mirror of
https://github.com/nodejs/node.git
synced 2024-12-01 16:10:02 +01:00
5ba868f024
This adds a new `--tls-cipher-list` command line switch that can be used to override the built-in default cipher list. The intent of this is to make it possible to enforce an alternative default cipher list at the process level. Overriding the default cipher list is still permitted at the application level by changing the value of `require('tls').DEFAULT_CIPHERS`. As part of the change, the built in default list is moved out of tls.js and into node_constants.h and node_constants.cc. Two new constants are added to require('constants'): * defaultCipherList (the active default cipher list) * defaultCoreCipherList (the built-in default cipher list) A test case and doc changes are included. A new NODE_DEFINE_STRING_CONSTANT macro is also created in node_internals.h When node_constants is initialized, it will pick up either the passed in command line switch or fallback to the default built-in suite. Within joyent/node, this change had originaly been wrapped up with a number of other related commits involving the removal of the RC4 cipher. This breaks out this isolated change. /cc @mhdawson, @misterdjules, @trevnorris, @indutny, @rvagg Reviewed By: Ben Noordhuis <ben@strongloop.com> PR-URL: https://github.com/nodejs/node/pull/2412
232 lines
7.0 KiB
JavaScript
232 lines
7.0 KiB
JavaScript
'use strict';
|
|
|
|
const net = require('net');
|
|
const url = require('url');
|
|
const util = require('util');
|
|
const binding = process.binding('crypto');
|
|
const Buffer = require('buffer').Buffer;
|
|
const constants = require('constants');
|
|
|
|
// Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
|
|
// every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
|
|
// renegotations are seen. The settings are applied to all remote client
|
|
// connections.
|
|
exports.CLIENT_RENEG_LIMIT = 3;
|
|
exports.CLIENT_RENEG_WINDOW = 600;
|
|
|
|
exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
|
|
|
|
exports.DEFAULT_CIPHERS = constants.defaultCipherList;
|
|
|
|
exports.DEFAULT_ECDH_CURVE = 'prime256v1';
|
|
|
|
exports.getCiphers = function() {
|
|
const names = binding.getSSLCiphers();
|
|
// Drop all-caps names in favor of their lowercase aliases,
|
|
var ctx = {};
|
|
names.forEach(function(name) {
|
|
if (/^[0-9A-Z\-]+$/.test(name)) name = name.toLowerCase();
|
|
ctx[name] = true;
|
|
});
|
|
return Object.getOwnPropertyNames(ctx).sort();
|
|
};
|
|
|
|
// Convert protocols array into valid OpenSSL protocols list
|
|
// ("\x06spdy/2\x08http/1.1\x08http/1.0")
|
|
exports.convertNPNProtocols = function convertNPNProtocols(NPNProtocols, out) {
|
|
// If NPNProtocols is Array - translate it into buffer
|
|
if (Array.isArray(NPNProtocols)) {
|
|
var buff = new Buffer(NPNProtocols.reduce(function(p, c) {
|
|
return p + 1 + Buffer.byteLength(c);
|
|
}, 0));
|
|
|
|
NPNProtocols.reduce(function(offset, c) {
|
|
var clen = Buffer.byteLength(c);
|
|
buff[offset] = clen;
|
|
buff.write(c, offset + 1);
|
|
|
|
return offset + 1 + clen;
|
|
}, 0);
|
|
|
|
NPNProtocols = buff;
|
|
}
|
|
|
|
// If it's already a Buffer - store it
|
|
if (NPNProtocols instanceof Buffer) {
|
|
out.NPNProtocols = NPNProtocols;
|
|
}
|
|
};
|
|
|
|
exports.checkServerIdentity = function checkServerIdentity(host, cert) {
|
|
// Create regexp to much hostnames
|
|
function regexpify(host, wildcards) {
|
|
// Add trailing dot (make hostnames uniform)
|
|
if (!/\.$/.test(host)) host += '.';
|
|
|
|
// The same applies to hostname with more than one wildcard,
|
|
// if hostname has wildcard when wildcards are not allowed,
|
|
// or if there are less than two dots after wildcard (i.e. *.com or *d.com)
|
|
//
|
|
// also
|
|
//
|
|
// "The client SHOULD NOT attempt to match a presented identifier in
|
|
// which the wildcard character comprises a label other than the
|
|
// left-most label (e.g., do not match bar.*.example.net)."
|
|
// RFC6125
|
|
if (!wildcards && /\*/.test(host) || /[\.\*].*\*/.test(host) ||
|
|
/\*/.test(host) && !/\*.*\..+\..+/.test(host)) {
|
|
return /$./;
|
|
}
|
|
|
|
// Replace wildcard chars with regexp's wildcard and
|
|
// escape all characters that have special meaning in regexps
|
|
// (i.e. '.', '[', '{', '*', and others)
|
|
var re = host.replace(
|
|
/\*([a-z0-9\\-_\.])|[\.,\-\\\^\$+?*\[\]\(\):!\|{}]/g,
|
|
function(all, sub) {
|
|
if (sub) return '[a-z0-9\\-_]*' + (sub === '-' ? '\\-' : sub);
|
|
return '\\' + all;
|
|
});
|
|
|
|
return new RegExp('^' + re + '$', 'i');
|
|
}
|
|
|
|
var dnsNames = [],
|
|
uriNames = [],
|
|
ips = [],
|
|
matchCN = true,
|
|
valid = false,
|
|
reason = 'Unknown reason';
|
|
|
|
// There're several names to perform check against:
|
|
// CN and altnames in certificate extension
|
|
// (DNS names, IP addresses, and URIs)
|
|
//
|
|
// Walk through altnames and generate lists of those names
|
|
if (cert.subjectaltname) {
|
|
cert.subjectaltname.split(/, /g).forEach(function(altname) {
|
|
var option = altname.match(/^(DNS|IP Address|URI):(.*)$/);
|
|
if (!option)
|
|
return;
|
|
if (option[1] === 'DNS') {
|
|
dnsNames.push(option[2]);
|
|
} else if (option[1] === 'IP Address') {
|
|
ips.push(option[2]);
|
|
} else if (option[1] === 'URI') {
|
|
var uri = url.parse(option[2]);
|
|
if (uri) uriNames.push(uri.hostname);
|
|
}
|
|
});
|
|
}
|
|
|
|
// If hostname is an IP address, it should be present in the list of IP
|
|
// addresses.
|
|
if (net.isIP(host)) {
|
|
valid = ips.some(function(ip) {
|
|
return ip === host;
|
|
});
|
|
if (!valid) {
|
|
reason = util.format('IP: %s is not in the cert\'s list: %s',
|
|
host,
|
|
ips.join(', '));
|
|
}
|
|
} else if (cert.subject) {
|
|
// Transform hostname to canonical form
|
|
if (!/\.$/.test(host)) host += '.';
|
|
|
|
// Otherwise check all DNS/URI records from certificate
|
|
// (with allowed wildcards)
|
|
dnsNames = dnsNames.map(function(name) {
|
|
return regexpify(name, true);
|
|
});
|
|
|
|
// Wildcards ain't allowed in URI names
|
|
uriNames = uriNames.map(function(name) {
|
|
return regexpify(name, false);
|
|
});
|
|
|
|
dnsNames = dnsNames.concat(uriNames);
|
|
|
|
if (dnsNames.length > 0) matchCN = false;
|
|
|
|
// Match against Common Name (CN) only if no supported identifiers are
|
|
// present.
|
|
//
|
|
// "As noted, a client MUST NOT seek a match for a reference identifier
|
|
// of CN-ID if the presented identifiers include a DNS-ID, SRV-ID,
|
|
// URI-ID, or any application-specific identifier types supported by the
|
|
// client."
|
|
// RFC6125
|
|
if (matchCN) {
|
|
var commonNames = cert.subject.CN;
|
|
if (Array.isArray(commonNames)) {
|
|
for (var i = 0, k = commonNames.length; i < k; ++i) {
|
|
dnsNames.push(regexpify(commonNames[i], true));
|
|
}
|
|
} else {
|
|
dnsNames.push(regexpify(commonNames, true));
|
|
}
|
|
}
|
|
|
|
valid = dnsNames.some(function(re) {
|
|
return re.test(host);
|
|
});
|
|
|
|
if (!valid) {
|
|
if (cert.subjectaltname) {
|
|
reason = util.format('Host: %s is not in the cert\'s altnames: %s',
|
|
host,
|
|
cert.subjectaltname);
|
|
} else {
|
|
reason = util.format('Host: %s is not cert\'s CN: %s',
|
|
host,
|
|
cert.subject.CN);
|
|
}
|
|
}
|
|
} else {
|
|
reason = 'Cert is empty';
|
|
}
|
|
|
|
if (!valid) {
|
|
var err = new Error(
|
|
util.format('Hostname/IP doesn\'t match certificate\'s altnames: %j',
|
|
reason));
|
|
err.reason = reason;
|
|
err.host = host;
|
|
err.cert = cert;
|
|
return err;
|
|
}
|
|
};
|
|
|
|
// Example:
|
|
// C=US\nST=CA\nL=SF\nO=Joyent\nOU=Node.js\nCN=ca1\nemailAddress=ry@clouds.org
|
|
exports.parseCertString = function parseCertString(s) {
|
|
var out = {};
|
|
var parts = s.split('\n');
|
|
for (var i = 0, len = parts.length; i < len; i++) {
|
|
var sepIndex = parts[i].indexOf('=');
|
|
if (sepIndex > 0) {
|
|
var key = parts[i].slice(0, sepIndex);
|
|
var value = parts[i].slice(sepIndex + 1);
|
|
if (key in out) {
|
|
if (!Array.isArray(out[key])) {
|
|
out[key] = [out[key]];
|
|
}
|
|
out[key].push(value);
|
|
} else {
|
|
out[key] = value;
|
|
}
|
|
}
|
|
}
|
|
return out;
|
|
};
|
|
|
|
// Public API
|
|
exports.createSecureContext = require('_tls_common').createSecureContext;
|
|
exports.SecureContext = require('_tls_common').SecureContext;
|
|
exports.TLSSocket = require('_tls_wrap').TLSSocket;
|
|
exports.Server = require('_tls_wrap').Server;
|
|
exports.createServer = require('_tls_wrap').createServer;
|
|
exports.connect = require('_tls_wrap').connect;
|
|
exports.createSecurePair = require('_tls_legacy').createSecurePair;
|