node/test/parallel/test-crypto-secure-heap.js

'use strict';

const common = require('../common');
if (!common.hasCrypto)
  common.skip('missing crypto');

if (common.isWindows)
  common.skip('Not supported on Windows');

if (common.isASan)
  common.skip('ASan does not play well with secure heap allocations');

const assert = require('assert');
const { fork } = require('child_process');
const fixtures = require('../common/fixtures');
const {
  secureHeapUsed,
  createDiffieHellman,
} = require('crypto');

if (process.argv[2] === 'child') {

  const a = secureHeapUsed();

  assert(a);
  assert.strictEqual(typeof a, 'object');
  assert.strictEqual(a.total, 65536);
  assert.strictEqual(a.min, 4);
  assert.strictEqual(a.used, 0);

  {
    const size = common.hasFipsCrypto || common.hasOpenSSL3 ? 1024 : 256;
    const dh1 = createDiffieHellman(size);
    const p1 = dh1.getPrime('buffer');
    const dh2 = createDiffieHellman(p1, 'buffer');
    const key1 = dh1.generateKeys();
    const key2 = dh2.generateKeys('hex');
    dh1.computeSecret(key2, 'hex', 'base64');
    dh2.computeSecret(key1, 'latin1', 'buffer');

    const b = secureHeapUsed();
    assert(b);
    assert.strictEqual(typeof b, 'object');
    assert.strictEqual(b.total, 65536);
    assert.strictEqual(b.min, 4);
    // The amount used can vary on a number of factors
    assert(b.used > 0);
    assert(b.utilization > 0.0);
  }

  return;
}

const child = fork(
  process.argv[1],
  ['child'],
  { execArgv: ['--secure-heap=65536', '--secure-heap-min=4'] });

child.on('exit', common.mustCall((code) => {
  assert.strictEqual(code, 0);
}));

{
  const child = fork(fixtures.path('a.js'), {
    execArgv: ['--secure-heap=3', '--secure-heap-min=3'],
    stdio: 'pipe'
  });
  let res = '';
  child.on('exit', common.mustCall((code) => {
    assert.notStrictEqual(code, 0);
    assert.match(res, /--secure-heap must be a power of 2/);
    assert.match(res, /--secure-heap-min must be a power of 2/);
  }));
  child.stderr.setEncoding('utf8');
  child.stderr.on('data', (chunk) => res += chunk);
}
crypto: implement basic secure heap support Adds two new command line arguments: * `--secure-heap=n`, which causes node.js to initialize an openssl secure heap of `n` bytes on openssl initialization. * `--secure-heap-min=n`, which specifies the minimum allocation from the secure heap. * A new method `crypto.secureHeapUsed()` that returns details about the total and used secure heap allocation. The secure heap is an openssl feature that allows certain kinds of potentially sensitive information (such as private key BigNums) to be allocated from a dedicated memory area that is protected against pointer over- and underruns. The secure heap is a fixed size, so it's important that users pick a large enough size to cover the crypto operations they intend to utilize. The secure heap is disabled by default. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36779 Refs: https://github.com/nodejs/node/pull/36729 Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2021-01-04 17:06:26 +00:00			`'use strict';`

			`const common = require('../common');`
			`if (!common.hasCrypto)`
			`common.skip('missing crypto');`

			`if (common.isWindows)`
			`common.skip('Not supported on Windows');`

test: simplify ASan build checks Always use `process.config.variables.asan`. This removes the need for a special ASAN env var. PR-URL: https://github.com/nodejs/node/pull/52430 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> Reviewed-By: Mohammed Keyvanzadeh <mohammadkeyvanzade94@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Yagiz Nizipli <yagiz.nizipli@sentry.io> 2024-04-11 07:29:27 +00:00			`if (common.isASan)`
			`common.skip('ASan does not play well with secure heap allocations');`
test: disable test-crypto-secure-heap with asan The asan checks don't play well currently with persistent secure heap allocations. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36900 Refs: https://github.com/nodejs/node/pull/36881 Reviewed-By: Danielle Adams <adamzdanielle@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> 2021-01-12 19:29:13 +00:00
crypto: implement basic secure heap support Adds two new command line arguments: * `--secure-heap=n`, which causes node.js to initialize an openssl secure heap of `n` bytes on openssl initialization. * `--secure-heap-min=n`, which specifies the minimum allocation from the secure heap. * A new method `crypto.secureHeapUsed()` that returns details about the total and used secure heap allocation. The secure heap is an openssl feature that allows certain kinds of potentially sensitive information (such as private key BigNums) to be allocated from a dedicated memory area that is protected against pointer over- and underruns. The secure heap is a fixed size, so it's important that users pick a large enough size to cover the crypto operations they intend to utilize. The secure heap is disabled by default. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36779 Refs: https://github.com/nodejs/node/pull/36729 Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2021-01-04 17:06:26 +00:00			`const assert = require('assert');`
			`const { fork } = require('child_process');`
			`const fixtures = require('../common/fixtures');`
			`const {`
			`secureHeapUsed,`
			`createDiffieHellman,`
			`} = require('crypto');`

			`if (process.argv[2] === 'child') {`

			`const a = secureHeapUsed();`

			`assert(a);`
			`assert.strictEqual(typeof a, 'object');`
			`assert.strictEqual(a.total, 65536);`
			`assert.strictEqual(a.min, 4);`
			`assert.strictEqual(a.used, 0);`

			`{`
src,test: support dynamically linking OpenSSL 3.0 This commit enables node to dynamically link against OpenSSL 3.0. The motivation for opening this PR even though OpenSSL 3.0 has not been released yet is to allow a nightly CI job to be created. This will allow us stay on top of changes required for OpenSSL 3.0, and also to make sure that changes to node crypto do not cause issues when linking to OpenSSL 3.0. PR-URL: https://github.com/nodejs/node/pull/37669 Refs: https://github.com/nodejs/node/issues/29817 Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Michael Dawson <midawson@redhat.com> 2020-10-26 06:23:55 +00:00			`const size = common.hasFipsCrypto \|\| common.hasOpenSSL3 ? 1024 : 256;`
			`const dh1 = createDiffieHellman(size);`
crypto: implement basic secure heap support Adds two new command line arguments: * `--secure-heap=n`, which causes node.js to initialize an openssl secure heap of `n` bytes on openssl initialization. * `--secure-heap-min=n`, which specifies the minimum allocation from the secure heap. * A new method `crypto.secureHeapUsed()` that returns details about the total and used secure heap allocation. The secure heap is an openssl feature that allows certain kinds of potentially sensitive information (such as private key BigNums) to be allocated from a dedicated memory area that is protected against pointer over- and underruns. The secure heap is a fixed size, so it's important that users pick a large enough size to cover the crypto operations they intend to utilize. The secure heap is disabled by default. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36779 Refs: https://github.com/nodejs/node/pull/36729 Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2021-01-04 17:06:26 +00:00			`const p1 = dh1.getPrime('buffer');`
			`const dh2 = createDiffieHellman(p1, 'buffer');`
			`const key1 = dh1.generateKeys();`
			`const key2 = dh2.generateKeys('hex');`
			`dh1.computeSecret(key2, 'hex', 'base64');`
			`dh2.computeSecret(key1, 'latin1', 'buffer');`

			`const b = secureHeapUsed();`
			`assert(b);`
			`assert.strictEqual(typeof b, 'object');`
			`assert.strictEqual(b.total, 65536);`
			`assert.strictEqual(b.min, 4);`
			`// The amount used can vary on a number of factors`
			`assert(b.used > 0);`
			`assert(b.utilization > 0.0);`
			`}`

			`return;`
			`}`

			`const child = fork(`
			`process.argv[1],`
			`['child'],`
			`{ execArgv: ['--secure-heap=65536', '--secure-heap-min=4'] });`

			`child.on('exit', common.mustCall((code) => {`
			`assert.strictEqual(code, 0);`
			`}));`

			`{`
			`const child = fork(fixtures.path('a.js'), {`
			`execArgv: ['--secure-heap=3', '--secure-heap-min=3'],`
			`stdio: 'pipe'`
			`});`
			`let res = '';`
			`child.on('exit', common.mustCall((code) => {`
			`assert.notStrictEqual(code, 0);`
			`assert.match(res, /--secure-heap must be a power of 2/);`
			`assert.match(res, /--secure-heap-min must be a power of 2/);`
			`}));`
			`child.stderr.setEncoding('utf8');`
			`child.stderr.on('data', (chunk) => res += chunk);`
			`}`