2014-11-22 16:59:48 +01:00
|
|
|
'use strict';
|
|
|
|
|
2016-06-08 17:18:26 +02:00
|
|
|
const internalUtil = require('internal/util');
|
|
|
|
internalUtil.assertCrypto(exports);
|
2016-03-09 00:31:31 +01:00
|
|
|
|
2015-01-21 17:36:59 +01:00
|
|
|
const net = require('net');
|
|
|
|
const url = require('url');
|
2015-04-07 10:37:13 +02:00
|
|
|
const binding = process.binding('crypto');
|
2015-05-29 19:35:43 +02:00
|
|
|
const Buffer = require('buffer').Buffer;
|
2013-05-22 20:32:54 +02:00
|
|
|
|
2012-02-15 19:26:43 +01:00
|
|
|
// Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
|
|
|
|
// every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
|
|
|
|
// renegotations are seen. The settings are applied to all remote client
|
|
|
|
// connections.
|
2012-02-19 00:01:35 +01:00
|
|
|
exports.CLIENT_RENEG_LIMIT = 3;
|
2012-02-15 19:26:43 +01:00
|
|
|
exports.CLIENT_RENEG_WINDOW = 600;
|
|
|
|
|
2013-01-22 14:27:05 +01:00
|
|
|
exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
|
|
|
|
|
2016-05-02 19:27:12 +02:00
|
|
|
exports.DEFAULT_CIPHERS =
|
|
|
|
process.binding('constants').crypto.defaultCipherList;
|
2014-03-07 00:27:01 +01:00
|
|
|
|
|
|
|
exports.DEFAULT_ECDH_CURVE = 'prime256v1';
|
|
|
|
|
2016-06-08 17:18:26 +02:00
|
|
|
exports.getCiphers = internalUtil.cachedResult(() => {
|
|
|
|
return internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true);
|
|
|
|
});
|
2013-03-19 00:16:55 +01:00
|
|
|
|
2011-04-14 05:53:39 +02:00
|
|
|
// Convert protocols array into valid OpenSSL protocols list
|
|
|
|
// ("\x06spdy/2\x08http/1.1\x08http/1.0")
|
2015-04-23 08:25:15 +02:00
|
|
|
function convertProtocols(protocols) {
|
2016-09-13 12:38:29 +02:00
|
|
|
const lens = new Array(protocols.length);
|
2016-06-09 00:47:18 +02:00
|
|
|
const buff = Buffer.allocUnsafe(protocols.reduce((p, c, i) => {
|
|
|
|
var len = Buffer.byteLength(c);
|
|
|
|
lens[i] = len;
|
|
|
|
return p + 1 + len;
|
2015-04-23 08:25:15 +02:00
|
|
|
}, 0));
|
2011-04-14 05:53:39 +02:00
|
|
|
|
2016-06-09 00:47:18 +02:00
|
|
|
var offset = 0;
|
|
|
|
for (var i = 0, c = protocols.length; i < c; i++) {
|
|
|
|
buff[offset++] = lens[i];
|
|
|
|
buff.write(protocols[i], offset);
|
|
|
|
offset += lens[i];
|
|
|
|
}
|
2011-04-14 05:53:39 +02:00
|
|
|
|
2015-04-23 08:25:15 +02:00
|
|
|
return buff;
|
2016-01-15 09:53:11 +01:00
|
|
|
}
|
2015-04-23 08:25:15 +02:00
|
|
|
|
2016-05-09 08:04:17 +02:00
|
|
|
exports.convertNPNProtocols = function(protocols, out) {
|
2015-04-23 08:25:15 +02:00
|
|
|
// If protocols is Array - translate it into buffer
|
|
|
|
if (Array.isArray(protocols)) {
|
2016-08-10 21:16:06 +02:00
|
|
|
out.NPNProtocols = convertProtocols(protocols);
|
|
|
|
} else if (protocols instanceof Buffer) {
|
|
|
|
// Copy new buffer not to be modified by user.
|
|
|
|
out.NPNProtocols = Buffer.from(protocols);
|
2011-04-14 05:53:39 +02:00
|
|
|
}
|
2015-04-23 08:25:15 +02:00
|
|
|
};
|
2011-04-14 05:53:39 +02:00
|
|
|
|
2015-04-23 08:25:15 +02:00
|
|
|
exports.convertALPNProtocols = function(protocols, out) {
|
|
|
|
// If protocols is Array - translate it into buffer
|
|
|
|
if (Array.isArray(protocols)) {
|
2016-08-10 21:16:06 +02:00
|
|
|
out.ALPNProtocols = convertProtocols(protocols);
|
|
|
|
} else if (protocols instanceof Buffer) {
|
|
|
|
// Copy new buffer not to be modified by user.
|
2016-01-26 00:00:06 +01:00
|
|
|
out.ALPNProtocols = Buffer.from(protocols);
|
2011-04-14 05:53:39 +02:00
|
|
|
}
|
2013-06-13 15:36:00 +02:00
|
|
|
};
|
2012-07-05 21:50:21 +02:00
|
|
|
|
2013-06-13 15:36:00 +02:00
|
|
|
exports.checkServerIdentity = function checkServerIdentity(host, cert) {
|
2012-07-11 21:54:20 +02:00
|
|
|
// Create regexp to much hostnames
|
|
|
|
function regexpify(host, wildcards) {
|
|
|
|
// Add trailing dot (make hostnames uniform)
|
2016-03-17 05:23:52 +01:00
|
|
|
if (!host || !host.endsWith('.')) host += '.';
|
2012-07-11 21:54:20 +02:00
|
|
|
|
|
|
|
// The same applies to hostname with more than one wildcard,
|
|
|
|
// if hostname has wildcard when wildcards are not allowed,
|
|
|
|
// or if there are less than two dots after wildcard (i.e. *.com or *d.com)
|
2013-01-15 00:29:46 +01:00
|
|
|
//
|
|
|
|
// also
|
|
|
|
//
|
|
|
|
// "The client SHOULD NOT attempt to match a presented identifier in
|
|
|
|
// which the wildcard character comprises a label other than the
|
|
|
|
// left-most label (e.g., do not match bar.*.example.net)."
|
|
|
|
// RFC6125
|
|
|
|
if (!wildcards && /\*/.test(host) || /[\.\*].*\*/.test(host) ||
|
2012-07-11 21:54:20 +02:00
|
|
|
/\*/.test(host) && !/\*.*\..+\..+/.test(host)) {
|
|
|
|
return /$./;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Replace wildcard chars with regexp's wildcard and
|
|
|
|
// escape all characters that have special meaning in regexps
|
|
|
|
// (i.e. '.', '[', '{', '*', and others)
|
|
|
|
var re = host.replace(
|
2012-07-20 20:07:16 +02:00
|
|
|
/\*([a-z0-9\\-_\.])|[\.,\-\\\^\$+?*\[\]\(\):!\|{}]/g,
|
|
|
|
function(all, sub) {
|
|
|
|
if (sub) return '[a-z0-9\\-_]*' + (sub === '-' ? '\\-' : sub);
|
|
|
|
return '\\' + all;
|
|
|
|
});
|
2012-07-11 21:54:20 +02:00
|
|
|
|
|
|
|
return new RegExp('^' + re + '$', 'i');
|
|
|
|
}
|
|
|
|
|
2016-01-12 22:04:50 +01:00
|
|
|
var dnsNames = [];
|
|
|
|
var uriNames = [];
|
|
|
|
const ips = [];
|
|
|
|
var matchCN = true;
|
|
|
|
var valid = false;
|
|
|
|
var reason = 'Unknown reason';
|
2012-07-11 21:54:20 +02:00
|
|
|
|
|
|
|
// There're several names to perform check against:
|
|
|
|
// CN and altnames in certificate extension
|
|
|
|
// (DNS names, IP addresses, and URIs)
|
|
|
|
//
|
|
|
|
// Walk through altnames and generate lists of those names
|
|
|
|
if (cert.subjectaltname) {
|
|
|
|
cert.subjectaltname.split(/, /g).forEach(function(altname) {
|
2014-06-22 17:34:47 +02:00
|
|
|
var option = altname.match(/^(DNS|IP Address|URI):(.*)$/);
|
|
|
|
if (!option)
|
|
|
|
return;
|
|
|
|
if (option[1] === 'DNS') {
|
|
|
|
dnsNames.push(option[2]);
|
|
|
|
} else if (option[1] === 'IP Address') {
|
|
|
|
ips.push(option[2]);
|
|
|
|
} else if (option[1] === 'URI') {
|
|
|
|
var uri = url.parse(option[2]);
|
2012-07-11 21:54:20 +02:00
|
|
|
if (uri) uriNames.push(uri.hostname);
|
|
|
|
}
|
|
|
|
});
|
|
|
|
}
|
|
|
|
|
|
|
|
// If hostname is an IP address, it should be present in the list of IP
|
|
|
|
// addresses.
|
|
|
|
if (net.isIP(host)) {
|
|
|
|
valid = ips.some(function(ip) {
|
|
|
|
return ip === host;
|
|
|
|
});
|
2014-04-14 18:08:38 +02:00
|
|
|
if (!valid) {
|
2015-10-20 22:29:18 +02:00
|
|
|
reason = `IP: ${host} is not in the cert's list: ${ips.join(', ')}`;
|
2014-04-14 18:08:38 +02:00
|
|
|
}
|
2015-08-10 17:55:37 +02:00
|
|
|
} else if (cert.subject) {
|
2012-07-11 21:54:20 +02:00
|
|
|
// Transform hostname to canonical form
|
2016-03-17 05:23:52 +01:00
|
|
|
if (!host || !host.endsWith('.')) host += '.';
|
2012-07-11 21:54:20 +02:00
|
|
|
|
|
|
|
// Otherwise check all DNS/URI records from certificate
|
|
|
|
// (with allowed wildcards)
|
|
|
|
dnsNames = dnsNames.map(function(name) {
|
|
|
|
return regexpify(name, true);
|
|
|
|
});
|
|
|
|
|
|
|
|
// Wildcards ain't allowed in URI names
|
|
|
|
uriNames = uriNames.map(function(name) {
|
|
|
|
return regexpify(name, false);
|
|
|
|
});
|
|
|
|
|
|
|
|
dnsNames = dnsNames.concat(uriNames);
|
|
|
|
|
2013-01-15 00:29:46 +01:00
|
|
|
if (dnsNames.length > 0) matchCN = false;
|
|
|
|
|
2013-04-04 21:10:53 +02:00
|
|
|
// Match against Common Name (CN) only if no supported identifiers are
|
|
|
|
// present.
|
2013-01-15 00:29:46 +01:00
|
|
|
//
|
|
|
|
// "As noted, a client MUST NOT seek a match for a reference identifier
|
|
|
|
// of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
|
|
|
|
// URI-ID, or any application-specific identifier types supported by the
|
|
|
|
// client."
|
|
|
|
// RFC6125
|
|
|
|
if (matchCN) {
|
|
|
|
var commonNames = cert.subject.CN;
|
2015-01-29 02:05:53 +01:00
|
|
|
if (Array.isArray(commonNames)) {
|
2013-01-15 00:29:46 +01:00
|
|
|
for (var i = 0, k = commonNames.length; i < k; ++i) {
|
|
|
|
dnsNames.push(regexpify(commonNames[i], true));
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
dnsNames.push(regexpify(commonNames, true));
|
2012-08-12 21:46:56 +02:00
|
|
|
}
|
|
|
|
}
|
2012-07-11 21:54:20 +02:00
|
|
|
|
|
|
|
valid = dnsNames.some(function(re) {
|
|
|
|
return re.test(host);
|
|
|
|
});
|
2014-04-14 18:08:38 +02:00
|
|
|
|
|
|
|
if (!valid) {
|
|
|
|
if (cert.subjectaltname) {
|
2015-10-20 22:29:18 +02:00
|
|
|
reason =
|
|
|
|
`Host: ${host} is not in the cert's altnames: ` +
|
|
|
|
`${cert.subjectaltname}`;
|
2014-04-14 18:08:38 +02:00
|
|
|
} else {
|
2015-10-20 22:29:18 +02:00
|
|
|
reason = `Host: ${host} is not cert's CN: ${cert.subject.CN}`;
|
2014-04-14 18:08:38 +02:00
|
|
|
}
|
|
|
|
}
|
2015-08-10 17:55:37 +02:00
|
|
|
} else {
|
|
|
|
reason = 'Cert is empty';
|
2012-07-11 21:54:20 +02:00
|
|
|
}
|
|
|
|
|
2014-04-14 18:08:38 +02:00
|
|
|
if (!valid) {
|
|
|
|
var err = new Error(
|
2015-10-20 22:29:18 +02:00
|
|
|
`Hostname/IP doesn't match certificate's altnames: "${reason}"`);
|
2014-04-14 18:08:38 +02:00
|
|
|
err.reason = reason;
|
|
|
|
err.host = host;
|
|
|
|
err.cert = cert;
|
|
|
|
return err;
|
|
|
|
}
|
2010-12-09 09:10:16 +01:00
|
|
|
};
|
|
|
|
|
2011-08-26 13:00:40 +02:00
|
|
|
// Example:
|
|
|
|
// C=US\nST=CA\nL=SF\nO=Joyent\nOU=Node.js\nCN=ca1\nemailAddress=ry@clouds.org
|
2013-06-13 15:36:00 +02:00
|
|
|
exports.parseCertString = function parseCertString(s) {
|
2010-12-18 20:18:33 +01:00
|
|
|
var out = {};
|
2011-08-26 13:00:40 +02:00
|
|
|
var parts = s.split('\n');
|
|
|
|
for (var i = 0, len = parts.length; i < len; i++) {
|
2010-12-18 20:18:33 +01:00
|
|
|
var sepIndex = parts[i].indexOf('=');
|
|
|
|
if (sepIndex > 0) {
|
|
|
|
var key = parts[i].slice(0, sepIndex);
|
|
|
|
var value = parts[i].slice(sepIndex + 1);
|
2012-03-03 10:46:45 +01:00
|
|
|
if (key in out) {
|
2015-01-29 02:05:53 +01:00
|
|
|
if (!Array.isArray(out[key])) {
|
2012-03-03 10:46:45 +01:00
|
|
|
out[key] = [out[key]];
|
|
|
|
}
|
|
|
|
out[key].push(value);
|
|
|
|
} else {
|
|
|
|
out[key] = value;
|
|
|
|
}
|
2010-12-18 20:18:33 +01:00
|
|
|
}
|
|
|
|
}
|
|
|
|
return out;
|
2010-12-09 09:35:16 +01:00
|
|
|
};
|
2011-01-07 19:57:39 +01:00
|
|
|
|
2013-06-13 15:36:00 +02:00
|
|
|
// Public API
|
2014-03-07 00:27:01 +01:00
|
|
|
exports.createSecureContext = require('_tls_common').createSecureContext;
|
|
|
|
exports.SecureContext = require('_tls_common').SecureContext;
|
2013-07-03 09:46:01 +02:00
|
|
|
exports.TLSSocket = require('_tls_wrap').TLSSocket;
|
2013-06-13 15:36:00 +02:00
|
|
|
exports.Server = require('_tls_wrap').Server;
|
|
|
|
exports.createServer = require('_tls_wrap').createServer;
|
|
|
|
exports.connect = require('_tls_wrap').connect;
|
2014-11-10 06:09:58 +01:00
|
|
|
exports.createSecurePair = require('_tls_legacy').createSecurePair;
|