From f7668fa2aa2781dc57d5423a0cfcfa933539779e Mon Sep 17 00:00:00 2001 From: Shelley Vohr Date: Mon, 8 Nov 2021 15:44:38 +0100 Subject: [PATCH] crypto: trim input for NETSCAPE_SPKI_b64_decode MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit PR-URL: https://github.com/nodejs/node/pull/40757 Reviewed-By: James M Snell Reviewed-By: Colin Ihrig Reviewed-By: Minwoo Jung Reviewed-By: Tobias Nießen Reviewed-By: Richard Lau Reviewed-By: Rich Trott --- src/crypto/crypto_spkac.cc | 27 ++++++++++++++++++++++++--- 1 file changed, 24 insertions(+), 3 deletions(-) diff --git a/src/crypto/crypto_spkac.cc b/src/crypto/crypto_spkac.cc index ed0934513259d3..c29d94edc0f9f9 100644 --- a/src/crypto/crypto_spkac.cc +++ b/src/crypto/crypto_spkac.cc @@ -16,8 +16,15 @@ using v8::Value; namespace crypto { namespace SPKAC { bool VerifySpkac(const ArrayBufferOrViewContents& input) { + size_t length = input.size(); +#ifdef OPENSSL_IS_BORINGSSL + // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters, + // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not. + // As such, we trim those characters here for compatibility. + length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1; +#endif NetscapeSPKIPointer spki( - NETSCAPE_SPKI_b64_decode(input.data(), input.size())); + NETSCAPE_SPKI_b64_decode(input.data(), length)); if (!spki) return false; @@ -45,8 +52,15 @@ ByteSource ExportPublicKey(Environment* env, BIOPointer bio(BIO_new(BIO_s_mem())); if (!bio) return ByteSource(); + size_t length = input.size(); +#ifdef OPENSSL_IS_BORINGSSL + // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters, + // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not. + // As such, we trim those characters here for compatibility. + length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1; +#endif NetscapeSPKIPointer spki( - NETSCAPE_SPKI_b64_decode(input.data(), input.size())); + NETSCAPE_SPKI_b64_decode(input.data(), length)); if (!spki) return ByteSource(); EVPKeyPointer pkey(NETSCAPE_SPKI_get_pubkey(spki.get())); @@ -73,8 +87,15 @@ void ExportPublicKey(const FunctionCallbackInfo& args) { } ByteSource ExportChallenge(const ArrayBufferOrViewContents& input) { + size_t length = input.size(); +#ifdef OPENSSL_IS_BORINGSSL + // OpenSSL uses EVP_DecodeBlock, which explicitly removes trailing characters, + // while BoringSSL uses EVP_DecodedLength and EVP_DecodeBase64, which do not. + // As such, we trim those characters here for compatibility. + length = std::string(input.data()).find_last_not_of(" \n\r\t") + 1; +#endif NetscapeSPKIPointer sp( - NETSCAPE_SPKI_b64_decode(input.data(), input.size())); + NETSCAPE_SPKI_b64_decode(input.data(), length)); if (!sp) return ByteSource();