Browse Source

Don't load root certs for each SSL context

v0.7.4-release
Ryan Dahl 14 years ago
parent
commit
5c35dff419
  1. 63
      src/node_crypto.cc
  2. 16
      src/node_crypto.h

63
src/node_crypto.cc

@ -131,8 +131,7 @@ Handle<Value> SecureContext::Init(const Arguments& args) {
SSL_CTX_set_session_cache_mode(sc->ctx_, SSL_SESS_CACHE_SERVER); SSL_CTX_set_session_cache_mode(sc->ctx_, SSL_SESS_CACHE_SERVER);
// SSL_CTX_set_session_cache_mode(sc->ctx_,SSL_SESS_CACHE_OFF); // SSL_CTX_set_session_cache_mode(sc->ctx_,SSL_SESS_CACHE_OFF);
sc->ca_store_ = X509_STORE_new(); sc->ca_store_ = NULL;
SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
return True(); return True();
} }
@ -311,6 +310,7 @@ Handle<Value> SecureContext::SetCert(const Arguments& args) {
Handle<Value> SecureContext::AddCACert(const Arguments& args) { Handle<Value> SecureContext::AddCACert(const Arguments& args) {
bool newCAStore = false;
HandleScope scope; HandleScope scope;
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder()); SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
@ -319,6 +319,11 @@ Handle<Value> SecureContext::AddCACert(const Arguments& args) {
return ThrowException(Exception::TypeError(String::New("Bad parameter"))); return ThrowException(Exception::TypeError(String::New("Bad parameter")));
} }
if (!sc->ca_store_) {
sc->ca_store_ = X509_STORE_new();
newCAStore = true;
}
X509* x509 = LoadX509(args[0]); X509* x509 = LoadX509(args[0]);
if (!x509) return False(); if (!x509) return False();
@ -327,6 +332,10 @@ Handle<Value> SecureContext::AddCACert(const Arguments& args) {
X509_free(x509); X509_free(x509);
if (newCAStore) {
SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
}
return True(); return True();
} }
@ -362,33 +371,42 @@ Handle<Value> SecureContext::AddCRL(const Arguments& args) {
} }
Handle<Value> SecureContext::AddRootCerts(const Arguments& args) { Handle<Value> SecureContext::AddRootCerts(const Arguments& args) {
HandleScope scope; HandleScope scope;
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder()); SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
for (int i = 0; root_certs[i]; i++) { assert(sc->ca_store_ == NULL);
// TODO: reuse bp ?
BIO *bp = BIO_new(BIO_s_mem());
if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) { if (!root_cert_store) {
BIO_free(bp); root_cert_store = X509_STORE_new();
return False();
}
X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL); for (int i = 0; root_certs[i]; i++) {
BIO *bp = BIO_new(BIO_s_mem());
if (x509 == NULL) { if (!BIO_write(bp, root_certs[i], strlen(root_certs[i]))) {
BIO_free(bp); BIO_free(bp);
return False(); return False();
} }
X509_STORE_add_cert(sc->ca_store_, x509); X509 *x509 = PEM_read_bio_X509(bp, NULL, NULL, NULL);
BIO_free(bp); if (x509 == NULL) {
X509_free(x509); BIO_free(bp);
return False();
}
X509_STORE_add_cert(root_cert_store, x509);
BIO_free(bp);
X509_free(x509);
}
} }
sc->ca_store_ = root_cert_store;
SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_);
return True(); return True();
} }
@ -411,19 +429,12 @@ Handle<Value> SecureContext::SetCiphers(const Arguments& args) {
Handle<Value> SecureContext::Close(const Arguments& args) { Handle<Value> SecureContext::Close(const Arguments& args) {
HandleScope scope; HandleScope scope;
SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder()); SecureContext *sc = ObjectWrap::Unwrap<SecureContext>(args.Holder());
sc->FreeCTXMem();
if (sc->ctx_ != NULL) {
SSL_CTX_free(sc->ctx_);
sc->ctx_ = NULL;
sc->ca_store_ = NULL;
return True();
}
return False(); return False();
} }
#ifdef SSL_PRINT_DEBUG #ifdef SSL_PRINT_DEBUG
# define DEBUG_PRINT(...) fprintf (stderr, __VA_ARGS__) # define DEBUG_PRINT(...) fprintf (stderr, __VA_ARGS__)
#else #else

16
src/node_crypto.h

@ -39,11 +39,14 @@
namespace node { namespace node {
namespace crypto { namespace crypto {
static X509_STORE* root_cert_store;
class SecureContext : ObjectWrap { class SecureContext : ObjectWrap {
public: public:
static void Initialize(v8::Handle<v8::Object> target); static void Initialize(v8::Handle<v8::Object> target);
SSL_CTX *ctx_; SSL_CTX *ctx_;
// TODO: ca_store_ should probably be removed, it's not used anywhere.
X509_STORE *ca_store_; X509_STORE *ca_store_;
protected: protected:
@ -62,8 +65,15 @@ class SecureContext : ObjectWrap {
ca_store_ = NULL; ca_store_ = NULL;
} }
~SecureContext() { void FreeCTXMem() {
if (ctx_) { if (ctx_) {
if (ctx_->cert_store == root_cert_store) {
// SSL_CTX_free() will attempt to free the cert_store as well.
// Since we want our root_cert_store to stay around forever
// we just clear the field. Hopefully OpenSSL will not modify this
// struct in future versions.
ctx_->cert_store = NULL;
}
SSL_CTX_free(ctx_); SSL_CTX_free(ctx_);
ctx_ = NULL; ctx_ = NULL;
ca_store_ = NULL; ca_store_ = NULL;
@ -72,6 +82,10 @@ class SecureContext : ObjectWrap {
} }
} }
~SecureContext() {
FreeCTXMem();
}
private: private:
}; };

Loading…
Cancel
Save