Only in node-v13.4.0.orig: .BUILDING.md.swp Only in node-v13.4.0/deps/v8/third_party/inspector_protocol: __pycache__ Only in node-v13.4.0/deps/v8/third_party/jinja2: __pycache__ Only in node-v13.4.0/deps/v8/third_party/markupsafe: __pycache__ Only in node-v13.4.0/out: Debug Only in node-v13.4.0.orig/out: Makefile Only in node-v13.4.0/out: Release Only in node-v13.4.0/src: .node.cc.swp Only in node-v13.4.0/src: .node.h.swp Only in node-v13.4.0/src: .node_crypto.cc.swp Only in node-v13.4.0/src: .node_crypto.h.swp Only in node-v13.4.0/src: .node_crypto_bio.cc.swp Only in node-v13.4.0/src: .tls_wrap.cc.swp diff -uri node-v13.4.0.orig/src/node_crypto.cc node-v13.4.0/src/node_crypto.cc --- node-v13.4.0.orig/src/node_crypto.cc 2019-12-17 01:41:03.000000000 -0600 +++ node-v13.4.0/src/node_crypto.cc 2020-02-01 06:13:53.000000000 -0600 @@ -104,7 +104,7 @@ using v8::Undefined; using v8::Value; -#ifdef OPENSSL_NO_OCB +#if defined (OPENSSL_NO_OCB) || defined (LIBRESSL_VERSION_NUMBER) # define IS_OCB_MODE(mode) false #else # define IS_OCB_MODE(mode) ((mode) == EVP_CIPH_OCB_MODE) @@ -539,7 +539,15 @@ // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that // Node.js doesn't, so pin the max to what we do support. +#if defined (LIBRESSL_VERSION_NUMBER) +#if defined (LIBRESSL_HAS_TLS1_3) const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION; +#else +const int MAX_SUPPORTED_VERSION = TLS1_2_VERSION; +#endif +#else +const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION; +#endif void SecureContext::Init(const FunctionCallbackInfo& args) { SecureContext* sc; @@ -760,11 +768,13 @@ const node::Utf8Value sigalgs(env->isolate(), args[0]); +#ifndef LIBRESSL_VERSION_NUMBER int rv = SSL_CTX_set1_sigalgs_list(sc->ctx_.get(), *sigalgs); if (rv == 0) { return ThrowCryptoError(env, ERR_get_error()); } +#endif } #ifndef OPENSSL_NO_ENGINE 
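Review bot: The nested `#if defined (LIBRESSL_VERSION_NUMBER)` / `#if defined (LIBRESSL_HAS_TLS1_3)` block around MAX_SUPPORTED_VERSION in the `@@ -539` hunk spells the TLS1_3_VERSION definition out twice; a single test reads more directly, `#if defined(LIBRESSL_VERSION_NUMBER) && !defined(LIBRESSL_HAS_TLS1_3)` selecting `TLS1_2_VERSION`, with the original `TLS1_3_VERSION` line as the sole `#else` arm. The comment above it explains the pin as "what we do support", so it is worth adding one clause that a LibreSSL without LIBRESSL_HAS_TLS1_3 is pinned to TLS 1.2 for the same reason, otherwise the next reader has to rediscover why two library checks sit there.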
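Review bot: Under LibreSSL the `#ifndef LIBRESSL_VERSION_NUMBER` around `SSL_CTX_set1_sigalgs_list` in the `@@ -760` hunk turns a caller-supplied `sigalgs` string into a silent no-op: the value is accepted, `sigalgs` is never read, and no error is raised, so a deployment that restricts signature algorithms for hardening gets neither the restriction nor any indication that it was dropped. The later ciphersuites hunk already sets the pattern for an unsupported call, so this branch should do the same, `#ifdef LIBRESSL_VERSION_NUMBER` / `return env->ThrowError("SSL_CTX_set1_sigalgs_list not supported in libressl");` / `#else`, keeping the existing call and its error check in the `#else` arm. The enclosing function starts before this hunk.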
@@ -1181,6 +1191,9 @@ CHECK(args[0]->IsString()); const node::Utf8Value ciphers(args.GetIsolate(), args[0]); +#ifdef LIBRESSL_VERSION_NUMBER + return env->ThrowError("SSL_CTX_set_ciphersuites not supported in libressl"); +#else if (!SSL_CTX_set_ciphersuites(sc->ctx_.get(), *ciphers)) { unsigned long err = ERR_get_error(); // NOLINT(runtime/int) if (!err) { @@ -1190,6 +1203,7 @@ return ThrowCryptoError(env, err); } #endif +#endif } @@ -2078,6 +2092,7 @@ info->Set(env->context(), env->pubkey_string(), pubbuff).Check(); } else if (ec) { const EC_GROUP* group = EC_KEY_get0_group(ec.get()); +#ifndef LIBRESSL_VERSION_NUMBER if (group != nullptr) { int bits = EC_GROUP_order_bits(group); if (bits > 0) { @@ -2085,6 +2100,7 @@ Integer::New(env->isolate(), bits)).Check(); } } +#endif const EC_POINT* pubkey = EC_KEY_get0_public_key(ec.get()); Local buf; @@ -2473,6 +2489,9 @@ template void SSLWrap::GetTLSTicket(const FunctionCallbackInfo& args) { +#ifdef LIBRESSL_VERSION_NUMBER + return; +#else Base* w; ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder()); Environment* env = w->ssl_env(); @@ -2492,6 +2511,7 @@ env, reinterpret_cast(ticket), length).ToLocalChecked(); args.GetReturnValue().Set(buff); +#endif } @@ -2685,7 +2705,11 @@ const char* cipher_name = SSL_CIPHER_get_name(c); info->Set(context, env->name_string(), OneByteString(args.GetIsolate(), cipher_name)).Check(); +#ifdef LIBRESSL_VERSION_NUMBER + const char* cipher_standard_name = "(NONE)"; +#else const char* cipher_standard_name = SSL_CIPHER_standard_name(c); +#endif info->Set(context, env->standard_name_string(), OneByteString(args.GetIsolate(), cipher_standard_name)).Check(); const char* cipher_version = SSL_CIPHER_get_version(c); 
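Review bot: Throwing from this function on every LibreSSL build is a behaviour change for callers that never asked for TLS 1.3 suites: the `#endif` at the bottom of the `@@ -1190` hunk appears to close a build-specific guard (BoringSSL, I believe) under which the whole function is a silent no-op, and if the JavaScript layer calls it with the default suite list on each secure-context creation (as I recall it does in this release — verify against the JS caller), every createSecureContext now fails. Unless the caller is patched as well, following that no-op precedent is the safer choice, or at least restrict the throw to a non-empty, non-default `ciphers` value so the error only surfaces when a user explicitly relies on the option. The function body starts before this hunk.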
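Review bot: Wrapping the `EC_GROUP_order_bits` block in `#ifndef LIBRESSL_VERSION_NUMBER` in the `@@ -2078` hunk silently drops the key-size entry from the certificate info for EC certificates, with nothing telling the consumer it is missing. If `EC_GROUP_order_bits` is what the target LibreSSL lacks, the width is still obtainable on the older API with `EC_GROUP_get_order(group, order, nullptr)` followed by `BN_num_bits(order)` on a `BN_new()`-allocated `order` (freed with `BN_free`), which keeps the field populated; the `@@ -5019` hunk later in this diff has the same gap and would use the same three calls. The enclosing function starts before and ends after this hunk.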
@@ -2702,8 +2726,12 @@ Environment* env = w->ssl_env(); SSL* ssl = w->ssl_.get(); +#ifdef LIBRESSL_VERSION_NUMBER + int nsig = 0; +#else int nsig = SSL_get_shared_sigalgs(ssl, 0, nullptr, nullptr, nullptr, nullptr, nullptr); +#endif MaybeStackBuffer, 16> ret_arr(nsig); for (int i = 0; i < nsig; i++) { @@ -2711,8 +2739,10 @@ int sign_nid; std::string sig_with_md; +#ifndef LIBRESSL_VERSION_NUMBER SSL_get_shared_sigalgs(ssl, i, &sign_nid, &hash_nid, nullptr, nullptr, nullptr); +#endif switch (sign_nid) { case EVP_PKEY_RSA: @@ -2959,7 +2989,11 @@ info->Set(context, env->servername_string(), str).Check(); } +#ifdef LIBRESSL_VERSION_NUMBER + const bool ocsp = false; +#else const bool ocsp = (SSL_get_tlsext_status_type(s) == TLSEXT_STATUSTYPE_ocsp); +#endif info->Set(context, env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp)).Check(); @@ -3001,7 +3035,11 @@ // NOTE: reference count is not increased by this API methods X509* x509 = SSL_CTX_get0_certificate(sc->ctx_.get()); +#ifdef LIBRESSL_VERSION_NUMBER + EVP_PKEY* pkey = NULL; +#else EVP_PKEY* pkey = SSL_CTX_get0_privatekey(sc->ctx_.get()); +#endif STACK_OF(X509)* chain; rv = SSL_CTX_get0_chain_certs(sc->ctx_.get(), &chain); @@ -3055,6 +3093,9 @@ template int SSLWrap::SetCACerts(SecureContext* sc) { +#ifdef LIBRESSL_VERSION_NUMBER + return 0; +#else int err = SSL_set1_verify_cert_store(ssl_.get(), SSL_CTX_get_cert_store(sc->ctx_.get())); if (err != 1) @@ -3066,6 +3107,7 @@ // NOTE: `SSL_set_client_CA_list` takes the ownership of `list` SSL_set_client_CA_list(ssl_.get(), list); return 1; +#endif } template @@ -3133,7 +3175,12 @@ // OpenSSL might modify the pointer, so we need to make a copy before parsing. const unsigned char* p = der_data; pkey->reset(parse(&p, der_len)); +#ifdef LIBRESSL_VERSION_NUMBER + OPENSSL_cleanse(der_data, der_len); + OPENSSL_free(der_data); +#else OPENSSL_clear_free(der_data, der_len); +#endif return *pkey ? ParseKeyResult::kParseKeyOk : ParseKeyResult::kParseKeyFailed; 
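Review bot: `SetCACerts` returning 0 under LibreSSL in the `@@ -3055` hunk is indistinguishable from the failure return the OpenSSL arm produces when `SSL_set1_verify_cert_store` fails, and more importantly the connection keeps whatever verify store its original SSL_CTX had rather than the store of the SecureContext passed in. If callers use this to switch trust anchors after selecting a different context (the SNI path seems the likely one — confirm), peers are then verified against the wrong CA set with no error to report it, which is a quiet weakening of certificate validation. At minimum a comment on the early return should state that the verify store and client CA list are not switched in this build, and since `SSL_set_client_CA_list` in the `#else` arm is an old API LibreSSL does provide, only the `SSL_set1_verify_cert_store` call needs excluding unless the lines between the two hunks depend on something else. The function's middle lies between the `@@ -3055` and `@@ -3066` hunks.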
@@ -3375,12 +3422,22 @@ } ByteSource::~ByteSource() { +#ifdef LIBRESSL_VERSION_NUMBER + OPENSSL_cleanse(allocated_data_, size_); + OPENSSL_free(allocated_data_); +#else OPENSSL_clear_free(allocated_data_, size_); +#endif } ByteSource& ByteSource::operator=(ByteSource&& other) { if (&other != this) { +#ifdef LIBRESSL_VERSION_NUMBER + OPENSSL_cleanse(allocated_data_, size_); + OPENSSL_free(allocated_data_); +#else OPENSSL_clear_free(allocated_data_, size_); +#endif data_ = other.data_; allocated_data_ = other.allocated_data_; other.allocated_data_ = nullptr; @@ -3864,7 +3921,12 @@ abv->CopyContents(mem, key_len); this->symmetric_key_ = std::unique_ptr>(mem, [key_len](char* p) { +#ifdef LIBRESSL_VERSION_NUMBER + OPENSSL_cleanse(p, key_len); + OPENSSL_free(p); +#else OPENSSL_clear_free(p, key_len); +#endif }); this->symmetric_key_len_ = key_len; } @@ -4840,8 +4902,12 @@ ret = EVP_DigestFinal_ex(hash->mdctx_.get(), hash->md_value_, &hash->md_len_); } else { +#ifdef LIBRESSL_VERSION_NUMBER + ret = 0; +#else ret = EVP_DigestFinalXOF(hash->mdctx_.get(), hash->md_value_, hash->md_len_); +#endif } if (ret != 1) { @@ -5019,11 +5085,15 @@ if (base_id == EVP_PKEY_DSA) { DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get()); // Both r and s are computed mod q, so their width is limited by that of q. +#ifdef LIBRESSL_VERSION_NUMBER + bits = BN_num_bits(dsa_key->q); +#else bits = BN_num_bits(DSA_get0_q(dsa_key)); } else if (base_id == EVP_PKEY_EC) { EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get()); const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key); bits = EC_GROUP_order_bits(ec_group); +#endif } else { return kNoDsaSignature; } 
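Review bot: The `OPENSSL_cleanse` + `OPENSSL_free` pair that replaces `OPENSSL_clear_free` in `ByteSource::~ByteSource` and `ByteSource::operator=` loses the NULL tolerance `OPENSSL_clear_free` has: the move-assignment in this very hunk sets `other.allocated_data_ = nullptr`, so the moved-from object is later destroyed with a null pointer, and if `size_` is not reset alongside it (that line is outside the hunk) or a ByteSource can view a buffer it does not own, `OPENSSL_cleanse(nullptr, size_)` writes through a null pointer. The same pair is repeated in the symmetric-key deleter below, in the DER-parsing hunk at `@@ -3133`, and in the Hash destructor in node_crypto.h; defining it once in the header's LibreSSL compat block with the guard, `# define OPENSSL_clear_free(p, n) do { if ((p) != NULL) { OPENSSL_cleanse((p), (n)); OPENSSL_free(p); } } while (0)`, fixes the null case and removes five `#ifdef` blocks at once, provided the target LibreSSL does not already define that name. Both function bodies here are complete within the hunk.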
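Review bot: The `#endif` placement in the `@@ -5019` hunk removes the whole `else if (base_id == EVP_PKEY_EC)` branch from LibreSSL builds rather than just the `DSA_get0_q` call, so an EC key falls through to `return kNoDsaSignature` and the caller presumably leaves an ECDSA signature in DER when the IEEE-P1363 layout was requested (confirm what the caller does with that sentinel). If `EC_GROUP_order_bits` is the missing symbol, `EC_GROUP_get_order` plus `BN_num_bits` is available on the older API and yields the same width, so the branch can stay. Direct `dsa_key->q` access also stops compiling once DSA becomes opaque, so `DSA_get0_pqg` would age better if the target LibreSSL has it. The enclosing function starts before this hunk.
```cpp
  if (base_id == EVP_PKEY_DSA) {
    DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get());
    // Both r and s are computed mod q, so their width is limited by that of q.
#ifdef LIBRESSL_VERSION_NUMBER
    bits = BN_num_bits(dsa_key->q);
#else
    bits = BN_num_bits(DSA_get0_q(dsa_key));
#endif
  } else if (base_id == EVP_PKEY_EC) {
    EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
    const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
#ifdef LIBRESSL_VERSION_NUMBER
    // No EC_GROUP_order_bits here; derive the width from the group order itself.
    BIGNUM* order = BN_new();
    CHECK_NOT_NULL(order);
    CHECK_EQ(1, EC_GROUP_get_order(ec_group, order, nullptr));
    bits = BN_num_bits(order);
    BN_free(order);
#else
    bits = EC_GROUP_order_bits(ec_group);
#endif
  } else {
    return kNoDsaSignature;
  }
```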
@@ -5048,8 +5118,14 @@ AllocatedBuffer buf = env->AllocateManaged(2 * n); unsigned char* data = reinterpret_cast(buf.data()); +#ifdef LIBRESSL_VERSION_NUMBER + const ECDSA_SIG* sig = asn1_sig.get(); + const BIGNUM* r = sig->r; + const BIGNUM* s = sig->s; +#else const BIGNUM* r = ECDSA_SIG_get0_r(asn1_sig.get()); const BIGNUM* s = ECDSA_SIG_get0_s(asn1_sig.get()); +#endif CHECK_EQ(n, static_cast(BN_bn2binpad(r, data, n))); CHECK_EQ(n, static_cast(BN_bn2binpad(s, data + n, n))); @@ -5262,10 +5338,22 @@ const unsigned char* input = reinterpret_cast(data.data()); size_t sig_len; +#ifdef LIBRESSL_VERSION_NUMBER + if (!EVP_DigestSignFinal(mdctx.get(), nullptr, &sig_len)) + return CheckThrow(env, SignBase::Error::kSignPrivateKey); +#else if (!EVP_DigestSign(mdctx.get(), nullptr, &sig_len, input, data.length())) return CheckThrow(env, SignBase::Error::kSignPrivateKey); +#endif AllocatedBuffer signature = env->AllocateManaged(sig_len); +#ifdef LIBRESSL_VERSION_NUMBER + if (!EVP_DigestSignFinal(mdctx.get(), + reinterpret_cast(signature.data()), + &sig_len)) { + return CheckThrow(env, SignBase::Error::kSignPrivateKey); + } +#else if (!EVP_DigestSign(mdctx.get(), reinterpret_cast(signature.data()), &sig_len, @@ -5273,6 +5361,7 @@ data.length())) { return CheckThrow(env, SignBase::Error::kSignPrivateKey); } +#endif signature.Resize(sig_len); @@ -5461,12 +5550,19 @@ } bool verify_result; +#ifdef LIBRESSL_VERSION_NUMBER + const int r = EVP_DigestVerifyFinal( + mdctx.get(), + reinterpret_cast(sig_bytes.get()), + sig_bytes.size()); +#else const int r = EVP_DigestVerify( mdctx.get(), reinterpret_cast(sig_bytes.get()), sig_bytes.size(), reinterpret_cast(data.data()), data.length()); +#endif switch (r) { case 1: verify_result = true; @@ -6350,7 +6446,7 @@ } -#ifndef OPENSSL_NO_SCRYPT +#if !( defined(OPENSSL_NO_SCRYPT) || defined(LIBRESSL_VERSION_NUMBER) ) struct ScryptJob : public CryptoJob { unsigned char* keybuf_data; size_t keybuf_size; 
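Review bot: `CHECK_EQ(n, static_cast(BN_bn2binpad(r, data, n)))` aborts the process under LibreSSL whenever r or s is shorter than n bytes, because the compat macro in node_crypto.h maps `BN_bn2binpad(a, to, n)` to `BN_bn2bin(a, to)`, which neither left-pads nor returns n. Roughly one value in 256 has a leading zero byte, so IEEE-P1363 signing with such keys aborts intermittently, and without the CHECK the layout would be wrong instead (s written at `data + n` after an unpadded r). The macro needs a real padding implementation, shown below for the header's compat block (it needs `<cstring>` in scope for memset); the `sig->r` / `sig->s` field access in this hunk could use `ECDSA_SIG_get0` if the target LibreSSL provides it, which keeps working once ECDSA_SIG becomes opaque. The enclosing function starts before this hunk.
```cpp
/* replacement for OpenSSL's BN_bn2binpad: left-pads to tolen, returns tolen or -1 */
static inline int BN_bn2binpad(const BIGNUM* a, unsigned char* to, int tolen) {
  const int len = BN_num_bytes(a);
  if (len > tolen)
    return -1;
  memset(to, 0, static_cast<size_t>(tolen - len));
  BN_bn2bin(a, to + (tolen - len));
  return tolen;
}
```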
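Review bot: The LibreSSL arm in the `@@ -5262` hunk calls `EVP_DigestSignFinal` without ever feeding `input` into the context — `input` is declared two lines above and becomes unused in that build — so the signature is computed over whatever the context has absorbed, which on this one-shot path is nothing; the `@@ -5461` hunk mirrors it with `EVP_DigestVerifyFinal` and no `EVP_DigestVerifyUpdate`, so the data passed to verify is ignored too. Sign and verify stay consistent with each other, which is exactly why round-trip tests would not notice: any message verifies against the same signature. Before the first `EVP_DigestSignFinal`, add `if (!EVP_DigestSignUpdate(mdctx.get(), input, data.length())) return CheckThrow(env, SignBase::Error::kSignPrivateKey);`, and before `EVP_DigestVerifyFinal` the matching `EVP_DigestVerifyUpdate(mdctx.get(), data.data(), data.length())` with its result handled the way the existing `r` switch handles a failed verify. Unless an Update call exists outside these hunks, which the now-unused `input` argues against, this must be fixed before the patch is used for any key type; both enclosing functions start before their hunks.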
@@ -7098,7 +7194,7 @@ } void InitCryptoOnce() { -#ifndef OPENSSL_IS_BORINGSSL +#if !( defined(OPENSSL_IS_BORINGSSL) || defined(LIBRESSL_VERSION_NUMBER) ) OPENSSL_INIT_SETTINGS* settings = OPENSSL_INIT_new(); // --openssl-config=... @@ -7278,7 +7374,7 @@ PublicKeyCipher::Cipher); -#ifndef OPENSSL_NO_SCRYPT +#if !( defined(OPENSSL_NO_SCRYPT) || defined(LIBRESSL_VERSION_NUMBER) ) env->SetMethod(target, "scrypt", Scrypt); #endif // OPENSSL_NO_SCRYPT } diff -uri node-v13.4.0.orig/src/node_crypto.h node-v13.4.0/src/node_crypto.h --- node-v13.4.0.orig/src/node_crypto.h 2019-12-17 01:41:03.000000000 -0600 +++ node-v13.4.0/src/node_crypto.h 2020-02-01 06:10:05.000000000 -0600 
@@ -40,6 +40,69 @@ #include #include +/* + * libressl compat + */ +#ifdef LIBRESSL_VERSION_NUMBER +/* defines from opnssl's crypto.h */ +# define OPENSSL_memdup(str, s) \ + BUF_memdup(str, s) +/* defines from opnssl's err.h */ +# define ERR_LIB_OSSL_STORE 44 +# define ERR_LIB_CT 50 +# define ERR_LIB_ASYNC 51 +# define ERR_LIB_KDF 52 +# define ERR_LIB_SM2 53 +/* defines from openssl's evp.h */ +# define EVP_PKEY_X25519 NID_X25519 +# define EVP_PKEY_X448 NID_X448 +# define EVP_PKEY_RSA_PSS NID_rsassaPss +# define EVP_PKEY_ED25519 NID_ED25519 +# define EVP_PKEY_ED448 NID_ED448 +# define EVP_CTRL_AEAD_SET_IVLEN 0x9 +# define EVP_CTRL_AEAD_SET_TAG 0x11 +# define EVP_MD_FLAG_XOF 0x0002 +# define EVP_CTRL_CCM_GET_TAG EVP_CTRL_AEAD_GET_TAG +# define EVP_CTRL_AEAD_GET_TAG 0x10 +/* defines from openssl's evperr.h */ +# define EVP_F_EVP_DIGESTFINALXOF 174 +# define EVP_R_NOT_XOF_OR_INVALID_LENGTH 178 +/* defines from openssl's obj_mac.h */ +#define NID_ED25519 1087 +#define NID_ED448 1088 +#define NID_id_GostR3410_2012_256 979 +#define NID_id_GostR3410_2012_512 980 +/* defines from openssl's rsa.h */ +# define EVP_PKEY_CTX_set_rsa_pss_keygen_saltlen(ctx, len) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_PSS_SALTLEN, len, NULL) + +# define EVP_PKEY_CTX_set_rsa_pss_keygen_mgf1_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, EVP_PKEY_OP_KEYGEN, \ + EVP_PKEY_CTRL_RSA_MGF1_MD, 0, (void *)(md)) + +# define EVP_PKEY_CTX_set_rsa_oaep_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_OAEP_MD, 0, (void *)(md)) + +# define EVP_PKEY_CTX_set0_rsa_oaep_label(ctx, l, llen) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA, EVP_PKEY_OP_TYPE_CRYPT, \ + EVP_PKEY_CTRL_RSA_OAEP_LABEL, llen, (void *)(l)) + +# define EVP_PKEY_CTX_set_rsa_pss_keygen_md(ctx, md) \ + EVP_PKEY_CTX_ctrl(ctx, EVP_PKEY_RSA_PSS, \ + EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_MD, \ + 0, (void *)(md)) + +# define EVP_PKEY_CTRL_RSA_OAEP_MD 
(EVP_PKEY_ALG_CTRL + 9) +# define EVP_PKEY_CTRL_RSA_OAEP_LABEL (EVP_PKEY_ALG_CTRL + 10) +/* defines from opnssl's bn.h */ +# define BN_bn2binpad(a, to, n) \ + BN_bn2bin(a, to) +/* defines from opnssl's ec.h */ +# define OPENSSL_EC_EXPLICIT_CURVE 0x000 +#endif + namespace node { namespace crypto { @@ -618,8 +681,14 @@ } ~Hash() override { - if (md_value_ != nullptr) - OPENSSL_clear_free(md_value_, md_len_); + if (md_value_ != nullptr) { +#ifdef LIBRESSL_VERSION_NUMBER + OPENSSL_cleanse(md_value_, md_len_); + OPENSSL_free(md_value_); +#else + OPENSSL_clear_free(md_value_, md_len_); +#endif + } } private: diff -uri node-v13.4.0.orig/src/node_crypto_bio.cc node-v13.4.0/src/node_crypto_bio.cc --- node-v13.4.0.orig/src/node_crypto_bio.cc 2019-12-17 01:41:03.000000000 -0600 +++ node-v13.4.0/src/node_crypto_bio.cc 2020-02-01 06:19:31.000000000 -0600 @@ -65,7 +65,11 @@ return 0; if (BIO_get_shutdown(bio)) { +#ifdef LIBRESSL_VERSION_NUMBER + if (bio->init && BIO_get_data(bio) != nullptr) { +#else if (BIO_get_init(bio) && BIO_get_data(bio) != nullptr) { +#endif delete FromBIO(bio); BIO_set_data(bio, nullptr); } diff -uri node-v13.4.0.orig/src/tls_wrap.cc node-v13.4.0/src/tls_wrap.cc --- node-v13.4.0.orig/src/tls_wrap.cc 2019-12-17 01:41:03.000000000 -0600 +++ node-v13.4.0/src/tls_wrap.cc 2020-02-04 05:06:18.000000000 -0600 @@ -140,7 +140,11 @@ ConfigureSecureContext(sc_); +#ifdef LIBRESSL_VERSION_NUMBER +/* FIXME: cert callback not implemented in libressl */ +#else SSL_set_cert_cb(ssl_.get(), SSLWrap::SSLCertCallback, this); +#endif if (is_server()) { SSL_set_accept_state(ssl_.get()); @@ -916,8 +920,12 @@ TLSWrap* wrap; ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder()); CHECK_NOT_NULL(wrap->sc_); +#ifdef LIBRESSL_VERSION_NUMBER +/* FIXME: keylog_callback not implemented in libressl */ +#else SSL_CTX_set_keylog_callback(wrap->sc_->ctx_.get(), SSLWrap::KeylogCallback); +#endif } // Check required capabilities were not excluded from the OpenSSL build: 
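Review bot: `EVP_MD_FLAG_XOF 0x0002` in the compat block collides with an existing flag value: in the OpenSSL 1.0-era evp.h that LibreSSL descends from, 0x0002 is `EVP_MD_FLAG_PKEY_DIGEST` (confirm in the target evp.h), so a digest carrying that bit would be taken for an XOF and, per the `@@ -4840` hunk in node_crypto.cc, its finalization would return 0. Since no XOF digest is usable in that build anyway, defining the flag to a value no LibreSSL digest sets — `# define EVP_MD_FLAG_XOF 0`, assuming the selecting code only tests the bit with `&` (confirm) — keeps the XOF branch dead instead of misfiring. The `#define NID_*` lines break the block's `# define` indentation, and the `opnssl` spelling in three section comments is worth fixing while here.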
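Review bot: The `/* FIXME: cert callback not implemented in libressl */` placeholder in the tls_wrap.cc `@@ -140` hunk should state what a LibreSSL build loses, because the consequence is silent: whatever `SSLWrap::SSLCertCallback` drives (presumably the OCSP stapling request path that the `ocsp = false` hunk in node_crypto.cc also disables — confirm) simply never runs, with no error surfaced to the application. A comment such as `// LibreSSL has no SSL_set_cert_cb; SSLCertCallback and the stapling/OCSP handling it drives are unavailable in this build.` would make the gap visible, and the keylog hunk at `@@ -916` deserves the same treatment since `SSL_CTX_set_keylog_callback` becoming a no-op means key-log consumers receive nothing without being told. Both enclosing functions start before their hunks.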
@@ -935,7 +943,8 @@ TLSWrap* wrap; ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder()); -#if HAVE_SSL_TRACE +#ifndef LIBRESSL_VERSION_NUMBER +#if HAVE_SSL_TRACE if (wrap->ssl_) { wrap->bio_trace_.reset(BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT)); SSL_set_msg_callback(wrap->ssl_.get(), [](int write_p, int version, int @@ -952,6 +961,7 @@ SSL_set_msg_callback_arg(wrap->ssl_.get(), wrap->bio_trace_.get()); } #endif +#endif } void TLSWrap::DestroySSL(const FunctionCallbackInfo& args) { Only in node-v13.4.0.orig/test/parallel: test-stdout-close-unref.js
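Review bot: The new `#ifndef LIBRESSL_VERSION_NUMBER` wrapped around `#if HAVE_SSL_TRACE` nests two conditionals where one would do; `#if HAVE_SSL_TRACE && !defined(LIBRESSL_VERSION_NUMBER)` keeps a single matching `#endif` and avoids the second one added in the `@@ -952` hunk. If HAVE_SSL_TRACE is decided by the build configuration, deciding it there for LibreSSL builds would keep this function free of library checks entirely. The enclosing function's middle lies between the `@@ -935` and `@@ -952` hunks.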