From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 From: Shelley Vohr Date: Wed, 12 Feb 2020 15:08:04 -0800 Subject: fix: handle BoringSSL and OpenSSL incompatibilities This patch corrects for imcompatibilities between OpenSSL, which Node.js uses, and BoringSSL which Electron uses via Chromium. Each incompatibility typically has ~2 paths forward: * Upstream a shim or adapted implementation to BoringSSL * Alter Node.js functionality to something which both libraries can handle. Where possible, we should seek to make this patch as minimal as possible. Upstreams: - https://github.com/nodejs/node/pull/39054 - https://github.com/nodejs/node/pull/39138 - https://github.com/nodejs/node/pull/39136 diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc index eb3533bb4623b152605c3c590f37f086cce5f073..ded231aeaa15af22845704cfcc7d24a44bd88f8e 100644 --- a/deps/ncrypto/ncrypto.cc +++ b/deps/ncrypto/ncrypto.cc @@ -6,13 +6,11 @@ #include #include #include +#include #include #if OPENSSL_VERSION_MAJOR >= 3 #include #endif -#ifdef OPENSSL_IS_BORINGSSL -#include "dh-primes.h" -#endif // OPENSSL_IS_BORINGSSL namespace ncrypto { namespace { @@ -665,7 +663,7 @@ bool SafeX509SubjectAltNamePrint(const BIOPointer& out, X509_EXTENSION* ext) { bool ok = true; - for (int i = 0; i < sk_GENERAL_NAME_num(names); i++) { + for (size_t i = 0; i < sk_GENERAL_NAME_num(names); i++) { GENERAL_NAME* gen = sk_GENERAL_NAME_value(names, i); if (i != 0) @@ -691,7 +689,7 @@ bool SafeX509InfoAccessPrint(const BIOPointer& out, X509_EXTENSION* ext) { bool ok = true; - for (int i = 0; i < sk_ACCESS_DESCRIPTION_num(descs); i++) { + for (size_t i = 0; i < sk_ACCESS_DESCRIPTION_num(descs); i++) { ACCESS_DESCRIPTION* desc = sk_ACCESS_DESCRIPTION_value(descs, i); if (i != 0) @@ -1002,7 +1000,11 @@ BIOPointer BIOPointer::NewMem() { } BIOPointer BIOPointer::NewSecMem() { +#ifdef OPENSSL_IS_BORINGSSL + return BIOPointer(BIO_new(BIO_s_mem())); +#else return BIOPointer(BIO_new(BIO_s_secmem())); +#endif } BIOPointer BIOPointer::New(const BIO_METHOD* method) { @@ -1057,8 +1059,10 @@ BignumPointer DHPointer::FindGroup(const std::string_view name, FindGroupOption option) { #define V(n, p) if (EqualNoCase(name, n)) return BignumPointer(p(nullptr)); if (option != FindGroupOption::NO_SMALL_PRIMES) { +#ifndef OPENSSL_IS_BORINGSSL V("modp1", BN_get_rfc2409_prime_768); V("modp2", BN_get_rfc2409_prime_1024); +#endif V("modp5", BN_get_rfc3526_prime_1536); } V("modp14", BN_get_rfc3526_prime_2048); @@ -1130,11 +1134,13 @@ DHPointer::CheckPublicKeyResult DHPointer::checkPublicKey(const BignumPointer& p int codes = 0; if (DH_check_pub_key(dh_.get(), pub_key.get(), &codes) != 1) return DHPointer::CheckPublicKeyResult::CHECK_FAILED; +#ifndef OPENSSL_IS_BORINGSSL if (codes & DH_CHECK_PUBKEY_TOO_SMALL) { return DHPointer::CheckPublicKeyResult::TOO_SMALL; } else if (codes & DH_CHECK_PUBKEY_TOO_SMALL) { return DHPointer::CheckPublicKeyResult::TOO_LARGE; - } else if (codes != 0) { +#endif + if (codes != 0) { return DHPointer::CheckPublicKeyResult::INVALID; } return CheckPublicKeyResult::NONE; diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h index 661c996889d0a89c1c38658a0933fcf5e3cdc1b9..1261d5d99fdf4e17b8dec66660028ce184f1cf89 100644 --- a/deps/ncrypto/ncrypto.h +++ b/deps/ncrypto/ncrypto.h @@ -413,8 +413,8 @@ public: #ifndef OPENSSL_IS_BORINGSSL TOO_SMALL = DH_R_CHECK_PUBKEY_TOO_SMALL, TOO_LARGE = DH_R_CHECK_PUBKEY_TOO_LARGE, - INVALID = DH_R_CHECK_PUBKEY_INVALID, #endif + INVALID = DH_R_INVALID_PUBKEY, CHECK_FAILED = 512, }; // Check to see if the given public key is suitable for this DH instance. diff --git a/deps/ncrypto/unofficial.gni b/deps/ncrypto/unofficial.gni index ea024af73e215b3cad5f08796ac405f419530c86..41061b524eea74330b8d2452635a38c48f21386b 100644 --- a/deps/ncrypto/unofficial.gni +++ b/deps/ncrypto/unofficial.gni @@ -27,6 +27,6 @@ template("ncrypto_gn_build") { forward_variables_from(invoker, "*") public_configs = [ ":ncrypto_config" ] sources = gypi_values.ncrypto_sources - deps = [ "../openssl" ] + deps = [ "$node_crypto_path" ] } } diff --git a/node.gni b/node.gni index 32709b860ccb12d8d1e75342a65dda0b86129b21..18d58591e3d0f1f3512db00033c3410a65702864 100644 --- a/node.gni +++ b/node.gni @@ -10,6 +10,8 @@ declare_args() { # The location of V8, use the one from node's deps by default. node_v8_path = "//v8" + node_crypto_path = "//third_party/boringssl" + # The NODE_MODULE_VERSION defined in node_version.h. node_module_version = exec_script("$node_path/tools/getmoduleversion.py", [], "value") diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc index fe35a8e0f6bbb7ab515a0343a7ed046c44e86474..43a7abbf237d8d809953e302b83755a3283a1bf4 100644 --- a/src/crypto/crypto_cipher.cc +++ b/src/crypto/crypto_cipher.cc @@ -1078,7 +1078,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { if (EVP_PKEY_decrypt_init(ctx.get()) <= 0) { return ThrowCryptoError(env, ERR_get_error()); } - +#ifndef OPENSSL_IS_BORINGSSL int rsa_pkcs1_implicit_rejection = EVP_PKEY_CTX_ctrl_str(ctx.get(), "rsa_pkcs1_implicit_rejection", "1"); // From the doc -2 means that the option is not supported. @@ -1094,6 +1094,7 @@ void PublicKeyCipher::Cipher(const FunctionCallbackInfo& args) { "RSA_PKCS1_PADDING is no longer supported for private decryption," " this can be reverted with --security-revert=CVE-2024-PEND"); } +#endif } const EVP_MD* digest = nullptr; diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc index 6a967702b22df0eb8aa10e853fd232794955860d..31058cccc6ffeed6b09aaecda320ee2f15849ec8 100644 --- a/src/crypto/crypto_common.cc +++ b/src/crypto/crypto_common.cc @@ -134,7 +134,7 @@ const char* GetClientHelloALPN(const SSLPointer& ssl) { const unsigned char* buf; size_t len; size_t rem; - +#ifndef OPENSSL_IS_BORINGSSL if (!SSL_client_hello_get0_ext( ssl.get(), TLSEXT_TYPE_application_layer_protocol_negotiation, @@ -147,13 +147,15 @@ const char* GetClientHelloALPN(const SSLPointer& ssl) { len = (buf[0] << 8) | buf[1]; if (len + 2 != rem) return nullptr; return reinterpret_cast(buf + 3); +#endif + return nullptr; } const char* GetClientHelloServerName(const SSLPointer& ssl) { const unsigned char* buf; size_t len; size_t rem; - +#ifndef OPENSSL_IS_BORINGSSL if (!SSL_client_hello_get0_ext( ssl.get(), TLSEXT_TYPE_server_name, @@ -175,6 +177,8 @@ const char* GetClientHelloServerName(const SSLPointer& ssl) { if (len + 2 > rem) return nullptr; return reinterpret_cast(buf + 5); +#endif + return nullptr; } const char* GetServerName(SSL* ssl) { @@ -282,7 +286,7 @@ StackOfX509 CloneSSLCerts(X509Pointer&& cert, if (!peer_certs) return StackOfX509(); if (cert && !sk_X509_push(peer_certs.get(), cert.release())) return StackOfX509(); - for (int i = 0; i < sk_X509_num(ssl_certs); i++) { + for (size_t i = 0; i < sk_X509_num(ssl_certs); i++) { X509Pointer cert(X509_dup(sk_X509_value(ssl_certs, i))); if (!cert || !sk_X509_push(peer_certs.get(), cert.get())) return StackOfX509(); @@ -298,7 +302,7 @@ MaybeLocal AddIssuerChainToObject(X509Pointer* cert, Environment* const env) { cert->reset(sk_X509_delete(peer_certs.get(), 0)); for (;;) { - int i; + size_t i; for (i = 0; i < sk_X509_num(peer_certs.get()); i++) { ncrypto::X509View ca(sk_X509_value(peer_certs.get(), i)); if (!cert->view().isIssuedBy(ca)) continue; @@ -384,14 +388,14 @@ MaybeLocal GetClientHelloCiphers( Environment* env, const SSLPointer& ssl) { EscapableHandleScope scope(env->isolate()); - const unsigned char* buf; - size_t len = SSL_client_hello_get0_ciphers(ssl.get(), &buf); + // const unsigned char* buf = nullptr; + size_t len = 0; // SSL_client_hello_get0_ciphers(ssl.get(), &buf); size_t count = len / 2; MaybeStackBuffer, 16> ciphers(count); int j = 0; for (size_t n = 0; n < len; n += 2) { - const SSL_CIPHER* cipher = SSL_CIPHER_find(ssl.get(), buf); - buf += 2; + const SSL_CIPHER* cipher = nullptr; // SSL_CIPHER_find(ssl.get(), buf); + // buf += 2; Local obj = Object::New(env->isolate()); if (!Set(env->context(), obj, @@ -444,8 +448,11 @@ MaybeLocal GetEphemeralKey(Environment* env, const SSLPointer& ssl) { EscapableHandleScope scope(env->isolate()); Local info = Object::New(env->isolate()); +#ifndef OPENSSL_IS_BORINGSSL if (!SSL_get_peer_tmp_key(ssl.get(), &raw_key)) return scope.Escape(info); - +#else + if (!SSL_get_server_tmp_key(ssl.get(), &raw_key)) return scope.Escape(info); +#endif Local context = env->context(); crypto::EVPKeyPointer key(raw_key); diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc index c924a54639e8c22d765dc240dffacfffb200ca0c..287afcc792a0a2b7e19126ee9a48ebe21cc8844e 100644 --- a/src/crypto/crypto_context.cc +++ b/src/crypto/crypto_context.cc @@ -94,7 +94,7 @@ int SSL_CTX_use_certificate_chain(SSL_CTX* ctx, // the CA certificates. SSL_CTX_clear_extra_chain_certs(ctx); - for (int i = 0; i < sk_X509_num(extra_certs); i++) { + for (size_t i = 0; i < sk_X509_num(extra_certs); i++) { X509* ca = sk_X509_value(extra_certs, i); // NOTE: Increments reference count on `ca` @@ -920,11 +920,12 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo& args) { // If the user specified "auto" for dhparams, the JavaScript layer will pass // true to this function instead of the original string. Any other string // value will be interpreted as custom DH parameters below. +#ifndef OPENSSL_IS_BORINGSSL if (args[0]->IsTrue()) { CHECK(SSL_CTX_set_dh_auto(sc->ctx_.get(), true)); return; } - +#endif DHPointer dh; { BIOPointer bio(LoadBIO(env, args[0])); @@ -1150,7 +1151,7 @@ void SecureContext::LoadPKCS12(const FunctionCallbackInfo& args) { } // Add CA certs too - for (int i = 0; i < sk_X509_num(extra_certs.get()); i++) { + for (size_t i = 0; i < sk_X509_num(extra_certs.get()); i++) { X509* ca = sk_X509_value(extra_certs.get(), i); X509_STORE_add_cert(sc->GetCertStoreOwnedByThisSecureContext(), ca); diff --git a/src/crypto/crypto_dh.cc b/src/crypto/crypto_dh.cc index e5664dfa2bc7e11922fa965f28acdf21470d1147..33ffbbb85d05f5356183e3aa1ca23707c5629b5d 100644 --- a/src/crypto/crypto_dh.cc +++ b/src/crypto/crypto_dh.cc @@ -7,7 +7,9 @@ #include "memory_tracker-inl.h" #include "ncrypto.h" #include "node_errors.h" +#ifndef OPENSSL_IS_BORINGSSL #include "openssl/bnerr.h" +#endif #include "openssl/dh.h" #include "threadpoolwork-inl.h" #include "v8.h" @@ -86,11 +88,7 @@ void New(const FunctionCallbackInfo& args) { if (args[0]->IsInt32()) { int32_t bits = args[0].As()->Value(); if (bits < 2) { -#if OPENSSL_VERSION_MAJOR >= 3 - ERR_put_error(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_SMALL, __FILE__, __LINE__); -#else - ERR_put_error(ERR_LIB_BN, 0, BN_R_BITS_TOO_SMALL, __FILE__, __LINE__); -#endif + OPENSSL_PUT_ERROR(BN, BN_R_BITS_TOO_SMALL); return ThrowCryptoError(env, ERR_get_error(), "Invalid prime length"); } @@ -103,7 +101,7 @@ void New(const FunctionCallbackInfo& args) { } int32_t generator = args[1].As()->Value(); if (generator < 2) { - ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } @@ -132,12 +130,12 @@ void New(const FunctionCallbackInfo& args) { if (args[1]->IsInt32()) { int32_t generator = args[1].As()->Value(); if (generator < 2) { - ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } bn_g = BignumPointer::New(); if (!bn_g.setWord(generator)) { - ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } } else { @@ -146,11 +144,11 @@ void New(const FunctionCallbackInfo& args) { return THROW_ERR_OUT_OF_RANGE(env, "generator is too big"); bn_g = BignumPointer(reinterpret_cast(arg1.data()), arg1.size()); if (!bn_g) { - ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } if (bn_g.getWord() < 2) { - ERR_put_error(ERR_LIB_DH, 0, DH_R_BAD_GENERATOR, __FILE__, __LINE__); + OPENSSL_PUT_ERROR(DH, DH_R_BAD_GENERATOR); return ThrowCryptoError(env, ERR_get_error(), "Invalid generator"); } } @@ -258,15 +256,17 @@ void ComputeSecret(const FunctionCallbackInfo& args) { BignumPointer key(key_buf.data(), key_buf.size()); switch (dh.checkPublicKey(key)) { - case DHPointer::CheckPublicKeyResult::INVALID: - // Fall-through case DHPointer::CheckPublicKeyResult::CHECK_FAILED: return THROW_ERR_CRYPTO_INVALID_KEYTYPE(env, "Unspecified validation error"); +#ifndef OPENSSL_IS_BORINGSSL case DHPointer::CheckPublicKeyResult::TOO_SMALL: return THROW_ERR_CRYPTO_INVALID_KEYLEN(env, "Supplied key is too small"); case DHPointer::CheckPublicKeyResult::TOO_LARGE: return THROW_ERR_CRYPTO_INVALID_KEYLEN(env, "Supplied key is too large"); +#endif + case DHPointer::CheckPublicKeyResult::INVALID: + return THROW_ERR_CRYPTO_INVALID_KEYTYPE(env, "Supplied key is invalid"); case DHPointer::CheckPublicKeyResult::NONE: break; } @@ -398,9 +398,11 @@ EVPKeyCtxPointer DhKeyGenTraits::Setup(DhKeyPairGenConfig* params) { key_params = EVPKeyPointer(EVP_PKEY_new()); CHECK(key_params); CHECK_EQ(EVP_PKEY_assign_DH(key_params.get(), dh.release()), 1); - } else if (int* prime_size = std::get_if(¶ms->params.prime)) { + } else if (std::get_if(¶ms->params.prime)) { EVPKeyCtxPointer param_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DH, nullptr)); EVP_PKEY* raw_params = nullptr; +#ifndef OPENSSL_IS_BORINGSSL + int* prime_size = std::get_if(¶ms->params.prime); if (!param_ctx || EVP_PKEY_paramgen_init(param_ctx.get()) <= 0 || EVP_PKEY_CTX_set_dh_paramgen_prime_len( @@ -414,6 +416,9 @@ EVPKeyCtxPointer DhKeyGenTraits::Setup(DhKeyPairGenConfig* params) { } key_params = EVPKeyPointer(raw_params); +#else + return EVPKeyCtxPointer(); +#endif } else { UNREACHABLE(); } diff --git a/src/crypto/crypto_dsa.cc b/src/crypto/crypto_dsa.cc index 5d081863cf2dcdcf8c2d09db6060eeb5e78c452f..67523ec1c406e345945e1dde663c784c43a1c624 100644 --- a/src/crypto/crypto_dsa.cc +++ b/src/crypto/crypto_dsa.cc @@ -40,7 +40,7 @@ namespace crypto { EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) { EVPKeyCtxPointer param_ctx(EVP_PKEY_CTX_new_id(EVP_PKEY_DSA, nullptr)); EVP_PKEY* raw_params = nullptr; - +#ifndef OPENSSL_IS_BORINGSSL if (!param_ctx || EVP_PKEY_paramgen_init(param_ctx.get()) <= 0 || EVP_PKEY_CTX_set_dsa_paramgen_bits( @@ -55,7 +55,9 @@ EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) { return EVPKeyCtxPointer(); } } - +#else + return EVPKeyCtxPointer(); +#endif if (EVP_PKEY_paramgen(param_ctx.get(), &raw_params) <= 0) return EVPKeyCtxPointer(); diff --git a/src/crypto/crypto_keys.cc b/src/crypto/crypto_keys.cc index 8488fc57faaf722174032c5a927d150c76120d60..c51efc92d4818ee7701b4725585fb7e1d2d644ad 100644 --- a/src/crypto/crypto_keys.cc +++ b/src/crypto/crypto_keys.cc @@ -1204,6 +1204,7 @@ void KeyObjectHandle::GetAsymmetricKeyType( } bool KeyObjectHandle::CheckEcKeyData() const { +#ifndef OPENSSL_IS_BORINGSSL MarkPopErrorOnReturn mark_pop_error_on_return; const auto& key = data_.GetAsymmetricKey(); @@ -1220,6 +1221,9 @@ bool KeyObjectHandle::CheckEcKeyData() const { #else return EVP_PKEY_public_check(ctx.get()) == 1; #endif +#else + return true; +#endif } void KeyObjectHandle::CheckEcKeyData(const FunctionCallbackInfo& args) { diff --git a/src/crypto/crypto_random.cc b/src/crypto/crypto_random.cc index b59e394d9a7e2c19fdf1f2b0177753ff488da0fa..91218f49da5392c6f769495ee7f9275a47ce09b1 100644 --- a/src/crypto/crypto_random.cc +++ b/src/crypto/crypto_random.cc @@ -134,7 +134,7 @@ Maybe RandomPrimeTraits::AdditionalConfig( params->bits = bits; params->safe = safe; - params->prime = BignumPointer::NewSecure(); + params->prime = BignumPointer::New(); if (!params->prime) { THROW_ERR_CRYPTO_OPERATION_FAILED(env, "could not generate prime"); return Nothing(); diff --git a/src/crypto/crypto_rsa.cc b/src/crypto/crypto_rsa.cc index 02e8e24b4054afd4c3ca797c19a78927319a0d9e..d2a931a3f8f9490fe17ef8a82d0204ee2cca409d 100644 --- a/src/crypto/crypto_rsa.cc +++ b/src/crypto/crypto_rsa.cc @@ -608,10 +608,11 @@ Maybe GetRsaKeyDetail(Environment* env, } if (params->saltLength != nullptr) { - if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) { - ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error"); - return Nothing(); - } + // TODO(codebytere): Upstream a shim to BoringSSL? + // if (ASN1_INTEGER_get_int64(&salt_length, params->saltLength) != 1) { + // ThrowCryptoError(env, ERR_get_error(), "ASN1_INTEGER_get_in64 error"); + // return Nothing(); + // } } if (target diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc index 793c196f8ce538c66b20611d00e12392ff9e878b..ee81048caab4ccfe26ea9e677782c9c955d162a9 100644 --- a/src/crypto/crypto_util.cc +++ b/src/crypto/crypto_util.cc @@ -495,24 +495,15 @@ Maybe Decorate(Environment* env, V(BIO) \ V(PKCS7) \ V(X509V3) \ - V(PKCS12) \ V(RAND) \ - V(DSO) \ V(ENGINE) \ V(OCSP) \ V(UI) \ V(COMP) \ V(ECDSA) \ V(ECDH) \ - V(OSSL_STORE) \ - V(FIPS) \ - V(CMS) \ - V(TS) \ V(HMAC) \ - V(CT) \ - V(ASYNC) \ - V(KDF) \ - V(SM2) \ + V(HKDF) \ V(USER) \ #define V(name) case ERR_LIB_##name: lib = #name "_"; break; @@ -654,7 +645,7 @@ void SecureBuffer(const FunctionCallbackInfo& args) { CHECK(args[0]->IsUint32()); Environment* env = Environment::GetCurrent(args); uint32_t len = args[0].As()->Value(); - void* data = OPENSSL_secure_zalloc(len); + void* data = OPENSSL_malloc(len); if (data == nullptr) { // There's no memory available for the allocation. // Return nothing. @@ -665,7 +656,7 @@ void SecureBuffer(const FunctionCallbackInfo& args) { data, len, [](void* data, size_t len, void* deleter_data) { - OPENSSL_secure_clear_free(data, len); + OPENSSL_clear_free(data, len); }, data); Local buffer = ArrayBuffer::New(env->isolate(), store); @@ -673,10 +664,12 @@ void SecureBuffer(const FunctionCallbackInfo& args) { } void SecureHeapUsed(const FunctionCallbackInfo& args) { +#ifndef OPENSSL_IS_BORINGSSL Environment* env = Environment::GetCurrent(args); if (CRYPTO_secure_malloc_initialized()) args.GetReturnValue().Set( BigInt::New(env->isolate(), CRYPTO_secure_used())); +#endif } } // namespace diff --git a/src/env.h b/src/env.h index fc8dbd615255851cad90e1d8ffe225f5e0c6a718..49ca9c0042ccf22ad1fffa54f05fd443cbc681ba 100644 --- a/src/env.h +++ b/src/env.h @@ -50,7 +50,7 @@ #include "uv.h" #include "v8.h" -#if HAVE_OPENSSL +#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 #include #endif @@ -1073,7 +1073,7 @@ class Environment final : public MemoryRetainer { kExitInfoFieldCount }; -#if HAVE_OPENSSL +#if HAVE_OPENSSL// && !defined(OPENSSL_IS_BORINGSSL) #if OPENSSL_VERSION_MAJOR >= 3 // We declare another alias here to avoid having to include crypto_util.h using EVPMDPointer = DeleteFnPtr; diff --git a/src/node_metadata.h b/src/node_metadata.h index c59e65ad1fe3fac23f1fc25ca77e6133d1ccaccd..f2f07434e076e2977755ef7dac7d489aedb760b0 100644 --- a/src/node_metadata.h +++ b/src/node_metadata.h @@ -6,7 +6,7 @@ #include #include "node_version.h" -#if HAVE_OPENSSL +#if 0 #include #if NODE_OPENSSL_HAS_QUIC #include diff --git a/src/node_options.cc b/src/node_options.cc index cfc599ec9a6197231c3469d318f02c620cdb03a8..29630fcccc3bd9d24ad6aec64bef2fedfc3c4031 100644 --- a/src/node_options.cc +++ b/src/node_options.cc @@ -6,7 +6,7 @@ #include "node_external_reference.h" #include "node_internals.h" #include "node_sea.h" -#if HAVE_OPENSSL +#if HAVE_OPENSSL && !defined(OPENSSL_IS_BORINGSSL) #include "openssl/opensslv.h" #endif diff --git a/src/node_options.h b/src/node_options.h index 9e656a2815045aa5da7eb267708c03058be9f362..600e0850f01e01024414d42b25605f256200540a 100644 --- a/src/node_options.h +++ b/src/node_options.h @@ -11,7 +11,7 @@ #include "node_mutex.h" #include "util.h" -#if HAVE_OPENSSL +#if 0 #include "openssl/opensslv.h" #endif diff --git a/unofficial.gni b/unofficial.gni index de6ff5548ca5282199b7d85c11941c1fa351a9d9..3d8b7957e791ce2fa2a8d0937a87b6010087803d 100644 --- a/unofficial.gni +++ b/unofficial.gni @@ -145,7 +145,6 @@ template("node_gn_build") { ] deps = [ ":run_node_js2c", - "deps/brotli", "deps/cares", "deps/histogram", "deps/llhttp", @@ -156,6 +155,8 @@ template("node_gn_build") { "deps/sqlite", "deps/uvwasi", "//third_party/zlib", + "//third_party/brotli:dec", + "//third_party/brotli:enc", "$node_v8_path:v8_libplatform", ] @@ -182,10 +183,8 @@ template("node_gn_build") { deps += [ "//third_party/icu" ] } if (node_use_openssl) { - deps += [ - "deps/ncrypto", - "//third_party/boringssl" - ] + deps += [ "deps/ncrypto" ] + public_deps += [ "$node_crypto_path" ] sources += gypi_values.node_crypto_sources } if (node_enable_inspector) {