New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a new option to limit DH key size in tls connect #1831

Closed
wants to merge 3 commits into
base: master
from

Conversation

Projects
None yet
7 participants
@shigeki
Contributor

shigeki commented May 29, 2015

This is the fix of logjam attack for a TLS client. It disable connecting to the TLS server with less than DH key size specified by a new option of minDHkeylen. The default is 1024 bits.

And it also introduces a new public API of TLSSocket.getEphemeralKeyInfo() to show the information of an ephemeral key type, name and length of TLS connection. I think it it good for users to know them. We should prepare future vulnerabilities not only DH but also ECDH.
Unfortunately openssl provided SSL_get_server_tmp_key() on only client so that this API returns an empty object on the server.

The last one is my home work from @bnoordhuis to output warning of setDHParams to console.trace().

Here is a list of logjam fix in openssl, Firefox and Chrome. I think iojs is also better to set minimum key length like this.

R= @bnoordhuis @indutny

@shigeki shigeki changed the title from Fix logjam attack for tls client to Add a new option to limit DH key size in tls connect against logjam attack May 29, 2015

@indutny

This comment has been minimized.

Member

indutny commented May 29, 2015

Are you sure that we are actually vulnerable to the logjam attack? I always thought that we are not doing False Start, so it should not be possible to perform MiTM attack in this case.

@shigeki

This comment has been minimized.

Contributor

shigeki commented May 29, 2015

False Start is the worst case to decrypt DATA in offline.
But the paper of https://weakdh.org/imperfect-forward-secrecy.pdf says

we can keep browser connections alive by sending TLS warning alerts

According the paper, 512 bit DH key can be solved about 90 secs for the server with built-in prime such as apache. The current TLS timeout of iojs is 120 secs which is longer than that.

@indutny

This comment has been minimized.

Member

indutny commented May 29, 2015

@shigeki but this is not logjam anymore, right? I just don't want to say that we was vulnerable to it in the first place, especially if we wasn't.

@shigeki shigeki changed the title from Add a new option to limit DH key size in tls connect against logjam attack to Add a new option to limit DH key size in tls connect May 29, 2015

@shigeki

This comment has been minimized.

Contributor

shigeki commented May 29, 2015

If the wording of logjam only covers export DH cipher, that is right. I did not care about that. I've just changed this PR title to remove the word of logjam. There is no word of logjam in the commit message.

@@ -347,6 +347,11 @@ Creates a new client connection to the given `port` and `host` (old API) or
- `session`: A `Buffer` instance, containing TLS session.
- `minDHkeylen`: Minimum key length of an ephemeral DH parameter to

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

A camel case (minDHKeyLen)? Or even minDHSize

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

I take minDHSize as it is shorter and more legible.

@@ -743,6 +748,17 @@ See SSL_CIPHER_get_name() and SSL_CIPHER_get_version() in
http://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_CIPHERS for more
information.
### tlsSocket.getEphemeralKeyInfo()

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

Please add a newline between the title and the content.

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed

### tlsSocket.getEphemeralKeyInfo()
Returns an object representing a type, name and key length of an
ephemeral key exchange(PFS) in a client connection. It is only
supported on a client connection not a server. If this is called in a

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

on a server socket, though @bnoordhuis should know better how to say it.

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Changed them to the word of server/client socket.

@@ -873,7 +880,8 @@ exports.connect = function(/* [port, host], options, cb */) {
var defaults = {
rejectUnauthorized: '0' !== process.env.NODE_TLS_REJECT_UNAUTHORIZED,
ciphers: tls.DEFAULT_CIPHERS,
checkServerIdentity: tls.checkServerIdentity
checkServerIdentity: tls.checkServerIdentity,
minDHkeylen: 1024

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

Ditto.

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed it to minDHSize too.

@@ -761,7 +761,8 @@ void SecureContext::SetDHParam(const FunctionCallbackInfo<Value>& args) {
if (keylen < 1024)
return env->ThrowError("DH parameter is less than 1024 bits");
else if (keylen < 2048)

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

Please add curly braces here, we omit them only for one-liners.

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed. and changed the variable name from keylen to size

@@ -816,6 +816,49 @@ void TLSWrap::SetServername(const FunctionCallbackInfo<Value>& args) {
}
void TLSWrap::GetEphemeralKeyInfo(const FunctionCallbackInfo<Value>& args) {

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

May I kindly suggest moving this to SSLWrap class in node_crypto.cc? This way it could be exposed for both _tls_legacy.js and _tls_wrap.js.

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

moved from TLSWrap to SSLWrap.

if (wrap->is_server())
return args.GetReturnValue().Set(info);
EVP_PKEY *key;

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

EVP_PKEY* key

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed

break;
case EVP_PKEY_EC:
{
EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

EC_KEY* ec

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed.

@@ -878,6 +921,8 @@ void TLSWrap::Initialize(Handle<Object> target,
env->SetProtoMethod(t, "setServername", SetServername);
#endif // SSL_CRT_SET_TLSEXT_SERVERNAME_CB
env->SetProtoMethod(t, "getEphemeralKeyInfo", GetEphemeralKeyInfo);

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

This should be moved to node_crypto.cc too.

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed.

var client = tls.connect({
minDHkeylen: 2048,
port: common.PORT,
rejectUnauthorized: false

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

Should it be controlled by this parameter? cc @bnoordhuis

nsuccess++;
server.close();
});
if(err) {

This comment has been minimized.

@indutny

indutny May 29, 2015

Member

if (err) {

This comment has been minimized.

@shigeki

shigeki May 30, 2015

Contributor

Fixed

@indutny

This comment has been minimized.

Member

indutny commented May 29, 2015

A couple of nits, otherwise looking great! Good job, @shigeki !

@shigeki shigeki force-pushed the shigeki:fix_LogjamAttack_client branch from 484262e to dd8a2a2 May 30, 2015

@shigeki

This comment has been minimized.

Contributor

shigeki commented May 30, 2015

@bnoordhuis @indutny Thanks for reviewing. According to your comments, I updated them. PTAL.

connection. It returns an empty object when the key exchange is not
ephemeral. As it is only supported on a client socket, it returns null
if this is called on a server socket. The type of 'DH' and 'ECDH' are
supported. The name property is only available in 'ECDH'.

This comment has been minimized.

@bnoordhuis

bnoordhuis May 30, 2015

Member

Femto-nit: maybe reword this to:

The supported types are 'DH' and 'ECDH'.  The `name` property is only available with 'ECDH'.

This comment has been minimized.

@shigeki

shigeki Jun 1, 2015

Contributor

Fixed

@@ -881,6 +889,8 @@ exports.connect = function(/* [port, host], options, cb */) {
options.singleUse = true;
assert(typeof options.checkServerIdentity === 'function');
assert(typeof options.minDHSize === 'number');
assert(options.minDHSize > 0);

This comment has been minimized.

@bnoordhuis

bnoordhuis May 30, 2015

Member

Can you add assert messages? I'd update the options.checkServerIdentity assert as well while you're here.

This comment has been minimized.

@shigeki

shigeki Jun 1, 2015

Contributor

Added assert messages. I also add a new commit to add an assert message for options.checkServerIdentity as in shigeki@e4f02bd. I hope you like it.

const v8::FunctionCallbackInfo<v8::Value>& args) {
Base* w = Unwrap<Base>(args.Holder());
Environment* env = Environment::GetCurrent(args);
HandleScope handle_scope(env->isolate());

This comment has been minimized.

@bnoordhuis

bnoordhuis May 30, 2015

Member

The HandleScope isn't necessary.

This comment has been minimized.

@shigeki

shigeki Jun 1, 2015

Contributor

Let me confirm this. Isn't the HandleScope necessary because Local Object of info passed to ReturnValue and the ReturnValue takes care of the life of info? That means there are no local handles to be disposed within GetEphemeralKeyInfo.

@bnoordhuis

This comment has been minimized.

Member

bnoordhuis commented May 30, 2015

LGTM apart from a couple of nits. Can you rebase and run the CI before landing this? Thanks.

@shigeki shigeki force-pushed the shigeki:fix_LogjamAttack_client branch 3 times, most recently from 8b16dfd to e4f02bd Jun 1, 2015

@jasnell

This comment has been minimized.

Member

jasnell commented Oct 16, 2015

@shigeki

This comment has been minimized.

Contributor

shigeki commented Oct 16, 2015

Sorry for my late response. This is a security enhancement of DH as the same way of Chrome/Firefox. It is not so much threat at the usual use but https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/ says that

Breaking a second 1024-bit prime would allow passive eavesdropping on connections to nearly 20% of the top million HTTPS websites. In other words, a one-time investment in massive computation would make it possible to eavesdrop on trillions of encrypted connections.

so that I think it is worth to have this in order to protect against the nation level attack.
The current patch is revised after the last LGTM and I'm not sure that whether I can land it or not without a new review.

@indutny

This comment has been minimized.

Member

indutny commented Oct 16, 2015

This should be semver-major. It will definitely break code that was connecting to 1024-bit DH servers. Otherwise LGTM

@shigeki shigeki added semver-major and removed semver-minor labels Oct 16, 2015

@shigeki

This comment has been minimized.

Contributor

shigeki commented Oct 16, 2015

@indutny Thanks. I agree it. I've changed label. I rebase this, make tests again and land it after 5.0 start.

@Fishrock123

This comment has been minimized.

Member

Fishrock123 commented Oct 16, 2015

Note: semver-major will have to land before 5.0 or else be delayed until 6.0

@shigeki

This comment has been minimized.

Contributor

shigeki commented Oct 16, 2015

@Fishrock123 Thanks. The current master is already 5.0.0-pre so can I land this now?

@shigeki

This comment has been minimized.

Contributor

shigeki commented Oct 16, 2015

@shigeki

This comment has been minimized.

Contributor

shigeki commented Oct 16, 2015

CI show the following 7 test failures but they are not related to this PR. Otherwise are green.
@Fishrock123 @rvagg Could you give me a timing to land semver-major?

  • ubuntu1404-32
    not ok 42 test-child-process-fork-net2.js
  • vs2013,win2008r2
    not ok 11 test-child-process-fork-regr-gh-2847.js
  • vs2015,win2012r2
    not ok 223 test-http-pipeline-flood.js
  • ppcle-ubuntu1404
    not ok 904 test-debug-args.js
  • ppcbe-fedora20
    not ok 45 test-child-process-fork-regr-gh-2847.js
    not ok 712 test-tick-processor.js
    not ok 904 test-debug-args.js
@Fishrock123

This comment has been minimized.

Member

Fishrock123 commented Oct 16, 2015

@shigeki v5.0 is set to cut probably next week, and semver-major's have been landing on master. If this PR is green as usual it can land on master at any time, but it will only make it into v5 if it lands soon. :)

(This also assumes this has had enough TSC review, which I think it has.)

shigeki pushed a commit that referenced this pull request Oct 16, 2015

Shigeki Ohtsu
tls: add TLSSocket.getEphemeralKeyInfo()
Returns an object representing a type, name and size of an ephemeral
key exchange in a client connection. Currently only DHE and ECHE are
supported.

This api only works on on a client connection. When it is called on a
server connection, null is returned. When its key exchange is not
ephemeral, an empty object is returned.

PR-URL: #1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>

shigeki pushed a commit that referenced this pull request Oct 16, 2015

Shigeki Ohtsu
tls: add minDHSize option to tls.connect()
Add a new option to specifiy a minimum size of an ephemeral DH
parameter to accept a tls connection. Default is 1024 bit.

PR-URL: #1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>

shigeki pushed a commit that referenced this pull request Oct 16, 2015

Shigeki Ohtsu
tls: output warning of setDHParam to console.trace
To make it easy to figure out where the warning comes from.
Also fix style and variable name that was made in #1739.

PR-URL: #1831
Reviewed-By: indutny - Fedor Indutny <fedor.indutny@gmail.com>
Reviewed-By: bnoordhuis - Ben Noordhuis <info@bnoordhuis.nl>
@shigeki

This comment has been minimized.

Contributor

shigeki commented Oct 16, 2015

@Fishrock123 Thanks.
Landed in 6d92eba, f72e178 and 0140e1b to the current master.

@shigeki shigeki closed this Oct 16, 2015

@rvagg rvagg referenced this pull request Oct 21, 2015

Merged

Release proposal: v5.0.0 #3466

rvagg added a commit to rvagg/io.js that referenced this pull request Oct 29, 2015

2015-10-29, Version 5.0.0 (Stable)
Notable changes:

* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
  these have been deprecated for a long time (Sakthipriyan Vairamani) nodejs#2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
  accuracy added (Michaël Zasso) nodejs#3166.
* fs:
  - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
    descriptor as their first argument (Johannes Wüller) nodejs#3163.
  - (Breaking) In fs.readFile(), if an encoding is specified and the internal
    toString() fails the error is no longer thrown but is passed to the callback
    (Evan Lucas) nodejs#3485.
  - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
    callback) form), if the internal toString() fails the error is no longer
    thrown but is passed to the callback (Evan Lucas) nodejs#3503.
* http:
  - Fixed a bug where pipelined http requests would stall (Fedor Indutny) nodejs#3342.
  - (Breaking) When parsing HTTP, don't add duplicates of the following headers:
    Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
    to the following headers which already block duplicates: Content-Type,
    Content-Length, User-Agent, Referer, Host, Authorization,
    Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
    Max-Forwards (James M Snell) nodejs#3090.
  - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
    function or a TypeError is thrown (James M Snell) nodejs#3090.
  - (Breaking) HTTP methods and header names must now conform to the RFC 2616
    "token" rule, a list of allowed characters that excludes control characters
    and a number of separator characters. Specifically, methods and header names
    must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
    (James M Snell) nodejs#2526.
* node:
  - (Breaking) Deprecated the _linklist module (Rich Trott) nodejs#3078.
  - (Breaking) Removed require.paths and require.registerExtension(), both had
    been previously set to throw Error when accessed
    (Sakthipriyan Vairamani) nodejs#2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
  https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
  major version bump for npm and it has seen a significant amount of change.
  Please see the original npm v3.0.0 release notes for a list of major changes
  (Rebecca Turner) nodejs#3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
  due to the V8 upgrade. Native add-ons will need to be recompiled
  (Rod Vagg) nodejs#3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
  a long-standing known issue where unrefed timers would perviously hold
  beforeExit open (Fedor Indutny) nodejs#3407.
* tls:
  - Added ALPN Support (Shigeki Ohtsu) nodejs#2564.
  - TLS options can now be passed in an object to createSecurePair()
    (Коренберг Марк) nodejs#2441.
  - (Breaking) The default minimum DH key size for tls.connect() is now 1024
    bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
    option can be used to override the default. (Shigeki Ohtsu) nodejs#1831.
* util:
  - (Breaking) util.p() was deprecated for years, and has now been removed
    (Wyatt Preul) nodejs#3432.
  - (Breaking) util.inherits() can now work with ES6 classes. This is considered
    a breaking change because of potential subtle side-effects caused by a
    change from directly reassigning the prototype of the constructor using
    `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
    to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
    (Michaël Zasso) nodejs#3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) nodejs#3351.
  - Implements the spread operator, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
    for further information.
  - Implements new.target, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
    for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
  file) (Yuval Brik) nodejs#2595.

PR-URL: nodejs#3466

rvagg added a commit that referenced this pull request Oct 29, 2015

2015-10-29, Version 5.0.0 (Stable)
Notable changes:

* buffer: (Breaking) Removed both 'raw' and 'raws' encoding types from Buffer,
  these have been deprecated for a long time (Sakthipriyan Vairamani) #2859.
* console: (Breaking) Values reported by console.time() now have 3 decimals of
  accuracy added (Michaël Zasso) #3166.
* fs:
  - fs.readFile*(), fs.writeFile*(), and fs.appendFile*() now also accept a file
    descriptor as their first argument (Johannes Wüller) #3163.
  - (Breaking) In fs.readFile(), if an encoding is specified and the internal
    toString() fails the error is no longer thrown but is passed to the callback
    (Evan Lucas) #3485.
  - (Breaking) In fs.read() (using the fs.read(fd, length, position, encoding,
    callback) form), if the internal toString() fails the error is no longer
    thrown but is passed to the callback (Evan Lucas) #3503.
* http:
  - Fixed a bug where pipelined http requests would stall (Fedor Indutny) #3342.
  - (Breaking) When parsing HTTP, don't add duplicates of the following headers:
    Retry-After, ETag, Last-Modified, Server, Age, Expires. This is in addition
    to the following headers which already block duplicates: Content-Type,
    Content-Length, User-Agent, Referer, Host, Authorization,
    Proxy-Authorization, If-Modified-Since, If-Unmodified-Since, From, Location,
    Max-Forwards (James M Snell) #3090.
  - (Breaking) The callback argument to OutgoingMessage#setTimeout() must be a
    function or a TypeError is thrown (James M Snell) #3090.
  - (Breaking) HTTP methods and header names must now conform to the RFC 2616
    "token" rule, a list of allowed characters that excludes control characters
    and a number of separator characters. Specifically, methods and header names
    must now match /^[a-zA-Z0-9_!#$%&'*+.^`|~-]+$/ or a TypeError will be thrown
    (James M Snell) #2526.
* node:
  - (Breaking) Deprecated the _linklist module (Rich Trott) #3078.
  - (Breaking) Removed require.paths and require.registerExtension(), both had
    been previously set to throw Error when accessed
    (Sakthipriyan Vairamani) #2922.
* npm: Upgraded to version 3.3.6 from 2.14.7, see
  https://github.com/npm/npm/releases/tag/v3.3.6 for more details. This is a
  major version bump for npm and it has seen a significant amount of change.
  Please see the original npm v3.0.0 release notes for a list of major changes
  (Rebecca Turner) #3310.
* src: (Breaking) Bumped NODE_MODULE_VERSION to 47 from 46, this is necessary
  due to the V8 upgrade. Native add-ons will need to be recompiled
  (Rod Vagg) #3400.
* timers: Attempt to reuse the timer handle for setTimeout().unref(). This fixes
  a long-standing known issue where unrefed timers would perviously hold
  beforeExit open (Fedor Indutny) #3407.
* tls:
  - Added ALPN Support (Shigeki Ohtsu) #2564.
  - TLS options can now be passed in an object to createSecurePair()
    (Коренберг Марк) #2441.
  - (Breaking) The default minimum DH key size for tls.connect() is now 1024
    bits and a warning is shown when DH key size is less than 2048 bits. This a security consideration to prevent "logjam" attacks. A new minDHSize TLS
    option can be used to override the default. (Shigeki Ohtsu) #1831.
* util:
  - (Breaking) util.p() was deprecated for years, and has now been removed
    (Wyatt Preul) #3432.
  - (Breaking) util.inherits() can now work with ES6 classes. This is considered
    a breaking change because of potential subtle side-effects caused by a
    change from directly reassigning the prototype of the constructor using
    `ctor.prototype = Object.create(superCtor.prototype, { constructor: { ... } })`
    to using `Object.setPrototypeOf(ctor.prototype, superCtor.prototype)`
    (Michaël Zasso) #3455.
* v8: (Breaking) Upgraded to 4.6.85.25 from 4.5.103.35 (Ali Ijaz Sheikh) #3351.
  - Implements the spread operator, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/Spread_operator
    for further information.
  - Implements new.target, see
    https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Operators/new.target
    for further information.
* zlib: Decompression now throws on truncated input (e.g. unexpected end of
  file) (Yuval Brik) #2595.

PR-URL: #3466
@Fishrock123

This comment has been minimized.

Member

Fishrock123 commented Oct 30, 2015

Tagging also as minor since one commit is just additive.

@MylesBorins

This comment has been minimized.

Member

MylesBorins commented Nov 16, 2015

Just want to verify that f72e178 will not be landing in lts

@jasnell

This comment has been minimized.

Member

jasnell commented Nov 17, 2015

@thealphanerd ... this one is a special case, a variation on this will land in v4.x, v0.12 and v0.10 as part of a security fix that landed in master but not in the branches.

@MylesBorins

This comment has been minimized.

Member

MylesBorins commented Dec 15, 2015

@jasnell has the security fix landed yet? I could not find any of these commits in v4.x-staging

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment