From 491ae12e412076ac9360d34516c827e941caed12 Mon Sep 17 00:00:00 2001
From: Anatoli Papirovski
Date: Wed, 2 May 2018 12:49:13 +0200
Subject: [PATCH] tls: cleanup onhandshakestart callback
Re-arrange and cleanup the flow of the onhandshakestart to be more clear and less repetitive. Exit early in the case of a first ever handshake for a given connection.
PR-URL: https://github.com/nodejs/node/pull/20466
Reviewed-By: Ben Noordhuis
Reviewed-By: Ruben Bridgewater
---
lib/_tls_wrap.js | 36 ++++++++++++++++--------------------
1 file changed, 16 insertions(+), 20 deletions(-)
diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
index 2e6b2e8da55..65c684abfe8 100644
--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@@ -62,32 +62,28 @@ const noop = () => {};
 function onhandshakestart(now) {
   debug('onhandshakestart');
-  assert(now >= this.lastHandshakeTime);
+  const { lastHandshakeTime } = this;
+  assert(now >= lastHandshakeTime);
-  const owner = this.owner;
-
-  if ((now - this.lastHandshakeTime) >= tls.CLIENT_RENEG_WINDOW * 1000) {
-    this.handshakes = 0;
-  }
-
-  const first = (this.lastHandshakeTime === 0);
   this.lastHandshakeTime = now;
-  if (first) return;
-  if (++this.handshakes > tls.CLIENT_RENEG_LIMIT) {
-    // Defer the error event to the next tick. We're being called from OpenSSL's
-    // state machine and OpenSSL is not re-entrant. We cannot allow the user's
-    // callback to destroy the connection right now, it would crash and burn.
-    setImmediate(emitSessionAttackError, owner);
+  // If this is the first handshake we can skip the rest of the checks.
+  if (lastHandshakeTime === 0)
+    return;
+
+  if ((now - lastHandshakeTime) >= tls.CLIENT_RENEG_WINDOW * 1000)
+    this.handshakes = 1;
+  else
+    this.handshakes++;
+
+  const { owner } = this;
+  if (this.handshakes > tls.CLIENT_RENEG_LIMIT) {
+    owner._emitTLSError(new ERR_TLS_SESSION_ATTACK());
+    return;
   }
-  if (owner[kDisableRenegotiation] && this.handshakes > 0) {
+  if (owner[kDisableRenegotiation])
     owner._emitTLSError(new ERR_TLS_RENEGOTIATION_DISABLED());
-  }
-}
-
-function emitSessionAttackError(socket) {
-  socket._emitTLSError(new ERR_TLS_SESSION_ATTACK());
 }
 function onhandshakedone() {
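Review bot: The renegotiation-limit branch now calls `owner._emitTLSError(new ERR_TLS_SESSION_ATTACK())` synchronously, whereas the removed lines deferred that emit through `setImmediate` with a comment explaining that this callback runs inside OpenSSL's non-re-entrant state machine and a user 'error' handler that destroys the connection would crash; the hunk shows nothing about `_emitTLSError` deferring, so the change drops both the safeguard and its only written rationale. The `kDisableRenegotiation` branch already emitted synchronously before this patch, so the two paths are at least now consistent, but whether that was itself safe is not established here. Please keep the reasoning in the code, for example `// TODO(review): confirm _emitTLSError is safe to call synchronously from OpenSSL's handshake callback; the previous setImmediate deferral was removed here.`, or restore the deferral with the original comment. A regression test that destroys the socket from the 'error' handler during a renegotiation flood would pin whichever behaviour is intended. onhandshakedone's body continues outside the hunk.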