(-)a/lib/_tls_common.js (-5 / +9 lines)
Lines 36-44 var crypto = null; Link Here
36
36
37
const { SecureContext: NativeSecureContext } = process.binding('crypto');
37
const { SecureContext: NativeSecureContext } = process.binding('crypto');
38
38
39
function SecureContext(secureProtocol, secureOptions, context) {
39
function SecureContext(secureProtocol, secureOptions, context, min_version,
40
                       max_version) {
40
  if (!(this instanceof SecureContext)) {
41
  if (!(this instanceof SecureContext)) {
41
    return new SecureContext(secureProtocol, secureOptions, context);
42
    return new SecureContext(secureProtocol, secureOptions, context,
43
                             min_version, max_version);
42
  }
44
  }
43
45
44
  if (context) {
46
  if (context) {
Lines 47-55 function SecureContext(secureProtocol, secureOptions, context) { Link Here
47
    this.context = new NativeSecureContext();
49
    this.context = new NativeSecureContext();
48
50
49
    if (secureProtocol) {
51
    if (secureProtocol) {
50
      this.context.init(secureProtocol);
52
      this.context.init(min_version, max_version, secureProtocol);
51
    } else {
53
    } else {
52
      this.context.init();
54
      this.context.init(min_version, max_version);
53
    }
55
    }
54
  }
56
  }
55
57
Lines 76-82 exports.createSecureContext = function createSecureContext(options, context) { Link Here
76
  if (options.honorCipherOrder)
78
  if (options.honorCipherOrder)
77
    secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
79
    secureOptions |= SSL_OP_CIPHER_SERVER_PREFERENCE;
78
80
79
  const c = new SecureContext(options.secureProtocol, secureOptions, context);
81
  const c = new SecureContext(options.secureProtocol, secureOptions, context,
82
                              options.min_version || tls.DEFAULT_MIN_VERSION,
83
                              options.max_version || tls.DEFAULT_MAX_VERSION);
80
  var i;
84
  var i;
81
  var val;
85
  var val;
82
86
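Review bot: createSecureContext (new lines 81-83) forwards `options.min_version || tls.DEFAULT_MIN_VERSION` and the max counterpart without validating the strings, and the native side on this same page maps any unrecognized name to 0, which presumably reaches SSL_CTX_set_min/max_proto_version where 0 means "no bound" — so a typo such as `'TLSv1_2'` would silently remove the version floor instead of failing. Reject unknown values before they reach init: `if (options.min_version && !['TLSv1', 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'].includes(options.min_version)) throw new TypeError('Unknown min_version: ' + options.min_version);` and the same for max_version (using the file's usual ERR_INVALID_OPT_VALUE helper if it is in scope). The new code also relies on a `tls` binding being available in _tls_common.js, which this hunk does not show. createSecureContext continues outside the hunk.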
(-)a/lib/_tls_wrap.js (+14 lines)
Lines 875-880 function Server(options, listener) { Link Here
875
    ciphers: this.ciphers,
875
    ciphers: this.ciphers,
876
    ecdhCurve: this.ecdhCurve,
876
    ecdhCurve: this.ecdhCurve,
877
    dhparam: this.dhparam,
877
    dhparam: this.dhparam,
878
    min_version: this.min_version,
879
    max_version: this.max_version,
878
    secureProtocol: this.secureProtocol,
880
    secureProtocol: this.secureProtocol,
879
    secureOptions: this.secureOptions,
881
    secureOptions: this.secureOptions,
880
    honorCipherOrder: this.honorCipherOrder,
882
    honorCipherOrder: this.honorCipherOrder,
Lines 946-951 Server.prototype.setOptions = function(options) { Link Here
946
  if (options.clientCertEngine)
948
  if (options.clientCertEngine)
947
    this.clientCertEngine = options.clientCertEngine;
949
    this.clientCertEngine = options.clientCertEngine;
948
  if (options.ca) this.ca = options.ca;
950
  if (options.ca) this.ca = options.ca;
951
  if (options.min_version) this.min_version = options.min_version;
952
  if (options.max_version) this.max_version = options.max_version;
953
  if (options.min_version)
954
    this.min_version = options.min_version;
955
  else
956
    this.min_version = undefined;
957
958
  if (options.max_version)
959
    this.max_version = options.max_version;
960
  else
961
    this.max_version = undefined;
962
949
  if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
963
  if (options.secureProtocol) this.secureProtocol = options.secureProtocol;
950
  if (options.crl) this.crl = options.crl;
964
  if (options.crl) this.crl = options.crl;
951
  if (options.ciphers) this.ciphers = options.ciphers;
965
  if (options.ciphers) this.ciphers = options.ciphers;
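Review bot: In setOptions the two added lines `if (options.min_version) this.min_version = options.min_version;` and `if (options.max_version) this.max_version = options.max_version;` (new lines 951-952) are dead code: the if/else blocks immediately following them (new lines 953-961) assign both fields unconditionally, so the first pair should be dropped. Note also that those else branches reset the fields to undefined when the option is absent, unlike every other option in this function, which is only assigned when present; if that asymmetry is intentional it deserves a one-line comment, e.g. `// Always reset so a Server reused via setOptions() cannot keep stale version bounds.` setOptions continues outside the hunk.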
(-)a/lib/https.js (+8 lines)
Lines 187-192 Agent.prototype.getName = function getName(options) { Link Here
187
  if (options.servername && options.servername !== options.host)
187
  if (options.servername && options.servername !== options.host)
188
    name += options.servername;
188
    name += options.servername;
189
189
190
  name += ':';
191
  if (options.min_version)
192
    name += options.min_version;
193
194
  name += ':';
195
  if (options.max_version)
196
    name += options.max_version;
197
190
  name += ':';
198
  name += ':';
191
  if (options.secureProtocol)
199
  if (options.secureProtocol)
192
    name += options.secureProtocol;
200
    name += options.secureProtocol;
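Review bot: The two new key fields in Agent.prototype.getName (new lines 191-196) carry no comment explaining why TLS version bounds belong in the pool name; add one above them, e.g. `// Sockets negotiated under different version bounds must not share a pool entry, otherwise a request asking for a stricter min_version could reuse a connection that was negotiated under a looser one.` The key is positional, so inserting these fields ahead of secureProtocol shifts every later field; the test update on this page reflects that, but anything out-of-tree that parses getName() output will break. getName continues outside the hunk.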
(-)a/lib/tls.js (+8 lines)
Lines 49-54 exports.DEFAULT_CIPHERS = Link Here
49
49
50
exports.DEFAULT_ECDH_CURVE = 'auto';
50
exports.DEFAULT_ECDH_CURVE = 'auto';
51
51
52
// Disable TLS1.3 by default. The only reason for enabling it for now is to work
53
// on fixing cipher suite incompatibilities with TLS1.2 that prevent node from
54
// working with TLS1.3 in OpenSSL 1.1.1.
55
exports.DEFAULT_MAX_VERSION = 'TLSv1.2';
56
57
exports.DEFAULT_MIN_VERSION = 'TLSv1';
58
59
52
exports.getCiphers = internalUtil.cachedResult(
60
exports.getCiphers = internalUtil.cachedResult(
53
  () => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
61
  () => internalUtil.filterDuplicateStrings(binding.getSSLCiphers(), true)
54
);
62
);
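Review bot: `exports.DEFAULT_MIN_VERSION = 'TLSv1';` (new line 57) is added without any rationale, while DEFAULT_MAX_VERSION gets a comment; since TLS 1.0 and 1.1 are widely deprecated, the floor deserves a stated reason and a hardening pointer, e.g. `// TLSv1 is kept as the floor for compatibility with legacy peers; deployments that require TLS 1.2 should pass min_version: 'TLSv1.2' (or raise this default).` It is also worth noting next to DEFAULT_MAX_VERSION that, while the cap is 'TLSv1.2', a caller setting min_version to 'TLSv1.3' would presumably leave no negotiable version at all rather than enable TLS 1.3.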
(-)a/src/node_crypto.cc (-2 / +31 lines)
Lines 371-376 void SecureContext::New(const FunctionCallbackInfo<Value>& args) { Link Here
371
}
371
}
372
372
373
373
374
int string_to_tls_protocol(const char* version_str) {
375
  int version;
376
377
  if (strcmp(version_str, "TLSv1.3") == 0) {
378
    version = TLS1_3_VERSION;
379
  } else if (strcmp(version_str, "TLSv1.2") == 0) {
380
    version = TLS1_2_VERSION;
381
  } else if (strcmp(version_str, "TLSv1.1") == 0) {
382
    version = TLS1_1_VERSION;
383
  } else if (strcmp(version_str, "TLSv1") == 0) {
384
    version = TLS1_VERSION;
385
  } else {
386
    version = 0;
387
  }
388
  return version;
389
}
390
391
374
void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
392
void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
375
  SecureContext* sc;
393
  SecureContext* sc;
376
  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
394
  ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
Lines 378-387 void SecureContext::Init(const FunctionCallbackInfo<Value>& args) { Link Here
378
396
379
  int min_version = 0;
397
  int min_version = 0;
380
  int max_version = 0;
398
  int max_version = 0;
399
400
  if (args[0]->IsString()) {
401
    const node::Utf8Value min(env->isolate(), args[0]);
402
    min_version = string_to_tls_protocol(*min);
403
  }
404
405
  if (args[1]->IsString()) {
406
    const node::Utf8Value max(env->isolate(), args[1]);
407
    max_version = string_to_tls_protocol(*max);
408
  }
409
381
  const SSL_METHOD* method = TLS_method();
410
  const SSL_METHOD* method = TLS_method();
382
411
383
  if (args.Length() == 1 && args[0]->IsString()) {
412
  if (args.Length() == 3 && args[2]->IsString()) {
384
    const node::Utf8Value sslmethod(env->isolate(), args[0]);
413
    const node::Utf8Value sslmethod(env->isolate(), args[2]);
385
414
386
    // Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends
415
    // Note that SSLv2 and SSLv3 are disallowed but SSLv23_method and friends
387
    // are still accepted.  They are OpenSSL's way of saying that all known
416
    // are still accepted.  They are OpenSSL's way of saying that all known
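Review bot: string_to_tls_protocol returns 0 for any unrecognized string, and SecureContext::Init (new lines 400-408) uses the result without checking it, so a misspelled min_version or max_version is silently passed on as 0 — where the bounds are presumably applied to the context, 0 lifts the bound rather than enforcing it. Fail closed when a string was supplied but not recognized: after each conversion add `if (min_version == 0) return env->ThrowError("Unknown min_version");` (and likewise for max_version), using whichever throw helper this file already uses. `string_to_tls_protocol` should also be `static` (or in the anonymous namespace) since it is file-local, and `TLS1_3_VERSION` is only defined by OpenSSL >= 1.1.1, so the reference needs an `#ifdef TLS1_3_VERSION` guard if builds against older headers are still supported. Init continues outside the hunk.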
(-)a/src/tls_wrap.cc (-1 / +4 lines)
Lines 227-233 void TLSWrap::SSLInfoCallback(const SSL* ssl_, int where, int ret) { Link Here
227
    }
227
    }
228
  }
228
  }
229
229
230
  if (where & SSL_CB_HANDSHAKE_DONE) {
230
  // SSL_CB_HANDSHAKE_START and SSL_CB_HANDSHAKE_DONE are called
231
  // sending HelloRequest in OpenSSL-1.1.1.
232
  // We need to check whether this is in a renegotiation state or not.
233
  if (where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)) {
231
    c->established_ = true;
234
    c->established_ = true;
232
    Local<Value> callback = object->Get(env->onhandshakedone_string());
235
    Local<Value> callback = object->Get(env->onhandshakedone_string());
233
    if (callback->IsFunction()) {
236
    if (callback->IsFunction()) {
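Review bot: The new condition `where & SSL_CB_HANDSHAKE_DONE && !SSL_renegotiate_pending(ssl)` (new line 233) relies on `&` binding tighter than `&&`; it is correct but trips -Wparentheses and is easy to misread, so write `if ((where & SSL_CB_HANDSHAKE_DONE) && !SSL_renegotiate_pending(ssl))`. The comment above it is garbled ("are called sending HelloRequest"); rephrase as `// With OpenSSL 1.1.1, SSL_CB_HANDSHAKE_START/DONE also fire when a HelloRequest is sent, so only mark the connection established once no renegotiation is pending.` The function's parameter is `ssl_` while the check uses `ssl`; that local is presumably declared above the hunk, and SSLInfoCallback continues past it.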
(-)a/test/parallel/test-https-agent-getname.js (-2 / +2 lines)
Lines 12-18 const agent = new https.Agent(); Link Here
12
// empty options
12
// empty options
13
assert.strictEqual(
13
assert.strictEqual(
14
  agent.getName({}),
14
  agent.getName({}),
15
  'localhost:::::::::::::::::'
15
  'localhost:::::::::::::::::::'
16
);
16
);
17
17
18
// pass all options arguments
18
// pass all options arguments
Lines 39-43 const options = { Link Here
39
assert.strictEqual(
39
assert.strictEqual(
40
  agent.getName(options),
40
  agent.getName(options),
41
  '0.0.0.0:443:192.168.1.1:ca:cert::ciphers:key:pfx:false:localhost:' +
41
  '0.0.0.0:443:192.168.1.1:ca:cert::ciphers:key:pfx:false:localhost:' +
42
    'secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'
42
    '::secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'
43
);
43
);
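Review bot: The "pass all options" case (lines 39-43) still leaves both new fields empty — the expected key shows `localhost:` followed by `::secureProtocol`, i.e. neither min_version nor max_version is set in `options` — so the new getName() fields are only ever exercised as blanks. Add `min_version: 'TLSv1.1', max_version: 'TLSv1.2'` to the options object (declared before this hunk) and change the expected fragment to `'TLSv1.1:TLSv1.2:secureProtocol:c,r,l:false:ecdhCurve:dhparam:0:sessionIdContext'` so a regression that drops or reorders them is caught. The options declaration itself is outside the visible hunk.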