tls: zero SSL_CTX freelist for a singleUse socket

indutny · indutny · commit 1cfc455dc505 · 2015-04-30T11:07:17.000+02:00
When connecting to server with `keepAlive` turned off - make sure that the read/write buffers won't be kept in a single use SSL_CTX instance after the socket will be destroyed. Fix: #1522 PR-URL: #1529 Reviewed-By: Shigeki Ohtsu <ohtsu@iij.ad.jp>
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
@@ -133,6 +133,10 @@ exports.createSecureContext = function createSecureContext(options, context) {
     }
   }
 
+  // Do not keep read/write buffers in free list
+  if (options.singleUse)
+    c.context.setFreeListLength(0);
+
   return c;
 };
 
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
@@ -862,6 +862,8 @@ exports.connect = function(/* [port, host], options, cb */) {
   };
 
   options = util._extend(defaults, options || {});
+  if (!options.keepAlive)
+    options.singleUse = true;
 
   assert(typeof options.checkServerIdentity === 'function');
 
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -265,6 +265,7 @@ void SecureContext::Initialize(Environment* env, Handle<Object> target) {
   env->SetProtoMethod(t, "loadPKCS12", SecureContext::LoadPKCS12);
   env->SetProtoMethod(t, "getTicketKeys", SecureContext::GetTicketKeys);
   env->SetProtoMethod(t, "setTicketKeys", SecureContext::SetTicketKeys);
+  env->SetProtoMethod(t, "setFreeListLength", SecureContext::SetFreeListLength);
   env->SetProtoMethod(t, "getCertificate", SecureContext::GetCertificate<true>);
   env->SetProtoMethod(t, "getIssuer", SecureContext::GetCertificate<false>);
 
@@ -933,6 +934,13 @@ void SecureContext::SetTicketKeys(const FunctionCallbackInfo<Value>& args) {
 }
 
 
+void SecureContext::SetFreeListLength(const FunctionCallbackInfo<Value>& args) {
+  SecureContext* wrap = Unwrap<SecureContext>(args.Holder());
+
+  wrap->ctx_->freelist_max_len = args[0]->Int32Value();
+}
+
+
 void SecureContext::CtxGetter(Local<String> property,
                               const PropertyCallbackInfo<Value>& info) {
   HandleScope scope(info.GetIsolate());
diff --git a/src/node_crypto.h b/src/node_crypto.h
@@ -85,6 +85,8 @@ class SecureContext : public BaseObject {
   static void LoadPKCS12(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void GetTicketKeys(const v8::FunctionCallbackInfo<v8::Value>& args);
   static void SetTicketKeys(const v8::FunctionCallbackInfo<v8::Value>& args);
+  static void SetFreeListLength(
+      const v8::FunctionCallbackInfo<v8::Value>& args);
   static void CtxGetter(v8::Local<v8::String> property,
                         const v8::PropertyCallbackInfo<v8::Value>& info);
 

Original file line number	Diff line number	Diff line change
`@@ -133,6 +133,10 @@ exports.createSecureContext = function createSecureContext(options, context) {`
`133`	`133`	`}`
`134`	`134`	`}`
`135`	`135`
	`136`	`+ // Do not keep read/write buffers in free list`
	`137`	`+ if (options.singleUse)`
	`138`	`+ c.context.setFreeListLength(0);`
	`139`	`+`
`136`	`140`	`return c;`
`137`	`141`	`};`
`138`	`142`