Skip to content

Commit

Permalink
crypto: disable ssl compression at build time
Browse files Browse the repository at this point in the history
SSL compression was first disabled at runtime in March 2011 in commit
e83c695 ("Disable compression with OpenSSL.") for performance reasons
and was later shown to be vulnerable to information leakage (CRIME.)
Let's stop compiling it in altogether.

This commit removes a broken CHECK from src/node_crypto.cc; broken
because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0.  As a
result, node.js would abort when linked to an OPENSSL_NO_COMP build
of openssl.

PR-URL: #6582
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
bnoordhuis authored and evanlucas committed May 17, 2016
1 parent 2d67741 commit e8c9f01
Show file tree
Hide file tree
Showing 2 changed files with 5 additions and 13 deletions.
7 changes: 3 additions & 4 deletions deps/openssl/openssl.gypi
Original file line number Diff line number Diff line change
Expand Up @@ -214,10 +214,6 @@
'openssl/crypto/cms/cms_pwri.c',
'openssl/crypto/cms/cms_sd.c',
'openssl/crypto/cms/cms_smime.c',
'openssl/crypto/comp/c_rle.c',
'openssl/crypto/comp/c_zlib.c',
'openssl/crypto/comp/comp_err.c',
'openssl/crypto/comp/comp_lib.c',
'openssl/crypto/conf/conf_api.c',
'openssl/crypto/conf/conf_def.c',
'openssl/crypto/conf/conf_err.c',
Expand Down Expand Up @@ -1252,6 +1248,9 @@
'PURIFY',
'_REENTRANT',

# Compression is not used and considered insecure (CRIME.)
'OPENSSL_NO_COMP',

# SSLv3 is susceptible to downgrade attacks (POODLE.)
'OPENSSL_NO_SSL3',

Expand Down
11 changes: 2 additions & 9 deletions src/node_crypto.cc
Original file line number Diff line number Diff line change
Expand Up @@ -5721,15 +5721,8 @@ void InitCryptoOnce() {


// Turn off compression. Saves memory and protects against CRIME attacks.
#if !defined(OPENSSL_NO_COMP)
#if OPENSSL_VERSION_NUMBER < 0x00908000L
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_method();
#else
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods();
#endif
sk_SSL_COMP_zero(comp_methods);
CHECK_EQ(sk_SSL_COMP_num(comp_methods), 0);
#endif
// No-op with OPENSSL_NO_COMP builds of OpenSSL.
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());

#ifndef OPENSSL_NO_ENGINE
ERR_load_ENGINE_strings();
Expand Down

0 comments on commit e8c9f01

Please sign in to comment.