From 7778ebecaaffdc9f6217348f7db63f2ee9537a85 Mon Sep 17 00:00:00 2001 From: Anna Henningsen Date: Thu, 28 Apr 2022 20:59:00 +0200 Subject: [PATCH] src: turn SSL_CTX_new CHECK/segfault into JS exception MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These operations do not usually fail, but can do so when OpenSSL is not configured properly (I ran into this while dynamically linking against OpenSSL with FIPS). JS exceptions are way more useful than CHECK failures or plain segfaults. PR-URL: https://github.com/nodejs/node/pull/42799 Reviewed-By: Tobias Nießen Reviewed-By: Colin Ihrig Reviewed-By: Darshan Sen Reviewed-By: James M Snell --- src/crypto/crypto_cipher.cc | 8 ++++++-- src/crypto/crypto_context.cc | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc index d6c6f0c4375aad..d1e29d5f7b0019 100644 --- a/src/crypto/crypto_cipher.cc +++ b/src/crypto/crypto_cipher.cc @@ -198,10 +198,14 @@ void CipherBase::GetSSLCiphers(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); SSLCtxPointer ctx(SSL_CTX_new(TLS_method())); - CHECK(ctx); + if (!ctx) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new"); + } SSLPointer ssl(SSL_new(ctx.get())); - CHECK(ssl); + if (!ssl) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_new"); + } STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl.get()); diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc index 739b559c3b7b22..f8125ab706b733 100644 --- a/src/crypto/crypto_context.cc +++ b/src/crypto/crypto_context.cc @@ -508,6 +508,9 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { } sc->ctx_.reset(SSL_CTX_new(method)); + if (!sc->ctx_) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new"); + } SSL_CTX_set_app_data(sc->ctx_.get(), sc); // Disable SSLv2 in the case when method == TLS_method() and the