
crypto: disable ssl compression at build time

SSL compression was first disabled at runtime in March 2011 in commit
e83c6959 ("Disable compression with OpenSSL.") for performance reasons
and was later shown to be vulnerable to information leakage (CRIME.)
Let's stop compiling it in altogether.

This commit removes a broken CHECK from src/node_crypto.cc; broken
because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0.  As a
result, node.js would abort when linked to an OPENSSL_NO_COMP build
of openssl.

PR-URL: https://github.com/nodejs/node/pull/6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
Branch: process-exit-stdio-flushing
Author: Ben Noordhuis, 9 years ago
Parent commit: e6b35f4a86

Changed files:
- deps/openssl/openssl.gypi (7 lines)
- src/node_crypto.cc (11 lines)

7
deps/openssl/openssl.gypi

@ -214,10 +214,6 @@
'openssl/crypto/cms/cms_pwri.c', 'openssl/crypto/cms/cms_pwri.c',
'openssl/crypto/cms/cms_sd.c', 'openssl/crypto/cms/cms_sd.c',
'openssl/crypto/cms/cms_smime.c', 'openssl/crypto/cms/cms_smime.c',
'openssl/crypto/comp/c_rle.c',
'openssl/crypto/comp/c_zlib.c',
'openssl/crypto/comp/comp_err.c',
'openssl/crypto/comp/comp_lib.c',
'openssl/crypto/conf/conf_api.c', 'openssl/crypto/conf/conf_api.c',
'openssl/crypto/conf/conf_def.c', 'openssl/crypto/conf/conf_def.c',
'openssl/crypto/conf/conf_err.c', 'openssl/crypto/conf/conf_err.c',
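Review bot: dropping c_rle.c, c_zlib.c, comp_err.c and comp_lib.c from the source list only links cleanly if every remaining reference to the COMP_* API in the bundled OpenSSL is compiled out, so this hunk is not safe on its own; it depends on the OPENSSL_NO_COMP define added further down in the same file (the -1252 hunk). Worth a one-line comment here pointing at that define, so that someone regenerating or re-syncing the source list does not restore these four files without it.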
@ -1252,6 +1248,9 @@
'PURIFY', 'PURIFY',
'_REENTRANT', '_REENTRANT',
# Compression is not used and considered insecure (CRIME.)
'OPENSSL_NO_COMP',
# SSLv3 is susceptible to downgrade attacks (POODLE.) # SSLv3 is susceptible to downgrade attacks (POODLE.)
'OPENSSL_NO_SSL3', 'OPENSSL_NO_SSL3',
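Review bot: these defines only apply to the bundled OpenSSL that this gypi builds; a node binary built against a system OpenSSL is not affected, and that library may still have compression compiled in. The comment above 'OPENSSL_NO_COMP' should say that the runtime disable in src/node_crypto.cc is what covers that case, otherwise a later cleanup could treat the build-time flag as sufficient and remove the runtime call.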

11
src/node_crypto.cc

@ -5721,15 +5721,8 @@ void InitCryptoOnce() {
// Turn off compression. Saves memory and protects against CRIME attacks. // Turn off compression. Saves memory and protects against CRIME attacks.
#if !defined(OPENSSL_NO_COMP) // No-op with OPENSSL_NO_COMP builds of OpenSSL.
#if OPENSSL_VERSION_NUMBER < 0x00908000L sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_method();
#else
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods();
#endif
sk_SSL_COMP_zero(comp_methods);
CHECK_EQ(sk_SSL_COMP_num(comp_methods), 0);
#endif
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings(); ERR_load_ENGINE_strings();
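Review bot: the replacement line passes the result of SSL_COMP_get_compression_methods() straight into sk_SSL_COMP_zero(), which is fine because OpenSSL's sk_zero() returns early on a NULL stack, but the comment "// No-op with OPENSSL_NO_COMP builds of OpenSSL." should state that the function returns NULL in such builds and that sk_SSL_COMP_zero() tolerates it, so nobody reinstates a count check like the removed CHECK_EQ (sk_SSL_COMP_num() returns -1 for NULL, not 0, which is the abort the commit message describes). Removing the `#if OPENSSL_VERSION_NUMBER < 0x00908000L` branch also raises the minimum supported OpenSSL to 0.9.8, and that is worth stating in the commit message. With the CHECK gone nothing verifies that compression is actually off; a regression test that a completed TLS handshake negotiated no compression would cover builds against a system OpenSSL, which the gypi defines do not reach.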
