From 978cd0227f2c4cfd48a2454df6aa70db868254f0 Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Thu, 7 Jan 2021 16:27:29 -0800
Subject: [PATCH 1/2] crypto: fixup bug in keygen error handling

Signed-off-by: James M Snell <jasnell@gmail.com>
---
 lib/internal/crypto/keygen.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/lib/internal/crypto/keygen.js b/lib/internal/crypto/keygen.js
index 2b0d58afd663fc..56f06f7a79fe2a 100644
--- a/lib/internal/crypto/keygen.js
+++ b/lib/internal/crypto/keygen.js
@@ -94,13 +94,15 @@ function generateKeyPairSync(type, options) {
 }
 
 function handleError(ret) {
-  if (ret === undefined)
+  if (ret == null)
     return; // async
 
-  const [err, [publicKey, privateKey]] = ret;
+  const [err, keys] = ret;
   if (err !== undefined)
     throw err;
 
+  const [publicKey, privateKey] = keys;
+
   // If no encoding was chosen, return key objects instead.
   return {
     publicKey: wrapKey(publicKey, PublicKeyObject),

From 8ef059853675bd29eddc01190682b909b1523abc Mon Sep 17 00:00:00 2001
From: James M Snell <jasnell@gmail.com>
Date: Mon, 4 Jan 2021 09:06:26 -0800
Subject: [PATCH 2/2] crypto: implement basic secure heap support

Adds two new command line arguments:

* `--secure-heap=n`, which causes node.js to initialize
  an openssl secure heap of `n` bytes on openssl initialization.
* `--secure-heap-min=n`, which specifies the minimum allocation
  from the secure heap.
* A new method `crypto.secureHeapUsed()` that returns details
  about the total and used secure heap allocation.

The secure heap is an openssl feature that allows certain kinds
of potentially sensitive information (such as private key
BigNums) to be allocated from a dedicated memory area that is
protected against pointer over- and underruns.

The secure heap is a fixed size, so it's important that users
pick a large enough size to cover the crypto operations they
intend to utilize.

The secure heap is disabled by default.

Signed-off-by: James M Snell <jasnell@gmail.com>
---
 doc/api/cli.md                                | 37 ++++++++++
 doc/api/crypto.md                             | 15 ++++
 doc/node.1                                    |  7 ++
 lib/crypto.js                                 |  2 +
 lib/internal/crypto/util.js                   | 16 +++++
 src/crypto/crypto_util.cc                     | 28 ++++++++
 src/node_options.cc                           | 24 +++++++
 src/node_options.h                            |  2 +
 test/parallel/test-crypto-secure-heap.js      | 72 +++++++++++++++++++
 ...rocess-env-allowed-flags-are-documented.js | 10 ++-
 10 files changed, 211 insertions(+), 2 deletions(-)
 create mode 100644 test/parallel/test-crypto-secure-heap.js

diff --git a/doc/api/cli.md b/doc/api/cli.md
index c2c2efbcc0eef8..af1d6a7ad09751 100644
--- a/doc/api/cli.md
+++ b/doc/api/cli.md
@@ -848,6 +848,40 @@ Enables report to be generated on uncaught exceptions. Useful when inspecting
 the JavaScript stack in conjunction with native stack and other runtime
 environment data.
 
+### `--secure-heap=n`
+<!-- YAML
+added: REPLACEME
+-->
+
+Initializes an OpenSSL secure heap of `n` bytes. When initialized, the
+secure heap is used for selected types of allocations within OpenSSL
+during key generation and other operations. This is useful, for instance,
+to prevent sensitive information from leaking due to pointer overruns
+or underruns.
+
+The secure heap is a fixed size and cannot be resized at runtime so,
+if used, it is important to select a large enough heap to cover all
+application uses.
+
+The heap size given must be a power of two. Any value less than 2
+will disable the secure heap.
+
+The secure heap is disabled by default.
+
+The secure heap is not available on Windows.
+
+See [`CRYPTO_secure_malloc_init`][] for more details.
+
+### `--secure-heap-min=n`
+<!-- YAML
+added: REPLACEME
+-->
+
+When using `--secure-heap`, the `--secure-heap-min` flag specifies the
+minimum allocation from the secure heap. The minimum value is `2`.
+The maximum value is the lesser of `--secure-heap` or `2147483647`.
+The value given must be a power of two.
+
 ### `--throw-deprecation`
 <!-- YAML
 added: v0.11.14
@@ -1361,6 +1395,8 @@ Node.js options that are allowed are:
 * `--report-signal`
 * `--report-uncaught-exception`
 * `--require`, `-r`
+* `--secure-heap-min`
+* `--secure-heap`
 * `--throw-deprecation`
 * `--title`
 * `--tls-cipher-list`
@@ -1659,6 +1695,7 @@ $ node --max-old-space-size=1536 index.js
 [`--openssl-config`]: #cli_openssl_config_file
 [`Atomics.wait()`]: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Atomics/wait
 [`Buffer`]: buffer.md#buffer_class_buffer
+[`CRYPTO_secure_malloc_init`]: https://www.openssl.org/docs/man1.1.0/man3/CRYPTO_secure_malloc_init.html
 [`NODE_OPTIONS`]: #cli_node_options_options
 [`SlowBuffer`]: buffer.md#buffer_class_slowbuffer
 [`process.setUncaughtExceptionCaptureCallback()`]: process.md#process_process_setuncaughtexceptioncapturecallback_fn
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index a1030dacedf0af..b7977120fa4924 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3545,6 +3545,21 @@ const key2 = crypto.scryptSync('password', 'salt', 64, { N: 1024 });
 console.log(key2.toString('hex'));  // '3745e48...aa39b34'
 ```
 
+### `crypto.secureHeapUsed()`
+<!-- YAML
+added: REPLACEME
+-->
+
+* Returns: {Object}
+  * `total` {number} The total allocated secure heap size as specified
+    using the `--secure-heap=n` command-line flag.
+  * `min` {number} The minimum allocation from the secure heap as
+    specified using the `--secure-heap-min` command-line flag.
+  * `used` {number} The total number of bytes currently allocated from
+    the secure heap.
+  * `utilization` {number} The calculated ratio of `used` to `total`
+    allocated bytes.
+
 ### `crypto.setEngine(engine[, flags])`
 <!-- YAML
 added: v0.11.11
diff --git a/doc/node.1 b/doc/node.1
index b2333c6548aed0..63574131878042 100644
--- a/doc/node.1
+++ b/doc/node.1
@@ -359,6 +359,13 @@ Enables
 to be generated on un-caught exceptions. Useful when inspecting JavaScript
 stack in conjunction with native stack and other runtime environment data.
 .
+.It Fl -secure-heap Ns = Ns Ar n
+Specify the size of the OpenSSL secure heap. Any value less than 2 disables
+the secure heap. The default is 0. The value must be a power of two.
+.
+.It Fl -secure-heap-min Ns = Ns Ar n
+Specify the minimum allocation from the OpenSSL secure heap. The default is 2. The value must be a power of two.
+.
 .It Fl -throw-deprecation
 Throw errors for deprecations.
 .
diff --git a/lib/crypto.js b/lib/crypto.js
index a799c935737f84..de21ef76f9ad94 100644
--- a/lib/crypto.js
+++ b/lib/crypto.js
@@ -118,6 +118,7 @@ const {
   setDefaultEncoding,
   setEngine,
   lazyRequire,
+  secureHeapUsed,
 } = require('internal/crypto/util');
 const Certificate = require('internal/crypto/certificate');
 
@@ -230,6 +231,7 @@ module.exports = {
   Sign,
   Verify,
   X509Certificate,
+  secureHeapUsed,
 };
 
 function setFipsDisabled() {
diff --git a/lib/internal/crypto/util.js b/lib/internal/crypto/util.js
index 20d8058e585565..67cb9841928a2d 100644
--- a/lib/internal/crypto/util.js
+++ b/lib/internal/crypto/util.js
@@ -4,6 +4,7 @@ const {
   ArrayPrototypeIncludes,
   ArrayPrototypePush,
   FunctionPrototypeBind,
+  Number,
   Promise,
   StringPrototypeToLowerCase,
   StringPrototypeToUpperCase,
@@ -15,8 +16,11 @@ const {
   getCurves: _getCurves,
   getHashes: _getHashes,
   setEngine: _setEngine,
+  secureHeapUsed: _secureHeapUsed,
 } = internalBinding('crypto');
 
+const { getOptionValue } = require('internal/options');
+
 const {
   crypto: {
     ENGINE_METHOD_ALL
@@ -371,6 +375,17 @@ function validateKeyOps(keyOps, usagesSet) {
   }
 }
 
+function secureHeapUsed() {
+  const val = _secureHeapUsed();
+  if (val === undefined)
+    return { total: 0, used: 0, utilization: 0, min: 0 };
+  const used = Number(_secureHeapUsed());
+  const total = Number(getOptionValue('--secure-heap'));
+  const min = Number(getOptionValue('--secure-heap-min'));
+  const utilization = used / total;
+  return { total, used, utilization, min };
+}
+
 module.exports = {
   getArrayBufferOrView,
   getCiphers,
@@ -402,4 +417,5 @@ module.exports = {
   getStringOption,
   getUsagesUnion,
   getHashLength,
+  secureHeapUsed,
 };
diff --git a/src/crypto/crypto_util.cc b/src/crypto/crypto_util.cc
index 43b154379ae7aa..0a40b1f7bb4c2e 100644
--- a/src/crypto/crypto_util.cc
+++ b/src/crypto/crypto_util.cc
@@ -18,6 +18,7 @@ namespace node {
 
 using v8::ArrayBuffer;
 using v8::BackingStore;
+using v8::BigInt;
 using v8::Context;
 using v8::Exception;
 using v8::FunctionCallbackInfo;
@@ -113,6 +114,25 @@ void InitCryptoOnce() {
   settings = nullptr;
 #endif
 
+#ifndef _WIN32
+  if (per_process::cli_options->secure_heap != 0) {
+    switch (CRYPTO_secure_malloc_init(
+                per_process::cli_options->secure_heap,
+                static_cast<int>(per_process::cli_options->secure_heap_min))) {
+      case 0:
+        fprintf(stderr, "Unable to initialize openssl secure heap.\n");
+        break;
+      case 2:
+        // Not a fatal error but worthy of a warning.
+        fprintf(stderr, "Unable to memory map openssl secure heap.\n");
+        break;
+      case 1:
+        // OK!
+        break;
+    }
+  }
+#endif
+
 #ifdef NODE_FIPS_MODE
   /* Override FIPS settings in cnf file, if needed. */
   unsigned long err = 0;  // NOLINT(runtime/int)
@@ -617,6 +637,13 @@ void SecureBuffer(const FunctionCallbackInfo<Value>& args) {
   Local<ArrayBuffer> buffer = ArrayBuffer::New(env->isolate(), store);
   args.GetReturnValue().Set(Uint8Array::New(buffer, 0, len));
 }
+
+void SecureHeapUsed(const FunctionCallbackInfo<Value>& args) {
+  Environment* env = Environment::GetCurrent(args);
+  if (CRYPTO_secure_malloc_initialized())
+    args.GetReturnValue().Set(
+        BigInt::New(env->isolate(), CRYPTO_secure_used()));
+}
 }  // namespace
 
 namespace Util {
@@ -634,6 +661,7 @@ void Initialize(Environment* env, Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, kCryptoJobSync);
 
   env->SetMethod(target, "secureBuffer", SecureBuffer);
+  env->SetMethod(target, "secureHeapUsed", SecureHeapUsed);
 }
 }  // namespace Util
 
diff --git a/src/node_options.cc b/src/node_options.cc
index e90dcd93231fca..9f59e7ee4f8aa8 100644
--- a/src/node_options.cc
+++ b/src/node_options.cc
@@ -7,6 +7,8 @@
 
 #include <errno.h>
 #include <sstream>
+#include <limits>
+#include <algorithm>
 #include <cstdlib>  // strtoul, errno
 
 using v8::Boolean;
@@ -64,6 +66,20 @@ void PerProcessOptions::CheckOptions(std::vector<std::string>* errors) {
     errors->push_back("either --use-openssl-ca or --use-bundled-ca can be "
                       "used, not both");
   }
+
+  // Any value less than 2 disables use of the secure heap.
+  if (secure_heap >= 2) {
+    if ((secure_heap & (secure_heap - 1)) != 0)
+      errors->push_back("--secure-heap must be a power of 2");
+    secure_heap_min =
+        std::min({
+            secure_heap,
+            secure_heap_min,
+            static_cast<int64_t>(std::numeric_limits<int>::max())});
+    secure_heap_min = std::max(static_cast<int64_t>(2), secure_heap_min);
+    if ((secure_heap_min & (secure_heap_min - 1)) != 0)
+      errors->push_back("--secure-heap-min must be a power of 2");
+  }
 #endif
   if (use_largepages != "off" &&
       use_largepages != "on" &&
@@ -760,6 +776,14 @@ PerProcessOptionsParser::PerProcessOptionsParser(
             &PerProcessOptions::force_fips_crypto,
             kAllowedInEnvironment);
 #endif
+  AddOption("--secure-heap",
+            "total size of the OpenSSL secure heap",
+            &PerProcessOptions::secure_heap,
+            kAllowedInEnvironment);
+  AddOption("--secure-heap-min",
+            "minimum allocation size from the OpenSSL secure heap",
+            &PerProcessOptions::secure_heap_min,
+            kAllowedInEnvironment);
 #endif
   AddOption("--use-largepages",
             "Map the Node.js static code to large pages. Options are "
diff --git a/src/node_options.h b/src/node_options.h
index 84ee8e34bcafcf..555adb246a4b1c 100644
--- a/src/node_options.h
+++ b/src/node_options.h
@@ -236,6 +236,8 @@ class PerProcessOptions : public Options {
 #if HAVE_OPENSSL
   std::string openssl_config;
   std::string tls_cipher_list = DEFAULT_CIPHER_LIST_CORE;
+  int64_t secure_heap = 0;
+  int64_t secure_heap_min = 2;
 #ifdef NODE_OPENSSL_CERT_STORE
   bool ssl_openssl_cert_store = true;
 #else
diff --git a/test/parallel/test-crypto-secure-heap.js b/test/parallel/test-crypto-secure-heap.js
new file mode 100644
index 00000000000000..2a851019b5eb84
--- /dev/null
+++ b/test/parallel/test-crypto-secure-heap.js
@@ -0,0 +1,72 @@
+'use strict';
+
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+if (common.isWindows)
+  common.skip('Not supported on Windows');
+
+const assert = require('assert');
+const { fork } = require('child_process');
+const fixtures = require('../common/fixtures');
+const {
+  secureHeapUsed,
+  createDiffieHellman,
+} = require('crypto');
+
+if (process.argv[2] === 'child') {
+
+  const a = secureHeapUsed();
+
+  assert(a);
+  assert.strictEqual(typeof a, 'object');
+  assert.strictEqual(a.total, 65536);
+  assert.strictEqual(a.min, 4);
+  assert.strictEqual(a.used, 0);
+
+  {
+    const dh1 = createDiffieHellman(common.hasFipsCrypto ? 1024 : 256);
+    const p1 = dh1.getPrime('buffer');
+    const dh2 = createDiffieHellman(p1, 'buffer');
+    const key1 = dh1.generateKeys();
+    const key2 = dh2.generateKeys('hex');
+    dh1.computeSecret(key2, 'hex', 'base64');
+    dh2.computeSecret(key1, 'latin1', 'buffer');
+
+    const b = secureHeapUsed();
+    assert(b);
+    assert.strictEqual(typeof b, 'object');
+    assert.strictEqual(b.total, 65536);
+    assert.strictEqual(b.min, 4);
+    // The amount used can vary on a number of factors
+    assert(b.used > 0);
+    assert(b.utilization > 0.0);
+  }
+
+  return;
+}
+
+const child = fork(
+  process.argv[1],
+  ['child'],
+  { execArgv: ['--secure-heap=65536', '--secure-heap-min=4'] });
+
+child.on('exit', common.mustCall((code) => {
+  assert.strictEqual(code, 0);
+}));
+
+{
+  const child = fork(fixtures.path('a.js'), {
+    execArgv: ['--secure-heap=3', '--secure-heap-min=3'],
+    stdio: 'pipe'
+  });
+  let res = '';
+  child.on('exit', common.mustCall((code) => {
+    assert.notStrictEqual(code, 0);
+    assert.match(res, /--secure-heap must be a power of 2/);
+    assert.match(res, /--secure-heap-min must be a power of 2/);
+  }));
+  child.stderr.setEncoding('utf8');
+  child.stderr.on('data', (chunk) => res += chunk);
+}
diff --git a/test/parallel/test-process-env-allowed-flags-are-documented.js b/test/parallel/test-process-env-allowed-flags-are-documented.js
index 6f4537bd3e88fa..d830abb7ce4d51 100644
--- a/test/parallel/test-process-env-allowed-flags-are-documented.js
+++ b/test/parallel/test-process-env-allowed-flags-are-documented.js
@@ -43,8 +43,14 @@ for (const line of [...nodeOptionsLines, ...v8OptionsLines]) {
 const conditionalOpts = [
   { include: common.hasCrypto,
     filter: (opt) => {
-      return ['--openssl-config', '--tls-cipher-list', '--use-bundled-ca',
-              '--use-openssl-ca' ].includes(opt);
+      return [
+        '--openssl-config',
+        '--tls-cipher-list',
+        '--use-bundled-ca',
+        '--use-openssl-ca',
+        '--secure-heap',
+        '--secure-heap-min',
+      ].includes(opt);
     } },
   {
     // We are using openssl_is_fips from the configuration because it could be