From 147d5ed69532f0b861bfcd73f3e1424b6919318e Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Mon, 3 Jun 2019 00:10:01 +0200 Subject: [PATCH 1/2] src: remove TLS code for unsupported OpenSSLs Versions of OpenSSL lower than 1.1.1 are no longer supported, so remove ifdefs for previous versions. --- src/node_crypto.cc | 6 ------ src/node_crypto.h | 35 +++++++---------------------------- src/node_crypto_bio.cc | 27 --------------------------- 3 files changed, 7 insertions(+), 61 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index a5710dc33b62b9..813e1fc485c86c 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -5564,12 +5564,6 @@ void DiffieHellman::SetPublicKey(const FunctionCallbackInfo& args) { } void DiffieHellman::SetPrivateKey(const FunctionCallbackInfo& args) { -#if OPENSSL_VERSION_NUMBER >= 0x10100000L && \ - OPENSSL_VERSION_NUMBER < 0x10100070L -// Older versions of OpenSSL 1.1.0 have a DH_set0_key which does not work for -// Node. See https://github.com/openssl/openssl/pull/4384. -#error "OpenSSL 1.1.0 revisions before 1.1.0g are not supported" -#endif SetKey(args, [](DH* dh, BIGNUM* num) { return DH_set0_key(dh, nullptr, num); }, "Private key"); diff --git a/src/node_crypto.h b/src/node_crypto.h index 849b80f4e06268..aa29585533c62a 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h 
@@ -108,20 +108,13 @@ class SecureContext : public BaseObject { static const int kTicketKeyNameIndex = 3; static const int kTicketKeyIVIndex = 4; -#if OPENSSL_VERSION_NUMBER >= 0x10100000L unsigned char ticket_key_name_[16]; unsigned char ticket_key_aes_[16]; unsigned char ticket_key_hmac_[16]; -#endif protected: -#if OPENSSL_VERSION_NUMBER < 0x10100000L - static const int64_t kExternalSize = sizeof(SSL_CTX); -#else - // OpenSSL 1.1.0 has opaque structures. This is an estimate based on the size - // as of OpenSSL 1.1.0f. - static const int64_t kExternalSize = 872; -#endif + // OpenSSL structures are opaque. This is sizeof(SSL_CTX) for OpenSSL 1.1.1b: + static const int64_t kExternalSize = 1024; static void New(const v8::FunctionCallbackInfo& args); static void Init(const v8::FunctionCallbackInfo& args); @@ -167,14 +160,12 @@ class SecureContext : public BaseObject { HMAC_CTX* hctx, int enc); -#if OPENSSL_VERSION_NUMBER >= 0x10100000L static int TicketCompatibilityCallback(SSL* ssl, unsigned char* name, unsigned char* iv, EVP_CIPHER_CTX* ectx, HMAC_CTX* hctx, int enc); -#endif SecureContext(Environment* env, v8::Local wrap) : BaseObject(env, wrap) { 
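Review bot: `static const int64_t kExternalSize = 1024;` is pinned to one OpenSSL patch release with nothing in the header saying when it has to be revisited, and the new comment `// OpenSSL structures are opaque. This is sizeof(SSL_CTX) for OpenSSL 1.1.1b:` ends in a colon with nothing following it. If this constant feeds V8's external-memory accounting, as its name suggests, a value left stale after an OpenSSL upgrade would quietly skew GC pressure for every SecureContext, so a note such as `// Re-measure this whenever the bundled OpenSSL is upgraded.` would make the maintenance obligation explicit. The same applies to the SSLWrap estimate `6224 + 1040 + 42 * 1024` in the following hunk of this file, where the retained `// NOTE: Actually it is much more than this` now sits beneath a line-by-line breakdown and could say what that breakdown leaves out. The enclosing SecureContext class starts outside the hunk.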
@@ -229,32 +220,20 @@ class SSLWrap { protected: typedef void (*CertCb)(void* arg); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and - // some for buffers. + // OpenSSL structures are opaque. Estimate SSL memory size for OpenSSL 1.1.1b: + // SSL: 6224 + // SSL->SSL3_STATE: 1040 + // ...some buffers: 42 * 1024 // NOTE: Actually it is much more than this - static const int64_t kExternalSize = - sizeof(SSL) + sizeof(SSL3_STATE) + 42 * 1024; -#else - // OpenSSL 1.1.0 has opaque structures. This is an estimate based on the size - // as of OpenSSL 1.1.0f. - static const int64_t kExternalSize = 4448 + 1024 + 42 * 1024; -#endif + static const int64_t kExternalSize = 6224 + 1040 + 42 * 1024; static void ConfigureSecureContext(SecureContext* sc); static void AddMethods(Environment* env, v8::Local t); -#if OPENSSL_VERSION_NUMBER < 0x10100000L - static SSL_SESSION* GetSessionCallback(SSL* s, - unsigned char* key, - int len, - int* copy); -#else static SSL_SESSION* GetSessionCallback(SSL* s, const unsigned char* key, int len, int* copy); -#endif static int NewSessionCallback(SSL* s, SSL_SESSION* sess); static void KeylogCallback(const SSL* s, const char* line); static void OnClientHello(void* arg, diff --git a/src/node_crypto_bio.cc b/src/node_crypto_bio.cc index 9f06801c3ae20c..fc143043ba56b1 100644 --- a/src/node_crypto_bio.cc +++ b/src/node_crypto_bio.cc @@ -30,16 +30,6 @@ namespace node { namespace crypto { -#if OPENSSL_VERSION_NUMBER < 0x10100000L -#define BIO_set_data(bio, data) bio->ptr = data -#define BIO_get_data(bio) bio->ptr -#define BIO_set_shutdown(bio, shutdown_) bio->shutdown = shutdown_ -#define BIO_get_shutdown(bio) bio->shutdown -#define BIO_set_init(bio, init_) bio->init = init_ -#define BIO_get_init(bio) bio->init -#endif - - BIOPointer NodeBIO::New(Environment* env) { BIOPointer bio(BIO_new(GetMethod())); if (bio && env != nullptr) 
@@ -231,22 +221,6 @@ long NodeBIO::Ctrl(BIO* bio, int cmd, long num, // NOLINT(runtime/int) const BIO_METHOD* NodeBIO::GetMethod() { -#if OPENSSL_VERSION_NUMBER < 0x10100000L - static const BIO_METHOD method = { - BIO_TYPE_MEM, - "node.js SSL buffer", - Write, - Read, - Puts, - Gets, - Ctrl, - New, - Free, - nullptr - }; - - return &method; -#else // This is called from InitCryptoOnce() to avoid race conditions during // initialization. static BIO_METHOD* method = nullptr; @@ -263,7 +237,6 @@ const BIO_METHOD* NodeBIO::GetMethod() { } return method; -#endif } From cd8cf1a3bdd06cbfe9590f29a429293af14e5f1c Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Sun, 2 Jun 2019 20:01:05 +0200 Subject: [PATCH 2/2] test: remove workaround for unsupported OpenSSLs Workaround added in d9b9229d98afb4b is no longer needed, since OpenSSL versions lower than 1.1.1 are unsupported. --- .../test-https-agent-session-eviction.js | 42 ++++--------------- 1 file changed, 7 insertions(+), 35 deletions(-) diff --git a/test/parallel/test-https-agent-session-eviction.js b/test/parallel/test-https-agent-session-eviction.js index 8e13b150bb1362..3f5cd36e8b1799 100644 --- a/test/parallel/test-https-agent-session-eviction.js +++ b/test/parallel/test-https-agent-session-eviction.js @@ -7,10 +7,8 @@ const { readKey } = require('../common/fixtures'); if (!common.hasCrypto) common.skip('missing crypto'); -const assert = require('assert'); const https = require('https'); -const { OPENSSL_VERSION_NUMBER, SSL_OP_NO_TICKET } = - require('crypto').constants; +const { SSL_OP_NO_TICKET } = require('crypto').constants; const options = { key: readKey('agent1-key.pem'), 
@@ -60,38 +58,12 @@ function second(server, session) { res.resume(); }); - if (OPENSSL_VERSION_NUMBER >= 0x10100000) { - // Although we have a TLS 1.2 session to offer to the TLS 1.0 server, - // connection to the TLS 1.0 server should work. - req.on('response', common.mustCall(function(res) { - // The test is now complete for OpenSSL 1.1.0. - server.close(); - })); - } else { - // OpenSSL 1.0.x mistakenly locked versions based on the session it was - // offering. This causes this sequent request to fail. Let it fail, but - // test that this is mitigated on the next try by invalidating the session. - req.on('error', common.mustCall(function(err) { - assert(/wrong version number/.test(err.message)); - - req.on('close', function() { - third(server); - }); - })); - } - req.end(); -} - -// Try one more time - session should be evicted! -function third(server) { - const req = https.request({ - port: server.address().port, - rejectUnauthorized: false - }, function(res) { - res.resume(); - assert(!req.socket.isSessionReused()); + // Although we have a TLS 1.2 session to offer to the TLS 1.0 server, + // connection to the TLS 1.0 server should work. + req.on('response', common.mustCall(function(res) { + // The test is now complete for OpenSSL 1.1.0. server.close(); - }); - req.on('error', common.mustNotCall()); + })); + req.end(); }
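Review bot: The comment kept on the new side, `// The test is now complete for OpenSSL 1.1.0.`, names a version this commit's own message says is no longer supported, so it is stale the moment it lands; `// The test is now complete.` says what is meant. With `third()` deleted, the only assertion about session eviction in this file, `assert(!req.socket.isSessionReused())`, is gone — it previously ran only on the OpenSSL 1.0.x error path, so no coverage is lost for supported versions, but the file name still promises an eviction check that the remaining flow in this hunk (a single `req.on('response', ...)`) does not perform. A one-line comment near the `response` handler noting that eviction-after-failure was a 1.0.x-only behaviour and is no longer exercised would save the next reader from looking for it. The enclosing `second()` starts outside the hunk.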