src: cleanup crypto more

* Use ncrypto APIs where appropriate
* Remove obsolete no-longer used functions
* Improve error handling a bit
* move secure heap handling to ncrypto
  To simplify handling of boringssl/openssl, move secure
  heap impl to ncrypto. Overall the reduces the complexity
  of the code in crypto_util by eliminating additional
  ifdef branches.
* simplify CryptoErrorStore::ToException a bit
* simplify error handling in crypto_common
* move curve utility methods to ncrypto
* verify that released DataPointers aren't on secure heap
  The ByteSource does not currently know how to free a DataPointer
  allocated on the secure heap, so just verify.
  DataPointers on the secure heap are not something that users can
  allocate on their own. Their use is rare. Eventually ByteSource
  is going to be refactored around ncrypto APIs so these additional
  checks should be temporary.
* simplify some ifdefs that are covered by ncrypto
* cleanup some obsolete includes in crypto_util

PR-URL: #57323
Reviewed-By: Yagiz Nizipli <[email protected]>

Author: jasnell

deps/ncrypto/ncrypto.cc

@@ -111,20 +111,64 @@ DataPointer DataPointer::Alloc(size_t len) {
 #endif
 }
 
+DataPointer DataPointer::SecureAlloc(size_t len) {
+#ifndef OPENSSL_IS_BORINGSSL
+  auto ptr = OPENSSL_secure_zalloc(len);
+  if (ptr == nullptr) return {};
+  return DataPointer(ptr, len, true);
+#else
+  // BoringSSL does not implement the OPENSSL_secure_zalloc API.
+  auto ptr = OPENSSL_malloc(len);
+  if (ptr == nullptr) return {};
+  memset(ptr, 0, len);
+  return DataPointer(ptr, len);
+#endif
+}
+
+size_t DataPointer::GetSecureHeapUsed() {
+#ifndef OPENSSL_IS_BORINGSSL
+  return CRYPTO_secure_malloc_initialized() ? CRYPTO_secure_used() : 0;
+#else
+  // BoringSSL does not have the secure heap and therefore
+  // will always return 0.
+  return 0;
+#endif
+}
+
+DataPointer::InitSecureHeapResult DataPointer::TryInitSecureHeap(size_t amount,
+                                                                 size_t min) {
+#ifndef OPENSSL_IS_BORINGSSL
+  switch (CRYPTO_secure_malloc_init(amount, min)) {
+    case 0:
+      return InitSecureHeapResult::FAILED;
+    case 2:
+      return InitSecureHeapResult::UNABLE_TO_MEMORY_MAP;
+    case 1:
+      return InitSecureHeapResult::OK;
+    default:
+      return InitSecureHeapResult::FAILED;
+  }
+#else
+  // BoringSSL does not actually support the secure heap
+  return InitSecureHeapResult::FAILED;
+#endif
+}
+
 DataPointer DataPointer::Copy(const Buffer<const void>& buffer) {
   return DataPointer(OPENSSL_memdup(buffer.data, buffer.len), buffer.len);
 }
 
-DataPointer::DataPointer(void* data, size_t length)
-    : data_(data), len_(length) {}
+DataPointer::DataPointer(void* data, size_t length, bool secure)
+    : data_(data), len_(length), secure_(secure) {}
 
-DataPointer::DataPointer(const Buffer<void>& buffer)
-    : data_(buffer.data), len_(buffer.len) {}
+DataPointer::DataPointer(const Buffer<void>& buffer, bool secure)
+    : data_(buffer.data), len_(buffer.len), secure_(secure) {}
 
 DataPointer::DataPointer(DataPointer&& other) noexcept
-    : data_(other.data_), len_(other.len_) {
+    : data_(other.data_), len_(other.len_), secure_(other.secure_) {
   other.data_ = nullptr;
   other.len_ = 0;
+  other.secure_ = false;
 }
 
 DataPointer& DataPointer::operator=(DataPointer&& other) noexcept {
@@ -144,7 +188,11 @@ void DataPointer::zero() {
 
 void DataPointer::reset(void* data, size_t length) {
   if (data_ != nullptr) {
-    OPENSSL_clear_free(data_, len_);
+    if (secure_) {
+      OPENSSL_secure_clear_free(data_, len_);
+    } else {
+      OPENSSL_clear_free(data_, len_);
+    }
   }
   data_ = data;
   len_ = length;
@@ -175,6 +223,7 @@ DataPointer DataPointer::resize(size_t len) {
 
 // ============================================================================
 bool isFipsEnabled() {
+  ClearErrorOnReturn clear_error_on_return;
 #if OPENSSL_VERSION_MAJOR >= 3
   return EVP_default_properties_is_fips_enabled(nullptr) == 1;
 #else
@@ -186,30 +235,31 @@ bool setFipsEnabled(bool enable, CryptoErrorList* errors) {
   if (isFipsEnabled() == enable) return true;
   ClearErrorOnReturn clearErrorOnReturn(errors);
 #if OPENSSL_VERSION_MAJOR >= 3
-  return EVP_default_properties_enable_fips(nullptr, enable ? 1 : 0) == 1;
+  return EVP_default_properties_enable_fips(nullptr, enable ? 1 : 0) == 1 &&
+         EVP_default_properties_is_fips_enabled(nullptr);
 #else
   return FIPS_mode_set(enable ? 1 : 0) == 1;
 #endif
 }
 
 bool testFipsEnabled() {
+  ClearErrorOnReturn clear_error_on_return;
 #if OPENSSL_VERSION_MAJOR >= 3
   OSSL_PROVIDER* fips_provider = nullptr;
   if (OSSL_PROVIDER_available(nullptr, "fips")) {
     fips_provider = OSSL_PROVIDER_load(nullptr, "fips");
   }
-  const auto enabled = fips_provider == nullptr                 ? 0
-                       : OSSL_PROVIDER_self_test(fips_provider) ? 1
-                                                                : 0;
+  if (fips_provider == nullptr) return false;
+  int result = OSSL_PROVIDER_self_test(fips_provider);
+  OSSL_PROVIDER_unload(fips_provider);
+  return result;
 #else
 #ifdef OPENSSL_FIPS
-  const auto enabled = FIPS_selftest() ? 1 : 0;
+  return FIPS_selftest();
 #else  // OPENSSL_FIPS
-  const auto enabled = 0;
+  return false;
 #endif  // OPENSSL_FIPS
 #endif
-
-  return enabled;
 }
 
 // ============================================================================
@@ -2689,6 +2739,21 @@ std::optional<std::string_view> SSLPointer::getCipherVersion() const {
   return SSL_CIPHER_get_version(cipher);
 }
 
+std::optional<int> SSLPointer::getSecurityLevel() {
+#ifndef OPENSSL_IS_BORINGSSL
+  auto ctx = SSLCtxPointer::New();
+  if (!ctx) return std::nullopt;
+
+  auto ssl = SSLPointer::New(ctx);
+  if (!ssl) return std::nullopt;
+
+  return SSL_get_security_level(ssl);
+#else
+  // for BoringSSL assume the same as the default
+  return OPENSSL_TLS_SECURITY_LEVEL;
+#endif  // OPENSSL_IS_BORINGSSL
+}
+
 SSLCtxPointer::SSLCtxPointer(SSL_CTX* ctx) : ctx_(ctx) {}
 
 SSLCtxPointer::SSLCtxPointer(SSLCtxPointer&& other) noexcept
@@ -3290,6 +3355,10 @@ EVPKeyCtxPointer EVPKeyCtxPointer::New(const EVPKeyPointer& key) {
 }
 
 EVPKeyCtxPointer EVPKeyCtxPointer::NewFromID(int id) {
+#ifdef OPENSSL_IS_BORINGSSL
+  // DSA keys are not supported with BoringSSL
+  if (id == EVP_PKEY_DSA) return {};
+#endif
   return EVPKeyCtxPointer(EVP_PKEY_CTX_new_id(id, nullptr));
 }
 
@@ -3852,6 +3921,26 @@ int Ec::getCurve() const {
   return EC_GROUP_get_curve_name(getGroup());
 }
 
+int Ec::GetCurveIdFromName(std::string_view name) {
+  int nid = EC_curve_nist2nid(name.data());
+  if (nid == NID_undef) {
+    nid = OBJ_sn2nid(name.data());
+  }
+  return nid;
+}
+
+bool Ec::GetCurves(Ec::GetCurveCallback callback) {
+  const size_t count = EC_get_builtin_curves(nullptr, 0);
+  std::vector<EC_builtin_curve> curves(count);
+  if (EC_get_builtin_curves(curves.data(), count) != count) {
+    return false;
+  }
+  for (auto curve : curves) {
+    if (!callback(OBJ_nid2sn(curve.nid))) return false;
+  }
+  return true;
+}
+
 // ============================================================================
 
 EVPMDCtxPointer::EVPMDCtxPointer() : ctx_(nullptr) {}

deps/ncrypto/ncrypto.h

@@ -469,6 +469,11 @@ class Ec final {
   inline operator bool() const { return ec_ != nullptr; }
   inline operator OSSL3_CONST EC_KEY*() const { return ec_; }
 
+  static int GetCurveIdFromName(std::string_view name);
+
+  using GetCurveCallback = std::function<bool(std::string_view)>;
+  static bool GetCurves(GetCurveCallback callback);
+
  private:
   OSSL3_CONST EC_KEY* ec_ = nullptr;
 };
@@ -480,9 +485,31 @@ class DataPointer final {
   static DataPointer Alloc(size_t len);
   static DataPointer Copy(const Buffer<const void>& buffer);
 
+  // Attempts to allocate the buffer space using the secure heap, if
+  // supported/enabled. If the secure heap is disabled, then this
+  // ends up being equivalent to Alloc(len). Note that allocation
+  // will fail if there is not enough free space remaining in the
+  // secure heap space.
+  static DataPointer SecureAlloc(size_t len);
+
+  // If the secure heap is enabled, returns the amount of data that
+  // has been allocated from the heap.
+  static size_t GetSecureHeapUsed();
+
+  enum class InitSecureHeapResult {
+    FAILED,
+    UNABLE_TO_MEMORY_MAP,
+    OK,
+  };
+
+  // Attempt to initialize the secure heap. The secure heap is not
+  // supported on all operating systems and whenever boringssl is
+  // used.
+  static InitSecureHeapResult TryInitSecureHeap(size_t amount, size_t min);
+
   DataPointer() = default;
-  explicit DataPointer(void* data, size_t len);
-  explicit DataPointer(const Buffer<void>& buffer);
+  explicit DataPointer(void* data, size_t len, bool secure = false);
+  explicit DataPointer(const Buffer<void>& buffer, bool secure = false);
   DataPointer(DataPointer&& other) noexcept;
   DataPointer& operator=(DataPointer&& other) noexcept;
   NCRYPTO_DISALLOW_COPY(DataPointer)
@@ -518,9 +545,12 @@ class DataPointer final {
     };
   }
 
+  bool isSecure() const { return secure_; }
+
  private:
   void* data_ = nullptr;
   size_t len_ = 0;
+  bool secure_ = false;
 };
 
 class BIOPointer final {
@@ -1048,6 +1078,8 @@ class SSLPointer final {
 
   std::optional<uint32_t> verifyPeerCertificate() const;
 
+  static std::optional<int> getSecurityLevel();
+
   void getCiphers(std::function<void(const std::string_view)> cb) const;
 
   static SSLPointer New(const SSLCtxPointer& ctx);

src/crypto/crypto_common.cc

@@ -255,11 +255,10 @@ MaybeLocal<Object> GetEphemeralKey(Environment* env, const SSLPointer& ssl) {
 MaybeLocal<Object> ECPointToBuffer(Environment* env,
                                    const EC_GROUP* group,
                                    const EC_POINT* point,
-                                   point_conversion_form_t form,
-                                   const char** error) {
+                                   point_conversion_form_t form) {
   size_t len = EC_POINT_point2oct(group, point, form, nullptr, 0, nullptr);
   if (len == 0) {
-    if (error != nullptr) *error = "Failed to get public key length";
+    THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Failed to get public key length");
     return MaybeLocal<Object>();
   }
 
@@ -273,7 +272,7 @@ MaybeLocal<Object> ECPointToBuffer(Environment* env,
                            bs->ByteLength(),
                            nullptr);
   if (len == 0) {
-    if (error != nullptr) *error = "Failed to get public key";
+    THROW_ERR_CRYPTO_OPERATION_FAILED(env, "Failed to get public key");
     return MaybeLocal<Object>();
   }
 

src/crypto/crypto_common.h

@@ -35,12 +35,10 @@ v8::MaybeLocal<v8::Value> GetPeerCert(Environment* env,
                                       bool abbreviated = false,
                                       bool is_server = false);
 
-v8::MaybeLocal<v8::Object> ECPointToBuffer(
-    Environment* env,
-    const EC_GROUP* group,
-    const EC_POINT* point,
-    point_conversion_form_t form,
-    const char** error);
+v8::MaybeLocal<v8::Object> ECPointToBuffer(Environment* env,
+                                           const EC_GROUP* group,
+                                           const EC_POINT* point,
+                                           point_conversion_form_t form);
 
 }  // namespace crypto
 }  // namespace node

src/crypto/crypto_dh.cc

@@ -55,11 +55,17 @@ void DiffieHellman::MemoryInfo(MemoryTracker* tracker) const {
 
 namespace {
 MaybeLocal<Value> DataPointerToBuffer(Environment* env, DataPointer&& data) {
+  struct Flag {
+    bool secure;
+  };
   auto backing = ArrayBuffer::NewBackingStore(
       data.get(),
       data.size(),
-      [](void* data, size_t len, void* ptr) { DataPointer free_me(data, len); },
-      nullptr);
+      [](void* data, size_t len, void* ptr) {
+        std::unique_ptr<Flag> flag(static_cast<Flag*>(ptr));
+        DataPointer free_me(data, len, flag->secure);
+      },
+      new Flag{data.isSecure()});
   data.release();
 
   auto ab = ArrayBuffer::New(env->isolate(), std::move(backing));
@@ -482,6 +488,7 @@ ByteSource StatelessDiffieHellmanThreadsafe(const EVPKeyPointer& our_key,
                                             const EVPKeyPointer& their_key) {
   auto dp = DHPointer::stateless(our_key, their_key);
   if (!dp) return {};
+  DCHECK(!dp.isSecure());
 
   return ByteSource::Allocated(dp.release());
 }

src/crypto/crypto_dsa.cc

@@ -28,13 +28,9 @@ using v8::Value;
 
 namespace crypto {
 EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) {
-#ifdef OPENSSL_IS_BORINGSSL
-  // Operation is unsupported in BoringSSL
-  return {};
-#else
   auto param_ctx = EVPKeyCtxPointer::NewFromID(EVP_PKEY_DSA);
 
-  if (!param_ctx.initForParamgen() ||
+  if (!param_ctx || !param_ctx.initForParamgen() ||
       !param_ctx.setDsaParameters(
           params->params.modulus_bits,
           params->params.divisor_bits != -1
@@ -49,7 +45,6 @@ EVPKeyCtxPointer DsaKeyGenTraits::Setup(DsaKeyPairGenConfig* params) {
   EVPKeyCtxPointer key_ctx = key_params.newCtx();
   if (!key_ctx.initForKeygen()) return {};
   return key_ctx;
-#endif
 }
 
 // Input arguments for DsaKeyPairGenJob