Skip to content

Commit e8c9f01

Browse files
bnoordhuisevanlucas
bnoordhuis
authored and
evanlucas
committed
crypto: disable ssl compression at build time
SSL compression was first disabled at runtime in March 2011 in commit e83c695 ("Disable compression with OpenSSL.") for performance reasons and was later shown to be vulnerable to information leakage (CRIME.) Let's stop compiling it in altogether. This commit removes a broken CHECK from src/node_crypto.cc; broken because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0. As a result, node.js would abort when linked to an OPENSSL_NO_COMP build of openssl. PR-URL: #6582 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Fedor Indutny <[email protected]> Reviewed-By: James M Snell <[email protected]>
1 parent 2d67741 commit e8c9f01

File tree

2 files changed

+5
-13
lines changed

2 files changed

+5
-13
lines changed

deps/openssl/openssl.gypi

Lines changed: 3 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -214,10 +214,6 @@
214214
'openssl/crypto/cms/cms_pwri.c',
215215
'openssl/crypto/cms/cms_sd.c',
216216
'openssl/crypto/cms/cms_smime.c',
217-
'openssl/crypto/comp/c_rle.c',
218-
'openssl/crypto/comp/c_zlib.c',
219-
'openssl/crypto/comp/comp_err.c',
220-
'openssl/crypto/comp/comp_lib.c',
221217
'openssl/crypto/conf/conf_api.c',
222218
'openssl/crypto/conf/conf_def.c',
223219
'openssl/crypto/conf/conf_err.c',
@@ -1252,6 +1248,9 @@
12521248
'PURIFY',
12531249
'_REENTRANT',
12541250

1251+
# Compression is not used and considered insecure (CRIME.)
1252+
'OPENSSL_NO_COMP',
1253+
12551254
# SSLv3 is susceptible to downgrade attacks (POODLE.)
12561255
'OPENSSL_NO_SSL3',
12571256

src/node_crypto.cc

Lines changed: 2 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -5721,15 +5721,8 @@ void InitCryptoOnce() {
57215721

57225722

57235723
// Turn off compression. Saves memory and protects against CRIME attacks.
5724-
#if !defined(OPENSSL_NO_COMP)
5725-
#if OPENSSL_VERSION_NUMBER < 0x00908000L
5726-
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_method();
5727-
#else
5728-
STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods();
5729-
#endif
5730-
sk_SSL_COMP_zero(comp_methods);
5731-
CHECK_EQ(sk_SSL_COMP_num(comp_methods), 0);
5732-
#endif
5724+
// No-op with OPENSSL_NO_COMP builds of OpenSSL.
5725+
sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
57335726

57345727
#ifndef OPENSSL_NO_ENGINE
57355728
ERR_load_ENGINE_strings();

0 commit comments

Comments
 (0)