delta/node-new.git/src/node_crypto_clienthello.cc, branch Ninja.py-StringIO github.com: nodejs/node.git tls: support TLSv1.3 2019-03-20T14:48:25+00:00 Sam Roberts vieuxtech@gmail.com 2018-11-29T01:58:08+00:00 42dbaed4605f44c393a057aad75a31cac1d0e5f5 This introduces TLS1.3 support and makes it the default max protocol, but also supports CLI/NODE_OPTIONS switches to disable it if necessary. TLS1.3 is a major update to the TLS protocol, with many security enhancements. It should be preferred over TLS1.2 whenever possible. TLS1.3 is different enough that even though the OpenSSL APIs are technically API/ABI compatible, that when TLS1.3 is negotiated, the timing of protocol records and of callbacks broke assumptions hard-coded into the 'tls' module. This change introduces no API incompatibilities when TLS1.2 is negotiated. It is the intention that it be backported to current and LTS release lines with the default maximum TLS protocol reset to 'TLSv1.2'. This will allow users of those lines to explicitly enable TLS1.3 if they want. API incompatibilities between TLS1.2 and TLS1.3 are: - Renegotiation is not supported by TLS1.3 protocol, attempts to call `.renegotiate()` will always fail. - Compiling against a system OpenSSL lower than 1.1.1 is no longer supported (OpenSSL-1.1.0 used to be supported with configure flags). - Variations of `conn.write('data'); conn.destroy()` have undefined behaviour according to the streams API. They may or may not send the 'data', and may or may not cause a ERR_STREAM_DESTROYED error to be emitted. This has always been true, but conditions under which the write suceeds is slightly but observably different when TLS1.3 is negotiated vs when TLS1.2 or below is negotiated. - If TLS1.3 is negotiated, and a server calls `conn.end()` in its 'secureConnection' listener without any data being written, the client will not receive session tickets (no 'session' events will be emitted, and `conn.getSession()` will never return a resumable session). - The return value of `conn.getSession()` API may not return a resumable session if called right after the handshake. The effect will be that clients using the legacy `getSession()` API will resume sessions if TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is negotiated. See https://github.com/nodejs/node/pull/25831 for more information. PR-URL: https://github.com/nodejs/node/pull/26209 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Rod Vagg <rod@vagg.org> 
This introduces TLS1.3 support and makes it the default max protocol,
but also supports CLI/NODE_OPTIONS switches to disable it if necessary.

TLS1.3 is a major update to the TLS protocol, with many security
enhancements. It should be preferred over TLS1.2 whenever possible.

TLS1.3 is different enough that even though the OpenSSL APIs are
technically API/ABI compatible, that when TLS1.3 is negotiated, the
timing of protocol records and of callbacks broke assumptions hard-coded
into the 'tls' module.

This change introduces no API incompatibilities when TLS1.2 is
negotiated. It is the intention that it be backported to current and LTS
release lines with the default maximum TLS protocol reset to 'TLSv1.2'.
This will allow users of those lines to explicitly enable TLS1.3 if they
want.

API incompatibilities between TLS1.2 and TLS1.3 are:

- Renegotiation is not supported by TLS1.3 protocol, attempts to call
`.renegotiate()` will always fail.

- Compiling against a system OpenSSL lower than 1.1.1 is no longer
supported (OpenSSL-1.1.0 used to be supported with configure flags).

- Variations of `conn.write('data'); conn.destroy()` have undefined
behaviour according to the streams API. They may or may not send the
'data', and may or may not cause a ERR_STREAM_DESTROYED error to be
emitted. This has always been true, but conditions under which the write
suceeds is slightly but observably different when TLS1.3 is negotiated
vs when TLS1.2 or below is negotiated.

- If TLS1.3 is negotiated, and a server calls `conn.end()` in its
'secureConnection' listener without any data being written, the client
will not receive session tickets (no 'session' events will be emitted,
and `conn.getSession()` will never return a resumable session).

- The return value of `conn.getSession()` API may not return a resumable
session if called right after the handshake. The effect will be that
clients using the legacy `getSession()` API will resume sessions if
TLS1.2 is negotiated, but will do full handshakes if TLS1.3 is
negotiated.  See https://github.com/nodejs/node/pull/25831 for more
information.

PR-URL: https://github.com/nodejs/node/pull/26209
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Rod Vagg <rod@vagg.org>
src: de-lint header usage 2019-03-12T13:57:19+00:00 Refael Ackermann refack@gmail.com 2019-02-25T22:27:19+00:00 f2064dfc1fee2daa0537bc27d79d5aa0f734faaf PR-URL: https://github.com/nodejs/node/pull/26306 Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> 
PR-URL: https://github.com/nodejs/node/pull/26306
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
tls: remove unused ocsp extension parsing 2018-12-28T20:57:24+00:00 Sam Roberts vieuxtech@gmail.com 2018-12-19T21:57:27+00:00 08387b245ecfe5fb736d2d6753b880e644a4f3e2 The OCSP info from parsing the TLS ClientHello has not been used since 550c263, remove it. See: https://github.com/nodejs/node/pull/1464 PR-URL: https://github.com/nodejs/node/pull/25153 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Anatoli Papirovski <apapirovski@mac.com> 
The OCSP info from parsing the TLS ClientHello has not been used since
550c263, remove it.

See: https://github.com/nodejs/node/pull/1464

PR-URL: https://github.com/nodejs/node/pull/25153
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Anatoli Papirovski <apapirovski@mac.com>
crypto: replace gotos 2018-10-01T18:36:22+00:00 Tobias Nießen tniessen@tnie.de 2018-09-27T18:10:15+00:00 640172d24d299aebed2a95bdaa3905a6d8350643 PR-URL: https://github.com/nodejs/node/pull/23132 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Denys Otrishko <shishugi@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: James M Snell <jasnell@gmail.com> 
PR-URL: https://github.com/nodejs/node/pull/23132
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Denys Otrishko <shishugi@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
src: refactor crypto code with RAII cleanup 2018-09-28T04:34:54+00:00 Gireesh Punathil gpunathi@in.ibm.com 2018-09-22T07:43:34+00:00 406e3ad212995614168eb4baa514353edac2dcf8 use more idiomatic expressions with RAII primitives, instead of old style goto PR-URL: https://github.com/nodejs/node/pull/23014 Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de> 
use more idiomatic expressions with RAII primitives,
instead of old style goto

PR-URL: https://github.com/nodejs/node/pull/23014

Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Joyee Cheung <joyeec9h3@gmail.com>
Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
src: do not include x.h if x-inl.h is included 2017-10-30T10:56:38+00:00 Joyee Cheung joyeec9h3@gmail.com 2017-10-27T08:10:02+00:00 cdb263d3baebfe366fb817c6ae14202f8832c04d PR-URL: https://github.com/nodejs/node/pull/16548 Fixes: https://github.com/nodejs/node/issues/16519 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com> Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 
PR-URL: https://github.com/nodejs/node/pull/16548
Fixes: https://github.com/nodejs/node/issues/16519
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Gireesh Punathil <gpunathi@in.ibm.com>
Reviewed-By: Daniel Bevenius <daniel.bevenius@gmail.com>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
src: move crypto_bio/clienthello to crypto ns 2017-06-30T05:23:25+00:00 Daniel Bevenius daniel.bevenius@gmail.com 2017-06-28T07:30:30+00:00 08109a3ca12ddcd86167aa88e697cfed5923326d Currently, node_crypto_bio and node_crypto_clienthello are not in the crypto namespace but simply in the node namespace. Not sure if this was intentional or not, but I think it would make sense to move them to be consistent. PR-URL: https://github.com/nodejs/node/pull/13957 Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: James M Snell <jasnell@gmail.com> 
Currently, node_crypto_bio and node_crypto_clienthello are not in the
crypto namespace but simply in the node namespace. Not sure if this was
intentional or not, but I think it would make sense to move them to be
consistent.

PR-URL: https://github.com/nodejs/node/pull/13957
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
src: remove unnecessary return statement 2017-05-22T05:22:51+00:00 Daniel Bevenius daniel.bevenius@gmail.com 2017-05-18T06:29:43+00:00 762b0358b3f5de55a74fe40403964774f80ad33d I think the code would be a little clearer if the return statement was removed here since End() does not return any value and neither does ParseHeader. PR-URL: https://github.com/nodejs/node/pull/13094 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Refael Ackermann <refack@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> 
I think the code would be a little clearer if the return statement
was removed here since End() does not return any value and neither
does ParseHeader.

PR-URL: https://github.com/nodejs/node/pull/13094
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Sakthipriyan Vairamani <thechargingvolcano@gmail.com
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Refael Ackermann <refack@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com>
src: remove unused node_buffer.h include 2017-05-22T03:45:45+00:00 Daniel Bevenius daniel.bevenius@gmail.com 2017-05-18T06:56:35+00:00 7a15eefbba113cd0df99b420de1718aa7a01afa8 I can't find any usage of Buffer in this file and think the include can be removed. PR-URL: https://github.com/nodejs/node/pull/13095 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> 
I can't find any usage of Buffer in this file and think the include
can be removed.

PR-URL: https://github.com/nodejs/node/pull/13095
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
meta: restore original copyright header 2017-03-10T19:23:48+00:00 James M Snell jasnell@gmail.com 2017-01-03T21:16:48+00:00 98e54b0bd4854bdb3e2949d1b6b20d6777fb7cde A prior io.js era commit inappropriately removed the original copyright statements from the source. This restores those in any files still remaining from that edit. Ref: https://github.com/nodejs/TSC/issues/174 Ref: https://github.com/nodejs/node/pull/10599 PR-URL: https://github.com/nodejs/node/pull/10155 Note: This PR was required, reviewed-by and approved by the Node.js Foundation Legal Committee and the TSC. There is no `Approved-By:` meta data. 
A prior io.js era commit inappropriately removed the
original copyright statements from the source. This
restores those in any files still remaining from that
edit.

Ref: https://github.com/nodejs/TSC/issues/174
Ref: https://github.com/nodejs/node/pull/10599
PR-URL: https://github.com/nodejs/node/pull/10155

Note: This PR was required, reviewed-by and approved
by the Node.js Foundation Legal Committee and the TSC.
There is no `Approved-By:` meta data.