From 338901851f23e9d42b86fe88bed99bada47e099c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Fri, 2 Oct 2020 13:00:17 +0200
Subject: [PATCH] Use OpenSSL 1.0 API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Pass non-const pointer to BIO_new
In legacy OpenSSL, the method parameter for BIO_new is not marked const,
although the function does not need it to be mutable.
This is likely an oversight in the interface.
The provided "fix" is potentially dangerous,
as casting away `const`-ness is potentially an undefined behaviour.
Since the code around assumes it is constant anyway,
it *should* be fine here – but use with care.
- Remove const-classifier for SSL_SESSION callback argument
In legacy OpenSSL, the parameter is expected to be mutable.
Using `const` prevents passing the method as a function pointer
to other OpenSSL API functions.
- Sanitize inputs into PBKDF2
Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
src/node_crypto.cc | 26 ++++++++++++++++++++++++--
src/node_crypto.h | 4 ++++
src/node_crypto_bio.cc | 4 ++++
3 files changed, 32 insertions(+), 2 deletions(-)
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
index 5783500b16..23c460ee49 100644
--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@@ -123,7 +123,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
SSL* s,
+#if OPENSSL_IS_LEGACY
+ unsigned char *key,
+#else
const unsigned char* key,
+#endif
int len,
int* copy);
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
@@ -1755,7 +1759,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
template <class Base>
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
+#if OPENSSL_IS_LEGACY
+ unsigned char* key,
+#else
const unsigned char* key,
+#endif
int len,
int* copy) {
Base* w = static_cast<Base*>(SSL_get_app_data(s));
@@ -5845,9 +5853,23 @@ struct PBKDF2Job : public CryptoJob {
}
inline void DoThreadPoolWork() override {
- auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
+ static const char * const empty = "";
+
+ auto pass_data = reinterpret_cast<const char *>(empty);
+ auto pass_size = int(0);
+ auto salt_data = reinterpret_cast<const unsigned char *>(empty);
+ auto salt_size = int(0);
+
+ if (pass.size() > 0) {
+ pass_data = pass.data(), pass_size = pass.size();
+ }
+ if (salt.size() > 0) {
+ salt_data = reinterpret_cast<const unsigned char *>(salt.data());
+ salt_size = salt.size();
+ }
+
const bool ok =
- PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
+ PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
iteration_count, digest, keybuf_size, keybuf_data);
success = Just(ok);
Cleanse();
diff --git a/src/node_crypto.h b/src/node_crypto.h
index ec86debfea..5e8e6ac000 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -233,7 +233,11 @@ class SSLWrap {
static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
static SSL_SESSION* GetSessionCallback(SSL* s,
+#if OPENSSL_IS_LEGACY
+ unsigned char* key,
+#else // OPENSSL_IS_LEGACY
const unsigned char* key,
+#endif // OPENSSL_IS_LEGACY
int len,
int* copy);
static int NewSessionCallback(SSL* s, SSL_SESSION* sess);
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
index 55f5e8a5a3..c2a44fdb86 100644
--- a/src/node_crypto_bio.cc
+++ b/src/node_crypto_bio.cc
@@ -31,7 +31,11 @@ namespace node {
namespace crypto {
BIOPointer NodeBIO::New(Environment* env) {
+#if OPENSSL_IS_LEGACY
+ BIOPointer bio(BIO_new(const_cast<BIO_METHOD *>(GetMethod())));
+#else
BIOPointer bio(BIO_new(GetMethod()));
+#endif
if (bio && env != nullptr)
NodeBIO::FromBIO(bio.get())->env_ = env;
return bio;
--
2.26.2