Attachment 612078 Details for Bug 613344 – experimental libressl patch

[patch] experimental libressl patch

node-v13.4.0-libressl-experimental.patch (text/plain), 16.10 KB, created by Sandino Araico Sanchez on 2020-02-06 12:21:28 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Sandino Araico Sanchez

Created: 2020-02-06 12:21:28 UTC

Size: 16.10 KB

patch

obsolete

>Only in node-v13.4.0.orig: .BUILDING.md.swp
>Only in node-v13.4.0/deps/v8/third_party/inspector_protocol: __pycache__
>Only in node-v13.4.0/deps/v8/third_party/jinja2: __pycache__
>Only in node-v13.4.0/deps/v8/third_party/markupsafe: __pycache__
>Only in node-v13.4.0/out: Debug
>Only in node-v13.4.0.orig/out: Makefile
>Only in node-v13.4.0/out: Release
>Only in node-v13.4.0/src: .node.cc.swp
>Only in node-v13.4.0/src: .node.h.swp
>Only in node-v13.4.0/src: .node_crypto.cc.swp
>Only in node-v13.4.0/src: .node_crypto.h.swp
>Only in node-v13.4.0/src: .node_crypto_bio.cc.swp
>Only in node-v13.4.0/src: .tls_wrap.cc.swp
>diff -uri node-v13.4.0.orig/src/node_crypto.cc node-v13.4.0/src/node_crypto.cc
>--- node-v13.4.0.orig/src/node_crypto.cc	2019-12-17 01:41:03.000000000 -0600
>+++ node-v13.4.0/src/node_crypto.cc	2020-02-01 06:13:53.000000000 -0600
>@@ -104,7 +104,7 @@
> using v8::Undefined;
> using v8::Value;
> 
>-#ifdef OPENSSL_NO_OCB
>+#if defined (OPENSSL_NO_OCB) || defined (LIBRESSL_VERSION_NUMBER)
> # define IS_OCB_MODE(mode) false
> #else
> # define IS_OCB_MODE(mode) ((mode) == EVP_CIPH_OCB_MODE)
>@@ -539,7 +539,15 @@
> 
> // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
> // Node.js doesn't, so pin the max to what we do support.
>+#if defined (LIBRESSL_VERSION_NUMBER) 
>+#if defined (LIBRESSL_HAS_TLS1_3)
> const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
>+#else
>+const int MAX_SUPPORTED_VERSION = TLS1_2_VERSION;
>+#endif
>+#else
>+const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
>+#endif
> 
> void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
>   SecureContext* sc;
>@@ -760,11 +768,13 @@
> 
>   const node::Utf8Value sigalgs(env->isolate(), args[0]);
> 
>+#ifndef LIBRESSL_VERSION_NUMBER
>   int rv = SSL_CTX_set1_sigalgs_list(sc->ctx_.get(), *sigalgs);
> 
>   if (rv == 0) {
>     return ThrowCryptoError(env, ERR_get_error());
>   }
>+#endif
> }
> 
> #ifndef OPENSSL_NO_ENGINE
>@@ -1181,6 +1191,9 @@
>   CHECK(args[0]->IsString());
> 
>   const node::Utf8Value ciphers(args.GetIsolate(), args[0]);
>+#ifdef LIBRESSL_VERSION_NUMBER
>+      return env->ThrowError("SSL_CTX_set_ciphersuites not supported in libressl");
>+#else
>   if (!SSL_CTX_set_ciphersuites(sc->ctx_.get(), *ciphers)) {
>     unsigned long err = ERR_get_error();  // NOLINT(runtime/int)
>     if (!err) {
>@@ -1190,6 +1203,7 @@
>     return ThrowCryptoError(env, err);
>   }
> #endif
>+#endif
> }
> 
> 
>@@ -2078,6 +2092,7 @@
>     info->Set(env->context(), env->pubkey_string(), pubbuff).Check();
>   } else if (ec) {
>     const EC_GROUP* group = EC_KEY_get0_group(ec.get());
>+#ifndef LIBRESSL_VERSION_NUMBER
>     if (group != nullptr) {
>       int bits = EC_GROUP_order_bits(group);
>       if (bits > 0) {
>@@ -2085,6 +2100,7 @@
>                   Integer::New(env->isolate(), bits)).Check();
>       }
>     }
>+#endif
> 
>     const EC_POINT* pubkey = EC_KEY_get0_public_key(ec.get());
>     Local<Object> buf;
>@@ -2473,6 +2489,9 @@
> 
> template <class Base>
> void SSLWrap<Base>::GetTLSTicket(const FunctionCallbackInfo<Value>& args) {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  return;
>+#else  
>   Base* w;
>   ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder());
>   Environment* env = w->ssl_env();
>@@ -2492,6 +2511,7 @@
>       env, reinterpret_cast<const char*>(ticket), length).ToLocalChecked();
> 
>   args.GetReturnValue().Set(buff);
>+#endif
> }
> 
> 
>@@ -2685,7 +2705,11 @@
>   const char* cipher_name = SSL_CIPHER_get_name(c);
>   info->Set(context, env->name_string(),
>             OneByteString(args.GetIsolate(), cipher_name)).Check();
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  const char* cipher_standard_name = "(NONE)";
>+#else
>   const char* cipher_standard_name = SSL_CIPHER_standard_name(c);
>+#endif
>   info->Set(context, env->standard_name_string(),
>             OneByteString(args.GetIsolate(), cipher_standard_name)).Check();
>   const char* cipher_version = SSL_CIPHER_get_version(c);
>@@ -2702,8 +2726,12 @@
>   Environment* env = w->ssl_env();
> 
>   SSL* ssl = w->ssl_.get();
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  int nsig = 0;
>+#else
>   int nsig = SSL_get_shared_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr,
>                                     nullptr);
>+#endif
>   MaybeStackBuffer<Local<Value>, 16> ret_arr(nsig);
> 
>   for (int i = 0; i < nsig; i++) {
>@@ -2711,8 +2739,10 @@
>     int sign_nid;
>     std::string sig_with_md;
> 
>+#ifndef LIBRESSL_VERSION_NUMBER
>     SSL_get_shared_sigalgs(ssl, i, &sign_nid, &hash_nid, nullptr, nullptr,
>                            nullptr);
>+#endif
> 
>     switch (sign_nid) {
>       case EVP_PKEY_RSA:
>@@ -2959,7 +2989,11 @@
>     info->Set(context, env->servername_string(), str).Check();
>   }
> 
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  const bool ocsp = false;
>+#else
>   const bool ocsp = (SSL_get_tlsext_status_type(s) == TLSEXT_STATUSTYPE_ocsp);
>+#endif
>   info->Set(context, env->ocsp_request_string(),
>             Boolean::New(env->isolate(), ocsp)).Check();
> 
>@@ -3001,7 +3035,11 @@
> 
>     // NOTE: reference count is not increased by this API methods
>     X509* x509 = SSL_CTX_get0_certificate(sc->ctx_.get());
>+#ifdef LIBRESSL_VERSION_NUMBER
>+    EVP_PKEY* pkey = NULL;
>+#else    
>     EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_.get());
>+#endif
>     STACK_OF(X509)* chain;
> 
>     rv = SSL_CTX_get0_chain_certs(sc->ctx_.get(), &chain);
>@@ -3055,6 +3093,9 @@
> 
> template <class Base>
> int SSLWrap<Base>::SetCACerts(SecureContext* sc) {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  return 0;
>+#else
>   int err = SSL_set1_verify_cert_store(ssl_.get(),
>                                        SSL_CTX_get_cert_store(sc->ctx_.get()));
>   if (err != 1)
>@@ -3066,6 +3107,7 @@
>   // NOTE: `SSL_set_client_CA_list` takes the ownership of `list`
>   SSL_set_client_CA_list(ssl_.get(), list);
>   return 1;
>+#endif
> }
> 
> template <class Base>
>@@ -3133,7 +3175,12 @@
>   // OpenSSL might modify the pointer, so we need to make a copy before parsing.
>   const unsigned char* p = der_data;
>   pkey->reset(parse(&p, der_len));
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  OPENSSL_cleanse(der_data, der_len);
>+  OPENSSL_free(der_data);
>+#else 
>   OPENSSL_clear_free(der_data, der_len);
>+#endif
> 
>   return *pkey ? ParseKeyResult::kParseKeyOk :
>                  ParseKeyResult::kParseKeyFailed;
>@@ -3375,12 +3422,22 @@
> }
> 
> ByteSource::~ByteSource() {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  OPENSSL_cleanse(allocated_data_, size_);
>+  OPENSSL_free(allocated_data_);
>+#else 
>   OPENSSL_clear_free(allocated_data_, size_);
>+#endif
> }
> 
> ByteSource& ByteSource::operator=(ByteSource&& other) {
>   if (&other != this) {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+    OPENSSL_cleanse(allocated_data_, size_);
>+    OPENSSL_free(allocated_data_);
>+#else 
>     OPENSSL_clear_free(allocated_data_, size_);
>+#endif
>     data_ = other.data_;
>     allocated_data_ = other.allocated_data_;
>     other.allocated_data_ = nullptr;
>@@ -3864,7 +3921,12 @@
>   abv->CopyContents(mem, key_len);
>   this->symmetric_key_ = std::unique_ptr<char, std::function<void(char*)>>(mem,
>       [key_len](char* p) {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+        OPENSSL_cleanse(p, key_len);
>+        OPENSSL_free(p);
>+#else 
>         OPENSSL_clear_free(p, key_len);
>+#endif
>       });
>   this->symmetric_key_len_ = key_len;
> }
>@@ -4840,8 +4902,12 @@
>       ret = EVP_DigestFinal_ex(hash->mdctx_.get(), hash->md_value_,
>                                &hash->md_len_);
>     } else {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+      ret = 0;
>+#else
>       ret = EVP_DigestFinalXOF(hash->mdctx_.get(), hash->md_value_,
>                                hash->md_len_);
>+#endif
>     }
> 
>     if (ret != 1) {
>@@ -5019,11 +5085,15 @@
>   if (base_id == EVP_PKEY_DSA) {
>     DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get());
>     // Both r and s are computed mod q, so their width is limited by that of q.
>+#ifdef LIBRESSL_VERSION_NUMBER
>+    bits = BN_num_bits(dsa_key->q);
>+#else
>     bits = BN_num_bits(DSA_get0_q(dsa_key));
>   } else if (base_id == EVP_PKEY_EC) {
>     EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
>     const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
>     bits = EC_GROUP_order_bits(ec_group);
>+#endif
>   } else {
>     return kNoDsaSignature;
>   }
>@@ -5048,8 +5118,14 @@
>   AllocatedBuffer buf = env->AllocateManaged(2 * n);
>   unsigned char* data = reinterpret_cast<unsigned char*>(buf.data());
> 
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  const ECDSA_SIG* sig = asn1_sig.get();
>+  const BIGNUM* r = sig->r;
>+  const BIGNUM* s = sig->s;
>+#else
>   const BIGNUM* r = ECDSA_SIG_get0_r(asn1_sig.get());
>   const BIGNUM* s = ECDSA_SIG_get0_s(asn1_sig.get());
>+#endif
>   CHECK_EQ(n, static_cast<unsigned int>(BN_bn2binpad(r, data, n)));
>   CHECK_EQ(n, static_cast<unsigned int>(BN_bn2binpad(s, data + n, n)));
> 
>@@ -5262,10 +5338,22 @@
>   const unsigned char* input =
>     reinterpret_cast<const unsigned char*>(data.data());
>   size_t sig_len;
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  if (!EVP_DigestSignFinal(mdctx.get(), nullptr, &sig_len))
>+    return CheckThrow(env, SignBase::Error::kSignPrivateKey);
>+#else
>   if (!EVP_DigestSign(mdctx.get(), nullptr, &sig_len, input, data.length()))
>     return CheckThrow(env, SignBase::Error::kSignPrivateKey);
>+#endif
> 
>   AllocatedBuffer signature = env->AllocateManaged(sig_len);
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  if (!EVP_DigestSignFinal(mdctx.get(),
>+                      reinterpret_cast<unsigned char*>(signature.data()),
>+                      &sig_len)) {
>+    return CheckThrow(env, SignBase::Error::kSignPrivateKey);
>+  }
>+#else
>   if (!EVP_DigestSign(mdctx.get(),
>                       reinterpret_cast<unsigned char*>(signature.data()),
>                       &sig_len,
>@@ -5273,6 +5361,7 @@
>                       data.length())) {
>     return CheckThrow(env, SignBase::Error::kSignPrivateKey);
>   }
>+#endif
> 
>   signature.Resize(sig_len);
> 
>@@ -5461,12 +5550,19 @@
>   }
> 
>   bool verify_result;
>+#ifdef LIBRESSL_VERSION_NUMBER
>+  const int r = EVP_DigestVerifyFinal(
>+    mdctx.get(),
>+    reinterpret_cast<const unsigned char*>(sig_bytes.get()),
>+    sig_bytes.size());
>+#else
>   const int r = EVP_DigestVerify(
>     mdctx.get(),
>     reinterpret_cast<const unsigned char*>(sig_bytes.get()),
>     sig_bytes.size(),
>     reinterpret_cast<const unsigned char*>(data.data()),
>     data.length());
>+#endif
>   switch (r) {
>     case 1:
>       verify_result = true;
>@@ -6350,7 +6446,7 @@
> }
> 
> 
>-#ifndef OPENSSL_NO_SCRYPT
>+#if !( defined(OPENSSL_NO_SCRYPT) || defined(LIBRESSL_VERSION_NUMBER) )
> struct ScryptJob : public CryptoJob {
>   unsigned char* keybuf_data;
>   size_t keybuf_size;
>@@ -7098,7 +7194,7 @@
> }
> 
> void InitCryptoOnce() {
>-#ifndef OPENSSL_IS_BORINGSSL
>+#if !( defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER) )
>   OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new();
> 
>   // --openssl-config=...
>@@ -7278,7 +7374,7 @@
>                  PublicKeyCipher::Cipher<PublicKeyCipher::kPublic,
>                                          EVP_PKEY_verify_recover_init,
>                                          EVP_PKEY_verify_recover>);
>-#ifndef OPENSSL_NO_SCRYPT
>+#if !( defined(OPENSSL_NO_SCRYPT) || defined(LIBRESSL_VERSION_NUMBER) )
>   env->SetMethod(target, "scrypt", Scrypt);
> #endif  // OPENSSL_NO_SCRYPT
> }
>diff -uri node-v13.4.0.orig/src/node_crypto.h node-v13.4.0/src/node_crypto.h
>--- node-v13.4.0.orig/src/node_crypto.h	2019-12-17 01:41:03.000000000 -0600
>+++ node-v13.4.0/src/node_crypto.h	2020-02-01 06:10:05.000000000 -0600
>@@ -40,6 +40,69 @@
> #include <openssl/ec.h>
> #include <openssl/rsa.h>
> 
>+/* 
>+ * libressl compat 
>+ */ 
>+#ifdef LIBRESSL_VERSION_NUMBER
>+/* defines from opnssl's crypto.h */
>+# define OPENSSL_memdup(str, s) \
>+        BUF_memdup(str, s)
>+/* defines from opnssl's err.h */
>+# define ERR_LIB_OSSL_STORE      44
>+# define ERR_LIB_CT              50
>+# define ERR_LIB_ASYNC           51
>+# define ERR_LIB_KDF             52
>+# define ERR_LIB_SM2             53
>+/* defines from openssl's evp.h */
>+# define EVP_PKEY_X25519 NID_X25519
>+# define EVP_PKEY_X448 NID_X448
>+# define EVP_PKEY_RSA_PSS NID_rsassaPss
>+# define EVP_PKEY_ED25519 NID_ED25519
>+# define EVP_PKEY_ED448 NID_ED448
>+# define         EVP_CTRL_AEAD_SET_IVLEN         0x9
>+# define         EVP_CTRL_AEAD_SET_TAG           0x11
>+#  define EVP_MD_FLAG_XOF         0x0002
>+# define         EVP_CTRL_CCM_GET_TAG            EVP_CTRL_AEAD_GET_TAG
>+# define         EVP_CTRL_AEAD_GET_TAG           0x10
>+/* defines from openssl's evperr.h */
>+# define EVP_F_EVP_DIGESTFINALXOF                         174
>+# define EVP_R_NOT_XOF_OR_INVALID_LENGTH                  178
>+/* defines from openssl's obj_mac.h */
>+#define NID_ED25519             1087
>+#define NID_ED448               1088
>+#define NID_id_GostR3410_2012_256               979
>+#define NID_id_GostR3410_2012_512               980
>+/* defines from openssl's rsa.h */
>+# define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, len) \
>+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
>+                          EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL)
>+
>+# define  EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \
>+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \
>+                          EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md))
>+
>+# define  EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \
>+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,  \
>+                          EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md))
>+
>+# define  EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \
>+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT,  \
>+                          EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l))
>+
>+# define  EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \
>+        EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS,  \
>+                          EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_MD,  \
>+                          0, (void *)(md))
>+
>+# define EVP_PKEY_CTRL_RSA_OAEP_MD       (EVP_PKEY_ALG_CTRL + 9)
>+# define EVP_PKEY_CTRL_RSA_OAEP_LABEL    (EVP_PKEY_ALG_CTRL + 10)
>+/* defines from opnssl's bn.h */
>+# define BN_bn2binpad(a, to, n) \
>+		BN_bn2bin(a, to)
>+/* defines from opnssl's ec.h */
>+# define OPENSSL_EC_EXPLICIT_CURVE  0x000
>+#endif
>+
> namespace node {
> namespace crypto {
> 
>@@ -618,8 +681,14 @@
>   }
> 
>   ~Hash() override {
>-    if (md_value_ != nullptr)
>-      OPENSSL_clear_free(md_value_, md_len_);
>+    if (md_value_ != nullptr) {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+		OPENSSL_cleanse(md_value_, md_len_);
>+		OPENSSL_free(md_value_);
>+#else 
>+      	OPENSSL_clear_free(md_value_, md_len_);
>+#endif
>+	}
>   }
> 
>  private:
>diff -uri node-v13.4.0.orig/src/node_crypto_bio.cc node-v13.4.0/src/node_crypto_bio.cc
>--- node-v13.4.0.orig/src/node_crypto_bio.cc	2019-12-17 01:41:03.000000000 -0600
>+++ node-v13.4.0/src/node_crypto_bio.cc	2020-02-01 06:19:31.000000000 -0600
>@@ -65,7 +65,11 @@
>     return 0;
> 
>   if (BIO_get_shutdown(bio)) {
>+#ifdef LIBRESSL_VERSION_NUMBER
>+    if (bio->init && BIO_get_data(bio) != nullptr) {
>+#else
>     if (BIO_get_init(bio) && BIO_get_data(bio) != nullptr) {
>+#endif
>       delete FromBIO(bio);
>       BIO_set_data(bio, nullptr);
>     }
>diff -uri node-v13.4.0.orig/src/tls_wrap.cc node-v13.4.0/src/tls_wrap.cc
>--- node-v13.4.0.orig/src/tls_wrap.cc	2019-12-17 01:41:03.000000000 -0600
>+++ node-v13.4.0/src/tls_wrap.cc	2020-02-04 05:06:18.000000000 -0600
>@@ -140,7 +140,11 @@
> 
>   ConfigureSecureContext(sc_);
> 
>+#ifdef LIBRESSL_VERSION_NUMBER
>+/* FIXME: cert callback not implemented in libressl */
>+#else
>   SSL_set_cert_cb(ssl_.get(), SSLWrap<TLSWrap>::SSLCertCallback, this);
>+#endif
> 
>   if (is_server()) {
>     SSL_set_accept_state(ssl_.get());
>@@ -916,8 +920,12 @@
>   TLSWrap* wrap;
>   ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
>   CHECK_NOT_NULL(wrap->sc_);
>+#ifdef LIBRESSL_VERSION_NUMBER
>+/* FIXME: keylog_callback not implemented in libressl */
>+#else
>   SSL_CTX_set_keylog_callback(wrap->sc_->ctx_.get(),
>       SSLWrap<TLSWrap>::KeylogCallback);
>+#endif
> }
> 
> // Check required capabilities were not excluded from the OpenSSL build:
>@@ -935,7 +943,8 @@
>   TLSWrap* wrap;
>   ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder());
> 
>-#if HAVE_SSL_TRACE
>+#ifndef LIBRESSL_VERSION_NUMBER
>+#if HAVE_SSL_TRACE 
>   if (wrap->ssl_) {
>     wrap->bio_trace_.reset(BIO_new_fp(stderr,  BIO_NOCLOSE | BIO_FP_TEXT));
>     SSL_set_msg_callback(wrap->ssl_.get(), [](int write_p, int version, int
>@@ -952,6 +961,7 @@
>     SSL_set_msg_callback_arg(wrap->ssl_.get(), wrap->bio_trace_.get());
>   }
> #endif
>+#endif
> }
> 
> void TLSWrap::DestroySSL(const FunctionCallbackInfo<Value>& args) {
>Only in node-v13.4.0.orig/test/parallel: test-stdout-close-unref.js

Actions: View | Diff

Attachments on bug 613344: 543960 | 610150 | 612078