delta/node-new.git/src/node_crypto.cc, branch pull-request-doc-updates github.com: nodejs/node.git src: fix data type in node_crypto.cc 2019-02-06T04:26:50+00:00 gengjiawen technicalcute@gmail.com 2019-02-02T09:07:36+00:00 d3ea63921f834d46b13e72a344d8c24833dc75d5 Signed-off-by: gengjiawen <technicalcute@gmail.com> PR-URL: https://github.com/nodejs/node/pull/25889 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
Signed-off-by: gengjiawen <technicalcute@gmail.com>

PR-URL: https://github.com/nodejs/node/pull/25889
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
tls: in-line comments and other cleanups 2019-02-05T23:17:53+00:00 Sam Roberts vieuxtech@gmail.com 2019-01-31T22:41:10+00:00 62b4796e369895e614e22bb176702f2499317f4a PR-URL: https://github.com/nodejs/node/pull/25861 Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> 
PR-URL: https://github.com/nodejs/node/pull/25861
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
crypto: don't crash X509ToObject on error 2019-02-05T06:28:09+00:00 David Benjamin davidben@google.com 2019-01-29T05:51:09+00:00 50f9062396f2b30e33f75aeafa72ef2740ad6f16 Use MaybeLocal::ToLocal and don't crash X509ToObject on error. PR-URL: https://github.com/nodejs/node/pull/25717 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> 
Use MaybeLocal::ToLocal and don't crash X509ToObject on error.

PR-URL: https://github.com/nodejs/node/pull/25717
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
crypto: fix malloc mixing in X509ToObject 2019-02-05T06:17:37+00:00 David Benjamin davidben@google.com 2019-01-25T23:27:00+00:00 ebda39a2a9e2b3136154e00a7a40e48b1d130850 EC_KEY_key2buf returns an OPENSSL_malloc'd pointer so it shouldn't be passed into Buffer::New, which expect a libc malloc'd pointer. Instead, factor out the ECDH::GetPublicKey code which uses EC_POINT_point2oct. This preserves the existing behavior where encoding failures are silently ignored, but it is probably safe to CHECK fail them instead. PR-URL: https://github.com/nodejs/node/pull/25717 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> 
EC_KEY_key2buf returns an OPENSSL_malloc'd pointer so it shouldn't be
passed into Buffer::New, which expect a libc malloc'd pointer. Instead,
factor out the ECDH::GetPublicKey code which uses EC_POINT_point2oct.

This preserves the existing behavior where encoding failures are
silently ignored, but it is probably safe to CHECK fail them instead.

PR-URL: https://github.com/nodejs/node/pull/25717
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
tls: introduce client 'session' event 2019-02-02T03:06:58+00:00 Sam Roberts vieuxtech@gmail.com 2019-01-30T20:18:04+00:00 0f8e8f7c6b9e7a8bdae53c831f37b2034d1c9fa7 OpenSSL has supported async notification of sessions and tickets since 1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using the async API is optional for TLS1.2 and below, but for TLS1.3 it will be mandatory. Future-proof applications should start to use async notification immediately. In the future, for TLS1.3, applications that don't use the async API will silently, but gracefully, fail to resume sessions and instead do a full handshake. See: https://wiki.openssl.org/index.php/TLS1.3#Sessions PR-URL: https://github.com/nodejs/node/pull/25831 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com> 
OpenSSL has supported async notification of sessions and tickets since
1.1.0 using SSL_CTX_sess_set_new_cb(), for all versions of TLS. Using
the async API is optional for TLS1.2 and below, but for TLS1.3 it will
be mandatory. Future-proof applications should start to use async
notification immediately. In the future, for TLS1.3, applications that
don't use the async API will silently, but gracefully, fail to resume
sessions and instead do a full handshake.

See: https://wiki.openssl.org/index.php/TLS1.3#Sessions

PR-URL: https://github.com/nodejs/node/pull/25831
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
crypto: fix public key encoding name in comment 2019-02-01T09:45:20+00:00 David Benjamin davidben@google.com 2019-01-27T16:24:40+00:00 80873ec3c2e18c151ddf1c0d79461c48d367206f PKCS#8 describes an encoding for private keys, not public keys. Using the name as a format usually refers to the PrivateKeyInfo structure it defines. (Or sometimes the EncryptedPrivateKeyInfo variant or the little-used OneAsymmetricKey extension defined in RFC 5958.) None of these structures can hold public keys to begin with. d2i_PUBKEY actually parses the public key analogous format defined in X.509, SubjectPublicKeyInfo. This function already uses "X.509" to refer to an entire certificate, so say SubjectPublicKeyInfo in the comment. (The abbreviation SPKI sometimes refers to SubjectPublicKeyInfo, e.g. in RFC 7469, but it can also an alternate S-expression-based PKI to X.509, Simple Public Key Infrastructure. To avoid confusion, stick with the expanded name.) PR-URL: https://github.com/nodejs/node/pull/25736 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
PKCS#8 describes an encoding for private keys, not public keys. Using
the name as a format usually refers to the PrivateKeyInfo structure it
defines. (Or sometimes the EncryptedPrivateKeyInfo variant or the
little-used OneAsymmetricKey extension defined in RFC 5958.) None of
these structures can hold public keys to begin with.

d2i_PUBKEY actually parses the public key analogous format defined in
X.509, SubjectPublicKeyInfo. This function already uses "X.509" to refer
to an entire certificate, so say SubjectPublicKeyInfo in the comment.

(The abbreviation SPKI sometimes refers to SubjectPublicKeyInfo, e.g. in
RFC 7469, but it can also an alternate S-expression-based PKI to X.509,
Simple Public Key Infrastructure. To avoid confusion, stick with the
expanded name.)

PR-URL: https://github.com/nodejs/node/pull/25736
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
src: pass along errors from KeyObject instantiation 2019-01-29T19:02:03+00:00 Anna Henningsen anna@addaleax.net 2019-01-27T13:22:34+00:00 620209628af6c8489300abe5c5b7bee69509ab35 PR-URL: https://github.com/nodejs/node/pull/25734 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Gus Caplan <me@gus.host> 
PR-URL: https://github.com/nodejs/node/pull/25734
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Gus Caplan <me@gus.host>
tls: fix malloc mismatch in SSL_set_tlsext_status_ocsp_resp call 2019-01-29T16:10:34+00:00 David Benjamin davidben@google.com 2019-01-25T04:34:38+00:00 b5304662ed23e81948f33d110bb15fc4f3a72cb1 SSL_set_tlsext_status_ocsp_resp expects the data to be allocated with OPENSSL_malloc, not libc malloc, so use OpenSSLMalloc. Additionally, though OpenSSL doesn't type-check due to it being a macro, the function is documented to take an unsigned char pointer: https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_tlsext_status_ocsp_resp.html (By default, OPENSSL_malloc is the same as libc malloc, but it is possible to customize this.) PR-URL: https://github.com/nodejs/node/pull/25706 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> 
SSL_set_tlsext_status_ocsp_resp expects the data to be allocated with
OPENSSL_malloc, not libc malloc, so use OpenSSLMalloc.

Additionally, though OpenSSL doesn't type-check due to it being a macro,
the function is documented to take an unsigned char pointer:
https://www.openssl.org/docs/man1.1.0/ssl/SSL_set_tlsext_status_ocsp_resp.html

(By default, OPENSSL_malloc is the same as libc malloc, but it is
possible to customize this.)

PR-URL: https://github.com/nodejs/node/pull/25706
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Ali Ijaz Sheikh <ofrobots@google.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
src: in-source comments and minor TLS cleanups 2019-01-28T23:27:42+00:00 Sam Roberts vieuxtech@gmail.com 2019-01-16T19:12:30+00:00 46c5c3388d24615d8bcd887bb366d4171e99fdee Renamed some internal C++ methods and properties for consistency, and commented SSL I/O. - Rename waiting_new_session_ after is_waiting_new_session(), instead of using reverse naming (new_session_wait_), and change "waiting" to "awaiting". - Make TLSWrap::ClearIn() return void, the value is never used. - Fix a getTicketKeys() cut-n-paste error. Since it doesn't use the arguments, remove them from the js wrapper. - Remove call of setTicketKeys(getTicketKeys()), its a no-op. PR-URL: https://github.com/nodejs/node/pull/25713 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> 
Renamed some internal C++ methods and properties for consistency, and
commented SSL I/O.

- Rename waiting_new_session_ after is_waiting_new_session(), instead of
  using reverse naming (new_session_wait_), and change "waiting" to
  "awaiting".
- Make TLSWrap::ClearIn() return void, the value is never used.
- Fix a getTicketKeys() cut-n-paste error. Since it doesn't use the
  arguments, remove them from the js wrapper.
- Remove call of setTicketKeys(getTicketKeys()), its a no-op.

PR-URL: https://github.com/nodejs/node/pull/25713
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
tls: make ossl 1.1.1 cipher list throw error 2019-01-22T21:34:01+00:00 Sam Roberts vieuxtech@gmail.com 2018-11-26T20:25:59+00:00 3f419e897ba3b1a412dd300649282ee14d5df361 Make OpenSSL 1.1.1 error during cipher list setting if it would have errored with OpenSSL 1.1.0. Can be dropped after our OpenSSL fixes this upstream. See: https://github.com/openssl/openssl/pull/7759 PR-URL: https://github.com/nodejs/node/pull/25381 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org> 
Make OpenSSL 1.1.1 error during cipher list setting if it would have
errored with OpenSSL 1.1.0.

Can be dropped after our OpenSSL fixes this upstream.

See: https://github.com/openssl/openssl/pull/7759

PR-URL: https://github.com/nodejs/node/pull/25381
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>