-
Notifications
You must be signed in to change notification settings - Fork 29.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
crypto: disable ssl compression at build time #6582
Conversation
SSL compression was first disabled at runtime in March 2011 in commit e83c695 ("Disable compression with OpenSSL.") for performance reasons and was later shown to be vulnerable to information leakage (CRIME.) Let's stop compiling it in altogether. This commit removes a broken CHECK from src/node_crypto.cc; broken because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0. As a result, node.js would abort when linked to an OPENSSL_NO_COMP build of openssl. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
SSL_CIPHER and SSL_METHOD are always const with the version of openssl that we support, no need to check OPENSSL_VERSION_NUMBER first. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
PURIFY makes OpenSSL zero out some buffers. It also stops RAND_bytes() from using the existing contents of the destination buffer as a source of entropy, which according to some papers, is a possible attack vector for reducing the overall entropy. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
A bit diverse PR, but LGTM |
Yeah, there's a few different things going on in here but nothing that stands out as a concern. LGTM if CI is green. Disabling ssl compression is +++ |
LGTM |
@bnoordhuis this isn't stuff that needs to land in v6.1.0, is it? |
@Fishrock123 b261178...f6940df could be back-ported, they're arguably bug fixes. Maybe I should've filed a separate PR for those but in my head they were all connected. |
I'll just pull them into next weeks release, it's fine. |
SSL compression was first disabled at runtime in March 2011 in commit e83c695 ("Disable compression with OpenSSL.") for performance reasons and was later shown to be vulnerable to information leakage (CRIME.) Let's stop compiling it in altogether. This commit removes a broken CHECK from src/node_crypto.cc; broken because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0. As a result, node.js would abort when linked to an OPENSSL_NO_COMP build of openssl. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
SSL_CIPHER and SSL_METHOD are always const with the version of openssl that we support, no need to check OPENSSL_VERSION_NUMBER first. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
PURIFY makes OpenSSL zero out some buffers. It also stops RAND_bytes() from using the existing contents of the destination buffer as a source of entropy, which according to some papers, is a possible attack vector for reducing the overall entropy. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
I'm curious to know why the PURIFY flag is set for nodejs openssl? |
I did- but after your note, I'm unsure what the comment is trying to say. |
@ahshah latter 😉 |
@bnoordhuis LTS? |
@thealphanerd This PR could be back-ported in its entirety although technically, dropping SSL compression from the build is a change that could stop some native add-ons from loading. I've never seen such add-ons though, and if they do exist, they're insecure. You could argue it's better if they stop working altogether. Commits b261178...f6940df are safe, at any rate. |
@bnoordhuis b261178...f6940df is not landing vleanly on v4.x would you be willing to do a manual backport? |
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: nodejs#6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need to include its header file. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through e.g. the LC_ALL environment variable and the setlocale() libc function. It can result in unpredictable results across systems so replace it with a function that isn't susceptible to that. PR-URL: #6582 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
R=@nodejs/crypto
CI: https://ci.nodejs.org/job/node-test-pull-request/2508/