deps: start working on ncrypto dep

Start moving src/crypto functionality out to a separate dep that can be shared with other projects that need to emulate Node.js crypto behavior. PR-URL: #53803 Reviewed-By: Yagiz Nizipli <[email protected]>

Author: jasnell

Makefile

@@ -175,7 +175,8 @@ with-code-cache test-code-cache:
 out/Makefile: config.gypi common.gypi common_node.gypi node.gyp \
  deps/uv/uv.gyp deps/llhttp/llhttp.gyp deps/zlib/zlib.gyp \
  deps/simdutf/simdutf.gyp deps/ada/ada.gyp deps/nbytes/nbytes.gyp \
- tools/v8_gypfiles/toolchain.gypi tools/v8_gypfiles/features.gypi \
+ tools/v8_gypfiles/toolchain.gypi \
+ tools/v8_gypfiles/features.gypi \
  tools/v8_gypfiles/inspector.gypi tools/v8_gypfiles/v8.gyp
 $(PYTHON) tools/gyp_node.py -f make
 

deps/ncrypto/BUILD.gn

@@ -0,0 +1,14 @@
+##############################################################################
+# #
+# DO NOT EDIT THIS FILE! #
+# #
+##############################################################################
+
+# This file is used by GN for building, which is NOT the build system used for
+# building official binaries.
+# Please modify the gyp files if you are making changes to build system.
+
+import("unofficial.gni")
+
+ncrypto_gn_build("ncrypto"){
+}

deps/ncrypto/README.md

@@ -0,0 +1,5 @@
+# Node.js crypto (ncrypto) library
+
+The `ncrypto` library extracts the base internal implementation of Node.js crypto operations
+that support both `node:crypto` and Web Crypto implementations and makes them available for
+use in other projects that need to emulate Node.js' behavior.

deps/ncrypto/engine.cc

@@ -0,0 +1,92 @@
+#include"ncrypto.h"
+
+namespacencrypto{
+
+// ============================================================================
+// Engine
+
+#ifndef OPENSSL_NO_ENGINE
+EnginePointer::EnginePointer(ENGINE* engine_, bool finish_on_exit_)
+ : engine(engine_),
+ finish_on_exit(finish_on_exit_){}
+
+EnginePointer::EnginePointer(EnginePointer&& other) noexcept
+ : engine(other.engine),
+ finish_on_exit(other.finish_on_exit){
+ other.release();
+}
+
+EnginePointer::~EnginePointer(){reset()}
+
+EnginePointer& EnginePointer::operator=(EnginePointer&& other) noexcept{
+if (this == &other) return *this;
+this->~EnginePointer();
+return *new (this) EnginePointer(std::move(other));
+}
+
+voidEnginePointer::reset(ENGINE* engine_, bool finish_on_exit_){
+if (engine != nullptr){
+if (finish_on_exit){
+// This also does the equivalent of ENGINE_free.
+ENGINE_finish(engine);
+ } else{
+ENGINE_free(engine);
+ }
+ }
+ engine = engine_;
+ finish_on_exit = finish_on_exit_;
+}
+
+ENGINE* EnginePointer::release(){
+ ENGINE* ret = engine;
+ engine = nullptr;
+ finish_on_exit = false;
+return ret;
+}
+
+EnginePointer EnginePointer::getEngineByName(const std::string_view name,
+ CryptoErrorList* errors){
+ MarkPopErrorOnReturn mark_pop_error_on_return(errors);
+ EnginePointer engine(ENGINE_by_id(name.data()));
+if (!engine){
+// Engine not found, try loading dynamically.
+ engine = EnginePointer(ENGINE_by_id("dynamic"));
+if (engine){
+if (!ENGINE_ctrl_cmd_string(engine.get(), "SO_PATH", name.data(), 0) ||
+ !ENGINE_ctrl_cmd_string(engine.get(), "LOAD", nullptr, 0)){
+ engine.reset();
+ }
+ }
+ }
+returnstd::move(engine);
+}
+
+boolEnginePointer::setAsDefault(uint32_t flags, CryptoErrorList* errors){
+if (engine == nullptr) returnfalse;
+ ClearErrorOnReturn clear_error_on_return(errors);
+returnENGINE_set_default(engine, flags) != 0;
+}
+
+boolEnginePointer::init(bool finish_on_exit){
+if (engine == nullptr) returnfalse;
+if (finish_on_exit) setFinishOnExit();
+returnENGINE_init(engine) == 1;
+}
+
+EVPKeyPointer EnginePointer::loadPrivateKey(const std::string_view key_name){
+if (engine == nullptr) returnEVPKeyPointer();
+returnEVPKeyPointer(ENGINE_load_private_key(engine, key_name.data(), nullptr, nullptr));
+}
+
+voidEnginePointer::initEnginesOnce(){
+staticbool initialized = false;
+if (!initialized){
+ENGINE_load_builtin_engines();
+ENGINE_register_all_complete();
+ initialized = true;
+ }
+}
+
+#endif// OPENSSL_NO_ENGINE
+
+} // namespace ncrypto

deps/ncrypto/ncrypto.cc

@@ -0,0 +1,223 @@
+#include"ncrypto.h"
+#include<algorithm>
+#include<cstring>
+#include"openssl/bn.h"
+#if OPENSSL_VERSION_MAJOR >= 3
+#include"openssl/provider.h"
+#endif
+
+namespacencrypto{
+
+// ============================================================================
+
+ClearErrorOnReturn::ClearErrorOnReturn(CryptoErrorList* errors) : errors_(errors){
+ERR_clear_error();
+}
+
+ClearErrorOnReturn::~ClearErrorOnReturn(){
+if (errors_ != nullptr) errors_->capture();
+ERR_clear_error();
+}
+
+intClearErrorOnReturn::peeKError(){returnERR_peek_error()}
+
+MarkPopErrorOnReturn::MarkPopErrorOnReturn(CryptoErrorList* errors) : errors_(errors){
+ERR_set_mark();
+}
+
+MarkPopErrorOnReturn::~MarkPopErrorOnReturn(){
+if (errors_ != nullptr) errors_->capture();
+ERR_pop_to_mark();
+}
+
+intMarkPopErrorOnReturn::peekError(){returnERR_peek_error()}
+
+CryptoErrorList::CryptoErrorList(CryptoErrorList::Option option){
+if (option == Option::CAPTURE_ON_CONSTRUCT) capture();
+}
+
+voidCryptoErrorList::capture(){
+ errors_.clear();
+while(constauto err = ERR_get_error()){
+char buf[256];
+ERR_error_string_n(err, buf, sizeof(buf));
+ errors_.emplace_front(buf);
+ }
+}
+
+voidCryptoErrorList::add(std::string error){
+ errors_.push_back(error);
+}
+
+std::optional<std::string> CryptoErrorList::pop_back(){
+if (errors_.empty()) return std::nullopt;
+ std::string error = errors_.back();
+ errors_.pop_back();
+return error;
+}
+
+std::optional<std::string> CryptoErrorList::pop_front(){
+if (errors_.empty()) return std::nullopt;
+ std::string error = errors_.front();
+ errors_.pop_front();
+return error;
+}
+
+// ============================================================================
+boolisFipsEnabled(){
+#if OPENSSL_VERSION_MAJOR >= 3
+returnEVP_default_properties_is_fips_enabled(nullptr) == 1;
+#else
+returnFIPS_mode() == 1;
+#endif
+}
+
+boolsetFipsEnabled(bool enable, CryptoErrorList* errors){
+if (isFipsEnabled() == enable) returntrue;
+ ClearErrorOnReturn clearErrorOnReturn(errors);
+#if OPENSSL_VERSION_MAJOR >= 3
+returnEVP_default_properties_enable_fips(nullptr, enable ? 1 : 0) == 1;
+#else
+returnFIPS_mode_set(enable ? 1 : 0) == 1;
+#endif
+}
+
+booltestFipsEnabled(){
+#if OPENSSL_VERSION_MAJOR >= 3
+ OSSL_PROVIDER* fips_provider = nullptr;
+if (OSSL_PROVIDER_available(nullptr, "fips")){
+ fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
+ }
+constauto enabled = fips_provider == nullptr ? 0 :
+OSSL_PROVIDER_self_test(fips_provider) ? 1 : 0;
+#else
+#ifdef OPENSSL_FIPS
+constauto enabled = FIPS_selftest() ? 1 : 0;
+#else// OPENSSL_FIPS
+constauto enabled = 0;
+#endif// OPENSSL_FIPS
+#endif
+
+return enabled;
+}
+
+// ============================================================================
+// Bignum
+BignumPointer::BignumPointer(BIGNUM* bignum) : bn_(bignum){}
+
+BignumPointer::BignumPointer(BignumPointer&& other) noexcept
+ : bn_(other.release()){}
+
+BignumPointer& BignumPointer::operator=(BignumPointer&& other) noexcept{
+if (this == &other) return *this;
+this->~BignumPointer();
+return *new (this) BignumPointer(std::move(other));
+}
+
+BignumPointer::~BignumPointer(){reset()}
+
+voidBignumPointer::reset(BIGNUM* bn){
+ bn_.reset(bn);
+}
+
+BIGNUM* BignumPointer::release(){
+return bn_.release();
+}
+
+size_tBignumPointer::byteLength(){
+if (bn_ == nullptr) return0;
+returnBN_num_bytes(bn_.get());
+}
+
+std::vector<uint8_t> BignumPointer::encode(){
+returnencodePadded(bn_.get(), byteLength());
+}
+
+std::vector<uint8_t> BignumPointer::encodePadded(size_t size){
+returnencodePadded(bn_.get(), size);
+}
+
+std::vector<uint8_t> BignumPointer::encode(const BIGNUM* bn){
+returnencodePadded(bn, bn != nullptr ? BN_num_bytes(bn) : 0);
+}
+
+std::vector<uint8_t> BignumPointer::encodePadded(const BIGNUM* bn, size_t s){
+if (bn == nullptr) return std::vector<uint8_t>(0);
+size_t size = std::max(s, static_cast<size_t>(BN_num_bytes(bn)));
+ std::vector<uint8_t> buf(size);
+BN_bn2binpad(bn, buf.data(), size);
+return buf;
+}
+
+bool BignumPointer::operator==(const BignumPointer& other) noexcept{
+if (bn_ == nullptr && other.bn_ != nullptr) returnfalse;
+if (bn_ != nullptr && other.bn_ == nullptr) returnfalse;
+if (bn_ == nullptr && other.bn_ == nullptr) returntrue;
+returnBN_cmp(bn_.get(), other.bn_.get()) == 0;
+}
+
+bool BignumPointer::operator==(const BIGNUM* other) noexcept{
+if (bn_ == nullptr && other != nullptr) returnfalse;
+if (bn_ != nullptr && other == nullptr) returnfalse;
+if (bn_ == nullptr && other == nullptr) returntrue;
+returnBN_cmp(bn_.get(), other) == 0;
+}
+
+// ============================================================================
+// Utility methods
+
+boolCSPRNG(void* buffer, size_t length){
+auto buf = reinterpret_cast<unsignedchar*>(buffer);
+do{
+if (1 == RAND_status()){
+#if OPENSSL_VERSION_MAJOR >= 3
+if (1 == RAND_bytes_ex(nullptr, buf, length, 0)){
+returntrue;
+ }
+#else
+while (length > INT_MAX && 1 == RAND_bytes(buf, INT_MAX)){
+ buf += INT_MAX;
+ length -= INT_MAX;
+ }
+if (length <= INT_MAX && 1 == RAND_bytes(buf, static_cast<int>(length)))
+returntrue;
+#endif
+ }
+#if OPENSSL_VERSION_MAJOR >= 3
+constauto code = ERR_peek_last_error();
+// A misconfigured OpenSSL 3 installation may report 1 from RAND_poll()
+// and RAND_status() but fail in RAND_bytes() if it cannot look up
+// a matching algorithm for the CSPRNG.
+if (ERR_GET_LIB(code) == ERR_LIB_RAND){
+constauto reason = ERR_GET_REASON(code);
+if (reason == RAND_R_ERROR_INSTANTIATING_DRBG ||
+ reason == RAND_R_UNABLE_TO_FETCH_DRBG ||
+ reason == RAND_R_UNABLE_TO_CREATE_DRBG){
+returnfalse;
+ }
+ }
+#endif
+ } while (1 == RAND_poll());
+
+returnfalse;
+}
+
+intNoPasswordCallback(char* buf, int size, int rwflag, void* u){
+return0;
+}
+
+intPasswordCallback(char* buf, int size, int rwflag, void* u){
+const Buffer* passphrase = static_cast<const Buffer*>(u);
+if (passphrase != nullptr){
+size_t buflen = static_cast<size_t>(size);
+size_t len = passphrase->len;
+if (buflen < len)
+return -1;
+memcpy(buf, reinterpret_cast<constchar*>(passphrase->data), len);
+return len;
+ }
+
+return -1;
+}
+
+} // namespace ncrypto

deps/ncrypto/ncrypto.gyp

@@ -0,0 +1,27 @@
+{
+'variables':{
+'ncrypto_sources': [
+'engine.cc',
+'ncrypto.cc',
+'ncrypto.h',
+ ],
+ },
+'targets': [
+{
+'target_name': 'ncrypto',
+'type': 'static_library',
+'include_dirs': ['.'],
+'direct_dependent_settings':{
+'include_dirs': ['.'],
+ },
+'sources': [ '<@(ncrypto_sources)' ],
+'conditions': [
+ ['node_shared_openssl=="false"',{
+'dependencies': [
+'../openssl/openssl.gyp:openssl'
+ ]
+ }],
+ ]
+ },
+ ]
+}