Memory safe TLS in Node.js #7

@kevinburke1

Description

Node ships with its own vendored OpenSSL in deps/openssl. Still, you can try to compile in your own with the --shared-openssl, --shared-openssl-include and --shared-openssl-libpath flags. I tried compiling in mesalink in place of OpenSSL and got this error:

In file included from ../src/node.cc:45:
In file included from ../src/node_crypto.h:31:
In file included from ../src/crypto/crypto_aes.h:6:
In file included from ../src/crypto/crypto_cipher.h:6:
In file included from ../src/crypto/crypto_keys.h:6:
../src/crypto/crypto_util.h:17:10: fatal error: 'openssl/ec.h' file not found
#include <openssl/ec.h>
         ^~~~~~~~~~~~~~
1 error generated.
make[1]: *** [libnode.target.mk:467: /Users/kevin/src/github.com/nodejs/node/out/Release/obj.target/libnode/src/node.o] Error 1
rm ccd3dc533142c730cad81819404fde1dda793e8d.intermediate
make: *** [Makefile:104: node] Error 2

The interface to OpenSSL is contained entirely in src/crypto which has this nice README: https://github.com/nodejs/node/tree/master/src/crypto#nodejs-srccrypto-documentation

There is a note in there about how the Electron distribution ships with BoringSSL, so in terms of replacing OpenSSL that might be the first place to look, in terms of how they made it more portable.

This might be a good place to start in src/crypto/crypto_x509.cc, trying to replace SSL_get_certificate with a safer parser.

void X509Certificate::Verify(const FunctionCallbackInfo<Value>& args) {
  X509Certificate* cert;
  ASSIGN_OR_RETURN_UNWRAP(&cert, args.Holder());

  CHECK(args[0]->IsObject());
  KeyObjectHandle* key;
  ASSIGN_OR_RETURN_UNWRAP(&key, args[0]);
  CHECK_EQ(key->Data()->GetKeyType(), kKeyTypePublic);

  args.GetReturnValue().Set(
      X509_verify(
          cert->get(),
          key->Data()->GetAsymmetricKey().get()) > 0);
}
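The issue above asks for a "safer parser" to stand in for the OpenSSL X.509 routines. The following is an added example, not code from Node.js, mesalink or this issue: a bounds-checked DER walk over the outer Certificate structure (tbsCertificate, signatureAlgorithm, signatureValue), written in Python so that every length read is validated against the buffer before any slice is taken, which is the discipline a memory-safe replacement parser has to enforce. The sample certificate-shaped blob is constructed for the example and is not a real certificate; the parser extracts the fields a verifier like X509_verify would need but performs no signature check itself.

```python
"""Bounds-checked DER parsing of the outer X.509 Certificate structure (added example)."""
from __future__ import annotations

# Constructed sample, NOT a real certificate: just enough DER to exercise the parser.
# Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
SAMPLE_CERT_DER = bytes.fromhex(
    "301b"                              # SEQUENCE, 27 content bytes
    "3003020101"                        # tbsCertificate stand-in: SEQUENCE { INTEGER 1 }
    "300d06092a864886f70d01010b0500"    # AlgorithmIdentifier: sha256WithRSAEncryption, NULL
    "030500deadbeef"                    # BIT STRING: 0 unused bits, 4 constructed signature bytes
)


class DerError(ValueError):
    """Raised for any structural problem; nothing is ever read past len(buf)."""


def read_tlv(buf: bytes, pos: int) -> tuple[int, bytes, int]:
    """Read one tag-length-value at pos; return (tag, contents, position after it)."""
    if pos >= len(buf):
        raise DerError("truncated: no tag byte")
    tag = buf[pos]
    pos += 1
    if tag & 0x1F == 0x1F:
        raise DerError("multi-byte tags not supported")
    if pos >= len(buf):
        raise DerError("truncated: no length byte")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        length = first                              # short form
    else:
        n = first & 0x7F
        if n == 0 or n > 4:
            raise DerError("indefinite or oversized length (not DER)")
        if pos + n > len(buf):
            raise DerError("truncated: length bytes")
        length = int.from_bytes(buf[pos:pos + n], "big")
        if buf[pos] == 0 or length < 0x80:
            raise DerError("non-minimal length encoding (not DER)")
        pos += n
    end = pos + length
    if end > len(buf):                              # the check a memory-unsafe parser may skip
        raise DerError("truncated: contents exceed buffer")
    return tag, buf[pos:end], end


def decode_oid(contents: bytes) -> str:
    """Decode OBJECT IDENTIFIER contents into dotted form, e.g. '1.2.840.113549.1.1.11'."""
    if not contents or contents[-1] & 0x80:
        raise DerError("malformed OID")
    arcs, value = [], 0
    for b in contents:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    first = arcs[0]
    prefix = [0, first] if first < 40 else [1, first - 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in prefix + arcs[1:])


def parse_certificate(der: bytes) -> dict:
    """Split a Certificate into the pieces a signature verifier consumes."""
    tag, body, end = read_tlv(der, 0)
    if tag != 0x30:
        raise DerError("Certificate must be a SEQUENCE")
    if end != len(der):
        raise DerError("trailing bytes after Certificate")
    tag, _, pos = read_tlv(body, 0)
    if tag != 0x30:
        raise DerError("tbsCertificate must be a SEQUENCE")
    tbs_der = body[:pos]                            # full TLV: this is what gets hashed
    tag, alg, pos = read_tlv(body, pos)
    if tag != 0x30:
        raise DerError("signatureAlgorithm must be a SEQUENCE")
    oid_tag, oid, _ = read_tlv(alg, 0)
    if oid_tag != 0x06:
        raise DerError("AlgorithmIdentifier must start with an OID")
    tag, sig, pos = read_tlv(body, pos)
    if tag != 0x03 or not sig or sig[0] != 0:
        raise DerError("signatureValue must be a BIT STRING with 0 unused bits")
    if pos != len(body):
        raise DerError("trailing bytes inside Certificate")
    return {"tbs_der": tbs_der, "sig_alg_oid": decode_oid(oid), "signature": sig[1:]}


def rejects(der: bytes) -> bool:
    """True if the parser refuses der with a DerError instead of reading past it."""
    try:
        parse_certificate(der)
    except DerError:
        return True
    return False


if __name__ == "__main__":
    print(parse_certificate(SAMPLE_CERT_DER))
    print("truncated input rejected:", rejects(SAMPLE_CERT_DER[:-2]))
```

The three `rejects` cases worth trying are a truncated buffer, a non-minimal long-form length (`30 81 1b …`) and trailing bytes after the outer SEQUENCE; each is refused before any slice is taken, which is the property a drop-in parser behind X509Certificate::Verify would need to guarantee.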
