nodejs
diff --git a/‎node.gypi‎
Lines changed: 5 additions & 1 deletion b/‎node.gypi‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎src/crypto/crypto_cipher.cc‎
Lines changed: 10 additions & 1 deletion b/‎src/crypto/crypto_cipher.cc‎
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/crypto/crypto_dsa.cc‎
Lines changed: 1 addition & 1 deletion b/‎src/crypto/crypto_dsa.cc‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/crypto/crypto_ec.cc‎
Lines changed: 24 additions & 16 deletions b/‎src/crypto/crypto_ec.cc‎
Lines changed: 24 additions & 16 deletions
diff --git a/‎src/crypto/crypto_hkdf.cc‎
Lines changed: 3 additions & 3 deletions b/‎src/crypto/crypto_hkdf.cc‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/crypto/crypto_keygen.h‎
Lines changed: 3 additions & 0 deletions b/‎src/crypto/crypto_keygen.h‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎src/crypto/crypto_keys.cc‎
Lines changed: 2 additions & 0 deletions b/‎src/crypto/crypto_keys.cc‎
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/crypto/crypto_keys.h‎
Lines changed: 1 addition & 1 deletion b/‎src/crypto/crypto_keys.h‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/crypto/crypto_rsa.cc‎
Lines changed: 4 additions & 4 deletions b/‎src/crypto/crypto_rsa.cc‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/crypto/crypto_sig.cc‎
Lines changed: 10 additions & 8 deletions b/‎src/crypto/crypto_sig.cc‎
Lines changed: 10 additions & 8 deletions
@@ -361,7 +361,11 @@
               ],
             }],
           ],
-        }]]
+        }, {
+          # Set 1.0.0 as the API compability level to avoid the
+          # deprecation warnings when using OpenSSL 3.0.
+	  'defines': ['OPENSSL_API_COMPAT=0x10000000L'],
+	}]]
 
     }, {
       'defines': [ 'HAVE_OPENSSL=0' ]
 
@@ -342,8 +342,11 @@ void CipherBase::Init(const char* cipher_type,
                       unsigned int auth_tag_len) {
   HandleScope scope(env()->isolate());
   MarkPopErrorOnReturn mark_pop_error_on_return;
-
+#if OPENSSL_VERSION_MAJOR >= 3
+  if (EVP_default_properties_is_fips_enabled(nullptr)) {
+#else
   if (FIPS_mode()) {
+#endif
     return THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION(env(),
         "crypto.createCipher() is not supported in FIPS mode.");
   }
@@ -527,7 +530,13 @@ bool CipherBase::InitAuthenticated(
     }
 
     // TODO(tniessen) Support CCM decryption in FIPS mode
+
+#if OPENSSL_VERSION_MAJOR >= 3
+    if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher &&
+        EVP_default_properties_is_fips_enabled(nullptr)) {
+#else
     if (mode == EVP_CIPH_CCM_MODE && kind_ == kDecipher && FIPS_mode()) {
+#endif
       THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION(env(),
           "CCM encryption not supported in FIPS mode");
       return false;
 
@@ -138,7 +138,7 @@ Maybe<bool> GetDsaKeyDetail(
   int type = EVP_PKEY_id(m_pkey.get());
   CHECK(type == EVP_PKEY_DSA);
 
-  DSA* dsa = EVP_PKEY_get0_DSA(m_pkey.get());
+  const DSA* dsa = EVP_PKEY_get0_DSA(m_pkey.get());
   CHECK_NOT_NULL(dsa);
 
   DSA_get0_pqg(dsa, &p, &q, nullptr);
 
@@ -463,19 +463,22 @@ bool ECDHBitsTraits::DeriveBits(
 
   char* data = nullptr;
   size_t len = 0;
+  ManagedEVPPKey m_privkey = params.private_->GetAsymmetricKey();
+  ManagedEVPPKey m_pubkey = params.public_->GetAsymmetricKey();
 
   switch (params.id_) {
     case EVP_PKEY_X25519:
       // Fall through
     case EVP_PKEY_X448: {
-      EVPKeyCtxPointer ctx(
-          EVP_PKEY_CTX_new(
-              params.private_->GetAsymmetricKey().get(),
-              nullptr));
+      EVPKeyCtxPointer ctx = nullptr;
+      {
+        ctx.reset(EVP_PKEY_CTX_new(m_privkey.get(), nullptr));
+      }
+      Mutex::ScopedLock pub_lock(*m_pubkey.mutex());
       if (EVP_PKEY_derive_init(ctx.get()) <= 0 ||
           EVP_PKEY_derive_set_peer(
               ctx.get(),
-              params.public_->GetAsymmetricKey().get()) <= 0 ||
+              m_pubkey.get()) <= 0 ||
           EVP_PKEY_derive(ctx.get(), nullptr, &len) <= 0) {
         return false;
       }
@@ -492,10 +495,14 @@ bool ECDHBitsTraits::DeriveBits(
       break;
     }
     default: {
-      const EC_KEY* private_key =
-          EVP_PKEY_get0_EC_KEY(params.private_->GetAsymmetricKey().get());
-      const EC_KEY* public_key =
-          EVP_PKEY_get0_EC_KEY(params.public_->GetAsymmetricKey().get());
+      const EC_KEY* private_key;
+      {
+        Mutex::ScopedLock priv_lock(*m_privkey.mutex());
+        private_key = EVP_PKEY_get0_EC_KEY(m_privkey.get());
+      }
+
+      Mutex::ScopedLock pub_lock(*m_pubkey.mutex());
+      const EC_KEY* public_key = EVP_PKEY_get0_EC_KEY(m_pubkey.get());
 
       const EC_GROUP* group = EC_KEY_get0_group(private_key);
       if (group == nullptr)
@@ -607,7 +614,7 @@ WebCryptoKeyExportStatus EC_Raw_Export(
   CHECK(m_pkey);
   Mutex::ScopedLock lock(*m_pkey.mutex());
 
-  EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(m_pkey.get());
+  const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(m_pkey.get());
 
   unsigned char* data;
   size_t len = 0;
@@ -627,10 +634,10 @@ WebCryptoKeyExportStatus EC_Raw_Export(
     }
     CHECK_NOT_NULL(fn);
     // Get the size of the raw key data
-    if (fn(key_data->GetAsymmetricKey().get(), nullptr, &len) == 0)
+    if (fn(m_pkey.get(), nullptr, &len) == 0)
       return WebCryptoKeyExportStatus::INVALID_KEY_TYPE;
     data = MallocOpenSSL<unsigned char>(len);
-    if (fn(key_data->GetAsymmetricKey().get(), data, &len) == 0)
+    if (fn(m_pkey.get(), data, &len) == 0)
       return WebCryptoKeyExportStatus::INVALID_KEY_TYPE;
   } else {
     if (key_data->GetKeyType() != kKeyTypePublic)
@@ -696,7 +703,7 @@ Maybe<bool> ExportJWKEcKey(
   Mutex::ScopedLock lock(*m_pkey.mutex());
   CHECK_EQ(EVP_PKEY_id(m_pkey.get()), EVP_PKEY_EC);
 
-  EC_KEY* ec = EVP_PKEY_get0_EC_KEY(m_pkey.get());
+  const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(m_pkey.get());
   CHECK_NOT_NULL(ec);
 
   const EC_POINT* pub = EC_KEY_get0_public_key(ec);
@@ -751,6 +758,7 @@ Maybe<bool> ExportJWKEdKey(
     std::shared_ptr<KeyObjectData> key,
     Local<Object> target) {
   ManagedEVPPKey pkey = key->GetAsymmetricKey();
+  Mutex::ScopedLock lock(*pkey.mutex());
 
   const char* curve = nullptr;
   switch (EVP_PKEY_id(pkey.get())) {
@@ -902,7 +910,7 @@ Maybe<bool> GetEcKeyDetail(
   Mutex::ScopedLock lock(*m_pkey.mutex());
   CHECK_EQ(EVP_PKEY_id(m_pkey.get()), EVP_PKEY_EC);
 
-  EC_KEY* ec = EVP_PKEY_get0_EC_KEY(m_pkey.get());
+  const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(m_pkey.get());
   CHECK_NOT_NULL(ec);
 
   const EC_GROUP* group = EC_KEY_get0_group(ec);
@@ -919,8 +927,8 @@ Maybe<bool> GetEcKeyDetail(
 // implementation here is a adapted from Chromium's impl here:
 // https://github.com/chromium/chromium/blob/7af6cfd/components/webcrypto/algorithms/ecdsa.cc
 
-size_t GroupOrderSize(ManagedEVPPKey key) {
-  EC_KEY* ec = EVP_PKEY_get0_EC_KEY(key.get());
+size_t GroupOrderSize(const ManagedEVPPKey& key) {
+  const EC_KEY* ec = EVP_PKEY_get0_EC_KEY(key.get());
   CHECK_NOT_NULL(ec);
   const EC_GROUP* group = EC_KEY_get0_group(ec);
   BignumPointer order(BN_new());
 
@@ -110,15 +110,15 @@ bool HKDFTraits::DeriveBits(
       !EVP_PKEY_CTX_set_hkdf_md(ctx.get(), params.digest) ||
       !EVP_PKEY_CTX_set1_hkdf_salt(
         ctx.get(),
-        params.salt.get(),
+        reinterpret_cast<const unsigned char*>(params.salt.get()),
         params.salt.size()) ||
       !EVP_PKEY_CTX_set1_hkdf_key(
         ctx.get(),
-        params.key->GetSymmetricKey(),
+        reinterpret_cast<const unsigned char*>(params.key->GetSymmetricKey()),
         params.key->GetSymmetricKeySize()) ||
       !EVP_PKEY_CTX_add1_hkdf_info(
         ctx.get(),
-        params.info.get(),
+        reinterpret_cast<const unsigned char*>(params.info.get()),
         params.info.size())) {
     return false;
   }
 
@@ -235,6 +235,9 @@ struct KeyPairGenConfig final : public MemoryRetainer {
   AlgorithmParams params;
 
   KeyPairGenConfig() = default;
+  ~KeyPairGenConfig() {
+    Mutex::ScopedLock priv_lock(*key.mutex());
+  }
 
   explicit KeyPairGenConfig(KeyPairGenConfig&& other) noexcept
       : public_key_encoding(other.public_key_encoding),
 
@@ -559,6 +559,8 @@ ManagedEVPPKey::ManagedEVPPKey(const ManagedEVPPKey& that) {
 }
 
 ManagedEVPPKey& ManagedEVPPKey::operator=(const ManagedEVPPKey& that) {
+  Mutex::ScopedLock lock(*that.mutex_);
+
   pkey_.reset(that.get());
 
   if (pkey_)
 
@@ -74,7 +74,7 @@ struct PrivateKeyEncodingConfig : public AsymmetricKeyEncodingConfig {
 // use.
 class ManagedEVPPKey : public MemoryRetainer {
  public:
-  ManagedEVPPKey() = default;
+  ManagedEVPPKey() : mutex_(std::make_shared<Mutex>()) {}
   explicit ManagedEVPPKey(EVPKeyPointer&& pkey);
   ManagedEVPPKey(const ManagedEVPPKey& that);
   ManagedEVPPKey& operator=(const ManagedEVPPKey& that);
 
@@ -371,11 +371,11 @@ Maybe<bool> ExportJWKRsaKey(
 
   // TODO(tniessen): Remove the "else" branch once we drop support for OpenSSL
   // versions older than 1.1.1e via FIPS / dynamic linking.
-  RSA* rsa;
+  const RSA* rsa;
   if (OpenSSL_version_num() >= 0x1010105fL) {
     rsa = EVP_PKEY_get0_RSA(m_pkey.get());
   } else {
-    rsa = static_cast<RSA*>(EVP_PKEY_get0(m_pkey.get()));
+    rsa = static_cast<const RSA*>(EVP_PKEY_get0(m_pkey.get()));
   }
   CHECK_NOT_NULL(rsa);
 
@@ -520,11 +520,11 @@ Maybe<bool> GetRsaKeyDetail(
 
   // TODO(tniessen): Remove the "else" branch once we drop support for OpenSSL
   // versions older than 1.1.1e via FIPS / dynamic linking.
-  RSA* rsa;
+  const RSA* rsa;
   if (OpenSSL_version_num() >= 0x1010105fL) {
     rsa = EVP_PKEY_get0_RSA(m_pkey.get());
   } else {
-    rsa = static_cast<RSA*>(EVP_PKEY_get0(m_pkey.get()));
+    rsa = static_cast<const RSA*>(EVP_PKEY_get0(m_pkey.get()));
   }
   CHECK_NOT_NULL(rsa);
 
 
@@ -28,8 +28,13 @@ namespace crypto {
 namespace {
 bool ValidateDSAParameters(EVP_PKEY* key) {
   /* Validate DSA2 parameters from FIPS 186-4 */
+#if OPENSSL_VERSION_MAJOR >= 3
+  if (EVP_default_properties_is_fips_enabled(nullptr) &&
+      EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
+#else
   if (FIPS_mode() && EVP_PKEY_DSA == EVP_PKEY_base_id(key)) {
-    DSA* dsa = EVP_PKEY_get0_DSA(key);
+#endif
+    const DSA* dsa = EVP_PKEY_get0_DSA(key);
     const BIGNUM* p;
     DSA_get0_pqg(dsa, &p, nullptr, nullptr);
     size_t L = BN_num_bits(p);
@@ -103,11 +108,11 @@ unsigned int GetBytesOfRS(const ManagedEVPPKey& pkey) {
   int bits, base_id = EVP_PKEY_base_id(pkey.get());
 
   if (base_id == EVP_PKEY_DSA) {
-    DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get());
+    const DSA* dsa_key = EVP_PKEY_get0_DSA(pkey.get());
     // Both r and s are computed mod q, so their width is limited by that of q.
     bits = BN_num_bits(DSA_get0_q(dsa_key));
   } else if (base_id == EVP_PKEY_EC) {
-    EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
+    const EC_KEY* ec_key = EVP_PKEY_get0_EC_KEY(pkey.get());
     const EC_GROUP* ec_group = EC_KEY_get0_group(ec_key);
     bits = EC_GROUP_order_bits(ec_group);
   } else {
@@ -873,7 +878,7 @@ bool SignTraits::DeriveBits(
     case SignConfiguration::kSign: {
       size_t len;
       unsigned char* data = nullptr;
-      if (IsOneShot(params.key->GetAsymmetricKey())) {
+      if (IsOneShot(m_pkey)) {
         EVP_DigestSign(
             context.get(),
             nullptr,
@@ -905,10 +910,7 @@ bool SignTraits::DeriveBits(
           return false;
 
         if (UseP1363Encoding(m_pkey, params.dsa_encoding)) {
-          *out = ConvertSignatureToP1363(
-              env,
-              params.key->GetAsymmetricKey(),
-              buf);
+          *out = ConvertSignatureToP1363(env, m_pkey, buf);
         } else {
           buf.Resize(len);
           *out = std::move(buf);
Original file line number	Diff line number	Diff line change
`@@ -559,6 +559,8 @@ ManagedEVPPKey::ManagedEVPPKey(const ManagedEVPPKey& that) {`
`559`	`559`	`}`
`560`	`560`
`561`	`561`	`ManagedEVPPKey& ManagedEVPPKey::operator=(const ManagedEVPPKey& that) {`
	`562`	`+ Mutex::ScopedLock lock(*that.mutex_);`
	`563`	`+`
`562`	`564`	`pkey_.reset(that.get());`
`563`	`565`
`564`	`566`	`if (pkey_)`