nodejs · jasnell · Dec 31, 2024 · Dec 31, 2024 · Dec 31, 2024 · Dec 31, 2024
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
@@ -13,6 +13,7 @@
 #include <openssl/ssl.h>
 #include <openssl/x509.h>
 #include <cstddef>
+#include <functional>
 #include <list>
 #include <memory>
 #include <optional>
@@ -195,7 +196,7 @@ template <typename T, void (*function)(T*)>
 using DeleteFnPtr = typename FunctionDeleter<T, function>::Pointer;
 
 using BignumCtxPointer = DeleteFnPtr<BN_CTX, BN_CTX_free>;
-using CipherCtxPointer = DeleteFnPtr<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free>;
+using BignumGenCallbackPointer = DeleteFnPtr<BN_GENCB, BN_GENCB_free>;
 using DSAPointer = DeleteFnPtr<DSA, DSA_free>;
 using DSASigPointer = DeleteFnPtr<DSA_SIG, DSA_SIG_free>;
 using ECDSASigPointer = DeleteFnPtr<ECDSA_SIG, ECDSA_SIG_free>;
@@ -209,10 +210,10 @@ using HMACCtxPointer = DeleteFnPtr<HMAC_CTX, HMAC_CTX_free>;
 using NetscapeSPKIPointer = DeleteFnPtr<NETSCAPE_SPKI, NETSCAPE_SPKI_free>;
 using PKCS8Pointer = DeleteFnPtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>;
 using RSAPointer = DeleteFnPtr<RSA, RSA_free>;
-using SSLCtxPointer = DeleteFnPtr<SSL_CTX, SSL_CTX_free>;
-using SSLPointer = DeleteFnPtr<SSL, SSL_free>;
 using SSLSessionPointer = DeleteFnPtr<SSL_SESSION, SSL_SESSION_free>;
 
+class CipherCtxPointer;
+
 struct StackOfXASN1Deleter {
   void operator()(STACK_OF(ASN1_OBJECT) * p) const {
     sk_ASN1_OBJECT_pop_free(p, ASN1_OBJECT_free);
@@ -227,6 +228,40 @@ struct Buffer {
   size_t len = 0;
 };
 
+class Cipher final {
+ public:
+  Cipher() = default;
+  Cipher(const EVP_CIPHER* cipher) : cipher_(cipher) {}
+  Cipher(const Cipher&) = default;
+  Cipher& operator=(const Cipher&) = default;
+  inline Cipher& operator=(const EVP_CIPHER* cipher) {
+    cipher_ = cipher;
+    return *this;
+  }
+  NCRYPTO_DISALLOW_MOVE(Cipher)
+
+  inline const EVP_CIPHER* get() const { return cipher_; }
+  inline operator const EVP_CIPHER*() const { return cipher_; }
+  inline operator bool() const { return cipher_ != nullptr; }
+
+  int getNid() const;
+  int getMode() const;
+  int getIvLength() const;
+  int getKeyLength() const;
+  int getBlockSize() const;
+  const std::string_view getModeLabel() const;
+  const std::string_view getName() const;
+
+  bool isSupportedAuthenticatedMode() const;
+
+  static const Cipher FromName(const char* name);
+  static const Cipher FromNid(int nid);
+  static const Cipher FromCtx(const CipherCtxPointer& ctx);
+
+ private:
+  const EVP_CIPHER* cipher_ = nullptr;
+};
+
 // A managed pointer to a buffer of data. When destroyed the underlying
 // buffer will be freed.
 class DataPointer final {
@@ -272,6 +307,7 @@ class BIOPointer final {
   static BIOPointer NewSecMem();
   static BIOPointer New(const BIO_METHOD* method);
   static BIOPointer New(const void* data, size_t len);
+  static BIOPointer New(const BIGNUM* bn);
   static BIOPointer NewFile(std::string_view filename, std::string_view mode);
   static BIOPointer NewFp(FILE* fd, int flags);
 
@@ -350,8 +386,28 @@ class BignumPointer final {
   size_t encodeInto(unsigned char* out) const;
   size_t encodePaddedInto(unsigned char* out, size_t size) const;
 
+  using PrimeCheckCallback = std::function<bool(int, int)>;
+  int isPrime(int checks,
+              PrimeCheckCallback cb = defaultPrimeCheckCallback) const;
+  struct PrimeConfig {
+    int bits;
+    bool safe = false;
+    const BignumPointer& add;
+    const BignumPointer& rem;
+  };
+
+  static BignumPointer NewPrime(
+      const PrimeConfig& params,
+      PrimeCheckCallback cb = defaultPrimeCheckCallback);
+
+  bool generate(const PrimeConfig& params,
+                PrimeCheckCallback cb = defaultPrimeCheckCallback) const;
+
   static BignumPointer New();
   static BignumPointer NewSecure();
+  static BignumPointer NewSub(const BignumPointer& a, const BignumPointer& b);
+  static BignumPointer NewLShift(size_t length);
+
   static DataPointer Encode(const BIGNUM* bn);
   static DataPointer EncodePadded(const BIGNUM* bn, size_t size);
   static size_t EncodePaddedInto(const BIGNUM* bn,
@@ -366,6 +422,53 @@ class BignumPointer final {
 
  private:
   DeleteFnPtr<BIGNUM, BN_clear_free> bn_;
+
+  static bool defaultPrimeCheckCallback(int, int) { return 1; }
+};
+
+class CipherCtxPointer final {
+ public:
+  static CipherCtxPointer New();
+
+  CipherCtxPointer() = default;
+  explicit CipherCtxPointer(EVP_CIPHER_CTX* ctx);
+  CipherCtxPointer(CipherCtxPointer&& other) noexcept;
+  CipherCtxPointer& operator=(CipherCtxPointer&& other) noexcept;
+  NCRYPTO_DISALLOW_COPY(CipherCtxPointer)
+  ~CipherCtxPointer();
+
+  inline bool operator==(std::nullptr_t) const noexcept {
+    return ctx_ == nullptr;
+  }
+  inline operator bool() const { return ctx_ != nullptr; }
+  inline EVP_CIPHER_CTX* get() const { return ctx_.get(); }
+  inline operator EVP_CIPHER_CTX*() const { return ctx_.get(); }
+  void reset(EVP_CIPHER_CTX* ctx = nullptr);
+  EVP_CIPHER_CTX* release();
+
+  void setFlags(int flags);
+  bool setKeyLength(size_t length);
+  bool setIvLength(size_t length);
+  bool setAeadTag(const Buffer<const char>& tag);
+  bool setAeadTagLength(size_t length);
+  bool setPadding(bool padding);
+  bool init(const Cipher& cipher,
+            bool encrypt,
+            const unsigned char* key = nullptr,
+            const unsigned char* iv = nullptr);
+
+  int getBlockSize() const;
+  int getMode() const;
+  int getNid() const;
+
+  bool update(const Buffer<const unsigned char>& in,
+              unsigned char* out,
+              int* out_len,
+              bool finalize = false);
+  bool getAeadTag(size_t len, unsigned char* out);
+
+ private:
+  DeleteFnPtr<EVP_CIPHER_CTX, EVP_CIPHER_CTX_free> ctx_;
 };
 
 class EVPKeyPointer final {
@@ -551,7 +654,85 @@ class DHPointer final {
   DeleteFnPtr<DH, DH_free> dh_;
 };
 
+struct StackOfX509Deleter {
+  void operator()(STACK_OF(X509) * p) const { sk_X509_pop_free(p, X509_free); }
+};
+using StackOfX509 = std::unique_ptr<STACK_OF(X509), StackOfX509Deleter>;
+
 class X509Pointer;
+class X509View;
+
+class SSLCtxPointer final {
+ public:
+  SSLCtxPointer() = default;
+  explicit SSLCtxPointer(SSL_CTX* ctx);
+  SSLCtxPointer(SSLCtxPointer&& other) noexcept;
+  SSLCtxPointer& operator=(SSLCtxPointer&& other) noexcept;
+  NCRYPTO_DISALLOW_COPY(SSLCtxPointer)
+  ~SSLCtxPointer();
+
+  inline bool operator==(std::nullptr_t) const noexcept {
+    return ctx_ == nullptr;
+  }
+  inline operator bool() const { return ctx_ != nullptr; }
+  inline SSL_CTX* get() const { return ctx_.get(); }
+  void reset(SSL_CTX* ctx = nullptr);
+  void reset(const SSL_METHOD* method);
+  SSL_CTX* release();
+
+  bool setGroups(const char* groups);
+  void setStatusCallback(auto callback) {
+    if (!ctx_) return;
+    SSL_CTX_set_tlsext_status_cb(get(), callback);
+    SSL_CTX_set_tlsext_status_arg(get(), nullptr);
+  }
+
+  static SSLCtxPointer NewServer();
+  static SSLCtxPointer NewClient();
+  static SSLCtxPointer New(const SSL_METHOD* method = TLS_method());
+
+ private:
+  DeleteFnPtr<SSL_CTX, SSL_CTX_free> ctx_;
+};
+
+class SSLPointer final {
+ public:
+  SSLPointer() = default;
+  explicit SSLPointer(SSL* ssl);
+  SSLPointer(SSLPointer&& other) noexcept;
+  SSLPointer& operator=(SSLPointer&& other) noexcept;
+  NCRYPTO_DISALLOW_COPY(SSLPointer)
+  ~SSLPointer();
+
+  inline bool operator==(std::nullptr_t) noexcept { return ssl_ == nullptr; }
+  inline operator bool() const { return ssl_ != nullptr; }
+  inline SSL* get() const { return ssl_.get(); }
+  inline operator SSL*() const { return ssl_.get(); }
+  void reset(SSL* ssl = nullptr);
+  SSL* release();
+
+  bool setSession(const SSLSessionPointer& session);
+  bool setSniContext(const SSLCtxPointer& ctx) const;
+
+  const std::string_view getClientHelloAlpn() const;
+  const std::string_view getClientHelloServerName() const;
+
+  std::optional<const std::string_view> getServerName() const;
+  X509View getCertificate() const;
+  EVPKeyPointer getPeerTempKey() const;
+  const SSL_CIPHER* getCipher() const;
+  bool isServer() const;
+
+  std::optional<uint32_t> verifyPeerCertificate() const;
+
+  void getCiphers(std::function<void(const std::string_view)> cb) const;
+
+  static SSLPointer New(const SSLCtxPointer& ctx);
+  static std::optional<const std::string_view> GetServerName(const SSL* ssl);
+
+ private:
+  DeleteFnPtr<SSL, SSL_free> ssl_;
+};
 
 class X509View final {
  public:
@@ -565,6 +746,8 @@ class X509View final {
   NCRYPTO_DISALLOW_MOVE(X509View)
 
   inline X509* get() const { return const_cast<X509*>(cert_); }
+  inline operator X509*() const { return const_cast<X509*>(cert_); }
+  inline operator const X509*() const { return cert_; }
 
   inline bool operator==(std::nullptr_t) noexcept { return cert_ == nullptr; }
   inline operator bool() const { return cert_ != nullptr; }
@@ -589,6 +772,8 @@ class X509View final {
   bool checkPrivateKey(const EVPKeyPointer& pkey) const;
   bool checkPublicKey(const EVPKeyPointer& pkey) const;
 
+  std::optional<std::string> getFingerprint(const EVP_MD* method) const;
+
   X509Pointer clone() const;
 
   enum class CheckMatch {
@@ -624,12 +809,17 @@ class X509Pointer final {
   inline bool operator==(std::nullptr_t) noexcept { return cert_ == nullptr; }
   inline operator bool() const { return cert_ != nullptr; }
   inline X509* get() const { return cert_.get(); }
+  inline operator X509*() const { return cert_.get(); }
+  inline operator const X509*() const { return cert_.get(); }
   void reset(X509* cert = nullptr);
   X509* release();
 
   X509View view() const;
   operator X509View() const { return view(); }
 
+  static std::string_view ErrorCode(int32_t err);
+  static std::string_view ErrorReason(int32_t err);
+
  private:
   DeleteFnPtr<X509, X509_free> cert_;
 };