From a5034702f5189426939af760b11a039a8cbf5f63 Mon Sep 17 00:00:00 2001
From: Mateusz Krawczuk
Date: Wed, 17 Jun 2020 17:29:06 +0200
Subject: [PATCH] crypto: add OP flag constants added in OpenSSL v1.1.1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs/node/pull/33929
Reviewed-By: James M Snell
Reviewed-By: Alba Mendez
Reviewed-By: Tobias Nießen
---
 doc/api/crypto.md | 25 +++++++++++++++++++++++++
 src/node_constants.cc | 20 ++++++++++++++++++++
 2 files changed, 45 insertions(+)
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 17c2e26d9569d1..13048337e0ba66 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3184,6 +3184,11 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL. https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail. + + SSL_OP_ALLOW_NO_DHE_KEX + Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode + for TLS v1.3 + SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Allows legacy insecure renegotiation between OpenSSL and unpatched
@@ -3256,10 +3261,18 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL. SSL_OP_NO_COMPRESSION Instructs OpenSSL to disable support for SSL/TLS compression. + + SSL_OP_NO_ENCRYPT_THEN_MAC + Instructs OpenSSL to disable encrypt-then-MAC. + SSL_OP_NO_QUERY_MTU + + SSL_OP_NO_RENEGOTIATION + Instructs OpenSSL to disable renegotiation. + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION Instructs OpenSSL to always start a new session when performing
@@ -3288,6 +3301,10 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL. SSL_OP_NO_TLSv1_2 Instructs OpenSSL to turn off TLS v1.2 + + + SSL_OP_NO_TLSv1_3 + Instructs OpenSSL to turn off TLS v1.3 SSL_OP_PKCS1_CHECK_1
@@ -3296,6 +3313,14 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL. SSL_OP_PKCS1_CHECK_2 + + SSL_OP_PRIORITIZE_CHACHA + Instructs OpenSSL server to prioritize ChaCha20Poly1305 + when client does. + This option has no effect if + SSL_OP_CIPHER_SERVER_PREFERENCE + is not enabled. + SSL_OP_SINGLE_DH_USE Instructs OpenSSL to always create a new key when using
diff --git a/src/node_constants.cc b/src/node_constants.cc
index 5d99fa181a0472..38c8f2738b4bad 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -806,6 +806,10 @@ void DefineCryptoConstants(Local target) {
   NODE_DEFINE_CONSTANT(target, SSL_OP_ALL);
 #endif
 
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX
+  NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_NO_DHE_KEX);
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
   NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
 #endif
@@ -870,10 +874,18 @@ void DefineCryptoConstants(Local target) {
   NODE_DEFINE_CONSTANT(target, SSL_OP_NO_COMPRESSION);
 #endif
 
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
+  NODE_DEFINE_CONSTANT(target, SSL_OP_NO_ENCRYPT_THEN_MAC);
+#endif
+
 #ifdef SSL_OP_NO_QUERY_MTU
   NODE_DEFINE_CONSTANT(target, SSL_OP_NO_QUERY_MTU);
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+  NODE_DEFINE_CONSTANT(target, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
   NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
@@ -902,6 +914,10 @@ void DefineCryptoConstants(Local target) {
   NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_2);
 #endif
 
+#ifdef SSL_OP_NO_TLSv1_3
+  NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_3);
+#endif
+
 #ifdef SSL_OP_PKCS1_CHECK_1
   NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_1);
 #endif
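Review bot: Each new constant is wrapped in an `#ifdef` (here `SSL_OP_ALLOW_NO_DHE_KEX`, and likewise `SSL_OP_NO_ENCRYPT_THEN_MAC` and `SSL_OP_NO_RENEGOTIATION` in the `@@ -870` hunk, `SSL_OP_NO_TLSv1_3` in the `@@ -902` hunk and `SSL_OP_PRIORITIZE_CHACHA` in the `@@ -910` hunk), so on a Node build linked against an OpenSSL older than 1.1.1 the property is presumably simply missing from `crypto.constants`, and a caller that OR-s the missing value into its secure options gets the default behaviour (for example renegotiation still enabled) rather than an error. That fail-open matches the file's existing pattern for the other `SSL_OP_*` flags, so the guards themselves look fine, but nothing on the C++ side or in the documentation hunks says these five constants are version-dependent. I would add a comment above the first new guard, `// SSL_OP_* flags below were introduced in OpenSSL 1.1.1 and are omitted on older builds.`, and have the crypto.md entries note that callers should verify the constant is defined before relying on it. `DefineCryptoConstants` begins and ends outside these hunks.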
@@ -910,6 +926,10 @@ void DefineCryptoConstants(Local target) {
   NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_2);
 #endif
 
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+  NODE_DEFINE_CONSTANT(target, SSL_OP_PRIORITIZE_CHACHA);
+#endif
+
 #ifdef SSL_OP_SINGLE_DH_USE
   NODE_DEFINE_CONSTANT(target, SSL_OP_SINGLE_DH_USE);
 #endif