
+ return 0;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+
|
|
|
13eaef |
+ if (p != nullptr) {
|
|
|
13eaef |
+ BN_free(dh->p);
|
|
|
13eaef |
+ dh->p = p;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (q != nullptr) {
|
|
|
13eaef |
+ BN_free(dh->q);
|
|
|
13eaef |
+ dh->q = q;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (g != nullptr) {
|
|
|
13eaef |
+ BN_free(dh->g);
|
|
|
13eaef |
+ dh->g = g;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+
|
|
|
13eaef |
+ return 1;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+static void DH_get0_key(const DH* dh, const BIGNUM** pub_key,
|
|
|
13eaef |
+ const BIGNUM** priv_key) {
|
|
|
13eaef |
+ if (pub_key != nullptr) {
|
|
|
13eaef |
+ *pub_key = dh->pub_key;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (priv_key != nullptr) {
|
|
|
13eaef |
+ *priv_key = dh->priv_key;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+static int DH_set0_key(DH* dh, BIGNUM* pub_key, BIGNUM* priv_key) {
|
|
|
13eaef |
+ if (pub_key != nullptr) {
|
|
|
13eaef |
+ BN_free(dh->pub_key);
|
|
|
13eaef |
+ dh->pub_key = pub_key;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (priv_key != nullptr) {
|
|
|
13eaef |
+ BN_free(dh->priv_key);
|
|
|
13eaef |
+ dh->priv_key = priv_key;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+
|
|
|
13eaef |
+ return 1;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+static int EVP_PKEY_up_ref(EVP_PKEY *pkey) {
|
|
|
13eaef |
+ int refcount = std::atomic_fetch_add_explicit(
|
|
|
13eaef |
+ reinterpret_cast<std::atomic<int>*>(&pkey->references),
|
|
|
13eaef |
+ 1,
|
|
|
13eaef |
+ std::memory_order_relaxed
|
|
|
13eaef |
+ ) + 1;
|
|
|
13eaef |
+ return (refcount > 1) ? 1 : 0;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+static unsigned long EVP_MD_meth_get_flags(const EVP_MD *md) {
|
|
|
13eaef |
+ return md->flags;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+static int EVP_DigestSign(
|
|
|
13eaef |
+ EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen,
|
|
|
13eaef |
+ const unsigned char *tbs, size_t tbslen)
|
|
|
13eaef |
+{
|
|
|
13eaef |
+ if (sigret != nullptr && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) {
|
|
|
13eaef |
+ return 0;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ return EVP_DigestSignFinal(ctx, sigret, siglen);
|
|
|
13eaef |
+}
|
|
|
13eaef |
+static int EVP_DigestVerify(
|
|
|
13eaef |
+ EVP_MD_CTX *ctx, const unsigned char *sigret,
|
|
|
13eaef |
+ size_t siglen, const unsigned char *tbs, size_t tbslen)
|
|
|
13eaef |
+{
|
|
|
13eaef |
+ if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) {
|
|
|
13eaef |
+ return -1;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ return EVP_DigestVerifyFinal(ctx, sigret, siglen);
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+static const SSL_METHOD* TLS_method() { return SSLv23_method(); }
|
|
|
13eaef |
+
|
|
|
13eaef |
+static void SSL_SESSION_get0_ticket(const SSL_SESSION* s,
|
|
|
13eaef |
+ const unsigned char** tick, size_t* len) {
|
|
|
13eaef |
+ *len = s->tlsext_ticklen;
|
|
|
13eaef |
+ if (tick != nullptr) {
|
|
|
13eaef |
+ *tick = s->tlsext_tick;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+#define SSL_get_tlsext_status_type(ssl) (ssl->tlsext_status_type)
|
|
|
13eaef |
+
|
|
|
13eaef |
+static int X509_STORE_up_ref(X509_STORE* store) {
|
|
|
13eaef |
+ CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE);
|
|
|
13eaef |
+ return 1;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+static int X509_up_ref(X509* cert) {
|
|
|
13eaef |
+ CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
|
|
|
13eaef |
+ return 1;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+HMAC_CTX* HMAC_CTX_new() {
|
|
|
13eaef |
+ HMAC_CTX* ctx = Malloc<HMAC_CTX>(1);
|
|
|
13eaef |
+ HMAC_CTX_init(ctx);
|
|
|
13eaef |
+ return ctx;
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+// Disable all TLS version lower than the version argument
|
|
|
13eaef |
+int SSL_CTX_set_min_proto_version(SSL_CTX *ctx, int version) {
|
|
|
13eaef |
+ switch (version) {
|
|
|
13eaef |
+ case TLS1_2_VERSION:
|
|
|
13eaef |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
|
|
|
13eaef |
+ [[fallthrough]];
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case TLS1_1_VERSION:
|
|
|
13eaef |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1);
|
|
|
13eaef |
+ [[fallthrough]];
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case TLS1_VERSION:
|
|
|
13eaef |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv3|SSL_OP_NO_SSLv2);
|
|
|
13eaef |
+ return 1;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ default:
|
|
|
13eaef |
+ return 0; // unsupported
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+// Extract minimum supported version. Should be inverse of the setter above.
|
|
|
13eaef |
+int SSL_CTX_get_min_proto_version(SSL_CTX *ctx) {
|
|
|
13eaef |
+ static const auto full_mask = SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ auto opts = SSL_CTX_get_options(ctx);
|
|
|
13eaef |
+
|
|
|
13eaef |
+ switch (opts & full_mask) {
|
|
|
13eaef |
+ case SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1 | SSL_OP_NO_TLSv1_1:
|
|
|
13eaef |
+ return TLS1_2_VERSION;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case SSL_OP_NO_SSLv3 | SSL_OP_NO_TLSv1:
|
|
|
13eaef |
+ return TLS1_1_VERSION;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case SSL_OP_NO_SSLv3:
|
|
|
13eaef |
+ return TLS1_VERSION;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ default:
|
|
|
13eaef |
+ return 0;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+// Disable all TLS version higher than the version argument
|
|
|
13eaef |
+int SSL_CTX_set_max_proto_version(SSL_CTX *ctx, int version) {
|
|
|
13eaef |
+ switch (version) {
|
|
|
13eaef |
+ case TLS1_VERSION:
|
|
|
13eaef |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_1);
|
|
|
13eaef |
+ [[fallthrough]];
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case TLS1_1_VERSION:
|
|
|
13eaef |
+ SSL_CTX_set_options(ctx, SSL_OP_NO_TLSv1_2);
|
|
|
13eaef |
+ [[fallthrough]];
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case TLS1_2_VERSION:
|
|
|
13eaef |
+ return 1;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ default:
|
|
|
13eaef |
+ return 0; // unsupported
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+// Extract maximum supported version. Should be inverse of the setter above.
|
|
|
13eaef |
+int SSL_CTX_get_max_proto_version(SSL_CTX *ctx) {
|
|
|
13eaef |
+ static const auto full_mask = SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ auto opts = SSL_CTX_get_options(ctx);
|
|
|
13eaef |
+ switch (opts & full_mask) {
|
|
|
13eaef |
+ case SSL_OP_NO_TLSv1_1 | SSL_OP_NO_TLSv1_2:
|
|
|
13eaef |
+ return TLS1_VERSION;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ case SSL_OP_NO_TLSv1_2:
|
|
|
13eaef |
+ return TLS1_1_VERSION;
|
|
|
13eaef |
+
|
|
|
13eaef |
+ default:
|
|
|
13eaef |
+ return 0;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
bd8523 |
+stack_st_X509_OBJECT *X509_STORE_get0_objects(X509_STORE *store) {
|
|
|
bd8523 |
+ return store->objs;
|
|
|
bd8523 |
+}
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+int X509_OBJECT_get_type(X509_OBJECT *object) {
|
|
|
bd8523 |
+ return object->type;
|
|
|
bd8523 |
+}
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+X509 *X509_OBJECT_get0_X509(X509_OBJECT *object) {
|
|
|
bd8523 |
+ return (object->type == X509_LU_X509) ? object->data.x509 : nullptr;
|
|
|
bd8523 |
+}
|
|
|
bd8523 |
+
|
|
|
13eaef |
+#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+
|
|
|
13eaef |
+
|
|
|
13eaef |
static const char* const root_certs[] = {
|
|
|
13eaef |
#include "node_root_certs.h" // NOLINT(build/include_order)
|
|
|
13eaef |
};
|
|
|
bd8523 |
@@ -123,7 +331,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
|
|
|
bd8523 |
template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
|
|
|
bd8523 |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
|
|
|
bd8523 |
SSL* s,
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ unsigned char* key,
|
|
|
13eaef |
+#else
|
|
|
13eaef |
const unsigned char* key,
|
|
|
bd8523 |
+#endif
|
|
|
13eaef |
int len,
|
|
|
13eaef |
int* copy);
|
|
|
13eaef |
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
|
|
|
bd8523 |
@@ -145,6 +357,36 @@ template int SSLWrap<TLSWrap>::SelectALPNCallback(
|
|
|
13eaef |
unsigned int inlen,
|
|
|
13eaef |
void* arg);
|
|
|
e23d3e |
|
|
|
13eaef |
+
|
|
|
bd8523 |
+// Provide locking mechanism for OpenSSL
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+static Mutex* mutexes;
|
|
|
13eaef |
+
|
|
|
13eaef |
+static void crypto_threadid_cb(CRYPTO_THREADID* tid) {
|
|
|
13eaef |
+ static_assert(sizeof(uv_thread_t) <= sizeof(void*),
|
|
|
13eaef |
+ "uv_thread_t does not fit in a pointer");
|
|
|
13eaef |
+ CRYPTO_THREADID_set_pointer(tid, reinterpret_cast<void*>(uv_thread_self()));
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+
|
|
|
13eaef |
+static void crypto_lock_init(void) {
|
|
|
13eaef |
+ mutexes = new Mutex[CRYPTO_num_locks()];
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+
|
|
|
13eaef |
+static void crypto_lock_cb(int mode, int n, const char* file, int line) {
|
|
|
13eaef |
+ CHECK(!(mode & CRYPTO_LOCK) ^ !(mode & CRYPTO_UNLOCK));
|
|
|
13eaef |
+ CHECK(!(mode & CRYPTO_READ) ^ !(mode & CRYPTO_WRITE));
|
|
|
13eaef |
+
|
|
|
13eaef |
+ auto mutex = &mutexes[n];
|
|
|
13eaef |
+ if (mode & CRYPTO_LOCK)
|
|
|
13eaef |
+ mutex->Lock();
|
|
|
13eaef |
+ else
|
|
|
13eaef |
+ mutex->Unlock();
|
|
|
13eaef |
+}
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
+
|
|
|
13eaef |
+
|
|
|
13eaef |
static int PasswordCallback(char* buf, int size, int rwflag, void* u) {
|
|
|
13eaef |
const char* passphrase = static_cast<char*>(u);
|
|
|
13eaef |
if (passphrase != nullptr) {
|
|
|
bd8523 |
@@ -276,15 +518,10 @@ Maybe<bool> Decorate(Environment* env, Local<Object> obj,
|
|
|
13eaef |
V(COMP) \
|
|
|
13eaef |
V(ECDSA) \
|
|
|
13eaef |
V(ECDH) \
|
|
|
13eaef |
- V(OSSL_STORE) \
|
|
|
13eaef |
V(FIPS) \
|
|
|
13eaef |
V(CMS) \
|
|
|
13eaef |
V(TS) \
|
|
|
13eaef |
V(HMAC) \
|
|
|
13eaef |
- V(CT) \
|
|
|
13eaef |
- V(ASYNC) \
|
|
|
13eaef |
- V(KDF) \
|
|
|
13eaef |
- V(SM2) \
|
|
|
13eaef |
V(USER) \
|
|
|
e23d3e |
|
|
|
13eaef |
#define V(name) case ERR_LIB_##name: lib = #name "_"; break;
|
|
|
bd8523 |
@@ -524,9 +761,13 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
new SecureContext(env, args.This());
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
// A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
|
|
|
13eaef |
// Node.js doesn't, so pin the max to what we do support.
|
|
|
13eaef |
const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
|
|
|
13eaef |
+#else
|
|
|
13eaef |
+const int MAX_SUPPORTED_VERSION = TLS1_2_VERSION;
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
13eaef |
void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
SecureContext* sc;
|
|
|
bd8523 |
@@ -539,7 +780,7 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
|
|
|
e23d3e |
|
|
|
13eaef |
int min_version = args[1].As<Int32>()->Value();
|
|
|
13eaef |
int max_version = args[2].As<Int32>()->Value();
|
|
|
13eaef |
- const SSL_METHOD* method = TLS_method();
|
|
|
13eaef |
+ const SSL_METHOD* method = SSLv23_method();
|
|
|
e23d3e |
|
|
|
13eaef |
if (max_version == 0)
|
|
|
13eaef |
max_version = MAX_SUPPORTED_VERSION;
|
|
|
bd8523 |
@@ -573,54 +814,57 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
max_version = TLS1_2_VERSION;
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) {
|
|
|
13eaef |
max_version = TLS1_2_VERSION;
|
|
|
13eaef |
- method = TLS_server_method();
|
|
|
13eaef |
+ method = SSLv23_server_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "SSLv23_client_method") == 0) {
|
|
|
13eaef |
max_version = TLS1_2_VERSION;
|
|
|
13eaef |
- method = TLS_client_method();
|
|
|
13eaef |
+ method = SSLv23_client_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLS_method") == 0) {
|
|
|
13eaef |
min_version = 0;
|
|
|
13eaef |
max_version = MAX_SUPPORTED_VERSION;
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLS_server_method") == 0) {
|
|
|
13eaef |
min_version = 0;
|
|
|
13eaef |
max_version = MAX_SUPPORTED_VERSION;
|
|
|
13eaef |
- method = TLS_server_method();
|
|
|
13eaef |
+ method = SSLv23_server_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLS_client_method") == 0) {
|
|
|
13eaef |
min_version = 0;
|
|
|
13eaef |
max_version = MAX_SUPPORTED_VERSION;
|
|
|
13eaef |
- method = TLS_client_method();
|
|
|
13eaef |
+ method = SSLv23_client_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_VERSION;
|
|
|
13eaef |
max_version = TLS1_VERSION;
|
|
|
13eaef |
+ method = TLSv1_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_server_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_VERSION;
|
|
|
13eaef |
max_version = TLS1_VERSION;
|
|
|
13eaef |
- method = TLS_server_method();
|
|
|
13eaef |
+ method = TLSv1_server_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_client_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_VERSION;
|
|
|
13eaef |
max_version = TLS1_VERSION;
|
|
|
13eaef |
- method = TLS_client_method();
|
|
|
13eaef |
+ method = TLSv1_client_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_1_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_1_VERSION;
|
|
|
13eaef |
max_version = TLS1_1_VERSION;
|
|
|
13eaef |
+ method = TLSv1_1_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_1_server_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_1_VERSION;
|
|
|
13eaef |
max_version = TLS1_1_VERSION;
|
|
|
13eaef |
- method = TLS_server_method();
|
|
|
13eaef |
+ method = TLSv1_1_server_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_1_client_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_1_VERSION;
|
|
|
13eaef |
max_version = TLS1_1_VERSION;
|
|
|
13eaef |
- method = TLS_client_method();
|
|
|
13eaef |
+ method = TLSv1_1_client_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_2_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_2_VERSION;
|
|
|
13eaef |
max_version = TLS1_2_VERSION;
|
|
|
13eaef |
+ method = TLSv1_2_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_2_server_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_2_VERSION;
|
|
|
13eaef |
max_version = TLS1_2_VERSION;
|
|
|
13eaef |
- method = TLS_server_method();
|
|
|
13eaef |
+ method = TLSv1_2_server_method();
|
|
|
13eaef |
} else if (strcmp(*sslmethod, "TLSv1_2_client_method") == 0) {
|
|
|
13eaef |
min_version = TLS1_2_VERSION;
|
|
|
13eaef |
max_version = TLS1_2_VERSION;
|
|
|
13eaef |
- method = TLS_client_method();
|
|
|
13eaef |
+ method = TLSv1_2_client_method();
|
|
|
13eaef |
} else {
|
|
|
13eaef |
const std::string msg("Unknown method: ");
|
|
|
13eaef |
THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, (msg + * sslmethod).c_str());
|
|
|
bd8523 |
@@ -650,9 +894,16 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
SSL_SESS_CACHE_NO_INTERNAL |
|
|
|
13eaef |
SSL_SESS_CACHE_NO_AUTO_CLEAR);
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ if (max_version == 0) {
|
|
|
13eaef |
+ // Selecting some secureProtocol methods allows the TLS version to be "any
|
|
|
13eaef |
+ // supported", but we don't support TLSv1.3, even if OpenSSL does.
|
|
|
13eaef |
+ max_version = TLS1_2_VERSION;
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
SSL_CTX_set_min_proto_version(sc->ctx_.get(), min_version);
|
|
|
13eaef |
SSL_CTX_set_max_proto_version(sc->ctx_.get(), max_version);
|
|
|
13eaef |
-
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
// OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was
|
|
|
13eaef |
// exposed in the public API. To retain compatibility, install a callback
|
|
|
13eaef |
// which restores the old algorithm.
|
|
|
bd8523 |
@@ -662,6 +913,7 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
return env->ThrowError("Error generating ticket keys");
|
|
|
13eaef |
}
|
|
|
13eaef |
SSL_CTX_set_tlsext_ticket_key_cb(sc->ctx_.get(), TicketCompatibilityCallback);
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
bd8523 |
@@ -1151,6 +1403,7 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
CHECK_EQ(args.Length(), 1);
|
|
|
13eaef |
CHECK(args[0]->IsString());
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
|
|
|
13eaef |
if (!SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
|
|
|
13eaef |
unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
|
|
|
bd8523 |
@@ -1162,6 +1415,32 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
// that's actually an error.
|
|
|
13eaef |
return;
|
|
|
13eaef |
}
|
|
|
13eaef |
+#else
|
|
|
13eaef |
+ // Note: set_ciphersuites() is for TLSv1.3 and was introduced in openssl
|
|
|
13eaef |
+ // 1.1.1, set_cipher_list() is for TLSv1.2 and earlier.
|
|
|
13eaef |
+ //
|
|
|
13eaef |
+ // In openssl 1.1.0, set_cipher_list() would error if it resulted in no
|
|
|
13eaef |
+ // TLSv1.2 (and earlier) cipher suites, and there is no TLSv1.3 support.
|
|
|
13eaef |
+ //
|
|
|
13eaef |
+ // In openssl 1.1.1, set_cipher_list() will not error if it results in no
|
|
|
13eaef |
+ // TLSv1.2 cipher suites if there are any TLSv1.3 cipher suites, which there
|
|
|
13eaef |
+ // are by default. There will be an error later, during the handshake, but
|
|
|
13eaef |
+ // that results in an async error event, rather than a sync error thrown,
|
|
|
13eaef |
+ // which is a semver-major change for the tls API.
|
|
|
13eaef |
+ //
|
|
|
13eaef |
+ // Since we don't currently support TLSv1.3, work around this by removing the
|
|
|
13eaef |
+ // TLSv1.3 cipher suites, so we get backwards compatible synchronous errors.
|
|
|
13eaef |
+ const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
|
|
|
13eaef |
+ if (
|
|
|
13eaef |
+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL)
|
|
|
13eaef |
+ !SSL_CTX_set_ciphersuites(sc->ctx_.get(), "") ||
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
+ !SSL_CTX_set_cipher_list(sc->ctx_.get(), *ciphers)) {
|
|
|
13eaef |
+ unsigned long err = ERR_get_error(); // NOLINT(runtime/int)
|
|
|
13eaef |
+ if (!err) {
|
|
|
13eaef |
+ return env->ThrowError("Failed to set ciphers");
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+#endif
|
|
|
bd8523 |
return ThrowCryptoError(env, err, "Failed to set ciphers");
|
|
|
13eaef |
}
|
|
|
13eaef |
}
|
|
|
bd8523 |
@@ -1179,6 +1458,11 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
|
|
|
e23d3e |
|
|
|
13eaef |
node::Utf8Value curve(env->isolate(), args[0]);
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ SSL_CTX_set_options(sc->ctx_.get(), SSL_OP_SINGLE_ECDH_USE);
|
|
|
13eaef |
+ SSL_CTX_set_ecdh_auto(sc->ctx_.get(), 1);
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
+
|
|
|
13eaef |
if (strcmp(*curve, "auto") == 0)
|
|
|
13eaef |
return;
|
|
|
e23d3e |
|
|
|
bd8523 |
@@ -1481,9 +1765,17 @@ void SecureContext::GetTicketKeys(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
|
|
|
e23d3e |
|
|
|
13eaef |
Local<Object> buff = Buffer::New(wrap->env(), 48).ToLocalChecked();
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
memcpy(Buffer::Data(buff), wrap->ticket_key_name_, 16);
|
|
|
13eaef |
memcpy(Buffer::Data(buff) + 16, wrap->ticket_key_hmac_, 16);
|
|
|
13eaef |
memcpy(Buffer::Data(buff) + 32, wrap->ticket_key_aes_, 16);
|
|
|
13eaef |
+#else
|
|
|
13eaef |
+ if (SSL_CTX_set_tlsext_ticket_keys(wrap->ctx_.get(),
|
|
|
13eaef |
+ Buffer::Data(buff),
|
|
|
13eaef |
+ Buffer::Length(buff)) != 1) {
|
|
|
13eaef |
+ return wrap->env()->ThrowError("Failed to fetch tls ticket keys");
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
13eaef |
args.GetReturnValue().Set(buff);
|
|
|
13eaef |
#endif // !def(OPENSSL_NO_TLSEXT) && def(SSL_CTX_get_tlsext_ticket_keys)
|
|
|
bd8523 |
@@ -1519,6 +1811,14 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
13eaef |
void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ // |freelist_max_len| was removed in OpenSSL 1.1.0. In that version OpenSSL
|
|
|
13eaef |
+ // mallocs and frees buffers directly, without the use of a freelist.
|
|
|
13eaef |
+ SecureContext* wrap;
|
|
|
13eaef |
+ ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
|
|
|
13eaef |
+
|
|
|
13eaef |
+ wrap->ctx_->freelist_max_len = args[0].As<Int32>()->Value();
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
bd8523 |
@@ -1621,6 +1921,7 @@ int SecureContext::TicketKeyCallback(SSL* ssl,
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
int SecureContext::TicketCompatibilityCallback(SSL* ssl,
|
|
|
13eaef |
unsigned char* name,
|
|
|
13eaef |
unsigned char* iv,
|
|
|
bd8523 |
@@ -1655,6 +1956,7 @@ int SecureContext::TicketCompatibilityCallback(SSL* ssl,
|
|
|
13eaef |
}
|
|
|
13eaef |
return 1;
|
|
|
13eaef |
}
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
13eaef |
void SecureContext::CtxGetter(const FunctionCallbackInfo<Value>& info) {
|
|
|
bd8523 |
@@ -1737,7 +2039,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
|
|
|
e23d3e |
|
|
|
bd8523 |
template <class Base>
|
|
|
bd8523 |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ unsigned char* key,
|
|
|
13eaef |
+#else
|
|
|
13eaef |
const unsigned char* key,
|
|
|
bd8523 |
+#endif
|
|
|
13eaef |
int len,
|
|
|
13eaef |
int* copy) {
|
|
|
13eaef |
Base* w = static_cast<Base*>(SSL_get_app_data(s));
|
|
|
bd8523 |
@@ -3362,14 +3668,17 @@ Local<Value> KeyObject::GetAsymmetricKeyType() const {
|
|
|
13eaef |
switch (EVP_PKEY_id(this->asymmetric_key_.get())) {
|
|
|
13eaef |
case EVP_PKEY_RSA:
|
|
|
13eaef |
return env()->crypto_rsa_string();
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
case EVP_PKEY_RSA_PSS:
|
|
|
13eaef |
return env()->crypto_rsa_pss_string();
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
case EVP_PKEY_DSA:
|
|
|
13eaef |
return env()->crypto_dsa_string();
|
|
|
bd8523 |
case EVP_PKEY_DH:
|
|
|
bd8523 |
return env()->crypto_dh_string();
|
|
|
13eaef |
case EVP_PKEY_EC:
|
|
|
13eaef |
return env()->crypto_ec_string();
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
case EVP_PKEY_ED25519:
|
|
|
13eaef |
return env()->crypto_ed25519_string();
|
|
|
13eaef |
case EVP_PKEY_ED448:
|
|
|
bd8523 |
@@ -3378,6 +3687,7 @@ Local<Value> KeyObject::GetAsymmetricKeyType() const {
|
|
|
13eaef |
return env()->crypto_x25519_string();
|
|
|
13eaef |
case EVP_PKEY_X448:
|
|
|
13eaef |
return env()->crypto_x448_string();
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
default:
|
|
|
13eaef |
return Undefined(env()->isolate());
|
|
|
13eaef |
}
|
|
|
bd8523 |
@@ -3685,10 +3995,10 @@ bool CipherBase::InitAuthenticated(const char* cipher_type, int iv_len,
|
|
|
13eaef |
CHECK(IsAuthenticatedMode());
|
|
|
13eaef |
MarkPopErrorOnReturn mark_pop_error_on_return;
|
|
|
e23d3e |
|
|
|
13eaef |
- if (!EVP_CIPHER_CTX_ctrl(ctx_.get(),
|
|
|
13eaef |
- EVP_CTRL_AEAD_SET_IVLEN,
|
|
|
13eaef |
- iv_len,
|
|
|
13eaef |
- nullptr)) {
|
|
|
13eaef |
+ // TODO(tniessen) Use EVP_CTRL_AEAD_SET_IVLEN when migrating to OpenSSL 1.1.0
|
|
|
13eaef |
+ static_assert(EVP_CTRL_CCM_SET_IVLEN == EVP_CTRL_GCM_SET_IVLEN,
|
|
|
13eaef |
+ "OpenSSL constants differ between GCM and CCM");
|
|
|
13eaef |
+ if (!EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_GCM_SET_IVLEN, iv_len, nullptr)) {
|
|
|
13eaef |
env()->ThrowError("Invalid IV length");
|
|
|
13eaef |
return false;
|
|
|
13eaef |
}
|
|
|
bd8523 |
@@ -4036,8 +4346,12 @@ bool CipherBase::Final(AllocatedBuffer* out) {
|
|
|
13eaef |
CHECK(mode == EVP_CIPH_GCM_MODE);
|
|
|
13eaef |
auth_tag_len_ = sizeof(auth_tag_);
|
|
|
13eaef |
}
|
|
|
13eaef |
- CHECK_EQ(1, EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_GET_TAG,
|
|
|
13eaef |
- auth_tag_len_,
|
|
|
13eaef |
+// CHECK_EQ(1, EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_AEAD_GET_TAG,
|
|
|
13eaef |
+// auth_tag_len_,
|
|
|
13eaef |
+ // TOOD(tniessen) Use EVP_CTRL_AEAP_GET_TAG in OpenSSL 1.1.0
|
|
|
13eaef |
+ static_assert(EVP_CTRL_CCM_GET_TAG == EVP_CTRL_GCM_GET_TAG,
|
|
|
13eaef |
+ "OpenSSL constants differ between GCM and CCM");
|
|
|
13eaef |
+ CHECK_EQ(1, EVP_CIPHER_CTX_ctrl(ctx_.get(), EVP_CTRL_GCM_GET_TAG, auth_tag_len_,
|
|
|
13eaef |
reinterpret_cast<unsigned char*>(auth_tag_)));
|
|
|
13eaef |
}
|
|
|
13eaef |
}
|
|
|
bd8523 |
@@ -4345,8 +4659,12 @@ void Hash::HashDigest(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
ret = EVP_DigestFinal_ex(hash->mdctx_.get(), hash->md_value_,
|
|
|
13eaef |
&hash->md_len_);
|
|
|
13eaef |
} else {
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
ret = EVP_DigestFinalXOF(hash->mdctx_.get(), hash->md_value_,
|
|
|
13eaef |
hash->md_len_);
|
|
|
13eaef |
+#else
|
|
|
13eaef |
+ return env->ThrowError("Unsupported XOF digest");
|
|
|
13eaef |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
if (ret != 1) {
|
|
|
bd8523 |
@@ -4376,12 +4694,14 @@ void Hash::HashDigest(const FunctionCallbackInfo<Value>& args) {
|
|
|
e23d3e |
|
|
|
13eaef |
SignBase::Error SignBase::Init(const char* sign_type) {
|
|
|
13eaef |
CHECK_NULL(mdctx_);
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
// Historically, "dss1" and "DSS1" were DSA aliases for SHA-1
|
|
|
13eaef |
// exposed through the public API.
|
|
|
13eaef |
if (strcmp(sign_type, "dss1") == 0 ||
|
|
|
13eaef |
strcmp(sign_type, "DSS1") == 0) {
|
|
|
13eaef |
sign_type = "SHA1";
|
|
|
13eaef |
}
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
const EVP_MD* md = EVP_get_digestbyname(sign_type);
|
|
|
13eaef |
if (md == nullptr)
|
|
|
13eaef |
return kSignUnknownDigest;
|
|
|
bd8523 |
@@ -4457,9 +4777,14 @@ static bool ApplyRSAOptions(const ManagedEVPPKey& pkey,
|
|
|
13eaef |
EVP_PKEY_CTX* pkctx,
|
|
|
13eaef |
int padding,
|
|
|
13eaef |
const Maybe<int>& salt_len) {
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
if (EVP_PKEY_id(pkey.get()) == EVP_PKEY_RSA ||
|
|
|
13eaef |
EVP_PKEY_id(pkey.get()) == EVP_PKEY_RSA2 ||
|
|
|
13eaef |
EVP_PKEY_id(pkey.get()) == EVP_PKEY_RSA_PSS) {
|
|
|
13eaef |
+#else
|
|
|
13eaef |
+ if (EVP_PKEY_id(pkey.get()) == EVP_PKEY_RSA ||
|
|
|
13eaef |
+ EVP_PKEY_id(pkey.get()) == EVP_PKEY_RSA2) {
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
if (EVP_PKEY_CTX_set_rsa_padding(pkctx, padding) <= 0)
|
|
|
13eaef |
return false;
|
|
|
13eaef |
if (padding == RSA_PKCS1_PSS_PADDING && salt_len.IsJust()) {
|
|
|
bd8523 |
@@ -4518,9 +4843,13 @@ void Sign::SignUpdate(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
sign->CheckThrow(err);
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
-static int GetDefaultSignPadding(const ManagedEVPPKey& key) {
|
|
|
13eaef |
+static int GetDefaultSignPadding([[maybe_unused]] const ManagedEVPPKey& key) {
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ return RSA_PKCS1_PADDING;
|
|
|
13eaef |
+#else
|
|
|
13eaef |
return EVP_PKEY_id(key.get()) == EVP_PKEY_RSA_PSS ? RSA_PKCS1_PSS_PADDING :
|
|
|
13eaef |
RSA_PKCS1_PADDING;
|
|
|
e23d3e |
+#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
e23d3e |
static const unsigned int kNoDsaSignature = static_cast<unsigned int>(-1);
|
|
|
bd8523 |
@@ -4910,6 +5239,9 @@ void Verify::VerifyFinal(const FunctionCallbackInfo<Value>& args) {
|
|
|
bd8523 |
if (signature.get() == nullptr)
|
|
|
bd8523 |
return verify->CheckThrow(Error::kSignMalformedSignature);
|
|
|
bd8523 |
}
|
|
|
bd8523 |
+#else // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
+ ByteSource signature = ByteSource::Foreign(hbuf.data(), hbuf.length());
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
|
|
|
bd8523 |
bool verify_result;
|
|
|
bd8523 |
Error err = verify->VerifyFinal(pkey, signature, padding,
|
|
|
bd8523 |
@@ -5165,11 +5497,15 @@ bool DiffieHellman::Init(int primeLength, int g) {
|
|
|
bd8523 |
bool DiffieHellman::Init(const char* p, int p_len, int g) {
|
|
|
bd8523 |
dh_.reset(DH_new());
|
|
|
bd8523 |
if (p_len <= 0) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
return false;
|
|
|
bd8523 |
}
|
|
|
bd8523 |
if (g <= 1) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_BAD_GENERATOR);
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
return false;
|
|
|
bd8523 |
}
|
|
|
bd8523 |
BIGNUM* bn_p =
|
|
|
bd8523 |
@@ -5188,11 +5524,15 @@ bool DiffieHellman::Init(const char* p, int p_len, int g) {
|
|
|
bd8523 |
bool DiffieHellman::Init(const char* p, int p_len, const char* g, int g_len) {
|
|
|
bd8523 |
dh_.reset(DH_new());
|
|
|
bd8523 |
if (p_len <= 0) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
BNerr(BN_F_BN_GENERATE_PRIME_EX, BN_R_BITS_TOO_SMALL);
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
return false;
|
|
|
bd8523 |
}
|
|
|
bd8523 |
if (g_len <= 0) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_BAD_GENERATOR);
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
return false;
|
|
|
bd8523 |
}
|
|
|
bd8523 |
BIGNUM* bn_g =
|
|
|
bd8523 |
@@ -5842,9 +6182,24 @@ struct PBKDF2Job : public CryptoJob {
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
inline void DoThreadPoolWork() override {
|
|
|
13eaef |
- auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
|
|
|
13eaef |
+ static const auto *empty = "";
|
|
|
13eaef |
+
|
|
|
13eaef |
+ auto pass_data = reinterpret_cast<const char *>(empty);
|
|
|
13eaef |
+ auto pass_size = int(0);
|
|
|
13eaef |
+ auto salt_data = reinterpret_cast<const unsigned char *>(empty);
|
|
|
13eaef |
+ auto salt_size = int(0);
|
|
|
13eaef |
+
|
|
|
13eaef |
+ if (pass.size() > 0) {
|
|
|
13eaef |
+ pass_data = pass.data();
|
|
|
13eaef |
+ pass_size = pass.size();
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+ if (salt.size() > 0) {
|
|
|
13eaef |
+ salt_data = reinterpret_cast<const unsigned char *>(salt.data());
|
|
|
13eaef |
+ salt_size = salt.size();
|
|
|
13eaef |
+ }
|
|
|
13eaef |
+
|
|
|
13eaef |
const bool ok =
|
|
|
13eaef |
- PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
|
|
|
13eaef |
+ PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
|
|
|
13eaef |
iteration_count, digest, keybuf_size, keybuf_data);
|
|
|
13eaef |
success = Just(ok);
|
|
|
13eaef |
Cleanse();
|
|
|
bd8523 |
@@ -6027,6 +6382,7 @@ class RSAKeyPairGenerationConfig : public KeyPairGenerationConfig {
|
|
|
13eaef |
const unsigned int exponent_;
|
|
|
13eaef |
};
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
class RSAPSSKeyPairGenerationConfig : public RSAKeyPairGenerationConfig {
|
|
|
13eaef |
public:
|
|
|
13eaef |
RSAPSSKeyPairGenerationConfig(unsigned int modulus_bits,
|
|
|
bd8523 |
@@ -6068,6 +6424,7 @@ class RSAPSSKeyPairGenerationConfig : public RSAKeyPairGenerationConfig {
|
|
|
13eaef |
const EVP_MD* mgf1_md_;
|
|
|
13eaef |
const int saltlen_;
|
|
|
13eaef |
};
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
13eaef |
class DSAKeyPairGenerationConfig : public KeyPairGenerationConfig {
|
|
|
13eaef |
public:
|
|
|
bd8523 |
@@ -6143,6 +6500,7 @@ class ECKeyPairGenerationConfig : public KeyPairGenerationConfig {
|
|
|
13eaef |
const int param_encoding_;
|
|
|
13eaef |
};
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
class NidKeyPairGenerationConfig : public KeyPairGenerationConfig {
|
|
|
13eaef |
public:
|
|
|
13eaef |
explicit NidKeyPairGenerationConfig(int id) : id_(id) {}
|
|
|
bd8523 |
@@ -6154,6 +6512,7 @@ class NidKeyPairGenerationConfig : public KeyPairGenerationConfig {
|
|
|
13eaef |
private:
|
|
|
13eaef |
const int id_;
|
|
|
13eaef |
};
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
bd8523 |
// TODO(tniessen): Use std::variant instead.
|
|
|
bd8523 |
// Diffie-Hellman can either generate keys using a fixed prime, or by first
|
|
|
bd8523 |
@@ -6357,6 +6716,7 @@ void GenerateKeyPairRSA(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
GenerateKeyPair(args, 2, std::move(config));
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
void GenerateKeyPairRSAPSS(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
Environment* env = Environment::GetCurrent(args);
|
|
|
e23d3e |
|
|
|
bd8523 |
@@ -6394,6 +6754,7 @@ void GenerateKeyPairRSAPSS(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
md, mgf1_md, saltlen));
|
|
|
13eaef |
GenerateKeyPair(args, 5, std::move(config));
|
|
|
13eaef |
}
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
13eaef |
void GenerateKeyPairDSA(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
CHECK(args[0]->IsUint32());
|
|
|
bd8523 |
@@ -6425,6 +6786,7 @@ void GenerateKeyPairEC(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
GenerateKeyPair(args, 2, std::move(config));
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
void GenerateKeyPairNid(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
CHECK(args[0]->IsInt32());
|
|
|
13eaef |
const int id = args[0].As<Int32>()->Value();
|
|
|
bd8523 |
@@ -6432,6 +6794,7 @@ void GenerateKeyPairNid(const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
new NidKeyPairGenerationConfig(id));
|
|
|
13eaef |
GenerateKeyPair(args, 1, std::move(config));
|
|
|
13eaef |
}
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
bd8523 |
void GenerateKeyPairDH(const FunctionCallbackInfo<Value>& args) {
|
|
|
bd8523 |
Environment* env = Environment::GetCurrent(args);
|
|
|
bd8523 |
@@ -6477,6 +6840,7 @@ void GetSSLCiphers(const FunctionCallbackInfo<Value>& args) {
|
|
|
bd8523 |
CHECK(ssl);
|
|
|
e23d3e |
|
|
|
bd8523 |
STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl.get());
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
// TLSv1.3 ciphers aren't listed by EVP. There are only 5, we could just
|
|
|
13eaef |
// document them, but since there are only 5, easier to just add them manually
|
|
|
13eaef |
// and not have to explain their absence in the API docs. They are lower-cased
|
|
|
bd8523 |
@@ -6488,19 +6852,26 @@ void GetSSLCiphers(const FunctionCallbackInfo<Value>& args) {
|
|
|
bd8523 |
"tls_aes_128_ccm_8_sha256",
|
|
|
bd8523 |
"tls_aes_128_ccm_sha256"
|
|
|
bd8523 |
};
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
|
|
|
bd8523 |
const int n = sk_SSL_CIPHER_num(ciphers);
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
std::vector<Local<Value>> arr(n + arraysize(TLS13_CIPHERS));
|
|
|
bd8523 |
+#else
|
|
|
bd8523 |
+ std::vector<Local<Value>> arr(n);
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
|
|
|
bd8523 |
for (int i = 0; i < n; ++i) {
|
|
|
bd8523 |
const SSL_CIPHER* cipher = sk_SSL_CIPHER_value(ciphers, i);
|
|
|
bd8523 |
arr[i] = OneByteString(env->isolate(), SSL_CIPHER_get_name(cipher));
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
for (unsigned i = 0; i < arraysize(TLS13_CIPHERS); ++i) {
|
|
|
bd8523 |
const char* name = TLS13_CIPHERS[i];
|
|
|
bd8523 |
arr[n + i] = OneByteString(env->isolate(), name);
|
|
|
13eaef |
}
|
|
|
13eaef |
+#endif
|
|
|
e23d3e |
|
|
|
bd8523 |
args.GetReturnValue().Set(Array::New(env->isolate(), arr.data(), arr.size()));
|
|
|
13eaef |
}
|
|
|
bd8523 |
@@ -6803,7 +7174,7 @@ void TimingSafeEqual(const FunctionCallbackInfo<Value>& args) {
|
|
|
0a424e |
}
|
|
|
e23d3e |
|
|
|
0a424e |
void InitCryptoOnce() {
|
|
|
0a424e |
-#ifndef OPENSSL_IS_BORINGSSL
|
|
|
0a424e |
+#if !defined(OPENSSL_IS_BORINGSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
0a424e |
OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
|
|
|
e23d3e |
|
|
|
0a424e |
// --openssl-config=...
|
|
|
bd8523 |
@@ -6815,7 +7186,35 @@ void InitCryptoOnce() {
|
|
|
0a424e |
OPENSSL_init_ssl(0, settings);
|
|
|
0a424e |
OPENSSL_INIT_free(settings);
|
|
|
0a424e |
settings = nullptr;
|
|
|
0a424e |
-#endif
|
|
|
0a424e |
+#else // !defined(OPENSSL_IS_BORINGSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
0a424e |
+ SSL_load_error_strings();
|
|
|
0a424e |
+ OPENSSL_no_config();
|
|
|
0a424e |
+
|
|
|
0a424e |
+ // --openssl-config=...
|
|
|
0a424e |
+ if (!per_process::cli_options->openssl_config.empty()) {
|
|
|
0a424e |
+ OPENSSL_load_builtin_modules();
|
|
|
0a424e |
+#ifndef OPENSSL_NO_ENGINE
|
|
|
0a424e |
+ ENGINE_load_builtin_engines();
|
|
|
0a424e |
+#endif // OPENSSL_NO_ENGINE
|
|
|
0a424e |
+ ERR_clear_error();
|
|
|
0a424e |
+
|
|
|
0a424e |
+ const char *conf = per_process::cli_options->openssl_config.c_str();
|
|
|
0a424e |
+ CONF_modules_load_file(conf, nullptr, CONF_MFLAGS_DEFAULT_SECTION);
|
|
|
0a424e |
+ auto err = ERR_get_error();
|
|
|
0a424e |
+ if (err != 0) {
|
|
|
0a424e |
+ fprintf(stderr, "openssl config failed: %s\n", ERR_error_string(err, nullptr));
|
|
|
0a424e |
+ CHECK_NE(err, 0);
|
|
|
0a424e |
+ }
|
|
|
0a424e |
+ }
|
|
|
0a424e |
+
|
|
|
0a424e |
+ // Initialize the whole library
|
|
|
0a424e |
+ SSL_library_init();
|
|
|
0a424e |
+ OpenSSL_add_all_algorithms();
|
|
|
0a424e |
+ // Allocate mutex array and set appropriate callbacks
|
|
|
13eaef |
+ crypto_lock_init();
|
|
|
13eaef |
+ CRYPTO_set_locking_callback(crypto_lock_cb);
|
|
|
13eaef |
+ CRYPTO_THREADID_set_callback(crypto_threadid_cb);
|
|
|
0a424e |
+#endif // !defined(OPENSSL_IS_BORINGSSL) && OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
e23d3e |
|
|
|
13eaef |
#ifdef NODE_FIPS_MODE
|
|
|
13eaef |
/* Override FIPS settings in cnf file, if needed. */
|
|
|
bd8523 |
@@ -6938,15 +7337,21 @@ void Initialize(Local<Object> target,
|
|
|
e23d3e |
|
|
|
13eaef |
env->SetMethod(target, "pbkdf2", PBKDF2);
|
|
|
13eaef |
env->SetMethod(target, "generateKeyPairRSA", GenerateKeyPairRSA);
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
env->SetMethod(target, "generateKeyPairRSAPSS", GenerateKeyPairRSAPSS);
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
env->SetMethod(target, "generateKeyPairDSA", GenerateKeyPairDSA);
|
|
|
13eaef |
env->SetMethod(target, "generateKeyPairEC", GenerateKeyPairEC);
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
env->SetMethod(target, "generateKeyPairNid", GenerateKeyPairNid);
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
env->SetMethod(target, "generateKeyPairDH", GenerateKeyPairDH);
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED25519);
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, EVP_PKEY_ED448);
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, EVP_PKEY_X25519);
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, EVP_PKEY_X448);
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, OPENSSL_EC_NAMED_CURVE);
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, OPENSSL_EC_EXPLICIT_CURVE);
|
|
|
13eaef |
NODE_DEFINE_CONSTANT(target, kKeyEncodingPKCS1);
|
|
|
13eaef |
diff --git a/src/node_crypto.h b/src/node_crypto.h
|
|
|
bd8523 |
index 772a34a..f61ad3d 100644
|
|
|
13eaef |
--- a/src/node_crypto.h
|
|
|
13eaef |
+++ b/src/node_crypto.h
|
|
|
bd8523 |
@@ -35,10 +35,77 @@
|
|
|
e23d3e |
|
|
|
13eaef |
#include <openssl/err.h>
|
|
|
13eaef |
#include <openssl/ssl.h>
|
|
|
e23d3e |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
e23d3e |
#include <openssl/bn.h>
|
|
|
e23d3e |
#include <openssl/dh.h>
|
|
|
e23d3e |
#include <openssl/ec.h>
|
|
|
e23d3e |
#include <openssl/rsa.h>
|
|
|
e23d3e |
+#endif
|
|
|
e23d3e |
+
|
|
|
13eaef |
+// OpenSSL backport shims
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+
|
|
|
13eaef |
+// Declare what OpenSSL features we do not support
|
|
|
13eaef |
+// Pretending we are BoringSSL can also help
|
|
|
13eaef |
+#define OPENSSL_IS_BORINGSSL
|
|
|
13eaef |
+#define OPENSSL_NO_OCB
|
|
|
13eaef |
+#define OPENSSL_NO_SCRYPT
|
|
|
13eaef |
+
|
|
|
13eaef |
+#define EVP_CTRL_AEAD_SET_TAG EVP_CTRL_CCM_SET_TAG
|
|
|
13eaef |
+#define EVP_MD_CTX_free EVP_MD_CTX_destroy
|
|
|
13eaef |
+#define EVP_MD_CTX_new EVP_MD_CTX_create
|
|
|
13eaef |
+
|
|
|
13eaef |
+// Values from upstream
|
|
|
13eaef |
+#define OPENSSL_EC_EXPLICIT_CURVE 0x0
|
|
|
13eaef |
+#define NID_chacha20_poly1305 1018
|
|
|
13eaef |
+#define EVP_MD_FLAG_XOF 0x0002
|
|
|
13eaef |
+#define EVP_F_EVP_DIGESTFINALXOF 0
|
|
|
13eaef |
+#define EVP_R_NOT_XOF_OR_INVALID_LENGTH 178
|
|
|
13eaef |
+
|
|
|
13eaef |
+inline void EVP_CIPHER_CTX_free(EVP_CIPHER_CTX* ctx) { EVP_CIPHER_CTX_cleanup(ctx); }
|
|
|
13eaef |
+inline void HMAC_CTX_free(HMAC_CTX* ctx) { if (ctx == nullptr) { return; } HMAC_CTX_cleanup(ctx); free(ctx); }
|
|
|
13eaef |
+inline void OPENSSL_clear_free(void* ptr, size_t len) {
|
|
|
13eaef |
+ if (ptr == nullptr) { return; }
|
|
|
13eaef |
+ OPENSSL_cleanse(ptr, len);
|
|
|
13eaef |
+ OPENSSL_free(ptr);
|
|
|
13eaef |
+}
|
|
|
13eaef |
+
|
|
|
13eaef |
+inline int BN_bn2binpad(const BIGNUM* a, unsigned char *to, int tolen) {
|
|
|
13eaef |
+ if (tolen < 0 || to == nullptr) { return -1; }
|
|
|
13eaef |
+ OPENSSL_cleanse(to, tolen);
|
|
|
13eaef |
+ return BN_bn2bin(a, to);
|
|
|
13eaef |
+}
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+inline void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e,
|
|
|
bd8523 |
+ const BIGNUM** d) {
|
|
|
bd8523 |
+ if (n != nullptr) {
|
|
|
bd8523 |
+ *n = r->n;
|
|
|
bd8523 |
+ }
|
|
|
bd8523 |
+ if (e != nullptr) {
|
|
|
bd8523 |
+ *e = r->e;
|
|
|
bd8523 |
+ }
|
|
|
bd8523 |
+ if (d != nullptr) {
|
|
|
bd8523 |
+ *d = r->d;
|
|
|
bd8523 |
+ }
|
|
|
bd8523 |
+}
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+inline int EC_GROUP_order_bits(const EC_GROUP *group) {
|
|
|
bd8523 |
+ int num_bits = 0;
|
|
|
bd8523 |
+ BIGNUM *order = BN_new();
|
|
|
bd8523 |
+ BN_CTX *ctx = BN_CTX_new();
|
|
|
bd8523 |
+ if (order == nullptr || ctx == nullptr) { goto end; }
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+ if (EC_GROUP_get_order(group, order, ctx) != 1) { goto end; }
|
|
|
bd8523 |
+ num_bits = BN_num_bits(order);
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+end:
|
|
|
bd8523 |
+ BN_CTX_free(ctx), ctx = nullptr;
|
|
|
bd8523 |
+ BN_free(order), order = nullptr;
|
|
|
bd8523 |
+
|
|
|
bd8523 |
+ return num_bits;
|
|
|
bd8523 |
+}
|
|
|
bd8523 |
+
|
|
|
13eaef |
+#endif // OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
e23d3e |
|
|
|
13eaef |
namespace node {
|
|
|
13eaef |
namespace crypto {
|
|
|
bd8523 |
@@ -230,10 +297,17 @@ class SSLWrap {
|
|
|
13eaef |
static void ConfigureSecureContext(SecureContext* sc);
|
|
|
13eaef |
static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ static SSL_SESSION* GetSessionCallback(SSL* s,
|
|
|
13eaef |
+ unsigned char* key,
|
|
|
13eaef |
+ int len,
|
|
|
13eaef |
+ int* copy);
|
|
|
13eaef |
+#else
|
|
|
13eaef |
static SSL_SESSION* GetSessionCallback(SSL* s,
|
|
|
13eaef |
const unsigned char* key,
|
|
|
13eaef |
int len,
|
|
|
13eaef |
int* copy);
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
static int NewSessionCallback(SSL* s, SSL_SESSION* sess);
|
|
|
13eaef |
static void KeylogCallback(const SSL* s, const char* line);
|
|
|
13eaef |
static void OnClientHello(void* arg,
|
|
|
bd8523 |
@@ -353,6 +427,9 @@ class ByteSource {
|
|
|
bd8523 |
size_t size_ = 0;
|
|
|
bd8523 |
|
|
|
bd8523 |
ByteSource(const char* data, char* allocated_data, size_t size);
|
|
|
bd8523 |
+public:
|
|
|
bd8523 |
+ static ByteSource Allocated(char* data, size_t size);
|
|
|
bd8523 |
+ static ByteSource Foreign(const char* data, size_t size);
|
|
|
bd8523 |
};
|
|
|
bd8523 |
|
|
|
bd8523 |
enum PKEncodingType {
|
|
|
13eaef |
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
|
|
|
bd8523 |
index 55f5e8a..72af159 100644
|
|
|
13eaef |
--- a/src/node_crypto_bio.cc
|
|
|
13eaef |
+++ b/src/node_crypto_bio.cc
|
|
|
13eaef |
@@ -30,8 +30,18 @@
|
|
|
13eaef |
namespace node {
|
|
|
13eaef |
namespace crypto {
|
|
|
e23d3e |
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+#define BIO_set_data(bio, data) bio->ptr = data
|
|
|
13eaef |
+#define BIO_get_data(bio) bio->ptr
|
|
|
13eaef |
+#define BIO_set_shutdown(bio, shutdown_) bio->shutdown = shutdown_
|
|
|
13eaef |
+#define BIO_get_shutdown(bio) bio->shutdown
|
|
|
13eaef |
+#define BIO_set_init(bio, init_) bio->init = init_
|
|
|
13eaef |
+#define BIO_get_init(bio) bio->init
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
+
|
|
|
13eaef |
+
|
|
|
13eaef |
BIOPointer NodeBIO::New(Environment* env) {
|
|
|
13eaef |
- BIOPointer bio(BIO_new(GetMethod()));
|
|
|
13eaef |
+ BIOPointer bio(BIO_new(const_cast<BIO_METHOD*>(GetMethod())));
|
|
|
13eaef |
if (bio && env != nullptr)
|
|
|
13eaef |
NodeBIO::FromBIO(bio.get())->env_ = env;
|
|
|
13eaef |
return bio;
|
|
|
13eaef |
@@ -221,6 +231,22 @@ long NodeBIO::Ctrl(BIO* bio, int cmd, long num, // NOLINT(runtime/int)
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
13eaef |
const BIO_METHOD* NodeBIO::GetMethod() {
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
13eaef |
+ static const BIO_METHOD method = {
|
|
|
13eaef |
+ BIO_TYPE_MEM,
|
|
|
13eaef |
+ "node.js SSL buffer",
|
|
|
13eaef |
+ Write,
|
|
|
13eaef |
+ Read,
|
|
|
13eaef |
+ Puts,
|
|
|
13eaef |
+ Gets,
|
|
|
13eaef |
+ Ctrl,
|
|
|
13eaef |
+ New,
|
|
|
13eaef |
+ Free,
|
|
|
13eaef |
+ nullptr
|
|
|
13eaef |
+ };
|
|
|
13eaef |
+
|
|
|
13eaef |
+ return &method;
|
|
|
13eaef |
+#else
|
|
|
13eaef |
// This is called from InitCryptoOnce() to avoid race conditions during
|
|
|
13eaef |
// initialization.
|
|
|
13eaef |
static BIO_METHOD* method = nullptr;
|
|
|
13eaef |
@@ -237,6 +263,7 @@ const BIO_METHOD* NodeBIO::GetMethod() {
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
return method;
|
|
|
13eaef |
+#endif
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
e23d3e |
|
|
|
bd8523 |
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
|
|
|
bd8523 |
index 3b35ee1..e33e52e 100644
|
|
|
bd8523 |
--- a/src/node_crypto_common.cc
|
|
|
bd8523 |
+++ b/src/node_crypto_common.cc
|
|
|
bd8523 |
@@ -55,10 +55,11 @@ int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) {
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
void LogSecret(
|
|
|
bd8523 |
- const SSLPointer& ssl,
|
|
|
bd8523 |
- const char* name,
|
|
|
bd8523 |
- const unsigned char* secret,
|
|
|
bd8523 |
- size_t secretlen) {
|
|
|
bd8523 |
+ [[maybe_unused]] const SSLPointer& ssl,
|
|
|
bd8523 |
+ [[maybe_unused]] const char* name,
|
|
|
bd8523 |
+ [[maybe_unused]] const unsigned char* secret,
|
|
|
bd8523 |
+ [[maybe_unused]] size_t secretlen) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
auto keylog_cb = SSL_CTX_get_keylog_callback(SSL_get_SSL_CTX(ssl.get()));
|
|
|
bd8523 |
unsigned char crandom[32];
|
|
|
bd8523 |
|
|
|
bd8523 |
@@ -73,6 +74,7 @@ void LogSecret(
|
|
|
bd8523 |
line += " " + StringBytes::hex_encode(
|
|
|
bd8523 |
reinterpret_cast<const char*>(secret), secretlen);
|
|
|
bd8523 |
keylog_cb(ssl.get(), line.c_str());
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
bool SetALPN(const SSLPointer& ssl, const std::string& alpn) {
|
|
|
bd8523 |
@@ -195,7 +197,11 @@ std::string GetCertificateCN(X509* cert) {
|
|
|
bd8523 |
ASN1_STRING* cn_str = X509_NAME_ENTRY_get_data(cn);
|
|
|
bd8523 |
if (cn_str != nullptr) {
|
|
|
bd8523 |
return std::string(reinterpret_cast<const char*>(
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
ASN1_STRING_get0_data(cn_str)));
|
|
|
bd8523 |
+#else // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
+ ASN1_STRING_data(cn_str)));
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
}
|
|
|
bd8523 |
}
|
|
|
bd8523 |
}
|
|
|
bd8523 |
@@ -238,6 +244,7 @@ int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context) {
|
|
|
bd8523 |
return err;
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
const char* GetClientHelloALPN(const SSLPointer& ssl) {
|
|
|
bd8523 |
const unsigned char* buf;
|
|
|
bd8523 |
size_t len;
|
|
|
bd8523 |
@@ -284,13 +291,18 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) {
|
|
|
bd8523 |
return nullptr;
|
|
|
bd8523 |
return reinterpret_cast<const char*>(buf + 5);
|
|
|
bd8523 |
}
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
|
|
|
bd8523 |
const char* GetServerName(SSL* ssl) {
|
|
|
bd8523 |
return SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
bool SetGroups(SecureContext* sc, const char* groups) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
|
bd8523 |
return SSL_CTX_set1_groups_list(**sc, groups) == 1;
|
|
|
bd8523 |
+#else // OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
|
bd8523 |
+ return SSL_CTX_set1_curves_list(**sc, groups) == 1;
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10101000L
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
const char* X509ErrorCode(long err) { // NOLINT(runtime/int)
|
|
|
bd8523 |
@@ -609,7 +621,11 @@ MaybeLocal<Value> GetValidTo(
|
|
|
bd8523 |
Environment* env,
|
|
|
bd8523 |
X509* cert,
|
|
|
bd8523 |
const BIOPointer& bio) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
bd8523 |
+ ASN1_TIME_print(bio.get(), X509_get_notAfter(cert));
|
|
|
bd8523 |
+#else
|
|
|
bd8523 |
ASN1_TIME_print(bio.get(), X509_get0_notAfter(cert));
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
return ToV8Value(env, bio);
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
@@ -617,7 +633,11 @@ MaybeLocal<Value> GetValidFrom(
|
|
|
bd8523 |
Environment* env,
|
|
|
bd8523 |
X509* cert,
|
|
|
bd8523 |
const BIOPointer& bio) {
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER < 0x10100000L
|
|
|
bd8523 |
+ ASN1_TIME_print(bio.get(), X509_get_notBefore(cert));
|
|
|
bd8523 |
+#else
|
|
|
bd8523 |
ASN1_TIME_print(bio.get(), X509_get0_notBefore(cert));
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
return ToV8Value(env, bio);
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
@@ -768,6 +788,7 @@ MaybeLocal<Value> GetCipherVersion(Environment* env, const SSLPointer& ssl) {
|
|
|
bd8523 |
return GetCipherVersion(env, SSL_get_current_cipher(ssl.get()));
|
|
|
bd8523 |
}
|
|
|
bd8523 |
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
MaybeLocal<Array> GetClientHelloCiphers(
|
|
|
bd8523 |
Environment* env,
|
|
|
bd8523 |
const SSLPointer& ssl) {
|
|
|
bd8523 |
@@ -800,6 +821,7 @@ MaybeLocal<Array> GetClientHelloCiphers(
|
|
|
bd8523 |
Local<Array> ret = Array::New(env->isolate(), ciphers.out(), count);
|
|
|
bd8523 |
return scope.Escape(ret);
|
|
|
bd8523 |
}
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
|
|
|
bd8523 |
|
|
|
bd8523 |
MaybeLocal<Object> GetCipherInfo(Environment* env, const SSLPointer& ssl) {
|
|
|
bd8523 |
@@ -849,8 +871,10 @@ MaybeLocal<Object> GetEphemeralKey(Environment* env, const SSLPointer& ssl) {
|
|
|
bd8523 |
}
|
|
|
bd8523 |
break;
|
|
|
bd8523 |
case EVP_PKEY_EC:
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
case EVP_PKEY_X25519:
|
|
|
bd8523 |
case EVP_PKEY_X448:
|
|
|
bd8523 |
+#endif
|
|
|
bd8523 |
{
|
|
|
bd8523 |
const char* curve_name;
|
|
|
bd8523 |
if (kid == EVP_PKEY_EC) {
|
|
|
bd8523 |
diff --git a/src/node_crypto_common.h b/src/node_crypto_common.h
|
|
|
bd8523 |
index c373a97..bdf25e7 100644
|
|
|
bd8523 |
--- a/src/node_crypto_common.h
|
|
|
bd8523 |
+++ b/src/node_crypto_common.h
|
|
|
bd8523 |
@@ -73,9 +73,11 @@ long VerifyPeerCertificate( // NOLINT(runtime/int)
|
|
|
bd8523 |
|
|
|
bd8523 |
int UseSNIContext(const SSLPointer& ssl, BaseObjectPtr<SecureContext> context);
|
|
|
bd8523 |
|
|
|
bd8523 |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
const char* GetClientHelloALPN(const SSLPointer& ssl);
|
|
|
bd8523 |
|
|
|
bd8523 |
const char* GetClientHelloServerName(const SSLPointer& ssl);
|
|
|
bd8523 |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
bd8523 |
|
|
|
bd8523 |
const char* GetServerName(SSL* ssl);
|
|
|
bd8523 |
|
|
|
13eaef |
diff --git a/src/node_errors.h b/src/node_errors.h
|
|
|
bd8523 |
index f79b87a..ad8c272 100644
|
|
|
13eaef |
--- a/src/node_errors.h
|
|
|
13eaef |
+++ b/src/node_errors.h
|
|
|
bd8523 |
@@ -158,8 +158,8 @@ inline v8::Local<v8::Value> ERR_STRING_TOO_LONG(v8::Isolate* isolate) {
|
|
|
e23d3e |
|
|
|
13eaef |
#define THROW_AND_RETURN_IF_NOT_STRING(env, val, prefix) \
|
|
|
13eaef |
do { \
|
|
|
13eaef |
- if (!val->IsString()) \
|
|
|
13eaef |
- return node::THROW_ERR_INVALID_ARG_TYPE(env, \
|
|
|
13eaef |
+ if (!(val)->IsString()) \
|
|
|
13eaef |
+ return node::THROW_ERR_INVALID_ARG_TYPE((env), \
|
|
|
13eaef |
prefix " must be a string"); \
|
|
|
13eaef |
} while (0)
|
|
|
e23d3e |
|
|
|
13eaef |
diff --git a/src/node_options.cc b/src/node_options.cc
|
|
|
bd8523 |
index 8b3a161..17a7e34 100644
|
|
|
13eaef |
--- a/src/node_options.cc
|
|
|
13eaef |
+++ b/src/node_options.cc
|
|
|
bd8523 |
@@ -524,10 +524,12 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
|
|
|
13eaef |
"set default TLS minimum to TLSv1.2 (default: TLSv1.2)",
|
|
|
13eaef |
&EnvironmentOptions::tls_min_v1_2,
|
|
|
13eaef |
kAllowedInEnvironment);
|
|
|
13eaef |
+#ifdef TLS1_3_VERSION
|
|
|
13eaef |
AddOption("--tls-min-v1.3",
|
|
|
13eaef |
"set default TLS minimum to TLSv1.3 (default: TLSv1.2)",
|
|
|
13eaef |
&EnvironmentOptions::tls_min_v1_3,
|
|
|
13eaef |
kAllowedInEnvironment);
|
|
|
13eaef |
+#endif // TLS1_3_VERSION
|
|
|
13eaef |
AddOption("--tls-max-v1.2",
|
|
|
13eaef |
"set default TLS maximum to TLSv1.2 (default: TLSv1.3)",
|
|
|
13eaef |
&EnvironmentOptions::tls_max_v1_2,
|
|
|
bd8523 |
@@ -536,10 +538,12 @@ EnvironmentOptionsParser::EnvironmentOptionsParser() {
|
|
|
13eaef |
// - 11.x and below: TLS1.3 is opt-in with --tls-max-v1.3
|
|
|
13eaef |
// - 12.x: TLS1.3 is opt-out with --tls-max-v1.2
|
|
|
13eaef |
// In either case, support both options they are uniformly available.
|
|
|
13eaef |
+#ifdef TLS1_3_VERSION
|
|
|
13eaef |
AddOption("--tls-max-v1.3",
|
|
|
13eaef |
"set default TLS maximum to TLSv1.3 (default: TLSv1.3)",
|
|
|
13eaef |
&EnvironmentOptions::tls_max_v1_3,
|
|
|
13eaef |
kAllowedInEnvironment);
|
|
|
13eaef |
+#endif // TLS1_3_VERSION
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
PerIsolateOptionsParser::PerIsolateOptionsParser(
|
|
|
13eaef |
diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc
|
|
|
bd8523 |
index 39dcf53..8fda8b9 100644
|
|
|
13eaef |
--- a/src/tls_wrap.cc
|
|
|
13eaef |
+++ b/src/tls_wrap.cc
|
|
|
bd8523 |
@@ -939,11 +939,13 @@ void TLSWrap::EnableSessionCallbacks(
|
|
|
e23d3e |
|
|
|
13eaef |
void TLSWrap::EnableKeylogCallback(
|
|
|
13eaef |
const FunctionCallbackInfo<Value>& args) {
|
|
|
13eaef |
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
TLSWrap* wrap;
|
|
|
13eaef |
ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
|
|
|
13eaef |
CHECK_NOT_NULL(wrap->sc_);
|
|
|
13eaef |
SSL_CTX_set_keylog_callback(wrap->sc_->ctx_.get(),
|
|
|
13eaef |
SSLWrap<TLSWrap>::KeylogCallback);
|
|
|
13eaef |
+#endif // OPENSSL_VERSION_NUMBER >= 0x10100000L
|
|
|
13eaef |
}
|
|
|
e23d3e |
|
|
|
13eaef |
// Check required capabilities were not excluded from the OpenSSL build:
|
|
|
e23d3e |
--
|
|
|
bd8523 |
2.26.2
|
|
|
0a424e |
|