Skip to content
/ node Public
forked from nodejs/node
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

meta: move one or more collaborators to emeritus #1

Open
wants to merge 5 commits into
base: malterlib
Choose a base branch
from
+191 −166
Open

meta: move one or more collaborators to emeritus #1

Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
87a91d7
Add "from_certificate" setting for ecdhCurve option
erikolofsson Aug 3, 2018
76133ee
Fix BoringSSL compile errors
erikolofsson Feb 7, 2020
c69a0f0
Remove DST Root CA X3 from root certificates
erikolofsson Sep 30, 2021
822f439
Fix clang miscompile
erikolofsson Oct 20, 2021
9e61be6
meta: move one or more collaborators to emeritus
github-actions[bot] Nov 15, 2021
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Next Next commit
Add "from_certificate" setting for ecdhCurve option
@erikolofsson
erikolofsson committed Oct 20, 2021

Verified

This commit was created on GitHub.com and signed with GitHub’s verified signature. The key has expired.
GPG key ID: 4AEE18F83AFDEB23
Expired
Verified
Learn about vigilant mode
commit 87a91d708934b1ae152314c2035192d0d27c5321
118 changes: 118 additions & 0 deletions src/node_crypto.cc
View file
Original file line number Diff line number Diff line change
@@ -1200,6 +1200,121 @@ void SecureContext::SetCiphers(const FunctionCallbackInfo<Value>& args) {
}
}

static void set_settings_from_certificate(Environment* env, SSL_CTX* const context) {
int curveName = 0;

auto privateKey = SSL_CTX_get0_privatekey(context);
if (privateKey) {
if (auto keyRSA = EVP_PKEY_get1_RSA(privateKey)) {
auto RSASize = RSA_size(keyRSA) * 8;
RSA_free(keyRSA);
// Match curve security to security of RSA key
if (RSASize >= 12288)
curveName = NID_secp521r1;
else if (RSASize >= 4096)
curveName = NID_secp384r1;
else
curveName = NID_X9_62_prime256v1;
} else if (auto keyEC = EVP_PKEY_get1_EC_KEY(privateKey)) {
curveName = EC_GROUP_get_curve_name(EC_KEY_get0_group(keyEC));
if (!curveName)
curveName = NID_secp521r1;
EC_KEY_free(keyEC);
}
}

if (curveName) {
EC_KEY *curveKey = EC_KEY_new_by_curve_name(curveName);
if (curveKey) {
SSL_CTX_set_options(context, SSL_OP_SINGLE_ECDH_USE);
if (SSL_CTX_set_tmp_ecdh(context, curveKey) != 1)
SSL_CTX_set_ecdh_auto(context, 1);
EC_KEY_free(curveKey);
} else
SSL_CTX_set_ecdh_auto(context, 1);
}

static const int supportedCurves[] = {
NID_secp521r1
, NID_secp384r1
#ifdef OPENSSL_IS_BORINGSSL
, NID_X25519
#endif
, NID_X9_62_prime256v1
};

if (!SSL_CTX_set1_curves(context, supportedCurves, sizeof(supportedCurves)
/ sizeof(supportedCurves[0]))) {
return env->ThrowError("Failed to set supported curves on ssl context");
}

#ifdef OPENSSL_IS_BORINGSSL
static const uint16_t s_DefaultAlgos[] = {
SSL_SIGN_ECDSA_SECP521R1_SHA512
, SSL_SIGN_RSA_PSS_SHA512
, SSL_SIGN_RSA_PKCS1_SHA512
, SSL_SIGN_ECDSA_SECP384R1_SHA384
, SSL_SIGN_RSA_PSS_SHA384
, SSL_SIGN_RSA_PKCS1_SHA384
, SSL_SIGN_ECDSA_SECP256R1_SHA256
, SSL_SIGN_RSA_PSS_SHA256
, SSL_SIGN_RSA_PKCS1_SHA256
};

size_t num_algos = sizeof(s_DefaultAlgos) / sizeof(s_DefaultAlgos[0]);
const uint16_t *algos = s_DefaultAlgos;

switch (curveName)
{
case NID_secp521r1: break;
case NID_secp384r1:
{
static const uint16_t s_CustomAlgos[] =
{
SSL_SIGN_ECDSA_SECP384R1_SHA384
, SSL_SIGN_RSA_PSS_SHA384
, SSL_SIGN_RSA_PKCS1_SHA384
, SSL_SIGN_ECDSA_SECP521R1_SHA512
, SSL_SIGN_RSA_PSS_SHA512
, SSL_SIGN_RSA_PKCS1_SHA512
, SSL_SIGN_ECDSA_SECP256R1_SHA256
, SSL_SIGN_RSA_PSS_SHA256
, SSL_SIGN_RSA_PKCS1_SHA256
};
num_algos = sizeof(s_CustomAlgos) / sizeof(s_CustomAlgos[0]);
algos = s_CustomAlgos;
}
break;
case NID_X9_62_prime256v1:
case NID_X25519:
{
static const uint16_t s_CustomAlgos[] =
{
SSL_SIGN_ECDSA_SECP256R1_SHA256
, SSL_SIGN_RSA_PSS_SHA256
, SSL_SIGN_RSA_PKCS1_SHA256
, SSL_SIGN_ECDSA_SECP384R1_SHA384
, SSL_SIGN_RSA_PSS_SHA384
, SSL_SIGN_RSA_PKCS1_SHA384
, SSL_SIGN_ECDSA_SECP521R1_SHA512
, SSL_SIGN_RSA_PSS_SHA512
, SSL_SIGN_RSA_PKCS1_SHA512
};
num_algos = sizeof(s_CustomAlgos) / sizeof(s_CustomAlgos[0]);
algos = s_CustomAlgos;
}
break;
}

if (!SSL_CTX_set_signing_algorithm_prefs(context, algos, num_algos)) {
return env->ThrowError("Failed to set preferred signing algorithms on ssl context");
}

if (!SSL_CTX_set_verify_algorithm_prefs(context, algos, num_algos)) {
return env->ThrowError("Failed to set preferred verify algorithms on ssl context");
}
#endif
}

void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {
SecureContext* sc;
@@ -1213,6 +1328,9 @@ void SecureContext::SetECDHCurve(const FunctionCallbackInfo<Value>& args) {

node::Utf8Value curve(env->isolate(), args[0]);

if (strcmp(*curve, "from_certificate") == 0)
return set_settings_from_certificate(env, sc->ctx_);

if (strcmp(*curve, "auto") == 0)
return;