src: pull in more electron boringssl adjustments

jasnell · targos · commit 9624049414d1 · 2025-02-05T10:35:25.000+01:00
Electron has a number of patches they float in order to build node.js with boringssl. We already incorporate some of those, this brings in more of them. PR-URL: #56858 Reviewed-By: Juan José Arboleda <soyjuanarbol@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
@@ -1005,11 +1005,15 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {
       return ThrowCryptoError(env, ERR_get_error());
     }
 
+#ifndef OPENSSL_IS_BORINGSSL
+    // RSA implicit rejection here is not supported by BoringSSL.
+    // Skip this check when boring is used.
     if (!ctx.setRsaImplicitRejection()) {
       return THROW_ERR_INVALID_ARG_VALUE(
           env,
           "RSA_PKCS1_PADDING is no longer supported for private decryption");
     }
+#endif
   }
 
   const EVP_MD* digest = nullptr;
diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc
@@ -7,7 +7,9 @@
 #include "memory_tracker-inl.h"
 #include "ncrypto.h"
 #include "node_errors.h"
+#ifndef OPENSSL_IS_BORINGSSL
 #include "openssl/bnerr.h"
+#endif
 #include "openssl/dh.h"
 #include "threadpoolwork-inl.h"
 #include "v8.h"
@@ -88,11 +90,15 @@ void New(const FunctionCallbackInfo<Value>& args) {
   if (args[0]->IsInt32()) {
     int32_t bits = args[0].As<Int32>()->Value();
     if (bits < 2) {
+#ifndef OPENSSL_IS_BORINGSSL
 #if OPENSSL_VERSION_MAJOR >= 3
       ERR_put_error(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_SMALL, __FILE__, __LINE__);
 #else
       ERR_put_error(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL, __FILE__, __LINE__);
-#endif
+#endif  // OPENSSL_VERSION_MAJOR >= 3
+#else   // OPENSSL_IS_BORINGSSL
+      OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL);
+#endif  // OPENSSL_IS_BORINGSSL
       return ThrowCryptoError(env, ERR_get_error(), "Invalid prime length");
     }
 
@@ -105,7 +111,11 @@ void New(const FunctionCallbackInfo<Value>& args) {
     }
     int32_t generator = args[1].As<Int32>()->Value();
     if (generator < 2) {
+#ifndef OPENSSL_IS_BORINGSSL
       ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
+#else
+      OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+#endif
       return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
     }
 
@@ -134,12 +144,20 @@ void New(const FunctionCallbackInfo<Value>& args) {
   if (args[1]->IsInt32()) {
     int32_t generator = args[1].As<Int32>()->Value();
     if (generator < 2) {
+#ifndef OPENSSL_IS_BORINGSSL
       ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
+#else
+      OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+#endif
       return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
     }
     bn_g = BignumPointer::New();
     if (!bn_g.setWord(generator)) {
+#ifndef OPENSSL_IS_BORINGSSL
       ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
+#else
+      OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+#endif
       return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
     }
   } else {
@@ -148,11 +166,19 @@ void New(const FunctionCallbackInfo<Value>& args) {
       return THROW_ERR_OUT_OF_RANGE(env, "generator is too big");
     bn_g = BignumPointer(reinterpret_cast<uint8_t*>(arg1.data()), arg1.size());
     if (!bn_g) {
+#ifndef OPENSSL_IS_BORINGSSL
       ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
+#else
+      OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+#endif
       return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
     }
     if (bn_g.getWord() < 2) {
+#ifndef OPENSSL_IS_BORINGSSL
       ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__);
+#else
+      OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR);
+#endif
       return ThrowCryptoError(env, ERR_get_error(), "Invalid generator");
     }
   }
@@ -398,14 +424,19 @@ EVPKeyCtxPointer DhKeyGenTraits::Setup(DhKeyPairGenConfig* params) {
     if (!dh) return {};
 
     key_params = EVPKeyPointer::NewDH(std::move(dh));
-  } else if (int* prime_size = std::get_if<int>(&params->params.prime)) {
+  } else if (std::get_if<int>(&params->params.prime)) {
     auto param_ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_DH);
+#ifndef OPENSSL_IS_BORINGSSL
+    int* prime_size = std::get_if<int>(&params->params.prime);
     if (!param_ctx.initForParamgen() ||
         !param_ctx.setDhParameters(*prime_size, params->params.generator)) {
       return {};
     }
 
     key_params = param_ctx.paramgen();
+#else
+    return {};
+#endif
   } else {
     UNREACHABLE();
   }
diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc
@@ -28,6 +28,10 @@ using v8::Value;
 
 namespace crypto {
 EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) {
+#ifdef OPENSSL_IS_BORINGSSL
+  // Operation is unsupported in BoringSSL
+  return {};
+#else
   auto param_ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_DSA);
 
   if (!param_ctx.initForParamgen() ||
@@ -45,6 +49,7 @@ EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) {
   EVPKeyCtxPointer key_ctx = key_params.newCtx();
   if (!key_ctx.initForKeygen()) return {};
   return key_ctx;
+#endif
 }
 
 // Input arguments for DsaKeyPairGenJob
diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc
@@ -924,6 +924,10 @@ void KeyObjectHandle::GetAsymmetricKeyType(
 }
 
 bool KeyObjectHandle::CheckEcKeyData() const {
+#ifdef OPENSSL_IS_BORINGSSL
+  // Operation is unsupported on BoringSSL
+  return true;
+#else
   MarkPopErrorOnReturn mark_pop_error_on_return;
 
   const auto& key = data_.GetAsymmetricKey();
@@ -933,6 +937,7 @@ bool KeyObjectHandle::CheckEcKeyData() const {
 
   return data_.GetKeyType() == kKeyTypePrivate ? ctx.privateCheck()
                                                : ctx.publicCheck();
+#endif
 }
 
 void KeyObjectHandle::CheckEcKeyData(const FunctionCallbackInfo<Value>& args) {
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
@@ -682,29 +682,46 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
   CHECK(args[0]->IsUint32());
   Environment* env = Environment::GetCurrent(args);
   uint32_t len = args[0].As<Uint32>()->Value();
+#ifndef OPENSSL_IS_BORINGSSL
   void* data = OPENSSL_secure_zalloc(len);
+#else
+  void* data = OPENSSL_malloc(len);
+#endif
   if (data == nullptr) {
     // There's no memory available for the allocation.
     // Return nothing.
     return;
   }
+#ifdef OPENSSL_IS_BORINGSSL
+  memset(data, 0, len);
+#endif
   std::shared_ptr<BackingStore> store =
       ArrayBuffer::NewBackingStore(
           data,
           len,
           [](void* data, size_t len, void* deleter_data) {
+#ifndef OPENSSL_IS_BORINGSSL
             OPENSSL_secure_clear_free(data, len);
+#else
+        OPENSSL_clear_free(data, len);
+#endif
           },
           data);
   Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
   args.GetReturnValue().Set(Uint8Array::New(buffer, 0, len));
 }
 
 void SecureHeapUsed(const FunctionCallbackInfo<Value>& args) {
+#ifndef OPENSSL_IS_BORINGSSL
   Environment* env = Environment::GetCurrent(args);
   if (CRYPTO_secure_malloc_initialized())
     args.GetReturnValue().Set(
         BigInt::New(env->isolate(), CRYPTO_secure_used()));
+#else
+  // BoringSSL does not have the secure heap and therefore
+  // will always return 0.
+  args.GetReturnValue().Set(BigInt::New(args.GetIsolate(), 0));
+#endif
 }
 }  // namespace
 

Original file line number	Diff line number	Diff line change
`@@ -1005,11 +1005,15 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo<Value>& args) {`
`1005`	`1005`	`return ThrowCryptoError(env, ERR_get_error());`
`1006`	`1006`	`}`
`1007`	`1007`
	`1008`	`+#ifndef OPENSSL_IS_BORINGSSL`
	`1009`	`+ // RSA implicit rejection here is not supported by BoringSSL.`
	`1010`	`+ // Skip this check when boring is used.`
`1008`	`1011`	`if (!ctx.setRsaImplicitRejection()) {`
`1009`	`1012`	`return THROW_ERR_INVALID_ARG_VALUE(`
`1010`	`1013`	`env,`
`1011`	`1014`	`"RSA_PKCS1_PADDING is no longer supported for private decryption");`
`1012`	`1015`	`}`
	`1016`	`+#endif`
`1013`	`1017`	`}`
`1014`	`1018`
`1015`	`1019`	`const EVP_MD* digest = nullptr;`
Original file line number	Diff line number	Diff line change
`@@ -924,6 +924,10 @@ void KeyObjectHandle::GetAsymmetricKeyType(`
`924`	`924`	`}`
`925`	`925`
`926`	`926`	`bool KeyObjectHandle::CheckEcKeyData() const {`
	`927`	`+#ifdef OPENSSL_IS_BORINGSSL`
	`928`	`+ // Operation is unsupported on BoringSSL`
	`929`	`+ return true;`
	`930`	`+#else`
`927`	`931`	`MarkPopErrorOnReturn mark_pop_error_on_return;`
`928`	`932`
`929`	`933`	`const auto& key = data_.GetAsymmetricKey();`
`@@ -933,6 +937,7 @@ bool KeyObjectHandle::CheckEcKeyData() const {`
`933`	`937`
`934`	`938`	`return data_.GetKeyType() == kKeyTypePrivate ? ctx.privateCheck()`
`935`	`939`	`: ctx.publicCheck();`
	`940`	`+#endif`
`936`	`941`	`}`
`937`	`942`
`938`	`943`	`void KeyObjectHandle::CheckEcKeyData(const FunctionCallbackInfo<Value>& args) {`