author | Ben Noordhuis <info@bnoordhuis.nl> | 2018-03-17 05:13:47 +0100 |
---|---|---|
committer | Ben Noordhuis <info@bnoordhuis.nl> | 2018-03-27 16:22:37 +0200 |
commit | 5bfbe5ceaecb6412b176db446caf00f77f84bae7 (patch) | |
tree | 4c3a6696de1c1116046144473cac5e1389564790 /src | |
parent | b3f23910a25613eb289fe4b338f83783a9f731b3 (diff) | |
tls: drop NPN (next protocol negotiation) support
NPN has been superseded by ALPN. Chrome and Firefox removed support for
NPN in 2016 and 2017 respectively to no ill effect.
Fixes: https://github.com/nodejs/node/issues/14602
PR-URL: https://github.com/nodejs/node/pull/19403
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Diffstat (limited to 'src')
-rw-r--r-- | src/env.h | 2 | ||||
-rw-r--r-- | src/node.cc | 7 | ||||
-rw-r--r-- | src/node_constants.cc | 5 | ||||
-rw-r--r-- | src/node_crypto.cc | 182 | ||||
-rw-r--r-- | src/node_crypto.h | 18 | ||||
-rw-r--r-- | src/tls_wrap.cc | 2 |
6 files changed, 5 insertions, 211 deletions
@@ -103,8 +103,6 @@ struct PackageConfig { V(contextify_context_private_symbol, "node:contextify:context") \ V(contextify_global_private_symbol, "node:contextify:global") \ V(decorated_private_symbol, "node:decorated") \ - V(npn_buffer_private_symbol, "node:npnBuffer") \ - V(selected_npn_buffer_private_symbol, "node:selectedNpnBuffer") \ V(napi_env, "node:napi:env") \ V(napi_wrapper, "node:napi:wrapper") \ diff --git a/src/node.cc b/src/node.cc index c0ae99f423..b508433115 100644 --- a/src/node.cc +++ b/src/node.cc @@ -2824,13 +2824,6 @@ static Local<Object> GetFeatures(Environment* env) { // TODO(bnoordhuis) ping libuv obj->Set(FIXED_ONE_BYTE_STRING(env->isolate(), "ipv6"), True(env->isolate())); -#ifndef OPENSSL_NO_NEXTPROTONEG - Local<Boolean> tls_npn = True(env->isolate()); -#else - Local<Boolean> tls_npn = False(env->isolate()); -#endif - obj->Set(FIXED_ONE_BYTE_STRING(env->isolate(), "tls_npn"), tls_npn); - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation Local<Boolean> tls_alpn = True(env->isolate()); #else diff --git a/src/node_constants.cc b/src/node_constants.cc index 9ecffead53..2eaf622da7 100644 --- a/src/node_constants.cc +++ b/src/node_constants.cc @@ -971,11 +971,6 @@ void DefineOpenSSLConstants(Local<Object> target) { NODE_DEFINE_CONSTANT(target, DH_NOT_SUITABLE_GENERATOR); #endif -#ifndef OPENSSL_NO_NEXTPROTONEG -#define NPN_ENABLED 1 - NODE_DEFINE_CONSTANT(target, NPN_ENABLED); -#endif - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation #define ALPN_ENABLED 1 NODE_DEFINE_CONSTANT(target, ALPN_ENABLED); diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 7bc8e2b3de..57dbe6861d 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -81,7 +81,6 @@ using v8::DontDelete; using v8::EscapableHandleScope; using v8::Exception; using v8::External; -using v8::False; using v8::FunctionCallbackInfo; using v8::FunctionTemplate; using v8::HandleScope; 
@@ -231,7 +230,7 @@ static X509_STORE* root_cert_store; // Just to generate static methods template void SSLWrap<TLSWrap>::AddMethods(Environment* env, Local<FunctionTemplate> t); -template void SSLWrap<TLSWrap>::InitNPN(SecureContext* sc); +template void SSLWrap<TLSWrap>::ConfigureSecureContext(SecureContext* sc); template void SSLWrap<TLSWrap>::SetSNIContext(SecureContext* sc); template int SSLWrap<TLSWrap>::SetCACerts(SecureContext* sc); #if OPENSSL_VERSION_NUMBER < 0x10100000L @@ -253,21 +252,6 @@ template void SSLWrap<TLSWrap>::OnClientHello( void* arg, const ClientHelloParser::ClientHello& hello); -#ifndef OPENSSL_NO_NEXTPROTONEG -template int SSLWrap<TLSWrap>::AdvertiseNextProtoCallback( - SSL* s, - const unsigned char** data, - unsigned int* len, - void* arg); -template int SSLWrap<TLSWrap>::SelectNextProtoCallback( - SSL* s, - unsigned char** out, - unsigned char* outlen, - const unsigned char* in, - unsigned int inlen, - void* arg); -#endif - #ifdef NODE__HAVE_TLSEXT_STATUS_CB template int SSLWrap<TLSWrap>::TLSExtStatusCallback(SSL* s, void* arg); #endif 
@@ -1593,31 +1577,13 @@ void SSLWrap<Base>::AddMethods(Environment* env, Local<FunctionTemplate> t) { env->SetProtoMethod(t, "setMaxSendFragment", SetMaxSendFragment); #endif // SSL_set_max_send_fragment -#ifndef OPENSSL_NO_NEXTPROTONEG - env->SetProtoMethod(t, "getNegotiatedProtocol", GetNegotiatedProto); -#endif // OPENSSL_NO_NEXTPROTONEG - -#ifndef OPENSSL_NO_NEXTPROTONEG - env->SetProtoMethod(t, "setNPNProtocols", SetNPNProtocols); -#endif - env->SetProtoMethod(t, "getALPNNegotiatedProtocol", GetALPNNegotiatedProto); env->SetProtoMethod(t, "setALPNProtocols", SetALPNProtocols); } template <class Base> -void SSLWrap<Base>::InitNPN(SecureContext* sc) { -#ifndef OPENSSL_NO_NEXTPROTONEG - // Server should advertise NPN protocols - SSL_CTX_set_next_protos_advertised_cb(sc->ctx_, - AdvertiseNextProtoCallback, - nullptr); - // Client should select protocol from list of advertised - // If server supports NPN - SSL_CTX_set_next_proto_select_cb(sc->ctx_, SelectNextProtoCallback, nullptr); -#endif // OPENSSL_NO_NEXTPROTONEG - +void SSLWrap<Base>::ConfigureSecureContext(SecureContext* sc) { #ifdef NODE__HAVE_TLSEXT_STATUS_CB // OCSP stapling SSL_CTX_set_tlsext_status_cb(sc->ctx_, TLSExtStatusCallback); 
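Review bot: The renamed `ConfigureSecureContext` is introduced without a doc comment, and the rename drops the only prose that explained what this hook does to the context. It installs callbacks on the SecureContext's shared `sc->ctx_` (the OCSP `SSL_CTX_set_tlsext_status_cb` call is visible here) and, per the tls_wrap.cc and SetSNIContext hunks, is invoked both from `TLSWrap::InitSSL` and again on an SNI context switch, so it may be applied more than once to the same `SSL_CTX`. A comment above the definition should state that contract, e.g. `// Installs per-context callbacks (e.g. the OCSP stapling status callback) on sc->ctx_.` / `// Called from TLSWrap::InitSSL and again from SetSNIContext, so it must be safe to apply repeatedly to the same SSL_CTX.` The function body continues outside this hunk.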
@@ -2474,148 +2440,6 @@ void SSLWrap<Base>::GetProtocol(const FunctionCallbackInfo<Value>& args) { } -#ifndef OPENSSL_NO_NEXTPROTONEG -template <class Base> -int SSLWrap<Base>::AdvertiseNextProtoCallback(SSL* s, - const unsigned char** data, - unsigned int* len, - void* arg) { - Base* w = static_cast<Base*>(SSL_get_app_data(s)); - Environment* env = w->env(); - HandleScope handle_scope(env->isolate()); - Context::Scope context_scope(env->context()); - - auto npn_buffer = - w->object()->GetPrivate( - env->context(), - env->npn_buffer_private_symbol()).ToLocalChecked(); - - if (npn_buffer->IsUndefined()) { - // No initialization - no NPN protocols - *data = reinterpret_cast<const unsigned char*>(""); - *len = 0; - } else { - CHECK(Buffer::HasInstance(npn_buffer)); - *data = reinterpret_cast<const unsigned char*>(Buffer::Data(npn_buffer)); - *len = Buffer::Length(npn_buffer); - } - - return SSL_TLSEXT_ERR_OK; -} - - -template <class Base> -int SSLWrap<Base>::SelectNextProtoCallback(SSL* s, - unsigned char** out, - unsigned char* outlen, - const unsigned char* in, - unsigned int inlen, - void* arg) { - Base* w = static_cast<Base*>(SSL_get_app_data(s)); - Environment* env = w->env(); - HandleScope handle_scope(env->isolate()); - Context::Scope context_scope(env->context()); - - auto npn_buffer = - w->object()->GetPrivate( - env->context(), - env->npn_buffer_private_symbol()).ToLocalChecked(); - - if (npn_buffer->IsUndefined()) { - // We should at least select one protocol - // If server is using NPN - *out = reinterpret_cast<unsigned char*>(const_cast<char*>("http/1.1")); - *outlen = 8; - - // set status: unsupported - CHECK( - w->object()->SetPrivate( - env->context(), - env->selected_npn_buffer_private_symbol(), - False(env->isolate())).FromJust()); - - return SSL_TLSEXT_ERR_OK; - } - - CHECK(Buffer::HasInstance(npn_buffer)); - const unsigned char* npn_protos = - reinterpret_cast<const unsigned char*>(Buffer::Data(npn_buffer)); - size_t len = 
Buffer::Length(npn_buffer); - - int status = SSL_select_next_proto(out, outlen, in, inlen, npn_protos, len); - Local<Value> result; - switch (status) { - case OPENSSL_NPN_UNSUPPORTED: - result = Null(env->isolate()); - break; - case OPENSSL_NPN_NEGOTIATED: - result = OneByteString(env->isolate(), *out, *outlen); - break; - case OPENSSL_NPN_NO_OVERLAP: - result = False(env->isolate()); - break; - default: - break; - } - - CHECK( - w->object()->SetPrivate( - env->context(), - env->selected_npn_buffer_private_symbol(), - result).FromJust()); - - return SSL_TLSEXT_ERR_OK; -} - - -template <class Base> -void SSLWrap<Base>::GetNegotiatedProto( - const FunctionCallbackInfo<Value>& args) { - Base* w; - ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder()); - Environment* env = w->env(); - - if (w->is_client()) { - auto selected_npn_buffer = - w->object()->GetPrivate( - env->context(), - env->selected_npn_buffer_private_symbol()).ToLocalChecked(); - args.GetReturnValue().Set(selected_npn_buffer); - return; - } - - const unsigned char* npn_proto; - unsigned int npn_proto_len; - - SSL_get0_next_proto_negotiated(w->ssl_, &npn_proto, &npn_proto_len); - - if (!npn_proto) - return args.GetReturnValue().Set(false); - - args.GetReturnValue().Set( - OneByteString(args.GetIsolate(), npn_proto, npn_proto_len)); -} - - -template <class Base> -void SSLWrap<Base>::SetNPNProtocols(const FunctionCallbackInfo<Value>& args) { - Base* w; - ASSIGN_OR_RETURN_UNWRAP(&w, args.Holder()); - Environment* env = w->env(); - - if (args.Length() < 1) - return env->ThrowTypeError("NPN protocols argument is mandatory"); - - THROW_AND_RETURN_IF_NOT_BUFFER(args[0], "NPN protocols"); - - CHECK( - w->object()->SetPrivate( - env->context(), - env->npn_buffer_private_symbol(), - args[0]).FromJust()); -} -#endif // OPENSSL_NO_NEXTPROTONEG - #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation template <class Base> int SSLWrap<Base>::SelectALPNCallback(SSL* s, 
@@ -2883,7 +2707,7 @@ void SSLWrap<Base>::DestroySSL() { template <class Base> void SSLWrap<Base>::SetSNIContext(SecureContext* sc) { - InitNPN(sc); + ConfigureSecureContext(sc); CHECK_EQ(SSL_set_SSL_CTX(ssl_, sc->ctx_), sc->ctx_); SetCACerts(sc); diff --git a/src/node_crypto.h b/src/node_crypto.h index 1b2170ef85..c8cf558d60 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -249,7 +249,7 @@ class SSLWrap { static const int64_t kExternalSize = 4448 + 1024 + 42 * 1024; #endif - static void InitNPN(SecureContext* sc); + static void ConfigureSecureContext(SecureContext* sc); static void AddMethods(Environment* env, v8::Local<v8::FunctionTemplate> t); #if OPENSSL_VERSION_NUMBER < 0x10100000L @@ -295,22 +295,6 @@ class SSLWrap { const v8::FunctionCallbackInfo<v8::Value>& args); #endif // SSL_set_max_send_fragment -#ifndef OPENSSL_NO_NEXTPROTONEG - static void GetNegotiatedProto( - const v8::FunctionCallbackInfo<v8::Value>& args); - static void SetNPNProtocols(const v8::FunctionCallbackInfo<v8::Value>& args); - static int AdvertiseNextProtoCallback(SSL* s, - const unsigned char** data, - unsigned int* len, - void* arg); - static int SelectNextProtoCallback(SSL* s, - unsigned char** out, - unsigned char* outlen, - const unsigned char* in, - unsigned int inlen, - void* arg); -#endif // OPENSSL_NO_NEXTPROTONEG - static void GetALPNNegotiatedProto( const v8::FunctionCallbackInfo<v8::Value>& args); static void SetALPNProtocols(const v8::FunctionCallbackInfo<v8::Value>& args); diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc index cddef66c44..05154d6ff5 100644 --- a/src/tls_wrap.cc +++ b/src/tls_wrap.cc @@ -135,7 +135,7 @@ void TLSWrap::InitSSL() { } #endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - InitNPN(sc_); + ConfigureSecureContext(sc_); SSL_set_cert_cb(ssl_, SSLWrap<TLSWrap>::SSLCertCallback, this); |