From 255cd7e57218bee655eba90085de425a20d892b6 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Mon, 3 Jun 2019 11:48:25 -0700 Subject: [PATCH] tls: expose IETF name for current cipher suite MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit OpenSSL has its own legacy names, but knowing the IETF name is useful when trouble-shooting, or looking for more information on the cipher. PR-URL: https://github.com/nodejs/node/pull/30637 Reviewed-By: Colin Ihrig Reviewed-By: Tobias Nießen Reviewed-By: David Carlier Reviewed-By: Yorkie Liu Reviewed-By: Ben Noordhuis Reviewed-By: Anna Henningsen Reviewed-By: James M Snell Reviewed-By: Luigi Pinca --- doc/api/tls.md | 15 +++++++++++++-- src/env.h | 1 + src/node_crypto.cc | 3 +++ test/parallel/test-tls-getcipher.js | 4 ++++ test/parallel/test-tls-multi-key.js | 2 ++ test/parallel/test-tls-multi-pfx.js | 2 ++ 6 files changed, 25 insertions(+), 2 deletions(-) diff --git a/doc/api/tls.md b/doc/api/tls.md index 8fa601096bc779..7473c11a68b91f 100644 --- a/doc/api/tls.md +++ b/doc/api/tls.md @@ -827,16 +827,27 @@ changes: pr-url: https://github.com/nodejs/node/pull/26625 description: Return the minimum cipher version, instead of a fixed string (`'TLSv1/SSLv3'`). + - version: REPLACEME + pr-url: https://github.com/nodejs/node/pull/30637 + description: Return the IETF cipher name as `standardName`. --> * Returns: {Object} - * `name` {string} The name of the cipher suite. + * `name` {string} OpenSSL name for the cipher suite. + * `standardName` {string} IETF name for the cipher suite. * `version` {string} The minimum TLS protocol version supported by this cipher suite. Returns an object containing information on the negotiated cipher suite. -For example: `{ name: 'AES256-SHA', version: 'TLSv1.2' }`. +For example: +```json +{ + "name": "AES128-SHA256", + "standardName": "TLS_RSA_WITH_AES_128_CBC_SHA256", + "version": "TLSv1.2" +} +``` See [SSL_CIPHER_get_name](https://www.openssl.org/docs/man1.1.1/man3/SSL_CIPHER_get_name.html) diff --git a/src/env.h b/src/env.h index c25a03ea1e520a..b3f1243f77584b 100644 --- a/src/env.h +++ b/src/env.h @@ -351,6 +351,7 @@ constexpr size_t kFsStatsBufferLength = V(sni_context_string, "sni_context") \ V(source_string, "source") \ V(stack_string, "stack") \ + V(standard_name_string, "standardName") \ V(start_time_string, "startTime") \ V(status_string, "status") \ V(stdio_string, "stdio") \ diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 2d965bcbff5ea0..3f771793e2c874 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -2685,6 +2685,9 @@ void SSLWrap::GetCipher(const FunctionCallbackInfo& args) { const char* cipher_name = SSL_CIPHER_get_name(c); info->Set(context, env->name_string(), OneByteString(args.GetIsolate(), cipher_name)).Check(); + const char* cipher_standard_name = SSL_CIPHER_standard_name(c); + info->Set(context, env->standard_name_string(), + OneByteString(args.GetIsolate(), cipher_standard_name)).Check(); const char* cipher_version = SSL_CIPHER_get_version(c); info->Set(context, env->version_string(), OneByteString(args.GetIsolate(), cipher_version)).Check(); diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js index 624f8efd24ba6e..744276aa59bf37 100644 --- a/test/parallel/test-tls-getcipher.js +++ b/test/parallel/test-tls-getcipher.js @@ -52,6 +52,7 @@ server.listen(0, '127.0.0.1', common.mustCall(function() { }, common.mustCall(function() { const cipher = this.getCipher(); assert.strictEqual(cipher.name, 'AES128-SHA256'); + assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_128_CBC_SHA256'); assert.strictEqual(cipher.version, 'TLSv1.2'); this.end(); })); @@ -65,6 +66,8 @@ server.listen(0, '127.0.0.1', common.mustCall(function() { }, common.mustCall(function() { const cipher = this.getCipher(); assert.strictEqual(cipher.name, 'ECDHE-RSA-AES128-GCM-SHA256'); + assert.strictEqual(cipher.standardName, + 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256'); assert.strictEqual(cipher.version, 'TLSv1.2'); this.end(); })); @@ -86,6 +89,7 @@ tls.createServer({ }, common.mustCall(() => { const cipher = client.getCipher(); assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256'); + assert.strictEqual(cipher.standardName, cipher.name); assert.strictEqual(cipher.version, 'TLSv1.3'); client.end(); })); diff --git a/test/parallel/test-tls-multi-key.js b/test/parallel/test-tls-multi-key.js index c5e66f3980b999..b9eaa05d59feb6 100644 --- a/test/parallel/test-tls-multi-key.js +++ b/test/parallel/test-tls-multi-key.js @@ -157,6 +157,7 @@ function test(options) { }, common.mustCall(function() { assert.deepStrictEqual(ecdsa.getCipher(), { name: 'ECDHE-ECDSA-AES256-GCM-SHA384', + standardName: 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', version: 'TLSv1.2' }); assert.strictEqual(ecdsa.getPeerCertificate().subject.CN, eccCN); @@ -175,6 +176,7 @@ function test(options) { }, common.mustCall(function() { assert.deepStrictEqual(rsa.getCipher(), { name: 'ECDHE-RSA-AES256-GCM-SHA384', + standardName: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', version: 'TLSv1.2' }); assert.strictEqual(rsa.getPeerCertificate().subject.CN, rsaCN); diff --git a/test/parallel/test-tls-multi-pfx.js b/test/parallel/test-tls-multi-pfx.js index 3b0c0591822adc..c20376a82ad8a8 100644 --- a/test/parallel/test-tls-multi-pfx.js +++ b/test/parallel/test-tls-multi-pfx.js @@ -42,9 +42,11 @@ const server = tls.createServer(options, function(conn) { process.on('exit', function() { assert.deepStrictEqual(ciphers, [{ name: 'ECDHE-ECDSA-AES256-GCM-SHA384', + standardName: 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', version: 'TLSv1.2' }, { name: 'ECDHE-RSA-AES256-GCM-SHA384', + standardName: 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', version: 'TLSv1.2' }]); });