crypto: add OP flag constants added in OpenSSL v1.1.1

mkrawczuk · addaleax · commit a7b4318df92d · 2020-08-08T22:10:24.000+02:00
PR-URL: #33929 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Alba Mendez <me@alba.sh> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
diff --git a/doc/api/crypto.md b/doc/api/crypto.md
@@ -3184,6 +3184,11 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <a href="https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html">https://www.openssl.org/docs/man1.0.2/ssl/SSL_CTX_set_options.html</a>
     for detail.</td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_ALLOW_NO_DHE_KEX</code></td>
+    <td>Instructs OpenSSL to allow a non-[EC]DHE-based key exchange mode
+    for TLS v1.3</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION</code></td>
     <td>Allows legacy insecure renegotiation between OpenSSL and unpatched
@@ -3256,10 +3261,18 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <td><code>SSL_OP_NO_COMPRESSION</code></td>
     <td>Instructs OpenSSL to disable support for SSL/TLS compression.</td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_NO_ENCRYPT_THEN_MAC</code></td>
+    <td>Instructs OpenSSL to disable encrypt-then-MAC.</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_NO_QUERY_MTU</code></td>
     <td></td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_NO_RENEGOTIATION</code></td>
+    <td>Instructs OpenSSL to disable renegotiation.</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION</code></td>
     <td>Instructs OpenSSL to always start a new session when performing
@@ -3288,6 +3301,10 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
   <tr>
     <td><code>SSL_OP_NO_TLSv1_2</code></td>
     <td>Instructs OpenSSL to turn off TLS v1.2</td>
+  </tr>
+  <tr>
+    <td><code>SSL_OP_NO_TLSv1_3</code></td>
+    <td>Instructs OpenSSL to turn off TLS v1.3</td>
   </tr>
     <td><code>SSL_OP_PKCS1_CHECK_1</code></td>
     <td></td>
@@ -3296,6 +3313,14 @@ the `crypto`, `tls`, and `https` modules and are generally specific to OpenSSL.
     <td><code>SSL_OP_PKCS1_CHECK_2</code></td>
     <td></td>
   </tr>
+  <tr>
+    <td><code>SSL_OP_PRIORITIZE_CHACHA</code></td>
+    <td>Instructs OpenSSL server to prioritize ChaCha20Poly1305
+    when client does.
+    This option has no effect if
+    <code>SSL_OP_CIPHER_SERVER_PREFERENCE</code>
+    is not enabled.</td>
+  </tr>
   <tr>
     <td><code>SSL_OP_SINGLE_DH_USE</code></td>
     <td>Instructs OpenSSL to always create a new key when using
diff --git a/src/node_constants.cc b/src/node_constants.cc
@@ -806,6 +806,10 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_ALL);
 #endif
 
+#ifdef SSL_OP_ALLOW_NO_DHE_KEX
+    NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_NO_DHE_KEX);
+#endif
+
 #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
     NODE_DEFINE_CONSTANT(target, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
 #endif
@@ -870,10 +874,18 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_COMPRESSION);
 #endif
 
+#ifdef SSL_OP_NO_ENCRYPT_THEN_MAC
+    NODE_DEFINE_CONSTANT(target, SSL_OP_NO_ENCRYPT_THEN_MAC);
+#endif
+
 #ifdef SSL_OP_NO_QUERY_MTU
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_QUERY_MTU);
 #endif
 
+#ifdef SSL_OP_NO_RENEGOTIATION
+    NODE_DEFINE_CONSTANT(target, SSL_OP_NO_RENEGOTIATION);
+#endif
+
 #ifdef SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
 #endif
@@ -902,6 +914,10 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_2);
 #endif
 
+#ifdef SSL_OP_NO_TLSv1_3
+    NODE_DEFINE_CONSTANT(target, SSL_OP_NO_TLSv1_3);
+#endif
+
 #ifdef SSL_OP_PKCS1_CHECK_1
     NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_1);
 #endif
@@ -910,6 +926,10 @@ void DefineCryptoConstants(Local<Object> target) {
     NODE_DEFINE_CONSTANT(target, SSL_OP_PKCS1_CHECK_2);
 #endif
 
+#ifdef SSL_OP_PRIORITIZE_CHACHA
+    NODE_DEFINE_CONSTANT(target, SSL_OP_PRIORITIZE_CHACHA);
+#endif
+
 #ifdef SSL_OP_SINGLE_DH_USE
     NODE_DEFINE_CONSTANT(target, SSL_OP_SINGLE_DH_USE);
 #endif
