-
Notifications
You must be signed in to change notification settings - Fork 29.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support both OpenSSL 1.1.0 and 1.0.2 #16130
Commits on Nov 2, 2017
-
crypto: use X509_STORE_CTX_new
In OpenSSL 1.1.0, X509_STORE_CTX is opaque and thus cannot be stack-allocated. This works in OpenSSL 1.1.0 and 1.0.2. Adapted from PR
Configuration menu - View commit details
-
Copy full SHA for 684e25c - Browse repository at this point
Copy the full SHA 684e25cView commit details -
crypto: make node_crypto_bio 1.1.0-compatible.
This is cherry-picked from PR nodejs#8491 and then tidied up. The original had an unnecessarily large diff and messed up some public/private bits.
Configuration menu - View commit details
-
Copy full SHA for e9e70ba - Browse repository at this point
Copy the full SHA e9e70baView commit details -
crypto: estimate kExternalSize based on a build of OpenSSL 1.1.0f.
The exact sizes are not particularly important (the original value was missing all the objects hanging off anyway), only that V8 garbage collector be aware that there is some memory usage beyond the sockets themselves.
Configuration menu - View commit details
-
Copy full SHA for 2e11a4b - Browse repository at this point
Copy the full SHA 2e11a4bView commit details -
crypto: remove unnecessary SSLerr calls
These are OpenSSL-internal APIs that are no longer accessible in 1.1.0 and weren't necessary. OpenSSL will push its own errors and, if it doesn't, the calling code would handle it anyway.
Configuration menu - View commit details
-
Copy full SHA for f7cc8d4 - Browse repository at this point
Copy the full SHA f7cc8d4View commit details -
crypto: account for new 1.1.0 SSL APIs
This is cherry-picked from PR nodejs#8491 and tidied up. This change does *not* account for the larger ticket key in OpenSSL 1.1.0. That will be done in a follow-up commit as the 48-byte ticket key is part of Node's public API.
Configuration menu - View commit details
-
Copy full SHA for 382ffc7 - Browse repository at this point
Copy the full SHA 382ffc7View commit details -
crypto: test DiffieHellman keys work without a public half.
Add a regression test for openssl/openssl#4384.
Configuration menu - View commit details
-
Copy full SHA for 4b51882 - Browse repository at this point
Copy the full SHA 4b51882View commit details -
crypto: use RSA and DH accessors.
Parts of this were cherry-picked from PR nodejs#8491. Note that this only works with OpenSSL 1.0.2 or 1.1.0g or later. 1.1.0g is, as of writing, not yet released, but the fix is on the branch. See openssl/openssl#4384.
Configuration menu - View commit details
-
Copy full SHA for 4db2314 - Browse repository at this point
Copy the full SHA 4db2314View commit details -
crypto: no need for locking callbacks in OpenSSL 1.1.0.
The callbacks are all no-ops in OpenSSL 1.1.0. This isn't necessary (the functions still exist for compatibility), but silences some warnings and avoids allocating a few unused mutexes.
Configuration menu - View commit details
-
Copy full SHA for 17d6752 - Browse repository at this point
Copy the full SHA 17d6752View commit details -
crypto: make CipherBase 1.1.0-compatible
In OpenSSL 1.1.0, EVP_CIPHER_CTX must be heap-allocated. Once we're heap-allocating them, there's no need in a separate initialised_ bit. The presence of ctx_ is sufficient.
Configuration menu - View commit details
-
Copy full SHA for cbf147f - Browse repository at this point
Copy the full SHA cbf147fView commit details -
crypto: make Hash 1.1.0-compatible
Likewise, 1.1.0 requires EVP_MD_CTX be heap-allocated.
Configuration menu - View commit details
-
Copy full SHA for 9947d57 - Browse repository at this point
Copy the full SHA 9947d57View commit details -
crypto: make SignBase compatible with OpenSSL 1.1.0
1.1.0 requires EVP_MD_CTX be heap-allocated. In doing so, move the Init and Update hooks to shared code because they are the same between Verify and Sign.
Configuration menu - View commit details
-
Copy full SHA for 95f56be - Browse repository at this point
Copy the full SHA 95f56beView commit details -
crypto: Make Hmac 1.1.0-compatible
1.1.0 requries HMAC_CTX be heap-allocated.
Configuration menu - View commit details
-
Copy full SHA for e2f6b96 - Browse repository at this point
Copy the full SHA e2f6b96View commit details -
crypto: add compatibility logic for "DSS1" and "dss1"
In OpenSSL 1.1.0, EVP_dss1() is removed. These hash names were exposed in Node's public API, so add compatibility hooks for them.
Configuration menu - View commit details
-
Copy full SHA for 52a4334 - Browse repository at this point
Copy the full SHA 52a4334View commit details -
crypto: hard-code tlsSocket.getCipher().version
This align the documentation with reality. This API never did what Node claims it did. The SSL_CIPHER_get_version function just isn't useful. In OpenSSL 1.0.2, it always returned the string "TLSv1/SSLv3" for anything but SSLv2 ciphers, which Node does not support. Note how test-tls-multi-pfx.js claims that ECDHE-ECDSA-AES256-GCM-SHA384 was added in TLSv1/SSLv3 which is not true. That cipher is new as of TLS 1.2. The OpenSSL 1.0.2 implementation is: char *SSL_CIPHER_get_version(const SSL_CIPHER *c) { int i; if (c == NULL) return ("(NONE)"); i = (int)(c->id >> 24L); if (i == 3) return ("TLSv1/SSLv3"); else if (i == 2) return ("SSLv2"); else return ("unknown"); } In OpenSSL 1.1.0, SSL_CIPHER_get_version changed to actually behave as Node documented it, but this changes the semantics of the function and breaks tests. The cipher's minimum protocol version is not a useful notion to return to the caller here, so just hardcode the string at "TLSv1/SSLv3" and document it as legacy.
Configuration menu - View commit details
-
Copy full SHA for 8b0b970 - Browse repository at this point
Copy the full SHA 8b0b970View commit details -
test: update test expectations for OpenSSL 1.1.0.
Some errors in the two versions are different. The test-tls-no-sslv3 one because OpenSSL 1.1.x finally does version negotiation properly. 1.0.x's logic was somewhat weird and resulted in very inconsistent errors for SSLv3 in particular. Also the function codes are capitalized differently, but function codes leak implementation details, so don't assert on them to begin with.
Configuration menu - View commit details
-
Copy full SHA for 974dd52 - Browse repository at this point
Copy the full SHA 974dd52View commit details -
test: remove sha from test expectations.
"sha" in OpenSSL refers to SHA-0 which was removed from OpenSSL 1.1.0 and is insecure. Replace it with SHA-256 which is present in both 1.0.2 and 1.1.0. Short of shipping a reimplementation in Node, this is an unavoidable behavior change with 1.1.0.
Configuration menu - View commit details
-
Copy full SHA for 272fcbc - Browse repository at this point
Copy the full SHA 272fcbcView commit details -
crypto: emulate OpenSSL 1.0.x ticket scheme in 1.1.x
OpenSSL 1.0.x used a 48-byte ticket key, but OpenSSL 1.1.x made it larger by using a larger HMAC-SHA256 key and using AES-256-CBC to encrypt. However, Node's public API exposes the 48-byte key. Implement the ticket key callback to restore the OpenSSL 1.0.x behavior.
Configuration menu - View commit details
-
Copy full SHA for 4fc521a - Browse repository at this point
Copy the full SHA 4fc521aView commit details -
test: test with a larger RSA key
OpenSSL 1.1.0 rejects RSA keys smaller than 1024 bits by default. Fix the tests to use larger ones. This test only cares that the PEM blob be missing a trailing newline. Certificate adapted from test/fixtures/cert.pem.
Configuration menu - View commit details
-
Copy full SHA for 6b49375 - Browse repository at this point
Copy the full SHA 6b49375View commit details -
test: revise test-tls-econnreset
This test is testing what happens to the server if the client shuts off the connection (so the server sees ECONNRESET), but the way it does it is convoluted. It uses a static RSA key exchange with a tiny (384-bit) RSA key. The server doesn't notice (since it is static RSA, the client acts on the key first), so the client tries to encrypt a premaster and fails: rsa routines:RSA_padding_add_PKCS1_type_2:data too large for key size SSL routines:ssl3_send_client_key_exchange:bad rsa encrypt OpenSSL happens not to send an alert in this case, so we get ECONNRESET with no alert. This is quite fragile and, notably, breaks in OpenSSL 1.1.0 now that small RSA keys are rejected by libssl. Instead, test by just connecting a TCP socket and immediately closing it.
Configuration menu - View commit details
-
Copy full SHA for b98fb15 - Browse repository at this point
Copy the full SHA b98fb15View commit details -
crypto: don't call deprecated ECDH APIs in 1.1.0
These are both no-ops in OpenSSL 1.1.0.
Configuration menu - View commit details
-
Copy full SHA for f913eae - Browse repository at this point
Copy the full SHA f913eaeView commit details -
test: configure certs in tests
OpenSSL 1.1.0 disables anonymous ciphers unless building with enable-weak-crypto. Avoid unnecessary dependencies on these ciphers in tests.
Configuration menu - View commit details
-
Copy full SHA for 6e1033b - Browse repository at this point
Copy the full SHA 6e1033bView commit details -
test: fix test-https-agent-session-eviction for 1.1.0
This test is testing the workaround for an OpenSSL 1.0.x bug, which was fixed in 1.1.0. With the bug fixed, the test expectations need to change slightly.
Configuration menu - View commit details
-
Copy full SHA for af94ddd - Browse repository at this point
Copy the full SHA af94dddView commit details -
crypto: make ALPN behave the same in 1.0.2 and 1.1.0
This is kind of hairy. OpenSSL 1.0.2 ignored the return value and always treated everything as SSL_TLSEXT_ERR_NOACK (so the comment was wrong and Node was never sending a warning alert). OpenSSL 1.1.0 honors SSL_TLSEXT_ERR_NOACK vs SSL_TLSEXT_ERR_FATAL_ALERT and treats everything unknown as SSL_TLSEXT_ERR_FATAL_ALERT. Since this is a behavior change (tests break too), start by aligning everything on SSL_TLSEXT_ERR_NOACK. If sending no_application_protocol is desirable in the future, this can by changed to SSL_TLSEXT_ERR_FATAL_ALERT with whatever deprecation process is appropriate. However, note that, contrary to https://rt.openssl.org/Ticket/Display.html?id=3463#txn-54498, SSL_TLSEXT_ERR_FATAL_ALERT is *not* useful to a server with no fallback protocol. Even if such mismatches were rejected, such a server must *still* account for the fallback protocol case when the client does not advertise ALPN at all. Thus this may not be worth bothering.
Configuration menu - View commit details
-
Copy full SHA for 8c432ee - Browse repository at this point
Copy the full SHA 8c432eeView commit details -
crypto: clear some easy SSL_METHOD deprecation warnings
Fixing the rest will be rather involved. I think the cleanest option is to deprecate the method string APIs which are weird to begin with.
Configuration menu - View commit details
-
Copy full SHA for 4bdd2b1 - Browse repository at this point
Copy the full SHA 4bdd2b1View commit details -
test: fix flakiness in test-http2-create-client-connect
The first group of tests makes one more connection and leave the server alive for longer. Otherwise the test is just catching that the server has closed the socket, depending on timing. This does not quite make the test pass yet, however. There are some quirks with how the http2 code handles errors which actually affect 1.0.2 as well.
Configuration menu - View commit details
-
Copy full SHA for 61f5494 - Browse repository at this point
Copy the full SHA 61f5494View commit details -
crypto: deprecate {ecdhCurve: false}.
This doesn't work in OpenSSL 1.1.0. Per discussion on the PR, it is preferable to just deprecate this setting. Deprecate it and skip the test in OpenSSL 1.1.0.
Configuration menu - View commit details
-
Copy full SHA for b1f5264 - Browse repository at this point
Copy the full SHA b1f5264View commit details