Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: split CryptoPemCallback into two functions #12827

Closed
wants to merge 5 commits into from
Closed

src: split CryptoPemCallback into two functions #12827

Changes from 4 commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
ec352c1
src: split CryptoPemCallback into two functions
danbev May 3, 2017
281402f
add additional newline for consistency
danbev May 5, 2017
e7da72f
fix bug when len = 1
danbev May 5, 2017
3a59be8
restore support for null passphase
danbev May 6, 2017
9c8e991
update NoPasswordCallback comment
danbev May 6, 2017
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
30 changes: 19 additions & 11 deletions src/node_crypto.cc
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -228,8 +228,6 @@ static void crypto_lock_cb(int mode, int n, const char* file, int line) {
}


// This callback is used by OpenSSL when it needs to query for the passphrase
// which may be used for encrypted PEM structures.
static int PasswordCallback(char *buf, int size, int rwflag, void *u) {
if (u) {
size_t buflen = static_cast<size_t>(size);
Expand All @@ -243,6 +241,13 @@ static int PasswordCallback(char *buf, int size, int rwflag, void *u) {
}

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add one more newline here, please.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'll fix that.


// This callback is used to avoid the default passphrase callback in OpenSSL
// which will typically prompt for the passphrase.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

"the prompting is designed for the openssl CLI, but works poorly for Node.js because it involves synchronous interaction with the controlling terminal, something we never want, and use this function to avoid." <--- Maybe add something like that?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I've added that now, thanks!

static int NoPasswordCallback(char *buf, int size, int rwflag, void *u) {
return 0;
}


void ThrowCryptoError(Environment* env,
unsigned long err, // NOLINT(runtime/int)
const char* default_message = nullptr) {
Expand Down Expand Up @@ -612,7 +617,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
// that we are interested in
ERR_clear_error();

x = PEM_read_bio_X509_AUX(in, nullptr, PasswordCallback, nullptr);
x = PEM_read_bio_X509_AUX(in, nullptr, NoPasswordCallback, nullptr);

if (x == nullptr) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
Expand All @@ -630,7 +635,10 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx,
goto done;
}

while ((extra = PEM_read_bio_X509(in, nullptr, PasswordCallback, nullptr))) {
while ((extra = PEM_read_bio_X509(in,
nullptr,
NoPasswordCallback,
nullptr))) {
if (sk_X509_push(extra_certs, extra))
continue;

Expand Down Expand Up @@ -727,7 +735,7 @@ static X509_STORE* NewRootCertStore() {
if (root_certs_vector.empty()) {
for (size_t i = 0; i < arraysize(root_certs); i++) {
BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i]));
X509 *x509 = PEM_read_bio_X509(bp, nullptr, PasswordCallback, nullptr);
X509 *x509 = PEM_read_bio_X509(bp, nullptr, NoPasswordCallback, nullptr);
BIO_free(bp);

// Parse errors from the built-in roots are fatal.
Expand Down Expand Up @@ -770,7 +778,7 @@ void SecureContext::AddCACert(const FunctionCallbackInfo<Value>& args) {

X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_);
while (X509* x509 =
PEM_read_bio_X509(bio, nullptr, PasswordCallback, nullptr)) {
PEM_read_bio_X509(bio, nullptr, NoPasswordCallback, nullptr)) {
if (cert_store == root_cert_store) {
cert_store = NewRootCertStore();
SSL_CTX_set_cert_store(sc->ctx_, cert_store);
Expand Down Expand Up @@ -802,7 +810,7 @@ void SecureContext::AddCRL(const FunctionCallbackInfo<Value>& args) {
return;

X509_CRL* crl =
PEM_read_bio_X509_CRL(bio, nullptr, PasswordCallback, nullptr);
PEM_read_bio_X509_CRL(bio, nullptr, NoPasswordCallback, nullptr);

if (crl == nullptr) {
BIO_free_all(bio);
Expand Down Expand Up @@ -841,7 +849,7 @@ static unsigned long AddCertsFromFile( // NOLINT(runtime/int)
}

while (X509* x509 =
PEM_read_bio_X509(bio, nullptr, PasswordCallback, nullptr)) {
PEM_read_bio_X509(bio, nullptr, NoPasswordCallback, nullptr)) {
X509_STORE_add_cert(store, x509);
X509_free(x509);
}
Expand Down Expand Up @@ -4385,7 +4393,7 @@ SignBase::Error Verify::VerifyFinal(const char* key_pem,
// Split this out into a separate function once we have more than one
// consumer of public keys.
if (strncmp(key_pem, PUBLIC_KEY_PFX, PUBLIC_KEY_PFX_LEN) == 0) {
pkey = PEM_read_bio_PUBKEY(bp, nullptr, PasswordCallback, nullptr);
pkey = PEM_read_bio_PUBKEY(bp, nullptr, NoPasswordCallback, nullptr);
if (pkey == nullptr)
goto exit;
} else if (strncmp(key_pem, PUBRSA_KEY_PFX, PUBRSA_KEY_PFX_LEN) == 0) {
Expand All @@ -4401,7 +4409,7 @@ SignBase::Error Verify::VerifyFinal(const char* key_pem,
goto exit;
} else {
// X.509 fallback
x509 = PEM_read_bio_X509(bp, nullptr, PasswordCallback, nullptr);
x509 = PEM_read_bio_X509(bp, nullptr, NoPasswordCallback, nullptr);
if (x509 == nullptr)
goto exit;

Expand Down Expand Up @@ -4528,7 +4536,7 @@ bool PublicKeyCipher::Cipher(const char* key_pem,
goto exit;
} else if (operation == kPublic &&
strncmp(key_pem, CERTIFICATE_PFX, CERTIFICATE_PFX_LEN) == 0) {
x509 = PEM_read_bio_X509(bp, nullptr, PasswordCallback, nullptr);
x509 = PEM_read_bio_X509(bp, nullptr, NoPasswordCallback, nullptr);
if (x509 == nullptr)
goto exit;

Expand Down