Lines 116-121
Link Here
|
116 |
using v8::Value; |
116 |
using v8::Value; |
117 |
|
117 |
|
118 |
|
118 |
|
|
|
119 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
120 |
static void RSA_get0_key(const RSA* r, const BIGNUM** n, const BIGNUM** e, |
121 |
const BIGNUM** d) { |
122 |
if (n != nullptr) { |
123 |
*n = r->n; |
124 |
} |
125 |
if (e != nullptr) { |
126 |
*e = r->e; |
127 |
} |
128 |
if (d != nullptr) { |
129 |
*d = r->d; |
130 |
} |
131 |
} |
132 |
|
133 |
static void DH_get0_pqg(const DH* dh, const BIGNUM** p, const BIGNUM** q, |
134 |
const BIGNUM** g) { |
135 |
if (p != nullptr) { |
136 |
*p = dh->p; |
137 |
} |
138 |
if (q != nullptr) { |
139 |
*q = dh->q; |
140 |
} |
141 |
if (g != nullptr) { |
142 |
*g = dh->g; |
143 |
} |
144 |
} |
145 |
|
146 |
static int DH_set0_pqg(DH* dh, BIGNUM* p, BIGNUM* q, BIGNUM* g) { |
147 |
if ((dh->p == nullptr && p == nullptr) || |
148 |
(dh->g == nullptr && g == nullptr)) { |
149 |
return 0; |
150 |
} |
151 |
|
152 |
if (p != nullptr) { |
153 |
BN_free(dh->p); |
154 |
dh->p = p; |
155 |
} |
156 |
if (q != nullptr) { |
157 |
BN_free(dh->q); |
158 |
dh->q = q; |
159 |
} |
160 |
if (g != nullptr) { |
161 |
BN_free(dh->g); |
162 |
dh->g = g; |
163 |
} |
164 |
|
165 |
return 1; |
166 |
} |
167 |
|
168 |
static void DH_get0_key(const DH* dh, const BIGNUM** pub_key, |
169 |
const BIGNUM** priv_key) { |
170 |
if (pub_key != nullptr) { |
171 |
*pub_key = dh->pub_key; |
172 |
} |
173 |
if (priv_key != nullptr) { |
174 |
*priv_key = dh->priv_key; |
175 |
} |
176 |
} |
177 |
|
178 |
static int DH_set0_key(DH* dh, BIGNUM* pub_key, BIGNUM* priv_key) { |
179 |
if (pub_key != nullptr) { |
180 |
BN_free(dh->pub_key); |
181 |
dh->pub_key = pub_key; |
182 |
} |
183 |
if (priv_key != nullptr) { |
184 |
BN_free(dh->priv_key); |
185 |
dh->priv_key = priv_key; |
186 |
} |
187 |
|
188 |
return 1; |
189 |
} |
190 |
|
191 |
static const SSL_METHOD* TLS_method() { return SSLv23_method(); } |
192 |
|
193 |
static void SSL_SESSION_get0_ticket(const SSL_SESSION* s, |
194 |
const unsigned char** tick, size_t* len) { |
195 |
*len = s->tlsext_ticklen; |
196 |
if (tick != nullptr) { |
197 |
*tick = s->tlsext_tick; |
198 |
} |
199 |
} |
200 |
|
201 |
#define SSL_get_tlsext_status_type(ssl) (ssl->tlsext_status_type) |
202 |
|
203 |
#if !defined(OPENSSL_IS_BORINGSSL) |
204 |
static int X509_STORE_up_ref(X509_STORE* store) { |
205 |
CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE); |
206 |
return 1; |
207 |
} |
208 |
|
209 |
static int X509_up_ref(X509* cert) { |
210 |
CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); |
211 |
return 1; |
212 |
} |
213 |
#endif // !OPENSSL_IS_BORINGSSL |
214 |
|
215 |
#define EVP_MD_CTX_new EVP_MD_CTX_create |
216 |
#define EVP_MD_CTX_free EVP_MD_CTX_destroy |
217 |
|
218 |
HMAC_CTX* HMAC_CTX_new() { |
219 |
HMAC_CTX* ctx = Malloc<HMAC_CTX>(1); |
220 |
HMAC_CTX_init(ctx); |
221 |
return ctx; |
222 |
} |
223 |
|
224 |
void HMAC_CTX_free(HMAC_CTX* ctx) { |
225 |
if (ctx == nullptr) { |
226 |
return; |
227 |
} |
228 |
HMAC_CTX_cleanup(ctx); |
229 |
free(ctx); |
230 |
} |
231 |
#endif // OPENSSL_VERSION_NUMBER < 0x10100000L |
232 |
|
119 |
// Subject DER of CNNIC ROOT CA and CNNIC EV ROOT CA are taken from |
233 |
// Subject DER of CNNIC ROOT CA and CNNIC EV ROOT CA are taken from |
120 |
// https://hg.mozilla.org/mozilla-central/file/98820360ab66/security/ |
234 |
// https://hg.mozilla.org/mozilla-central/file/98820360ab66/security/ |
121 |
// certverifier/NSSCertDBTrustDomain.cpp#l672 |
235 |
// certverifier/NSSCertDBTrustDomain.cpp#l672 |
Lines 144-151
Link Here
|
144 |
d2i_X509_NAME(nullptr, &cnnic_ev_p, |
258 |
d2i_X509_NAME(nullptr, &cnnic_ev_p, |
145 |
sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1); |
259 |
sizeof(CNNIC_EV_ROOT_CA_SUBJECT_DATA)-1); |
146 |
|
260 |
|
147 |
static Mutex* mutexes; |
|
|
148 |
|
149 |
static const char* const root_certs[] = { |
261 |
static const char* const root_certs[] = { |
150 |
#include "node_root_certs.h" // NOLINT(build/include_order) |
262 |
#include "node_root_certs.h" // NOLINT(build/include_order) |
151 |
}; |
263 |
}; |
Lines 160-170
Link Here
|
160 |
template void SSLWrap<TLSWrap>::InitNPN(SecureContext* sc); |
272 |
template void SSLWrap<TLSWrap>::InitNPN(SecureContext* sc); |
161 |
template void SSLWrap<TLSWrap>::SetSNIContext(SecureContext* sc); |
273 |
template void SSLWrap<TLSWrap>::SetSNIContext(SecureContext* sc); |
162 |
template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc); |
274 |
template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc); |
|
|
275 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
163 |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback( |
276 |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback( |
164 |
SSL* s, |
277 |
SSL* s, |
165 |
unsigned char* key, |
278 |
unsigned char* key, |
166 |
int len, |
279 |
int len, |
167 |
int* copy); |
280 |
int* copy); |
|
|
281 |
#else |
282 |
template SSL_SESSION* SSLWrap<TLSWrap>::GetSessionCallback( |
283 |
SSL* s, |
284 |
const unsigned char* key, |
285 |
int len, |
286 |
int* copy); |
287 |
#endif |
168 |
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s, |
288 |
template int SSLWrap<TLSWrap>::NewSessionCallback(SSL* s, |
169 |
SSL_SESSION* sess); |
289 |
SSL_SESSION* sess); |
170 |
template void SSLWrap<TLSWrap>::OnClientHello( |
290 |
template void SSLWrap<TLSWrap>::OnClientHello( |
Lines 204-209
Link Here
|
204 |
void* arg); |
324 |
void* arg); |
205 |
#endif // TLSEXT_TYPE_application_layer_protocol_negotiation |
325 |
#endif // TLSEXT_TYPE_application_layer_protocol_negotiation |
206 |
|
326 |
|
|
|
327 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
328 |
static Mutex* mutexes; |
329 |
|
207 |
static void crypto_threadid_cb(CRYPTO_THREADID* tid) { |
330 |
static void crypto_threadid_cb(CRYPTO_THREADID* tid) { |
208 |
static_assert(sizeof(uv_thread_t) <= sizeof(void*), |
331 |
static_assert(sizeof(uv_thread_t) <= sizeof(void*), |
209 |
"uv_thread_t does not fit in a pointer"); |
332 |
"uv_thread_t does not fit in a pointer"); |
Lines 226-231
Link Here
|
226 |
else |
349 |
else |
227 |
mutex->Unlock(); |
350 |
mutex->Unlock(); |
228 |
} |
351 |
} |
|
|
352 |
#endif |
229 |
|
353 |
|
230 |
|
354 |
|
231 |
static int PasswordCallback(char *buf, int size, int rwflag, void *u) { |
355 |
static int PasswordCallback(char *buf, int size, int rwflag, void *u) { |
Lines 429-440
Link Here
|
429 |
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); |
553 |
ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder()); |
430 |
Environment* env = sc->env(); |
554 |
Environment* env = sc->env(); |
431 |
|
555 |
|
432 |
const SSL_METHOD* method = SSLv23_method(); |
556 |
const SSL_METHOD* method = TLS_method(); |
433 |
|
557 |
|
434 |
if (args.Length() == 1 && args[0]->IsString()) { |
558 |
if (args.Length() == 1 && args[0]->IsString()) { |
435 |
const node::Utf8Value sslmethod(env->isolate(), args[0]); |
559 |
const node::Utf8Value sslmethod(env->isolate(), args[0]); |
436 |
|
560 |
|
437 |
// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends |
561 |
// Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends |
438 |
// are still accepted. They are OpenSSL's way of saying that all known |
562 |
// are still accepted. They are OpenSSL's way of saying that all known |
439 |
// protocols are supported unless explicitly disabled (which we do below |
563 |
// protocols are supported unless explicitly disabled (which we do below |
440 |
// for SSLv2 and SSLv3.) |
564 |
// for SSLv2 and SSLv3.) |
Lines 482-488
Link Here
|
482 |
sc->ctx_ = SSL_CTX_new(method); |
606 |
sc->ctx_ = SSL_CTX_new(method); |
483 |
SSL_CTX_set_app_data(sc->ctx_, sc); |
607 |
SSL_CTX_set_app_data(sc->ctx_, sc); |
484 |
|
608 |
|
485 |
// Disable SSLv2 in the case when method == SSLv23_method() and the |
609 |
// Disable SSLv2 in the case when method == TLS_method() and the |
486 |
// cipher list contains SSLv2 ciphers (not the default, should be rare.) |
610 |
// cipher list contains SSLv2 ciphers (not the default, should be rare.) |
487 |
// The bundled OpenSSL doesn't have SSLv2 support but the system OpenSSL may. |
611 |
// The bundled OpenSSL doesn't have SSLv2 support but the system OpenSSL may. |
488 |
// SSLv3 is disabled because it's susceptible to downgrade attacks (POODLE.) |
612 |
// SSLv3 is disabled because it's susceptible to downgrade attacks (POODLE.) |
Lines 496-501
Link Here
|
496 |
SSL_SESS_CACHE_NO_AUTO_CLEAR); |
620 |
SSL_SESS_CACHE_NO_AUTO_CLEAR); |
497 |
SSL_CTX_sess_set_get_cb(sc->ctx_, SSLWrap<Connection>::GetSessionCallback); |
621 |
SSL_CTX_sess_set_get_cb(sc->ctx_, SSLWrap<Connection>::GetSessionCallback); |
498 |
SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback); |
622 |
SSL_CTX_sess_set_new_cb(sc->ctx_, SSLWrap<Connection>::NewSessionCallback); |
|
|
623 |
|
624 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
625 |
// OpenSSL 1.1.0 changed the ticket key size, but the OpenSSL 1.0.x size was |
626 |
// exposed in the public API. To retain compatibility, install a callback |
627 |
// which restores the old algorithm. |
628 |
if (RAND_bytes(sc->ticket_key_name_, sizeof(sc->ticket_key_name_)) <= 0 || |
629 |
RAND_bytes(sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_)) <= 0 || |
630 |
RAND_bytes(sc->ticket_key_aes_, sizeof(sc->ticket_key_aes_)) <= 0) { |
631 |
return env->ThrowError("Error generating ticket keys"); |
632 |
} |
633 |
SSL_CTX_set_tlsext_ticket_key_cb(sc->ctx_, |
634 |
SecureContext::TicketCompatibilityCallback); |
635 |
#endif |
499 |
} |
636 |
} |
500 |
|
637 |
|
501 |
|
638 |
|
Lines 573-591
Link Here
|
573 |
|
710 |
|
574 |
|
711 |
|
575 |
int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) { |
712 |
int SSL_CTX_get_issuer(SSL_CTX* ctx, X509* cert, X509** issuer) { |
576 |
int ret; |
|
|
577 |
|
578 |
X509_STORE* store = SSL_CTX_get_cert_store(ctx); |
713 |
X509_STORE* store = SSL_CTX_get_cert_store(ctx); |
579 |
X509_STORE_CTX store_ctx; |
714 |
X509_STORE_CTX* store_ctx = X509_STORE_CTX_new(); |
580 |
|
715 |
int ret = store_ctx != nullptr && |
581 |
ret = X509_STORE_CTX_init(&store_ctx, store, nullptr, nullptr); |
716 |
X509_STORE_CTX_init(store_ctx, store, nullptr, nullptr) == 1 && |
582 |
if (!ret) |
717 |
X509_STORE_CTX_get1_issuer(issuer, store_ctx, cert) == 1; |
583 |
goto end; |
718 |
X509_STORE_CTX_free(store_ctx); |
584 |
|
|
|
585 |
ret = X509_STORE_CTX_get1_issuer(issuer, &store_ctx, cert); |
586 |
X509_STORE_CTX_cleanup(&store_ctx); |
587 |
|
588 |
end: |
589 |
return ret; |
719 |
return ret; |
590 |
} |
720 |
} |
591 |
|
721 |
|
Lines 676-682
Link Here
|
676 |
x = PEM_read_bio_X509_AUX(in, nullptr, NoPasswordCallback, nullptr); |
806 |
x = PEM_read_bio_X509_AUX(in, nullptr, NoPasswordCallback, nullptr); |
677 |
|
807 |
|
678 |
if (x == nullptr) { |
808 |
if (x == nullptr) { |
679 |
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); |
|
|
680 |
return 0; |
809 |
return 0; |
681 |
} |
810 |
} |
682 |
|
811 |
|
Lines 687-693
Link Here
|
687 |
// Read extra certs |
816 |
// Read extra certs |
688 |
STACK_OF(X509)* extra_certs = sk_X509_new_null(); |
817 |
STACK_OF(X509)* extra_certs = sk_X509_new_null(); |
689 |
if (extra_certs == nullptr) { |
818 |
if (extra_certs == nullptr) { |
690 |
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_MALLOC_FAILURE); |
|
|
691 |
goto done; |
819 |
goto done; |
692 |
} |
820 |
} |
693 |
|
821 |
|
Lines 770-791
Link Here
|
770 |
} |
898 |
} |
771 |
|
899 |
|
772 |
|
900 |
|
773 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L && !defined(OPENSSL_IS_BORINGSSL) |
|
|
774 |
// This section contains OpenSSL 1.1.0 functions reimplemented for OpenSSL |
775 |
// 1.0.2 so that the following code can be written without lots of #if lines. |
776 |
|
777 |
static int X509_STORE_up_ref(X509_STORE* store) { |
778 |
CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE); |
779 |
return 1; |
780 |
} |
781 |
|
782 |
static int X509_up_ref(X509* cert) { |
783 |
CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); |
784 |
return 1; |
785 |
} |
786 |
#endif // OPENSSL_VERSION_NUMBER < 0x10100000L && !OPENSSL_IS_BORINGSSL |
787 |
|
788 |
|
789 |
static X509_STORE* NewRootCertStore() { |
901 |
static X509_STORE* NewRootCertStore() { |
790 |
static std::vector<X509*> root_certs_vector; |
902 |
static std::vector<X509*> root_certs_vector; |
791 |
if (root_certs_vector.empty()) { |
903 |
if (root_certs_vector.empty()) { |
Lines 975-982
Link Here
|
975 |
|
1087 |
|
976 |
node::Utf8Value curve(env->isolate(), args[0]); |
1088 |
node::Utf8Value curve(env->isolate(), args[0]); |
977 |
|
1089 |
|
|
|
1090 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
978 |
SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE); |
1091 |
SSL_CTX_set_options(sc->ctx_, SSL_OP_SINGLE_ECDH_USE); |
979 |
SSL_CTX_set_ecdh_auto(sc->ctx_, 1); |
1092 |
SSL_CTX_set_ecdh_auto(sc->ctx_, 1); |
|
|
1093 |
#endif |
980 |
|
1094 |
|
981 |
if (strcmp(*curve, "auto") == 0) |
1095 |
if (strcmp(*curve, "auto") == 0) |
982 |
return; |
1096 |
return; |
Lines 1008-1014
Link Here
|
1008 |
if (dh == nullptr) |
1122 |
if (dh == nullptr) |
1009 |
return; |
1123 |
return; |
1010 |
|
1124 |
|
1011 |
const int size = BN_num_bits(dh->p); |
1125 |
const BIGNUM* p; |
|
|
1126 |
DH_get0_pqg(dh, &p, nullptr, nullptr); |
1127 |
const int size = BN_num_bits(p); |
1012 |
if (size < 1024) { |
1128 |
if (size < 1024) { |
1013 |
return env->ThrowError("DH parameter is less than 1024 bits"); |
1129 |
return env->ThrowError("DH parameter is less than 1024 bits"); |
1014 |
} else if (size < 2048) { |
1130 |
} else if (size < 2048) { |
Lines 1193-1203
Link Here
|
1193 |
ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder()); |
1309 |
ASSIGN_OR_RETURN_UNWRAP(&wrap, args.Holder()); |
1194 |
|
1310 |
|
1195 |
Local<Object> buff = Buffer::New(wrap->env(), 48).ToLocalChecked(); |
1311 |
Local<Object> buff = Buffer::New(wrap->env(), 48).ToLocalChecked(); |
|
|
1312 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1313 |
memcpy(Buffer::Data(buff), wrap->ticket_key_name_, 16); |
1314 |
memcpy(Buffer::Data(buff) + 16, wrap->ticket_key_hmac_, 16); |
1315 |
memcpy(Buffer::Data(buff) + 32, wrap->ticket_key_aes_, 16); |
1316 |
#else |
1196 |
if (SSL_CTX_get_tlsext_ticket_keys(wrap->ctx_, |
1317 |
if (SSL_CTX_get_tlsext_ticket_keys(wrap->ctx_, |
1197 |
Buffer::Data(buff), |
1318 |
Buffer::Data(buff), |
1198 |
Buffer::Length(buff)) != 1) { |
1319 |
Buffer::Length(buff)) != 1) { |
1199 |
return wrap->env()->ThrowError("Failed to fetch tls ticket keys"); |
1320 |
return wrap->env()->ThrowError("Failed to fetch tls ticket keys"); |
1200 |
} |
1321 |
} |
|
|
1322 |
#endif |
1201 |
|
1323 |
|
1202 |
args.GetReturnValue().Set(buff); |
1324 |
args.GetReturnValue().Set(buff); |
1203 |
#endif // !def(OPENSSL_NO_TLSEXT) && def(SSL_CTX_get_tlsext_ticket_keys) |
1325 |
#endif // !def(OPENSSL_NO_TLSEXT) && def(SSL_CTX_get_tlsext_ticket_keys) |
Lines 1220-1230
Link Here
|
1220 |
return env->ThrowTypeError("Ticket keys length must be 48 bytes"); |
1342 |
return env->ThrowTypeError("Ticket keys length must be 48 bytes"); |
1221 |
} |
1343 |
} |
1222 |
|
1344 |
|
|
|
1345 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1346 |
memcpy(wrap->ticket_key_name_, Buffer::Data(args[0]), 16); |
1347 |
memcpy(wrap->ticket_key_hmac_, Buffer::Data(args[0]) + 16, 16); |
1348 |
memcpy(wrap->ticket_key_aes_, Buffer::Data(args[0]) + 32, 16); |
1349 |
#else |
1223 |
if (SSL_CTX_set_tlsext_ticket_keys(wrap->ctx_, |
1350 |
if (SSL_CTX_set_tlsext_ticket_keys(wrap->ctx_, |
1224 |
Buffer::Data(args[0]), |
1351 |
Buffer::Data(args[0]), |
1225 |
Buffer::Length(args[0])) != 1) { |
1352 |
Buffer::Length(args[0])) != 1) { |
1226 |
return env->ThrowError("Failed to fetch tls ticket keys"); |
1353 |
return env->ThrowError("Failed to fetch tls ticket keys"); |
1227 |
} |
1354 |
} |
|
|
1355 |
#endif |
1228 |
|
1356 |
|
1229 |
args.GetReturnValue().Set(true); |
1357 |
args.GetReturnValue().Set(true); |
1230 |
#endif // !def(OPENSSL_NO_TLSEXT) && def(SSL_CTX_get_tlsext_ticket_keys) |
1358 |
#endif // !def(OPENSSL_NO_TLSEXT) && def(SSL_CTX_get_tlsext_ticket_keys) |
Lines 1335-1340
Link Here
|
1335 |
} |
1463 |
} |
1336 |
|
1464 |
|
1337 |
|
1465 |
|
|
|
1466 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
1467 |
int SecureContext::TicketCompatibilityCallback(SSL* ssl, |
1468 |
unsigned char* name, |
1469 |
unsigned char* iv, |
1470 |
EVP_CIPHER_CTX* ectx, |
1471 |
HMAC_CTX* hctx, |
1472 |
int enc) { |
1473 |
SecureContext* sc = static_cast<SecureContext*>( |
1474 |
SSL_CTX_get_app_data(SSL_get_SSL_CTX(ssl))); |
1475 |
|
1476 |
if (enc) { |
1477 |
memcpy(name, sc->ticket_key_name_, sizeof(sc->ticket_key_name_)); |
1478 |
if (RAND_bytes(iv, 16) <= 0 || |
1479 |
EVP_EncryptInit_ex(ectx, EVP_aes_128_cbc(), nullptr, |
1480 |
sc->ticket_key_aes_, iv) <= 0 || |
1481 |
HMAC_Init_ex(hctx, sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_), |
1482 |
EVP_sha256(), nullptr) <= 0) { |
1483 |
return -1; |
1484 |
} |
1485 |
return 1; |
1486 |
} |
1487 |
|
1488 |
if (memcmp(name, sc->ticket_key_name_, sizeof(sc->ticket_key_name_)) != 0) { |
1489 |
// The ticket key name does not match. Discard the ticket. |
1490 |
return 0; |
1491 |
} |
1492 |
|
1493 |
if (EVP_DecryptInit_ex(ectx, EVP_aes_128_cbc(), nullptr, sc->ticket_key_aes_, |
1494 |
iv) <= 0 || |
1495 |
HMAC_Init_ex(hctx, sc->ticket_key_hmac_, sizeof(sc->ticket_key_hmac_), |
1496 |
EVP_sha256(), nullptr) <= 0) { |
1497 |
return -1; |
1498 |
} |
1499 |
return 1; |
1500 |
} |
1501 |
#endif |
1338 |
|
1502 |
|
1339 |
|
1503 |
|
1340 |
void SecureContext::CtxGetter(Local<String> property, |
1504 |
void SecureContext::CtxGetter(Local<String> property, |
Lines 1439-1449
Link Here
|
1439 |
} |
1603 |
} |
1440 |
|
1604 |
|
1441 |
|
1605 |
|
|
|
1606 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
1442 |
template <class Base> |
1607 |
template <class Base> |
1443 |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s, |
1608 |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s, |
1444 |
unsigned char* key, |
1609 |
unsigned char* key, |
1445 |
int len, |
1610 |
int len, |
1446 |
int* copy) { |
1611 |
int* copy) { |
|
|
1612 |
#else |
1613 |
template <class Base> |
1614 |
SSL_SESSION* SSLWrap<Base>::GetSessionCallback(SSL* s, |
1615 |
const unsigned char* key, |
1616 |
int len, |
1617 |
int* copy) { |
1618 |
#endif |
1447 |
Base* w = static_cast<Base*>(SSL_get_app_data(s)); |
1619 |
Base* w = static_cast<Base*>(SSL_get_app_data(s)); |
1448 |
|
1620 |
|
1449 |
*copy = 0; |
1621 |
*copy = 0; |
Lines 1620-1633
Link Here
|
1620 |
rsa = EVP_PKEY_get1_RSA(pkey); |
1792 |
rsa = EVP_PKEY_get1_RSA(pkey); |
1621 |
|
1793 |
|
1622 |
if (rsa != nullptr) { |
1794 |
if (rsa != nullptr) { |
1623 |
BN_print(bio, rsa->n); |
1795 |
const BIGNUM* n; |
|
|
1796 |
const BIGNUM* e; |
1797 |
RSA_get0_key(rsa, &n, &e, nullptr); |
1798 |
BN_print(bio, n); |
1624 |
BIO_get_mem_ptr(bio, &mem); |
1799 |
BIO_get_mem_ptr(bio, &mem); |
1625 |
info->Set(env->modulus_string(), |
1800 |
info->Set(env->modulus_string(), |
1626 |
String::NewFromUtf8(env->isolate(), mem->data, |
1801 |
String::NewFromUtf8(env->isolate(), mem->data, |
1627 |
String::kNormalString, mem->length)); |
1802 |
String::kNormalString, mem->length)); |
1628 |
(void) BIO_reset(bio); |
1803 |
(void) BIO_reset(bio); |
1629 |
|
1804 |
|
1630 |
uint64_t exponent_word = static_cast<uint64_t>(BN_get_word(rsa->e)); |
1805 |
uint64_t exponent_word = static_cast<uint64_t>(BN_get_word(e)); |
1631 |
uint32_t lo = static_cast<uint32_t>(exponent_word); |
1806 |
uint32_t lo = static_cast<uint32_t>(exponent_word); |
1632 |
uint32_t hi = static_cast<uint32_t>(exponent_word >> 32); |
1807 |
uint32_t hi = static_cast<uint32_t>(exponent_word >> 32); |
1633 |
if (hi == 0) { |
1808 |
if (hi == 0) { |
Lines 1953-1965
Link Here
|
1953 |
Environment* env = w->ssl_env(); |
2128 |
Environment* env = w->ssl_env(); |
1954 |
|
2129 |
|
1955 |
SSL_SESSION* sess = SSL_get_session(w->ssl_); |
2130 |
SSL_SESSION* sess = SSL_get_session(w->ssl_); |
1956 |
if (sess == nullptr || sess->tlsext_tick == nullptr) |
2131 |
if (sess == nullptr) |
|
|
2132 |
return; |
2133 |
|
2134 |
const unsigned char *ticket; |
2135 |
size_t length; |
2136 |
SSL_SESSION_get0_ticket(sess, &ticket, &length); |
2137 |
|
2138 |
if (ticket == nullptr) |
1957 |
return; |
2139 |
return; |
1958 |
|
2140 |
|
1959 |
Local<Object> buff = Buffer::Copy( |
2141 |
Local<Object> buff = Buffer::Copy( |
1960 |
env, |
2142 |
env, reinterpret_cast<const char*>(ticket), length).ToLocalChecked(); |
1961 |
reinterpret_cast<char*>(sess->tlsext_tick), |
|
|
1962 |
sess->tlsext_ticklen).ToLocalChecked(); |
1963 |
|
2143 |
|
1964 |
args.GetReturnValue().Set(buff); |
2144 |
args.GetReturnValue().Set(buff); |
1965 |
} |
2145 |
} |
Lines 2150-2158
Link Here
|
2150 |
Local<Object> info = Object::New(env->isolate()); |
2330 |
Local<Object> info = Object::New(env->isolate()); |
2151 |
const char* cipher_name = SSL_CIPHER_get_name(c); |
2331 |
const char* cipher_name = SSL_CIPHER_get_name(c); |
2152 |
info->Set(env->name_string(), OneByteString(args.GetIsolate(), cipher_name)); |
2332 |
info->Set(env->name_string(), OneByteString(args.GetIsolate(), cipher_name)); |
2153 |
const char* cipher_version = SSL_CIPHER_get_version(c); |
|
|
2154 |
info->Set(env->version_string(), |
2333 |
info->Set(env->version_string(), |
2155 |
OneByteString(args.GetIsolate(), cipher_version)); |
2334 |
OneByteString(args.GetIsolate(), "TLSv1/SSLv3")); |
2156 |
args.GetReturnValue().Set(info); |
2335 |
args.GetReturnValue().Set(info); |
2157 |
} |
2336 |
} |
2158 |
|
2337 |
|
Lines 2332-2351
Link Here
|
2332 |
unsigned alpn_protos_len = Buffer::Length(alpn_buffer); |
2511 |
unsigned alpn_protos_len = Buffer::Length(alpn_buffer); |
2333 |
int status = SSL_select_next_proto(const_cast<unsigned char**>(out), outlen, |
2512 |
int status = SSL_select_next_proto(const_cast<unsigned char**>(out), outlen, |
2334 |
alpn_protos, alpn_protos_len, in, inlen); |
2513 |
alpn_protos, alpn_protos_len, in, inlen); |
2335 |
|
2514 |
// According to 3.2. Protocol Selection of RFC7301, fatal |
2336 |
switch (status) { |
2515 |
// no_application_protocol alert shall be sent but OpenSSL 1.0.2 does not |
2337 |
case OPENSSL_NPN_NO_OVERLAP: |
2516 |
// support it yet. See |
2338 |
// According to 3.2. Protocol Selection of RFC7301, |
2517 |
// https://rt.openssl.org/Ticket/Display.html?id=3463&user=guest&pass=guest |
2339 |
// fatal no_application_protocol alert shall be sent |
2518 |
return status == OPENSSL_NPN_NEGOTIATED ? SSL_TLSEXT_ERR_OK |
2340 |
// but current openssl does not support it yet. See |
2519 |
: SSL_TLSEXT_ERR_NOACK; |
2341 |
// https://rt.openssl.org/Ticket/Display.html?id=3463&user=guest&pass=guest |
|
|
2342 |
// Instead, we send a warning alert for now. |
2343 |
return SSL_TLSEXT_ERR_ALERT_WARNING; |
2344 |
case OPENSSL_NPN_NEGOTIATED: |
2345 |
return SSL_TLSEXT_ERR_OK; |
2346 |
default: |
2347 |
return SSL_TLSEXT_ERR_ALERT_FATAL; |
2348 |
} |
2349 |
} |
2520 |
} |
2350 |
#endif // TLSEXT_TYPE_application_layer_protocol_negotiation |
2521 |
#endif // TLSEXT_TYPE_application_layer_protocol_negotiation |
2351 |
|
2522 |
|
Lines 2486-2492
Link Here
|
2486 |
|
2657 |
|
2487 |
bool ocsp = false; |
2658 |
bool ocsp = false; |
2488 |
#ifdef NODE__HAVE_TLSEXT_STATUS_CB |
2659 |
#ifdef NODE__HAVE_TLSEXT_STATUS_CB |
2489 |
ocsp = s->tlsext_status_type == TLSEXT_STATUSTYPE_ocsp; |
2660 |
ocsp = SSL_get_tlsext_status_type(s) == TLSEXT_STATUSTYPE_ocsp; |
2490 |
#endif |
2661 |
#endif |
2491 |
|
2662 |
|
2492 |
info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp)); |
2663 |
info->Set(env->ocsp_request_string(), Boolean::New(env->isolate(), ocsp)); |
Lines 3363-3369
Link Here
|
3363 |
} |
3534 |
} |
3364 |
#endif // NODE_FIPS_MODE |
3535 |
#endif // NODE_FIPS_MODE |
3365 |
|
3536 |
|
3366 |
CHECK_EQ(initialised_, false); |
3537 |
CHECK_EQ(ctx_, nullptr); |
3367 |
const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type); |
3538 |
const EVP_CIPHER* const cipher = EVP_get_cipherbyname(cipher_type); |
3368 |
if (cipher == nullptr) { |
3539 |
if (cipher == nullptr) { |
3369 |
return env()->ThrowError("Unknown cipher"); |
3540 |
return env()->ThrowError("Unknown cipher"); |
Lines 3381-3391
Link Here
|
3381 |
key, |
3552 |
key, |
3382 |
iv); |
3553 |
iv); |
3383 |
|
3554 |
|
3384 |
EVP_CIPHER_CTX_init(&ctx_); |
3555 |
ctx_ = EVP_CIPHER_CTX_new(); |
3385 |
const bool encrypt = (kind_ == kCipher); |
3556 |
const bool encrypt = (kind_ == kCipher); |
3386 |
EVP_CipherInit_ex(&ctx_, cipher, nullptr, nullptr, nullptr, encrypt); |
3557 |
EVP_CipherInit_ex(ctx_, cipher, nullptr, nullptr, nullptr, encrypt); |
3387 |
|
3558 |
|
3388 |
int mode = EVP_CIPHER_CTX_mode(&ctx_); |
3559 |
int mode = EVP_CIPHER_CTX_mode(ctx_); |
3389 |
if (encrypt && (mode == EVP_CIPH_CTR_MODE || mode == EVP_CIPH_GCM_MODE || |
3560 |
if (encrypt && (mode == EVP_CIPH_CTR_MODE || mode == EVP_CIPH_GCM_MODE || |
3390 |
mode == EVP_CIPH_CCM_MODE)) { |
3561 |
mode == EVP_CIPH_CCM_MODE)) { |
3391 |
ProcessEmitWarning(env(), "Use Cipheriv for counter mode of %s", |
3562 |
ProcessEmitWarning(env(), "Use Cipheriv for counter mode of %s", |
Lines 3393-3409
Link Here
|
3393 |
} |
3564 |
} |
3394 |
|
3565 |
|
3395 |
if (mode == EVP_CIPH_WRAP_MODE) |
3566 |
if (mode == EVP_CIPH_WRAP_MODE) |
3396 |
EVP_CIPHER_CTX_set_flags(&ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); |
3567 |
EVP_CIPHER_CTX_set_flags(ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); |
3397 |
|
3568 |
|
3398 |
CHECK_EQ(1, EVP_CIPHER_CTX_set_key_length(&ctx_, key_len)); |
3569 |
CHECK_EQ(1, EVP_CIPHER_CTX_set_key_length(ctx_, key_len)); |
3399 |
|
3570 |
|
3400 |
EVP_CipherInit_ex(&ctx_, |
3571 |
EVP_CipherInit_ex(ctx_, |
3401 |
nullptr, |
3572 |
nullptr, |
3402 |
nullptr, |
3573 |
nullptr, |
3403 |
reinterpret_cast<unsigned char*>(key), |
3574 |
reinterpret_cast<unsigned char*>(key), |
3404 |
reinterpret_cast<unsigned char*>(iv), |
3575 |
reinterpret_cast<unsigned char*>(iv), |
3405 |
kind_ == kCipher); |
3576 |
kind_ == kCipher); |
3406 |
initialised_ = true; |
|
|
3407 |
} |
3577 |
} |
3408 |
|
3578 |
|
3409 |
|
3579 |
|
Lines 3446-3477
Link Here
|
3446 |
return env()->ThrowError("Invalid IV length"); |
3616 |
return env()->ThrowError("Invalid IV length"); |
3447 |
} |
3617 |
} |
3448 |
|
3618 |
|
3449 |
EVP_CIPHER_CTX_init(&ctx_); |
3619 |
ctx_ = EVP_CIPHER_CTX_new(); |
3450 |
|
3620 |
|
3451 |
if (mode == EVP_CIPH_WRAP_MODE) |
3621 |
if (mode == EVP_CIPH_WRAP_MODE) |
3452 |
EVP_CIPHER_CTX_set_flags(&ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); |
3622 |
EVP_CIPHER_CTX_set_flags(ctx_, EVP_CIPHER_CTX_FLAG_WRAP_ALLOW); |
3453 |
|
3623 |
|
3454 |
const bool encrypt = (kind_ == kCipher); |
3624 |
const bool encrypt = (kind_ == kCipher); |
3455 |
EVP_CipherInit_ex(&ctx_, cipher, nullptr, nullptr, nullptr, encrypt); |
3625 |
EVP_CipherInit_ex(ctx_, cipher, nullptr, nullptr, nullptr, encrypt); |
3456 |
|
3626 |
|
3457 |
if (is_gcm_mode && |
3627 |
if (is_gcm_mode && |
3458 |
!EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_SET_IVLEN, iv_len, nullptr)) { |
3628 |
!EVP_CIPHER_CTX_ctrl(ctx_, EVP_CTRL_GCM_SET_IVLEN, iv_len, nullptr)) { |
3459 |
EVP_CIPHER_CTX_cleanup(&ctx_); |
3629 |
EVP_CIPHER_CTX_free(ctx_); |
|
|
3630 |
ctx_ = nullptr; |
3460 |
return env()->ThrowError("Invalid IV length"); |
3631 |
return env()->ThrowError("Invalid IV length"); |
3461 |
} |
3632 |
} |
3462 |
|
3633 |
|
3463 |
if (!EVP_CIPHER_CTX_set_key_length(&ctx_, key_len)) { |
3634 |
if (!EVP_CIPHER_CTX_set_key_length(ctx_, key_len)) { |
3464 |
EVP_CIPHER_CTX_cleanup(&ctx_); |
3635 |
EVP_CIPHER_CTX_free(ctx_); |
|
|
3636 |
ctx_ = nullptr; |
3465 |
return env()->ThrowError("Invalid key length"); |
3637 |
return env()->ThrowError("Invalid key length"); |
3466 |
} |
3638 |
} |
3467 |
|
3639 |
|
3468 |
EVP_CipherInit_ex(&ctx_, |
3640 |
EVP_CipherInit_ex(ctx_, |
3469 |
nullptr, |
3641 |
nullptr, |
3470 |
nullptr, |
3642 |
nullptr, |
3471 |
reinterpret_cast<const unsigned char*>(key), |
3643 |
reinterpret_cast<const unsigned char*>(key), |
3472 |
reinterpret_cast<const unsigned char*>(iv), |
3644 |
reinterpret_cast<const unsigned char*>(iv), |
3473 |
kind_ == kCipher); |
3645 |
kind_ == kCipher); |
3474 |
initialised_ = true; |
|
|
3475 |
} |
3646 |
} |
3476 |
|
3647 |
|
3477 |
|
3648 |
|
Lines 3499-3506
Link Here
|
3499 |
|
3670 |
|
3500 |
bool CipherBase::IsAuthenticatedMode() const { |
3671 |
bool CipherBase::IsAuthenticatedMode() const { |
3501 |
// Check if this cipher operates in an AEAD mode that we support. |
3672 |
// Check if this cipher operates in an AEAD mode that we support. |
3502 |
CHECK_EQ(initialised_, true); |
3673 |
CHECK_NE(ctx_, nullptr); |
3503 |
const EVP_CIPHER* const cipher = EVP_CIPHER_CTX_cipher(&ctx_); |
3674 |
const EVP_CIPHER* const cipher = EVP_CIPHER_CTX_cipher(ctx_); |
3504 |
int mode = EVP_CIPHER_mode(cipher); |
3675 |
int mode = EVP_CIPHER_mode(cipher); |
3505 |
return mode == EVP_CIPH_GCM_MODE; |
3676 |
return mode == EVP_CIPH_GCM_MODE; |
3506 |
} |
3677 |
} |
Lines 3512-3518
Link Here
|
3512 |
ASSIGN_OR_RETURN_UNWRAP(&cipher, args.Holder()); |
3683 |
ASSIGN_OR_RETURN_UNWRAP(&cipher, args.Holder()); |
3513 |
|
3684 |
|
3514 |
// Only callable after Final and if encrypting. |
3685 |
// Only callable after Final and if encrypting. |
3515 |
if (cipher->initialised_ || |
3686 |
if (cipher->ctx_ || |
3516 |
cipher->kind_ != kCipher || |
3687 |
cipher->kind_ != kCipher || |
3517 |
cipher->auth_tag_len_ == 0) { |
3688 |
cipher->auth_tag_len_ == 0) { |
3518 |
return env->ThrowError("Attempting to get auth tag in unsupported state"); |
3689 |
return env->ThrowError("Attempting to get auth tag in unsupported state"); |
Lines 3533-3539
Link Here
|
3533 |
CipherBase* cipher; |
3704 |
CipherBase* cipher; |
3534 |
ASSIGN_OR_RETURN_UNWRAP(&cipher, args.Holder()); |
3705 |
ASSIGN_OR_RETURN_UNWRAP(&cipher, args.Holder()); |
3535 |
|
3706 |
|
3536 |
if (!cipher->initialised_ || |
3707 |
if (!cipher->ctx_ || |
3537 |
!cipher->IsAuthenticatedMode() || |
3708 |
!cipher->IsAuthenticatedMode() || |
3538 |
cipher->kind_ != kDecipher) { |
3709 |
cipher->kind_ != kDecipher) { |
3539 |
return env->ThrowError("Attempting to set auth tag in unsupported state"); |
3710 |
return env->ThrowError("Attempting to set auth tag in unsupported state"); |
Lines 3551-3560
Link Here
|
3551 |
|
3722 |
|
3552 |
|
3723 |
|
3553 |
bool CipherBase::SetAAD(const char* data, unsigned int len) { |
3724 |
bool CipherBase::SetAAD(const char* data, unsigned int len) { |
3554 |
if (!initialised_ || !IsAuthenticatedMode()) |
3725 |
if (!ctx_ || !IsAuthenticatedMode()) |
3555 |
return false; |
3726 |
return false; |
3556 |
int outlen; |
3727 |
int outlen; |
3557 |
if (!EVP_CipherUpdate(&ctx_, |
3728 |
if (!EVP_CipherUpdate(ctx_, |
3558 |
nullptr, |
3729 |
nullptr, |
3559 |
&outlen, |
3730 |
&outlen, |
3560 |
reinterpret_cast<const unsigned char*>(data), |
3731 |
reinterpret_cast<const unsigned char*>(data), |
Lines 3582-3602
Link Here
|
3582 |
int len, |
3753 |
int len, |
3583 |
unsigned char** out, |
3754 |
unsigned char** out, |
3584 |
int* out_len) { |
3755 |
int* out_len) { |
3585 |
if (!initialised_) |
3756 |
if (!ctx_) |
3586 |
return 0; |
3757 |
return 0; |
3587 |
|
3758 |
|
3588 |
// on first update: |
3759 |
// on first update: |
3589 |
if (kind_ == kDecipher && IsAuthenticatedMode() && auth_tag_len_ > 0) { |
3760 |
if (kind_ == kDecipher && IsAuthenticatedMode() && auth_tag_len_ > 0) { |
3590 |
EVP_CIPHER_CTX_ctrl(&ctx_, |
3761 |
EVP_CIPHER_CTX_ctrl(ctx_, |
3591 |
EVP_CTRL_GCM_SET_TAG, |
3762 |
EVP_CTRL_GCM_SET_TAG, |
3592 |
auth_tag_len_, |
3763 |
auth_tag_len_, |
3593 |
reinterpret_cast<unsigned char*>(auth_tag_)); |
3764 |
reinterpret_cast<unsigned char*>(auth_tag_)); |
3594 |
auth_tag_len_ = 0; |
3765 |
auth_tag_len_ = 0; |
3595 |
} |
3766 |
} |
3596 |
|
3767 |
|
3597 |
*out_len = len + EVP_CIPHER_CTX_block_size(&ctx_); |
3768 |
*out_len = len + EVP_CIPHER_CTX_block_size(ctx_); |
3598 |
*out = Malloc<unsigned char>(static_cast<size_t>(*out_len)); |
3769 |
*out = Malloc<unsigned char>(static_cast<size_t>(*out_len)); |
3599 |
return EVP_CipherUpdate(&ctx_, |
3770 |
return EVP_CipherUpdate(ctx_, |
3600 |
*out, |
3771 |
*out, |
3601 |
out_len, |
3772 |
out_len, |
3602 |
reinterpret_cast<const unsigned char*>(data), |
3773 |
reinterpret_cast<const unsigned char*>(data), |
Lines 3644-3652
Link Here
|
3644 |
|
3815 |
|
3645 |
|
3816 |
|
3646 |
bool CipherBase::SetAutoPadding(bool auto_padding) { |
3817 |
bool CipherBase::SetAutoPadding(bool auto_padding) { |
3647 |
if (!initialised_) |
3818 |
if (!ctx_) |
3648 |
return false; |
3819 |
return false; |
3649 |
return EVP_CIPHER_CTX_set_padding(&ctx_, auto_padding); |
3820 |
return EVP_CIPHER_CTX_set_padding(ctx_, auto_padding); |
3650 |
} |
3821 |
} |
3651 |
|
3822 |
|
3652 |
|
3823 |
|
Lines 3662-3683
Link Here
|
3662 |
|
3833 |
|
3663 |
|
3834 |
|
3664 |
bool CipherBase::Final(unsigned char** out, int *out_len) { |
3835 |
bool CipherBase::Final(unsigned char** out, int *out_len) { |
3665 |
if (!initialised_) |
3836 |
if (!ctx_) |
3666 |
return false; |
3837 |
return false; |
3667 |
|
3838 |
|
3668 |
*out = Malloc<unsigned char>( |
3839 |
*out = Malloc<unsigned char>( |
3669 |
static_cast<size_t>(EVP_CIPHER_CTX_block_size(&ctx_))); |
3840 |
static_cast<size_t>(EVP_CIPHER_CTX_block_size(ctx_))); |
3670 |
int r = EVP_CipherFinal_ex(&ctx_, *out, out_len); |
3841 |
int r = EVP_CipherFinal_ex(ctx_, *out, out_len); |
3671 |
|
3842 |
|
3672 |
if (r == 1 && kind_ == kCipher && IsAuthenticatedMode()) { |
3843 |
if (r == 1 && kind_ == kCipher && IsAuthenticatedMode()) { |
3673 |
auth_tag_len_ = sizeof(auth_tag_); |
3844 |
auth_tag_len_ = sizeof(auth_tag_); |
3674 |
r = EVP_CIPHER_CTX_ctrl(&ctx_, EVP_CTRL_GCM_GET_TAG, auth_tag_len_, |
3845 |
r = EVP_CIPHER_CTX_ctrl(ctx_, EVP_CTRL_GCM_GET_TAG, auth_tag_len_, |
3675 |
reinterpret_cast<unsigned char*>(auth_tag_)); |
3846 |
reinterpret_cast<unsigned char*>(auth_tag_)); |
3676 |
CHECK_EQ(r, 1); |
3847 |
CHECK_EQ(r, 1); |
3677 |
} |
3848 |
} |
3678 |
|
3849 |
|
3679 |
EVP_CIPHER_CTX_cleanup(&ctx_); |
3850 |
EVP_CIPHER_CTX_free(ctx_); |
3680 |
initialised_ = false; |
3851 |
ctx_ = nullptr; |
3681 |
|
3852 |
|
3682 |
return r == 1; |
3853 |
return r == 1; |
3683 |
} |
3854 |
} |
Lines 3688-3694
Link Here
|
3688 |
|
3859 |
|
3689 |
CipherBase* cipher; |
3860 |
CipherBase* cipher; |
3690 |
ASSIGN_OR_RETURN_UNWRAP(&cipher, args.Holder()); |
3861 |
ASSIGN_OR_RETURN_UNWRAP(&cipher, args.Holder()); |
3691 |
if (!cipher->initialised_) return env->ThrowError("Unsupported state"); |
3862 |
if (!cipher->ctx_) return env->ThrowError("Unsupported state"); |
3692 |
|
3863 |
|
3693 |
unsigned char* out_value = nullptr; |
3864 |
unsigned char* out_value = nullptr; |
3694 |
int out_len = -1; |
3865 |
int out_len = -1; |
Lines 3720-3725
Link Here
|
3720 |
} |
3891 |
} |
3721 |
|
3892 |
|
3722 |
|
3893 |
|
|
|
3894 |
Hmac::~Hmac() { |
3895 |
HMAC_CTX_free(ctx_); |
3896 |
} |
3897 |
|
3898 |
|
3723 |
void Hmac::Initialize(Environment* env, v8::Local<v8::Object> target) { |
3899 |
void Hmac::Initialize(Environment* env, v8::Local<v8::Object> target) { |
3724 |
Local<FunctionTemplate> t = env->NewFunctionTemplate(New); |
3900 |
Local<FunctionTemplate> t = env->NewFunctionTemplate(New); |
3725 |
|
3901 |
|
Lines 3747-3760
Link Here
|
3747 |
if (md == nullptr) { |
3923 |
if (md == nullptr) { |
3748 |
return env()->ThrowError("Unknown message digest"); |
3924 |
return env()->ThrowError("Unknown message digest"); |
3749 |
} |
3925 |
} |
3750 |
HMAC_CTX_init(&ctx_); |
|
|
3751 |
if (key_len == 0) { |
3926 |
if (key_len == 0) { |
3752 |
key = ""; |
3927 |
key = ""; |
3753 |
} |
3928 |
} |
3754 |
if (!HMAC_Init_ex(&ctx_, key, key_len, md, nullptr)) { |
3929 |
ctx_ = HMAC_CTX_new(); |
|
|
3930 |
if (ctx_ == nullptr || |
3931 |
!HMAC_Init_ex(ctx_, key, key_len, md, nullptr)) { |
3932 |
HMAC_CTX_free(ctx_); |
3933 |
ctx_ = nullptr; |
3755 |
return ThrowCryptoError(env(), ERR_get_error()); |
3934 |
return ThrowCryptoError(env(), ERR_get_error()); |
3756 |
} |
3935 |
} |
3757 |
initialised_ = true; |
|
|
3758 |
} |
3936 |
} |
3759 |
|
3937 |
|
3760 |
|
3938 |
|
Lines 3778-3786
Link Here
|
3778 |
|
3956 |
|
3779 |
|
3957 |
|
3780 |
bool Hmac::HmacUpdate(const char* data, int len) { |
3958 |
bool Hmac::HmacUpdate(const char* data, int len) { |
3781 |
if (!initialised_) |
3959 |
if (!ctx_) |
3782 |
return false; |
3960 |
return false; |
3783 |
int r = HMAC_Update(&ctx_, reinterpret_cast<const unsigned char*>(data), len); |
3961 |
int r = HMAC_Update(ctx_, reinterpret_cast<const unsigned char*>(data), len); |
3784 |
return r == 1; |
3962 |
return r == 1; |
3785 |
} |
3963 |
} |
3786 |
|
3964 |
|
Lines 3831-3840
Link Here
|
3831 |
unsigned char md_value[EVP_MAX_MD_SIZE]; |
4009 |
unsigned char md_value[EVP_MAX_MD_SIZE]; |
3832 |
unsigned int md_len = 0; |
4010 |
unsigned int md_len = 0; |
3833 |
|
4011 |
|
3834 |
if (hmac->initialised_) { |
4012 |
if (hmac->ctx_) { |
3835 |
HMAC_Final(&hmac->ctx_, md_value, &md_len); |
4013 |
HMAC_Final(hmac->ctx_, md_value, &md_len); |
3836 |
HMAC_CTX_cleanup(&hmac->ctx_); |
4014 |
HMAC_CTX_free(hmac->ctx_); |
3837 |
hmac->initialised_ = false; |
4015 |
hmac->ctx_ = nullptr; |
3838 |
} |
4016 |
} |
3839 |
|
4017 |
|
3840 |
Local<Value> error; |
4018 |
Local<Value> error; |
Lines 3853-3858
Link Here
|
3853 |
} |
4031 |
} |
3854 |
|
4032 |
|
3855 |
|
4033 |
|
|
|
4034 |
Hash::~Hash() { |
4035 |
EVP_MD_CTX_free(mdctx_); |
4036 |
} |
4037 |
|
4038 |
|
3856 |
void Hash::Initialize(Environment* env, v8::Local<v8::Object> target) { |
4039 |
void Hash::Initialize(Environment* env, v8::Local<v8::Object> target) { |
3857 |
Local<FunctionTemplate> t = env->NewFunctionTemplate(New); |
4040 |
Local<FunctionTemplate> t = env->NewFunctionTemplate(New); |
3858 |
|
4041 |
|
Lines 3887-3906
Link Here
|
3887 |
const EVP_MD* md = EVP_get_digestbyname(hash_type); |
4070 |
const EVP_MD* md = EVP_get_digestbyname(hash_type); |
3888 |
if (md == nullptr) |
4071 |
if (md == nullptr) |
3889 |
return false; |
4072 |
return false; |
3890 |
EVP_MD_CTX_init(&mdctx_); |
4073 |
mdctx_ = EVP_MD_CTX_new(); |
3891 |
if (EVP_DigestInit_ex(&mdctx_, md, nullptr) <= 0) { |
4074 |
if (mdctx_ == nullptr || |
|
|
4075 |
EVP_DigestInit_ex(mdctx_, md, nullptr) <= 0) { |
4076 |
EVP_MD_CTX_free(mdctx_); |
4077 |
mdctx_ = nullptr; |
3892 |
return false; |
4078 |
return false; |
3893 |
} |
4079 |
} |
3894 |
initialised_ = true; |
|
|
3895 |
finalized_ = false; |
4080 |
finalized_ = false; |
3896 |
return true; |
4081 |
return true; |
3897 |
} |
4082 |
} |
3898 |
|
4083 |
|
3899 |
|
4084 |
|
3900 |
bool Hash::HashUpdate(const char* data, int len) { |
4085 |
bool Hash::HashUpdate(const char* data, int len) { |
3901 |
if (!initialised_) |
4086 |
if (!mdctx_) |
3902 |
return false; |
4087 |
return false; |
3903 |
EVP_DigestUpdate(&mdctx_, data, len); |
4088 |
EVP_DigestUpdate(mdctx_, data, len); |
3904 |
return true; |
4089 |
return true; |
3905 |
} |
4090 |
} |
3906 |
|
4091 |
|
Lines 3965-3972
Link Here
|
3965 |
unsigned char md_value[EVP_MAX_MD_SIZE]; |
4150 |
unsigned char md_value[EVP_MAX_MD_SIZE]; |
3966 |
unsigned int md_len; |
4151 |
unsigned int md_len; |
3967 |
|
4152 |
|
3968 |
EVP_DigestFinal_ex(&hash->mdctx_, md_value, &md_len); |
4153 |
EVP_DigestFinal_ex(hash->mdctx_, md_value, &md_len); |
3969 |
EVP_MD_CTX_cleanup(&hash->mdctx_); |
|
|
3970 |
hash->finalized_ = true; |
4154 |
hash->finalized_ = true; |
3971 |
|
4155 |
|
3972 |
Local<Value> error; |
4156 |
Local<Value> error; |
Lines 3985-3990
Link Here
|
3985 |
} |
4169 |
} |
3986 |
|
4170 |
|
3987 |
|
4171 |
|
|
|
4172 |
SignBase::~SignBase() { |
4173 |
EVP_MD_CTX_free(mdctx_); |
4174 |
} |
4175 |
|
4176 |
|
4177 |
SignBase::Error SignBase::Init(const char* sign_type) { |
4178 |
CHECK_EQ(mdctx_, nullptr); |
4179 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L |
4180 |
// Historically, "dss1" and "DSS1" were DSA aliases for SHA-1 |
4181 |
// exposed through the public API. |
4182 |
if (strcmp(sign_type, "dss1") == 0 || |
4183 |
strcmp(sign_type, "DSS1") == 0) { |
4184 |
sign_type = "SHA1"; |
4185 |
} |
4186 |
#endif |
4187 |
const EVP_MD* md = EVP_get_digestbyname(sign_type); |
4188 |
if (md == nullptr) |
4189 |
return kSignUnknownDigest; |
4190 |
|
4191 |
mdctx_ = EVP_MD_CTX_new(); |
4192 |
if (mdctx_ == nullptr || |
4193 |
!EVP_DigestInit_ex(mdctx_, md, nullptr)) { |
4194 |
EVP_MD_CTX_free(mdctx_); |
4195 |
mdctx_ = nullptr; |
4196 |
return kSignInit; |
4197 |
} |
4198 |
|
4199 |
return kSignOk; |
4200 |
} |
4201 |
|
4202 |
|
4203 |
SignBase::Error SignBase::Update(const char* data, int len) { |
4204 |
if (!mdctx_) |
4205 |
return kSignNotInitialised; |
4206 |
if (!EVP_DigestUpdate(mdctx_, data, len)) |
4207 |
return kSignUpdate; |
4208 |
return kSignOk; |
4209 |
} |
4210 |
|
4211 |
|
3988 |
void SignBase::CheckThrow(SignBase::Error error) { |
4212 |
void SignBase::CheckThrow(SignBase::Error error) { |
3989 |
HandleScope scope(env()->isolate()); |
4213 |
HandleScope scope(env()->isolate()); |
3990 |
|
4214 |
|
Lines 4058-4078
Link Here
|
4058 |
} |
4282 |
} |
4059 |
|
4283 |
|
4060 |
|
4284 |
|
4061 |
SignBase::Error Sign::SignInit(const char* sign_type) { |
|
|
4062 |
CHECK_EQ(initialised_, false); |
4063 |
const EVP_MD* md = EVP_get_digestbyname(sign_type); |
4064 |
if (md == nullptr) |
4065 |
return kSignUnknownDigest; |
4066 |
|
4067 |
EVP_MD_CTX_init(&mdctx_); |
4068 |
if (!EVP_DigestInit_ex(&mdctx_, md, nullptr)) |
4069 |
return kSignInit; |
4070 |
initialised_ = true; |
4071 |
|
4072 |
return kSignOk; |
4073 |
} |
4074 |
|
4075 |
|
4076 |
void Sign::SignInit(const FunctionCallbackInfo<Value>& args) { |
4285 |
void Sign::SignInit(const FunctionCallbackInfo<Value>& args) { |
4077 |
Sign* sign; |
4286 |
Sign* sign; |
4078 |
ASSIGN_OR_RETURN_UNWRAP(&sign, args.Holder()); |
4287 |
ASSIGN_OR_RETURN_UNWRAP(&sign, args.Holder()); |
Lines 4085-4100
Link Here
|
4085 |
THROW_AND_RETURN_IF_NOT_STRING(args[0], "Sign type"); |
4294 |
THROW_AND_RETURN_IF_NOT_STRING(args[0], "Sign type"); |
4086 |
|
4295 |
|
4087 |
const node::Utf8Value sign_type(args.GetIsolate(), args[0]); |
4296 |
const node::Utf8Value sign_type(args.GetIsolate(), args[0]); |
4088 |
sign->CheckThrow(sign->SignInit(*sign_type)); |
4297 |
sign->CheckThrow(sign->Init(*sign_type)); |
4089 |
} |
|
|
4090 |
|
4091 |
|
4092 |
SignBase::Error Sign::SignUpdate(const char* data, int len) { |
4093 |
if (!initialised_) |
4094 |
return kSignNotInitialised; |
4095 |
if (!EVP_DigestUpdate(&mdctx_, data, len)) |
4096 |
return kSignUpdate; |
4097 |
return kSignOk; |
4098 |
} |
4298 |
} |
4099 |
|
4299 |
|
4100 |
|
4300 |
|
Lines 4112-4122
Link Here
|
4112 |
StringBytes::InlineDecoder decoder; |
4312 |
StringBytes::InlineDecoder decoder; |
4113 |
if (!decoder.Decode(env, args[0].As<String>(), args[1], UTF8)) |
4313 |
if (!decoder.Decode(env, args[0].As<String>(), args[1], UTF8)) |
4114 |
return; |
4314 |
return; |
4115 |
err = sign->SignUpdate(decoder.out(), decoder.size()); |
4315 |
err = sign->Update(decoder.out(), decoder.size()); |
4116 |
} else { |
4316 |
} else { |
4117 |
char* buf = Buffer::Data(args[0]); |
4317 |
char* buf = Buffer::Data(args[0]); |
4118 |
size_t buflen = Buffer::Length(args[0]); |
4318 |
size_t buflen = Buffer::Length(args[0]); |
4119 |
err = sign->SignUpdate(buf, buflen); |
4319 |
err = sign->Update(buf, buflen); |
4120 |
} |
4320 |
} |
4121 |
|
4321 |
|
4122 |
sign->CheckThrow(err); |
4322 |
sign->CheckThrow(err); |
Lines 4160-4166
Link Here
|
4160 |
unsigned int* sig_len, |
4360 |
unsigned int* sig_len, |
4161 |
int padding, |
4361 |
int padding, |
4162 |
int salt_len) { |
4362 |
int salt_len) { |
4163 |
if (!initialised_) |
4363 |
if (!mdctx_) |
4164 |
return kSignNotInitialised; |
4364 |
return kSignNotInitialised; |
4165 |
|
4365 |
|
4166 |
BIO* bp = nullptr; |
4366 |
BIO* bp = nullptr; |
Lines 4205-4222
Link Here
|
4205 |
} |
4405 |
} |
4206 |
#endif // NODE_FIPS_MODE |
4406 |
#endif // NODE_FIPS_MODE |
4207 |
|
4407 |
|
4208 |
if (Node_SignFinal(&mdctx_, sig, sig_len, pkey, padding, salt_len)) |
4408 |
if (Node_SignFinal(mdctx_, sig, sig_len, pkey, padding, salt_len)) |
4209 |
fatal = false; |
4409 |
fatal = false; |
4210 |
|
4410 |
|
4211 |
initialised_ = false; |
|
|
4212 |
|
4213 |
exit: |
4411 |
exit: |
4214 |
if (pkey != nullptr) |
4412 |
if (pkey != nullptr) |
4215 |
EVP_PKEY_free(pkey); |
4413 |
EVP_PKEY_free(pkey); |
4216 |
if (bp != nullptr) |
4414 |
if (bp != nullptr) |
4217 |
BIO_free_all(bp); |
4415 |
BIO_free_all(bp); |
4218 |
|
4416 |
|
4219 |
EVP_MD_CTX_cleanup(&mdctx_); |
4417 |
EVP_MD_CTX_free(mdctx_); |
|
|
4418 |
mdctx_ = nullptr; |
4220 |
|
4419 |
|
4221 |
if (fatal) |
4420 |
if (fatal) |
4222 |
return kSignPrivateKey; |
4421 |
return kSignPrivateKey; |
Lines 4291-4311
Link Here
|
4291 |
} |
4490 |
} |
4292 |
|
4491 |
|
4293 |
|
4492 |
|
4294 |
SignBase::Error Verify::VerifyInit(const char* verify_type) { |
|
|
4295 |
CHECK_EQ(initialised_, false); |
4296 |
const EVP_MD* md = EVP_get_digestbyname(verify_type); |
4297 |
if (md == nullptr) |
4298 |
return kSignUnknownDigest; |
4299 |
|
4300 |
EVP_MD_CTX_init(&mdctx_); |
4301 |
if (!EVP_DigestInit_ex(&mdctx_, md, nullptr)) |
4302 |
return kSignInit; |
4303 |
initialised_ = true; |
4304 |
|
4305 |
return kSignOk; |
4306 |
} |
4307 |
|
4308 |
|
4309 |
void Verify::VerifyInit(const FunctionCallbackInfo<Value>& args) { |
4493 |
void Verify::VerifyInit(const FunctionCallbackInfo<Value>& args) { |
4310 |
Verify* verify; |
4494 |
Verify* verify; |
4311 |
ASSIGN_OR_RETURN_UNWRAP(&verify, args.Holder()); |
4495 |
ASSIGN_OR_RETURN_UNWRAP(&verify, args.Holder()); |
Lines 4318-4335
Link Here
|
4318 |
THROW_AND_RETURN_IF_NOT_STRING(args[0], "Verify type"); |
4502 |
THROW_AND_RETURN_IF_NOT_STRING(args[0], "Verify type"); |
4319 |
|
4503 |
|
4320 |
const node::Utf8Value verify_type(args.GetIsolate(), args[0]); |
4504 |
const node::Utf8Value verify_type(args.GetIsolate(), args[0]); |
4321 |
verify->CheckThrow(verify->VerifyInit(*verify_type)); |
4505 |
verify->CheckThrow(verify->Init(*verify_type)); |
4322 |
} |
|
|
4323 |
|
4324 |
|
4325 |
SignBase::Error Verify::VerifyUpdate(const char* data, int len) { |
4326 |
if (!initialised_) |
4327 |
return kSignNotInitialised; |
4328 |
|
4329 |
if (!EVP_DigestUpdate(&mdctx_, data, len)) |
4330 |
return kSignUpdate; |
4331 |
|
4332 |
return kSignOk; |
4333 |
} |
4506 |
} |
4334 |
|
4507 |
|
4335 |
|
4508 |
|
Lines 4347-4357
Link Here
|
4347 |
StringBytes::InlineDecoder decoder; |
4520 |
StringBytes::InlineDecoder decoder; |
4348 |
if (!decoder.Decode(env, args[0].As<String>(), args[1], UTF8)) |
4521 |
if (!decoder.Decode(env, args[0].As<String>(), args[1], UTF8)) |
4349 |
return; |
4522 |
return; |
4350 |
err = verify->VerifyUpdate(decoder.out(), decoder.size()); |
4523 |
err = verify->Update(decoder.out(), decoder.size()); |
4351 |
} else { |
4524 |
} else { |
4352 |
char* buf = Buffer::Data(args[0]); |
4525 |
char* buf = Buffer::Data(args[0]); |
4353 |
size_t buflen = Buffer::Length(args[0]); |
4526 |
size_t buflen = Buffer::Length(args[0]); |
4354 |
err = verify->VerifyUpdate(buf, buflen); |
4527 |
err = verify->Update(buf, buflen); |
4355 |
} |
4528 |
} |
4356 |
|
4529 |
|
4357 |
verify->CheckThrow(err); |
4530 |
verify->CheckThrow(err); |
Lines 4365-4371
Link Here
|
4365 |
int padding, |
4538 |
int padding, |
4366 |
int saltlen, |
4539 |
int saltlen, |
4367 |
bool* verify_result) { |
4540 |
bool* verify_result) { |
4368 |
if (!initialised_) |
4541 |
if (!mdctx_) |
4369 |
return kSignNotInitialised; |
4542 |
return kSignNotInitialised; |
4370 |
|
4543 |
|
4371 |
EVP_PKEY* pkey = nullptr; |
4544 |
EVP_PKEY* pkey = nullptr; |
Lines 4410-4416
Link Here
|
4410 |
goto exit; |
4583 |
goto exit; |
4411 |
} |
4584 |
} |
4412 |
|
4585 |
|
4413 |
if (!EVP_DigestFinal_ex(&mdctx_, m, &m_len)) { |
4586 |
if (!EVP_DigestFinal_ex(mdctx_, m, &m_len)) { |
4414 |
goto exit; |
4587 |
goto exit; |
4415 |
} |
4588 |
} |
4416 |
|
4589 |
|
Lines 4423-4429
Link Here
|
4423 |
goto err; |
4596 |
goto err; |
4424 |
if (!ApplyRSAOptions(pkey, pkctx, padding, saltlen)) |
4597 |
if (!ApplyRSAOptions(pkey, pkctx, padding, saltlen)) |
4425 |
goto err; |
4598 |
goto err; |
4426 |
if (EVP_PKEY_CTX_set_signature_md(pkctx, mdctx_.digest) <= 0) |
4599 |
if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(mdctx_)) <= 0) |
4427 |
goto err; |
4600 |
goto err; |
4428 |
r = EVP_PKEY_verify(pkctx, |
4601 |
r = EVP_PKEY_verify(pkctx, |
4429 |
reinterpret_cast<const unsigned char*>(sig), |
4602 |
reinterpret_cast<const unsigned char*>(sig), |
Lines 4442-4449
Link Here
|
4442 |
if (x509 != nullptr) |
4615 |
if (x509 != nullptr) |
4443 |
X509_free(x509); |
4616 |
X509_free(x509); |
4444 |
|
4617 |
|
4445 |
EVP_MD_CTX_cleanup(&mdctx_); |
4618 |
EVP_MD_CTX_free(mdctx_); |
4446 |
initialised_ = false; |
4619 |
mdctx_ = nullptr; |
4447 |
|
4620 |
|
4448 |
if (fatal) |
4621 |
if (fatal) |
4449 |
return kSignPublicKey; |
4622 |
return kSignPublicKey; |
Lines 4695-4704
Link Here
|
4695 |
|
4868 |
|
4696 |
bool DiffieHellman::Init(const char* p, int p_len, int g) { |
4869 |
bool DiffieHellman::Init(const char* p, int p_len, int g) { |
4697 |
dh = DH_new(); |
4870 |
dh = DH_new(); |
4698 |
dh->p = BN_bin2bn(reinterpret_cast<const unsigned char*>(p), p_len, 0); |
4871 |
BIGNUM* bn_p = |
4699 |
dh->g = BN_new(); |
4872 |
BN_bin2bn(reinterpret_cast<const unsigned char*>(p), p_len, nullptr); |
4700 |
if (!BN_set_word(dh->g, g)) |
4873 |
BIGNUM* bn_g = BN_new(); |
|
|
4874 |
if (!BN_set_word(bn_g, g) || |
4875 |
!DH_set0_pqg(dh, bn_p, nullptr, bn_g)) { |
4876 |
BN_free(bn_p); |
4877 |
BN_free(bn_g); |
4701 |
return false; |
4878 |
return false; |
|
|
4879 |
} |
4702 |
bool result = VerifyContext(); |
4880 |
bool result = VerifyContext(); |
4703 |
if (!result) |
4881 |
if (!result) |
4704 |
return false; |
4882 |
return false; |
Lines 4709-4716
Link Here
|
4709 |
|
4887 |
|
4710 |
bool DiffieHellman::Init(const char* p, int p_len, const char* g, int g_len) { |
4888 |
bool DiffieHellman::Init(const char* p, int p_len, const char* g, int g_len) { |
4711 |
dh = DH_new(); |
4889 |
dh = DH_new(); |
4712 |
dh->p = BN_bin2bn(reinterpret_cast<const unsigned char*>(p), p_len, 0); |
4890 |
BIGNUM *bn_p = BN_bin2bn(reinterpret_cast<const unsigned char*>(p), p_len, 0); |
4713 |
dh->g = BN_bin2bn(reinterpret_cast<const unsigned char*>(g), g_len, 0); |
4891 |
BIGNUM *bn_g = BN_bin2bn(reinterpret_cast<const unsigned char*>(g), g_len, 0); |
|
|
4892 |
if (!DH_set0_pqg(dh, bn_p, nullptr, bn_g)) { |
4893 |
BN_free(bn_p); |
4894 |
BN_free(bn_g); |
4895 |
return false; |
4896 |
} |
4714 |
bool result = VerifyContext(); |
4897 |
bool result = VerifyContext(); |
4715 |
if (!result) |
4898 |
if (!result) |
4716 |
return false; |
4899 |
return false; |
Lines 4798-4819
Link Here
|
4798 |
return ThrowCryptoError(env, ERR_get_error(), "Key generation failed"); |
4981 |
return ThrowCryptoError(env, ERR_get_error(), "Key generation failed"); |
4799 |
} |
4982 |
} |
4800 |
|
4983 |
|
4801 |
size_t size = BN_num_bytes(diffieHellman->dh->pub_key); |
4984 |
const BIGNUM* pub_key; |
|
|
4985 |
DH_get0_key(diffieHellman->dh, &pub_key, nullptr); |
4986 |
size_t size = BN_num_bytes(pub_key); |
4802 |
char* data = Malloc(size); |
4987 |
char* data = Malloc(size); |
4803 |
BN_bn2bin(diffieHellman->dh->pub_key, reinterpret_cast<unsigned char*>(data)); |
4988 |
BN_bn2bin(pub_key, reinterpret_cast<unsigned char*>(data)); |
4804 |
args.GetReturnValue().Set(Buffer::New(env, data, size).ToLocalChecked()); |
4989 |
args.GetReturnValue().Set(Buffer::New(env, data, size).ToLocalChecked()); |
4805 |
} |
4990 |
} |
4806 |
|
4991 |
|
4807 |
|
4992 |
|
4808 |
void DiffieHellman::GetField(const FunctionCallbackInfo<Value>& args, |
4993 |
void DiffieHellman::GetField(const FunctionCallbackInfo<Value>& args, |
4809 |
BIGNUM* (DH::*field), const char* err_if_null) { |
4994 |
const BIGNUM* (*get_field)(const DH*), |
|
|
4995 |
const char* err_if_null) { |
4810 |
Environment* env = Environment::GetCurrent(args); |
4996 |
Environment* env = Environment::GetCurrent(args); |
4811 |
|
4997 |
|
4812 |
DiffieHellman* dh; |
4998 |
DiffieHellman* dh; |
4813 |
ASSIGN_OR_RETURN_UNWRAP(&dh, args.Holder()); |
4999 |
ASSIGN_OR_RETURN_UNWRAP(&dh, args.Holder()); |
4814 |
if (!dh->initialised_) return env->ThrowError("Not initialized"); |
5000 |
if (!dh->initialised_) return env->ThrowError("Not initialized"); |
4815 |
|
5001 |
|
4816 |
const BIGNUM* num = (dh->dh)->*field; |
5002 |
const BIGNUM* num = get_field(dh->dh); |
4817 |
if (num == nullptr) return env->ThrowError(err_if_null); |
5003 |
if (num == nullptr) return env->ThrowError(err_if_null); |
4818 |
|
5004 |
|
4819 |
size_t size = BN_num_bytes(num); |
5005 |
size_t size = BN_num_bytes(num); |
Lines 4823-4846
Link Here
|
4823 |
} |
5009 |
} |
4824 |
|
5010 |
|
4825 |
void DiffieHellman::GetPrime(const FunctionCallbackInfo<Value>& args) { |
5011 |
void DiffieHellman::GetPrime(const FunctionCallbackInfo<Value>& args) { |
4826 |
GetField(args, &DH::p, "p is null"); |
5012 |
GetField(args, [](const DH* dh) -> const BIGNUM* { |
|
|
5013 |
const BIGNUM* p; |
5014 |
DH_get0_pqg(dh, &p, nullptr, nullptr); |
5015 |
return p; |
5016 |
}, "p is null"); |
4827 |
} |
5017 |
} |
4828 |
|
5018 |
|
4829 |
|
5019 |
|
4830 |
void DiffieHellman::GetGenerator(const FunctionCallbackInfo<Value>& args) { |
5020 |
void DiffieHellman::GetGenerator(const FunctionCallbackInfo<Value>& args) { |
4831 |
GetField(args, &DH::g, "g is null"); |
5021 |
GetField(args, [](const DH* dh) -> const BIGNUM* { |
|
|
5022 |
const BIGNUM* g; |
5023 |
DH_get0_pqg(dh, nullptr, nullptr, &g); |
5024 |
return g; |
5025 |
}, "g is null"); |
4832 |
} |
5026 |
} |
4833 |
|
5027 |
|
4834 |
|
5028 |
|
4835 |
void DiffieHellman::GetPublicKey(const FunctionCallbackInfo<Value>& args) { |
5029 |
void DiffieHellman::GetPublicKey(const FunctionCallbackInfo<Value>& args) { |
4836 |
GetField(args, &DH::pub_key, |
5030 |
GetField(args, [](const DH* dh) -> const BIGNUM* { |
4837 |
"No public key - did you forget to generate one?"); |
5031 |
const BIGNUM* pub_key; |
|
|
5032 |
DH_get0_key(dh, &pub_key, nullptr); |
5033 |
return pub_key; |
5034 |
}, "No public key - did you forget to generate one?"); |
4838 |
} |
5035 |
} |
4839 |
|
5036 |
|
4840 |
|
5037 |
|
4841 |
void DiffieHellman::GetPrivateKey(const FunctionCallbackInfo<Value>& args) { |
5038 |
void DiffieHellman::GetPrivateKey(const FunctionCallbackInfo<Value>& args) { |
4842 |
GetField(args, &DH::priv_key, |
5039 |
GetField(args, [](const DH* dh) -> const BIGNUM* { |
4843 |
"No private key - did you forget to generate one?"); |
5040 |
const BIGNUM* priv_key; |
|
|
5041 |
DH_get0_key(dh, nullptr, &priv_key); |
5042 |
return priv_key; |
5043 |
}, "No private key - did you forget to generate one?"); |
4844 |
} |
5044 |
} |
4845 |
|
5045 |
|
4846 |
|
5046 |
|
Lines 4916-4931
Link Here
|
4916 |
args.GetReturnValue().Set(rc); |
5116 |
args.GetReturnValue().Set(rc); |
4917 |
} |
5117 |
} |
4918 |
|
5118 |
|
4919 |
|
|
|
4920 |
void DiffieHellman::SetKey(const v8::FunctionCallbackInfo<v8::Value>& args, |
5119 |
void DiffieHellman::SetKey(const v8::FunctionCallbackInfo<v8::Value>& args, |
4921 |
BIGNUM* (DH::*field), const char* what) { |
5120 |
void (*set_field)(DH*, BIGNUM*), const char* what) { |
4922 |
Environment* env = Environment::GetCurrent(args); |
5121 |
Environment* env = Environment::GetCurrent(args); |
4923 |
|
5122 |
|
4924 |
DiffieHellman* dh; |
5123 |
DiffieHellman* dh; |
4925 |
ASSIGN_OR_RETURN_UNWRAP(&dh, args.Holder()); |
5124 |
ASSIGN_OR_RETURN_UNWRAP(&dh, args.Holder()); |
4926 |
if (!dh->initialised_) return env->ThrowError("Not initialized"); |
5125 |
if (!dh->initialised_) return env->ThrowError("Not initialized"); |
4927 |
|
5126 |
|
4928 |
BIGNUM** num = &((dh->dh)->*field); |
|
|
4929 |
char errmsg[64]; |
5127 |
char errmsg[64]; |
4930 |
|
5128 |
|
4931 |
if (args.Length() == 0) { |
5129 |
if (args.Length() == 0) { |
Lines 4938-4956
Link Here
|
4938 |
return env->ThrowTypeError(errmsg); |
5136 |
return env->ThrowTypeError(errmsg); |
4939 |
} |
5137 |
} |
4940 |
|
5138 |
|
4941 |
*num = BN_bin2bn(reinterpret_cast<unsigned char*>(Buffer::Data(args[0])), |
5139 |
BIGNUM* num = |
4942 |
Buffer::Length(args[0]), *num); |
5140 |
BN_bin2bn(reinterpret_cast<unsigned char*>(Buffer::Data(args[0])), |
4943 |
CHECK_NE(*num, nullptr); |
5141 |
Buffer::Length(args[0]), nullptr); |
|
|
5142 |
CHECK_NE(num, nullptr); |
5143 |
set_field(dh->dh, num); |
4944 |
} |
5144 |
} |
4945 |
|
5145 |
|
4946 |
|
5146 |
|
4947 |
void DiffieHellman::SetPublicKey(const FunctionCallbackInfo<Value>& args) { |
5147 |
void DiffieHellman::SetPublicKey(const FunctionCallbackInfo<Value>& args) { |
4948 |
SetKey(args, &DH::pub_key, "Public key"); |
5148 |
SetKey(args, [](DH* dh, BIGNUM* num) { DH_set0_key(dh, num, nullptr); }, |
|
|
5149 |
"Public key"); |
4949 |
} |
5150 |
} |
4950 |
|
5151 |
|
4951 |
|
|
|
4952 |
void DiffieHellman::SetPrivateKey(const FunctionCallbackInfo<Value>& args) { |
5152 |
void DiffieHellman::SetPrivateKey(const FunctionCallbackInfo<Value>& args) { |
4953 |
SetKey(args, &DH::priv_key, "Private key"); |
5153 |
#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ |
|
|
5154 |
OPENSSL_VERSION_NUMBER < 0x10100070L |
5155 |
// Older versions of OpenSSL 1.1.0 have a DH_set0_key which does not work for |
5156 |
// Node. See https://github.com/openssl/openssl/pull/4384. |
5157 |
#error "OpenSSL 1.1.0 revisions before 1.1.0g are not supported" |
5158 |
#endif |
5159 |
SetKey(args, [](DH* dh, BIGNUM* num) { DH_set0_key(dh, nullptr, num); }, |
5160 |
"Private key"); |
4954 |
} |
5161 |
} |
4955 |
|
5162 |
|
4956 |
|
5163 |
|
Lines 5738-5744
Link Here
|
5738 |
void GetSSLCiphers(const FunctionCallbackInfo<Value>& args) { |
5945 |
void GetSSLCiphers(const FunctionCallbackInfo<Value>& args) { |
5739 |
Environment* env = Environment::GetCurrent(args); |
5946 |
Environment* env = Environment::GetCurrent(args); |
5740 |
|
5947 |
|
5741 |
SSL_CTX* ctx = SSL_CTX_new(TLSv1_server_method()); |
5948 |
SSL_CTX* ctx = SSL_CTX_new(TLS_method()); |
5742 |
if (ctx == nullptr) { |
5949 |
if (ctx == nullptr) { |
5743 |
return env->ThrowError("SSL_CTX_new() failed."); |
5950 |
return env->ThrowError("SSL_CTX_new() failed."); |
5744 |
} |
5951 |
} |
Lines 6028-6036
Link Here
|
6028 |
SSL_library_init(); |
6235 |
SSL_library_init(); |
6029 |
OpenSSL_add_all_algorithms(); |
6236 |
OpenSSL_add_all_algorithms(); |
6030 |
|
6237 |
|
|
|
6238 |
#if OPENSSL_VERSION_NUMBER < 0x10100000L |
6031 |
crypto_lock_init(); |
6239 |
crypto_lock_init(); |
6032 |
CRYPTO_set_locking_callback(crypto_lock_cb); |
6240 |
CRYPTO_set_locking_callback(crypto_lock_cb); |
6033 |
CRYPTO_THREADID_set_callback(crypto_threadid_cb); |
6241 |
CRYPTO_THREADID_set_callback(crypto_threadid_cb); |
|
|
6242 |
#endif |
6034 |
|
6243 |
|
6035 |
#ifdef NODE_FIPS_MODE |
6244 |
#ifdef NODE_FIPS_MODE |
6036 |
/* Override FIPS settings in cnf file, if needed. */ |
6245 |
/* Override FIPS settings in cnf file, if needed. */ |