From a6bceaec4d1857bad616bd0eecbaf415cbde0236 Mon Sep 17 00:00:00 2001 From: Anna Henningsen Date: Thu, 28 Apr 2022 20:59:00 +0200 Subject: [PATCH] src: turn SSL_CTX_new CHECK/segfault into JS exception MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These operations do not usually fail, but can do so when OpenSSL is not configured properly (I ran into this while dynamically linking against OpenSSL with FIPS). JS exceptions are way more useful than CHECK failures or plain segfaults. PR-URL: https://github.com/nodejs/node/pull/42799 Reviewed-By: Tobias Nießen Reviewed-By: Colin Ihrig Reviewed-By: Darshan Sen Reviewed-By: James M Snell --- src/crypto/crypto_cipher.cc | 8 ++++++-- src/crypto/crypto_context.cc | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc index f65b7c41bd996d..e58261b411d8fe 100644 --- a/src/crypto/crypto_cipher.cc +++ b/src/crypto/crypto_cipher.cc @@ -197,10 +197,14 @@ void CipherBase::GetSSLCiphers(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); SSLCtxPointer ctx(SSL_CTX_new(TLS_method())); - CHECK(ctx); + if (!ctx) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new"); + } SSLPointer ssl(SSL_new(ctx.get())); - CHECK(ssl); + if (!ssl) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_new"); + } STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl.get()); diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc index 739b559c3b7b22..f8125ab706b733 100644 --- a/src/crypto/crypto_context.cc +++ b/src/crypto/crypto_context.cc @@ -508,6 +508,9 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { } sc->ctx_.reset(SSL_CTX_new(method)); + if (!sc->ctx_) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new"); + } SSL_CTX_set_app_data(sc->ctx_.get(), sc); // Disable SSLv2 in the case when method == TLS_method() and the