From 7466bd08707fce44c75de53f77747162490c76fe Mon Sep 17 00:00:00 2001 From: Jeremy Rose Date: Wed, 5 Jan 2022 13:11:02 -0800 Subject: [PATCH 1/6] feat: expose blowfish cipher family Closes #20238 --- patches/boringssl/.patches | 1 + .../boringssl/expose_blowfish_ciphers.patch | 47 +++++++++++++++++++ spec/node-spec.js | 6 +++ 3 files changed, 54 insertions(+) create mode 100644 patches/boringssl/expose_blowfish_ciphers.patch diff --git a/patches/boringssl/.patches b/patches/boringssl/.patches index a812a6b79a6dc..a6b762255d86e 100644 --- a/patches/boringssl/.patches +++ b/patches/boringssl/.patches @@ -2,3 +2,4 @@ expose_ripemd160.patch expose_aes-cfb.patch expose_des-ede3.patch fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch +expose_blowfish_ciphers.patch diff --git a/patches/boringssl/expose_blowfish_ciphers.patch b/patches/boringssl/expose_blowfish_ciphers.patch new file mode 100644 index 0000000000000..8378532f56676 --- /dev/null +++ b/patches/boringssl/expose_blowfish_ciphers.patch 
@@ -0,0 +1,47 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Jeremy Rose +Date: Wed, 5 Jan 2022 13:08:10 -0800 +Subject: expose blowfish ciphers + +This exposes the (decrepit) blowfish cipher family, bf-cbc, bf-cfb and +bf-ecb through the EVP interface. This adds references to decrepit code +from non-decrepit code, so upstream is unlikely to take the patch. + +diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c +index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..a040bee3de5187c9009a2d5bf3cb59d7f10d797a 100644 +--- a/crypto/cipher_extra/cipher_extra.c ++++ b/crypto/cipher_extra/cipher_extra.c +@@ -89,6 +89,9 @@ static const struct { + {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb}, + {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, + {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb}, ++ {NID_bf_cbc, "bf-cbc", EVP_bf_cbc}, ++ {NID_bf_cbc, "bf-cfb", EVP_bf_cfb}, ++ {NID_bf_cbc, "bf-ecb", EVP_bf_ecb}, + {NID_des_cbc, "des-cbc", EVP_des_cbc}, + {NID_des_ecb, "des-ecb", EVP_des_ecb}, + {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc}, +diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c +index 5e71420b765019edea82a33884ace539cd91bda5..43fc792697519325725e9ce87801c5dc176c70a1 100644 +--- a/decrepit/evp/evp_do_all.c ++++ b/decrepit/evp/evp_do_all.c +@@ -36,6 +36,9 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, + callback(EVP_aes_128_gcm(), "AES-128-GCM", NULL, arg); + callback(EVP_aes_192_gcm(), "AES-192-GCM", NULL, arg); + callback(EVP_aes_256_gcm(), "AES-256-GCM", NULL, arg); ++ callback(EVP_bf_cbc(), "BF-CBC", NULL, arg); ++ callback(EVP_bf_cfb(), "BF-CFB", NULL, arg); ++ callback(EVP_bf_ecb(), "BF-ECB", NULL, arg); + callback(EVP_des_cbc(), "DES-CBC", NULL, arg); + callback(EVP_des_ecb(), "DES-ECB", NULL, arg); + callback(EVP_des_ede(), "DES-EDE", NULL, arg); +@@ -63,6 +66,9 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, + 
callback(EVP_aes_128_gcm(), "aes-128-gcm", NULL, arg); + callback(EVP_aes_192_gcm(), "aes-192-gcm", NULL, arg); + callback(EVP_aes_256_gcm(), "aes-256-gcm", NULL, arg); ++ callback(EVP_bf_cbc(), "bf-cbc", NULL, arg); ++ callback(EVP_bf_cfb(), "bf-cfb", NULL, arg); ++ callback(EVP_bf_ecb(), "bf-ecb", NULL, arg); + callback(EVP_des_cbc(), "des-cbc", NULL, arg); + callback(EVP_des_ecb(), "des-ecb", NULL, arg); + callback(EVP_des_ede(), "des-ede", NULL, arg); diff --git a/spec/node-spec.js b/spec/node-spec.js index 7437143554a66..05af8764c08c6 100644 --- a/spec/node-spec.js +++ b/spec/node-spec.js @@ -396,6 +396,12 @@ describe('node feature', () => { require('crypto').createCipheriv('aes-256-cfb', '0123456789abcdef0123456789abcdef', '0123456789abcdef'); }); + it('should be able to create a bf-{cbc,cfb,ecb} ciphers', () => { + require('crypto').createCipheriv('bf-cbc', Buffer.from('0123456789abcdef'), Buffer.from('01234567')); + require('crypto').createCipheriv('bf-cfb', Buffer.from('0123456789abcdef'), Buffer.from('01234567')); + require('crypto').createCipheriv('bf-ecb', Buffer.from('0123456789abcdef'), Buffer.from('01234567')); + }); + it('should list des-ede-cbc in getCiphers', () => { expect(require('crypto').getCiphers()).to.include('des-ede-cbc'); }); From 9436329b2f0a4aea90819896955ef3c837ac6df3 Mon Sep 17 00:00:00 2001 From: Jeremy Rose Date: Thu, 6 Jan 2022 09:31:47 -0800 Subject: [PATCH 2/6] update build.gn --- patches/chromium/boringssl_build_gn.patch | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/patches/chromium/boringssl_build_gn.patch b/patches/chromium/boringssl_build_gn.patch index 62338330e98d4..6c7789e509db9 100644 --- a/patches/chromium/boringssl_build_gn.patch +++ b/patches/chromium/boringssl_build_gn.patch @@ -6,10 +6,10 @@ Subject: boringssl BUILD.gn Build BoringSSL with some extra functions that nodejs needs. 
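Review bot: The description of the inner BoringSSL patch calls the Blowfish family "decrepit" but does not say why it is exposed or what it is acceptable to use it for. Once the three rows are in the `cipher_extra.c` name table and both `EVP_CIPHER_do_all_sorted` lists, `bf-cbc`, `bf-cfb` and `bf-ecb` can be requested by name from application code, as the spec in this commit does through `crypto.createCipheriv`. Blowfish has a 64-bit block and ECB does not hide repeated plaintext blocks, so these are only suitable for handling legacy data. I would add a sentence to the patch description such as `Exposed for compatibility only (presumably to match Node's OpenSSL cipher list); Blowfish has a 64-bit block and should not be chosen for new encryption.` so whoever rebases the patch knows it is a compatibility shim.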
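Review bot: The new `it` block only shows that `createCipheriv` does not throw for the three names; it never checks `getCiphers()`, although the commit also edits the `EVP_CIPHER_do_all_sorted` lists (which presumably feed it) and the neighbouring spec makes exactly that check for `des-ede-cbc`. Adding `expect(require('crypto').getCiphers()).to.include.members(['bf-cbc', 'bf-cfb', 'bf-ecb']);` would cover that half of the change. An encrypt/decrypt round trip per mode would also confirm that each name is wired to a working implementation, which a bare constructor call does not show. The title would read better as `'should be able to create bf-{cbc,cfb,ecb} ciphers'`.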
diff --git a/third_party/boringssl/BUILD.gn b/third_party/boringssl/BUILD.gn -index 68654482b9133cfd6e1e8b94fb5781f62fd44145..81f8bb74fae4d4f039dd41980bf2549c2b667aee 100644 +index 68654482b9133cfd6e1e8b94fb5781f62fd44145..08a42fd486e1bc94bd8f8fb84ad7029a26981005 100644 --- a/third_party/boringssl/BUILD.gn +++ b/third_party/boringssl/BUILD.gn -@@ -47,6 +47,19 @@ config("no_asm_config") { +@@ -47,6 +47,20 @@ config("no_asm_config") { all_sources = crypto_sources + ssl_sources all_headers = crypto_headers + ssl_headers @@ -21,9 +21,10 @@ index 68654482b9133cfd6e1e8b94fb5781f62fd44145..81f8bb74fae4d4f039dd41980bf2549c + ] + + all_sources += [ ++ "src/decrepit/blowfish/blowfish.c", ++ "src/decrepit/cfb/cfb.c", + "src/decrepit/ripemd/internal.h", + "src/decrepit/ripemd/ripemd.c", -+ "src/decrepit/cfb/cfb.c", + ] +} From 783b4f6c534cd5db199e8dd91167c56af723be01 Mon Sep 17 00:00:00 2001 From: Jeremy Rose Date: Mon, 10 Jan 2022 09:57:33 -0800 Subject: [PATCH 3/6] fix nids in cipher list --- patches/boringssl/expose_blowfish_ciphers.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/patches/boringssl/expose_blowfish_ciphers.patch b/patches/boringssl/expose_blowfish_ciphers.patch index 8378532f56676..a94def93a3908 100644 --- a/patches/boringssl/expose_blowfish_ciphers.patch +++ b/patches/boringssl/expose_blowfish_ciphers.patch @@ -8,7 +8,7 @@ bf-ecb through the EVP interface. This adds references to decrepit code from non-decrepit code, so upstream is unlikely to take the patch. diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c -index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..a040bee3de5187c9009a2d5bf3cb59d7f10d797a 100644 +index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..0fff20a131cc383ac7e403bd19009adcc047fee8 100644 --- a/crypto/cipher_extra/cipher_extra.c +++ b/crypto/cipher_extra/cipher_extra.c @@ -89,6 +89,9 @@ static const struct { 
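Review bot: The `all_sources += [...]` list gains `src/decrepit/blowfish/blowfish.c` with nothing recording which patch needs it, so the legacy cipher code would stay linked into the build even if the patch that exposes it is later dropped. A comment above the entry, for example `# blowfish.c: required by patches/boringssl/expose_blowfish_ciphers.patch (bf-cbc, bf-cfb, bf-ecb)`, would keep the two patches tied together. The enclosing block opens outside this hunk, so the condition under which these sources are added is not visible here.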
@@ -16,8 +16,8 @@ index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..a040bee3de5187c9009a2d5bf3cb59d7 {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb}, + {NID_bf_cbc, "bf-cbc", EVP_bf_cbc}, -+ {NID_bf_cbc, "bf-cfb", EVP_bf_cfb}, -+ {NID_bf_cbc, "bf-ecb", EVP_bf_ecb}, ++ {NID_bf_cfb, "bf-cfb", EVP_bf_cfb}, ++ {NID_bf_ecb, "bf-ecb", EVP_bf_ecb}, {NID_des_cbc, "des-cbc", EVP_des_cbc}, {NID_des_ecb, "des-ecb", EVP_des_ecb}, {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc}, From 68699515fb147dd871ec3b45c55719c112f8918b Mon Sep 17 00:00:00 2001 From: Jeremy Rose Date: Mon, 10 Jan 2022 10:39:54 -0800 Subject: [PATCH 4/6] fix nid name for bf-cfb --- patches/boringssl/expose_blowfish_ciphers.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/boringssl/expose_blowfish_ciphers.patch b/patches/boringssl/expose_blowfish_ciphers.patch index a94def93a3908..d48f9ee105cad 100644 --- a/patches/boringssl/expose_blowfish_ciphers.patch +++ b/patches/boringssl/expose_blowfish_ciphers.patch @@ -16,7 +16,7 @@ index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..0fff20a131cc383ac7e403bd19009adc {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb}, + {NID_bf_cbc, "bf-cbc", EVP_bf_cbc}, -+ {NID_bf_cfb, "bf-cfb", EVP_bf_cfb}, ++ {NID_bf_cfb64, "bf-cfb", EVP_bf_cfb}, + {NID_bf_ecb, "bf-ecb", EVP_bf_ecb}, {NID_des_cbc, "des-cbc", EVP_des_cbc}, {NID_des_ecb, "des-ecb", EVP_des_ecb}, From f006123743068590c83c136c787a1ac36d415c9a Mon Sep 17 00:00:00 2001 From: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Date: Mon, 10 Jan 2022 18:50:50 +0000 Subject: [PATCH 5/6] chore: update patches --- patches/boringssl/expose_blowfish_ciphers.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/boringssl/expose_blowfish_ciphers.patch b/patches/boringssl/expose_blowfish_ciphers.patch index d48f9ee105cad..cb6239201dc4d 100644 
--- a/patches/boringssl/expose_blowfish_ciphers.patch +++ b/patches/boringssl/expose_blowfish_ciphers.patch @@ -8,7 +8,7 @@ bf-ecb through the EVP interface. This adds references to decrepit code from non-decrepit code, so upstream is unlikely to take the patch. diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c -index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..0fff20a131cc383ac7e403bd19009adcc047fee8 100644 +index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..95bd172c99874610ec9157c52df4fe0232e78c7f 100644 --- a/crypto/cipher_extra/cipher_extra.c +++ b/crypto/cipher_extra/cipher_extra.c @@ -89,6 +89,9 @@ static const struct { From 19c1d9227742ce4c2ce0a14b2f6a9a4554e9a038 Mon Sep 17 00:00:00 2001 From: PatchUp <73610968+patchup[bot]@users.noreply.github.com> Date: Tue, 11 Jan 2022 00:58:03 +0000 Subject: [PATCH 6/6] chore: update patches --- patches/chromium/boringssl_build_gn.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/patches/chromium/boringssl_build_gn.patch b/patches/chromium/boringssl_build_gn.patch index f02545f0064c1..309ff79d0a556 100644 --- a/patches/chromium/boringssl_build_gn.patch +++ b/patches/chromium/boringssl_build_gn.patch @@ -6,7 +6,7 @@ Subject: boringssl BUILD.gn Build BoringSSL with some extra functions that nodejs needs. diff --git a/third_party/boringssl/BUILD.gn b/third_party/boringssl/BUILD.gn -index 91ce539f2cdf3c17645126088ecb00e36befd1b8..8f3c9ccc10f8204c21d1f28444eef77724255aa9 100644 +index 91ce539f2cdf3c17645126088ecb00e36befd1b8..8e1d78fdb56372836cea73e35cb4e03059cf5ec5 100644 --- a/third_party/boringssl/BUILD.gn +++ b/third_party/boringssl/BUILD.gn @@ -47,6 +47,20 @@ config("no_asm_config") {