From ae4f772872661d6435c27e50937a0c3cbcede43c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Mon, 23 Nov 2020 11:56:26 +0100
Subject: [PATCH] Use OpenSSL 1.0 API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Pass non-const pointer to BIO_new
  In legacy OpenSSL, the method parameter for BIO_new is not marked const,
  although the function does not need it to be mutable.
  This is likely an oversight in the interface.
  The provided "fix" is potentially dangerous,
  as casting away `const`-ness is potentially an undefined behaviour.
  Since the code around assumes it is constant anyway,
  it *should* be fine here – but use with care.
- Remove const-qualifier for SSL_SESSION callback argument
  In legacy OpenSSL, the parameter is expected to be mutable.
  Using `const` prevents passing the method as a function pointer
  to other OpenSSL API functions.
- Provide GetCipherValue wrapper for non-const strings
- Sanitize inputs into PBKDF2
Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
 src/node_crypto.cc        | 26 ++++++++++++++++++++++++--
 src/node_crypto.h         |  4 ++++
 src/node_crypto_bio.cc    |  4 ++++
 src/node_crypto_common.cc |  8 ++++++++
 4 files changed, 40 insertions(+), 2 deletions(-)
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
b24b2a
index 90df5f25e0..7be3f77e1a 100644
d744d0
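--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -123,7 +123,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
 template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
 template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
     SSL* s,
+#if OPENSSL_IS_LEGACY
+    unsigned char *key,
+#else
     const unsigned char* key,
+#endif
     int len,
     int* copy);
 template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
@@ -1746,7 +1750,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
 
 template <class Base>
 SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
+#if OPENSSL_IS_LEGACY
+                                               unsigned char* key,
+#else
                                                const unsigned char* key,
+#endif
                                                int len,
                                                int* copy) {
   Base* w = static_cast<Base*>(SSL_get_app_data(s));
@@ -5917,9 +5925,23 @@ struct PBKDF2Job : public CryptoJob {
   }
 
   inline void DoThreadPoolWork() override {
-    auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
+    static const char * const empty = "";
+
+    auto pass_data = reinterpret_cast<const char *>(empty);
+    auto pass_size = int(0);
+    auto salt_data = reinterpret_cast<const unsigned char *>(empty);
+    auto salt_size = int(0);
+
+    if (pass.size() > 0) {
+      pass_data = pass.data(), pass_size = pass.size();
+    }
+    if (salt.size() > 0) {
+      salt_data = reinterpret_cast<const unsigned char *>(salt.data());
+      salt_size = salt.size();
+    }
+
     const bool ok =
-        PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
+        PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
                           iteration_count, digest, keybuf_size, keybuf_data);
     success = Just(ok);
     Cleanse();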
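Review bot: `pass_size` and `salt_size` are declared `int` and then assigned directly from `pass.size()` and `salt.size()` in DoThreadPoolWork, so if those return a wider unsigned type (the declarations of `pass` and `salt` are outside the hunk) an oversized input is narrowed silently before it reaches `PKCS5_PBKDF2_HMAC`. I would make the conversion explicit and guarded: a bounds check against `INT_MAX` followed by `pass_size = static_cast<int>(pass.size());`, and the same for the salt. The substitution of a static empty string has no comment; presumably it keeps a null `data()` pointer from being passed for an empty password or salt, and a line such as `// Never pass a null pointer for an empty password or salt.` would record that once confirmed. As a matter of style, `pass_data = pass.data(), pass_size = pass.size();` reads better as two statements, and `reinterpret_cast<const char *>(empty)` is a no-op because `empty` already has that type. The body of DoThreadPoolWork ends outside the hunk.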
d744d0
diff --git a/src/node_crypto.h b/src/node_crypto.h
b24b2a
index 0b9dab833d..7d6417b66f 100644
d744d0
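--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -234,7 +234,11 @@ class SSLWrap {
   static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
 
   static SSL_SESSION* GetSessionCallback(SSL* s,
+#if OPENSSL_IS_LEGACY
+                                         unsigned char* key,
+#else // OPENSSL_IS_LEGACY
                                          const unsigned char* key,
+#endif // OPENSSL_IS_LEGACY
                                          int len,
                                          int* copy);
   static int NewSessionCallback(SSL* s, SSL_SESSION* sess);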
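Review bot: In the legacy branch `key` loses its `const`, so the compiler no longer rejects a write through it, and nothing at this declaration says the buffer is still meant to be read-only; the same conditional is repeated in the explicit instantiation and in the definition in src/node_crypto.cc, and the definition's body lies outside its hunk. A comment above the `#if`, for example `// Legacy OpenSSL declares this callback with a non-const key; do not write through it.`, would keep that intent visible. The three copies also differ in style: the instantiation writes `unsigned char *key` where the other two write `unsigned char* key`, and only this header annotates `#else // OPENSSL_IS_LEGACY`. A single type alias for the key pointer, selected by one `#if` in this header and used in all three places, would stop them drifting apart.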
d744d0
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
d744d0
index 55f5e8a5a3..c2a44fdb86 100644
d744d0
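--- a/src/node_crypto_bio.cc
+++ b/src/node_crypto_bio.cc
@@ -31,7 +31,11 @@ namespace node {
 namespace crypto {
 
 BIOPointer NodeBIO::New(Environment* env) {
+#if OPENSSL_IS_LEGACY
+  BIOPointer bio(BIO_new(const_cast<BIO_METHOD *>(GetMethod())));
+#else
   BIOPointer bio(BIO_new(GetMethod()));
+#endif
   if (bio && env != nullptr)
     NodeBIO::FromBIO(bio.get())->env_ = env;
   return bio;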
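Review bot: The `const_cast<BIO_METHOD *>` in the legacy branch of NodeBIO::New has no comment, so the caveat spelled out in the commit message is invisible at the call site where a later reader will meet the cast. I would add above it `// Legacy BIO_new() takes a non-const BIO_METHOD*; the table from GetMethod() must not be modified through this pointer.` Whether GetMethod() returns a pointer to an object that is itself defined `const` is not visible here; if it does, any write through the cast result would be undefined behaviour, which is worth confirming for the legacy build. The closing brace of New is outside the hunk.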
b24b2a
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
b24b2a
index 6c3bb0b1b6..d1d9edd6cd 100644
b24b2a
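--- a/src/node_crypto_common.cc
+++ b/src/node_crypto_common.cc
@@ -392,6 +392,14 @@ MaybeLocal<Value> GetCipherValue(Environment* env,
 
   return OneByteString(env->isolate(), getstr(cipher));
 }
+MaybeLocal<Value> GetCipherValue(Environment* env,
+    const SSL_CIPHER* cipher,
+    char* (*getstr)(const SSL_CIPHER* cipher)) {
+  if (cipher == nullptr) {
+    return Undefined(env->isolate());
+  }
+  return OneByteString(env->isolate(), const_cast<const char *>(getstr(cipher)));
+}
 
 MaybeLocal<Value> GetCipherName(Environment* env, const SSL_CIPHER* cipher) {
   return GetCipherValue(env, cipher, SSL_CIPHER_get_name);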
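Review bot: The new `GetCipherValue` overload is compiled unconditionally, unlike the other legacy-only changes in this patch that sit behind `#if OPENSSL_IS_LEGACY`, and it carries no comment saying it exists for getters that return `char*`. The `const_cast<const char *>` only adds `const`, which the implicit conversion already does, so `return OneByteString(env->isolate(), getstr(cipher));` is sufficient and avoids a cast that looks riskier than it is. The result of `getstr` is passed on without a null check, as the existing overload above appears to do; how `OneByteString` handles a null pointer is not visible here. A blank line after the preceding `}` would match the spacing of the surrounding definitions, and the start of the existing overload is outside the hunk.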
-- 
2.28.0