mirrors/electron
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

build: combine and elaborate on exposed BoringSSL ciphers (#38506)

Browse source 
build: combine and elaborate on exposed BoringSSL ciphers
This commit is contained in:
Shelley Vohr 2023-05-31 16:30:04 +02:00 committed by GitHub
parent 663497dc6b
commit b454f8c7c1
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
6 changed files with 132 additions and 186 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
patches/boringssl/.patches
View file

@ -1,6 +1,3 @@
expose_ripemd160.patch
expose_aes-cfb.patch
expose_des-ede3.patch
fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch
expose_blowfish_ciphers.patch
revert_track_ssl_error_zero_return_explicitly.patch
feat_expose_several_extra_cipher_functions.patch

71
patches/boringssl/expose_aes-cfb.patch
View file

@ -1,71 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Apthorp <nornagon@nornagon.net>
Date: Fri, 18 Jan 2019 14:23:28 -0800
Subject: expose aes-{128,256}-cfb
This exposes AES-CFB ciphers through the EVP APIs. BoringSSL has
implementations for these ciphers, but Node doesn't realise that because
without this patch, they're not listed in the APIs that Node uses.
This should be upstreamed. See e.g.
https://boringssl-review.googlesource.com/c/boringssl/+/33984 for a
similar patch that was merged upstream.
diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index 62850ab6a216d401d023f81007fb59a33b4585f3..0c30b0329d32b94b22f342f95035e927797d0aaf 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -73,6 +73,7 @@ static const struct {
const EVP_CIPHER *(*func)(void);
} kCiphers[] = {
{NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc},
+ {NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb128},
{NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr},
{NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb},
{NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm},
@@ -83,6 +84,7 @@ static const struct {
{NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm},
{NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb},
{NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc},
+ {NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb128},
{NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
{NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
{NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c
index 852b76bea69988e0b3ac76a17b603128f239dde0..d443f4dc2daea0b7aa86ae75d31d995fae667ba9 100644
--- a/decrepit/evp/evp_do_all.c
+++ b/decrepit/evp/evp_do_all.c
@@ -20,8 +20,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
const char *unused, void *arg),
void *arg) {
callback(EVP_aes_128_cbc(), "AES-128-CBC", NULL, arg);
+ callback(EVP_aes_128_cfb128(), "AES-128-CFB", NULL, arg);
callback(EVP_aes_192_cbc(), "AES-192-CBC", NULL, arg);
callback(EVP_aes_256_cbc(), "AES-256-CBC", NULL, arg);
+ callback(EVP_aes_256_cfb128(), "AES-256-CFB", NULL, arg);
callback(EVP_aes_128_ctr(), "AES-128-CTR", NULL, arg);
callback(EVP_aes_192_ctr(), "AES-192-CTR", NULL, arg);
callback(EVP_aes_256_ctr(), "AES-256-CTR", NULL, arg);
@@ -44,8 +46,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
// OpenSSL returns everything twice, the second time in lower case.
callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg);
+ callback(EVP_aes_128_cfb128(), "aes-128-cfb", NULL, arg);
callback(EVP_aes_192_cbc(), "aes-192-cbc", NULL, arg);
callback(EVP_aes_256_cbc(), "aes-256-cbc", NULL, arg);
+ callback(EVP_aes_256_cfb128(), "aes-256-cfb", NULL, arg);
callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg);
callback(EVP_aes_192_ctr(), "aes-192-ctr", NULL, arg);
callback(EVP_aes_256_ctr(), "aes-256-ctr", NULL, arg);
diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h
index 310d7c237fd884ba715e3fa97ccf1393b6d04fbb..66e69d487fbb767438b7d0dfdf3770f54e3cf7b2 100644
--- a/include/openssl/cipher.h
+++ b/include/openssl/cipher.h
@@ -476,6 +476,7 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void);
// EVP_aes_128_cfb128 is only available in decrepit.
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void);
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void);
// EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in
// decrepit.

47
patches/boringssl/expose_blowfish_ciphers.patch
View file

@ -1,47 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Rose <nornagon@nornagon.net>
Date: Wed, 5 Jan 2022 13:08:10 -0800
Subject: expose blowfish ciphers
This exposes the (decrepit) blowfish cipher family, bf-cbc, bf-cfb and
bf-ecb through the EVP interface. This adds references to decrepit code
from non-decrepit code, so upstream is unlikely to take the patch.
diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..95bd172c99874610ec9157c52df4fe0232e78c7f 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -89,6 +89,9 @@ static const struct {
{NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
{NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
{NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb},
+ {NID_bf_cbc, "bf-cbc", EVP_bf_cbc},
+ {NID_bf_cfb64, "bf-cfb", EVP_bf_cfb},
+ {NID_bf_ecb, "bf-ecb", EVP_bf_ecb},
{NID_des_cbc, "des-cbc", EVP_des_cbc},
{NID_des_ecb, "des-ecb", EVP_des_ecb},
{NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc},
diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c
index 5e71420b765019edea82a33884ace539cd91bda5..43fc792697519325725e9ce87801c5dc176c70a1 100644
--- a/decrepit/evp/evp_do_all.c
+++ b/decrepit/evp/evp_do_all.c
@@ -36,6 +36,9 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_aes_128_gcm(), "AES-128-GCM", NULL, arg);
callback(EVP_aes_192_gcm(), "AES-192-GCM", NULL, arg);
callback(EVP_aes_256_gcm(), "AES-256-GCM", NULL, arg);
+ callback(EVP_bf_cbc(), "BF-CBC", NULL, arg);
+ callback(EVP_bf_cfb(), "BF-CFB", NULL, arg);
+ callback(EVP_bf_ecb(), "BF-ECB", NULL, arg);
callback(EVP_des_cbc(), "DES-CBC", NULL, arg);
callback(EVP_des_ecb(), "DES-ECB", NULL, arg);
callback(EVP_des_ede(), "DES-EDE", NULL, arg);
@@ -63,6 +66,9 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_aes_128_gcm(), "aes-128-gcm", NULL, arg);
callback(EVP_aes_192_gcm(), "aes-192-gcm", NULL, arg);
callback(EVP_aes_256_gcm(), "aes-256-gcm", NULL, arg);
+ callback(EVP_bf_cbc(), "bf-cbc", NULL, arg);
+ callback(EVP_bf_cfb(), "bf-cfb", NULL, arg);
+ callback(EVP_bf_ecb(), "bf-ecb", NULL, arg);
callback(EVP_des_cbc(), "des-cbc", NULL, arg);
callback(EVP_des_ecb(), "des-ecb", NULL, arg);
callback(EVP_des_ede(), "des-ede", NULL, arg);

39
patches/boringssl/expose_des-ede3.patch
View file

@ -1,39 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Jeremy Rose <nornagon@nornagon.net>
Date: Wed, 24 Feb 2021 11:08:34 -0800
Subject: expose des-ede3
This should be upstreamed.
diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index 0c30b0329d32b94b22f342f95035e927797d0aaf..d97f67fb03756169446edf6b41d3a33fe3ae8205 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -93,6 +93,7 @@ static const struct {
{NID_des_ecb, "des-ecb", EVP_des_ecb},
{NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc},
{NID_des_ede_ecb, "des-ede", EVP_des_ede},
+ {NID_des_ede3_ecb, "des-ede3", EVP_des_ede3},
{NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc},
{NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc},
{NID_rc4, "rc4", EVP_rc4},
diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c
index d443f4dc2daea0b7aa86ae75d31d995fae667ba9..5e71420b765019edea82a33884ace539cd91bda5 100644
--- a/decrepit/evp/evp_do_all.c
+++ b/decrepit/evp/evp_do_all.c
@@ -39,6 +39,7 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_des_cbc(), "DES-CBC", NULL, arg);
callback(EVP_des_ecb(), "DES-ECB", NULL, arg);
callback(EVP_des_ede(), "DES-EDE", NULL, arg);
+ callback(EVP_des_ede3(), "DES-EDE3", NULL, arg);
callback(EVP_des_ede_cbc(), "DES-EDE-CBC", NULL, arg);
callback(EVP_des_ede3_cbc(), "DES-EDE3-CBC", NULL, arg);
callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg);
@@ -65,6 +66,7 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_des_cbc(), "des-cbc", NULL, arg);
callback(EVP_des_ecb(), "des-ecb", NULL, arg);
callback(EVP_des_ede(), "des-ede", NULL, arg);
+ callback(EVP_des_ede3(), "des-ede3", NULL, arg);
callback(EVP_des_ede_cbc(), "des-ede-cbc", NULL, arg);
callback(EVP_des_ede3_cbc(), "des-ede3-cbc", NULL, arg);
callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg);

131
patches/boringssl/feat_expose_several_extra_cipher_functions.patch Normal file
View file

@ -0,0 +1,131 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <shelley.vohr@gmail.com>
Date: Wed, 31 May 2023 11:36:48 +0200
Subject: feat: expose several extra cipher functions
This patch exposes the following ciphers:
AES_CFB Ciphers: aes-128-cfb, aes-256-cfb
Implementations for these ciphers exist but aren't exposed, so they're
unusable without this patch. We should upstream this as similar
patches for implemented cipher functions have been accepted.
Blowfish Ciphers: bf-cbc, bf-cfb, bf-ecb
The addition of Blowfish ciphers adds references decrepit code
from non-decrepit code, so upstream is unlikely to take the patch.
DES Ciphers: des-ede3
An implementation for this cipher exists but isn't exposed, so it's
unusable without this patch. Akin to the AES_CFB exposures, we should
upstream this as similar patches for implemented cipher functions have
been accepted.
RC2 Ciphers: rc2-40-cbc
It's unclear whether this would be accepted upstream. We should try regardless.
diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index 62850ab6a216d401d023f81007fb59a33b4585f3..95bd172c99874610ec9157c52df4fe0232e78c7f 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -73,6 +73,7 @@ static const struct {
const EVP_CIPHER *(*func)(void);
} kCiphers[] = {
{NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc},
+ {NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb128},
{NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr},
{NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb},
{NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm},
@@ -83,17 +84,23 @@ static const struct {
{NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm},
{NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb},
{NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc},
+ {NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb128},
{NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr},
{NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb},
{NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm},
{NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb},
+ {NID_bf_cbc, "bf-cbc", EVP_bf_cbc},
+ {NID_bf_cfb64, "bf-cfb", EVP_bf_cfb},
+ {NID_bf_ecb, "bf-ecb", EVP_bf_ecb},
{NID_des_cbc, "des-cbc", EVP_des_cbc},
{NID_des_ecb, "des-ecb", EVP_des_ecb},
{NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc},
{NID_des_ede_ecb, "des-ede", EVP_des_ede},
+ {NID_des_ede3_ecb, "des-ede3", EVP_des_ede3},
{NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc},
{NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc},
{NID_rc4, "rc4", EVP_rc4},
+ {NID_rc2_40_cbc, "rc2-40-cbc", EVP_rc2_40_cbc}
};
const EVP_CIPHER *EVP_get_cipherbynid(int nid) {
diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c
index 852b76bea69988e0b3ac76a17b603128f239dde0..43fc792697519325725e9ce87801c5dc176c70a1 100644
--- a/decrepit/evp/evp_do_all.c
+++ b/decrepit/evp/evp_do_all.c
@@ -20,8 +20,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
const char *unused, void *arg),
void *arg) {
callback(EVP_aes_128_cbc(), "AES-128-CBC", NULL, arg);
+ callback(EVP_aes_128_cfb128(), "AES-128-CFB", NULL, arg);
callback(EVP_aes_192_cbc(), "AES-192-CBC", NULL, arg);
callback(EVP_aes_256_cbc(), "AES-256-CBC", NULL, arg);
+ callback(EVP_aes_256_cfb128(), "AES-256-CFB", NULL, arg);
callback(EVP_aes_128_ctr(), "AES-128-CTR", NULL, arg);
callback(EVP_aes_192_ctr(), "AES-192-CTR", NULL, arg);
callback(EVP_aes_256_ctr(), "AES-256-CTR", NULL, arg);
@@ -34,9 +36,13 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_aes_128_gcm(), "AES-128-GCM", NULL, arg);
callback(EVP_aes_192_gcm(), "AES-192-GCM", NULL, arg);
callback(EVP_aes_256_gcm(), "AES-256-GCM", NULL, arg);
+ callback(EVP_bf_cbc(), "BF-CBC", NULL, arg);
+ callback(EVP_bf_cfb(), "BF-CFB", NULL, arg);
+ callback(EVP_bf_ecb(), "BF-ECB", NULL, arg);
callback(EVP_des_cbc(), "DES-CBC", NULL, arg);
callback(EVP_des_ecb(), "DES-ECB", NULL, arg);
callback(EVP_des_ede(), "DES-EDE", NULL, arg);
+ callback(EVP_des_ede3(), "DES-EDE3", NULL, arg);
callback(EVP_des_ede_cbc(), "DES-EDE-CBC", NULL, arg);
callback(EVP_des_ede3_cbc(), "DES-EDE3-CBC", NULL, arg);
callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg);
@@ -44,8 +50,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
// OpenSSL returns everything twice, the second time in lower case.
callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg);
+ callback(EVP_aes_128_cfb128(), "aes-128-cfb", NULL, arg);
callback(EVP_aes_192_cbc(), "aes-192-cbc", NULL, arg);
callback(EVP_aes_256_cbc(), "aes-256-cbc", NULL, arg);
+ callback(EVP_aes_256_cfb128(), "aes-256-cfb", NULL, arg);
callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg);
callback(EVP_aes_192_ctr(), "aes-192-ctr", NULL, arg);
callback(EVP_aes_256_ctr(), "aes-256-ctr", NULL, arg);
@@ -58,9 +66,13 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher,
callback(EVP_aes_128_gcm(), "aes-128-gcm", NULL, arg);
callback(EVP_aes_192_gcm(), "aes-192-gcm", NULL, arg);
callback(EVP_aes_256_gcm(), "aes-256-gcm", NULL, arg);
+ callback(EVP_bf_cbc(), "bf-cbc", NULL, arg);
+ callback(EVP_bf_cfb(), "bf-cfb", NULL, arg);
+ callback(EVP_bf_ecb(), "bf-ecb", NULL, arg);
callback(EVP_des_cbc(), "des-cbc", NULL, arg);
callback(EVP_des_ecb(), "des-ecb", NULL, arg);
callback(EVP_des_ede(), "des-ede", NULL, arg);
+ callback(EVP_des_ede3(), "des-ede3", NULL, arg);
callback(EVP_des_ede_cbc(), "des-ede-cbc", NULL, arg);
callback(EVP_des_ede3_cbc(), "des-ede3-cbc", NULL, arg);
callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg);
diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h
index 310d7c237fd884ba715e3fa97ccf1393b6d04fbb..66e69d487fbb767438b7d0dfdf3770f54e3cf7b2 100644
--- a/include/openssl/cipher.h
+++ b/include/openssl/cipher.h
@@ -476,6 +476,7 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void);
// EVP_aes_128_cfb128 is only available in decrepit.
OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void);
+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void);
// EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in
// decrepit.

25
patches/boringssl/fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch
View file

@ -1,25 +0,0 @@
From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001
From: Shelley Vohr <shelley.vohr@gmail.com>
Date: Mon, 28 Jun 2021 10:41:09 +0200
Subject: fix: sync EVP_get_cipherbynid and EVP_get_cipherbyname
This commit syncs the results of EVP_get_cipherbynid and
EVP_get_cipherbyname. Node.js logic assumes that calling EVP_get_cipherbynid
on a NID returned from a call to `getCipherInfo` with the cipher name
will return the same cipher information - this assumption holds in OpenSSL
and should also hold in BoringSSL.
This will be upstreamed.
diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c
index d97f67fb03756169446edf6b41d3a33fe3ae8205..cfdb69e3c556fea11aa7c2d28d4b7da524df15c3 100644
--- a/crypto/cipher_extra/cipher_extra.c
+++ b/crypto/cipher_extra/cipher_extra.c
@@ -97,6 +97,7 @@ static const struct {
{NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc},
{NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc},
{NID_rc4, "rc4", EVP_rc4},
+ {NID_rc2_40_cbc, "rc2-40-cbc", EVP_rc2_40_cbc}
};
const EVP_CIPHER *EVP_get_cipherbynid(int nid) {