-
Notifications
You must be signed in to change notification settings - Fork 30.1k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
tls: fix legacy SecurePair clienthello race window
There is a time window between the first and the last step of processing the clienthello event and the SecurePair may have been destroyed during that interval. Fixes: #26428 PR-URL: #26452 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
- Loading branch information
1 parent
91620b8
commit 7573b55
Showing
2 changed files
with
84 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
80 changes: 80 additions & 0 deletions
80
test/parallel/test-tls-async-cb-after-socket-end-securepair.js
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,80 @@ | ||
| 'use strict'; | ||
|
|
||
| const common = require('../common'); | ||
| if (!common.hasCrypto) | ||
| common.skip('missing crypto'); | ||
| const fixtures = require('../common/fixtures'); | ||
| const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET; | ||
| const assert = require('assert'); | ||
| const net = require('net'); | ||
| const tls = require('tls'); | ||
|
|
||
| const options = { | ||
| secureOptions: SSL_OP_NO_TICKET, | ||
| key: fixtures.readSync('test_key.pem'), | ||
| cert: fixtures.readSync('test_cert.pem') | ||
| }; | ||
|
|
||
| const server = net.createServer(function(socket) { | ||
| const sslcontext = tls.createSecureContext(options); | ||
| sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); | ||
|
|
||
| const pair = tls.createSecurePair(sslcontext, true, false, false, { server }); | ||
|
|
||
| assert.ok(pair.encrypted.writable); | ||
| assert.ok(pair.cleartext.writable); | ||
|
|
||
| pair.encrypted.pipe(socket); | ||
| socket.pipe(pair.encrypted); | ||
|
|
||
| pair.on('error', () => {}); // Expected, client s1 closes connection. | ||
| }); | ||
|
|
||
| let sessionCb = null; | ||
| let client = null; | ||
|
|
||
| server.on('newSession', common.mustCall(function(key, session, done) { | ||
| done(); | ||
| })); | ||
|
|
||
| server.on('resumeSession', common.mustCall(function(id, cb) { | ||
| sessionCb = cb; | ||
|
|
||
| next(); | ||
| })); | ||
|
|
||
| server.listen(0, function() { | ||
| const clientOpts = { | ||
| port: this.address().port, | ||
| rejectUnauthorized: false, | ||
| session: false | ||
| }; | ||
|
|
||
| const s1 = tls.connect(clientOpts, function() { | ||
| clientOpts.session = s1.getSession(); | ||
| console.log('1st secure'); | ||
|
|
||
| s1.destroy(); | ||
| const s2 = tls.connect(clientOpts, function(s) { | ||
| console.log('2nd secure'); | ||
|
|
||
| s2.destroy(); | ||
| }).on('connect', function() { | ||
| console.log('2nd connected'); | ||
| client = s2; | ||
|
|
||
| next(); | ||
| }); | ||
| }); | ||
| }); | ||
|
|
||
| function next() { | ||
| if (!client || !sessionCb) | ||
| return; | ||
|
|
||
| client.destroy(); | ||
| setTimeout(function() { | ||
| sessionCb(); | ||
| server.close(); | ||
| }, 100); | ||
| } |