|
 |
effb77 |
From 58e2804cb0802a751f3b4069252b904eedf17f56 Mon Sep 17 00:00:00 2001
|
|
|
3f476a |
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
|
|
|
effb77 |
Date: Wed, 13 Jul 2022 14:26:36 +0200
|
|
|
effb77 |
Subject: [PATCH] Use OpenSSL 1.0 API
|
|
|
3f476a |
MIME-Version: 1.0
|
|
|
3f476a |
Content-Type: text/plain; charset=UTF-8
|
|
|
3f476a |
Content-Transfer-Encoding: 8bit
|
|
|
3f476a |
|
|
|
3f476a |
- Pass non-const pointer to BIO_new
|
|
|
3f476a |
|
|
|
3f476a |
In legacy OpenSSL, the method parameter for BIO_new is not marked const,
|
|
|
3f476a |
although the function does not need it to be mutable.
|
|
|
3f476a |
This is likely an oversight in the interface.
|
|
|
3f476a |
|
|
|
3f476a |
The provided "fix" is potentially dangerous,
|
|
|
3f476a |
as casting away `const`-ness is potentially an undefined behaviour.
|
|
|
3f476a |
Since the code around assumes it is constant anyway,
|
|
|
3f476a |
it *should* be fine here – but use with care.
|
|
|
3f476a |
|
|
|
3f476a |
- Remove const-classifier for SSL_SESSION callback argument
|
|
|
3f476a |
|
|
|
3f476a |
In legacy OpenSSL, the parameter is expected to be mutable.
|
|
|
3f476a |
Using `const` prevents passing the method as a function pointer
|
|
|
3f476a |
to other OpenSSL API functions.
|
|
|
3f476a |
|
|
|
3f476a |
- Sanitize inputs into PBKDF2
|
|
|
3f476a |
|
|
|
3f476a |
- Return const char from SSL_CIPHER_get_version
|
|
|
3f476a |
|
|
|
effb77 |
- Use non-const signature for X509 name functions
|
|
|
effb77 |
|
|
|
3f476a |
Signed-off-by: Jan Staněk <jstanek@redhat.com>
|
|
|
3f476a |
---
|
|
|
3f476a |
src/node_crypto.cc | 26 ++++++++++++++++++++++++--
|
|
|
3f476a |
src/node_crypto.h | 4 ++++
|
|
|
3f476a |
src/node_crypto_bio.cc | 4 ++++
|
|
|
effb77 |
src/node_crypto_common.cc | 14 +++++++++++---
|
|
|
effb77 |
4 files changed, 43 insertions(+), 5 deletions(-)
|
|
|
3f476a |
|
|
|
3f476a |
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
|
|
effb77 |
index d7c7d06646..de8b26930b 100644
|
|
|
3f476a |
--- a/src/node_crypto.cc
|
|
|
3f476a |
+++ b/src/node_crypto.cc
|
|
|
effb77 |
@@ -133,7 +133,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
|
|
|
3f476a |
template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
|
|
|
3f476a |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
|
|
|
3f476a |
SSL* s,
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ unsigned char *key,
|
|
|
3f476a |
+#else
|
|
|
3f476a |
const unsigned char* key,
|
|
|
3f476a |
+#endif
|
|
|
3f476a |
int len,
|
|
|
3f476a |
int* copy);
|
|
|
3f476a |
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
|
|
|
effb77 |
@@ -1785,7 +1789,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
|
|
|
3f476a |
|
|
|
3f476a |
template <class Base>
|
|
|
3f476a |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ unsigned char* key,
|
|
|
3f476a |
+#else
|
|
|
3f476a |
const unsigned char* key,
|
|
|
3f476a |
+#endif
|
|
|
3f476a |
int len,
|
|
|
3f476a |
int* copy) {
|
|
|
3f476a |
Base* w = static_cast<Base*>(SSL_get_app_data(s));
|
|
|
effb77 |
@@ -5908,9 +5916,23 @@ struct PBKDF2Job : public CryptoJob {
|
|
|
3f476a |
}
|
|
|
3f476a |
|
|
|
3f476a |
inline void DoThreadPoolWork() override {
|
|
|
3f476a |
- auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
|
|
|
3f476a |
+ static const char * const empty = "";
|
|
|
3f476a |
+
|
|
|
3f476a |
+ auto pass_data = reinterpret_cast<const char *>(empty);
|
|
|
3f476a |
+ auto pass_size = int(0);
|
|
|
3f476a |
+ auto salt_data = reinterpret_cast<const unsigned char *>(empty);
|
|
|
3f476a |
+ auto salt_size = int(0);
|
|
|
3f476a |
+
|
|
|
3f476a |
+ if (pass.size() > 0) {
|
|
|
3f476a |
+ pass_data = pass.data(), pass_size = pass.size();
|
|
|
3f476a |
+ }
|
|
|
3f476a |
+ if (salt.size() > 0) {
|
|
|
3f476a |
+ salt_data = reinterpret_cast<const unsigned char *>(salt.data());
|
|
|
3f476a |
+ salt_size = salt.size();
|
|
|
3f476a |
+ }
|
|
|
3f476a |
+
|
|
|
3f476a |
const bool ok =
|
|
|
3f476a |
- PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
|
|
|
3f476a |
+ PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
|
|
|
3f476a |
iteration_count, digest, keybuf_size, keybuf_data);
|
|
|
3f476a |
success = Just(ok);
|
|
|
3f476a |
Cleanse();
|
|
|
3f476a |
diff --git a/src/node_crypto.h b/src/node_crypto.h
|
|
|
3f476a |
index d46730c9ba..dbc46fbec8 100644
|
|
|
3f476a |
--- a/src/node_crypto.h
|
|
|
3f476a |
+++ b/src/node_crypto.h
|
|
|
3f476a |
@@ -235,7 +235,11 @@ class SSLWrap {
|
|
|
3f476a |
static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
|
|
|
3f476a |
|
|
|
3f476a |
static SSL_SESSION* GetSessionCallback(SSL* s,
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ unsigned char* key,
|
|
|
3f476a |
+#else // OPENSSL_IS_LEGACY
|
|
|
3f476a |
const unsigned char* key,
|
|
|
3f476a |
+#endif // OPENSSL_IS_LEGACY
|
|
|
3f476a |
int len,
|
|
|
3f476a |
int* copy);
|
|
|
3f476a |
static int NewSessionCallback(SSL* s, SSL_SESSION* sess);
|
|
|
3f476a |
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
|
|
|
3f476a |
index 8c58e31f86..319580c9b6 100644
|
|
|
3f476a |
--- a/src/node_crypto_bio.cc
|
|
|
3f476a |
+++ b/src/node_crypto_bio.cc
|
|
|
3f476a |
@@ -32,7 +32,11 @@ namespace node {
|
|
|
3f476a |
namespace crypto {
|
|
|
3f476a |
|
|
|
3f476a |
BIOPointer NodeBIO::New(Environment* env) {
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ BIOPointer bio(BIO_new(const_cast<BIO_METHOD *>(GetMethod())));
|
|
|
3f476a |
+#else
|
|
|
3f476a |
BIOPointer bio(BIO_new(GetMethod()));
|
|
|
3f476a |
+#endif
|
|
|
3f476a |
if (bio && env != nullptr)
|
|
|
3f476a |
NodeBIO::FromBIO(bio.get())->env_ = env;
|
|
|
3f476a |
return bio;
|
|
|
3f476a |
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
|
|
|
effb77 |
index d43e5af2b5..7d313dd3df 100644
|
|
|
3f476a |
--- a/src/node_crypto_common.cc
|
|
|
3f476a |
+++ b/src/node_crypto_common.cc
|
|
|
effb77 |
@@ -337,7 +337,15 @@ MaybeLocal<Value> GetCipherStandardName(
|
|
|
3f476a |
}
|
|
|
3f476a |
|
|
|
3f476a |
MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
|
|
|
3f476a |
- return GetCipherValue(env, cipher, SSL_CIPHER_get_version);
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ auto get_version = [](const SSL_CIPHER *cipher){
|
|
|
3f476a |
+ return const_cast<const char *>(SSL_CIPHER_get_version(cipher));
|
|
|
3f476a |
+ };
|
|
|
3f476a |
+#else // OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ auto get_version = SSL_CIPHER_get_version;
|
|
|
3f476a |
+#endif // OPENSSL_IS_LEGACY
|
|
|
3f476a |
+
|
|
|
3f476a |
+ return GetCipherValue(env, cipher, get_version);
|
|
|
3f476a |
}
|
|
|
3f476a |
|
|
|
3f476a |
StackOfX509 CloneSSLCerts(X509Pointer&& cert,
|
|
|
effb77 |
@@ -845,7 +853,7 @@ v8::MaybeLocal<v8::Value> GetInfoAccessString(
|
|
|
effb77 |
return ToV8Value(env, bio);
|
|
|
effb77 |
}
|
|
|
effb77 |
|
|
|
effb77 |
-template <X509_NAME* get_name(const X509*)>
|
|
|
effb77 |
+template <X509_NAME* get_name(X509*)>
|
|
|
effb77 |
static MaybeLocal<Value> GetX509NameObject(Environment* env, X509* cert) {
|
|
|
effb77 |
X509_NAME* name = get_name(cert);
|
|
|
effb77 |
CHECK_NOT_NULL(name);
|
|
|
effb77 |
@@ -868,7 +876,7 @@ static MaybeLocal<Value> GetX509NameObject(Environment* env, X509* cert) {
|
|
|
effb77 |
// anyway, and multi-value RDNs are rare, i.e., the vast majority of
|
|
|
effb77 |
// Relative Distinguished Names contains a single type-value pair only.
|
|
|
effb77 |
const ASN1_OBJECT* type = X509_NAME_ENTRY_get_object(entry);
|
|
|
effb77 |
- const ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);
|
|
|
effb77 |
+ ASN1_STRING* value = X509_NAME_ENTRY_get_data(entry);
|
|
|
effb77 |
|
|
|
effb77 |
// If OpenSSL knows the type, use the short name of the type as the key, and
|
|
|
effb77 |
// the numeric representation of the type's OID otherwise.
|
|
|
3f476a |
--
|
|
|
effb77 |
2.36.1
|
|
|
3f476a |
|