From 3966d8b10507e27392db17597d5837715edac598 Mon Sep 17 00:00:00 2001 From: Anna Henningsen Date: Thu, 28 Apr 2022 20:59:00 +0200 Subject: [PATCH] src: turn SSL_CTX_new CHECK/segfault into JS exception MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These operations do not usually fail, but can do so when OpenSSL is not configured properly (I ran into this while dynamically linking against OpenSSL with FIPS). JS exceptions are way more useful than CHECK failures or plain segfaults. PR-URL: https://github.com/nodejs/node/pull/42799 Reviewed-By: Tobias Nießen Reviewed-By: Colin Ihrig Reviewed-By: Darshan Sen Reviewed-By: James M Snell --- src/crypto/crypto_cipher.cc | 8 ++++++-- src/crypto/crypto_context.cc | 3 +++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc index 05acefb60113c1..f513ffbb6f65c2 100644 --- a/src/crypto/crypto_cipher.cc +++ b/src/crypto/crypto_cipher.cc @@ -197,10 +197,14 @@ void CipherBase::GetSSLCiphers(const FunctionCallbackInfo& args) { Environment* env = Environment::GetCurrent(args); SSLCtxPointer ctx(SSL_CTX_new(TLS_method())); - CHECK(ctx); + if (!ctx) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new"); + } SSLPointer ssl(SSL_new(ctx.get())); - CHECK(ssl); + if (!ssl) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_new"); + } STACK_OF(SSL_CIPHER)* ciphers = SSL_get_ciphers(ssl.get()); diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc index 739b559c3b7b22..f8125ab706b733 100644 --- a/src/crypto/crypto_context.cc +++ b/src/crypto/crypto_context.cc @@ -508,6 +508,9 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { } sc->ctx_.reset(SSL_CTX_new(method)); + if (!sc->ctx_) { + return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new"); + } SSL_CTX_set_app_data(sc->ctx_.get(), sc); // Disable SSLv2 in the case when method == TLS_method() and the