diff --git a/patches/boringssl/.patches b/patches/boringssl/.patches index 1bea01e3e02f5..9dffabe3d9651 100644 --- a/patches/boringssl/.patches +++ b/patches/boringssl/.patches @@ -1,6 +1,3 @@ expose_ripemd160.patch -expose_aes-cfb.patch -expose_des-ede3.patch -fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch -expose_blowfish_ciphers.patch revert_track_ssl_error_zero_return_explicitly.patch +feat_expose_several_extra_cipher_functions.patch diff --git a/patches/boringssl/expose_aes-cfb.patch b/patches/boringssl/expose_aes-cfb.patch deleted file mode 100644 index 4dd7bf3702303..0000000000000 --- a/patches/boringssl/expose_aes-cfb.patch +++ /dev/null @@ -1,71 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Jeremy Apthorp -Date: Fri, 18 Jan 2019 14:23:28 -0800 -Subject: expose aes-{128,256}-cfb - -This exposes AES-CFB ciphers through the EVP APIs. BoringSSL has -implementations for these ciphers, but Node doesn't realise that because -without this patch, they're not listed in the APIs that Node uses. - -This should be upstreamed. See e.g. -https://boringssl-review.googlesource.com/c/boringssl/+/33984 for a -similar patch that was merged upstream. - -diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c -index 62850ab6a216d401d023f81007fb59a33b4585f3..0c30b0329d32b94b22f342f95035e927797d0aaf 100644 ---- a/crypto/cipher_extra/cipher_extra.c -+++ b/crypto/cipher_extra/cipher_extra.c -@@ -73,6 +73,7 @@ static const struct { - const EVP_CIPHER *(*func)(void); - } kCiphers[] = { - {NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc}, -+ {NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb128}, - {NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr}, - {NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb}, - {NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm}, -@@ -83,6 +84,7 @@ static const struct { - {NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm}, - {NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb}, - {NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc}, -+ {NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb128}, - {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr}, - {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb}, - {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, -diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c -index 852b76bea69988e0b3ac76a17b603128f239dde0..d443f4dc2daea0b7aa86ae75d31d995fae667ba9 100644 ---- a/decrepit/evp/evp_do_all.c -+++ b/decrepit/evp/evp_do_all.c -@@ -20,8 +20,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, - const char *unused, void *arg), - void *arg) { - callback(EVP_aes_128_cbc(), "AES-128-CBC", NULL, arg); -+ callback(EVP_aes_128_cfb128(), "AES-128-CFB", NULL, arg); - callback(EVP_aes_192_cbc(), "AES-192-CBC", NULL, arg); - callback(EVP_aes_256_cbc(), "AES-256-CBC", NULL, arg); -+ callback(EVP_aes_256_cfb128(), "AES-256-CFB", NULL, arg); - callback(EVP_aes_128_ctr(), "AES-128-CTR", NULL, arg); - callback(EVP_aes_192_ctr(), "AES-192-CTR", NULL, arg); - callback(EVP_aes_256_ctr(), "AES-256-CTR", NULL, arg); -@@ -44,8 +46,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, - - // OpenSSL returns everything twice, the second time in lower case. - callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg); -+ callback(EVP_aes_128_cfb128(), "aes-128-cfb", NULL, arg); - callback(EVP_aes_192_cbc(), "aes-192-cbc", NULL, arg); - callback(EVP_aes_256_cbc(), "aes-256-cbc", NULL, arg); -+ callback(EVP_aes_256_cfb128(), "aes-256-cfb", NULL, arg); - callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg); - callback(EVP_aes_192_ctr(), "aes-192-ctr", NULL, arg); - callback(EVP_aes_256_ctr(), "aes-256-ctr", NULL, arg); -diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h -index 310d7c237fd884ba715e3fa97ccf1393b6d04fbb..66e69d487fbb767438b7d0dfdf3770f54e3cf7b2 100644 ---- a/include/openssl/cipher.h -+++ b/include/openssl/cipher.h -@@ -476,6 +476,7 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void); - - // EVP_aes_128_cfb128 is only available in decrepit. - OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void); -+OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void); - - // EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in - // decrepit. diff --git a/patches/boringssl/expose_blowfish_ciphers.patch b/patches/boringssl/expose_blowfish_ciphers.patch deleted file mode 100644 index cb6239201dc4d..0000000000000 --- a/patches/boringssl/expose_blowfish_ciphers.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Jeremy Rose -Date: Wed, 5 Jan 2022 13:08:10 -0800 -Subject: expose blowfish ciphers - -This exposes the (decrepit) blowfish cipher family, bf-cbc, bf-cfb and -bf-ecb through the EVP interface. This adds references to decrepit code -from non-decrepit code, so upstream is unlikely to take the patch. - -diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c -index cfdb69e3c556fea11aa7c2d28d4b7da524df15c3..95bd172c99874610ec9157c52df4fe0232e78c7f 100644 ---- a/crypto/cipher_extra/cipher_extra.c -+++ b/crypto/cipher_extra/cipher_extra.c -@@ -89,6 +89,9 @@ static const struct { - {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb}, - {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, - {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb}, -+ {NID_bf_cbc, "bf-cbc", EVP_bf_cbc}, -+ {NID_bf_cfb64, "bf-cfb", EVP_bf_cfb}, -+ {NID_bf_ecb, "bf-ecb", EVP_bf_ecb}, - {NID_des_cbc, "des-cbc", EVP_des_cbc}, - {NID_des_ecb, "des-ecb", EVP_des_ecb}, - {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc}, -diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c -index 5e71420b765019edea82a33884ace539cd91bda5..43fc792697519325725e9ce87801c5dc176c70a1 100644 ---- a/decrepit/evp/evp_do_all.c -+++ b/decrepit/evp/evp_do_all.c -@@ -36,6 +36,9 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, - callback(EVP_aes_128_gcm(), "AES-128-GCM", NULL, arg); - callback(EVP_aes_192_gcm(), "AES-192-GCM", NULL, arg); - callback(EVP_aes_256_gcm(), "AES-256-GCM", NULL, arg); -+ callback(EVP_bf_cbc(), "BF-CBC", NULL, arg); -+ callback(EVP_bf_cfb(), "BF-CFB", NULL, arg); -+ callback(EVP_bf_ecb(), "BF-ECB", NULL, arg); - callback(EVP_des_cbc(), "DES-CBC", NULL, arg); - callback(EVP_des_ecb(), "DES-ECB", NULL, arg); - callback(EVP_des_ede(), "DES-EDE", NULL, arg); -@@ -63,6 +66,9 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, - callback(EVP_aes_128_gcm(), "aes-128-gcm", NULL, arg); - callback(EVP_aes_192_gcm(), "aes-192-gcm", NULL, arg); - callback(EVP_aes_256_gcm(), "aes-256-gcm", NULL, arg); -+ callback(EVP_bf_cbc(), "bf-cbc", NULL, arg); -+ callback(EVP_bf_cfb(), "bf-cfb", NULL, arg); -+ callback(EVP_bf_ecb(), "bf-ecb", NULL, arg); - callback(EVP_des_cbc(), "des-cbc", NULL, arg); - callback(EVP_des_ecb(), "des-ecb", NULL, arg); - callback(EVP_des_ede(), "des-ede", NULL, arg); diff --git a/patches/boringssl/expose_des-ede3.patch b/patches/boringssl/expose_des-ede3.patch deleted file mode 100644 index f39665f422805..0000000000000 --- a/patches/boringssl/expose_des-ede3.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Jeremy Rose -Date: Wed, 24 Feb 2021 11:08:34 -0800 -Subject: expose des-ede3 - -This should be upstreamed. - -diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c -index 0c30b0329d32b94b22f342f95035e927797d0aaf..d97f67fb03756169446edf6b41d3a33fe3ae8205 100644 ---- a/crypto/cipher_extra/cipher_extra.c -+++ b/crypto/cipher_extra/cipher_extra.c -@@ -93,6 +93,7 @@ static const struct { - {NID_des_ecb, "des-ecb", EVP_des_ecb}, - {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc}, - {NID_des_ede_ecb, "des-ede", EVP_des_ede}, -+ {NID_des_ede3_ecb, "des-ede3", EVP_des_ede3}, - {NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc}, - {NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc}, - {NID_rc4, "rc4", EVP_rc4}, -diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c -index d443f4dc2daea0b7aa86ae75d31d995fae667ba9..5e71420b765019edea82a33884ace539cd91bda5 100644 ---- a/decrepit/evp/evp_do_all.c -+++ b/decrepit/evp/evp_do_all.c -@@ -39,6 +39,7 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, - callback(EVP_des_cbc(), "DES-CBC", NULL, arg); - callback(EVP_des_ecb(), "DES-ECB", NULL, arg); - callback(EVP_des_ede(), "DES-EDE", NULL, arg); -+ callback(EVP_des_ede3(), "DES-EDE3", NULL, arg); - callback(EVP_des_ede_cbc(), "DES-EDE-CBC", NULL, arg); - callback(EVP_des_ede3_cbc(), "DES-EDE3-CBC", NULL, arg); - callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg); -@@ -65,6 +66,7 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, - callback(EVP_des_cbc(), "des-cbc", NULL, arg); - callback(EVP_des_ecb(), "des-ecb", NULL, arg); - callback(EVP_des_ede(), "des-ede", NULL, arg); -+ callback(EVP_des_ede3(), "des-ede3", NULL, arg); - callback(EVP_des_ede_cbc(), "des-ede-cbc", NULL, arg); - callback(EVP_des_ede3_cbc(), "des-ede3-cbc", NULL, arg); - callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg); diff --git a/patches/boringssl/feat_expose_several_extra_cipher_functions.patch b/patches/boringssl/feat_expose_several_extra_cipher_functions.patch new file mode 100644 index 0000000000000..83900671a84cc --- /dev/null +++ b/patches/boringssl/feat_expose_several_extra_cipher_functions.patch @@ -0,0 +1,131 @@ +From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 +From: Shelley Vohr +Date: Wed, 31 May 2023 11:36:48 +0200 +Subject: feat: expose several extra cipher functions + +This patch exposes the following ciphers: + +AES_CFB Ciphers: aes-128-cfb, aes-256-cfb + +Implementations for these ciphers exist but aren't exposed, so they're +unusable without this patch. We should upstream this as similar +patches for implemented cipher functions have been accepted. + +Blowfish Ciphers: bf-cbc, bf-cfb, bf-ecb + +The addition of Blowfish ciphers adds references decrepit code +from non-decrepit code, so upstream is unlikely to take the patch. + +DES Ciphers: des-ede3 + +An implementation for this cipher exists but isn't exposed, so it's +unusable without this patch. Akin to the AES_CFB exposures, we should +upstream this as similar patches for implemented cipher functions have +been accepted. + +RC2 Ciphers: rc2-40-cbc + +It's unclear whether this would be accepted upstream. We should try regardless. + +diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c +index 62850ab6a216d401d023f81007fb59a33b4585f3..95bd172c99874610ec9157c52df4fe0232e78c7f 100644 +--- a/crypto/cipher_extra/cipher_extra.c ++++ b/crypto/cipher_extra/cipher_extra.c +@@ -73,6 +73,7 @@ static const struct { + const EVP_CIPHER *(*func)(void); + } kCiphers[] = { + {NID_aes_128_cbc, "aes-128-cbc", EVP_aes_128_cbc}, ++ {NID_aes_128_cfb128, "aes-128-cfb", EVP_aes_128_cfb128}, + {NID_aes_128_ctr, "aes-128-ctr", EVP_aes_128_ctr}, + {NID_aes_128_ecb, "aes-128-ecb", EVP_aes_128_ecb}, + {NID_aes_128_gcm, "aes-128-gcm", EVP_aes_128_gcm}, +@@ -83,17 +84,23 @@ static const struct { + {NID_aes_192_gcm, "aes-192-gcm", EVP_aes_192_gcm}, + {NID_aes_192_ofb128, "aes-192-ofb", EVP_aes_192_ofb}, + {NID_aes_256_cbc, "aes-256-cbc", EVP_aes_256_cbc}, ++ {NID_aes_256_cfb128, "aes-256-cfb", EVP_aes_256_cfb128}, + {NID_aes_256_ctr, "aes-256-ctr", EVP_aes_256_ctr}, + {NID_aes_256_ecb, "aes-256-ecb", EVP_aes_256_ecb}, + {NID_aes_256_gcm, "aes-256-gcm", EVP_aes_256_gcm}, + {NID_aes_256_ofb128, "aes-256-ofb", EVP_aes_256_ofb}, ++ {NID_bf_cbc, "bf-cbc", EVP_bf_cbc}, ++ {NID_bf_cfb64, "bf-cfb", EVP_bf_cfb}, ++ {NID_bf_ecb, "bf-ecb", EVP_bf_ecb}, + {NID_des_cbc, "des-cbc", EVP_des_cbc}, + {NID_des_ecb, "des-ecb", EVP_des_ecb}, + {NID_des_ede_cbc, "des-ede-cbc", EVP_des_ede_cbc}, + {NID_des_ede_ecb, "des-ede", EVP_des_ede}, ++ {NID_des_ede3_ecb, "des-ede3", EVP_des_ede3}, + {NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc}, + {NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc}, + {NID_rc4, "rc4", EVP_rc4}, ++ {NID_rc2_40_cbc, "rc2-40-cbc", EVP_rc2_40_cbc} + }; + + const EVP_CIPHER *EVP_get_cipherbynid(int nid) { +diff --git a/decrepit/evp/evp_do_all.c b/decrepit/evp/evp_do_all.c +index 852b76bea69988e0b3ac76a17b603128f239dde0..43fc792697519325725e9ce87801c5dc176c70a1 100644 +--- a/decrepit/evp/evp_do_all.c ++++ b/decrepit/evp/evp_do_all.c +@@ -20,8 +20,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, + const char *unused, void *arg), + void *arg) { + callback(EVP_aes_128_cbc(), "AES-128-CBC", NULL, arg); ++ callback(EVP_aes_128_cfb128(), "AES-128-CFB", NULL, arg); + callback(EVP_aes_192_cbc(), "AES-192-CBC", NULL, arg); + callback(EVP_aes_256_cbc(), "AES-256-CBC", NULL, arg); ++ callback(EVP_aes_256_cfb128(), "AES-256-CFB", NULL, arg); + callback(EVP_aes_128_ctr(), "AES-128-CTR", NULL, arg); + callback(EVP_aes_192_ctr(), "AES-192-CTR", NULL, arg); + callback(EVP_aes_256_ctr(), "AES-256-CTR", NULL, arg); +@@ -34,9 +36,13 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, + callback(EVP_aes_128_gcm(), "AES-128-GCM", NULL, arg); + callback(EVP_aes_192_gcm(), "AES-192-GCM", NULL, arg); + callback(EVP_aes_256_gcm(), "AES-256-GCM", NULL, arg); ++ callback(EVP_bf_cbc(), "BF-CBC", NULL, arg); ++ callback(EVP_bf_cfb(), "BF-CFB", NULL, arg); ++ callback(EVP_bf_ecb(), "BF-ECB", NULL, arg); + callback(EVP_des_cbc(), "DES-CBC", NULL, arg); + callback(EVP_des_ecb(), "DES-ECB", NULL, arg); + callback(EVP_des_ede(), "DES-EDE", NULL, arg); ++ callback(EVP_des_ede3(), "DES-EDE3", NULL, arg); + callback(EVP_des_ede_cbc(), "DES-EDE-CBC", NULL, arg); + callback(EVP_des_ede3_cbc(), "DES-EDE3-CBC", NULL, arg); + callback(EVP_rc2_cbc(), "RC2-CBC", NULL, arg); +@@ -44,8 +50,10 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, + + // OpenSSL returns everything twice, the second time in lower case. + callback(EVP_aes_128_cbc(), "aes-128-cbc", NULL, arg); ++ callback(EVP_aes_128_cfb128(), "aes-128-cfb", NULL, arg); + callback(EVP_aes_192_cbc(), "aes-192-cbc", NULL, arg); + callback(EVP_aes_256_cbc(), "aes-256-cbc", NULL, arg); ++ callback(EVP_aes_256_cfb128(), "aes-256-cfb", NULL, arg); + callback(EVP_aes_128_ctr(), "aes-128-ctr", NULL, arg); + callback(EVP_aes_192_ctr(), "aes-192-ctr", NULL, arg); + callback(EVP_aes_256_ctr(), "aes-256-ctr", NULL, arg); +@@ -58,9 +66,13 @@ void EVP_CIPHER_do_all_sorted(void (*callback)(const EVP_CIPHER *cipher, + callback(EVP_aes_128_gcm(), "aes-128-gcm", NULL, arg); + callback(EVP_aes_192_gcm(), "aes-192-gcm", NULL, arg); + callback(EVP_aes_256_gcm(), "aes-256-gcm", NULL, arg); ++ callback(EVP_bf_cbc(), "bf-cbc", NULL, arg); ++ callback(EVP_bf_cfb(), "bf-cfb", NULL, arg); ++ callback(EVP_bf_ecb(), "bf-ecb", NULL, arg); + callback(EVP_des_cbc(), "des-cbc", NULL, arg); + callback(EVP_des_ecb(), "des-ecb", NULL, arg); + callback(EVP_des_ede(), "des-ede", NULL, arg); ++ callback(EVP_des_ede3(), "des-ede3", NULL, arg); + callback(EVP_des_ede_cbc(), "des-ede-cbc", NULL, arg); + callback(EVP_des_ede3_cbc(), "des-ede3-cbc", NULL, arg); + callback(EVP_rc2_cbc(), "rc2-cbc", NULL, arg); +diff --git a/include/openssl/cipher.h b/include/openssl/cipher.h +index 310d7c237fd884ba715e3fa97ccf1393b6d04fbb..66e69d487fbb767438b7d0dfdf3770f54e3cf7b2 100644 +--- a/include/openssl/cipher.h ++++ b/include/openssl/cipher.h +@@ -476,6 +476,7 @@ OPENSSL_EXPORT const EVP_CIPHER *EVP_des_ede3_ecb(void); + + // EVP_aes_128_cfb128 is only available in decrepit. + OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_128_cfb128(void); ++OPENSSL_EXPORT const EVP_CIPHER *EVP_aes_256_cfb128(void); + + // EVP_aes_128_cfb is an alias for |EVP_aes_128_cfb128| and is only available in + // decrepit. diff --git a/patches/boringssl/fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch b/patches/boringssl/fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch deleted file mode 100644 index e739ae8f70e37..0000000000000 --- a/patches/boringssl/fix_sync_evp_get_cipherbynid_and_evp_get_cipherbyname.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 0000000000000000000000000000000000000000 Mon Sep 17 00:00:00 2001 -From: Shelley Vohr -Date: Mon, 28 Jun 2021 10:41:09 +0200 -Subject: fix: sync EVP_get_cipherbynid and EVP_get_cipherbyname - -This commit syncs the results of EVP_get_cipherbynid and -EVP_get_cipherbyname. Node.js logic assumes that calling EVP_get_cipherbynid -on a NID returned from a call to `getCipherInfo` with the cipher name -will return the same cipher information - this assumption holds in OpenSSL -and should also hold in BoringSSL. - -This will be upstreamed. - -diff --git a/crypto/cipher_extra/cipher_extra.c b/crypto/cipher_extra/cipher_extra.c -index d97f67fb03756169446edf6b41d3a33fe3ae8205..cfdb69e3c556fea11aa7c2d28d4b7da524df15c3 100644 ---- a/crypto/cipher_extra/cipher_extra.c -+++ b/crypto/cipher_extra/cipher_extra.c -@@ -97,6 +97,7 @@ static const struct { - {NID_des_ede3_cbc, "des-ede3-cbc", EVP_des_ede3_cbc}, - {NID_rc2_cbc, "rc2-cbc", EVP_rc2_cbc}, - {NID_rc4, "rc4", EVP_rc4}, -+ {NID_rc2_40_cbc, "rc2-40-cbc", EVP_rc2_40_cbc} - }; - - const EVP_CIPHER *EVP_get_cipherbynid(int nid) {