@mscdex @bnoordhuis Note last commit, all the checks for DH_NOT_SUITABLE_GENERATOR in test/parallel/test-crypto-dh.js fail with openssl 1.1.1d, because of the removal in openssl/openssl#9363 of https://github.com/openssl/openssl/blob/2500c093aa1e9c90c11c415053c0a27a00661d0d/crypto/dh/dh_check.c#L143-L154

https://github.com/bernd-edlinger/openssl/blob/9087476b536dd13fe99fdd36773234923cea78bb/CHANGES#L12-L16 describes this a security improvement, to avoid leaking data, as well as

The main motivation for this was that RFC 7919 parameters use an order q subgroup as well,
but those did not pass the DH_check sanity test, however those parameters are perfectly sane.

• Change DH parameters to generate the order q subgroup instead of 2q openssl/openssl#9363 (comment)

In Node.js, the tests have been refactored multiple times, but the original code was introduced by @mscdex in nodejs/node-v0.x-archive#7086 in response to a feature request, nodejs/node-v0.x-archive#2338

@bnoordhuis and others had concerns that simply allowing these params was risky, thus the exposure of the verification codes for (elective) sanity checks. Those checks don't appear possible anymore.

I find literally zero use of this error code, or even the property, in the rest of the Node.js code base, so we have no internal dependency on it. I don't pretend to knowing enough group theory to understand what's at issue here.

Should I simply remove the tests, as in the last WIP commit, or should I report this upstream to OpenSSL, or something else?

/to @nodejs/crypto

CI: https://ci.nodejs.org/job/node-test-pull-request/25480/

in response to a feature request, nodejs/node-v0.x-archive#2338

My PR was a response to my own feature request here. My reference to that other issue was in discussion about handling of the 'error' or OpenSSL errors in general.

I don't personally use verifyError, but as long as the accepting of custom generators is still allowed like before, I'm happy.

@mscdex thanks for the references.

Are you OK with the changes in 9607205, to just ignore the code since it never is set?

I don't know enough about it to be sure, it could be that the generator values in the tests have to be updated in order to trigger DH_NOT_SUITABLE_GENERATOR?

This avoids leaking bit 0 of the private key.

I'm not sure I understand openssl/openssl#9363: bit 0 is always 1 because it's a prime > 2, isn't it?

Apropos the DH_NOT_SUITABLE_GENERATOR tests, we can either:

1. remove them
2. use different values (i.e., g=2 and g=5 don't work anymore but g=1 or g>p still should)
3. do the modulo checks ourselves (in C++ or in BigInt JS land), at least for now

This PR is supposed to eventually end up in the LTS branch, right? That would make (3) the most attractive for BC reasons but I'm willing to be convinced I'm wrong. :-)

cc @tniessen - perhaps you have an opinion?

I polled OpenSSL for a comment: openssl/openssl#9363 (comment)

I'm averse to indefinitely floating changes on OpenSSL that reverse their API decisions without a very, very compelling reason (which would beg the question of why the change isn't pushed back to OpenSSL).

So, there is a 4th/5th option:

4.:

• use different generators in master so code paths are tested
• use a compatibility patch on 10.x and 12.x so they have no change in behaviour, but the patch will EOL when the respective LTS release lines EOL

5. Do 4, minus the patch, and only add the patch if someone actually notices and cares.

My impression from reading the code and discussion is that the feature allows uses of DH generators in a way that that the code isn't meaningful to, and that for the unsafe params the API isn't used, so doesn't help much. In other words -- anyone using custom DH params probably knows what they are doing already.

I would argue that this is not an API change, but a bug fix in OpenSSL. It used to return that it's not a suitable generator while it was.

As I understand this, the feature request was to make it possible to load keys that OpenSSL used to reject, but now accepts.

CI: https://ci.nodejs.org/job/node-test-pull-request/25522/

CI: https://ci.nodejs.org/job/node-test-pull-request/25527/

LGTM but note that this breaks the ubuntu1604_sharedlibs_openssl111_x64 buildbot for obvious reasons.

I don't have good suggestions on what to do here. 16.04 ships openssl 1.02 so that means the shared library build is one we provide ourselves? Can we upgrade it when this PR is merged?

The sharedlibs builds run in a docker container defined in https://github.com/nodejs/build/blob/master/ansible/roles/docker/templates/ubuntu1604_sharedlibs.Dockerfile.j2. Currently we're using 1.1.1b (for openssl 1.1.1). If we update it to 1.1.1d will things break before this PR lands on all release lines that currently run in that container?

Yes, I noticed the breakage. I'm not exactly sure what to do, its kindof tough when openssl changes behaviour mid-release line. My temptation would be to rewrite the tests so they pass against openssl 1.1.1c and before, as well as openssl 1.1.1d and later. The docker sharedlib test failure is valid, IMO, we should either fix it, or remove that test from CI if we don't care.

Version-sniffing process.versions.openssl is an option. Another is to take the buildbot offline until all release lines have upgraded.

(I'm not saying that's the best option, mind you, but it's an option.)

CI: https://ci.nodejs.org/job/node-test-pull-request/25586/

CI: https://ci.nodejs.org/job/node-test-pull-request/25607/

CI: https://ci.nodejs.org/job/node-test-pull-request/25649/

@nodejs/crypto needs another reviewer

@nodejs/crypto -- needs one more review, please

cc: @nodejs/tsc

Thanks @addaleax

Landed in 7ce316e...3473e58