author | Fedor Indutny <fedor@indutny.com> | 2015-04-18 10:19:23 +0200 |
---|---|---|
committer | Fedor Indutny <fedor@indutny.com> | 2015-05-01 16:56:55 +0200 |
commit | 550c2638c0885f9cbb1022f8f5234015e21836fe (patch) | |
tree | 5bc382b6cef0b84dc1851f719a33b7eb975339b6 /src/node_crypto.h | |
parent | 30b7349176da785cd7294fec8c31cfb9c5f791e8 (diff) | |
tls: use `SSL_set_cert_cb` for async SNI/OCSP
Do not enable ClientHello parser for async SNI/OCSP. Use new
OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and
load the cert/OCSP response asynchronously. Hopefully this will make
the whole async SNI/OCSP process much faster and will eventually let us
remove the ClientHello parser itself (which is currently used only for
async session, see #1462 for the discussion of removing it).
NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use
`SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this
feature.
Fix: https://github.com/iojs/io.js/issues/1423
PR-URL: https://github.com/iojs/io.js/pull/1464
Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
Diffstat (limited to 'src/node_crypto.h')
-rw-r--r-- | src/node_crypto.h | 26 |
1 files changed, 23 insertions, 3 deletions
diff --git a/src/node_crypto.h b/src/node_crypto.h index f6069f8841..179543bd50 100644 --- a/src/node_crypto.h +++ b/src/node_crypto.h @@ -143,7 +143,10 @@ class SSLWrap { kind_(kind), next_sess_(nullptr), session_callbacks_(false), - new_session_wait_(false) { + new_session_wait_(false), + cert_cb_(nullptr), + cert_cb_arg_(nullptr), + cert_cb_running_(false) { ssl_ = SSL_new(sc->ctx_); env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize); CHECK_NE(ssl_, nullptr); @@ -160,6 +163,9 @@ class SSLWrap { npn_protos_.Reset(); selected_npn_proto_.Reset(); #endif +#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + sni_context_.Reset(); +#endif #ifdef NODE__HAVE_TLSEXT_STATUS_CB ocsp_response_.Reset(); #endif // NODE__HAVE_TLSEXT_STATUS_CB @@ -170,8 +176,11 @@ class SSLWrap { inline bool is_server() const { return kind_ == kServer; } inline bool is_client() const { return kind_ == kClient; } inline bool is_waiting_new_session() const { return new_session_wait_; } + inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; } protected: + typedef void (*CertCb)(void* arg); + // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and // some for buffers. // NOTE: Actually it is much more than this @@ -199,6 +208,7 @@ class SSLWrap { static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args); static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args); static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args); + static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args); static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args); static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args); static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args); 
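Review bot: The teardown code in the second hunk only Resets the new `sni_context_` persistent; nothing checks or clears `cert_cb_` / `cert_cb_arg_`, so if an SSLWrap can be destroyed while `is_waiting_cert_cb()` is true, the raw `arg` pointer stored for the pending `CertCb` outlives the object that was going to consume it. Whether that window exists depends on node_crypto.cc, which is not in this diff, so this is a question rather than a confirmed defect; either a `CHECK_EQ(cert_cb_, nullptr);` here or a comment stating why a callback cannot be pending at destruction would settle it. The enclosing function (apparently the SSLWrap destructor, judging by the Reset calls) starts before this hunk.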
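Review bot: `typedef void (*CertCb)(void* arg);` in the third hunk is declared without any statement of who owns `arg` or when the callback fires, and the new accessor `is_waiting_cert_cb()` tests only `cert_cb_ != nullptr` while the separately added `cert_cb_running_` flag is not reflected anywhere in the public interface, so the two-flag state is not readable from the header. A comment above the typedef along the lines of `// Continuation run when the JS side calls CertCbDone(); arg is borrowed, not owned, and must remain valid until then` — adjusted to the actual contract in node_crypto.cc, which this diff does not show — would make the lifetime rules explicit. Since the file already uses `nullptr` and `override`, the C++11 spelling `using CertCb = void (*)(void* arg);` would be the idiomatic form.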
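Review bot: `static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);` in the fourth hunk is a JS-reachable entry point that resumes a paused handshake, so its implementation must refuse to proceed unless a callback is actually pending — e.g. `if (!w->is_waiting_cert_cb()) return;` (or a `CHECK`) before touching `cert_cb_` — and should null out `cert_cb_` / `cert_cb_arg_` before calling through them, so a second call from script cannot resume the handshake twice or dereference a stale `arg`. The definition lives in node_crypto.cc and is not part of this diff, so this is a check to confirm there rather than a defect visible in the header.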
@@ -227,10 +237,12 @@ class SSLWrap { void* arg); #endif // OPENSSL_NPN_NEGOTIATED static int TLSExtStatusCallback(SSL* s, void* arg); + static int SSLCertCallback(SSL* s, void* arg); static void SSLGetter(v8::Local<v8::String> property, const v8::PropertyCallbackInfo<v8::Value>& info); void DestroySSL(); + void WaitForCertCb(CertCb cb, void* arg); inline Environment* ssl_env() const { return env_; @@ -242,6 +254,12 @@ class SSLWrap { SSL* ssl_; bool session_callbacks_; bool new_session_wait_; + + // SSL_set_cert_cb + CertCb cert_cb_; + void* cert_cb_arg_; + bool cert_cb_running_; + ClientHelloParser hello_parser_; #ifdef NODE__HAVE_TLSEXT_STATUS_CB @@ -253,6 +271,10 @@ class SSLWrap { v8::Persistent<v8::Value> selected_npn_proto_; #endif // OPENSSL_NPN_NEGOTIATED +#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB + v8::Persistent<v8::Value> sni_context_; +#endif + friend class SecureContext; }; @@ -264,7 +286,6 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap { ~Connection() override { #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB sniObject_.Reset(); - sniContext_.Reset(); servername_.Reset(); #endif } @@ -279,7 +300,6 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap { #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB v8::Persistent<v8::Object> sniObject_; - v8::Persistent<v8::Value> sniContext_; v8::Persistent<v8::String> servername_; #endif |
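Review bot: `void WaitForCertCb(CertCb cb, void* arg);` in the first hunk of this line stores a raw callback and context pointer; if it is invoked while `cert_cb_` is already non-null, the earlier pending callback and its `arg` are silently overwritten and whoever supplied them never gets called. A precondition in the definition, `CHECK_EQ(cert_cb_, nullptr);`, together with a header comment stating that at most one cert callback may be outstanding per SSLWrap, would pin this down; the definition is not in this diff, so whether it already guards against this cannot be seen here.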
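Review bot: The new members in the second hunk carry only the one-line comment `// SSL_set_cert_cb`, which names the OpenSSL API but not what each field means; `cert_cb_running_` in particular has no reader anywhere in this header (`is_waiting_cert_cb()` tests `cert_cb_`), so its role is opaque to a reader of node_crypto.h. Per-field comments would help: `// Continuation to run once the async cert/OCSP lookup finishes; nullptr when none pending` on `cert_cb_`, `// Opaque context handed back to cert_cb_; not owned` on `cert_cb_arg_`, and on `cert_cb_running_` something like `// Set while the SSL_set_cert_cb callback is in progress — TODO confirm exact meaning against node_crypto.cc`, since the header alone does not establish what that flag tracks.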