Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update openssl1.1.1d #29550

Closed
wants to merge 4 commits into from
Closed

Conversation

sam-github
Copy link
Contributor

@sam-github sam-github commented Sep 13, 2019

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • documentation is changed or added
  • commit message follows commit guidelines

@nodejs-github-bot nodejs-github-bot added the openssl Issues and PRs related to the OpenSSL dependency. label Sep 13, 2019
@sam-github
Copy link
Contributor Author

@mscdex @bnoordhuis Note last commit, all the checks for DH_NOT_SUITABLE_GENERATOR in test/parallel/test-crypto-dh.js fail with openssl 1.1.1d, because of the removal in openssl/openssl#9363 of https://github.com/openssl/openssl/blob/2500c093aa1e9c90c11c415053c0a27a00661d0d/crypto/dh/dh_check.c#L143-L154

https://github.com/bernd-edlinger/openssl/blob/9087476b536dd13fe99fdd36773234923cea78bb/CHANGES#L12-L16 describes this a security improvement, to avoid leaking data, as well as

The main motivation for this was that RFC 7919 parameters use an order q subgroup as well,
but those did not pass the DH_check sanity test, however those parameters are perfectly sane.

In Node.js, the tests have been refactored multiple times, but the original code was introduced by @mscdex in nodejs/node-v0.x-archive#7086 in response to a feature request, nodejs/node-v0.x-archive#2338

@bnoordhuis and others had concerns that simply allowing these params was risky, thus the exposure of the verification codes for (elective) sanity checks. Those checks don't appear possible anymore.

I find literally zero use of this error code, or even the property, in the rest of the Node.js code base, so we have no internal dependency on it. I don't pretend to knowing enough group theory to understand what's at issue here.

Should I simply remove the tests, as in the last WIP commit, or should I report this upstream to OpenSSL, or something else?

/to @nodejs/crypto

@nodejs-github-bot
Copy link
Collaborator

@mscdex
Copy link
Contributor

mscdex commented Sep 13, 2019

in response to a feature request, nodejs/node-v0.x-archive#2338

My PR was a response to my own feature request here. My reference to that other issue was in discussion about handling of the 'error' or OpenSSL errors in general.

@mscdex
Copy link
Contributor

mscdex commented Sep 13, 2019

I don't personally use verifyError, but as long as the accepting of custom generators is still allowed like before, I'm happy.

@sam-github
Copy link
Contributor Author

@mscdex thanks for the references.

Are you OK with the changes in 9607205, to just ignore the code since it never is set?

@mscdex
Copy link
Contributor

mscdex commented Sep 14, 2019

I don't know enough about it to be sure, it could be that the generator values in the tests have to be updated in order to trigger DH_NOT_SUITABLE_GENERATOR?

@bnoordhuis
Copy link
Member

This avoids leaking bit 0 of the private key.

I'm not sure I understand openssl/openssl#9363: bit 0 is always 1 because it's a prime > 2, isn't it?

Apropos the DH_NOT_SUITABLE_GENERATOR tests, we can either:

  1. remove them
  2. use different values (i.e., g=2 and g=5 don't work anymore but g=1 or g>p still should)
  3. do the modulo checks ourselves (in C++ or in BigInt JS land), at least for now

This PR is supposed to eventually end up in the LTS branch, right? That would make (3) the most attractive for BC reasons but I'm willing to be convinced I'm wrong. :-)

cc @tniessen - perhaps you have an opinion?

@sam-github
Copy link
Contributor Author

sam-github commented Sep 16, 2019

I polled OpenSSL for a comment: openssl/openssl#9363 (comment)

I'm averse to indefinitely floating changes on OpenSSL that reverse their API decisions without a very, very compelling reason (which would beg the question of why the change isn't pushed back to OpenSSL).

So, there is a 4th/5th option:

4.:

  • use different generators in master so code paths are tested
  • use a compatibility patch on 10.x and 12.x so they have no change in behaviour, but the patch will EOL when the respective LTS release lines EOL
  1. Do 4, minus the patch, and only add the patch if someone actually notices and cares.

My impression from reading the code and discussion is that the feature allows uses of DH generators in a way that that the code isn't meaningful to, and that for the unsafe params the API isn't used, so doesn't help much. In other words -- anyone using custom DH params probably knows what they are doing already.

@kroeckx
Copy link

kroeckx commented Sep 16, 2019

I would argue that this is not an API change, but a bug fix in OpenSSL. It used to return that it's not a suitable generator while it was.

As I understand this, the feature request was to make it possible to load keys that OpenSSL used to reject, but now accepts.

@sam-github sam-github marked this pull request as ready for review September 17, 2019 20:52
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

Copy link
Member

@bnoordhuis bnoordhuis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM but note that this breaks the ubuntu1604_sharedlibs_openssl111_x64 buildbot for obvious reasons.

I don't have good suggestions on what to do here. 16.04 ships openssl 1.02 so that means the shared library build is one we provide ourselves? Can we upgrade it when this PR is merged?


// Confirm DH_check() results are exposed for optional examination.
const bad_dh = crypto.createDiffieHellman('02', 'hex');
assert.strictEqual(bad_dh.verifyError, DH_CHECK_P_NOT_PRIME |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Millions of mathematicians weep tonight....

@richardlau
Copy link
Member

richardlau commented Sep 18, 2019

LGTM but note that this breaks the ubuntu1604_sharedlibs_openssl111_x64 buildbot for obvious reasons.

I don't have good suggestions on what to do here. 16.04 ships openssl 1.02 so that means the shared library build is one we provide ourselves? Can we upgrade it when this PR is merged?

The sharedlibs builds run in a docker container defined in https://github.com/nodejs/build/blob/master/ansible/roles/docker/templates/ubuntu1604_sharedlibs.Dockerfile.j2. Currently we're using 1.1.1b (for openssl 1.1.1). If we update it to 1.1.1d will things break before this PR lands on all release lines that currently run in that container?

@sam-github
Copy link
Contributor Author

Yes, I noticed the breakage. I'm not exactly sure what to do, its kindof tough when openssl changes behaviour mid-release line. My temptation would be to rewrite the tests so they pass against openssl 1.1.1c and before, as well as openssl 1.1.1d and later. The docker sharedlib test failure is valid, IMO, we should either fix it, or remove that test from CI if we don't care.

@bnoordhuis
Copy link
Member

Version-sniffing process.versions.openssl is an option. Another is to take the buildbot offline until all release lines have upgraded.

(I'm not saying that's the best option, mind you, but it's an option.)

This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.0h.tar.gz
    $ mv openssl-1.1.0h openssl
    $ git add --all openssl
    $ git commit openssl
After an OpenSSL source update, all the config files need to be regenerated and
comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used
to be considered unsafe. See below for discussion. This is considered a
bug fix.

See:
- openssl/openssl#9363
- openssl/openssl#9363 (comment)
@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@nodejs-github-bot
Copy link
Collaborator

@sam-github
Copy link
Contributor Author

@nodejs/crypto needs another reviewer

@sam-github
Copy link
Contributor Author

@nodejs/crypto -- needs one more review, please

@sam-github
Copy link
Contributor Author

cc: @nodejs/tsc

@sam-github
Copy link
Contributor Author

Thanks @addaleax

Landed in 7ce316e...3473e58

@sam-github sam-github closed this Oct 1, 2019
sam-github added a commit that referenced this pull request Oct 1, 2019
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.0h.tar.gz
    $ mv openssl-1.1.0h openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
sam-github added a commit that referenced this pull request Oct 1, 2019
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
sam-github added a commit that referenced this pull request Oct 1, 2019
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used
to be considered unsafe. See below for discussion. This is considered a
bug fix.

See:
- openssl/openssl#9363
- openssl/openssl#9363 (comment)

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
BridgeAR pushed a commit that referenced this pull request Oct 9, 2019
This updates all sources in deps/openssl/openssl by:
    $ cd deps/openssl/
    $ rm -rf openssl
    $ tar zxf ~/tmp/openssl-1.1.0h.tar.gz
    $ mv openssl-1.1.0h openssl
    $ git add --all openssl
    $ git commit openssl

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
BridgeAR pushed a commit that referenced this pull request Oct 9, 2019
After an OpenSSL source update, all the config files need to be
regenerated and comitted by:
    $ cd deps/openssl/config
    $ make
    $ git add deps/openssl/config/archs
    $ git add deps/openssl/openssl/crypto/include/internal/bn_conf.h
    $ git add deps/openssl/openssl/crypto/include/internal/dso_conf.h
    $ git add deps/openssl/openssl/include/openssl/opensslconf.h
    $ git commit

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
BridgeAR pushed a commit that referenced this pull request Oct 9, 2019
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used
to be considered unsafe. See below for discussion. This is considered a
bug fix.

See:
- openssl/openssl#9363
- openssl/openssl#9363 (comment)

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
@BridgeAR BridgeAR mentioned this pull request Oct 10, 2019
sam-github added a commit to sam-github/node that referenced this pull request Oct 11, 2019
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used
to be considered unsafe. See below for discussion. This is considered a
bug fix.

See:
- openssl/openssl#9363
- openssl/openssl#9363 (comment)

PR-URL: nodejs#29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
BethGriggs pushed a commit that referenced this pull request Oct 16, 2019
OpenSSL 1.1.1d no longer generates warnings for some DH groups that used
to be considered unsafe. See below for discussion. This is considered a
bug fix.

See:
- openssl/openssl#9363
- openssl/openssl#9363 (comment)

PR-URL: #29550
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
@BethGriggs BethGriggs mentioned this pull request Oct 18, 2019
@sam-github sam-github deleted the update-openssl1.1.1d branch November 28, 2019 22:14
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
openssl Issues and PRs related to the OpenSSL dependency.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants