From cb4ed3c78fd6c795c29ff67df19d358a90c777cc Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Thu, 18 Sep 2014 02:21:32 +0400 Subject: [PATCH] crypto: never store pointer to conn in SSL_CTX SSL_CTX is shared between multiple connections and is not a right place to store per-connection data. fix #8348 Reviewed-By: Trevor Norris --- src/node_crypto.cc | 36 +++++++++++++++--------------------- src/node_crypto.h | 2 +- src/tls_wrap.cc | 4 ++-- 3 files changed, 18 insertions(+), 24 deletions(-) diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 7f546ed6718..5d8a9f5de0e 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -120,8 +120,7 @@ X509_STORE* root_cert_store; template class SSLWrap; template void SSLWrap::AddMethods(Environment* env, Handle t); -template void SSLWrap::InitNPN(SecureContext* sc, - TLSCallbacks* base); +template void SSLWrap::InitNPN(SecureContext* sc); template SSL_SESSION* SSLWrap::GetSessionCallback( SSL* s, unsigned char* key, @@ -1013,26 +1012,21 @@ void SSLWrap::AddMethods(Environment* env, Handle t) { template -void SSLWrap::InitNPN(SecureContext* sc, Base* base) { - if (base->is_server()) { +void SSLWrap::InitNPN(SecureContext* sc) { #ifdef OPENSSL_NPN_NEGOTIATED - // Server should advertise NPN protocols - SSL_CTX_set_next_protos_advertised_cb(sc->ctx_, - AdvertiseNextProtoCallback, - base); + // Server should advertise NPN protocols + SSL_CTX_set_next_protos_advertised_cb(sc->ctx_, + AdvertiseNextProtoCallback, + NULL); + // Client should select protocol from list of advertised + // If server supports NPN + SSL_CTX_set_next_proto_select_cb(sc->ctx_, SelectNextProtoCallback, NULL); #endif // OPENSSL_NPN_NEGOTIATED - } else { -#ifdef OPENSSL_NPN_NEGOTIATED - // Client should select protocol from list of advertised - // If server supports NPN - SSL_CTX_set_next_proto_select_cb(sc->ctx_, SelectNextProtoCallback, base); -#endif // OPENSSL_NPN_NEGOTIATED - } #ifdef NODE__HAVE_TLSEXT_STATUS_CB // OCSP stapling SSL_CTX_set_tlsext_status_cb(sc->ctx_, TLSExtStatusCallback); - SSL_CTX_set_tlsext_status_arg(sc->ctx_, base); + SSL_CTX_set_tlsext_status_arg(sc->ctx_, NULL); #endif // NODE__HAVE_TLSEXT_STATUS_CB } @@ -1688,7 +1682,7 @@ int SSLWrap::AdvertiseNextProtoCallback(SSL* s, const unsigned char** data, unsigned int* len, void* arg) { - Base* w = static_cast(arg); + Base* w = static_cast(SSL_get_app_data(s)); Environment* env = w->env(); HandleScope handle_scope(env->isolate()); Context::Scope context_scope(env->context()); @@ -1714,7 +1708,7 @@ int SSLWrap::SelectNextProtoCallback(SSL* s, const unsigned char* in, unsigned int inlen, void* arg) { - Base* w = static_cast(arg); + Base* w = static_cast(SSL_get_app_data(s)); Environment* env = w->env(); HandleScope handle_scope(env->isolate()); Context::Scope context_scope(env->context()); @@ -1806,7 +1800,7 @@ void SSLWrap::SetNPNProtocols(const FunctionCallbackInfo& args) { #ifdef NODE__HAVE_TLSEXT_STATUS_CB template int SSLWrap::TLSExtStatusCallback(SSL* s, void* arg) { - Base* w = static_cast(arg); + Base* w = static_cast(SSL_get_app_data(s)); Environment* env = w->env(); HandleScope handle_scope(env->isolate()); @@ -2122,7 +2116,7 @@ int Connection::SelectSNIContextCallback_(SSL *s, int *ad, void* arg) { if (secure_context_constructor_template->HasInstance(ret)) { conn->sniContext_.Reset(env->isolate(), ret); SecureContext* sc = Unwrap(ret.As()); - InitNPN(sc, conn); + InitNPN(sc); SSL_set_SSL_CTX(s, sc->ctx_); } else { return SSL_TLSEXT_ERR_NOACK; @@ -2158,7 +2152,7 @@ void Connection::New(const FunctionCallbackInfo& args) { if (is_server) SSL_set_info_callback(conn->ssl_, SSLInfoCallback); - InitNPN(sc, conn); + InitNPN(sc); #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB if (is_server) { diff --git a/src/node_crypto.h b/src/node_crypto.h index c88f3945e64..3c46e0c11e2 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -188,7 +188,7 @@ class SSLWrap { inline bool is_waiting_new_session() const { return new_session_wait_; } protected: - static void InitNPN(SecureContext* sc, Base* base); + static void InitNPN(SecureContext* sc); static void AddMethods(Environment* env, v8::Handle t); static SSL_SESSION* GetSessionCallback(SSL* s, diff --git a/src/tls_wrap.cc b/src/tls_wrap.cc index d74954f7eef..8e70b88d31e 100644 --- a/src/tls_wrap.cc +++ b/src/tls_wrap.cc @@ -186,7 +186,7 @@ void TLSCallbacks::InitSSL() { } #endif // SSL_CTRL_SET_TLSEXT_SERVERNAME_CB - InitNPN(sc_, this); + InitNPN(sc_); if (is_server()) { SSL_set_accept_state(ssl_); @@ -800,7 +800,7 @@ int TLSCallbacks::SelectSNIContextCallback(SSL* s, int* ad, void* arg) { p->sni_context_.Reset(env->isolate(), ctx); SecureContext* sc = Unwrap(ctx.As()); - InitNPN(sc, p); + InitNPN(sc); SSL_set_SSL_CTX(s, sc->ctx_); return SSL_TLSEXT_ERR_OK; }