From e8c199def7a0db81a7151711f6683d20670679f4 Mon Sep 17 00:00:00 2001
From: Mateusz Krawczuk
Date: Wed, 17 Jun 2020 17:29:06 +0200
Subject: [PATCH 1/2] crypto: add OP flag constants added in OpenSSL v1.1.1
---
 doc/api/crypto.md | 24 ++++++++++++++++++++++++
 src/node_constants.cc | 20 ++++++++++++++++++++
 2 files changed, 44 insertions(+)
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 5d32ea41e6e208..57ab91d43af14d 100644
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3182,6 +3182,11 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html for detail.
+
+ SSL_OP_ALLOW_NO_DHE_KEX
+ Instructs OpenSSL to allow a non-[EC]DHE-based key exchane mode
+ for TLS v1.3
+
 SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION Allows legacy insecure renegotiation between OpenSSL and unpatched
@@ -3254,10 +3259,18 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 SSL_OP_NO_COMPRESSION Instructs OpenSSL to disable support for SSL/TLS compression.
+
+ SSL_OP_NO_ENCRYPT_THEN_MAC
+ Instructs OpenSSL to disable encrypt-then-MAC.
+
 SSL_OP_NO_QUERY_MTU
+
+ SSL_OP_NO_RENEGOTIATION
+ Instructs OpenSSL to disable renegotiation.
+
 SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION Instructs OpenSSL to always start a new session when performing
@@ -3286,6 +3299,10 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 SSL_OP_NO_TLSv1_2 Instructs OpenSSL to turn off TLS v1.2
+
+
+ SSL_OP_NO_TLSv1_3
+ Instructs OpenSSL to turn off TLS v1.3
 SSL_OP_PKCS1_CHECK_1
@@ -3294,6 +3311,13 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 SSL_OP_PKCS1_CHECK_2
+
+ SSL_OP_PRIORITIZE_CHACHA
+ Instructs OpenSSL server to prioritize ChaCha20Poly1305
+ when client does.
+ This option has no effect if SSL_OP_CIPHER_SERVER_PREFERENCE
+ is not enabled.
+
 SSL_OP_SINGLE_DH_USE Instructs OpenSSL to always create a new key when using
diff --git a/src/node_constants.cc b/src/node_constants.cc
index 5d99fa181a0472..38c8f2738b4bad 100644
--- a/src/node_constants.cc
+++ b/src/node_constants.cc
@@ -806,6 +806,10 @@ void DefineCryptoConstants(Local target) {
 NODE_DEFINE_CONSTANT(target, SSL_OP_ALL);
 #endif
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX
+ NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_NO_DHE_KEX);
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
 NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
 #endif
@@ -870,10 +874,18 @@ void DefineCryptoConstants(Local target) {
 NODE_DEFINE_CONSTANT(target, SSL_OP_NO_COMPRESSION);
 #endif
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
+ NODE_DEFINE_CONSTANT(target, SSL_OP_NO_ENCRYPT_THEN_MAC);
+#endif
+
 #ifdef SSL_OP_NO_QUERY_MTU
 NODE_DEFINE_CONSTANT(target, SSL_OP_NO_QUERY_MTU);
 #endif
+#ifdef SSL_OP_NO_RENEGOTIATION
+ NODE_DEFINE_CONSTANT(target, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
 NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
@@ -902,6 +914,10 @@ void DefineCryptoConstants(Local target) {
 NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_2);
 #endif
+#ifdef SSL_OP_NO_TLSv1_3
+ NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_3);
+#endif
+
 #ifdef SSL_OP_PKCS1_CHECK_1
 NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_1);
 #endif
@@ -910,6 +926,10 @@ void DefineCryptoConstants(Local target) {
 NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_2);
 #endif
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+ NODE_DEFINE_CONSTANT(target, SSL_OP_PRIORITIZE_CHACHA);
+#endif
+
 #ifdef SSL_OP_SINGLE_DH_USE
 NODE_DEFINE_CONSTANT(target, SSL_OP_SINGLE_DH_USE);
 #endif
From d92b03a22a9efe74f002516f59ede5445b02743d Mon Sep 17 00:00:00 2001
From: Mateusz Krawczuk
Date: Thu, 18 Jun 2020 18:01:00 +0200
Subject: [PATCH 2/2] fixup!
---
 doc/api/crypto.md | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
index 57ab91d43af14d..21fde944efac9b 100644
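Review bot: The SSL_OP_ALLOW_NO_DHE_KEX export in the first hunk is described in this commit's crypto.md hunk only as allowing "a non-[EC]DHE-based key exchange mode for TLS v1.3", which leaves out what a caller setting `secureOptions` needs to know: per the OpenSSL SSL_CTX_set_options manual this applies to TLS 1.3 session resumption, and a session resumed that way has no forward secrecy. I would change the table text to `Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode on TLS v1.3 resumption; sessions resumed this way have no forward secrecy.` The same doc section still links the man1.0.2 SSL_CTX_set_options page, which predates every option added here, so the link should move to the 1.1.1 manual. The `#ifdef` guards match the neighbouring entries, so a Node built against an OpenSSL without these macros omits the constants silently; a one-line note in the doc that the new constants exist only when the linked OpenSSL defines them would save users a confusing `undefined`. DefineCryptoConstants begins and ends outside these hunks.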
--- a/doc/api/crypto.md
+++ b/doc/api/crypto.md
@@ -3184,7 +3184,7 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 SSL_OP_ALLOW_NO_DHE_KEX
- Instructs OpenSSL to allow a non-[EC]DHE-based key exchane mode
+ Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode
 for TLS v1.3
@@ -3315,7 +3315,8 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
 SSL_OP_PRIORITIZE_CHACHA
 Instructs OpenSSL server to prioritize ChaCha20Poly1305
 when client does.
- This option has no effect if SSL_OP_CIPHER_SERVER_PREFERENCE
+ This option has no effect if
+ SSL_OP_CIPHER_SERVER_PREFERENCE
 is not enabled.