Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto: disable ssl compression at build time #6582

Merged
merged 5 commits into from
May 5, 2016

Conversation

bnoordhuis
Copy link
Member

@bnoordhuis bnoordhuis commented May 4, 2016

SSL compression was first disabled at runtime in March 2011 in commit
e83c695 ("Disable compression with OpenSSL.") for performance reasons
and was later shown to be vulnerable to information leakage (CRIME.)
Let's stop compiling it in altogether.

This commit removes a broken CHECK from src/node_crypto.cc; broken
because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0.  As a
result, node.js would abort when linked to an OPENSSL_NO_COMP build
of openssl.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
SSL_CIPHER and SSL_METHOD are always const with the version of openssl
that we support, no need to check OPENSSL_VERSION_NUMBER first.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
PURIFY makes OpenSSL zero out some buffers.  It also stops RAND_bytes()
from using the existing contents of the destination buffer as a source
of entropy, which according to some papers, is a possible attack vector
for reducing the overall entropy.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency. labels May 4, 2016
@indutny
Copy link
Member

indutny commented May 4, 2016

A bit diverse PR, but LGTM

@jasnell
Copy link
Member

jasnell commented May 4, 2016

Yeah, there's a few different things going on in here but nothing that stands out as a concern. LGTM if CI is green. Disabling ssl compression is +++

@addaleax
Copy link
Member

addaleax commented May 5, 2016

LGTM

@bnoordhuis bnoordhuis closed this May 5, 2016
@bnoordhuis bnoordhuis deleted the crypto-fixes branch May 5, 2016 11:05
@bnoordhuis bnoordhuis merged commit a4f94b4 into nodejs:master May 5, 2016
@Fishrock123
Copy link
Contributor

Fishrock123 commented May 5, 2016

@bnoordhuis this isn't stuff that needs to land in v6.1.0, is it?

@bnoordhuis
Copy link
Member Author

bnoordhuis commented May 6, 2016

@Fishrock123 b261178...f6940df could be back-ported, they're arguably bug fixes. Maybe I should've filed a separate PR for those but in my head they were all connected.

@Fishrock123
Copy link
Contributor

I'll just pull them into next weeks release, it's fine.

evanlucas pushed a commit that referenced this pull request May 17, 2016
SSL compression was first disabled at runtime in March 2011 in commit
e83c695 ("Disable compression with OpenSSL.") for performance reasons
and was later shown to be vulnerable to information leakage (CRIME.)
Let's stop compiling it in altogether.

This commit removes a broken CHECK from src/node_crypto.cc; broken
because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0.  As a
result, node.js would abort when linked to an OPENSSL_NO_COMP build
of openssl.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
evanlucas pushed a commit that referenced this pull request May 17, 2016
SSL_CIPHER and SSL_METHOD are always const with the version of openssl
that we support, no need to check OPENSSL_VERSION_NUMBER first.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
evanlucas pushed a commit that referenced this pull request May 17, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
evanlucas pushed a commit that referenced this pull request May 17, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
evanlucas pushed a commit that referenced this pull request May 17, 2016
PURIFY makes OpenSSL zero out some buffers.  It also stops RAND_bytes()
from using the existing contents of the destination buffer as a source
of entropy, which according to some papers, is a possible attack vector
for reducing the overall entropy.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@ahshah
Copy link

ahshah commented May 18, 2016

I'm curious to know why the PURIFY flag is set for nodejs openssl?

@indutny
Copy link
Member

indutny commented May 18, 2016

@ahshah have you seen the comment here ?

@ahshah
Copy link

ahshah commented May 18, 2016

I did- but after your note, I'm unsure what the comment is trying to say.
Is it claiming that an attack vector is created when entropy is reduced (by not using the destination buffer as a source for entropy)?
Or is it claiming that an attack vector is created by using the destination buffer as a source of entropy (because an attack could manipulate the source of entropy)

@indutny
Copy link
Member

indutny commented May 18, 2016

@ahshah latter 😉

@MylesBorins
Copy link
Contributor

@bnoordhuis LTS?

@bnoordhuis
Copy link
Member Author

@thealphanerd This PR could be back-ported in its entirety although technically, dropping SSL compression from the build is a change that could stop some native add-ons from loading.

I've never seen such add-ons though, and if they do exist, they're insecure. You could argue it's better if they stop working altogether.

Commits b261178...f6940df are safe, at any rate.

@MylesBorins
Copy link
Contributor

@bnoordhuis b261178...f6940df is not landing vleanly on v4.x would you be willing to do a manual backport?

@bnoordhuis
Copy link
Member Author

#7660

bnoordhuis added a commit to bnoordhuis/io.js that referenced this pull request Jul 11, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
bnoordhuis added a commit to bnoordhuis/io.js that referenced this pull request Jul 11, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: nodejs#6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 12, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
@MylesBorins MylesBorins mentioned this pull request Jul 12, 2016
MylesBorins pushed a commit that referenced this pull request Jul 14, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 14, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 14, 2016
strcasecmp() is not used in src/node_http_parser.cc so there is no need
to include its header file.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins pushed a commit that referenced this pull request Jul 14, 2016
strcasecmp() is affected by the current locale as configured through
e.g. the LC_ALL environment variable and the setlocale() libc function.

It can result in unpredictable results across systems so replace it with
a function that isn't susceptible to that.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
c++ Issues and PRs that require attention from people who are familiar with C++. openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

8 participants