node/test/parallel/test-crypto-secure-heap.js

'use strict';

const common = require('../common');
if (!common.hasCrypto)
  common.skip('missing crypto');

if (common.isWindows)
  common.skip('Not supported on Windows');

if (process.config.variables.asan)
  common.skip('ASAN does not play well with secure heap allocations');

const assert = require('assert');
const { fork } = require('child_process');
const fixtures = require('../common/fixtures');
const {
  secureHeapUsed,
  createDiffieHellman,
} = require('crypto');

if (process.argv[2] === 'child') {

  const a = secureHeapUsed();

  assert(a);
  assert.strictEqual(typeof a, 'object');
  assert.strictEqual(a.total, 65536);
  assert.strictEqual(a.min, 4);
  assert.strictEqual(a.used, 0);

  {
    const dh1 = createDiffieHellman(common.hasFipsCrypto ? 1024 : 256);
    const p1 = dh1.getPrime('buffer');
    const dh2 = createDiffieHellman(p1, 'buffer');
    const key1 = dh1.generateKeys();
    const key2 = dh2.generateKeys('hex');
    dh1.computeSecret(key2, 'hex', 'base64');
    dh2.computeSecret(key1, 'latin1', 'buffer');

    const b = secureHeapUsed();
    assert(b);
    assert.strictEqual(typeof b, 'object');
    assert.strictEqual(b.total, 65536);
    assert.strictEqual(b.min, 4);
    // The amount used can vary on a number of factors
    assert(b.used > 0);
    assert(b.utilization > 0.0);
  }

  return;
}

const child = fork(
  process.argv[1],
  ['child'],
  { execArgv: ['--secure-heap=65536', '--secure-heap-min=4'] });

child.on('exit', common.mustCall((code) => {
  assert.strictEqual(code, 0);
}));

{
  const child = fork(fixtures.path('a.js'), {
    execArgv: ['--secure-heap=3', '--secure-heap-min=3'],
    stdio: 'pipe'
  });
  let res = '';
  child.on('exit', common.mustCall((code) => {
    assert.notStrictEqual(code, 0);
    assert.match(res, /--secure-heap must be a power of 2/);
    assert.match(res, /--secure-heap-min must be a power of 2/);
  }));
  child.stderr.setEncoding('utf8');
  child.stderr.on('data', (chunk) => res += chunk);
}
crypto: implement basic secure heap support Adds two new command line arguments: * `--secure-heap=n`, which causes node.js to initialize an openssl secure heap of `n` bytes on openssl initialization. * `--secure-heap-min=n`, which specifies the minimum allocation from the secure heap. * A new method `crypto.secureHeapUsed()` that returns details about the total and used secure heap allocation. The secure heap is an openssl feature that allows certain kinds of potentially sensitive information (such as private key BigNums) to be allocated from a dedicated memory area that is protected against pointer over- and underruns. The secure heap is a fixed size, so it's important that users pick a large enough size to cover the crypto operations they intend to utilize. The secure heap is disabled by default. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36779 Refs: https://github.com/nodejs/node/pull/36729 Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2021-01-04 17:06:26 +00:00			`'use strict';`

			`const common = require('../common');`
			`if (!common.hasCrypto)`
			`common.skip('missing crypto');`

			`if (common.isWindows)`
			`common.skip('Not supported on Windows');`

test: disable test-crypto-secure-heap with asan The asan checks don't play well currently with persistent secure heap allocations. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36900 Refs: https://github.com/nodejs/node/pull/36881 Reviewed-By: Danielle Adams <adamzdanielle@gmail.com> Reviewed-By: Richard Lau <rlau@redhat.com> Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: Filip Skokan <panva.ip@gmail.com> 2021-01-12 19:29:13 +00:00			`if (process.config.variables.asan)`
			`common.skip('ASAN does not play well with secure heap allocations');`

crypto: implement basic secure heap support Adds two new command line arguments: * `--secure-heap=n`, which causes node.js to initialize an openssl secure heap of `n` bytes on openssl initialization. * `--secure-heap-min=n`, which specifies the minimum allocation from the secure heap. * A new method `crypto.secureHeapUsed()` that returns details about the total and used secure heap allocation. The secure heap is an openssl feature that allows certain kinds of potentially sensitive information (such as private key BigNums) to be allocated from a dedicated memory area that is protected against pointer over- and underruns. The secure heap is a fixed size, so it's important that users pick a large enough size to cover the crypto operations they intend to utilize. The secure heap is disabled by default. Signed-off-by: James M Snell <jasnell@gmail.com> PR-URL: https://github.com/nodejs/node/pull/36779 Refs: https://github.com/nodejs/node/pull/36729 Reviewed-By: Tobias Nießen <tniessen@tnie.de> 2021-01-04 17:06:26 +00:00			`const assert = require('assert');`
			`const { fork } = require('child_process');`
			`const fixtures = require('../common/fixtures');`
			`const {`
			`secureHeapUsed,`
			`createDiffieHellman,`
			`} = require('crypto');`

			`if (process.argv[2] === 'child') {`

			`const a = secureHeapUsed();`

			`assert(a);`
			`assert.strictEqual(typeof a, 'object');`
			`assert.strictEqual(a.total, 65536);`
			`assert.strictEqual(a.min, 4);`
			`assert.strictEqual(a.used, 0);`

			`{`
			`const dh1 = createDiffieHellman(common.hasFipsCrypto ? 1024 : 256);`
			`const p1 = dh1.getPrime('buffer');`
			`const dh2 = createDiffieHellman(p1, 'buffer');`
			`const key1 = dh1.generateKeys();`
			`const key2 = dh2.generateKeys('hex');`
			`dh1.computeSecret(key2, 'hex', 'base64');`
			`dh2.computeSecret(key1, 'latin1', 'buffer');`

			`const b = secureHeapUsed();`
			`assert(b);`
			`assert.strictEqual(typeof b, 'object');`
			`assert.strictEqual(b.total, 65536);`
			`assert.strictEqual(b.min, 4);`
			`// The amount used can vary on a number of factors`
			`assert(b.used > 0);`
			`assert(b.utilization > 0.0);`
			`}`

			`return;`
			`}`

			`const child = fork(`
			`process.argv[1],`
			`['child'],`
			`{ execArgv: ['--secure-heap=65536', '--secure-heap-min=4'] });`

			`child.on('exit', common.mustCall((code) => {`
			`assert.strictEqual(code, 0);`
			`}));`

			`{`
			`const child = fork(fixtures.path('a.js'), {`
			`execArgv: ['--secure-heap=3', '--secure-heap-min=3'],`
			`stdio: 'pipe'`
			`});`
			`let res = '';`
			`child.on('exit', common.mustCall((code) => {`
			`assert.notStrictEqual(code, 0);`
			`assert.match(res, /--secure-heap must be a power of 2/);`
			`assert.match(res, /--secure-heap-min must be a power of 2/);`
			`}));`
			`child.stderr.setEncoding('utf8');`
			`child.stderr.on('data', (chunk) => res += chunk);`
			`}`