crypto: disable ssl compression at build time

SSL compression was first disabled at runtime in March 2011 in commit
e83c695 ("Disable compression with OpenSSL.") for performance reasons
and was later shown to be vulnerable to information leakage (CRIME.)
Let's stop compiling it in altogether.

This commit removes a broken CHECK from src/node_crypto.cc; broken
because sk_SSL_COMP_num() returns -1 for a NULL stack, not 0.  As a
result, node.js would abort when linked to an OPENSSL_NO_COMP build
of openssl.

PR-URL: #6582
Reviewed-By: Anna Henningsen <[email protected]>
Reviewed-By: Fedor Indutny <[email protected]>
Reviewed-By: James M Snell <[email protected]>

Author: bnoordhuis

deps/openssl/openssl.gypi

@@ -214,10 +214,6 @@
       'openssl/crypto/cms/cms_pwri.c',
       'openssl/crypto/cms/cms_sd.c',
       'openssl/crypto/cms/cms_smime.c',
-      'openssl/crypto/comp/c_rle.c',
-      'openssl/crypto/comp/c_zlib.c',
-      'openssl/crypto/comp/comp_err.c',
-      'openssl/crypto/comp/comp_lib.c',
       'openssl/crypto/conf/conf_api.c',
       'openssl/crypto/conf/conf_def.c',
       'openssl/crypto/conf/conf_err.c',
@@ -1252,6 +1248,9 @@
       'PURIFY',
       '_REENTRANT',
 
+      # Compression is not used and considered insecure (CRIME.)
+      'OPENSSL_NO_COMP',
+
       # SSLv3 is susceptible to downgrade attacks (POODLE.)
       'OPENSSL_NO_SSL3',
 

src/node_crypto.cc

@@ -5721,15 +5721,8 @@ void InitCryptoOnce() {
 
 
   // Turn off compression. Saves memory and protects against CRIME attacks.
-#if !defined(OPENSSL_NO_COMP)
-#if OPENSSL_VERSION_NUMBER < 0x00908000L
-  STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_method();
-#else
-  STACK_OF(SSL_COMP)* comp_methods = SSL_COMP_get_compression_methods();
-#endif
-  sk_SSL_COMP_zero(comp_methods);
-  CHECK_EQ(sk_SSL_COMP_num(comp_methods), 0);
-#endif
+  // No-op with OPENSSL_NO_COMP builds of OpenSSL.
+  sk_SSL_COMP_zero(SSL_COMP_get_compression_methods());
 
 #ifndef OPENSSL_NO_ENGINE
   ERR_load_ENGINE_strings();