crypto: support multiple ECDH curves and auto

[rogaps]

Using SSL_CTX_set1_curves_list() (OpenSSL 1.0.2+), this allows to set
colon separated ECDH curve names in SecureContext's ecdhCurve option.
The option can also be set to "auto" to select the curve automatically
from list built in OpenSSL by enabling SSL_CTX_set_ecdh_auto()
(OpenSSL 1.0.2+).
Refs: #15054

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• documentation is changed or added
• commit message follows commit guidelines

Affected core subsystem(s)

crypto

[mscdex]

I'm not sure we should be implicitly selecting our own hardcoded curve in this case for "auto." If the intent is to use the value of tls.DEFAULT_ECDH_CURVE, we would probably need to dynamically read that value since it could be changed by end users. However, we should probably throw an error instead when we see "auto" and the appropriate OpenSSL API is not available.

[rogaps]

My intention was to use tls.DEFAULT_ECDH_CURVE's value but displaying error is perhaps better if auto is actually not supported the version of OpenSSL.

[mscdex]

Minor nit: we use defined() below but not here. I think we should be consistent.

[rogaps]

Sure. I will update it.

[mscdex]

/cc @nodejs/crypto

[BridgeAR]

PTAL @nodejs/crypto

[jasnell]

The copyright header block should not be added to new files

[jasnell]

Please make use of the new require('common/fixtures') utility here.

[jasnell]

The 127.0.0.1 host can be omitted

[jasnell]

Not really a fan of multiline template literals and we've tried to avoid their use in the past.

[jasnell]

Ditto here... the copyright header should not be included.

[jasnell]

Getting closer! Left a few comments.

[tniessen]

Mostly LGTM, will do a review when @jasnell's comments were addressed.

[bnoordhuis]

I don't think you have to do this #define dance; the versions of openssl we support, support this API.

[bnoordhuis]

Likewise.

[bnoordhuis]

One (possibly academic) drawback to SSL_CTX_set1_curves_list() is that it won't let you set more than ~30 curves.

I.e., options = { ecdhCurve: crypto.getCurves().join(':') } won't work because there are over 80 different curves.

[rogaps]

Supported curves are listed here. Does the documentation need to mention the lists?

[bnoordhuis]

Yes, I think that's a good idea. I was initially going to suggest to just refer readers to the relevant RFCs but on second thought, that would work okay for Brainpool (RFC 7027) but RFC 4492 is too much of a grab bag of different algorithms.

[bnoordhuis]

Why was this removed?

[tniessen]

fwiw it was moved up

[rogaps]

Thanks for the reviews. I will address them.

[jasnell]

LGTM if @bnoordhuis is happy also.

[tniessen]

LGTM if CI passes: https://ci.nodejs.org/job/node-test-pull-request/10098/

[bnoordhuis]

Thanks, LGTM.

[BridgeAR]

JS and doc LGTM

[BridgeAR]

Nit: (non blocking) assert.ifError is actually meant as callback replacement. Therefore you do not have to wrap it in a function and can use it as client.on("error", assert.ifError) instead. The same in the other test.

[BridgeAR]

I am OK with this but in general - would it not be much nicer to use an Array instead of a colon separated string? And we could also allow a Boolean where false is used instead of the string "false" for deactivation and true for "auto"?

[jasnell]

would it not be much nicer to use an Array

Perhaps, but using the :-delimited string is consistent with openssl in general. Perhaps as a separate PR support for an Array input can be added.

[jasnell]

This is failing significantly on FIPS...

not ok 1445 parallel/test-tls-ecdh-multiple
  ---
  duration_ms: 0.412
  severity: fail
  stack: |-
    _tls_common.js:142
        c.context.setECDHCurve(options.ecdhCurve);
                  ^
    
    Error: Failed to set ECDH curve
        at Object.createSecureContext (_tls_common.js:142:15)
        at new Server (_tls_wrap.js:805:25)
        at Object.exports.createServer (_tls_wrap.js:898:10)
        at Object.<anonymous> (/home/iojs/build/workspace/node-test-commit-linux-fips/nodes/ubuntu1404-64/test/parallel/test-tls-ecdh-multiple.js:30:20)
        at Module._compile (module.js:600:30)
        at Object.Module._extensions..js (module.js:611:10)
        at Module.load (module.js:521:32)
        at tryModuleLoad (module.js:484:12)
        at Function.Module._load (module.js:476:3)
        at Function.Module.runMain (module.js:641:10)
  ...

ping @mhdawson @gibfahn

[rogaps]

@jasnell I overlooked FIPS mode doesn't support brainpoolP256r1.

[mhdawson]

@rogaps I assume you are just going to update the tests so that they don't try to use brainpoolP256r1 when in FIPs mode. Although maybe you have already updated.

[rogaps]

@mhdawson Sure. I will update the tests for some unsupported curves.

[jasnell]

Landed in 873e5bd

[gibfahn]

@nodejs/lts

Post-mortem on this, it contained an accidental breaking change (which brought the code in line with the docs), changing the default curve setting from prime256v1 to auto. I think reverting at this point would do more harm than good, but it is causing problems for users. The change in default will be reverted in 10.x (as a semver-major).

One thing that would help would be @sam-github 's suggestion in #16853 (comment), which is adding aNODE_OPTIONS option that allows users to change the default back to auto without needing to change dependency code.

Quite a few people have hit this, so IMO we should prioritize getting this fixed and backported to 8.x and 6.x.