|
 |
d744d0 |
From 338901851f23e9d42b86fe88bed99bada47e099c Mon Sep 17 00:00:00 2001
|
|
|
d744d0 |
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
|
|
|
d744d0 |
Date: Fri, 2 Oct 2020 13:00:17 +0200
|
|
|
d744d0 |
Subject: [PATCH] Use OpenSSL 1.0 API
|
|
|
d744d0 |
MIME-Version: 1.0
|
|
|
d744d0 |
Content-Type: text/plain; charset=UTF-8
|
|
|
d744d0 |
Content-Transfer-Encoding: 8bit
|
|
|
d744d0 |
|
|
|
d744d0 |
- Pass non-const pointer to BIO_new
|
|
|
d744d0 |
|
|
|
d744d0 |
In legacy OpenSSL, the method parameter for BIO_new is not marked const,
|
|
|
d744d0 |
although the function does not need it to be mutable.
|
|
|
d744d0 |
This is likely an oversight in the interface.
|
|
|
d744d0 |
|
|
|
d744d0 |
The provided "fix" is potentially dangerous,
|
|
|
d744d0 |
as casting away `const`-ness is potentially an undefined behaviour.
|
|
|
d744d0 |
Since the code around assumes it is constant anyway,
|
|
|
d744d0 |
it *should* be fine here – but use with care.
|
|
|
d744d0 |
|
|
|
d744d0 |
- Remove const-classifier for SSL_SESSION callback argument
|
|
|
d744d0 |
|
|
|
d744d0 |
In legacy OpenSSL, the parameter is expected to be mutable.
|
|
|
d744d0 |
Using `const` prevents passing the method as a function pointer
|
|
|
d744d0 |
to other OpenSSL API functions.
|
|
|
d744d0 |
|
|
|
d744d0 |
- Sanitize inputs into PBKDF2
|
|
|
d744d0 |
|
|
|
d744d0 |
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
|
|
d744d0 |
---
|
|
|
d744d0 |
src/node_crypto.cc | 26 ++++++++++++++++++++++++--
|
|
|
d744d0 |
src/node_crypto.h | 4 ++++
|
|
|
d744d0 |
src/node_crypto_bio.cc | 4 ++++
|
|
|
d744d0 |
3 files changed, 32 insertions(+), 2 deletions(-)
|
|
|
d744d0 |
|
|
|
d744d0 |
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
|
|
d744d0 |
index 5783500b16..23c460ee49 100644
|
|
|
d744d0 |
--- a/src/node_crypto.cc
|
|
|
d744d0 |
+++ b/src/node_crypto.cc
|
|
|
d744d0 |
@@ -123,7 +123,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
|
|
|
d744d0 |
template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
|
|
|
d744d0 |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
|
|
|
d744d0 |
SSL* s,
|
|
|
d744d0 |
+#if OPENSSL_IS_LEGACY
|
|
|
d744d0 |
+ unsigned char *key,
|
|
|
d744d0 |
+#else
|
|
|
d744d0 |
const unsigned char* key,
|
|
|
d744d0 |
+#endif
|
|
|
d744d0 |
int len,
|
|
|
d744d0 |
int* copy);
|
|
|
d744d0 |
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
|
|
|
d744d0 |
@@ -1755,7 +1759,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
|
|
|
d744d0 |
|
|
|
d744d0 |
template <class Base>
|
|
|
d744d0 |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
|
|
|
d744d0 |
+#if OPENSSL_IS_LEGACY
|
|
|
d744d0 |
+ unsigned char* key,
|
|
|
d744d0 |
+#else
|
|
|
d744d0 |
const unsigned char* key,
|
|
|
d744d0 |
+#endif
|
|
|
d744d0 |
int len,
|
|
|
d744d0 |
int* copy) {
|
|
|
d744d0 |
Base* w = static_cast<Base*>(SSL_get_app_data(s));
|
|
|
d744d0 |
@@ -5845,9 +5853,23 @@ struct PBKDF2Job : public CryptoJob {
|
|
|
d744d0 |
}
|
|
|
d744d0 |
|
|
|
d744d0 |
inline void DoThreadPoolWork() override {
|
|
|
d744d0 |
- auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
|
|
|
d744d0 |
+ static const char * const empty = "";
|
|
|
d744d0 |
+
|
|
|
d744d0 |
+ auto pass_data = reinterpret_cast<const char *>(empty);
|
|
|
d744d0 |
+ auto pass_size = int(0);
|
|
|
d744d0 |
+ auto salt_data = reinterpret_cast<const unsigned char *>(empty);
|
|
|
d744d0 |
+ auto salt_size = int(0);
|
|
|
d744d0 |
+
|
|
|
d744d0 |
+ if (pass.size() > 0) {
|
|
|
d744d0 |
+ pass_data = pass.data(), pass_size = pass.size();
|
|
|
d744d0 |
+ }
|
|
|
d744d0 |
+ if (salt.size() > 0) {
|
|
|
d744d0 |
+ salt_data = reinterpret_cast<const unsigned char *>(salt.data());
|
|
|
d744d0 |
+ salt_size = salt.size();
|
|
|
d744d0 |
+ }
|
|
|
d744d0 |
+
|
|
|
d744d0 |
const bool ok =
|
|
|
d744d0 |
- PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
|
|
|
d744d0 |
+ PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
|
|
|
d744d0 |
iteration_count, digest, keybuf_size, keybuf_data);
|
|
|
d744d0 |
success = Just(ok);
|
|
|
d744d0 |
Cleanse();
|
|
|
d744d0 |
diff --git a/src/node_crypto.h b/src/node_crypto.h
|
|
|
d744d0 |
index ec86debfea..5e8e6ac000 100644
|
|
|
d744d0 |
--- a/src/node_crypto.h
|
|
|
d744d0 |
+++ b/src/node_crypto.h
|
|
|
d744d0 |
@@ -233,7 +233,11 @@ class SSLWrap {
|
|
|
d744d0 |
static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
|
|
|
d744d0 |
|
|
|
d744d0 |
static SSL_SESSION* GetSessionCallback(SSL* s,
|
|
|
d744d0 |
+#if OPENSSL_IS_LEGACY
|
|
|
d744d0 |
+ unsigned char* key,
|
|
|
d744d0 |
+#else // OPENSSL_IS_LEGACY
|
|
|
d744d0 |
const unsigned char* key,
|
|
|
d744d0 |
+#endif // OPENSSL_IS_LEGACY
|
|
|
d744d0 |
int len,
|
|
|
d744d0 |
int* copy);
|
|
|
d744d0 |
static int NewSessionCallback(SSL* s, SSL_SESSION* sess);
|
|
|
d744d0 |
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
|
|
|
d744d0 |
index 55f5e8a5a3..c2a44fdb86 100644
|
|
|
d744d0 |
--- a/src/node_crypto_bio.cc
|
|
|
d744d0 |
+++ b/src/node_crypto_bio.cc
|
|
|
d744d0 |
@@ -31,7 +31,11 @@ namespace node {
|
|
|
d744d0 |
namespace crypto {
|
|
|
d744d0 |
|
|
|
d744d0 |
BIOPointer NodeBIO::New(Environment* env) {
|
|
|
d744d0 |
+#if OPENSSL_IS_LEGACY
|
|
|
d744d0 |
+ BIOPointer bio(BIO_new(const_cast<BIO_METHOD *>(GetMethod())));
|
|
|
d744d0 |
+#else
|
|
|
d744d0 |
BIOPointer bio(BIO_new(GetMethod()));
|
|
|
d744d0 |
+#endif
|
|
|
d744d0 |
if (bio && env != nullptr)
|
|
|
d744d0 |
NodeBIO::FromBIO(bio.get())->env_ = env;
|
|
|
d744d0 |
return bio;
|
|
|
d744d0 |
--
|
|
|
d744d0 |
2.26.2
|
|
|
d744d0 |
|