From ecc7511cd622821e95ee7386a0f308c568791127 Mon Sep 17 00:00:00 2001 From: Shelley Vohr Date: Fri, 14 May 2021 13:53:29 +0200 Subject: [PATCH] crypto: implement randomuuid https://github.com/nodejs/node/pull/36729 --- ...ment_out_incompatible_crypto_modules.patch | 2 +- .../fix_use_crypto_impls_for_compat.patch | 35 ++++++++++++++++--- 2 files changed, 32 insertions(+), 5 deletions(-) diff --git a/patches/node/fix_comment_out_incompatible_crypto_modules.patch b/patches/node/fix_comment_out_incompatible_crypto_modules.patch index abcf45a0bd3a6..7600e74b402d1 100644 --- a/patches/node/fix_comment_out_incompatible_crypto_modules.patch +++ b/patches/node/fix_comment_out_incompatible_crypto_modules.patch @@ -9,7 +9,7 @@ with what's exposed through BoringSSL. I plan to upstream parts of this or otherwise introduce shims to reduce friction. diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index c0baf86802a67f00830c81d325f448bcea7d4e40..c2fd0f94eeb1aeaecdb18e80268ef1fb84c5c8c2 100644 +index c119b2314f18d1710bb3cbf1910c86ff994ec951..58554799b50097972405e40f593d089236bca961 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -5207,11 +5207,11 @@ bool DiffieHellman::Init(int primeLength, int g) { diff --git a/patches/node/fix_use_crypto_impls_for_compat.patch b/patches/node/fix_use_crypto_impls_for_compat.patch index 2a14b777cec4a..ebbf624f884f8 100644 --- a/patches/node/fix_use_crypto_impls_for_compat.patch +++ b/patches/node/fix_use_crypto_impls_for_compat.patch @@ -3,12 +3,21 @@ From: Shelley Vohr Date: Wed, 12 Feb 2020 15:08:04 -0800 Subject: fix: use crypto impls for compat -BoringSSL does not export DSA_get0_q. This patch works around that problem -by using the implementations of those functions as found in the OpenSSL repo. -I plan to try and upstream a version of this. +BoringSSL does not export DSA_get0_q, OPENSSL_secure_malloc, or +OPENSSL_secure_clear_free. + +This patch works around the DSA_get0_q problem by using the +implementations of that function as found in the OpenSSL repo. + +Node.js added the malloc/free incompatibilities in https://github.com/nodejs/node/pull/36729 +though they don't use secure heap at the moment. This makes it equivalent +to swap these out with OPENSSL_malloc and OPENSSL_clear_free at present. +We can revisit this once that happens and determine a more mutually +compatible path forward either by upstreaming a shim to BoringSSL or +adapting Node.js. diff --git a/src/node_crypto.cc b/src/node_crypto.cc -index 79e781fb3e6ec63334c2c5d4b24d2a6049be79fc..c0baf86802a67f00830c81d325f448bcea7d4e40 100644 +index 79e781fb3e6ec63334c2c5d4b24d2a6049be79fc..c119b2314f18d1710bb3cbf1910c86ff994ec951 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -4574,7 +4574,7 @@ static unsigned int GetBytesOfRS(const ManagedEVPPKey& pkey) { @@ -20,3 +29,21 @@ index 79e781fb3e6ec63334c2c5d4b24d2a6049be79fc..c0baf86802a67f00830c81d325f448bc } else if (base_id == EVP_PKEY_EC) { EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get()); const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key); +@@ -6949,7 +6949,7 @@ void SecureBuffer(const FunctionCallbackInfo& args) { + CHECK(args[0]->IsUint32()); + Environment* env = Environment::GetCurrent(args); + uint32_t len = args[0].As()->Value(); +- char* data = static_cast(OPENSSL_secure_malloc(len)); ++ char* data = static_cast(OPENSSL_malloc(len)); + if (data == nullptr) { + // There's no memory available for the allocation. + // Return nothing. +@@ -6961,7 +6961,7 @@ void SecureBuffer(const FunctionCallbackInfo& args) { + data, + len, + [](void* data, size_t len, void* deleter_data) { +- OPENSSL_secure_clear_free(data, len); ++ OPENSSL_clear_free(data, len); + }, + data); + Local buffer = ArrayBuffer::New(env->isolate(), store);