-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
tls: add option to override signature algorithms #29598
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good code-wise, /cc @nodejs/crypto
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, this has been requested a couple times.
Also, on freebsd:
Probably is not related to this PR (don't have a FreeBSD environment to tell for sure unfortunately). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The PR itself LGTM but I think it would be good to also have an API to query the signature algorithms.
node.js is indeed inconsistently sloppy with its treatment of falsy values, and the code here is internally consistent, but the sloppiness has caused problems in various APIs (26af728), and is slowly getting better (04633ee), but better type-checking can be semver-major, so I'd prefer we not introduce new code that allows |
@bnoordhuis Thank you, I missed that function, added a better test. Other fixes coming soon. |
OK, I believe everything is fixed now. Arrays of sigalgs are still not supported though, I understand it was optional (and should better go together with the respective fix for |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A couple nits, but looks pretty good, almost ready to land.
The travis failure looks completely unrelated, I kicked of a full CI. @nodejs/streams , FYI:
|
@addaleax Thank you for the review, all should be fixed now. |
I think this is still missing :) We generally document when a new option has been added, so that people can figure out what versions provide a certain functionality. |
Done, thank you. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sam-github Can you take another look? This seems ready to me.
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>
The Jenkins failure is because of the error @addaleax pointed me to, needs restarting. |
Not sure what these |
Landed in 0c32ca9 |
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <agerasimov@twilio.com> PR-URL: #29598 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Thanks for the contribution! 🎉 |
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <agerasimov@twilio.com> PR-URL: #29598 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Notable changes: * crypto: * Add `oaepLabel` option #29489 * deps: * Update V8 to 7.7.299.11 #28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` #29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` #29260 * inspector: * New API - `Session.connectToMainThread` #28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` #28960 * stream: * Make `_write()` optional when `_writev()` is implemented #29639 * tls: * Add option to override signature algorithms #29598 * util: * Add `encodeInto` to `TextEncoder` #29524 * worker: * The `worker_thread` module is now stable #29512
Passes the list down to SSL_CTX_set1_sigalgs_list. Option to get the list of shared signature algorithms from a TLS socket added as well for testing. Signed-off-by: Anton Gerasimov <agerasimov@twilio.com> PR-URL: #29598 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net>
Notable changes: * crypto: * Add `oaepLabel` option #29489 * deps: * Update V8 to 7.7.299.11 #28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` #29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` #29260 * inspector: * New API - `Session.connectToMainThread` #28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` #28960 * stream: * Make `_write()` optional when `_writev()` is implemented #29639 * tls: * Add option to override signature algorithms #29598 * util: * Add `encodeInto` to `TextEncoder` #29524 * worker: * The `worker_thread` module is now stable #29512 PR-URL: #29695
Notable changes: * crypto: * Add `oaepLabel` option #29489 * deps: * Update V8 to 7.7.299.11 #28918 * More efficient memory handling * Stack trace serialization got faster * The `Intl.NumberFormat` API gained new functionality * For more information: https://v8.dev/blog/v8-release-77 * events: * Add support for `EventTarget` in `once` #29498 * fs: * Expose memory file mapping flag `UV_FS_O_FILEMAP` #29260 * inspector: * New API - `Session.connectToMainThread` #28870 * process: * Initial SourceMap support via `env.NODE_V8_COVERAGE` #28960 * stream: * Make `_write()` optional when `_writev()` is implemented #29639 * tls: * Add option to override signature algorithms #29598 * util: * Add `encodeInto` to `TextEncoder` #29524 * worker: * The `worker_thread` module is now stable #29512 PR-URL: #29695
Node.js recently added an option to override signature algorithms in nodejs/node#29598 which make use of several NIDs and SSL_get_shared_sigalgs. This CL adds NIDs for Ed448 (but does not implement it) and a shim function for SSL_get_shared_sigalgs that simply returns 0. This enables Electron to reduce its patch surface. Change-Id: I833d30b0248ca68ebce4767dd58d5f087fd1e18e Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38404 Reviewed-by: David Benjamin <davidben@google.com> Commit-Queue: David Benjamin <davidben@google.com>
Passes the list down to SSL_CTX_set1_sigalgs_list.
My use case for this is using crypto hardware that has limited support for different algorithms (e.g. no
RSA-PSS
or no MD hashes) through an OpenSSL engine (enabled in another PR).Can have other applications like hardening the server by disallowing short hashes, or disabling RSA-PKCS1 even when connecting via tls v1.2.