tls: add option to override signature algorithms #29598
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
c++
addaleax
reviewed
Sep 18, 2019
sam-github
added
the
semver-minor
sam-github
suggested changes
Sep 18, 2019
|
Also, on freebsd: Probably is not related to this PR (don't have a FreeBSD environment to tell for sure unfortunately). |
bnoordhuis
approved these changes
Sep 18, 2019
|
node.js is indeed inconsistently sloppy with its treatment of falsy values, and the code here is internally consistent, but the sloppiness has caused problems in various APIs (26af728), and is slowly getting better (04633ee), but better type-checking can be semver-major, so I'd prefer we not introduce new code that allows |
|
@bnoordhuis Thank you, I missed that function, added a better test. Other fixes coming soon. |
|
OK, I believe everything is fixed now. Arrays of sigalgs are still not supported though, I understand it was optional (and should better go together with the respective fix for |
sam-github
reviewed
Sep 20, 2019
|
The travis failure looks completely unrelated, I kicked of a full CI. @nodejs/streams , FYI: |
addaleax
approved these changes
Sep 20, 2019
|
@addaleax Thank you for the review, all should be fixed now. |
I think this is still missing :) We generally document when a new option has been added, so that people can figure out what versions provide a certain functionality. |
|
Done, thank you. |
addaleax
reviewed
Sep 23, 2019
There was a problem hiding this comment.
@sam-github Can you take another look? This seems ready to me.
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <[email protected]>
|
The Jenkins failure is because of the error @addaleax pointed me to, needs restarting. |
|
Not sure what these |
sam-github
approved these changes
Sep 23, 2019
|
Landed in 0c32ca9 |
Trott
pushed a commit
that referenced
this pull request
Sep 24, 2019
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <[email protected]> PR-URL: #29598 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
|
Thanks for the contribution! 🎉 |
BridgeAR
pushed a commit
that referenced
this pull request
Sep 24, 2019
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <[email protected]> PR-URL: #29598 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
BridgeAR
added a commit
that referenced
this pull request
Sep 24, 2019
Notable changes: * crypto: * Add `oaepLabel` option #29489 * deps: * Update V8 to 7.7.299.11 #28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` #29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` #29260 * inspector: * New API - `Session.connectToMainThread` #28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` #28960 * stream: * Make `_write()` optional when `_writev()` is implemented #29639 * tls: * Add option to override signature algorithms #29598 * util: * Add `encodeInto` to `TextEncoder` #29524 * worker: * The `worker_thread` module is now stable #29512
Merged
BridgeAR
pushed a commit
that referenced
this pull request
Sep 25, 2019
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <[email protected]> PR-URL: #29598 Reviewed-By: Sam Roberts <[email protected]> Reviewed-By: Ben Noordhuis <[email protected]> Reviewed-By: Anna Henningsen <[email protected]>
BridgeAR
added a commit
that referenced
this pull request
Sep 25, 2019
Notable changes: * crypto: * Add `oaepLabel` option #29489 * deps: * Update V8 to 7.7.299.11 #28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` #29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` #29260 * inspector: * New API - `Session.connectToMainThread` #28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` #28960 * stream: * Make `_write()` optional when `_writev()` is implemented #29639 * tls: * Add option to override signature algorithms #29598 * util: * Add `encodeInto` to `TextEncoder` #29524 * worker: * The `worker_thread` module is now stable #29512 PR-URL: #29695
BridgeAR
added a commit
that referenced
this pull request
Sep 25, 2019
Notable changes: * crypto: * Add `oaepLabel` option #29489 * deps: * Update V8 to 7.7.299.11 #28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` #29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` #29260 * inspector: * New API - `Session.connectToMainThread` #28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` #28960 * stream: * Make `_write()` optional when `_writev()` is implemented #29639 * tls: * Add option to override signature algorithms #29598 * util: * Add `encodeInto` to `TextEncoder` #29524 * worker: * The `worker_thread` module is now stable #29512 PR-URL: #29695
This was referenced Sep 25, 2019
ghost
mentioned this pull request
agl
pushed a commit
to google/boringssl
that referenced
this pull request
Oct 22, 2019
Node.js recently added an option to override signature algorithms in nodejs/node#29598 which make use of several NIDs and SSL_get_shared_sigalgs. This CL adds NIDs for Ed448 (but does not implement it) and a shim function for SSL_get_shared_sigalgs that simply returns 0. This enables Electron to reduce its patch surface. Change-Id: I833d30b0248ca68ebce4767dd58d5f087fd1e18e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38404 Reviewed-by: David Benjamin <[email protected]> Commit-Queue: David Benjamin <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Passes the list down to SSL_CTX_set1_sigalgs_list.
My use case for this is using crypto hardware that has limited support for different algorithms (e.g. no
RSA-PSSor no MD hashes) through an OpenSSL engine (enabled in another PR).Can have other applications like hardening the server by disallowing short hashes, or disabling RSA-PKCS1 even when connecting via tls v1.2.