From ea610f38a05ca2b256e1f8b1d0dd8b33abc521ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Stan=C4=9Bk?= <jstanek@redhat.com>
Date: Wed, 7 Jul 2021 13:37:46 +0200
Subject: [PATCH] Use OpenSSL 1.0 API
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- Pass non-const pointer to BIO_new
In legacy OpenSSL, the method parameter for BIO_new is not marked const,
although the function does not need it to be mutable.
This is likely an oversight in the interface.
The provided "fix" is potentially dangerous,
as casting away `const`-ness is potentially undefined behaviour.
Since the code around assumes it is constant anyway,
it *should* be fine here – but use with care.
- Remove const-classifier for SSL_SESSION callback argument
In legacy OpenSSL, the parameter is expected to be mutable.
Using `const` prevents passing the method as a function pointer
to other OpenSSL API functions.
- Sanitize inputs into PBKDF2
- Return const char from SSL_CIPHER_get_version
Signed-off-by: Jan Staněk <jstanek@redhat.com>
---
src/node_crypto.cc | 26 ++++++++++++++++++++++++--
src/node_crypto.h | 4 ++++
src/node_crypto_bio.cc | 4 ++++
src/node_crypto_common.cc | 10 +++++++++-
4 files changed, 41 insertions(+), 3 deletions(-)
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
|
|
|
f0ceb1 |
index dbef9d42f0..c9de7d8a19 100644
|
|
|
3f476a |
--- a/src/node_crypto.cc
|
|
|
3f476a |
+++ b/src/node_crypto.cc
|
|
|
f0ceb1 |
@@ -127,7 +127,11 @@ template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc);
|
|
|
3f476a |
template void SSLWrap<TLSWrap>::MemoryInfo(MemoryTracker* tracker) const;
|
|
|
3f476a |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback(
|
|
|
3f476a |
SSL* s,
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ unsigned char *key,
|
|
|
3f476a |
+#else
|
|
|
3f476a |
const unsigned char* key,
|
|
|
3f476a |
+#endif
|
|
|
3f476a |
int len,
|
|
|
3f476a |
int* copy);
|
|
|
3f476a |
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s,
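Review bot: The legacy declaration at `+ unsigned char *key,` puts the asterisk on the identifier, while the surrounding parameters (`SSL* s`, `const unsigned char* key`) and the same `#if OPENSSL_IS_LEGACY` block in the header and in the definition hunk write `unsigned char* key`; change it to `unsigned char* key,` so the three copies of this signature are textually identical. This is an explicit instantiation, so its parameter types must match the template definition exactly under both OpenSSL versions; they do here, but identical spelling makes any future drift visible with a plain grep. The `NewSessionCallback` instantiation on the hunk's last line continues past the hunk.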
|
|
|
f0ceb1 |
@@ -1769,7 +1773,11 @@ void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) {
|
|
|
3f476a |
|
|
|
3f476a |
template <class Base>
|
|
|
3f476a |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s,
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ unsigned char* key,
|
|
|
3f476a |
+#else
|
|
|
3f476a |
const unsigned char* key,
|
|
|
3f476a |
+#endif
|
|
|
3f476a |
int len,
|
|
|
3f476a |
int* copy) {
|
|
|
3f476a |
Base* w = static_cast<Base*>(SSL_get_app_data(s));
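Review bot: The four-line `#if OPENSSL_IS_LEGACY` switch on `key` now appears verbatim in the declaration, in this definition and in the explicit instantiation, and all three must stay in lockstep or the definition stops matching its declaration under one of the two OpenSSL versions. A single alias in node_crypto.h, `using SessionKeyPtr = unsigned char*;` in the legacy branch and `using SessionKeyPtr = const unsigned char*;` otherwise, lets every site read `SessionKeyPtr key,` with no conditional compilation where the signature is spelled out. In the legacy build `key` is a mutable pointer into a buffer owned by OpenSSL; the body of `GetSessionCallback` continues past this hunk, so I could not confirm that nothing writes through it, which is worth a glance before merging.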
|
|
|
f0ceb1 |
@@ -5898,9 +5906,23 @@ struct PBKDF2Job : public CryptoJob {
|
|
|
3f476a |
}
|
|
|
3f476a |
|
|
|
3f476a |
inline void DoThreadPoolWork() override {
|
|
|
3f476a |
- auto salt_data = reinterpret_cast<const unsigned char*>(salt.data());
|
|
|
3f476a |
+ static const char * const empty = "";
|
|
|
3f476a |
+
|
|
|
3f476a |
+ auto pass_data = reinterpret_cast<const char *>(empty);
|
|
|
3f476a |
+ auto pass_size = int(0);
|
|
|
3f476a |
+ auto salt_data = reinterpret_cast<const unsigned char *>(empty);
|
|
|
3f476a |
+ auto salt_size = int(0);
|
|
|
3f476a |
+
|
|
|
3f476a |
+ if (pass.size() > 0) {
|
|
|
3f476a |
+ pass_data = pass.data(), pass_size = pass.size();
|
|
|
3f476a |
+ }
|
|
|
3f476a |
+ if (salt.size() > 0) {
|
|
|
3f476a |
+ salt_data = reinterpret_cast<const unsigned char *>(salt.data());
|
|
|
3f476a |
+ salt_size = salt.size();
|
|
|
3f476a |
+ }
|
|
|
3f476a |
+
|
|
|
3f476a |
const bool ok =
|
|
|
3f476a |
- PKCS5_PBKDF2_HMAC(pass.data(), pass.size(), salt_data, salt.size(),
|
|
|
3f476a |
+ PKCS5_PBKDF2_HMAC(pass_data, pass_size, salt_data, salt_size,
|
|
|
3f476a |
iteration_count, digest, keybuf_size, keybuf_data);
|
|
|
3f476a |
success = Just(ok);
|
|
|
3f476a |
Cleanse();
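Review bot: The fallback to a static empty string in `DoThreadPoolWork` carries no comment saying why it exists, so under OpenSSL 1.1+ it reads as a no-op that a later cleanup could remove; above `static const char * const empty = "";` I would add `// OpenSSL 1.0 may treat a NULL pass/salt differently from an empty one, and data() of an empty container can be nullptr; hand it a valid zero-length buffer instead (confirm against the 1.0 PKCS5_PBKDF2_HMAC source).` The line `pass_data = pass.data(), pass_size = pass.size();` uses the comma operator where the salt branch right below uses two statements; write both branches the same way. `reinterpret_cast<const char *>(empty)` casts a `const char*` to its own type and can be plain `empty`. The `size_t`-to-`int` narrowing in `pass_size = pass.size()` predates this patch, but now that it is an explicit assignment this is the natural place for a range check if one is wanted. The enclosing `PBKDF2Job` struct begins before this hunk.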
|
|
|
3f476a |
diff --git a/src/node_crypto.h b/src/node_crypto.h
|
|
|
3f476a |
index d46730c9ba..dbc46fbec8 100644
|
|
|
3f476a |
--- a/src/node_crypto.h
|
|
|
3f476a |
+++ b/src/node_crypto.h
|
|
|
3f476a |
@@ -235,7 +235,11 @@ class SSLWrap {
|
|
|
3f476a |
static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t);
|
|
|
3f476a |
|
|
|
3f476a |
static SSL_SESSION* GetSessionCallback(SSL* s,
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ unsigned char* key,
|
|
|
3f476a |
+#else // OPENSSL_IS_LEGACY
|
|
|
3f476a |
const unsigned char* key,
|
|
|
3f476a |
+#endif // OPENSSL_IS_LEGACY
|
|
|
3f476a |
int len,
|
|
|
3f476a |
int* copy);
|
|
|
3f476a |
static int NewSessionCallback(SSL* s, SSL_SESSION* sess);
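Review bot: `OPENSSL_IS_LEGACY` is tested with `#if` here and in three other files, but nothing in this patch defines it; unless it comes from the build flags or an earlier part of this header (not visible here), an undefined identifier in `#if` evaluates to 0 and silently selects the OpenSSL 1.1 signature, so a 1.0 build fails on a confusing const-mismatch error instead of a clear one. Define it once in this header next to the OpenSSL includes from the version macro, `#define OPENSSL_IS_LEGACY (OPENSSL_VERSION_NUMBER < 0x10100000L)`, or switch every test to `#ifdef` if the build system is meant to be the source. The `#else // OPENSSL_IS_LEGACY` trailing comments used here are absent from the same blocks in node_crypto.cc; pick one form for all four files. The enclosing `class SSLWrap` begins before this hunk.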
|
|
|
3f476a |
diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc
|
|
|
3f476a |
index 8c58e31f86..319580c9b6 100644
|
|
|
3f476a |
--- a/src/node_crypto_bio.cc
|
|
|
3f476a |
+++ b/src/node_crypto_bio.cc
|
|
|
3f476a |
@@ -32,7 +32,11 @@ namespace node {
|
|
|
3f476a |
namespace crypto {
|
|
|
3f476a |
|
|
|
3f476a |
BIOPointer NodeBIO::New(Environment* env) {
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ BIOPointer bio(BIO_new(const_cast<BIO_METHOD *>(GetMethod())));
|
|
|
3f476a |
+#else
|
|
|
3f476a |
BIOPointer bio(BIO_new(GetMethod()));
|
|
|
3f476a |
+#endif
|
|
|
3f476a |
if (bio && env != nullptr)
|
|
|
3f476a |
NodeBIO::FromBIO(bio.get())->env_ = env;
|
|
|
3f476a |
return bio;
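Review bot: The `const_cast<BIO_METHOD *>(GetMethod())` has no in-code justification, so the reasoning from the commit message (OpenSSL 1.0 declares `BIO_new` with a non-const method pointer but does not need to write through it) lives only in git history; put it above the call as `// OpenSSL 1.0 declares BIO_new(BIO_METHOD*) without const; it only stores and reads the pointer, so the cast is safe as long as nothing writes through it.` Casting away const is undefined behaviour only when the object is then modified and was defined `const`, so the comment should also state whether the object `GetMethod()` returns is defined `const` — if it is, any future write through the legacy `BIO` would be UB rather than an ordinary mutation. Independently of the cast, the legacy `BIO` keeps the raw method pointer for its whole lifetime, so `GetMethod()` must return storage that outlives every BIO created here; that presumably already holds, but deserves a word in the same comment. `NodeBIO::New` closes after this hunk.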
|
|
|
3f476a |
diff --git a/src/node_crypto_common.cc b/src/node_crypto_common.cc
|
|
|
3f476a |
index 6473b652ac..da1033fdef 100644
|
|
|
3f476a |
--- a/src/node_crypto_common.cc
|
|
|
3f476a |
+++ b/src/node_crypto_common.cc
|
|
|
3f476a |
@@ -405,7 +405,15 @@ MaybeLocal<Value> GetCipherStandardName(
|
|
|
3f476a |
}
|
|
|
3f476a |
|
|
|
3f476a |
MaybeLocal<Value> GetCipherVersion(Environment* env, const SSL_CIPHER* cipher) {
|
|
|
3f476a |
- return GetCipherValue(env, cipher, SSL_CIPHER_get_version);
|
|
|
3f476a |
+#if OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ auto get_version = [](const SSL_CIPHER *cipher){
|
|
|
3f476a |
+ return const_cast<const char *>(SSL_CIPHER_get_version(cipher));
|
|
|
3f476a |
+ };
|
|
|
3f476a |
+#else // OPENSSL_IS_LEGACY
|
|
|
3f476a |
+ auto get_version = SSL_CIPHER_get_version;
|
|
|
3f476a |
+#endif // OPENSSL_IS_LEGACY
|
|
|
3f476a |
+
|
|
|
3f476a |
+ return GetCipherValue(env, cipher, get_version);
|
|
|
3f476a |
}
|
|
|
3f476a |
|
|
|
3f476a |
StackOfX509 CloneSSLCerts(X509Pointer&& cert,
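Review bot: In the legacy branch the lambda's parameter `cipher` shadows the function parameter `cipher` declared on the `GetCipherVersion` line, which trips `-Wshadow`, and `const_cast<const char *>` is used only to add `const`, which an implicit conversion already does; write it as `auto get_version = [](const SSL_CIPHER* c) -> const char* { return SSL_CIPHER_get_version(c); };` so `const_cast` stays reserved for places that actually strip qualifiers. A capture-less lambda converts to a plain function pointer, so this still works if `GetCipherValue` takes `const char* (*)(const SSL_CIPHER*)` as the modern branch suggests; its signature is not in the hunk, so confirm. `CloneSSLCerts` on the last line is only context and continues past the hunk.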
|
|
|
3f476a |
--
2.31.1