
[v10.x backport] TLS1.3 (and dependent PRs) #27432

Closed
wants to merge 21 commits into from

Commits on Apr 29, 2019

  1. deps: update OpenSSL upgrade process

    Particularly, ensure that the commit messages are self-explanatory so
    that reviewers can understand that the large commits are the result of a
    simple repeatable process. This should make them easier to review.
    
    See: nodejs#26327 (comment)
    
    PR-URL: nodejs#26378
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Richard Lau <[email protected]>
    sam-github committed Apr 29, 2019 (commit a868ebe)
  2. deps: upgrade openssl sources to 1.1.1b

    This updates all sources in deps/openssl/openssl with openssl-1.1.1b.
    
    PR-URL: nodejs#26327
    Reviewed-By: Gireesh Punathil <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github committed Apr 29, 2019 (commit c80bff3)
  3. deps: openssl-1.1.1b no longer packages .gitignore

    Since it's not packaged, we don't have to delete it, and the Makefile
    and update can become a (tiny) bit simpler.
    
    PR-URL: nodejs#26327
    Reviewed-By: Gireesh Punathil <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github committed Apr 29, 2019 (commit 63aa831)
  4. deps: add ARM64 Windows support in openssl

    This adds ARM64 Windows support in the OpenSSL build system.
    
    Since OpenSSL's ARM64 Windows support does not have support for ASM--
    that is, VC-WIN64-ARM inherits from VC-noCE-common which has no ASM
    files--`openssl_no_asm.gypi` is always used for building. This
    essentially forces the 'no-asm' Configure flag.
    
    PR-URL: nodejs#26001
    Fixes: nodejs#25998
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Sam Roberts <[email protected]>
    Signed-off-by: Beth Griggs <[email protected]>
    shigeki authored and sam-github committed Apr 29, 2019 (commit 1cea121)
  5. deps: add s390 asm rules for OpenSSL-1.1.1

    This is a floating patch against OpenSSL-1.1.1 to generate asm files
    with Makefile rules.
    
    PR-URL: nodejs#25381
    Reviewed-By: Daniel Bevenius <[email protected]>
    Reviewed-By: Shigeki Ohtsu <[email protected]>
    Backport-PR-URL: nodejs#25688
    shigeki authored and sam-github committed Apr 29, 2019 (commit c2310c7)
  6. deps: update archs files for OpenSSL-1.1.1b

    `cd deps/openssl/config; make` updates all archs dependent files.
    
    PR-URL: nodejs#26327
    Reviewed-By: Gireesh Punathil <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github committed Apr 29, 2019 (commit f54db0b)
  7. tls: support changing credentials dynamically

    This commit adds a setSecureContext() method to TLS servers. In
    order to maintain backwards compatibility, the method takes the
    options needed to create a new SecureContext, rather than an
    instance of SecureContext.
    
    Fixes: nodejs#4464
    Refs: nodejs#10349
    Refs: nodejs/help#603
    Refs: nodejs#15115
    PR-URL: nodejs#23644
    Reviewed-By: Ben Noordhuis <[email protected]>
    cjihrig authored and sam-github committed Apr 29, 2019 (commit f47e208)
  8. tls: get the local certificate after tls handshake

    Add an API to get the local certificate chosen during TLS handshake from
    the SSL context.
    
    Fix: nodejs#24095
    
    PR-URL: nodejs#24261
    Fixes: nodejs#24095
    Reviewed-By: Ben Noordhuis <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Daniel Bevenius <[email protected]>
    sam-github committed Apr 29, 2019 (commit 5f5d3c9)
  9. tls: fix initRead socket argument name

    "wrapped" argument is the caller's "socket", not its "wrap", and it's
    referred to as "socket" in the comments, so call it that.
    
    PR-URL: nodejs#25153
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Tobias Nießen <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Anatoli Papirovski <[email protected]>
    sam-github committed Apr 29, 2019 (commit 4a82835)
  10. tls: do not confuse session and session ID

    Session ID was named session in C++ and key in JS. Name them after what
    they are, as the 'newSession' event docs do.
    
    PR-URL: nodejs#25153
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Tobias Nießen <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Anatoli Papirovski <[email protected]>
    sam-github committed Apr 29, 2019 (commit 78b42fc)
  11. src: use consistent names for JSStream

    It's confusing to call a js class with a handle a "Wrap", usually it's
    the C++ handle that is called a Wrap (tcp_wrap, tls_wrap, ...). It's
    derived from Socket, and makes a JS stream look like a Socket, so call
    it that. Also, remove use of lib/_stream_wrap.js so it can be deprecated
    some time.
    
    PR-URL: nodejs#25153
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Tobias Nießen <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Anatoli Papirovski <[email protected]>
    sam-github committed Apr 29, 2019 (commit a6635b2)
  12. tls: remove unused ocsp extension parsing

    The OCSP info from parsing the TLS ClientHello has not been used since
    550c263, remove it.
    
    See: nodejs#1464
    
    PR-URL: nodejs#25153
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Tobias Nießen <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Anatoli Papirovski <[email protected]>
    sam-github committed Apr 29, 2019 (commit ae7c74c)
  13. src: in-source comments and minor TLS cleanups

    Renamed some internal C++ methods and properties for consistency, and
    commented SSL I/O.
    
    - Rename waiting_new_session_ after is_waiting_new_session(), instead of
      using reverse naming (new_session_wait_), and change "waiting" to
      "awaiting".
    - Make TLSWrap::ClearIn() return void, the value is never used.
    - Fix a getTicketKeys() cut-n-paste error. Since it doesn't use the
      arguments, remove them from the js wrapper.
    - Remove call of setTicketKeys(getTicketKeys()), it's a no-op.
    
    PR-URL: nodejs#25713
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github committed Apr 29, 2019 (commit 6b327e5)
  14. tls: introduce client 'session' event

    OpenSSL has supported async notification of sessions and tickets since
    1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using
    the async API is optional for TLS1.2 and below, but for TLS1.3 it will
    be mandatory. Future-proof applications should start to use async
    notification immediately. In the future, for TLS1.3, applications that
    don't use the async API will silently, but gracefully, fail to resume
    sessions and instead do a full handshake.
    
    See: https://wiki.openssl.org/index.php/TLS1.3#Sessions
    
    PR-URL: nodejs#25831
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Fedor Indutny <[email protected]>
    sam-github committed Apr 29, 2019 (commit 2d25b65)
  15. tls: do not free cert in .getCertificate()

    The documentation of `SSL_get_certificate` states that it returns
    an internal pointer that must not be freed by the caller.
    
    Therefore, using a smart pointer to take ownership is incorrect.
    
    Refs: https://man.openbsd.org/SSL_get_certificate.3
    Refs: nodejs#24261
    Fixes: https://github.com/nodejs-private/security/issues/217
    
    PR-URL: nodejs#25490
    Reviewed-By: Daniel Bevenius <[email protected]>
    Reviewed-By: Colin Ihrig <[email protected]>
    Reviewed-By: James M Snell <[email protected]>
    Reviewed-By: Sam Roberts <[email protected]>
    Reviewed-By: Luigi Pinca <[email protected]>
    addaleax authored and sam-github committed Apr 29, 2019 (commit 8c7406f)
  16. src: remove unused TLWrap::EnableTrace()

    Declaration is unused, it was added by mistake in 46c5c33.
    
    PR-URL: nodejs#25861
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    sam-github committed Apr 29, 2019 (commit 38838af)
  17. src: organize TLSWrap declarations by parent

    Make it clear which of the multiple interfaces a TLSWrap method is
    implementing by grouping and commenting the related methods.
    
    PR-URL: nodejs#25861
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    sam-github committed Apr 29, 2019 (commit d3c7020)
  18. tls: don't shadow the tls global with a local

    `tls` shadows the global `tls` require, and isn't indicative of the
    argument type.
    
    PR-URL: nodejs#25861
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    sam-github committed Apr 29, 2019 (commit 1c3c9f3)
  19. src: const_cast is necessary for 1.1.1, not 0.9.7

    The const_cast used to be necessary for SSL_get_app_data() in OpenSSL
    0.9.7, but node doesn't compile against OpenSSL versions that old.
    However, now it's needed for the recently introduced
    SSL_renegotiate_pending(), which is not const-correct as of 1.1.1a.
    
    PR-URL: nodejs#25861
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    sam-github committed Apr 29, 2019 (commit 750b906)
  20. src: refactor SSLError case statement

    - Don't use both break and return simultaneously.
    - Use case:/UNREACHABLE() to enforce that all cases are handled, instead
      of CHECK().
    
    Backport-PR-URL: nodejs#25968
    PR-URL: nodejs#25861
    Reviewed-By: Fedor Indutny <[email protected]>
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Michael Dawson <[email protected]>
    sam-github committed Apr 29, 2019 (commit 5febe41)
  21. tls: support "BEGIN TRUSTED CERTIFICATE" for ca:

    Support the same PEM certificate formats for the ca: option to
    tls.createSecureContext() that are supported by openssl when loading a
    CAfile.
    
    Fixes: nodejs#24761
    
    PR-URL: nodejs#24733
    Reviewed-By: Anna Henningsen <[email protected]>
    Reviewed-By: Ben Noordhuis <[email protected]>
    sam-github committed Apr 29, 2019 (commit 1f65f18)
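Added example illustrating the PEM formats this commit is about; it is not code from this PR or from Node.js. It splits a CA bundle into blocks the way an OpenSSL CAfile loader would, accepting both `BEGIN CERTIFICATE` and `BEGIN TRUSTED CERTIFICATE`, and separates the trust-settings trailer that the TRUSTED form appends after the certificate DER. The sample bundle is constructed (a 5-byte stand-in SEQUENCE, not a real certificate) and the function names are assumptions.

```javascript
// Added example, not code from the Node.js PR: split a PEM CA bundle into
// blocks, accept both "CERTIFICATE" and "TRUSTED CERTIFICATE", and recover the
// certificate from the TRUSTED form, whose body is the certificate DER followed
// by OpenSSL's trust-settings structure. The certificate's extent is found by
// reading the length of the leading DER SEQUENCE.
const PEM_BLOCK = /-----BEGIN ([A-Z ]+)-----\r?\n([A-Za-z0-9+/=\r\n]+?)-----END \1-----/g;
const ACCEPTED = new Set(['CERTIFICATE', 'TRUSTED CERTIFICATE']);

// Constructed sample: a 5-byte stand-in SEQUENCE instead of a real certificate,
// the same bytes plus a 2-byte trailer in TRUSTED form, and a private key that
// a CA bundle must never contain.
const SAMPLE_BUNDLE = [
  '-----BEGIN CERTIFICATE-----', 'MAMCAQU=', '-----END CERTIFICATE-----',
  '-----BEGIN TRUSTED CERTIFICATE-----', 'MAMCAQUwAA==', '-----END TRUSTED CERTIFICATE-----',
  '-----BEGIN RSA PRIVATE KEY-----', 'MAMCAQU=', '-----END RSA PRIVATE KEY-----',
].join('\n') + '\n';

// Byte length of the first DER element (tag + length octets + content).
function derElementLength(buf) {
  if (buf.length < 2 || buf[0] !== 0x30) throw new Error('not a DER SEQUENCE');
  let len = buf[1];
  let hdr = 2;
  if (len & 0x80) {                       // long form: next n bytes hold the length
    const n = len & 0x7f;
    if (n === 0 || n > 4 || buf.length < 2 + n) throw new Error('bad DER length');
    len = 0;
    for (let i = 0; i < n; i++) len = len * 256 + buf[2 + i];
    hdr += n;
  }
  if (hdr + len > buf.length) throw new Error('DER length exceeds buffer');
  return hdr + len;
}

// Returns accepted blocks as {label, der, aux} plus the labels of anything else,
// so a caller can refuse a bundle instead of silently loading fewer roots.
function parseCaBundle(pem) {
  const certs = [];
  const rejected = [];
  for (const [, label, body] of pem.matchAll(PEM_BLOCK)) {
    if (!ACCEPTED.has(label)) { rejected.push(label); continue; }
    const raw = Buffer.from(body.replace(/\s+/g, ''), 'base64');
    const certLen = derElementLength(raw);
    certs.push({ label, der: raw.subarray(0, certLen),
                 aux: label === 'TRUSTED CERTIFICATE' ? raw.subarray(certLen) : null });
  }
  return { certs, rejected };
}
```

Passing `der` through `Buffer.toString('base64')` under a plain `CERTIFICATE` header is enough to feed the same roots to tooling that rejects the TRUSTED form.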