src: move SSLCtxPointer impl to ncrypto

nodejs · Jan 7, 2025 · e79a7aa · e79a7aa
1 parent b421159
commit e79a7aa
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 8 deletions.
diff --git a/deps/ncrypto/ncrypto.cc b/deps/ncrypto/ncrypto.cc
@@ -2371,4 +2371,46 @@ EVPKeyPointer SSLPointer::getPeerTempKey() const {
   if (!SSL_get_peer_tmp_key(get(), &raw_key)) return {};
   return EVPKeyPointer(raw_key);
 }
+
+SSLCtxPointer::SSLCtxPointer(SSL_CTX* ctx) : ctx_(ctx) {}
+
+SSLCtxPointer::SSLCtxPointer(SSLCtxPointer&& other) noexcept
+    : ctx_(other.release()) {}
+
+SSLCtxPointer& SSLCtxPointer::operator=(SSLCtxPointer&& other) noexcept {
+  if (this == &other) return *this;
+  this->~SSLCtxPointer();
+  return *new (this) SSLCtxPointer(std::move(other));
+}
+
+SSLCtxPointer::~SSLCtxPointer() { reset(); }
+
+void SSLCtxPointer::reset(SSL_CTX* ctx) {
+  ctx_.reset(ctx);
+}
+
+void SSLCtxPointer::reset(const SSL_METHOD* method) {
+  ctx_.reset(SSL_CTX_new(method));
+}
+
+SSL_CTX* SSLCtxPointer::release() {
+  return ctx_.release();
+}
+
+SSLCtxPointer SSLCtxPointer::NewServer() {
+  return SSLCtxPointer(SSL_CTX_new(TLS_server_method()));
+}
+
+SSLCtxPointer SSLCtxPointer::NewClient() {
+  return SSLCtxPointer(SSL_CTX_new(TLS_client_method()));
+}
+
+SSLCtxPointer SSLCtxPointer::New(const SSL_METHOD* method) {
+  return SSLCtxPointer(SSL_CTX_new(method));
+}
+
+bool SSLCtxPointer::setGroups(const char* groups) {
+  return SSL_CTX_set1_groups_list(get(), groups) == 1;
+}
+
 }  // namespace ncrypto
diff --git a/deps/ncrypto/ncrypto.h b/deps/ncrypto/ncrypto.h
@@ -211,7 +211,6 @@ using HMACCtxPointer = DeleteFnPtr<HMAC_CTX, HMAC_CTX_free>;
 using NetscapeSPKIPointer = DeleteFnPtr<NETSCAPE_SPKI, NETSCAPE_SPKI_free>;
 using PKCS8Pointer = DeleteFnPtr<PKCS8_PRIV_KEY_INFO, PKCS8_PRIV_KEY_INFO_free>;
 using RSAPointer = DeleteFnPtr<RSA, RSA_free>;
-using SSLCtxPointer = DeleteFnPtr<SSL_CTX, SSL_CTX_free>;
 using SSLSessionPointer = DeleteFnPtr<SSL_SESSION, SSL_SESSION_free>;
 
 struct StackOfXASN1Deleter {
@@ -582,6 +581,39 @@ using StackOfX509 = std::unique_ptr<STACK_OF(X509), StackOfX509Deleter>;
 class X509Pointer;
 class X509View;
 
+class SSLCtxPointer final {
+ public:
+  SSLCtxPointer() = default;
+  explicit SSLCtxPointer(SSL_CTX* ctx);
+  SSLCtxPointer(SSLCtxPointer&& other) noexcept;
+  SSLCtxPointer& operator=(SSLCtxPointer&& other) noexcept;
+  NCRYPTO_DISALLOW_COPY(SSLCtxPointer)
+  ~SSLCtxPointer();
+
+  inline bool operator==(std::nullptr_t) const noexcept {
+    return ctx_ == nullptr;
+  }
+  inline operator bool() const { return ctx_ != nullptr; }
+  inline SSL_CTX* get() const { return ctx_.get(); }
+  void reset(SSL_CTX* ctx = nullptr);
+  void reset(const SSL_METHOD* method);
+  SSL_CTX* release();
+
+  bool setGroups(const char* groups);
+  void setStatusCallback(auto callback) {
+    if (!ctx_) return;
+    SSL_CTX_set_tlsext_status_cb(get(), callback);
+    SSL_CTX_set_tlsext_status_arg(get(), nullptr);
+  }
+
+  static SSLCtxPointer NewServer();
+  static SSLCtxPointer NewClient();
+  static SSLCtxPointer New(const SSL_METHOD* method = TLS_method());
+
+ private:
+  DeleteFnPtr<SSL_CTX, SSL_CTX_free> ctx_;
+};
+
 class SSLPointer final {
  public:
   SSLPointer() = default;

diff --git a/src/crypto/crypto_cipher.cc b/src/crypto/crypto_cipher.cc
@@ -198,7 +198,7 @@ void GetCipherInfo(const FunctionCallbackInfo<Value>& args) {
 void CipherBase::GetSSLCiphers(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
 
-  SSLCtxPointer ctx(SSL_CTX_new(TLS_method()));
+  auto ctx = SSLCtxPointer::New();
   if (!ctx) {
     return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new");
   }

diff --git a/src/crypto/crypto_common.cc b/src/crypto/crypto_common.cc
@@ -58,7 +58,7 @@ bool UseSNIContext(
 }
 
 bool SetGroups(SecureContext* sc, const char* groups) {
-  return SSL_CTX_set1_groups_list(sc->ctx().get(), groups) == 1;
+  return sc->ctx().setGroups(groups);
 }
 
 MaybeLocal<Value> GetValidationErrorReason(Environment* env, int err) {

diff --git a/src/crypto/crypto_context.cc b/src/crypto/crypto_context.cc
@@ -551,7 +551,7 @@ void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
     }
   }
 
-  sc->ctx_.reset(SSL_CTX_new(method));
+  sc->ctx_.reset(method);
   if (!sc->ctx_) {
     return ThrowCryptoError(env, ERR_get_error(), "SSL_CTX_new");
   }

diff --git a/src/crypto/crypto_tls.cc b/src/crypto/crypto_tls.cc
@@ -358,8 +358,7 @@ int TLSExtStatusCallback(SSL* s, void* arg) {
 
 void ConfigureSecureContext(SecureContext* sc) {
   // OCSP stapling
-  SSL_CTX_set_tlsext_status_cb(sc->ctx().get(), TLSExtStatusCallback);
-  SSL_CTX_set_tlsext_status_arg(sc->ctx().get(), nullptr);
+  sc->ctx().setStatusCallback(TLSExtStatusCallback);
 }
 
 inline bool Set(

diff --git a/src/quic/tlscontext.cc b/src/quic/tlscontext.cc
@@ -245,7 +245,7 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
   switch (side_) {
     case Side::SERVER: {
       static constexpr unsigned char kSidCtx[] = "Node.js QUIC Server";
-      ctx.reset(SSL_CTX_new(TLS_server_method()));
+      ctx = crypto::SSLCtxPointer::NewServer();
       CHECK_EQ(ngtcp2_crypto_quictls_configure_server_context(ctx.get()), 0);
       CHECK_EQ(SSL_CTX_set_max_early_data(ctx.get(), UINT32_MAX), 1);
       SSL_CTX_set_options(ctx.get(),
@@ -276,7 +276,7 @@ crypto::SSLCtxPointer TLSContext::Initialize() {
       break;
     }
     case Side::CLIENT: {
-      ctx.reset(SSL_CTX_new(TLS_client_method()));
+      ctx = crypto::SSLCtxPointer::NewClient();
       CHECK_EQ(ngtcp2_crypto_quictls_configure_client_context(ctx.get()), 0);
 
       SSL_CTX_set_session_cache_mode(