tls: use `SSL_set_cert_cb` for async SNI/OCSP

Do not enable ClientHello parser for async SNI/OCSP. Use new OpenSSL-1.0.2's API `SSL_set_cert_cb` to pause the handshake process and load the cert/OCSP response asynchronously. Hopefuly this will make whole async SNI/OCSP process much faster and will eventually let us remove the ClientHello parser itself (which is currently used only for async session, see #1462 for the discussion of removing it). NOTE: Ported our code to `SSL_CTX_add1_chain_cert` to use `SSL_CTX_get0_chain_certs` in `CertCbDone`. Test provided for this feature. Fix: https://github.com/iojs/io.js/issues/1423 PR-URL: https://github.com/iojs/io.js/pull/1464 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
author: Fedor Indutny <fedor@indutny.com> 2015-04-18 10:19:23 +0200
committer: Fedor Indutny <fedor@indutny.com> 2015-05-01 16:56:55 +0200
commit: 550c2638c0885f9cbb1022f8f5234015e21836fe (patch)
tree: 5bc382b6cef0b84dc1851f719a33b7eb975339b6 /src/node_crypto.h
parent: 30b7349176da785cd7294fec8c31cfb9c5f791e8 (diff)
download: android-node-v8-550c2638c0885f9cbb1022f8f5234015e21836fe.tar.gz
android-node-v8-550c2638c0885f9cbb1022f8f5234015e21836fe.tar.bz2
android-node-v8-550c2638c0885f9cbb1022f8f5234015e21836fe.zip
1 files changed, 23 insertions, 3 deletions
diff --git a/src/node_crypto.h b/src/node_crypto.h
index f6069f8841..179543bd50 100644
--- a/src/node_crypto.h
+++ b/src/node_crypto.h
@@ -143,7 +143,10 @@ class SSLWrap {
         kind_(kind),
         next_sess_(nullptr),
         session_callbacks_(false),
-        new_session_wait_(false) {
+        new_session_wait_(false),
+        cert_cb_(nullptr),
+        cert_cb_arg_(nullptr),
+        cert_cb_running_(false) {
     ssl_ = SSL_new(sc->ctx_);
     env_->isolate()->AdjustAmountOfExternalAllocatedMemory(kExternalSize);
     CHECK_NE(ssl_, nullptr);
@@ -160,6 +163,9 @@ class SSLWrap {
     npn_protos_.Reset();
     selected_npn_proto_.Reset();
 #endif
+#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+    sni_context_.Reset();
+#endif
 #ifdef NODE__HAVE_TLSEXT_STATUS_CB
     ocsp_response_.Reset();
 #endif  // NODE__HAVE_TLSEXT_STATUS_CB
@@ -170,8 +176,11 @@ class SSLWrap {
   inline bool is_server() const { return kind_ == kServer; }
   inline bool is_client() const { return kind_ == kClient; }
   inline bool is_waiting_new_session() const { return new_session_wait_; }
+  inline bool is_waiting_cert_cb() const { return cert_cb_ != nullptr; }
 
  protected:
+  typedef void (*CertCb)(void* arg);
+
   // Size allocated by OpenSSL: one for SSL structure, one for SSL3_STATE and
   // some for buffers.
   // NOTE: Actually it is much more than this
@@ -199,6 +208,7 @@ class SSLWrap {
   static void VerifyError(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetCurrentCipher(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void EndParser(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void CertCbDone(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Renegotiate(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void Shutdown(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetTLSTicket(const v8::FunctionCallbackInfo<v8::Value>& args);
@@ -227,10 +237,12 @@ class SSLWrap {
                                      void* arg);
 #endif  // OPENSSL_NPN_NEGOTIATED
   static int TLSExtStatusCallback(SSL* s, void* arg);
+  static int SSLCertCallback(SSL* s, void* arg);
   static void SSLGetter(v8::Local<v8::String> property,
                         const v8::PropertyCallbackInfo<v8::Value>& info);
 
   void DestroySSL();
+  void WaitForCertCb(CertCb cb, void* arg);
 
   inline Environment* ssl_env() const {
     return env_;
@@ -242,6 +254,12 @@ class SSLWrap {
   SSL* ssl_;
   bool session_callbacks_;
   bool new_session_wait_;
+
+  // SSL_set_cert_cb
+  CertCb cert_cb_;
+  void* cert_cb_arg_;
+  bool cert_cb_running_;
+
   ClientHelloParser hello_parser_;
 
 #ifdef NODE__HAVE_TLSEXT_STATUS_CB
@@ -253,6 +271,10 @@ class SSLWrap {
   v8::Persistent<v8::Value> selected_npn_proto_;
 #endif  // OPENSSL_NPN_NEGOTIATED
 
+#ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
+  v8::Persistent<v8::Value> sni_context_;
+#endif
+
   friend class SecureContext;
 };
 
@@ -264,7 +286,6 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
   ~Connection() override {
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
     sniObject_.Reset();
-    sniContext_.Reset();
     servername_.Reset();
 #endif
   }
@@ -279,7 +300,6 @@ class Connection : public SSLWrap<Connection>, public AsyncWrap {
 
 #ifdef SSL_CTRL_SET_TLSEXT_SERVERNAME_CB
   v8::Persistent<v8::Object> sniObject_;
-  v8::Persistent<v8::Value> sniContext_;
   v8::Persistent<v8::String> servername_;
 #endif
author	Fedor Indutny <fedor@indutny.com>	2015-04-18 10:19:23 +0200
committer	Fedor Indutny <fedor@indutny.com>	2015-05-01 16:56:55 +0200
commit	550c2638c0885f9cbb1022f8f5234015e21836fe (patch)
tree	5bc382b6cef0b84dc1851f719a33b7eb975339b6 /src/node_crypto.h
parent	30b7349176da785cd7294fec8c31cfb9c5f791e8 (diff)
download	android-node-v8-550c2638c0885f9cbb1022f8f5234015e21836fe.tar.gz android-node-v8-550c2638c0885f9cbb1022f8f5234015e21836fe.tar.bz2 android-node-v8-550c2638c0885f9cbb1022f8f5234015e21836fe.zip