tls: accept SecureContext object in server.addContext()

Do not call tls.createSecureContext() if the context provided is already an instance of tls.SecureContext. Fixes: nodejs#47408 PR-URL: nodejs#47570 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com>
MoLow · Jul 6, 2023 · 19b0f24 · 19b0f24
1 parent beaad7f
commit 19b0f24
Show file tree

Hide file tree

Showing 3 changed files with 83 additions and 5 deletions.
diff --git a/doc/api/tls.md b/doc/api/tls.md
@@ -728,9 +728,10 @@ added: v0.5.3
 -->
 
 * `hostname` {string} A SNI host name or wildcard (e.g. `'*'`)
-* `context` {Object} An object containing any of the possible properties
-  from the [`tls.createSecureContext()`][] `options` arguments (e.g. `key`,
-  `cert`, `ca`, etc).
+* `context` {Object|tls.SecureContext} An object containing any of the possible
+  properties from the [`tls.createSecureContext()`][] `options` arguments
+  (e.g. `key`, `cert`, `ca`, etc), or a TLS context object created with
+  [`tls.createSecureContext()`][] itself.
 
 The `server.addContext()` method adds a secure context that will be used if
 the client request's SNI name matches the supplied `hostname` (or wildcard).

diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js
@@ -1458,8 +1458,10 @@ Server.prototype.addContext = function(servername, context) {
     RegExpPrototypeSymbolReplace(/([.^$+?\-\\[\]{}])/g, servername, '\\$1'),
     '*', '[^.]*',
   ) + '$');
-  ArrayPrototypePush(this._contexts,
-                     [re, tls.createSecureContext(context).context]);
+
+  const secureContext =
+    context instanceof common.SecureContext ? context : tls.createSecureContext(context);
+  ArrayPrototypePush(this._contexts, [re, secureContext.context]);
 };
 
 Server.prototype[EE.captureRejectionSymbol] = function(

diff --git a/test/parallel/test-tls-add-context.js b/test/parallel/test-tls-add-context.js
@@ -0,0 +1,75 @@
+'use strict';
+const common = require('../common');
+
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const fixtures = require('../common/fixtures');
+const assert = require('assert');
+const tls = require('tls');
+
+function loadPEM(n) {
+  return fixtures.readKey(`${n}.pem`);
+}
+
+const serverOptions = {
+  key: loadPEM('agent2-key'),
+  cert: loadPEM('agent2-cert'),
+  ca: [ loadPEM('ca2-cert') ],
+  requestCert: true,
+  rejectUnauthorized: false,
+};
+
+let connections = 0;
+
+const server = tls.createServer(serverOptions, (c) => {
+  if (++connections === 3) {
+    server.close();
+  }
+  if (c.servername === 'unknowncontext') {
+    assert.strictEqual(c.authorized, false);
+    return;
+  }
+  assert.strictEqual(c.authorized, true);
+});
+
+const secureContext = {
+  key: loadPEM('agent1-key'),
+  cert: loadPEM('agent1-cert'),
+  ca: [ loadPEM('ca1-cert') ],
+};
+server.addContext('context1', secureContext);
+server.addContext('context2', tls.createSecureContext(secureContext));
+
+const clientOptionsBase = {
+  key: loadPEM('agent1-key'),
+  cert: loadPEM('agent1-cert'),
+  ca: [ loadPEM('ca1-cert') ],
+  rejectUnauthorized: false,
+};
+
+server.listen(0, common.mustCall(() => {
+  const client1 = tls.connect({
+    ...clientOptionsBase,
+    port: server.address().port,
+    servername: 'context1',
+  }, common.mustCall(() => {
+    client1.end();
+  }));
+
+  const client2 = tls.connect({
+    ...clientOptionsBase,
+    port: server.address().port,
+    servername: 'context2',
+  }, common.mustCall(() => {
+    client2.end();
+  }));
+
+  const client3 = tls.connect({
+    ...clientOptionsBase,
+    port: server.address().port,
+    servername: 'unknowncontext',
+  }, common.mustCall(() => {
+    client3.end();
+  }));
+}));