crypto: add RSA-PSS params to asymmetricKeyDetails

nodejs/node#39851
electron · Sep 8, 2021 · 126464f · 126464f
1 parent 5086c5b
commit 126464f
Show file tree

Hide file tree

Showing 3 changed files with 56 additions and 0 deletions.
diff --git a/patches/boringssl/.patches b/patches/boringssl/.patches
@@ -2,3 +2,4 @@ expose_ripemd160.patch
 expose_aes-cfb.patch
 expose_des-ede3.patch
 fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch
+add_maskhash_to_rsa_pss_params_st_for_compat.patch
diff --git a/patches/boringssl/add_maskhash_to_rsa_pss_params_st_for_compat.patch b/patches/boringssl/add_maskhash_to_rsa_pss_params_st_for_compat.patch
@@ -0,0 +1,26 @@
+From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
+From: Shelley Vohr <shelley.vohr@gmail.com>
+Date: Wed, 8 Sep 2021 10:59:51 +0200
+Subject: Add maskHash to rsa_pss_params_st for compat
+
+This CL adds a maskHash member to the rsa_pss_params_st struct for
+increased compatibility with OpenSSL.
+
+Node.js recently began to make use of this member in
+https://github.com/nodejs/node/pull/39851
+and without this member Electron sees compilation errors.
+
+Upstreamed at https://boringssl-review.googlesource.com/c/boringssl/+/49365
+
+diff --git a/include/openssl/x509.h b/include/openssl/x509.h
+index fa333ca057dd8e90a3e38c51db6269815de7b85f..0f4a6d79514739fb4c719f9e5b41db364e775417 100644
+--- a/include/openssl/x509.h
++++ b/include/openssl/x509.h
+@@ -1949,6 +1949,7 @@ typedef struct rsa_pss_params_st {
+   X509_ALGOR *maskGenAlgorithm;
+   ASN1_INTEGER *saltLength;
+   ASN1_INTEGER *trailerField;
++  X509_ALGOR *maskHash;
+ } RSA_PSS_PARAMS;
+
+ DECLARE_ASN1_FUNCTIONS(RSA_PSS_PARAMS)
diff --git a/patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch b/patches/node/fix_handle_boringssl_and_openssl_incompatibilities.patch
@@ -221,6 +221,35 @@ index 7cb4513f9ad0eaadd055b169520ae1e5073b7e2d..50a6663966cdb147a702df21240fa449
    if (!params->prime) {
      THROW_ERR_CRYPTO_OPERATION_FAILED(env, "could not generate prime");
      return Nothing<bool>();
+diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc
+index 1bbf9a1753e4e2d82c55c4187489c22867d1d9bb..585af1674e129dc4d1c918d29fe9915bac8b4163 100644
+--- a/src/crypto/crypto_rsa.cc
++++ b/src/crypto/crypto_rsa.cc
+@@ -566,7 +566,7 @@ Maybe<bool> GetRsaKeyDetail(
+     // In that case, RSA_get0_pss_params does not return nullptr but all fields
+     // of the returned RSA_PSS_PARAMS will be set to nullptr.
+
+-    const RSA_PSS_PARAMS* params = RSA_get0_pss_params(rsa);
++    const RSA_PSS_PARAMS* params = nullptr; // RSA_get0_pss_params(rsa);
+     if (params != nullptr) {
+       int hash_nid = NID_sha1;
+       int mgf_nid = NID_mgf1;
+@@ -607,10 +607,11 @@ Maybe<bool> GetRsaKeyDetail(
+       }
+
+       if (params->saltLength != nullptr) {
+-        if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) {
+-          ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error");
+-          return Nothing<bool>();
+-        }
++        // TODO(codebytere): Upstream a shim to BoringSSL?
++        // if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) {
++        //   ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error");
++        //   return Nothing<bool>();
++        // }
+       }
+
+       if (target
 diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc
 index 7846df17ffbe8b5ea3a685c46f73b5d28ad64b1f..2bf12b8b4a7e16adf9c1f58d72ae4f59a0b2b2a4 100644
 --- a/src/crypto/crypto_sig.cc