Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

tls: add option to override signature algorithms #29598

Closed
wants to merge 1 commit into from

Conversation

OYTIS
Copy link
Contributor

@OYTIS OYTIS commented Sep 18, 2019

Passes the list down to SSL_CTX_set1_sigalgs_list.

My use case for this is using crypto hardware that has limited support for different algorithms (e.g. no RSA-PSS or no MD hashes) through an OpenSSL engine (enabled in another PR).

Can have other applications like hardening the server by disallowing short hashes, or disabling RSA-PKCS1 even when connecting via tls v1.2.

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. labels Sep 18, 2019
Copy link
Member

@addaleax addaleax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good code-wise, /cc @nodejs/crypto

doc/api/tls.md Show resolved Hide resolved
@sam-github sam-github added the semver-minor PRs that contain new features and should be released in the next minor version. label Sep 18, 2019
Copy link
Contributor

@sam-github sam-github left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, this has been requested a couple times.

doc/api/tls.md Outdated Show resolved Hide resolved
lib/_tls_common.js Outdated Show resolved Hide resolved
doc/api/tls.md Show resolved Hide resolved
lib/_tls_wrap.js Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
test/parallel/test-tls-set-sigalgs.js Outdated Show resolved Hide resolved
test/parallel/test-tls-set-sigalgs.js Outdated Show resolved Hide resolved
@nodejs-github-bot
Copy link
Collaborator

@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 18, 2019

Also, on freebsd:

17:33:56 not ok 2319 parallel/test-worker-message-port-message-before-close
17:33:56   ---
17:33:56   duration_ms: 120.81
17:33:56   severity: fail
17:33:56   exitcode: -15
17:33:56   stack: |-
17:33:56     timeout
17:33:56   ...

Probably is not related to this PR (don't have a FreeBSD environment to tell for sure unfortunately).

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The PR itself LGTM but I think it would be good to also have an API to query the signature algorithms.

src/node_crypto.cc Outdated Show resolved Hide resolved
test/parallel/test-tls-set-sigalgs.js Outdated Show resolved Hide resolved
@sam-github
Copy link
Contributor

node.js is indeed inconsistently sloppy with its treatment of falsy values, and the code here is internally consistent, but the sloppiness has caused problems in various APIs (26af728), and is slowly getting better (04633ee), but better type-checking can be semver-major, so I'd prefer we not introduce new code that allows 0 and false to be accepted (and silently ignored) by an argument with a documented type of STRING.

@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 19, 2019

@bnoordhuis Thank you, I missed that function, added a better test.

Other fixes coming soon.

@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 20, 2019

OK, I believe everything is fixed now. Arrays of sigalgs are still not supported though, I understand it was optional (and should better go together with the respective fix for ciphers). CI failure seems unrelated.

Copy link
Contributor

@sam-github sam-github left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A couple nits, but looks pretty good, almost ready to land.

doc/api/tls.md Outdated Show resolved Hide resolved
doc/api/tls.md Show resolved Hide resolved
lib/_tls_common.js Outdated Show resolved Hide resolved
lib/_tls_wrap.js Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
@nodejs-github-bot
Copy link
Collaborator

@sam-github
Copy link
Contributor

The travis failure looks completely unrelated, I kicked of a full CI.

@nodejs/streams , FYI:

=== release test-stream-writable-write-writev-finish ===
272Path: parallel/test-stream-writable-write-writev-finish
273--- stderr ---
274assert.js:129
275  throw err;
276  ^
277
278AssertionError [ERR_ASSERTION]: function should not have been called at /home/travis/build/nodejs/node/test/parallel/test-stream-writable-write-writev-finish.js:18
279    at Writable.mustNotCall (/home/travis/build/nodejs/node/test/common/index.js:429:12)
280    at Writable.emit (events.js:209:13)
281    at prefinish (_stream_writable.js:645:14)
282    at finishMaybe (_stream_writable.js:653:5)
283    at endWritable (_stream_writable.js:673:3)
284    at Writable.end (_stream_writable.js:596:5)
285    at Object.<anonymous> (/home/travis/build/nodejs/node/test/parallel/test-stream-writable-write-writev-finish.js:23:12)
286    at Module._compile (internal/modules/cjs/loader.js:943:30)
287    at Object.Module._extensions..js (internal/modules/cjs/loader.js:960:10)
288    at Module.load (internal/modules/cjs/loader.js:796:32) {
289  generatedMessage: false,
290  code: 'ERR_ASSERTION',
291  actual: undefined,
292  expected: undefined,
293  operator: 'fail'
294}
295Command: out/Release/node /home/travis/build/nodejs/node/test/parallel/test-stream-writable-write-writev-finish.js

src/node_crypto.cc Outdated Show resolved Hide resolved
src/node_crypto.cc Outdated Show resolved Hide resolved
doc/api/tls.md Show resolved Hide resolved
@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 23, 2019

@addaleax Thank you for the review, all should be fixed now.

@addaleax
Copy link
Member

and please also add an entry to the top of the changes section for tls.createSecureContext() below.

I think this is still missing :) We generally document when a new option has been added, so that people can figure out what versions provide a certain functionality.

@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 23, 2019

Done, thank you.

Copy link
Member

@addaleax addaleax left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@sam-github Can you take another look? This seems ready to me.

doc/api/tls.md Outdated Show resolved Hide resolved
@nodejs-github-bot
Copy link
Collaborator

Passes the list down to SSL_CTX_set1_sigalgs_list.

Option to get the list of shared signature algorithms
from a TLS socket added as well for testing.

Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>
@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 23, 2019

The Jenkins failure is because of the error @addaleax pointed me to, needs restarting.

@nodejs-github-bot
Copy link
Collaborator

@OYTIS
Copy link
Contributor Author

OYTIS commented Sep 23, 2019

Not sure what these *linked* tests are, but it seems these results are also old.

@Trott
Copy link
Member

Trott commented Sep 24, 2019

Landed in 0c32ca9

@Trott Trott closed this Sep 24, 2019
Trott pushed a commit that referenced this pull request Sep 24, 2019
Passes the list down to SSL_CTX_set1_sigalgs_list.

Option to get the list of shared signature algorithms
from a TLS socket added as well for testing.

Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>

PR-URL: #29598
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
@Trott
Copy link
Member

Trott commented Sep 24, 2019

Thanks for the contribution! 🎉

BridgeAR pushed a commit that referenced this pull request Sep 24, 2019
Passes the list down to SSL_CTX_set1_sigalgs_list.

Option to get the list of shared signature algorithms
from a TLS socket added as well for testing.

Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>

PR-URL: #29598
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
BridgeAR added a commit that referenced this pull request Sep 24, 2019
Notable changes:

* crypto:
  * Add `oaepLabel` option #29489
* deps:
  * Update V8 to 7.7.299.11 #28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    #29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    #29260
* inspector:
  * New API - `Session.connectToMainThread`
    #28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    #28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    #29639
* tls:
  * Add option to override signature algorithms
    #29598
* util:
  * Add `encodeInto` to `TextEncoder`
    #29524
* worker:
  * The `worker_thread` module is now stable
    #29512
@BridgeAR BridgeAR mentioned this pull request Sep 24, 2019
BridgeAR pushed a commit that referenced this pull request Sep 25, 2019
Passes the list down to SSL_CTX_set1_sigalgs_list.

Option to get the list of shared signature algorithms
from a TLS socket added as well for testing.

Signed-off-by: Anton Gerasimov <agerasimov@twilio.com>

PR-URL: #29598
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
BridgeAR added a commit that referenced this pull request Sep 25, 2019
Notable changes:

* crypto:
  * Add `oaepLabel` option #29489
* deps:
  * Update V8 to 7.7.299.11 #28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    #29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    #29260
* inspector:
  * New API - `Session.connectToMainThread`
    #28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    #28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    #29639
* tls:
  * Add option to override signature algorithms
    #29598
* util:
  * Add `encodeInto` to `TextEncoder`
    #29524
* worker:
  * The `worker_thread` module is now stable
    #29512

PR-URL: #29695
BridgeAR added a commit that referenced this pull request Sep 25, 2019
Notable changes:

* crypto:
  * Add `oaepLabel` option #29489
* deps:
  * Update V8 to 7.7.299.11 #28918
    * More efficient memory handling
    * Stack trace serialization got faster
    * The `Intl.NumberFormat` API gained new functionality
    * For more information: https://v8.dev/blog/v8-release-77
* events:
  * Add support for `EventTarget` in `once`
    #29498
* fs:
  * Expose memory file mapping flag `UV_FS_O_FILEMAP`
    #29260
* inspector:
  * New API - `Session.connectToMainThread`
    #28870
* process:
  * Initial SourceMap support via `env.NODE_V8_COVERAGE`
    #28960
* stream:
  * Make `_write()` optional when `_writev()` is implemented
    #29639
* tls:
  * Add option to override signature algorithms
    #29598
* util:
  * Add `encodeInto` to `TextEncoder`
    #29524
* worker:
  * The `worker_thread` module is now stable
    #29512

PR-URL: #29695
agl pushed a commit to google/boringssl that referenced this pull request Oct 22, 2019
Node.js recently added an option to override signature algorithms in nodejs/node#29598
which make use of several NIDs and SSL_get_shared_sigalgs. This CL adds
NIDs for Ed448 (but does not implement it) and a shim function for
SSL_get_shared_sigalgs that simply returns 0. This enables Electron to
reduce its patch surface.

Change-Id: I833d30b0248ca68ebce4767dd58d5f087fd1e18e
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/38404
Reviewed-by: David Benjamin <davidben@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. semver-minor PRs that contain new features and should be released in the next minor version.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

6 participants