From 1895d2e604d3ebff5524365a0700a21a6db406dc Mon Sep 17 00:00:00 2001 From: Zuzana Svetlikova Date: Thu, 7 Sep 2017 11:18:11 +0000 Subject: [PATCH 1/2] Disable crypto tests --- test/disabled/test-crypto-dh.js | 319 ++++++++++++ test/disabled/test-crypto-fips.js | 235 +++++++++ test/disabled/test-tls-0-dns-altname.js | 33 ++ test/disabled/test-tls-addca.js | 50 ++ test/disabled/test-tls-alert-handling.js | 78 +++ test/disabled/test-tls-alert.js | 50 ++ test/disabled/test-tls-alpn-server-client.js | 538 +++++++++++++++++++++ .../disabled/test-tls-async-cb-after-socket-end.js | 70 +++ test/disabled/test-tls-basic-validations.js | 53 ++ test/disabled/test-tls-ca-concat.js | 24 + test/disabled/test-tls-cert-chains-concat.js | 50 ++ test/disabled/test-tls-cert-chains-in-ca.js | 46 ++ test/disabled/test-tls-cert-regression.js | 45 ++ test/disabled/test-tls-check-server-identity.js | 260 ++++++++++ test/disabled/test-tls-cipher-list.js | 30 ++ test/disabled/test-tls-client-abort.js | 19 + test/disabled/test-tls-client-abort2.js | 14 + test/disabled/test-tls-client-default-ciphers.js | 26 + test/disabled/test-tls-client-destroy-soon.js | 46 ++ .../test-tls-client-getephemeralkeyinfo.js | 96 ++++ test/disabled/test-tls-client-mindhsize.js | 92 ++++ test/disabled/test-tls-client-reject.js | 61 +++ test/disabled/test-tls-client-resume.js | 56 +++ test/disabled/test-tls-client-verify.js | 132 +++++ test/disabled/test-tls-close-error.js | 26 + test/disabled/test-tls-close-notify.js | 27 ++ test/disabled/test-tls-cnnic-whitelist.js | 77 +++ test/disabled/test-tls-connect-address-family.js | 45 ++ test/disabled/test-tls-connect-given-socket.js | 65 +++ test/disabled/test-tls-connect-no-host.js | 34 ++ test/disabled/test-tls-connect-pipe.js | 26 + test/disabled/test-tls-connect-secure-context.js | 25 + test/disabled/test-tls-connect-simple.js | 42 ++ test/disabled/test-tls-connect-stream-writes.js | 63 +++ test/disabled/test-tls-connect.js | 39 ++ test/disabled/test-tls-delayed-attach-error.js | 36 ++ test/disabled/test-tls-delayed-attach.js | 45 ++ test/disabled/test-tls-destroy-whilst-write.js | 27 ++ test/disabled/test-tls-dhe.js | 96 ++++ test/disabled/test-tls-ecdh-disable.js | 37 ++ test/disabled/test-tls-ecdh.js | 42 ++ test/disabled/test-tls-econnreset.js | 76 +++ test/disabled/test-tls-empty-sni-context.js | 34 ++ test/disabled/test-tls-env-bad-extra-ca.js | 39 ++ test/disabled/test-tls-env-extra-ca.js | 44 ++ test/disabled/test-tls-external-accessor.js | 22 + test/disabled/test-tls-fast-writing.js | 60 +++ test/disabled/test-tls-friendly-error-message.js | 23 + test/disabled/test-tls-getcipher.js | 36 ++ test/disabled/test-tls-getprotocol.js | 40 ++ test/disabled/test-tls-handshake-error.js | 32 ++ test/disabled/test-tls-handshake-nohang.js | 11 + test/disabled/test-tls-hello-parser-failure.js | 41 ++ test/disabled/test-tls-honorcipherorder.js | 97 ++++ test/disabled/test-tls-inception.js | 66 +++ test/disabled/test-tls-interleave.js | 55 +++ test/disabled/test-tls-invoke-queued.js | 37 ++ test/disabled/test-tls-js-stream.js | 73 +++ test/disabled/test-tls-junk-closes-server.js | 28 ++ test/disabled/test-tls-junk-server.js | 27 ++ test/disabled/test-tls-key-mismatch.js | 20 + test/disabled/test-tls-legacy-onselect.js | 27 ++ test/disabled/test-tls-max-send-fragment.js | 42 ++ test/disabled/test-tls-multi-key.js | 51 ++ test/disabled/test-tls-no-cert-required.js | 29 ++ test/disabled/test-tls-no-rsa-key.js | 33 ++ test/disabled/test-tls-no-sslv23.js | 55 +++ test/disabled/test-tls-no-sslv3.js | 51 ++ test/disabled/test-tls-npn-server-client.js | 104 ++++ test/disabled/test-tls-ocsp-callback.js | 126 +++++ test/disabled/test-tls-on-empty-socket.js | 41 ++ test/disabled/test-tls-over-http-tunnel.js | 155 ++++++ test/disabled/test-tls-parse-cert-string.js | 36 ++ test/disabled/test-tls-passphrase.js | 275 +++++++++++ test/disabled/test-tls-pause.js | 70 +++ .../disabled/test-tls-peer-certificate-encoding.js | 33 ++ .../test-tls-peer-certificate-multi-keys.js | 34 ++ test/disabled/test-tls-peer-certificate.js | 39 ++ test/disabled/test-tls-pfx-gh-5100-regr.js | 38 ++ test/disabled/test-tls-regr-gh-5108.js | 40 ++ test/disabled/test-tls-request-timeout.js | 30 ++ test/disabled/test-tls-retain-handle-no-abort.js | 40 ++ test/disabled/test-tls-securepair-fiftharg.js | 27 ++ test/disabled/test-tls-securepair-server.js | 133 +++++ test/disabled/test-tls-server-connection-server.js | 32 ++ ...ls-server-failed-handshake-emits-clienterror.js | 28 ++ test/disabled/test-tls-server-verify.js | 348 +++++++++++++ test/disabled/test-tls-session-cache.js | 127 +++++ test/disabled/test-tls-set-ciphers.js | 45 ++ test/disabled/test-tls-set-encoding.js | 58 +++ test/disabled/test-tls-sni-option.js | 168 +++++++ test/disabled/test-tls-sni-server-client.js | 113 +++++ test/disabled/test-tls-socket-close.js | 67 +++ test/disabled/test-tls-socket-default-options.js | 67 +++ test/disabled/test-tls-socket-destroy.js | 34 ++ ...test-tls-socket-failed-handshake-emits-error.js | 37 ++ .../disabled/test-tls-startcom-wosign-whitelist.js | 89 ++++ test/disabled/test-tls-starttls-server.js | 51 ++ test/disabled/test-tls-ticket-cluster.js | 108 +++++ test/disabled/test-tls-ticket.js | 98 ++++ test/disabled/test-tls-timeout-server-2.js | 29 ++ test/disabled/test-tls-timeout-server.js | 26 + test/disabled/test-tls-two-cas-one-string.js | 34 ++ test/disabled/test-tls-wrap-no-abort.js | 8 + test/disabled/test-tls-wrap-timeout.js | 53 ++ test/disabled/test-tls-writewrap-leak.js | 24 + test/disabled/test-tls-zero-clear-in.js | 41 ++ test/parallel/test-crypto-dh.js | 319 ------------ test/parallel/test-crypto-fips.js | 235 --------- test/parallel/test-tls-0-dns-altname.js | 33 -- test/parallel/test-tls-addca.js | 50 -- test/parallel/test-tls-alert-handling.js | 78 --- test/parallel/test-tls-alert.js | 50 -- test/parallel/test-tls-alpn-server-client.js | 538 --------------------- .../parallel/test-tls-async-cb-after-socket-end.js | 70 --- test/parallel/test-tls-basic-validations.js | 53 -- test/parallel/test-tls-ca-concat.js | 24 - test/parallel/test-tls-cert-chains-concat.js | 50 -- test/parallel/test-tls-cert-chains-in-ca.js | 46 -- test/parallel/test-tls-cert-regression.js | 45 -- test/parallel/test-tls-check-server-identity.js | 260 ---------- test/parallel/test-tls-cipher-list.js | 30 -- test/parallel/test-tls-client-abort.js | 19 - test/parallel/test-tls-client-abort2.js | 14 - test/parallel/test-tls-client-default-ciphers.js | 26 - test/parallel/test-tls-client-destroy-soon.js | 46 -- .../test-tls-client-getephemeralkeyinfo.js | 96 ---- test/parallel/test-tls-client-mindhsize.js | 92 ---- test/parallel/test-tls-client-reject.js | 61 --- test/parallel/test-tls-client-resume.js | 56 --- test/parallel/test-tls-client-verify.js | 132 ----- test/parallel/test-tls-close-error.js | 26 - test/parallel/test-tls-close-notify.js | 27 -- test/parallel/test-tls-cnnic-whitelist.js | 77 --- test/parallel/test-tls-connect-address-family.js | 45 -- test/parallel/test-tls-connect-given-socket.js | 65 --- test/parallel/test-tls-connect-no-host.js | 34 -- test/parallel/test-tls-connect-pipe.js | 26 - test/parallel/test-tls-connect-secure-context.js | 25 - test/parallel/test-tls-connect-simple.js | 42 -- test/parallel/test-tls-connect-stream-writes.js | 63 --- test/parallel/test-tls-connect.js | 39 -- test/parallel/test-tls-delayed-attach-error.js | 36 -- test/parallel/test-tls-delayed-attach.js | 45 -- test/parallel/test-tls-destroy-whilst-write.js | 27 -- test/parallel/test-tls-dhe.js | 96 ---- test/parallel/test-tls-ecdh-disable.js | 37 -- test/parallel/test-tls-ecdh.js | 42 -- test/parallel/test-tls-econnreset.js | 76 --- test/parallel/test-tls-empty-sni-context.js | 34 -- test/parallel/test-tls-env-bad-extra-ca.js | 39 -- test/parallel/test-tls-env-extra-ca.js | 44 -- test/parallel/test-tls-external-accessor.js | 22 - test/parallel/test-tls-fast-writing.js | 60 --- test/parallel/test-tls-friendly-error-message.js | 23 - test/parallel/test-tls-getcipher.js | 36 -- test/parallel/test-tls-getprotocol.js | 40 -- test/parallel/test-tls-handshake-error.js | 32 -- test/parallel/test-tls-handshake-nohang.js | 11 - test/parallel/test-tls-hello-parser-failure.js | 41 -- test/parallel/test-tls-honorcipherorder.js | 97 ---- test/parallel/test-tls-inception.js | 66 --- test/parallel/test-tls-interleave.js | 55 --- test/parallel/test-tls-invoke-queued.js | 37 -- test/parallel/test-tls-js-stream.js | 73 --- test/parallel/test-tls-junk-closes-server.js | 28 -- test/parallel/test-tls-junk-server.js | 27 -- test/parallel/test-tls-key-mismatch.js | 20 - test/parallel/test-tls-legacy-onselect.js | 27 -- test/parallel/test-tls-max-send-fragment.js | 42 -- test/parallel/test-tls-multi-key.js | 51 -- test/parallel/test-tls-no-cert-required.js | 29 -- test/parallel/test-tls-no-rsa-key.js | 33 -- test/parallel/test-tls-no-sslv23.js | 55 --- test/parallel/test-tls-no-sslv3.js | 51 -- test/parallel/test-tls-npn-server-client.js | 104 ---- test/parallel/test-tls-ocsp-callback.js | 126 ----- test/parallel/test-tls-on-empty-socket.js | 41 -- test/parallel/test-tls-over-http-tunnel.js | 155 ------ test/parallel/test-tls-parse-cert-string.js | 36 -- test/parallel/test-tls-passphrase.js | 275 ----------- test/parallel/test-tls-pause.js | 70 --- .../parallel/test-tls-peer-certificate-encoding.js | 33 -- .../test-tls-peer-certificate-multi-keys.js | 34 -- test/parallel/test-tls-peer-certificate.js | 39 -- test/parallel/test-tls-pfx-gh-5100-regr.js | 38 -- test/parallel/test-tls-regr-gh-5108.js | 40 -- test/parallel/test-tls-request-timeout.js | 30 -- test/parallel/test-tls-retain-handle-no-abort.js | 40 -- test/parallel/test-tls-securepair-fiftharg.js | 27 -- test/parallel/test-tls-securepair-server.js | 133 ----- test/parallel/test-tls-server-connection-server.js | 32 -- ...ls-server-failed-handshake-emits-clienterror.js | 28 -- test/parallel/test-tls-server-verify.js | 348 ------------- test/parallel/test-tls-session-cache.js | 127 ----- test/parallel/test-tls-set-ciphers.js | 45 -- test/parallel/test-tls-set-encoding.js | 58 --- test/parallel/test-tls-sni-option.js | 168 ------- test/parallel/test-tls-sni-server-client.js | 113 ----- test/parallel/test-tls-socket-close.js | 67 --- test/parallel/test-tls-socket-default-options.js | 67 --- test/parallel/test-tls-socket-destroy.js | 34 -- ...test-tls-socket-failed-handshake-emits-error.js | 37 -- .../parallel/test-tls-startcom-wosign-whitelist.js | 89 ---- test/parallel/test-tls-starttls-server.js | 51 -- test/parallel/test-tls-ticket-cluster.js | 108 ----- test/parallel/test-tls-ticket.js | 98 ---- test/parallel/test-tls-timeout-server-2.js | 29 -- test/parallel/test-tls-timeout-server.js | 26 - test/parallel/test-tls-two-cas-one-string.js | 34 -- test/parallel/test-tls-wrap-no-abort.js | 8 - test/parallel/test-tls-wrap-timeout.js | 53 -- test/parallel/test-tls-writewrap-leak.js | 24 - test/parallel/test-tls-zero-clear-in.js | 41 -- 214 files changed, 7230 insertions(+), 7230 deletions(-) create mode 100644 test/disabled/test-crypto-dh.js create mode 100644 test/disabled/test-crypto-fips.js create mode 100644 test/disabled/test-tls-0-dns-altname.js create mode 100644 test/disabled/test-tls-addca.js create mode 100644 test/disabled/test-tls-alert-handling.js create mode 100644 test/disabled/test-tls-alert.js create mode 100644 test/disabled/test-tls-alpn-server-client.js create mode 100644 test/disabled/test-tls-async-cb-after-socket-end.js create mode 100644 test/disabled/test-tls-basic-validations.js create mode 100644 test/disabled/test-tls-ca-concat.js create mode 100644 test/disabled/test-tls-cert-chains-concat.js create mode 100644 test/disabled/test-tls-cert-chains-in-ca.js create mode 100644 test/disabled/test-tls-cert-regression.js create mode 100644 test/disabled/test-tls-check-server-identity.js create mode 100644 test/disabled/test-tls-cipher-list.js create mode 100644 test/disabled/test-tls-client-abort.js create mode 100644 test/disabled/test-tls-client-abort2.js create mode 100644 test/disabled/test-tls-client-default-ciphers.js create mode 100644 test/disabled/test-tls-client-destroy-soon.js create mode 100644 test/disabled/test-tls-client-getephemeralkeyinfo.js create mode 100644 test/disabled/test-tls-client-mindhsize.js create mode 100644 test/disabled/test-tls-client-reject.js create mode 100644 test/disabled/test-tls-client-resume.js create mode 100644 test/disabled/test-tls-client-verify.js create mode 100644 test/disabled/test-tls-close-error.js create mode 100644 test/disabled/test-tls-close-notify.js create mode 100644 test/disabled/test-tls-cnnic-whitelist.js create mode 100644 test/disabled/test-tls-connect-address-family.js create mode 100644 test/disabled/test-tls-connect-given-socket.js create mode 100644 test/disabled/test-tls-connect-no-host.js create mode 100644 test/disabled/test-tls-connect-pipe.js create mode 100644 test/disabled/test-tls-connect-secure-context.js create mode 100644 test/disabled/test-tls-connect-simple.js create mode 100644 test/disabled/test-tls-connect-stream-writes.js create mode 100644 test/disabled/test-tls-connect.js create mode 100644 test/disabled/test-tls-delayed-attach-error.js create mode 100644 test/disabled/test-tls-delayed-attach.js create mode 100644 test/disabled/test-tls-destroy-whilst-write.js create mode 100644 test/disabled/test-tls-dhe.js create mode 100644 test/disabled/test-tls-ecdh-disable.js create mode 100644 test/disabled/test-tls-ecdh.js create mode 100644 test/disabled/test-tls-econnreset.js create mode 100644 test/disabled/test-tls-empty-sni-context.js create mode 100644 test/disabled/test-tls-env-bad-extra-ca.js create mode 100644 test/disabled/test-tls-env-extra-ca.js create mode 100644 test/disabled/test-tls-external-accessor.js create mode 100644 test/disabled/test-tls-fast-writing.js create mode 100644 test/disabled/test-tls-friendly-error-message.js create mode 100644 test/disabled/test-tls-getcipher.js create mode 100644 test/disabled/test-tls-getprotocol.js create mode 100644 test/disabled/test-tls-handshake-error.js create mode 100644 test/disabled/test-tls-handshake-nohang.js create mode 100644 test/disabled/test-tls-hello-parser-failure.js create mode 100644 test/disabled/test-tls-honorcipherorder.js create mode 100644 test/disabled/test-tls-inception.js create mode 100644 test/disabled/test-tls-interleave.js create mode 100644 test/disabled/test-tls-invoke-queued.js create mode 100644 test/disabled/test-tls-js-stream.js create mode 100644 test/disabled/test-tls-junk-closes-server.js create mode 100644 test/disabled/test-tls-junk-server.js create mode 100644 test/disabled/test-tls-key-mismatch.js create mode 100644 test/disabled/test-tls-legacy-onselect.js create mode 100644 test/disabled/test-tls-max-send-fragment.js create mode 100644 test/disabled/test-tls-multi-key.js create mode 100644 test/disabled/test-tls-no-cert-required.js create mode 100644 test/disabled/test-tls-no-rsa-key.js create mode 100644 test/disabled/test-tls-no-sslv23.js create mode 100644 test/disabled/test-tls-no-sslv3.js create mode 100644 test/disabled/test-tls-npn-server-client.js create mode 100644 test/disabled/test-tls-ocsp-callback.js create mode 100644 test/disabled/test-tls-on-empty-socket.js create mode 100644 test/disabled/test-tls-over-http-tunnel.js create mode 100644 test/disabled/test-tls-parse-cert-string.js create mode 100644 test/disabled/test-tls-passphrase.js create mode 100644 test/disabled/test-tls-pause.js create mode 100644 test/disabled/test-tls-peer-certificate-encoding.js create mode 100644 test/disabled/test-tls-peer-certificate-multi-keys.js create mode 100644 test/disabled/test-tls-peer-certificate.js create mode 100644 test/disabled/test-tls-pfx-gh-5100-regr.js create mode 100644 test/disabled/test-tls-regr-gh-5108.js create mode 100644 test/disabled/test-tls-request-timeout.js create mode 100644 test/disabled/test-tls-retain-handle-no-abort.js create mode 100644 test/disabled/test-tls-securepair-fiftharg.js create mode 100644 test/disabled/test-tls-securepair-server.js create mode 100644 test/disabled/test-tls-server-connection-server.js create mode 100644 test/disabled/test-tls-server-failed-handshake-emits-clienterror.js create mode 100644 test/disabled/test-tls-server-verify.js create mode 100644 test/disabled/test-tls-session-cache.js create mode 100644 test/disabled/test-tls-set-ciphers.js create mode 100644 test/disabled/test-tls-set-encoding.js create mode 100644 test/disabled/test-tls-sni-option.js create mode 100644 test/disabled/test-tls-sni-server-client.js create mode 100644 test/disabled/test-tls-socket-close.js create mode 100644 test/disabled/test-tls-socket-default-options.js create mode 100644 test/disabled/test-tls-socket-destroy.js create mode 100644 test/disabled/test-tls-socket-failed-handshake-emits-error.js create mode 100644 test/disabled/test-tls-startcom-wosign-whitelist.js create mode 100644 test/disabled/test-tls-starttls-server.js create mode 100644 test/disabled/test-tls-ticket-cluster.js create mode 100644 test/disabled/test-tls-ticket.js create mode 100644 test/disabled/test-tls-timeout-server-2.js create mode 100644 test/disabled/test-tls-timeout-server.js create mode 100644 test/disabled/test-tls-two-cas-one-string.js create mode 100644 test/disabled/test-tls-wrap-no-abort.js create mode 100644 test/disabled/test-tls-wrap-timeout.js create mode 100644 test/disabled/test-tls-writewrap-leak.js create mode 100644 test/disabled/test-tls-zero-clear-in.js delete mode 100644 test/parallel/test-crypto-dh.js delete mode 100644 test/parallel/test-crypto-fips.js delete mode 100644 test/parallel/test-tls-0-dns-altname.js delete mode 100644 test/parallel/test-tls-addca.js delete mode 100644 test/parallel/test-tls-alert-handling.js delete mode 100644 test/parallel/test-tls-alert.js delete mode 100644 test/parallel/test-tls-alpn-server-client.js delete mode 100644 test/parallel/test-tls-async-cb-after-socket-end.js delete mode 100644 test/parallel/test-tls-basic-validations.js delete mode 100644 test/parallel/test-tls-ca-concat.js delete mode 100644 test/parallel/test-tls-cert-chains-concat.js delete mode 100644 test/parallel/test-tls-cert-chains-in-ca.js delete mode 100644 test/parallel/test-tls-cert-regression.js delete mode 100644 test/parallel/test-tls-check-server-identity.js delete mode 100644 test/parallel/test-tls-cipher-list.js delete mode 100644 test/parallel/test-tls-client-abort.js delete mode 100644 test/parallel/test-tls-client-abort2.js delete mode 100644 test/parallel/test-tls-client-default-ciphers.js delete mode 100644 test/parallel/test-tls-client-destroy-soon.js delete mode 100644 test/parallel/test-tls-client-getephemeralkeyinfo.js delete mode 100644 test/parallel/test-tls-client-mindhsize.js delete mode 100644 test/parallel/test-tls-client-reject.js delete mode 100644 test/parallel/test-tls-client-resume.js delete mode 100644 test/parallel/test-tls-client-verify.js delete mode 100644 test/parallel/test-tls-close-error.js delete mode 100644 test/parallel/test-tls-close-notify.js delete mode 100644 test/parallel/test-tls-cnnic-whitelist.js delete mode 100644 test/parallel/test-tls-connect-address-family.js delete mode 100644 test/parallel/test-tls-connect-given-socket.js delete mode 100644 test/parallel/test-tls-connect-no-host.js delete mode 100644 test/parallel/test-tls-connect-pipe.js delete mode 100644 test/parallel/test-tls-connect-secure-context.js delete mode 100644 test/parallel/test-tls-connect-simple.js delete mode 100644 test/parallel/test-tls-connect-stream-writes.js delete mode 100644 test/parallel/test-tls-connect.js delete mode 100644 test/parallel/test-tls-delayed-attach-error.js delete mode 100644 test/parallel/test-tls-delayed-attach.js delete mode 100644 test/parallel/test-tls-destroy-whilst-write.js delete mode 100644 test/parallel/test-tls-dhe.js delete mode 100644 test/parallel/test-tls-ecdh-disable.js delete mode 100644 test/parallel/test-tls-ecdh.js delete mode 100644 test/parallel/test-tls-econnreset.js delete mode 100644 test/parallel/test-tls-empty-sni-context.js delete mode 100644 test/parallel/test-tls-env-bad-extra-ca.js delete mode 100644 test/parallel/test-tls-env-extra-ca.js delete mode 100644 test/parallel/test-tls-external-accessor.js delete mode 100644 test/parallel/test-tls-fast-writing.js delete mode 100644 test/parallel/test-tls-friendly-error-message.js delete mode 100644 test/parallel/test-tls-getcipher.js delete mode 100644 test/parallel/test-tls-getprotocol.js delete mode 100644 test/parallel/test-tls-handshake-error.js delete mode 100644 test/parallel/test-tls-handshake-nohang.js delete mode 100644 test/parallel/test-tls-hello-parser-failure.js delete mode 100644 test/parallel/test-tls-honorcipherorder.js delete mode 100644 test/parallel/test-tls-inception.js delete mode 100644 test/parallel/test-tls-interleave.js delete mode 100644 test/parallel/test-tls-invoke-queued.js delete mode 100644 test/parallel/test-tls-js-stream.js delete mode 100644 test/parallel/test-tls-junk-closes-server.js delete mode 100644 test/parallel/test-tls-junk-server.js delete mode 100644 test/parallel/test-tls-key-mismatch.js delete mode 100644 test/parallel/test-tls-legacy-onselect.js delete mode 100644 test/parallel/test-tls-max-send-fragment.js delete mode 100644 test/parallel/test-tls-multi-key.js delete mode 100644 test/parallel/test-tls-no-cert-required.js delete mode 100644 test/parallel/test-tls-no-rsa-key.js delete mode 100644 test/parallel/test-tls-no-sslv23.js delete mode 100644 test/parallel/test-tls-no-sslv3.js delete mode 100644 test/parallel/test-tls-npn-server-client.js delete mode 100644 test/parallel/test-tls-ocsp-callback.js delete mode 100644 test/parallel/test-tls-on-empty-socket.js delete mode 100644 test/parallel/test-tls-over-http-tunnel.js delete mode 100644 test/parallel/test-tls-parse-cert-string.js delete mode 100644 test/parallel/test-tls-passphrase.js delete mode 100644 test/parallel/test-tls-pause.js delete mode 100644 test/parallel/test-tls-peer-certificate-encoding.js delete mode 100644 test/parallel/test-tls-peer-certificate-multi-keys.js delete mode 100644 test/parallel/test-tls-peer-certificate.js delete mode 100644 test/parallel/test-tls-pfx-gh-5100-regr.js delete mode 100644 test/parallel/test-tls-regr-gh-5108.js delete mode 100644 test/parallel/test-tls-request-timeout.js delete mode 100644 test/parallel/test-tls-retain-handle-no-abort.js delete mode 100644 test/parallel/test-tls-securepair-fiftharg.js delete mode 100644 test/parallel/test-tls-securepair-server.js delete mode 100644 test/parallel/test-tls-server-connection-server.js delete mode 100644 test/parallel/test-tls-server-failed-handshake-emits-clienterror.js delete mode 100644 test/parallel/test-tls-server-verify.js delete mode 100644 test/parallel/test-tls-session-cache.js delete mode 100644 test/parallel/test-tls-set-ciphers.js delete mode 100644 test/parallel/test-tls-set-encoding.js delete mode 100644 test/parallel/test-tls-sni-option.js delete mode 100644 test/parallel/test-tls-sni-server-client.js delete mode 100644 test/parallel/test-tls-socket-close.js delete mode 100644 test/parallel/test-tls-socket-default-options.js delete mode 100644 test/parallel/test-tls-socket-destroy.js delete mode 100644 test/parallel/test-tls-socket-failed-handshake-emits-error.js delete mode 100644 test/parallel/test-tls-startcom-wosign-whitelist.js delete mode 100644 test/parallel/test-tls-starttls-server.js delete mode 100644 test/parallel/test-tls-ticket-cluster.js delete mode 100644 test/parallel/test-tls-ticket.js delete mode 100644 test/parallel/test-tls-timeout-server-2.js delete mode 100644 test/parallel/test-tls-timeout-server.js delete mode 100644 test/parallel/test-tls-two-cas-one-string.js delete mode 100644 test/parallel/test-tls-wrap-no-abort.js delete mode 100644 test/parallel/test-tls-wrap-timeout.js delete mode 100644 test/parallel/test-tls-writewrap-leak.js delete mode 100644 test/parallel/test-tls-zero-clear-in.js diff --git a/test/disabled/test-crypto-dh.js b/test/disabled/test-crypto-dh.js new file mode 100644 index 0000000..547629e --- /dev/null +++ b/test/disabled/test-crypto-dh.js @@ -0,0 +1,319 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const crypto = require('crypto'); + +const DH_NOT_SUITABLE_GENERATOR = crypto.constants.DH_NOT_SUITABLE_GENERATOR; + +// Test Diffie-Hellman with two parties sharing a secret, +// using various encodings as we go along +const dh1 = crypto.createDiffieHellman(common.hasFipsCrypto ? 1024 : 256); +const p1 = dh1.getPrime('buffer'); +const dh2 = crypto.createDiffieHellman(p1, 'buffer'); +let key1 = dh1.generateKeys(); +let key2 = dh2.generateKeys('hex'); +let secret1 = dh1.computeSecret(key2, 'hex', 'base64'); +let secret2 = dh2.computeSecret(key1, 'latin1', 'buffer'); + +assert.strictEqual(secret2.toString('base64'), secret1); +assert.strictEqual(dh1.verifyError, 0); +assert.strictEqual(dh2.verifyError, 0); + +const argumentsError = + /^TypeError: First argument should be number, string or Buffer$/; + +assert.throws(() => { + crypto.createDiffieHellman([0x1, 0x2]); +}, argumentsError); + +assert.throws(() => { + crypto.createDiffieHellman(() => { }); +}, argumentsError); + +assert.throws(() => { + crypto.createDiffieHellman(/abc/); +}, argumentsError); + +assert.throws(() => { + crypto.createDiffieHellman({}); +}, argumentsError); + +// Create "another dh1" using generated keys from dh1, +// and compute secret again +const dh3 = crypto.createDiffieHellman(p1, 'buffer'); +const privkey1 = dh1.getPrivateKey(); +dh3.setPublicKey(key1); +dh3.setPrivateKey(privkey1); + +assert.deepStrictEqual(dh1.getPrime(), dh3.getPrime()); +assert.deepStrictEqual(dh1.getGenerator(), dh3.getGenerator()); +assert.deepStrictEqual(dh1.getPublicKey(), dh3.getPublicKey()); +assert.deepStrictEqual(dh1.getPrivateKey(), dh3.getPrivateKey()); +assert.strictEqual(dh3.verifyError, 0); + +const secret3 = dh3.computeSecret(key2, 'hex', 'base64'); + +assert.strictEqual(secret1, secret3); + +const wrongBlockLength = + new RegExp('^Error: error:0606506D:digital envelope' + + ' routines:EVP_DecryptFinal_ex:wrong final block length$'); + +// Run this one twice to make sure that the dh3 clears its error properly +{ + const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), ''); + assert.throws(() => { + c.final('utf8'); + }, wrongBlockLength); +} + +{ + const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), ''); + assert.throws(() => { + c.final('utf8'); + }, wrongBlockLength); +} + +assert.throws(() => { + dh3.computeSecret(''); +}, /^Error: Supplied key is too small$/); + +// Create a shared using a DH group. +const alice = crypto.createDiffieHellmanGroup('modp5'); +const bob = crypto.createDiffieHellmanGroup('modp5'); +alice.generateKeys(); +bob.generateKeys(); +const aSecret = alice.computeSecret(bob.getPublicKey()).toString('hex'); +const bSecret = bob.computeSecret(alice.getPublicKey()).toString('hex'); +assert.strictEqual(aSecret, bSecret); +assert.strictEqual(alice.verifyError, DH_NOT_SUITABLE_GENERATOR); +assert.strictEqual(bob.verifyError, DH_NOT_SUITABLE_GENERATOR); + +/* Ensure specific generator (buffer) works as expected. + * The values below (modp2/modp2buf) are for a 1024 bits long prime from + * RFC 2412 E.2, see https://tools.ietf.org/html/rfc2412. */ +const modp2 = crypto.createDiffieHellmanGroup('modp2'); +const modp2buf = Buffer.from([ + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, + 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, + 0x80, 0xdc, 0x1c, 0xd1, 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, + 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, + 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, 0xef, 0x95, + 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, + 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, + 0xc2, 0x45, 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, + 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, + 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, 0xee, 0x38, 0x6b, 0xfb, + 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, + 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff +]); +const exmodp2 = crypto.createDiffieHellman(modp2buf, Buffer.from([2])); +modp2.generateKeys(); +exmodp2.generateKeys(); +let modp2Secret = modp2.computeSecret(exmodp2.getPublicKey()).toString('hex'); +const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey()) + .toString('hex'); +assert.strictEqual(modp2Secret, exmodp2Secret); +assert.strictEqual(modp2.verifyError, DH_NOT_SUITABLE_GENERATOR); +assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR); + + +// Ensure specific generator (string with encoding) works as expected. +const exmodp2_2 = crypto.createDiffieHellman(modp2buf, '02', 'hex'); +exmodp2_2.generateKeys(); +modp2Secret = modp2.computeSecret(exmodp2_2.getPublicKey()).toString('hex'); +const exmodp2_2Secret = exmodp2_2.computeSecret(modp2.getPublicKey()) + .toString('hex'); +assert.strictEqual(modp2Secret, exmodp2_2Secret); +assert.strictEqual(exmodp2_2.verifyError, DH_NOT_SUITABLE_GENERATOR); + + +// Ensure specific generator (string without encoding) works as expected. +const exmodp2_3 = crypto.createDiffieHellman(modp2buf, '\x02'); +exmodp2_3.generateKeys(); +modp2Secret = modp2.computeSecret(exmodp2_3.getPublicKey()).toString('hex'); +const exmodp2_3Secret = exmodp2_3.computeSecret(modp2.getPublicKey()) + .toString('hex'); +assert.strictEqual(modp2Secret, exmodp2_3Secret); +assert.strictEqual(exmodp2_3.verifyError, DH_NOT_SUITABLE_GENERATOR); + + +// Ensure specific generator (numeric) works as expected. +const exmodp2_4 = crypto.createDiffieHellman(modp2buf, 2); +exmodp2_4.generateKeys(); +modp2Secret = modp2.computeSecret(exmodp2_4.getPublicKey()).toString('hex'); +const exmodp2_4Secret = exmodp2_4.computeSecret(modp2.getPublicKey()) + .toString('hex'); +assert.strictEqual(modp2Secret, exmodp2_4Secret); +assert.strictEqual(exmodp2_4.verifyError, DH_NOT_SUITABLE_GENERATOR); + + +const p = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' + + '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' + + '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' + + 'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF'; +const bad_dh = crypto.createDiffieHellman(p, 'hex'); +assert.strictEqual(bad_dh.verifyError, DH_NOT_SUITABLE_GENERATOR); + + +const availableCurves = new Set(crypto.getCurves()); + +// Oakley curves do not clean up ERR stack, it was causing unexpected failure +// when accessing other OpenSSL APIs afterwards. +if (availableCurves.has('Oakley-EC2N-3')) { + crypto.createECDH('Oakley-EC2N-3'); + crypto.createHash('sha256'); +} + +// Test ECDH +if (availableCurves.has('prime256v1') && availableCurves.has('secp256k1')) { + const ecdh1 = crypto.createECDH('prime256v1'); + const ecdh2 = crypto.createECDH('prime256v1'); + key1 = ecdh1.generateKeys(); + key2 = ecdh2.generateKeys('hex'); + secret1 = ecdh1.computeSecret(key2, 'hex', 'base64'); + secret2 = ecdh2.computeSecret(key1, 'latin1', 'buffer'); + + assert.strictEqual(secret1, secret2.toString('base64')); + + // Point formats + assert.strictEqual(ecdh1.getPublicKey('buffer', 'uncompressed')[0], 4); + let firstByte = ecdh1.getPublicKey('buffer', 'compressed')[0]; + assert(firstByte === 2 || firstByte === 3); + firstByte = ecdh1.getPublicKey('buffer', 'hybrid')[0]; + assert(firstByte === 6 || firstByte === 7); + // format value should be string + assert.throws(() => { + ecdh1.getPublicKey('buffer', 10); + }, /^TypeError: Bad format: 10$/); + + // ECDH should check that point is on curve + const ecdh3 = crypto.createECDH('secp256k1'); + const key3 = ecdh3.generateKeys(); + + assert.throws(() => { + ecdh2.computeSecret(key3, 'latin1', 'buffer'); + }, /^Error: Failed to translate Buffer to a EC_POINT$/); + + // ECDH should allow .setPrivateKey()/.setPublicKey() + const ecdh4 = crypto.createECDH('prime256v1'); + + ecdh4.setPrivateKey(ecdh1.getPrivateKey()); + ecdh4.setPublicKey(ecdh1.getPublicKey()); + + assert.throws(() => { + ecdh4.setPublicKey(ecdh3.getPublicKey()); + }, /^Error: Failed to convert Buffer to EC_POINT$/); + + // Verify that we can use ECDH without having to use newly generated keys. + const ecdh5 = crypto.createECDH('secp256k1'); + + // Verify errors are thrown when retrieving keys from an uninitialized object. + assert.throws(() => { + ecdh5.getPublicKey(); + }, /^Error: Failed to get ECDH public key$/); + + assert.throws(() => { + ecdh5.getPrivateKey(); + }, /^Error: Failed to get ECDH private key$/); + + // A valid private key for the secp256k1 curve. + const cafebabeKey = 'cafebabe'.repeat(8); + // Associated compressed and uncompressed public keys (points). + const cafebabePubPtComp = + '03672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3'; + const cafebabePubPtUnComp = + '04672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3' + + '2e02c7f93d13dc2732b760ca377a5897b9dd41a1c1b29dc0442fdce6d0a04d1d'; + ecdh5.setPrivateKey(cafebabeKey, 'hex'); + assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey); + // Show that the public point (key) is generated while setting the + // private key. + assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); + + // Compressed and uncompressed public points/keys for other party's + // private key. + // 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF + const peerPubPtComp = + '02c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae'; + const peerPubPtUnComp = + '04c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae' + + 'b651944a574a362082a77e3f2b5d9223eb54d7f2f76846522bf75f3bedb8178e'; + + const sharedSecret = + '1da220b5329bbe8bfd19ceef5a5898593f411a6f12ea40f2a8eead9a5cf59970'; + + assert.strictEqual(ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex'), + sharedSecret); + assert.strictEqual(ecdh5.computeSecret(peerPubPtUnComp, 'hex', 'hex'), + sharedSecret); + + // Verify that we still have the same key pair as before the computation. + assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey); + assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); + + // Verify setting and getting compressed and non-compressed serializations. + ecdh5.setPublicKey(cafebabePubPtComp, 'hex'); + assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); + assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'), + cafebabePubPtComp); + ecdh5.setPublicKey(cafebabePubPtUnComp, 'hex'); + assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); + assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'), + cafebabePubPtComp); + + // Show why allowing the public key to be set on this type + // does not make sense. + ecdh5.setPublicKey(peerPubPtComp, 'hex'); + assert.strictEqual(ecdh5.getPublicKey('hex'), peerPubPtUnComp); + assert.throws(() => { + // Error because the public key does not match the private key anymore. + ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex'); + }, /^Error: Invalid key pair$/); + + // Set to a valid key to show that later attempts to set an invalid key are + // rejected. + ecdh5.setPrivateKey(cafebabeKey, 'hex'); + + // Some invalid private keys for the secp256k1 curve. + const errMessage = /^Error: Private key is not valid for specified curve.$/; + ['0000000000000000000000000000000000000000000000000000000000000000', + 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141', + 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF', + ].forEach((element) => { + assert.throws(() => { + ecdh5.setPrivateKey(element, 'hex'); + }, errMessage); + // Verify object state did not change. + assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey); + }); + + // Use of invalid keys was not cleaning up ERR stack, and was causing + // unexpected failure in subsequent signing operations. + const ecdh6 = crypto.createECDH('prime256v1'); + const invalidKey = Buffer.alloc(65); + invalidKey.fill('\0'); + ecdh6.generateKeys(); + assert.throws(() => { + ecdh6.computeSecret(invalidKey); + }, /^Error: Failed to translate Buffer to a EC_POINT$/); + // Check that signing operations are not impacted by the above error. + const ecPrivateKey = + '-----BEGIN EC PRIVATE KEY-----\n' + + 'MHcCAQEEIF+jnWY1D5kbVYDNvxxo/Y+ku2uJPDwS0r/VuPZQrjjVoAoGCCqGSM49\n' + + 'AwEHoUQDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNhB8i3mXyIMq704m2m52FdfKZ2\n' + + 'pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==\n' + + '-----END EC PRIVATE KEY-----'; + assert.doesNotThrow(() => { + crypto.createSign('SHA256').sign(ecPrivateKey); + }); +} + +// invalid test: curve argument is undefined +assert.throws(() => { + crypto.createECDH(); +}, /^TypeError: "curve" argument should be a string$/); diff --git a/test/disabled/test-crypto-fips.js b/test/disabled/test-crypto-fips.js new file mode 100644 index 0000000..e3f49e6 --- /dev/null +++ b/test/disabled/test-crypto-fips.js @@ -0,0 +1,235 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const spawnSync = require('child_process').spawnSync; +const path = require('path'); + +const FIPS_ENABLED = 1; +const FIPS_DISABLED = 0; +const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode'; +const OPTION_ERROR_STRING = 'bad option'; +const CNF_FIPS_ON = path.join(common.fixturesDir, 'openssl_fips_enabled.cnf'); +const CNF_FIPS_OFF = path.join(common.fixturesDir, 'openssl_fips_disabled.cnf'); +let num_children_ok = 0; + +function compiledWithFips() { + return process.config.variables.openssl_fips ? true : false; +} + +function sharedOpenSSL() { + return process.config.variables.node_shared_openssl; +} + +function addToEnv(newVar, value) { + const envCopy = {}; + for (const e in process.env) { + envCopy[e] = process.env[e]; + } + envCopy[newVar] = value; + return envCopy; +} + +function testHelper(stream, args, expectedOutput, cmd, env) { + const fullArgs = args.concat(['-e', `console.log(${cmd})`]); + const child = spawnSync(process.execPath, fullArgs, { + cwd: path.dirname(process.execPath), + env: env + }); + + console.error( + `Spawned child [pid:${child.pid}] with cmd '${cmd}' expect %j with args '${ + args}' OPENSSL_CONF=%j`, expectedOutput, env.OPENSSL_CONF); + + function childOk(child) { + console.error(`Child #${++num_children_ok} [pid:${child.pid}] OK.`); + } + + function responseHandler(buffer, expectedOutput) { + const response = buffer.toString(); + assert.notStrictEqual(0, response.length); + if (FIPS_ENABLED !== expectedOutput && FIPS_DISABLED !== expectedOutput) { + // In the case of expected errors just look for a substring. + assert.notStrictEqual(-1, response.indexOf(expectedOutput)); + } else { + // Normal path where we expect either FIPS enabled or disabled. + assert.strictEqual(expectedOutput, Number(response)); + } + childOk(child); + } + + responseHandler(child[stream], expectedOutput); +} + +// By default FIPS should be off in both FIPS and non-FIPS builds. +testHelper( + 'stdout', + [], + FIPS_DISABLED, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', '')); + +// --enable-fips should turn FIPS mode on +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--enable-fips'], + compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, + 'require("crypto").fips', + process.env); + +//--force-fips should turn FIPS mode on +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--force-fips'], + compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, + 'require("crypto").fips', + process.env); + +// If Node was configured using --shared-openssl fips support might be +// available depending on how OpenSSL was built. If fips support is +// available the tests that toggle the fips_mode on/off using the config +// file option will succeed and return 1 instead of 0. +// +// Note that this case is different from when calling the fips setter as the +// configuration file is handled by OpenSSL, so it is not possible for us +// to try to call the fips setter, to try to detect this situation, as +// that would throw an error: +// ("Error: Cannot set FIPS mode in a non-FIPS build."). +// Due to this uncertanty the following tests are skipped when configured +// with --shared-openssl. +if (!sharedOpenSSL()) { + // OpenSSL config file should be able to turn on FIPS mode + testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], + compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").fips', + process.env); + + // OPENSSL_CONF should be able to turn on FIPS mode + testHelper( + 'stdout', + [], + compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_ON)); + + // --openssl-config option should override OPENSSL_CONF + testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_ON}`], + compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); +} + +testHelper( + 'stdout', + [`--openssl-config=${CNF_FIPS_OFF}`], + FIPS_DISABLED, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_ON)); + +// --enable-fips should take precedence over OpenSSL config file +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`], + compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, + 'require("crypto").fips', + process.env); + +// OPENSSL_CONF should _not_ make a difference to --enable-fips +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--enable-fips'], + compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); + +// --force-fips should take precedence over OpenSSL config file +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`], + compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, + 'require("crypto").fips', + process.env); + +// Using OPENSSL_CONF should not make a difference to --force-fips +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--force-fips'], + compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, + 'require("crypto").fips', + addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); + +// setFipsCrypto should be able to turn FIPS mode on +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + [], + compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING, + '(require("crypto").fips = true,' + + 'require("crypto").fips)', + process.env); + +// setFipsCrypto should be able to turn FIPS mode on and off +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + [], + compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING, + '(require("crypto").fips = true,' + + 'require("crypto").fips = false,' + + 'require("crypto").fips)', + process.env); + +// setFipsCrypto takes precedence over OpenSSL config file, FIPS on +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + [`--openssl-config=${CNF_FIPS_OFF}`], + compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING, + '(require("crypto").fips = true,' + + 'require("crypto").fips)', + process.env); + +// setFipsCrypto takes precedence over OpenSSL config file, FIPS off +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + [`--openssl-config=${CNF_FIPS_ON}`], + compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING, + '(require("crypto").fips = false,' + + 'require("crypto").fips)', + process.env); + +// --enable-fips does not prevent use of setFipsCrypto API +testHelper( + compiledWithFips() ? 'stdout' : 'stderr', + ['--enable-fips'], + compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING, + '(require("crypto").fips = false,' + + 'require("crypto").fips)', + process.env); + +// --force-fips prevents use of setFipsCrypto API +testHelper( + 'stderr', + ['--force-fips'], + compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING, + 'require("crypto").fips = false', + process.env); + +// --force-fips and --enable-fips order does not matter +testHelper( + 'stderr', + ['--force-fips', '--enable-fips'], + compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING, + 'require("crypto").fips = false', + process.env); + +//--enable-fips and --force-fips order does not matter +testHelper( + 'stderr', + ['--enable-fips', '--force-fips'], + compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING, + 'require("crypto").fips = false', + process.env); diff --git a/test/disabled/test-tls-0-dns-altname.js b/test/disabled/test-tls-0-dns-altname.js new file mode 100644 index 0000000..85ddb7d --- /dev/null +++ b/test/disabled/test-tls-0-dns-altname.js @@ -0,0 +1,33 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408. + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-cert.pem`) +}, function(c) { + c.once('data', function() { + c.destroy(); + server.close(); + }); +}).listen(0, common.mustCall(function() { + const c = tls.connect(this.address().port, { + rejectUnauthorized: false + }, common.mustCall(function() { + const cert = c.getPeerCertificate(); + assert.strictEqual(cert.subjectaltname, + 'DNS:good.example.org\0.evil.example.com, ' + + 'DNS:just-another.example.com, ' + + 'IP Address:8.8.8.8, ' + + 'IP Address:8.8.4.4, ' + + 'DNS:last.example.com'); + c.write('ok'); + })); +})); diff --git a/test/disabled/test-tls-addca.js b/test/disabled/test-tls-addca.js new file mode 100644 index 0000000..7a6f9a7 --- /dev/null +++ b/test/disabled/test-tls-addca.js @@ -0,0 +1,50 @@ +'use strict'; +const common = require('../common'); + +// Adding a CA certificate to contextWithCert should not also add it to +// contextWithoutCert. This is tested by trying to connect to a server that +// depends on that CA using contextWithoutCert. + +const join = require('path').join; +const { + assert, connect, keys, tls +} = require(join(common.fixturesDir, 'tls-connect'))(); + +const contextWithoutCert = tls.createSecureContext({}); +const contextWithCert = tls.createSecureContext({}); +contextWithCert.context.addCACert(keys.agent1.ca); + +const serverOptions = { + key: keys.agent1.key, + cert: keys.agent1.cert, +}; + +const clientOptions = { + ca: [keys.agent1.ca], + servername: 'agent1', + rejectUnauthorized: true, +}; + +// This client should fail to connect because it doesn't trust the CA +// certificate. +clientOptions.secureContext = contextWithoutCert; + +connect({ + client: clientOptions, + server: serverOptions, +}, function(err, pair, cleanup) { + assert(err); + assert.strictEqual(err.message, 'unable to verify the first certificate'); + cleanup(); + + // This time it should connect because contextWithCert includes the needed CA + // certificate. + clientOptions.secureContext = contextWithCert; + connect({ + client: clientOptions, + server: serverOptions, + }, function(err, pair, cleanup) { + assert.ifError(err); + cleanup(); + }); +}); diff --git a/test/disabled/test-tls-alert-handling.js b/test/disabled/test-tls-alert-handling.js new file mode 100644 index 0000000..0b34472 --- /dev/null +++ b/test/disabled/test-tls-alert-handling.js @@ -0,0 +1,78 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('node compiled without OpenSSL CLI.'); + +const fs = require('fs'); +const net = require('net'); +const path = require('path'); +const tls = require('tls'); + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const opts = { + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert') +}; +const max_iter = 20; +let iter = 0; + +const server = tls.createServer(opts, function(s) { + s.pipe(s); + s.on('error', function() { + // ignore error + }); +}); + +server.listen(0, function() { + sendClient(); +}); + + +function sendClient() { + const client = tls.connect(server.address().port, { + rejectUnauthorized: false + }); + client.on('data', common.mustCall(function() { + if (iter++ === 2) sendBADTLSRecord(); + if (iter < max_iter) { + client.write('a'); + return; + } + client.end(); + server.close(); + }, max_iter)); + client.write('a'); + client.on('error', function() { + // ignore error + }); + client.on('close', function() { + server.close(); + }); +} + + +function sendBADTLSRecord() { + const BAD_RECORD = Buffer.from([0xff, 0xff, 0xff, 0xff, 0xff, 0xff]); + const socket = net.connect(server.address().port); + const client = tls.connect({ + socket: socket, + rejectUnauthorized: false + }, function() { + socket.write(BAD_RECORD); + socket.end(); + }); + client.on('error', function() { + // ignore error + }); +} diff --git a/test/disabled/test-tls-alert.js b/test/disabled/test-tls-alert.js new file mode 100644 index 0000000..a48002d --- /dev/null +++ b/test/disabled/test-tls-alert.js @@ -0,0 +1,50 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('node compiled without OpenSSL CLI.'); + +const assert = require('assert'); +const { spawn } = require('child_process'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +let success = false; + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const server = tls.Server({ + secureProtocol: 'TLSv1_2_server_method', + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert') +}, null).listen(0, function() { + const args = ['s_client', '-quiet', '-tls1_1', + '-connect', `127.0.0.1:${this.address().port}`]; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + args.push('-no_rand_screen'); + + const client = spawn(common.opensslCli, args); + let out = ''; + client.stderr.setEncoding('utf8'); + client.stderr.on('data', function(d) { + out += d; + if (/SSL alert number 70/.test(out)) { + success = true; + server.close(); + } + }); +}); +process.on('exit', function() { + assert(success); +}); diff --git a/test/disabled/test-tls-alpn-server-client.js b/test/disabled/test-tls-alpn-server-client.js new file mode 100644 index 0000000..56f925b --- /dev/null +++ b/test/disabled/test-tls-alpn-server-client.js @@ -0,0 +1,538 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!process.features.tls_alpn || !process.features.tls_npn) { + common.skip( + 'Skipping because node compiled without NPN or ALPN feature of OpenSSL.'); +} + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const serverIP = common.localhostIPv4; + +function checkResults(result, expected) { + assert.strictEqual(result.server.ALPN, expected.server.ALPN); + assert.strictEqual(result.server.NPN, expected.server.NPN); + assert.strictEqual(result.client.ALPN, expected.client.ALPN); + assert.strictEqual(result.client.NPN, expected.client.NPN); +} + +function runTest(clientsOptions, serverOptions, cb) { + serverOptions.key = loadPEM('agent2-key'); + serverOptions.cert = loadPEM('agent2-cert'); + const results = []; + let index = 0; + const server = tls.createServer(serverOptions, function(c) { + results[index].server = {ALPN: c.alpnProtocol, NPN: c.npnProtocol}; + }); + + server.listen(0, serverIP, function() { + connectClient(clientsOptions); + }); + + function connectClient(options) { + const opt = options.shift(); + opt.port = server.address().port; + opt.host = serverIP; + opt.rejectUnauthorized = false; + + results[index] = {}; + const client = tls.connect(opt, function() { + results[index].client = {ALPN: client.alpnProtocol, + NPN: client.npnProtocol}; + client.destroy(); + if (options.length) { + index++; + connectClient(options); + } else { + server.close(); + cb(results); + } + }); + } + +} + +// Server: ALPN/NPN, Client: ALPN/NPN +function Test1() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + ALPNProtocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'], + NPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by ALPN + checkResults(results[0], + {server: {ALPN: 'a', NPN: false}, + client: {ALPN: 'a', NPN: undefined}}); + // 'b' is selected by ALPN + checkResults(results[1], + {server: {ALPN: 'b', NPN: false}, + client: {ALPN: 'b', NPN: undefined}}); + // nothing is selected by ALPN + checkResults(results[2], + {server: {ALPN: false, NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test2(); + }); +} + +// Server: ALPN/NPN, Client: ALPN +function Test2() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + ALPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by ALPN + checkResults(results[0], + {server: {ALPN: 'a', NPN: false}, + client: {ALPN: 'a', NPN: undefined}}); + // 'b' is selected by ALPN + checkResults(results[1], + {server: {ALPN: 'b', NPN: false}, + client: {ALPN: 'b', NPN: undefined}}); + // nothing is selected by ALPN + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test3(); + }); +} + +// Server: ALPN/NPN, Client: NPN +function Test3() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + NPNProtocols: ['a', 'b', 'c'] + }, { + NPPNProtocols: ['c', 'b', 'e'] + }, { + NPPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by NPN + checkResults(results[0], + {server: {ALPN: false, NPN: 'a'}, + client: {ALPN: false, NPN: 'a'}}); + // nothing is selected by ALPN + checkResults(results[1], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test4(); + }); +} + +// Server: ALPN/NPN, Client: Nothing +function Test4() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{}, {}, {}]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected by ALPN + checkResults(results[0], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[1], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test5(); + }); +} + +// Server: ALPN, Client: ALPN/NPN +function Test5() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + ALPNProtocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'], + NPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by ALPN + checkResults(results[0], {server: {ALPN: 'a', NPN: false}, + client: {ALPN: 'a', NPN: undefined}}); + // 'b' is selected by ALPN + checkResults(results[1], {server: {ALPN: 'b', NPN: false}, + client: {ALPN: 'b', NPN: undefined}}); + // nothing is selected by ALPN + checkResults(results[2], {server: {ALPN: false, + NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test6(); + }); +} + +// Server: ALPN, Client: ALPN +function Test6() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + ALPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by ALPN + checkResults(results[0], {server: {ALPN: 'a', NPN: false}, + client: {ALPN: 'a', NPN: undefined}}); + // 'b' is selected by ALPN + checkResults(results[1], {server: {ALPN: 'b', NPN: false}, + client: {ALPN: 'b', NPN: undefined}}); + // nothing is selected by ALPN + checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test7(); + }); +} + +// Server: ALPN, Client: NPN +function Test7() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + NPNProtocols: ['a', 'b', 'c'] + }, { + NPNProtocols: ['c', 'b', 'e'] + }, { + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected by ALPN + checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[1], {server: {ALPN: false, NPN: 'c'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[2], + {server: {ALPN: false, NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test8(); + }); +} + +// Server: ALPN, Client: Nothing +function Test8() { + const serverOptions = { + ALPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{}, {}, {}]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected by ALPN + checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected by ALPN + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test9(); + }); +} + +// Server: NPN, Client: ALPN/NPN +function Test9() { + const serverOptions = { + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + ALPNrotocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'], + NPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by NPN + checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, + client: {ALPN: false, NPN: 'a'}}); + // 'b' is selected by NPN + checkResults(results[1], {server: {ALPN: false, NPN: 'b'}, + client: {ALPN: false, NPN: 'b'}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test10(); + }); +} + +// Server: NPN, Client: ALPN +function Test10() { + const serverOptions = { + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + ALPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected + checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test11(); + }); +} + +// Server: NPN, Client: NPN +function Test11() { + const serverOptions = { + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{ + NPNProtocols: ['a', 'b', 'c'] + }, { + NPNProtocols: ['c', 'b', 'e'] + }, { + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // 'a' is selected by NPN + checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, + client: {ALPN: false, NPN: 'a'}}); + // 'b' is selected by NPN + checkResults(results[1], {server: {ALPN: false, NPN: 'b'}, + client: {ALPN: false, NPN: 'b'}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test12(); + }); +} + +// Server: NPN, Client: Nothing +function Test12() { + const serverOptions = { + NPNProtocols: ['a', 'b', 'c'] + }; + + const clientsOptions = [{}, {}, {}]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected + checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test13(); + }); +} + +// Server: Nothing, Client: ALPN/NPN +function Test13() { + const serverOptions = {}; + + const clientsOptions = [{ + ALPNrotocols: ['a', 'b', 'c'], + NPNProtocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'], + NPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected + checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[1], {server: {ALPN: false, NPN: 'c'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test14(); + }); +} + +// Server: Nothing, Client: ALPN +function Test14() { + const serverOptions = {}; + + const clientsOptions = [{ + ALPNrotocols: ['a', 'b', 'c'] + }, { + ALPNProtocols: ['c', 'b', 'e'] + }, { + ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected + checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test15(); + }); +} + +// Server: Nothing, Client: NPN +function Test15() { + const serverOptions = {}; + + const clientsOptions = [{ + NPNProtocols: ['a', 'b', 'c'] + }, { + NPNProtocols: ['c', 'b', 'e'] + }, { + NPNProtocols: ['first-priority-unsupported', 'x', 'y'] + }]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected + checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[1], {server: {ALPN: false, NPN: 'c'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'first-priority-unsupported'}, + client: {ALPN: false, NPN: false}}); + // execute next test + Test16(); + }); +} + +// Server: Nothing, Client: Nothing +function Test16() { + const serverOptions = {}; + + const clientsOptions = [{}, {}, {}]; + + runTest(clientsOptions, serverOptions, function(results) { + // nothing is selected + checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + // nothing is selected + checkResults(results[2], + {server: {ALPN: false, NPN: 'http/1.1'}, + client: {ALPN: false, NPN: false}}); + }); +} + +Test1(); diff --git a/test/disabled/test-tls-async-cb-after-socket-end.js b/test/disabled/test-tls-async-cb-after-socket-end.js new file mode 100644 index 0000000..a49b44d --- /dev/null +++ b/test/disabled/test-tls-async-cb-after-socket-end.js @@ -0,0 +1,70 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const path = require('path'); +const fs = require('fs'); +const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET; + +const tls = require('tls'); + +const options = { + secureOptions: SSL_OP_NO_TICKET, + key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), + cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) +}; + +const server = tls.createServer(options, function(c) { +}); + +let sessionCb = null; +let client = null; + +server.on('newSession', function(key, session, done) { + done(); +}); + +server.on('resumeSession', function(id, cb) { + sessionCb = cb; + + next(); +}); + +server.listen(0, function() { + const clientOpts = { + port: this.address().port, + rejectUnauthorized: false, + session: false + }; + + const s1 = tls.connect(clientOpts, function() { + clientOpts.session = s1.getSession(); + console.log('1st secure'); + + s1.destroy(); + const s2 = tls.connect(clientOpts, function(s) { + console.log('2nd secure'); + + s2.destroy(); + }).on('connect', function() { + console.log('2nd connected'); + client = s2; + + next(); + }); + }); +}); + +function next() { + if (!client || !sessionCb) + return; + + client.destroy(); + setTimeout(function() { + sessionCb(); + server.close(); + }, 100); +} diff --git a/test/disabled/test-tls-basic-validations.js b/test/disabled/test-tls-basic-validations.js new file mode 100644 index 0000000..d6c20ea --- /dev/null +++ b/test/disabled/test-tls-basic-validations.js @@ -0,0 +1,53 @@ +'use strict'; + +require('../common'); +const assert = require('assert'); +const tls = require('tls'); + +assert.throws(() => tls.createSecureContext({ciphers: 1}), + /TypeError: Ciphers must be a string/); + +assert.throws(() => tls.createServer({ciphers: 1}), + /TypeError: Ciphers must be a string/); + +assert.throws(() => tls.createSecureContext({key: 'dummykey', passphrase: 1}), + /TypeError: Pass phrase must be a string/); + +assert.throws(() => tls.createServer({key: 'dummykey', passphrase: 1}), + /TypeError: Pass phrase must be a string/); + +assert.throws(() => tls.createServer({ecdhCurve: 1}), + /TypeError: ECDH curve name must be a string/); + +assert.throws(() => tls.createServer({handshakeTimeout: 'abcd'}), + /TypeError: handshakeTimeout must be a number/); + +assert.throws(() => tls.createServer({sessionTimeout: 'abcd'}), + /TypeError: Session timeout must be a 32-bit integer/); + +assert.throws(() => tls.createServer({ticketKeys: 'abcd'}), + /TypeError: Ticket keys must be a buffer/); + +assert.throws(() => tls.createServer({ticketKeys: Buffer.alloc(0)}), + /TypeError: Ticket keys length must be 48 bytes/); + +assert.throws(() => tls.createSecurePair({}), + /Error: First argument must be a tls module SecureContext/); + +{ + const buffer = Buffer.from('abcd'); + const out = {}; + tls.convertALPNProtocols(buffer, out); + out.ALPNProtocols.write('efgh'); + assert(buffer.equals(Buffer.from('abcd'))); + assert(out.ALPNProtocols.equals(Buffer.from('efgh'))); +} + +{ + const buffer = Buffer.from('abcd'); + const out = {}; + tls.convertNPNProtocols(buffer, out); + out.NPNProtocols.write('efgh'); + assert(buffer.equals(Buffer.from('abcd'))); + assert(out.NPNProtocols.equals(Buffer.from('efgh'))); +} diff --git a/test/disabled/test-tls-ca-concat.js b/test/disabled/test-tls-ca-concat.js new file mode 100644 index 0000000..8fa83a4 --- /dev/null +++ b/test/disabled/test-tls-ca-concat.js @@ -0,0 +1,24 @@ +'use strict'; +const common = require('../common'); + +// Check ca option can contain concatenated certs by prepending an unrelated +// non-CA cert and showing that agent6's CA root is still found. + +const join = require('path').join; +const { + assert, connect, keys +} = require(join(common.fixturesDir, 'tls-connect'))(); + +connect({ + client: { + checkServerIdentity: (servername, cert) => { }, + ca: `${keys.agent1.cert}\n${keys.agent6.ca}`, + }, + server: { + cert: keys.agent6.cert, + key: keys.agent6.key, + }, +}, function(err, pair, cleanup) { + assert.ifError(err); + return cleanup(); +}); diff --git a/test/disabled/test-tls-cert-chains-concat.js b/test/disabled/test-tls-cert-chains-concat.js new file mode 100644 index 0000000..d53edef --- /dev/null +++ b/test/disabled/test-tls-cert-chains-concat.js @@ -0,0 +1,50 @@ +'use strict'; +const common = require('../common'); + +// Check cert chain is received by client, and is completed with the ca cert +// known to the client. + +const join = require('path').join; +const { + assert, connect, debug, keys +} = require(join(common.fixturesDir, 'tls-connect'))(); + +// agent6-cert.pem includes cert for agent6 and ca3 +connect({ + client: { + checkServerIdentity: (servername, cert) => { }, + ca: keys.agent6.ca, + }, + server: { + cert: keys.agent6.cert, + key: keys.agent6.key, + }, +}, function(err, pair, cleanup) { + assert.ifError(err); + + const peer = pair.client.conn.getPeerCertificate(); + debug('peer:\n', peer); + assert.strictEqual(peer.subject.emailAddress, 'adam.lippai@tresorit.com'); + assert.strictEqual(peer.subject.CN, 'Ádám Lippai'), + assert.strictEqual(peer.issuer.CN, 'ca3'); + assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC'); + + const next = pair.client.conn.getPeerCertificate(true).issuerCertificate; + const root = next.issuerCertificate; + delete next.issuerCertificate; + debug('next:\n', next); + assert.strictEqual(next.subject.CN, 'ca3'); + assert.strictEqual(next.issuer.CN, 'ca1'); + assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF'); + + debug('root:\n', root); + assert.strictEqual(root.subject.CN, 'ca1'); + assert.strictEqual(root.issuer.CN, 'ca1'); + assert.strictEqual(root.serialNumber, '8DF21C01468AF393'); + + // No client cert, so empty object returned. + assert.deepStrictEqual(pair.server.conn.getPeerCertificate(), {}); + assert.deepStrictEqual(pair.server.conn.getPeerCertificate(true), {}); + + return cleanup(); +}); diff --git a/test/disabled/test-tls-cert-chains-in-ca.js b/test/disabled/test-tls-cert-chains-in-ca.js new file mode 100644 index 0000000..69f62c3 --- /dev/null +++ b/test/disabled/test-tls-cert-chains-in-ca.js @@ -0,0 +1,46 @@ +'use strict'; +const common = require('../common'); + +// Check cert chain is received by client, and is completed with the ca cert +// known to the client. + +const join = require('path').join; +const { + assert, connect, debug, keys +} = require(join(common.fixturesDir, 'tls-connect'))(); + + +// agent6-cert.pem includes cert for agent6 and ca3, split it apart and +// provide ca3 in the .ca property. +const agent6Chain = keys.agent6.cert.split('-----END CERTIFICATE-----') + .map((c) => { return c + '-----END CERTIFICATE-----'; }); +const agent6End = agent6Chain[0]; +const agent6Middle = agent6Chain[1]; +connect({ + client: { + checkServerIdentity: (servername, cert) => { }, + ca: keys.agent6.ca, + }, + server: { + cert: agent6End, + key: keys.agent6.key, + ca: agent6Middle, + }, +}, function(err, pair, cleanup) { + assert.ifError(err); + + const peer = pair.client.conn.getPeerCertificate(); + debug('peer:\n', peer); + assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC'); + + const next = pair.client.conn.getPeerCertificate(true).issuerCertificate; + const root = next.issuerCertificate; + delete next.issuerCertificate; + debug('next:\n', next); + assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF'); + + debug('root:\n', root); + assert.strictEqual(root.serialNumber, '8DF21C01468AF393'); + + return cleanup(); +}); diff --git a/test/disabled/test-tls-cert-regression.js b/test/disabled/test-tls-cert-regression.js new file mode 100644 index 0000000..20cfff5 --- /dev/null +++ b/test/disabled/test-tls-cert-regression.js @@ -0,0 +1,45 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + + +const cert = +`-----BEGIN CERTIFICATE----- +MIIBfjCCASgCCQDmmNjAojbDQjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB +VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0 +cyBQdHkgTHRkMCAXDTE0MDExNjE3NTMxM1oYDzIyODcxMDMxMTc1MzEzWjBFMQsw +CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu +ZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKwlfMX +6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+wsU1O9FzRIVmpeIjDXhbp +Mjsa1HtzSiccPXsCAwEAATANBgkqhkiG9w0BAQUFAANBAHOoKy0NkyfiYH7Ne5ka +uvCyndyeB4d24FlfqEUlkfaWCZlNKRaV9YhLDiEg3BcIreFo4brtKQfZzTRs0GVm +KHg= +-----END CERTIFICATE-----`; + +const key = +`-----BEGIN RSA PRIVATE KEY----- +MIIBPQIBAAJBAPKwlfMX6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+w +sU1O9FzRIVmpeIjDXhbpMjsa1HtzSiccPXsCAwEAAQJBAM4uU9aJE0OfdE1p/X+K +LrCT3XMdFCJ24GgmHyOURtwDy18upQJecDVdcZp16fjtOPmaW95GoYRyifB3R4I5 +RxECIQD7jRM9slCSVV8xp9kOJQNpHjhRQYVGBn+pyllS2sb+RQIhAPb7Y+BIccri +NWnuhwCW8hA7Fkj/kaBdAwyW7L3Tvui/AiEAiqLCovMecre4Yi6GcsQ1b/6mvSmm +IOS+AT6zIfXPTB0CIQCJKGR3ymN/Qw5crL1GQ41cHCQtF9ickOq/lBUW+j976wIh +AOaJnkQrmurlRdePX6LvN/LgGAQoxwovfjcOYNnZsIVY +-----END RSA PRIVATE KEY-----`; + +function test(cert, key, cb) { + const server = tls.createServer({ + cert: cert, + key: key + }).listen(0, function() { + server.close(cb); + }); +} + +test(cert, key, common.mustCall(function() { + test(Buffer.from(cert), Buffer.from(key), common.mustCall()); +})); diff --git a/test/disabled/test-tls-check-server-identity.js b/test/disabled/test-tls-check-server-identity.js new file mode 100644 index 0000000..0cc55d6 --- /dev/null +++ b/test/disabled/test-tls-check-server-identity.js @@ -0,0 +1,260 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const util = require('util'); + +const tls = require('tls'); + +const tests = [ + // False-y values. + { + host: false, + cert: { subject: { CN: 'a.com' } }, + error: 'Host: false. is not cert\'s CN: a.com' + }, + { + host: null, + cert: { subject: { CN: 'a.com' } }, + error: 'Host: null. is not cert\'s CN: a.com' + }, + { + host: undefined, + cert: { subject: { CN: 'a.com' } }, + error: 'Host: undefined. is not cert\'s CN: a.com' + }, + + // Basic CN handling + { host: 'a.com', cert: { subject: { CN: 'a.com' } } }, + { host: 'a.com', cert: { subject: { CN: 'A.COM' } } }, + { + host: 'a.com', + cert: { subject: { CN: 'b.com' } }, + error: 'Host: a.com. is not cert\'s CN: b.com' + }, + { host: 'a.com', cert: { subject: { CN: 'a.com.' } } }, + { + host: 'a.com', + cert: { subject: { CN: '.a.com' } }, + error: 'Host: a.com. is not cert\'s CN: .a.com' + }, + + // Wildcards in CN + { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } }, + { + host: 'ba.com', + cert: { subject: { CN: '*.a.com' } }, + error: 'Host: ba.com. is not cert\'s CN: *.a.com' + }, + { + host: '\n.b.com', + cert: { subject: { CN: '*n.b.com' } }, + error: 'Host: \n.b.com. is not cert\'s CN: *n.b.com' + }, + { host: 'b.a.com', cert: { + subjectaltname: 'DNS:omg.com', + subject: { CN: '*.a.com' } }, + error: 'Host: b.a.com. is not in the cert\'s altnames: ' + + 'DNS:omg.com' + }, + { + host: 'b.a.com', + cert: { subject: { CN: 'b*b.a.com' } }, + error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com' + }, + + // Empty Cert + { + host: 'a.com', + cert: { }, + error: 'Cert is empty' + }, + + // Multiple CN fields + { + host: 'foo.com', cert: { + subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com; + } + }, + + // DNS names and CN + { + host: 'a.com', cert: { + subjectaltname: 'DNS:*', + subject: { CN: 'b.com' } + }, + error: 'Host: a.com. is not in the cert\'s altnames: ' + + 'DNS:*' + }, + { + host: 'a.com', cert: { + subjectaltname: 'DNS:*.com', + subject: { CN: 'b.com' } + }, + error: 'Host: a.com. is not in the cert\'s altnames: ' + + 'DNS:*.com' + }, + { + host: 'a.co.uk', cert: { + subjectaltname: 'DNS:*.co.uk', + subject: { CN: 'b.com' } + } + }, + { + host: 'a.com', cert: { + subjectaltname: 'DNS:*.a.com', + subject: { CN: 'a.com' } + }, + error: 'Host: a.com. is not in the cert\'s altnames: ' + + 'DNS:*.a.com' + }, + { + host: 'a.com', cert: { + subjectaltname: 'DNS:*.a.com', + subject: { CN: 'b.com' } + }, + error: 'Host: a.com. is not in the cert\'s altnames: ' + + 'DNS:*.a.com' + }, + { + host: 'a.com', cert: { + subjectaltname: 'DNS:a.com', + subject: { CN: 'b.com' } + } + }, + { + host: 'a.com', cert: { + subjectaltname: 'DNS:A.COM', + subject: { CN: 'b.com' } + } + }, + + // DNS names + { + host: 'a.com', cert: { + subjectaltname: 'DNS:*.a.com', + subject: {} + }, + error: 'Host: a.com. is not in the cert\'s altnames: ' + + 'DNS:*.a.com' + }, + { + host: 'b.a.com', cert: { + subjectaltname: 'DNS:*.a.com', + subject: {} + } + }, + { + host: 'c.b.a.com', cert: { + subjectaltname: 'DNS:*.a.com', + subject: {} + }, + error: 'Host: c.b.a.com. is not in the cert\'s altnames: ' + + 'DNS:*.a.com' + }, + { + host: 'b.a.com', cert: { + subjectaltname: 'DNS:*b.a.com', + subject: {} + } + }, + { + host: 'a-cb.a.com', cert: { + subjectaltname: 'DNS:*b.a.com', + subject: {} + } + }, + { + host: 'a.b.a.com', cert: { + subjectaltname: 'DNS:*b.a.com', + subject: {} + }, + error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' + + 'DNS:*b.a.com' + }, + // Mutliple DNS names + { + host: 'a.b.a.com', cert: { + subjectaltname: 'DNS:*b.a.com, DNS:a.b.a.com', + subject: {} + } + }, + // URI names + { + host: 'a.b.a.com', cert: { + subjectaltname: 'URI:http://a.b.a.com/', + subject: {} + } + }, + { + host: 'a.b.a.com', cert: { + subjectaltname: 'URI:http://*.b.a.com/', + subject: {} + }, + error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' + + 'URI:http://*.b.a.com/' + }, + // IP addresses + { + host: 'a.b.a.com', cert: { + subjectaltname: 'IP Address:127.0.0.1', + subject: {} + }, + error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' + + 'IP Address:127.0.0.1' + }, + { + host: '127.0.0.1', cert: { + subjectaltname: 'IP Address:127.0.0.1', + subject: {} + } + }, + { + host: '127.0.0.2', cert: { + subjectaltname: 'IP Address:127.0.0.1', + subject: {} + }, + error: 'IP: 127.0.0.2 is not in the cert\'s list: ' + + '127.0.0.1' + }, + { + host: '127.0.0.1', cert: { + subjectaltname: 'DNS:a.com', + subject: {} + }, + error: 'IP: 127.0.0.1 is not in the cert\'s list: ' + }, + { + host: 'localhost', cert: { + subjectaltname: 'DNS:a.com', + subject: { CN: 'localhost' } + }, + error: 'Host: localhost. is not in the cert\'s altnames: ' + + 'DNS:a.com' + }, + // IDNA + { + host: 'xn--bcher-kva.example.com', + cert: { subject: { CN: '*.example.com' } }, + }, + // RFC 6125, section 6.4.3: "[...] the client SHOULD NOT attempt to match + // a presented identifier where the wildcard character is embedded within + // an A-label [...]" + { + host: 'xn--bcher-kva.example.com', + cert: { subject: { CN: 'xn--*.example.com' } }, + error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' + + 'xn--*.example.com', + }, +]; + +tests.forEach(function(test, i) { + const err = tls.checkServerIdentity(test.host, test.cert); + assert.strictEqual(err && err.reason, + test.error, + `Test# ${i} failed: ${util.inspect(test)} \n` + + `${test.error} != ${(err && err.reason)}`); +}); diff --git a/test/disabled/test-tls-cipher-list.js b/test/disabled/test-tls-cipher-list.js new file mode 100644 index 0000000..4a39ee9 --- /dev/null +++ b/test/disabled/test-tls-cipher-list.js @@ -0,0 +1,30 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const spawn = require('child_process').spawn; +const defaultCoreList = require('crypto').constants.defaultCoreCipherList; + +function doCheck(arg, check) { + let out = ''; + arg = arg.concat([ + '-pe', + 'require("crypto").constants.defaultCipherList' + ]); + spawn(process.execPath, arg, {}) + .on('error', common.mustNotCall()) + .stdout.on('data', function(chunk) { + out += chunk; + }).on('end', function() { + assert.strictEqual(out.trim(), check); + }).on('error', common.mustNotCall()); +} + +// test the default unmodified version +doCheck([], defaultCoreList); + +// test the command line switch by itself +doCheck(['--tls-cipher-list=ABC'], 'ABC'); diff --git a/test/disabled/test-tls-client-abort.js b/test/disabled/test-tls-client-abort.js new file mode 100644 index 0000000..4216e34 --- /dev/null +++ b/test/disabled/test-tls-client-abort.js @@ -0,0 +1,19 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); +const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); + +const conn = tls.connect({cert, key, port: 0}, common.mustNotCall()); +conn.on('error', function() { +}); +assert.doesNotThrow(function() { + conn.destroy(); +}); diff --git a/test/disabled/test-tls-client-abort2.js b/test/disabled/test-tls-client-abort2.js new file mode 100644 index 0000000..f3d84a5 --- /dev/null +++ b/test/disabled/test-tls-client-abort2.js @@ -0,0 +1,14 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const conn = tls.connect(0, common.mustNotCall()); +conn.on('error', common.mustCall(function() { + assert.doesNotThrow(function() { + conn.destroy(); + }); +})); diff --git a/test/disabled/test-tls-client-default-ciphers.js b/test/disabled/test-tls-client-default-ciphers.js new file mode 100644 index 0000000..91a0a86 --- /dev/null +++ b/test/disabled/test-tls-client-default-ciphers.js @@ -0,0 +1,26 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +function Done() {} + +function test1() { + let ciphers = ''; + + tls.createSecureContext = function(options) { + ciphers = options.ciphers; + throw new Done(); + }; + + try { + tls.connect(common.PORT); + } catch (e) { + assert(e instanceof Done); + } + assert.strictEqual(ciphers, tls.DEFAULT_CIPHERS); +} +test1(); diff --git a/test/disabled/test-tls-client-destroy-soon.js b/test/disabled/test-tls-client-destroy-soon.js new file mode 100644 index 0000000..94a4956 --- /dev/null +++ b/test/disabled/test-tls-client-destroy-soon.js @@ -0,0 +1,46 @@ +'use strict'; +// Create an ssl server. First connection, validate that not resume. +// Cache session and close connection. Use session on second connection. +// ASSERT resumption. + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) +}; + +const big = Buffer.alloc(2 * 1024 * 1024, 'Y'); + +// create server +const server = tls.createServer(options, common.mustCall(function(socket) { + socket.end(big); + socket.destroySoon(); +})); + +// start listening +server.listen(0, common.mustCall(function() { + const client = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }, common.mustCall(function() { + let bytesRead = 0; + + client.on('readable', function() { + const d = client.read(); + if (d) + bytesRead += d.length; + }); + + client.on('end', common.mustCall(function() { + server.close(); + assert.strictEqual(big.length, bytesRead); + })); + })); +})); diff --git a/test/disabled/test-tls-client-getephemeralkeyinfo.js b/test/disabled/test-tls-client-getephemeralkeyinfo.js new file mode 100644 index 0000000..7d93dcb --- /dev/null +++ b/test/disabled/test-tls-client-getephemeralkeyinfo.js @@ -0,0 +1,96 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); + +let ntests = 0; +let nsuccess = 0; + +function loadDHParam(n) { + let path = common.fixturesDir; + if (n !== 'error') path += '/keys'; + return fs.readFileSync(`${path}/dh${n}.pem`); +} + +const cipherlist = { + 'NOT_PFS': 'AES128-SHA256', + 'DH': 'DHE-RSA-AES128-GCM-SHA256', + 'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256' +}; + +function test(size, type, name, next) { + const cipher = type ? cipherlist[type] : cipherlist['NOT_PFS']; + + if (name) tls.DEFAULT_ECDH_CURVE = name; + + const options = { + key: key, + cert: cert, + ciphers: cipher + }; + + if (type === 'DH') options.dhparam = loadDHParam(size); + + const server = tls.createServer(options, function(conn) { + assert.strictEqual(conn.getEphemeralKeyInfo(), null); + conn.end(); + }); + + server.on('close', common.mustCall(function(err) { + assert(!err); + if (next) next(); + })); + + server.listen(0, '127.0.0.1', common.mustCall(function() { + const client = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }, function() { + const ekeyinfo = client.getEphemeralKeyInfo(); + assert.strictEqual(ekeyinfo.type, type); + assert.strictEqual(ekeyinfo.size, size); + assert.strictEqual(ekeyinfo.name, name); + nsuccess++; + server.close(); + }); + })); +} + +function testNOT_PFS() { + test(undefined, undefined, undefined, testDHE1024); + ntests++; +} + +function testDHE1024() { + test(1024, 'DH', undefined, testDHE2048); + ntests++; +} + +function testDHE2048() { + test(2048, 'DH', undefined, testECDHE256); + ntests++; +} + +function testECDHE256() { + test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512); + ntests++; +} + +function testECDHE512() { + test(521, 'ECDH', 'secp521r1', null); + ntests++; +} + +testNOT_PFS(); + +process.on('exit', function() { + assert.strictEqual(ntests, nsuccess); + assert.strictEqual(ntests, 5); +}); diff --git a/test/disabled/test-tls-client-mindhsize.js b/test/disabled/test-tls-client-mindhsize.js new file mode 100644 index 0000000..685d790 --- /dev/null +++ b/test/disabled/test-tls-client-mindhsize.js @@ -0,0 +1,92 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); + +let nsuccess = 0; +let nerror = 0; + +function loadDHParam(n) { + let path = common.fixturesDir; + if (n !== 'error') path += '/keys'; + return fs.readFileSync(`${path}/dh${n}.pem`); +} + +function test(size, err, next) { + const options = { + key: key, + cert: cert, + dhparam: loadDHParam(size), + ciphers: 'DHE-RSA-AES128-GCM-SHA256' + }; + + const server = tls.createServer(options, function(conn) { + conn.end(); + }); + + server.on('close', function(isException) { + assert(!isException); + if (next) next(); + }); + + server.listen(0, '127.0.0.1', function() { + // client set minimum DH parameter size to 2048 bits so that + // it fails when it make a connection to the tls server where + // dhparams is 1024 bits + const client = tls.connect({ + minDHSize: 2048, + port: this.address().port, + rejectUnauthorized: false + }, function() { + nsuccess++; + server.close(); + }); + if (err) { + client.on('error', function(e) { + nerror++; + assert.strictEqual(e.message, + 'DH parameter size 1024 is less than 2048'); + server.close(); + }); + } + }); +} + +// A client connection fails with an error when a client has an +// 2048 bits minDHSize option and a server has 1024 bits dhparam +function testDHE1024() { + test(1024, true, testDHE2048); +} + +// A client connection successes when a client has an +// 2048 bits minDHSize option and a server has 2048 bits dhparam +function testDHE2048() { + test(2048, false, null); +} + +testDHE1024(); + +assert.throws(() => test(512, true, common.mustNotCall()), + /DH parameter is less than 1024 bits/); + +let errMessage = /minDHSize is not a positive number/; +[0, -1, -Infinity, NaN].forEach((minDHSize) => { + assert.throws(() => tls.connect({ minDHSize }), errMessage); +}); + +errMessage = /minDHSize is not a number/; +[true, false, null, undefined, {}, [], '', '1'].forEach((minDHSize) => { + assert.throws(() => tls.connect({ minDHSize }), errMessage); +}); + +process.on('exit', function() { + assert.strictEqual(nsuccess, 1); + assert.strictEqual(nerror, 1); +}); diff --git a/test/disabled/test-tls-client-reject.js b/test/disabled/test-tls-client-reject.js new file mode 100644 index 0000000..be3233d --- /dev/null +++ b/test/disabled/test-tls-client-reject.js @@ -0,0 +1,61 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +const options = { + key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), + cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) +}; + +const server = tls.createServer(options, common.mustCall(function(socket) { + socket.on('data', function(data) { + console.error(data.toString()); + assert.strictEqual(data.toString(), 'ok'); + }); +}, 3)).listen(0, function() { + unauthorized(); +}); + +function unauthorized() { + const socket = tls.connect({ + port: server.address().port, + servername: 'localhost', + rejectUnauthorized: false + }, common.mustCall(function() { + assert(!socket.authorized); + socket.end(); + rejectUnauthorized(); + })); + socket.on('error', common.mustNotCall()); + socket.write('ok'); +} + +function rejectUnauthorized() { + const socket = tls.connect(server.address().port, { + servername: 'localhost' + }, common.mustNotCall()); + socket.on('error', common.mustCall(function(err) { + console.error(err); + authorized(); + })); + socket.write('ng'); +} + +function authorized() { + const socket = tls.connect(server.address().port, { + ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))], + servername: 'localhost' + }, common.mustCall(function() { + assert(socket.authorized); + socket.end(); + server.close(); + })); + socket.on('error', common.mustNotCall()); + socket.write('ok'); +} diff --git a/test/disabled/test-tls-client-resume.js b/test/disabled/test-tls-client-resume.js new file mode 100644 index 0000000..211d086 --- /dev/null +++ b/test/disabled/test-tls-client-resume.js @@ -0,0 +1,56 @@ +'use strict'; +// Create an ssl server. First connection, validate that not resume. +// Cache session and close connection. Use session on second connection. +// ASSERT resumption. + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) +}; + +// create server +const server = tls.Server(options, common.mustCall(function(socket) { + socket.end('Goodbye'); +}, 2)); + +// start listening +server.listen(0, function() { + + let session1 = null; + const client1 = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }, function() { + console.log('connect1'); + assert.ok(!client1.isSessionReused(), 'Session *should not* be reused.'); + session1 = client1.getSession(); + }); + + client1.on('close', function() { + console.log('close1'); + + const opts = { + port: server.address().port, + rejectUnauthorized: false, + session: session1 + }; + + const client2 = tls.connect(opts, function() { + console.log('connect2'); + assert.ok(client2.isSessionReused(), 'Session *should* be reused.'); + }); + + client2.on('close', function() { + console.log('close2'); + server.close(); + }); + }); +}); diff --git a/test/disabled/test-tls-client-verify.js b/test/disabled/test-tls-client-verify.js new file mode 100644 index 0000000..565b391 --- /dev/null +++ b/test/disabled/test-tls-client-verify.js @@ -0,0 +1,132 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +const hosterr = /Hostname\/IP doesn't match certificate's altnames/; +const testCases = + [{ ca: ['ca1-cert'], + key: 'agent2-key', + cert: 'agent2-cert', + servers: [ + { ok: true, key: 'agent1-key', cert: 'agent1-cert' }, + { ok: false, key: 'agent2-key', cert: 'agent2-cert' }, + { ok: false, key: 'agent3-key', cert: 'agent3-cert' } + ] + }, + + { ca: [], + key: 'agent2-key', + cert: 'agent2-cert', + servers: [ + { ok: false, key: 'agent1-key', cert: 'agent1-cert' }, + { ok: false, key: 'agent2-key', cert: 'agent2-cert' }, + { ok: false, key: 'agent3-key', cert: 'agent3-cert' } + ] + }, + + { ca: ['ca1-cert', 'ca2-cert'], + key: 'agent2-key', + cert: 'agent2-cert', + servers: [ + { ok: true, key: 'agent1-key', cert: 'agent1-cert' }, + { ok: false, key: 'agent2-key', cert: 'agent2-cert' }, + { ok: true, key: 'agent3-key', cert: 'agent3-cert' } + ] + } + ]; + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +let successfulTests = 0; + +function testServers(index, servers, clientOptions, cb) { + const serverOptions = servers[index]; + if (!serverOptions) { + cb(); + return; + } + + const ok = serverOptions.ok; + + if (serverOptions.key) { + serverOptions.key = loadPEM(serverOptions.key); + } + + if (serverOptions.cert) { + serverOptions.cert = loadPEM(serverOptions.cert); + } + + const server = tls.createServer(serverOptions, common.mustCall(function(s) { + s.end('hello world\n'); + })); + + server.listen(0, common.mustCall(function() { + let b = ''; + + console.error('connecting...'); + clientOptions.port = this.address().port; + const client = tls.connect(clientOptions, common.mustCall(function() { + const authorized = client.authorized || + hosterr.test(client.authorizationError); + + console.error(`expected: ${ok} authed: ${authorized}`); + + assert.strictEqual(ok, authorized); + server.close(); + })); + + client.on('data', function(d) { + b += d.toString(); + }); + + client.on('end', common.mustCall(function() { + assert.strictEqual('hello world\n', b); + })); + + client.on('close', common.mustCall(function() { + testServers(index + 1, servers, clientOptions, cb); + })); + })); +} + + +function runTest(testIndex) { + const tcase = testCases[testIndex]; + if (!tcase) return; + + const clientOptions = { + port: undefined, + ca: tcase.ca.map(loadPEM), + key: loadPEM(tcase.key), + cert: loadPEM(tcase.cert), + rejectUnauthorized: false + }; + + + testServers(0, tcase.servers, clientOptions, common.mustCall(function() { + successfulTests++; + runTest(testIndex + 1); + })); +} + + +runTest(0); + + +process.on('exit', function() { + console.log('successful tests: %d', successfulTests); + assert.strictEqual(successfulTests, testCases.length); +}); diff --git a/test/disabled/test-tls-close-error.js b/test/disabled/test-tls-close-error.js new file mode 100644 index 0000000..e7e48cd --- /dev/null +++ b/test/disabled/test-tls-close-error.js @@ -0,0 +1,26 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}, function(c) { +}).listen(0, common.mustCall(function() { + const c = tls.connect(this.address().port, function() { + assert(false, 'should not be called'); + }); + + c.on('error', common.mustCall(function(err) {})); + + c.on('close', common.mustCall(function(err) { + assert.ok(err); + server.close(); + })); +})); diff --git a/test/disabled/test-tls-close-notify.js b/test/disabled/test-tls-close-notify.js new file mode 100644 index 0000000..15f9f36 --- /dev/null +++ b/test/disabled/test-tls-close-notify.js @@ -0,0 +1,27 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const fs = require('fs'); + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}, function(c) { + // Send close-notify without shutting down TCP socket + if (c._handle.shutdownSSL() !== 1) + c._handle.shutdownSSL(); +}).listen(0, common.mustCall(function() { + const c = tls.connect(this.address().port, { + rejectUnauthorized: false + }, common.mustCall(function() { + // Ensure that we receive 'end' event anyway + c.on('end', common.mustCall(function() { + c.destroy(); + server.close(); + })); + })); +})); diff --git a/test/disabled/test-tls-cnnic-whitelist.js b/test/disabled/test-tls-cnnic-whitelist.js new file mode 100644 index 0000000..84b71c7 --- /dev/null +++ b/test/disabled/test-tls-cnnic-whitelist.js @@ -0,0 +1,77 @@ +// Flags: --use-bundled-ca +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const testCases = [ + { // Test 0: for the check of a cert not existed in the whitelist. + // agent7-cert.pem is issued by the fake CNNIC root CA so that its + // hash is not listed in the whitelist. + // fake-cnnic-root-cert has the same subject name as the original + // rootCA. + serverOpts: { + key: loadPEM('agent7-key'), + cert: loadPEM('agent7-cert') + }, + clientOpts: { + port: undefined, + rejectUnauthorized: true, + ca: [loadPEM('fake-cnnic-root-cert')] + }, + errorCode: 'CERT_REVOKED' + }, + // Test 1: for the fix of node#2061 + // agent6-cert.pem is signed by intermidate cert of ca3. + // The server has a cert chain of agent6->ca3->ca1(root) but + // tls.connect should be failed with an error of + // UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not + // installed locally. + { + serverOpts: { + ca: loadPEM('ca3-key'), + key: loadPEM('agent6-key'), + cert: loadPEM('agent6-cert') + }, + clientOpts: { + port: undefined, + rejectUnauthorized: true + }, + errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' + } +]; + +function runTest(tindex) { + const tcase = testCases[tindex]; + + if (!tcase) return; + + const server = tls.createServer(tcase.serverOpts, (s) => { + s.resume(); + }).listen(0, common.mustCall(function() { + tcase.clientOpts = this.address().port; + const client = tls.connect(tcase.clientOpts); + client.on('error', common.mustCall((e) => { + assert.strictEqual(e.code, tcase.errorCode); + server.close(common.mustCall(() => { + runTest(tindex + 1); + })); + })); + })); +} + +runTest(0); diff --git a/test/disabled/test-tls-connect-address-family.js b/test/disabled/test-tls-connect-address-family.js new file mode 100644 index 0000000..afacd5a --- /dev/null +++ b/test/disabled/test-tls-connect-address-family.js @@ -0,0 +1,45 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.hasIPv6) + common.skip('no IPv6 support'); + +const assert = require('assert'); +const tls = require('tls'); +const dns = require('dns'); + +function runTest() { + const ciphers = 'AECDH-NULL-SHA'; + tls.createServer({ ciphers }, common.mustCall(function() { + this.close(); + })).listen(0, '::1', common.mustCall(function() { + const options = { + host: 'localhost', + port: this.address().port, + family: 6, + ciphers: ciphers, + rejectUnauthorized: false, + }; + // Will fail with ECONNREFUSED if the address family is not honored. + tls.connect(options).once('secureConnect', common.mustCall(function() { + assert.strictEqual('::1', this.remoteAddress); + this.destroy(); + })); + })); +} + +dns.lookup('localhost', {family: 6, all: true}, (err, addresses) => { + if (err) { + if (err.code === 'ENOTFOUND') + common.skip('localhost does not resolve to ::1'); + + throw err; + } + + if (addresses.some((val) => val.address === '::1')) + runTest(); + else + common.skip('localhost does not resolve to ::1'); +}); diff --git a/test/disabled/test-tls-connect-given-socket.js b/test/disabled/test-tls-connect-given-socket.js new file mode 100644 index 0000000..b69e0b9 --- /dev/null +++ b/test/disabled/test-tls-connect-given-socket.js @@ -0,0 +1,65 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const net = require('net'); +const fs = require('fs'); +const path = require('path'); + +const options = { + key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), + cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) +}; + +const server = tls.createServer(options, common.mustCall((socket) => { + socket.end('Hello'); +}, 2)).listen(0, common.mustCall(() => { + let waiting = 2; + function establish(socket, calls) { + const client = tls.connect({ + rejectUnauthorized: false, + socket: socket + }, common.mustCall(() => { + let data = ''; + client.on('data', common.mustCall((chunk) => { + data += chunk.toString(); + })); + client.on('end', common.mustCall(() => { + assert.strictEqual(data, 'Hello'); + if (--waiting === 0) + server.close(); + })); + }, calls)); + assert(client.readable); + assert(client.writable); + + return client; + } + + const { port } = server.address(); + + // Immediate death socket + const immediateDeath = net.connect(port); + establish(immediateDeath, 0).destroy(); + + // Outliving + const outlivingTCP = net.connect(port, common.mustCall(() => { + outlivingTLS.destroy(); + next(); + })); + const outlivingTLS = establish(outlivingTCP, 0); + + function next() { + // Already connected socket + const connected = net.connect(port, common.mustCall(() => { + establish(connected); + })); + + // Connecting socket + const connecting = net.connect(port); + establish(connecting); + } +})); diff --git a/test/disabled/test-tls-connect-no-host.js b/test/disabled/test-tls-connect-no-host.js new file mode 100644 index 0000000..f63c821 --- /dev/null +++ b/test/disabled/test-tls-connect-no-host.js @@ -0,0 +1,34 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); + +const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); +const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); + +// https://github.com/nodejs/node/issues/1489 +// tls.connect(options) with no options.host should accept a cert with +// CN:'localhost' +tls.createServer({ + key: key, + cert: cert +}).listen(0, function() { + const socket = tls.connect({ + port: this.address().port, + ca: cert, + // No host set here. 'localhost' is the default, + // but tls.checkServerIdentity() breaks before the fix with: + // Error: Hostname/IP doesn't match certificate's altnames: + // "Host: undefined. is not cert's CN: localhost" + }, function() { + assert(socket.authorized); + process.exit(); + }); +}); diff --git a/test/disabled/test-tls-connect-pipe.js b/test/disabled/test-tls-connect-pipe.js new file mode 100644 index 0000000..2467a91 --- /dev/null +++ b/test/disabled/test-tls-connect-pipe.js @@ -0,0 +1,26 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +common.refreshTmpDir(); + +const server = tls.Server(options, common.mustCall(function(socket) { + server.close(); +})); +server.listen(common.PIPE, common.mustCall(function() { + const options = { rejectUnauthorized: false }; + const client = tls.connect(common.PIPE, options, common.mustCall(function() { + client.end(); + })); +})); diff --git a/test/disabled/test-tls-connect-secure-context.js b/test/disabled/test-tls-connect-secure-context.js new file mode 100644 index 0000000..d1552a6 --- /dev/null +++ b/test/disabled/test-tls-connect-secure-context.js @@ -0,0 +1,25 @@ +'use strict'; +const common = require('../common'); + +// Verify connection with explicitly created client SecureContext. + +const join = require('path').join; +const { + assert, connect, keys, tls +} = require(join(common.fixturesDir, 'tls-connect'))(); + +connect({ + client: { + servername: 'agent1', + secureContext: tls.createSecureContext({ + ca: keys.agent1.ca, + }), + }, + server: { + cert: keys.agent1.cert, + key: keys.agent1.key, + }, +}, function(err, pair, cleanup) { + assert.ifError(err); + return cleanup(); +}); diff --git a/test/disabled/test-tls-connect-simple.js b/test/disabled/test-tls-connect-simple.js new file mode 100644 index 0000000..aa59f05 --- /dev/null +++ b/test/disabled/test-tls-connect-simple.js @@ -0,0 +1,42 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + +const fs = require('fs'); + +let serverConnected = 0; + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = tls.Server(options, common.mustCall(function(socket) { + if (++serverConnected === 2) { + server.close(common.mustCall()); + server.on('close', common.mustCall()); + } +}, 2)); + +server.listen(0, function() { + const client1options = { + port: this.address().port, + rejectUnauthorized: false + }; + const client1 = tls.connect(client1options, common.mustCall(function() { + client1.end(); + })); + + const client2options = { + port: this.address().port, + rejectUnauthorized: false + }; + const client2 = tls.connect(client2options); + client2.on('secureConnect', common.mustCall(function() { + client2.end(); + })); +}); diff --git a/test/disabled/test-tls-connect-stream-writes.js b/test/disabled/test-tls-connect-stream-writes.js new file mode 100644 index 0000000..5266d6c --- /dev/null +++ b/test/disabled/test-tls-connect-stream-writes.js @@ -0,0 +1,63 @@ +'use strict'; +const common = require('../common'); +const assert = require('assert'); +const fs = require('fs'); +const tls = require('tls'); +const stream = require('stream'); +const net = require('net'); + +const cert_dir = common.fixturesDir; +const options = { key: fs.readFileSync(`${cert_dir}/test_key.pem`), + cert: fs.readFileSync(`${cert_dir}/test_cert.pem`), + ca: [ fs.readFileSync(`${cert_dir}/test_ca.pem`) ], + ciphers: 'AES256-GCM-SHA384' }; +const content = 'hello world'; +const recv_bufs = []; +let send_data = ''; +const server = tls.createServer(options, function(s) { + s.on('data', function(c) { + recv_bufs.push(c); + }); +}); +server.listen(0, function() { + const raw = net.connect(this.address().port); + + let pending = false; + raw.on('readable', function() { + if (pending) + p._read(); + }); + + let p = new stream.Duplex({ + read: function read() { + pending = false; + + const chunk = raw.read(); + if (chunk) { + this.push(chunk); + } else { + pending = true; + } + }, + write: function write(data, enc, cb) { + raw.write(data, enc, cb); + } + }); + + const socket = tls.connect({ + socket: p, + rejectUnauthorized: false + }, function() { + for (let i = 0; i < 50; ++i) { + socket.write(content); + send_data += content; + } + socket.end(); + server.close(); + }); +}); + +process.on('exit', function() { + const recv_data = (Buffer.concat(recv_bufs)).toString(); + assert.strictEqual(send_data, recv_data); +}); diff --git a/test/disabled/test-tls-connect.js b/test/disabled/test-tls-connect.js new file mode 100644 index 0000000..b410f86 --- /dev/null +++ b/test/disabled/test-tls-connect.js @@ -0,0 +1,39 @@ +'use strict'; +const common = require('../common'); +const assert = require('assert'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +// https://github.com/joyent/node/issues/1218 +// uncatchable exception on TLS connection error +{ + const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); + const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); + + const options = {cert: cert, key: key, port: common.PORT}; + const conn = tls.connect(options, common.fail); + + conn.on('error', common.mustCall()); +} + +// SSL_accept/SSL_connect error handling +{ + const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); + const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); + + const conn = tls.connect({ + cert: cert, + key: key, + port: common.PORT, + ciphers: 'rick-128-roll' + }, function() { + assert.ok(false); // callback should never be executed + }); + + conn.on('error', common.mustCall()); +} diff --git a/test/disabled/test-tls-delayed-attach-error.js b/test/disabled/test-tls-delayed-attach-error.js new file mode 100644 index 0000000..9d37f15 --- /dev/null +++ b/test/disabled/test-tls-delayed-attach-error.js @@ -0,0 +1,36 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const fs = require('fs'); +const net = require('net'); + +const bonkers = Buffer.alloc(1024, 42); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = net.createServer(common.mustCall(function(c) { + setTimeout(common.mustCall(function() { + const s = new tls.TLSSocket(c, { + isServer: true, + secureContext: tls.createSecureContext(options) + }); + + s.on('_tlsError', common.mustCall()); + + s.on('close', function() { + server.close(); + s.destroy(); + }); + }), 200); +})).listen(0, function() { + const c = net.connect({port: this.address().port}, function() { + c.write(bonkers); + }); +}); diff --git a/test/disabled/test-tls-delayed-attach.js b/test/disabled/test-tls-delayed-attach.js new file mode 100644 index 0000000..12ebb91 --- /dev/null +++ b/test/disabled/test-tls-delayed-attach.js @@ -0,0 +1,45 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const net = require('net'); + +const sent = 'hello world'; +let received = ''; + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = net.createServer(function(c) { + setTimeout(function() { + const s = new tls.TLSSocket(c, { + isServer: true, + secureContext: tls.createSecureContext(options) + }); + + s.on('data', function(chunk) { + received += chunk; + }); + + s.on('end', function() { + server.close(); + s.destroy(); + }); + }, 200); +}).listen(0, function() { + const c = tls.connect(this.address().port, { + rejectUnauthorized: false + }, function() { + c.end(sent); + }); +}); + +process.on('exit', function() { + assert.strictEqual(received, sent); +}); diff --git a/test/disabled/test-tls-destroy-whilst-write.js b/test/disabled/test-tls-destroy-whilst-write.js new file mode 100644 index 0000000..d157c7b --- /dev/null +++ b/test/disabled/test-tls-destroy-whilst-write.js @@ -0,0 +1,27 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const stream = require('stream'); + +const delay = new stream.Duplex({ + read: function read() { + }, + write: function write(data, enc, cb) { + console.log('pending'); + setImmediate(function() { + console.log('done'); + cb(); + }); + } +}); + +const secure = tls.connect({ + socket: delay +}); +setImmediate(function() { + secure.destroy(); +}); diff --git a/test/disabled/test-tls-dhe.js b/test/disabled/test-tls-dhe.js new file mode 100644 index 0000000..3e43fd2 --- /dev/null +++ b/test/disabled/test-tls-dhe.js @@ -0,0 +1,96 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('missing openssl-cli'); + +const assert = require('assert'); +const tls = require('tls'); +const spawn = require('child_process').spawn; +const fs = require('fs'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); +let nsuccess = 0; +let ntests = 0; +const ciphers = 'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; + + +function loadDHParam(n) { + let path = common.fixturesDir; + if (n !== 'error') path += '/keys'; + return fs.readFileSync(`${path}/dh${n}.pem`); +} + +function test(keylen, expectedCipher, cb) { + const options = { + key: key, + cert: cert, + ciphers: ciphers, + dhparam: loadDHParam(keylen) + }; + + const server = tls.createServer(options, function(conn) { + conn.end(); + }); + + server.on('close', function(err) { + assert(!err); + if (cb) cb(); + }); + + server.listen(0, '127.0.0.1', function() { + const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`, + '-cipher', ciphers]; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + args.push('-no_rand_screen'); + + const client = spawn(common.opensslCli, args); + let out = ''; + client.stdout.setEncoding('utf8'); + client.stdout.on('data', function(d) { + out += d; + }); + client.stdout.on('end', function() { + // DHE key length can be checked -brief option in s_client but it + // is only supported in openssl 1.0.2 so we cannot check it. + const reg = new RegExp(`Cipher : ${expectedCipher}`); + if (reg.test(out)) { + nsuccess++; + server.close(); + } + }); + }); +} + +function test512() { + assert.throws(function() { + test(512, 'DHE-RSA-AES128-SHA256', null); + }, /DH parameter is less than 1024 bits/); +} + +function test1024() { + test(1024, 'DHE-RSA-AES128-SHA256', test2048); + ntests++; +} + +function test2048() { + test(2048, 'DHE-RSA-AES128-SHA256', testError); + ntests++; +} + +function testError() { + test('error', 'ECDHE-RSA-AES128-SHA256', test512); + ntests++; +} + +test1024(); + +process.on('exit', function() { + assert.strictEqual(ntests, nsuccess); + assert.strictEqual(ntests, 3); +}); diff --git a/test/disabled/test-tls-ecdh-disable.js b/test/disabled/test-tls-ecdh-disable.js new file mode 100644 index 0000000..a44ce2c --- /dev/null +++ b/test/disabled/test-tls-ecdh-disable.js @@ -0,0 +1,37 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('missing openssl-cli'); + +const assert = require('assert'); +const tls = require('tls'); +const exec = require('child_process').exec; +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), + ciphers: 'ECDHE-RSA-RC4-SHA', + ecdhCurve: false +}; + +const server = tls.createServer(options, common.mustNotCall()); + +server.listen(0, '127.0.0.1', common.mustCall(function() { + let cmd = `"${common.opensslCli}" s_client -cipher ${ + options.ciphers} -connect 127.0.0.1:${this.address().port}`; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + cmd += ' -no_rand_screen'; + + exec(cmd, common.mustCall(function(err, stdout, stderr) { + // Old versions of openssl will still exit with 0 so we + // can't just check if err is not null. + assert(stderr.includes('handshake failure')); + server.close(); + })); +})); diff --git a/test/disabled/test-tls-ecdh.js b/test/disabled/test-tls-ecdh.js new file mode 100644 index 0000000..32df9c1 --- /dev/null +++ b/test/disabled/test-tls-ecdh.js @@ -0,0 +1,42 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('missing openssl-cli'); + +const assert = require('assert'); +const tls = require('tls'); + +const exec = require('child_process').exec; +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), + ciphers: '-ALL:ECDHE-RSA-AES128-SHA256', + ecdhCurve: 'prime256v1' +}; + +const reply = 'I AM THE WALRUS'; // something recognizable + +const server = tls.createServer(options, common.mustCall(function(conn) { + conn.end(reply); +})); + +server.listen(0, '127.0.0.1', common.mustCall(function() { + let cmd = `"${common.opensslCli}" s_client -cipher ${ + options.ciphers} -connect 127.0.0.1:${this.address().port}`; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + cmd += ' -no_rand_screen'; + + exec(cmd, common.mustCall(function(err, stdout, stderr) { + if (err) throw err; + assert(stdout.includes(reply)); + server.close(); + })); +})); diff --git a/test/disabled/test-tls-econnreset.js b/test/disabled/test-tls-econnreset.js new file mode 100644 index 0000000..fb3cb2f --- /dev/null +++ b/test/disabled/test-tls-econnreset.js @@ -0,0 +1,76 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const cacert = +`-----BEGIN CERTIFICATE----- +MIIBxTCCAX8CAnXnMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD +VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n +TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv +bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMH0xCzAJ +BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ +MBcGA1UEChMQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRow +GAYDVQQDExFjYS5zdHJvbmdsb29wLmNvbTBMMA0GCSqGSIb3DQEBAQUAAzsAMDgC +MQDKbQ6rIR5t1q1v4Ha36jrq0IkyUohy9EYNvLnXUly1PGqxby0ILlAVJ8JawpY9 +AVkCAwEAATANBgkqhkiG9w0BAQUFAAMxALA1uS4CqQXRSAyYTfio5oyLGz71a+NM ++0AFLBwh5AQjhGd0FcenU4OfHxyDEOJT/Q== +-----END CERTIFICATE-----`; + +const cert = +`-----BEGIN CERTIFICATE----- +MIIBfDCCATYCAgQaMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD +VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n +TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv +bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMBkxFzAV +BgNVBAMTDnN0cm9uZ2xvb3AuY29tMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMfk +I0LWU15pPUwIQNMnRVhhOibi0TQmAau8FBtgwEfGK01WpfGUaJr1a41K8Uq7xwID +AQABoxkwFzAVBgNVHREEDjAMhwQAAAAAhwR/AAABMA0GCSqGSIb3DQEBBQUAAzEA +cGpYrhkrb7mIh9DNhV0qp7pGjqBzlHqB7KQXw2luLDp//6dyHBMexDCQznkhZKRU +-----END CERTIFICATE-----`; + +const key = +`-----BEGIN RSA PRIVATE KEY----- +MIH0AgEAAjEAx+QjQtZTXmk9TAhA0ydFWGE6JuLRNCYBq7wUG2DAR8YrTVal8ZRo +mvVrjUrxSrvHAgMBAAECMBCGccvSwC2r8Z9Zh1JtirQVxaL1WWpAQfmVwLe0bAgg +/JWMU/6hS36TsYyZMxwswQIZAPTAfht/zDLb7Hwgu2twsS1Ra9w/yyvtlwIZANET +26votwJAHK1yUrZGA5nnp5qcmQ/JUQIZAII5YV/UUZvF9D/fUplJ7puENPWNY9bN +pQIZAMMwxuS3XiO7two2sQF6W+JTYyX1DPCwAQIZAOYg1TvEGT38k8e8jygv8E8w +YqrWTeQFNQ== +-----END RSA PRIVATE KEY-----`; + +const ca = [ cert, cacert ]; + +let clientError = null; +let connectError = null; + +const server = + tls.createServer({ ca: ca, cert: cert, key: key }, function(conn) { + throw 'unreachable'; + }).on('tlsClientError', function(err, conn) { + assert(!clientError && conn); + clientError = err; + }).listen(0, function() { + const options = { + ciphers: 'AES128-GCM-SHA256', + port: this.address().port, + ca: ca + }; + tls.connect(options).on('error', function(err) { + assert(!connectError); + + connectError = err; + this.destroy(); + server.close(); + }).write('123'); + }); + +process.on('exit', function() { + assert(clientError); + assert(connectError); + assert(/socket hang up/.test(clientError.message)); + assert(/ECONNRESET/.test(clientError.code)); +}); diff --git a/test/disabled/test-tls-empty-sni-context.js b/test/disabled/test-tls-empty-sni-context.js new file mode 100644 index 0000000..3f39d6e --- /dev/null +++ b/test/disabled/test-tls-empty-sni-context.js @@ -0,0 +1,34 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!process.features.tls_sni) + common.skip('node compiled without OpenSSL or with old OpenSSL version.'); + +const assert = require('assert'); +const tls = require('tls'); + +const options = { + SNICallback: (name, callback) => { + callback(null, tls.createSecureContext()); + } +}; + +const server = tls.createServer(options, (c) => { + common.fail('Should not be called'); +}).on('tlsClientError', common.mustCall((err, c) => { + assert(/SSL_use_certificate:passed a null parameter/i.test(err.message)); + server.close(); +})).listen(0, common.mustCall(() => { + const c = tls.connect({ + port: server.address().port, + rejectUnauthorized: false, + servername: 'any.name' + }, common.mustNotCall()); + + c.on('error', common.mustCall((err) => { + assert(/socket hang up/.test(err.message)); + })); +})); diff --git a/test/disabled/test-tls-env-bad-extra-ca.js b/test/disabled/test-tls-env-bad-extra-ca.js new file mode 100644 index 0000000..ece93f3 --- /dev/null +++ b/test/disabled/test-tls-env-bad-extra-ca.js @@ -0,0 +1,39 @@ +// Setting NODE_EXTRA_CA_CERTS to non-existent file emits a warning + +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fork = require('child_process').fork; + +if (process.env.CHILD) { + // This will try to load the extra CA certs, and emit a warning when it fails. + return tls.createServer({}); +} + +const env = { + CHILD: 'yes', + NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/no-such-file-exists`, +}; + +const opts = { + env: env, + silent: true, +}; +let stderr = ''; + +fork(__filename, opts) + .on('exit', common.mustCall(function(status) { + assert.strictEqual(status, 0, 'client did not succeed in connecting'); + })) + .on('close', common.mustCall(function() { + const re = /Warning: Ignoring extra certs from.*no-such-file-exists.* load failed:.*No such file or directory/; + assert(re.test(stderr), stderr); + })) + .stderr.setEncoding('utf8').on('data', function(str) { + stderr += str; + }); diff --git a/test/disabled/test-tls-env-extra-ca.js b/test/disabled/test-tls-env-extra-ca.js new file mode 100644 index 0000000..be7c826 --- /dev/null +++ b/test/disabled/test-tls-env-extra-ca.js @@ -0,0 +1,44 @@ +// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation + +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const fs = require('fs'); +const tls = require('tls'); + +const fork = require('child_process').fork; + +if (process.env.CHILD) { + const copts = { + port: process.env.PORT, + checkServerIdentity: common.mustCall(), + }; + const client = tls.connect(copts, common.mustCall(function() { + client.end('hi'); + })); + return; +} + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), +}; + +const server = tls.createServer(options, common.mustCall(function(s) { + s.end('bye'); + server.close(); +})).listen(0, common.mustCall(function() { + const env = { + CHILD: 'yes', + PORT: this.address().port, + NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/keys/ca1-cert.pem`, + }; + + fork(__filename, {env: env}).on('exit', common.mustCall(function(status) { + assert.strictEqual(status, 0, 'client did not succeed in connecting'); + })); +})); diff --git a/test/disabled/test-tls-external-accessor.js b/test/disabled/test-tls-external-accessor.js new file mode 100644 index 0000000..2d7b1f6 --- /dev/null +++ b/test/disabled/test-tls-external-accessor.js @@ -0,0 +1,22 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +// Ensure accessing ._external doesn't hit an assert in the accessor method. +{ + const pctx = tls.createSecureContext().context; + const cctx = Object.create(pctx); + assert.throws(() => cctx._external, /incompatible receiver/); + pctx._external; +} +{ + const pctx = tls.createSecurePair().credentials.context; + const cctx = Object.create(pctx); + assert.throws(() => cctx._external, /incompatible receiver/); + pctx._external; +} diff --git a/test/disabled/test-tls-fast-writing.js b/test/disabled/test-tls-fast-writing.js new file mode 100644 index 0000000..b8605ca --- /dev/null +++ b/test/disabled/test-tls-fast-writing.js @@ -0,0 +1,60 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const dir = common.fixturesDir; +const options = { key: fs.readFileSync(`${dir}/test_key.pem`), + cert: fs.readFileSync(`${dir}/test_cert.pem`), + ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] }; + +const server = tls.createServer(options, onconnection); +let gotChunk = false; +let gotDrain = false; + +setTimeout(function() { + console.log('not ok - timed out'); + process.exit(1); +}, common.platformTimeout(1000)); + +function onconnection(conn) { + conn.on('data', function(c) { + if (!gotChunk) { + gotChunk = true; + console.log('ok - got chunk'); + } + + // just some basic sanity checks. + assert(c.length); + assert(Buffer.isBuffer(c)); + + if (gotDrain) + process.exit(0); + }); +} + +server.listen(0, function() { + const chunk = Buffer.alloc(1024, 'x'); + const opt = { port: this.address().port, rejectUnauthorized: false }; + const conn = tls.connect(opt, function() { + conn.on('drain', ondrain); + write(); + }); + function ondrain() { + if (!gotDrain) { + gotDrain = true; + console.log('ok - got drain'); + } + if (gotChunk) + process.exit(0); + write(); + } + function write() { + // this needs to return false eventually + while (false !== conn.write(chunk)); + } +}); diff --git a/test/disabled/test-tls-friendly-error-message.js b/test/disabled/test-tls-friendly-error-message.js new file mode 100644 index 0000000..51ce0d0 --- /dev/null +++ b/test/disabled/test-tls-friendly-error-message.js @@ -0,0 +1,23 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); + +tls.createServer({ key: key, cert: cert }, common.mustCall(function(conn) { + conn.end(); + this.close(); +})).listen(0, common.mustCall(function() { + const options = { port: this.address().port, rejectUnauthorized: true }; + tls.connect(options).on('error', common.mustCall(function(err) { + assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'); + assert.strictEqual(err.message, 'unable to verify the first certificate'); + this.destroy(); + })); +})); diff --git a/test/disabled/test-tls-getcipher.js b/test/disabled/test-tls-getcipher.js new file mode 100644 index 0000000..dc3ff1b --- /dev/null +++ b/test/disabled/test-tls-getcipher.js @@ -0,0 +1,36 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const fs = require('fs'); +const cipher_list = ['AES128-SHA256', 'AES256-SHA256']; +const cipher_version_pattern = /TLS|SSL/; +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), + ciphers: cipher_list.join(':'), + honorCipherOrder: true +}; + +const server = tls.createServer(options, + common.mustCall(function(cleartextStream) {})); + +server.listen(0, '127.0.0.1', common.mustCall(function() { + const client = tls.connect({ + host: '127.0.0.1', + port: this.address().port, + ciphers: cipher_list.join(':'), + rejectUnauthorized: false + }, common.mustCall(function() { + const cipher = client.getCipher(); + assert.strictEqual(cipher.name, cipher_list[0]); + assert(cipher_version_pattern.test(cipher.version)); + client.end(); + server.close(); + })); +})); diff --git a/test/disabled/test-tls-getprotocol.js b/test/disabled/test-tls-getprotocol.js new file mode 100644 index 0000000..dd96aa6 --- /dev/null +++ b/test/disabled/test-tls-getprotocol.js @@ -0,0 +1,40 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const clientConfigs = [ + { secureProtocol: 'TLSv1_method', version: 'TLSv1' }, + { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' }, + { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' } +]; + +const serverConfig = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) +}; + +const server = tls.createServer(serverConfig, common.mustCall(function() { + +}, clientConfigs.length)).listen(0, common.localhostIPv4, function() { + let connected = 0; + clientConfigs.forEach(function(v) { + tls.connect({ + host: common.localhostIPv4, + port: server.address().port, + rejectUnauthorized: false, + secureProtocol: v.secureProtocol + }, common.mustCall(function() { + assert.strictEqual(this.getProtocol(), v.version); + this.on('end', common.mustCall(function() { + assert.strictEqual(this.getProtocol(), null); + })).end(); + if (++connected === clientConfigs.length) + server.close(); + })); + }); +}); diff --git a/test/disabled/test-tls-handshake-error.js b/test/disabled/test-tls-handshake-error.js new file mode 100644 index 0000000..9ae1f31 --- /dev/null +++ b/test/disabled/test-tls-handshake-error.js @@ -0,0 +1,32 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), + rejectUnauthorized: true +}, function(c) { +}).listen(0, common.mustCall(function() { + const c = tls.connect({ + port: this.address().port, + ciphers: 'RC4' + }, function() { + assert(false, 'should not be called'); + }); + + c.on('error', common.mustCall(function(err) { + assert.notStrictEqual(err.code, 'ECONNRESET'); + })); + + c.on('close', common.mustCall(function(err) { + assert.ok(err); + server.close(); + })); +})); diff --git a/test/disabled/test-tls-handshake-nohang.js b/test/disabled/test-tls-handshake-nohang.js new file mode 100644 index 0000000..5c65ca4 --- /dev/null +++ b/test/disabled/test-tls-handshake-nohang.js @@ -0,0 +1,11 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + +// neither should hang +tls.createSecurePair(null, false, false, false); +tls.createSecurePair(null, true, false, false); diff --git a/test/disabled/test-tls-hello-parser-failure.js b/test/disabled/test-tls-hello-parser-failure.js new file mode 100644 index 0000000..a6659d4 --- /dev/null +++ b/test/disabled/test-tls-hello-parser-failure.js @@ -0,0 +1,41 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const net = require('net'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`) +}; + +const bonkers = Buffer.alloc(1024 * 1024, 42); + +const server = tls.createServer(options, function(c) { + +}).listen(0, common.mustCall(function() { + const client = net.connect(this.address().port, common.mustCall(function() { + client.write(bonkers); + })); + + const writeAgain = setImmediate(function() { + client.write(bonkers); + }); + + client.once('error', common.mustCall(function(err) { + clearImmediate(writeAgain); + client.destroy(); + server.close(); + })); + + client.on('close', common.mustCall(function(hadError) { + assert.strictEqual(hadError, true, 'Client never errored'); + })); +})); diff --git a/test/disabled/test-tls-honorcipherorder.js b/test/disabled/test-tls-honorcipherorder.js new file mode 100644 index 0000000..a9d35a0 --- /dev/null +++ b/test/disabled/test-tls-honorcipherorder.js @@ -0,0 +1,97 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +let nconns = 0; + +// We explicitly set TLS version to 1.2 so as to be safe when the +// default method is updated in the future +const SSL_Method = 'TLSv1_2_method'; +const localhost = '127.0.0.1'; + +process.on('exit', function() { + assert.strictEqual(nconns, 6); +}); + +function test(honorCipherOrder, clientCipher, expectedCipher, cb) { + const soptions = { + secureProtocol: SSL_Method, + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), + ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' + + 'ECDHE-RSA-AES128-GCM-SHA256', + honorCipherOrder: !!honorCipherOrder + }; + + const server = tls.createServer(soptions, function(cleartextStream) { + nconns++; + + // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise + // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX). + cleartextStream.end(); + }); + server.listen(0, localhost, function() { + const coptions = { + rejectUnauthorized: false, + secureProtocol: SSL_Method + }; + if (clientCipher) { + coptions.ciphers = clientCipher; + } + const port = this.address().port; + const client = tls.connect(port, localhost, coptions, function() { + const cipher = client.getCipher(); + client.end(); + server.close(); + assert.strictEqual(cipher.name, expectedCipher); + if (cb) cb(); + }); + }); +} + +test1(); + +function test1() { + // Client has the preference of cipher suites by default + test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', + 'AES128-GCM-SHA256', test2); +} + +function test2() { + // Server has the preference of cipher suites, and AES256-SHA256 is + // the server's top choice. + test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', + 'AES256-SHA256', test3); +} + +function test3() { + // Server has the preference of cipher suites. AES128-GCM-SHA256 is given + // higher priority over AES128-SHA256 among client cipher suites. + test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4); + +} + +function test4() { + // As client has only one cipher, server has no choice, irrespective + // of honorCipherOrder. + test(true, 'AES128-SHA256', 'AES128-SHA256', test5); +} + +function test5() { + // Client did not explicitly set ciphers and client offers + // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the + // default list so the negotiated cipher is selected according to the + // server's top preference of AES256-SHA256. + test(true, null, 'AES256-SHA256', test6); +} + +function test6() { + // Ensure that `tls.DEFAULT_CIPHERS` is used + tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256'; + test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256'); +} diff --git a/test/disabled/test-tls-inception.js b/test/disabled/test-tls-inception.js new file mode 100644 index 0000000..50debbc --- /dev/null +++ b/test/disabled/test-tls-inception.js @@ -0,0 +1,66 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const fs = require('fs'); +const path = require('path'); +const net = require('net'); + +const options = { + key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), + cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) +}; + +const body = 'A'.repeat(40000); + +// the "proxy" server +const a = tls.createServer(options, function(socket) { + const myOptions = { + host: '127.0.0.1', + port: b.address().port, + rejectUnauthorized: false + }; + const dest = net.connect(myOptions); + dest.pipe(socket); + socket.pipe(dest); + + dest.on('end', function() { + socket.destroy(); + }); +}); + +// the "target" server +const b = tls.createServer(options, function(socket) { + socket.end(body); +}); + +a.listen(0, function() { + b.listen(0, function() { + const myOptions = { + host: '127.0.0.1', + port: a.address().port, + rejectUnauthorized: false + }; + const socket = tls.connect(myOptions); + const ssl = tls.connect({ + socket: socket, + rejectUnauthorized: false + }); + ssl.setEncoding('utf8'); + let buf = ''; + ssl.on('data', function(data) { + buf += data; + }); + ssl.on('end', common.mustCall(function() { + assert.strictEqual(buf, body); + ssl.end(); + a.close(); + b.close(); + })); + }); +}); diff --git a/test/disabled/test-tls-interleave.js b/test/disabled/test-tls-interleave.js new file mode 100644 index 0000000..15d617c --- /dev/null +++ b/test/disabled/test-tls-interleave.js @@ -0,0 +1,55 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); + +const tls = require('tls'); + +const fs = require('fs'); + +const dir = common.fixturesDir; +const options = { key: fs.readFileSync(`${dir}/test_key.pem`), + cert: fs.readFileSync(`${dir}/test_cert.pem`), + ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] }; + +const writes = [ + 'some server data', + 'and a separate packet', + 'and one more', +]; +let receivedWrites = 0; + +const server = tls.createServer(options, function(c) { + writes.forEach(function(str) { + c.write(str); + }); +}).listen(0, common.mustCall(function() { + const connectOpts = { rejectUnauthorized: false }; + const c = tls.connect(this.address().port, connectOpts, function() { + c.write('some client data'); + c.on('readable', function() { + let data = c.read(); + if (data === null) + return; + + data = data.toString(); + while (data.length !== 0) { + assert(data.startsWith(writes[receivedWrites])); + data = data.slice(writes[receivedWrites].length); + + if (++receivedWrites === writes.length) { + c.end(); + server.close(); + } + } + }); + }); +})); + + +process.on('exit', function() { + assert.strictEqual(receivedWrites, writes.length); +}); diff --git a/test/disabled/test-tls-invoke-queued.js b/test/disabled/test-tls-invoke-queued.js new file mode 100644 index 0000000..3d4cb8b --- /dev/null +++ b/test/disabled/test-tls-invoke-queued.js @@ -0,0 +1,37 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const fs = require('fs'); +const tls = require('tls'); + +let received = ''; + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}, common.mustCall(function(c) { + c._write('hello ', null, common.mustCall(function() { + c._write('world!', null, common.mustCall(function() { + c.destroy(); + })); + // Data on next _write() will be written but callback will not be invoked + c._write(' gosh', null, common.mustNotCall()); + })); + + server.close(); +})).listen(0, common.mustCall(function() { + const c = tls.connect(this.address().port, { + rejectUnauthorized: false + }, common.mustCall(function() { + c.on('data', function(chunk) { + received += chunk; + }); + c.on('end', common.mustCall(function() { + assert.strictEqual(received, 'hello world! gosh'); + })); + })); +})); diff --git a/test/disabled/test-tls-js-stream.js b/test/disabled/test-tls-js-stream.js new file mode 100644 index 0000000..56f62ae --- /dev/null +++ b/test/disabled/test-tls-js-stream.js @@ -0,0 +1,73 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const stream = require('stream'); +const fs = require('fs'); +const net = require('net'); + +const connected = { + client: 0, + server: 0 +}; + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}, function(c) { + console.log('new client'); + connected.server++; + c.end('ohai'); +}).listen(0, function() { + const raw = net.connect(this.address().port); + + let pending = false; + raw.on('readable', function() { + if (pending) + p._read(); + }); + + let p = new stream.Duplex({ + read: function read() { + pending = false; + + const chunk = raw.read(); + if (chunk) { + console.log('read', chunk); + this.push(chunk); + } else { + pending = true; + } + }, + write: function write(data, enc, cb) { + console.log('write', data, enc); + raw.write(data, enc, cb); + } + }); + + const socket = tls.connect({ + socket: p, + rejectUnauthorized: false + }, function() { + console.log('client secure'); + + connected.client++; + + socket.end('hello'); + socket.resume(); + socket.destroy(); + }); + + socket.once('close', function() { + console.log('client close'); + server.close(); + }); +}); + +process.once('exit', function() { + assert.strictEqual(connected.client, 1); + assert.strictEqual(connected.server, 1); +}); diff --git a/test/disabled/test-tls-junk-closes-server.js b/test/disabled/test-tls-junk-closes-server.js new file mode 100644 index 0000000..33b0583 --- /dev/null +++ b/test/disabled/test-tls-junk-closes-server.js @@ -0,0 +1,28 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const fs = require('fs'); +const net = require('net'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) +}; + +const server = tls.createServer(options, common.mustNotCall()); + +server.listen(0, common.mustCall(function() { + const c = net.createConnection(this.address().port); + + c.on('connect', common.mustCall(function() { + c.write('blah\nblah\nblah\n'); + })); + + c.on('end', common.mustCall(function() { + server.close(); + })); +})); diff --git a/test/disabled/test-tls-junk-server.js b/test/disabled/test-tls-junk-server.js new file mode 100644 index 0000000..3270dec --- /dev/null +++ b/test/disabled/test-tls-junk-server.js @@ -0,0 +1,27 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const https = require('https'); +const net = require('net'); + +const server = net.createServer(function(s) { + s.once('data', function() { + s.end('I was waiting for you, hello!', function() { + s.destroy(); + }); + }); +}); + +server.listen(0, function() { + const req = https.request({ port: this.address().port }); + req.end(); + + req.once('error', common.mustCall(function(err) { + assert(/unknown protocol/.test(err.message)); + server.close(); + })); +}); diff --git a/test/disabled/test-tls-key-mismatch.js b/test/disabled/test-tls-key-mismatch.js new file mode 100644 index 0000000..c301646 --- /dev/null +++ b/test/disabled/test-tls-key-mismatch.js @@ -0,0 +1,20 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const errorMessageRegex = + /^Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch$/; + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) +}; + +assert.throws(function() { + tls.createSecureContext(options); +}, errorMessageRegex); diff --git a/test/disabled/test-tls-legacy-onselect.js b/test/disabled/test-tls-legacy-onselect.js new file mode 100644 index 0000000..4b66f31 --- /dev/null +++ b/test/disabled/test-tls-legacy-onselect.js @@ -0,0 +1,27 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const net = require('net'); + +const server = net.Server(common.mustCall(function(raw) { + const pair = tls.createSecurePair(null, true, false, false); + pair.on('error', () => {}); + pair.ssl.setSNICallback(common.mustCall(function() { + raw.destroy(); + server.close(); + })); + require('_tls_legacy').pipe(pair, raw); +})).listen(0, function() { + tls.connect({ + port: this.address().port, + rejectUnauthorized: false, + servername: 'server' + }, function() { + }).on('error', function() { + // Just ignore + }); +}); diff --git a/test/disabled/test-tls-max-send-fragment.js b/test/disabled/test-tls-max-send-fragment.js new file mode 100644 index 0000000..1f9dd33 --- /dev/null +++ b/test/disabled/test-tls-max-send-fragment.js @@ -0,0 +1,42 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const buf = Buffer.allocUnsafe(10000); +let received = 0; +const maxChunk = 768; + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}, function(c) { + // Lower and upper limits + assert(!c.setMaxSendFragment(511)); + assert(!c.setMaxSendFragment(16385)); + + // Correct fragment size + assert(c.setMaxSendFragment(maxChunk)); + + c.end(buf); +}).listen(0, common.mustCall(function() { + const c = tls.connect(this.address().port, { + rejectUnauthorized: false + }, common.mustCall(function() { + c.on('data', function(chunk) { + assert(chunk.length <= maxChunk); + received += chunk.length; + }); + + // Ensure that we receive 'end' event anyway + c.on('end', common.mustCall(function() { + c.destroy(); + server.close(); + assert.strictEqual(received, buf.length); + })); + })); +})); diff --git a/test/disabled/test-tls-multi-key.js b/test/disabled/test-tls-multi-key.js new file mode 100644 index 0000000..ca2517c --- /dev/null +++ b/test/disabled/test-tls-multi-key.js @@ -0,0 +1,51 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: [ + fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + ], + cert: [ + fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), + fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`) + ] +}; + +const ciphers = []; + +const server = tls.createServer(options, function(conn) { + conn.end('ok'); +}).listen(0, function() { + const ecdsa = tls.connect(this.address().port, { + ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', + rejectUnauthorized: false + }, function() { + ciphers.push(ecdsa.getCipher()); + const rsa = tls.connect(server.address().port, { + ciphers: 'ECDHE-RSA-AES256-GCM-SHA384', + rejectUnauthorized: false + }, function() { + ciphers.push(rsa.getCipher()); + ecdsa.end(); + rsa.end(); + server.close(); + }); + }); +}); + +process.on('exit', function() { + assert.deepStrictEqual(ciphers, [{ + name: 'ECDHE-ECDSA-AES256-GCM-SHA384', + version: 'TLSv1/SSLv3' + }, { + name: 'ECDHE-RSA-AES256-GCM-SHA384', + version: 'TLSv1/SSLv3' + }]); +}); diff --git a/test/disabled/test-tls-no-cert-required.js b/test/disabled/test-tls-no-cert-required.js new file mode 100644 index 0000000..7f3d1b8 --- /dev/null +++ b/test/disabled/test-tls-no-cert-required.js @@ -0,0 +1,29 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +// Omitting the cert or pfx option to tls.createServer() should not throw. +// AECDH-NULL-SHA is a no-authentication/no-encryption cipher and hence +// doesn't need a certificate. +tls.createServer({ ciphers: 'AECDH-NULL-SHA' }) + .listen(0, common.mustCall(close)); + +tls.createServer(assert.fail) + .listen(0, common.mustCall(close)); + +tls.createServer({}) + .listen(0, common.mustCall(close)); + +assert.throws(() => tls.createServer('this is not valid'), + /^TypeError: options must be an object$/); + +tls.createServer() + .listen(0, common.mustCall(close)); + +function close() { + this.close(); +} diff --git a/test/disabled/test-tls-no-rsa-key.js b/test/disabled/test-tls-no-rsa-key.js new file mode 100644 index 0000000..07a3ea4 --- /dev/null +++ b/test/disabled/test-tls-no-rsa-key.js @@ -0,0 +1,33 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`) +}; + +const server = tls.createServer(options, function(conn) { + conn.end('ok'); +}).listen(0, common.mustCall(function() { + const c = tls.connect(this.address().port, { + rejectUnauthorized: false + }, common.mustCall(function() { + c.on('end', common.mustCall(function() { + c.end(); + server.close(); + })); + + c.on('data', function(data) { + assert.strictEqual(data.toString(), 'ok'); + }); + + const cert = c.getPeerCertificate(); + assert.strictEqual(cert.subject.C, 'US'); + })); +})); diff --git a/test/disabled/test-tls-no-sslv23.js b/test/disabled/test-tls-no-sslv23.js new file mode 100644 index 0000000..737f42b --- /dev/null +++ b/test/disabled/test-tls-no-sslv23.js @@ -0,0 +1,55 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'blargh' }); +}, /Unknown method/); + +const errMessageSSLv2 = /SSLv2 methods disabled/; + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'SSLv2_method' }); +}, errMessageSSLv2); + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' }); +}, errMessageSSLv2); + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' }); +}, errMessageSSLv2); + +const errMessageSSLv3 = /SSLv3 methods disabled/; + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'SSLv3_method' }); +}, errMessageSSLv3); + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' }); +}, errMessageSSLv3); + +assert.throws(function() { + tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' }); +}, errMessageSSLv3); + +// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are +// still accepted. They are OpenSSL's way of saying that all known protocols +// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.) +tls.createSecureContext({ secureProtocol: 'SSLv23_method' }); +tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' }); +tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' }); +tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' }); diff --git a/test/disabled/test-tls-no-sslv3.js b/test/disabled/test-tls-no-sslv3.js new file mode 100644 index 0000000..0a118db --- /dev/null +++ b/test/disabled/test-tls-no-sslv3.js @@ -0,0 +1,51 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (common.opensslCli === false) + common.skip('node compiled without OpenSSL CLI.'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const spawn = require('child_process').spawn; + +const cert = fs.readFileSync(`${common.fixturesDir}/test_cert.pem`); +const key = fs.readFileSync(`${common.fixturesDir}/test_key.pem`); +const server = tls.createServer({ cert: cert, key: key }, common.mustNotCall()); +const errors = []; +let stderr = ''; + +server.listen(0, '127.0.0.1', function() { + const address = `${this.address().address}:${this.address().port}`; + const args = ['s_client', + '-ssl3', + '-connect', address]; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + args.push('-no_rand_screen'); + + const client = spawn(common.opensslCli, args, { stdio: 'pipe' }); + client.stdout.pipe(process.stdout); + client.stderr.pipe(process.stderr); + client.stderr.setEncoding('utf8'); + client.stderr.on('data', (data) => stderr += data); + + client.once('exit', common.mustCall(function(exitCode) { + assert.strictEqual(exitCode, 1); + server.close(); + })); +}); + +server.on('tlsClientError', (err) => errors.push(err)); + +process.on('exit', function() { + if (/unknown option -ssl3/.test(stderr)) { + common.printSkipMessage('`openssl s_client -ssl3` not supported.'); + } else { + assert.strictEqual(errors.length, 1); + assert(/:wrong version number/.test(errors[0].message)); + } +}); diff --git a/test/disabled/test-tls-npn-server-client.js b/test/disabled/test-tls-npn-server-client.js new file mode 100644 index 0000000..22491c1 --- /dev/null +++ b/test/disabled/test-tls-npn-server-client.js @@ -0,0 +1,104 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!process.features.tls_npn) + common.skip('Skipping because node compiled without NPN feature of OpenSSL.'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const serverOptions = { + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert'), + crl: loadPEM('ca2-crl'), + SNICallback: function(servername, cb) { + cb(null, tls.createSecureContext({ + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert'), + crl: loadPEM('ca2-crl'), + })); + }, + NPNProtocols: ['a', 'b', 'c'] +}; + +const clientsOptions = [{ + port: undefined, + key: serverOptions.key, + cert: serverOptions.cert, + crl: serverOptions.crl, + NPNProtocols: ['a', 'b', 'c'], + rejectUnauthorized: false +}, { + port: undefined, + key: serverOptions.key, + cert: serverOptions.cert, + crl: serverOptions.crl, + NPNProtocols: ['c', 'b', 'e'], + rejectUnauthorized: false +}, { + port: undefined, + key: serverOptions.key, + cert: serverOptions.cert, + crl: serverOptions.crl, + rejectUnauthorized: false +}, { + port: undefined, + key: serverOptions.key, + cert: serverOptions.cert, + crl: serverOptions.crl, + NPNProtocols: ['first-priority-unsupported', 'x', 'y'], + rejectUnauthorized: false +}]; + +const serverResults = []; +const clientsResults = []; + +const server = tls.createServer(serverOptions, function(c) { + serverResults.push(c.npnProtocol); +}); +server.listen(0, startTest); + +function startTest() { + function connectClient(options, callback) { + options.port = server.address().port; + const client = tls.connect(options, function() { + clientsResults.push(client.npnProtocol); + client.destroy(); + + callback(); + }); + } + + connectClient(clientsOptions[0], function() { + connectClient(clientsOptions[1], function() { + connectClient(clientsOptions[2], function() { + connectClient(clientsOptions[3], function() { + server.close(); + }); + }); + }); + }); +} + +process.on('exit', function() { + assert.strictEqual(serverResults[0], clientsResults[0]); + assert.strictEqual(serverResults[1], clientsResults[1]); + assert.strictEqual(serverResults[2], 'http/1.1'); + assert.strictEqual(clientsResults[2], false); + assert.strictEqual(serverResults[3], 'first-priority-unsupported'); + assert.strictEqual(clientsResults[3], false); +}); diff --git a/test/disabled/test-tls-ocsp-callback.js b/test/disabled/test-tls-ocsp-callback.js new file mode 100644 index 0000000..673b69e --- /dev/null +++ b/test/disabled/test-tls-ocsp-callback.js @@ -0,0 +1,126 @@ +'use strict'; +const common = require('../common'); + +if (!process.features.tls_ocsp) + common.skip('node compiled without OpenSSL or with old OpenSSL version.'); + +if (!common.opensslCli) + common.skip('node compiled without OpenSSL CLI.'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + +const assert = require('assert'); +const fs = require('fs'); +const join = require('path').join; + +const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET; + +const pfx = fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); + +function test(testOptions, cb) { + + const keyFile = join(common.fixturesDir, 'keys', 'agent1-key.pem'); + const certFile = join(common.fixturesDir, 'keys', 'agent1-cert.pem'); + const caFile = join(common.fixturesDir, 'keys', 'ca1-cert.pem'); + const key = fs.readFileSync(keyFile); + const cert = fs.readFileSync(certFile); + const ca = fs.readFileSync(caFile); + const options = { + key: key, + cert: cert, + ca: [ca] + }; + let requestCount = 0; + let clientSecure = 0; + let ocspCount = 0; + let ocspResponse; + + if (testOptions.pfx) { + delete options.key; + delete options.cert; + options.pfx = testOptions.pfx; + options.passphrase = testOptions.passphrase; + } + + const server = tls.createServer(options, function(cleartext) { + cleartext.on('error', function(er) { + // We're ok with getting ECONNRESET in this test, but it's + // timing-dependent, and thus unreliable. Any other errors + // are just failures, though. + if (er.code !== 'ECONNRESET') + throw er; + }); + ++requestCount; + cleartext.end(); + }); + server.on('OCSPRequest', function(cert, issuer, callback) { + ++ocspCount; + assert.ok(Buffer.isBuffer(cert)); + assert.ok(Buffer.isBuffer(issuer)); + + // Just to check that async really works there + setTimeout(function() { + callback(null, + testOptions.response ? Buffer.from(testOptions.response) : null); + }, 100); + }); + server.listen(0, function() { + const client = tls.connect({ + port: this.address().port, + requestOCSP: testOptions.ocsp !== false, + secureOptions: testOptions.ocsp === false ? + SSL_OP_NO_TICKET : 0, + rejectUnauthorized: false + }, function() { + clientSecure++; + }); + client.on('OCSPResponse', function(resp) { + ocspResponse = resp; + if (resp) + client.destroy(); + }); + client.on('close', function() { + server.close(cb); + }); + }); + + process.on('exit', function() { + if (testOptions.ocsp === false) { + assert.strictEqual(requestCount, clientSecure); + assert.strictEqual(requestCount, 1); + return; + } + + if (testOptions.response) { + assert.strictEqual(ocspResponse.toString(), testOptions.response); + } else { + assert.strictEqual(ocspResponse, null); + } + assert.strictEqual(requestCount, testOptions.response ? 0 : 1); + assert.strictEqual(clientSecure, requestCount); + assert.strictEqual(ocspCount, 1); + }); +} + +const tests = [ + { response: false }, + { response: 'hello world' }, + { ocsp: false } +]; + +if (!common.hasFipsCrypto) { + tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' }); +} + +function runTests(i) { + if (i === tests.length) return; + + test(tests[i], common.mustCall(function() { + runTests(i + 1); + })); +} + +runTests(0); diff --git a/test/disabled/test-tls-on-empty-socket.js b/test/disabled/test-tls-on-empty-socket.js new file mode 100644 index 0000000..5b66edd --- /dev/null +++ b/test/disabled/test-tls-on-empty-socket.js @@ -0,0 +1,41 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const fs = require('fs'); +const net = require('net'); + +let out = ''; + +const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}, function(c) { + c.end('hello'); +}).listen(0, function() { + const socket = new net.Socket(); + + const s = tls.connect({ + socket: socket, + rejectUnauthorized: false + }, function() { + s.on('data', function(chunk) { + out += chunk; + }); + s.on('end', function() { + s.destroy(); + server.close(); + }); + }); + + socket.connect(this.address().port); +}); + +process.on('exit', function() { + assert.strictEqual(out, 'hello'); +}); diff --git a/test/disabled/test-tls-over-http-tunnel.js b/test/disabled/test-tls-over-http-tunnel.js new file mode 100644 index 0000000..ae9c8e0 --- /dev/null +++ b/test/disabled/test-tls-over-http-tunnel.js @@ -0,0 +1,155 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const https = require('https'); +const fs = require('fs'); +const net = require('net'); +const http = require('http'); + +let gotRequest = false; + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); + +const options = { + key: key, + cert: cert +}; + +const server = https.createServer(options, function(req, res) { + console.log('SERVER: got request'); + res.writeHead(200, { + 'content-type': 'text/plain' + }); + console.log('SERVER: sending response'); + res.end('hello world\n'); +}); + +const proxy = net.createServer(function(clientSocket) { + console.log('PROXY: got a client connection'); + + let serverSocket = null; + + clientSocket.on('data', function(chunk) { + if (!serverSocket) { + // Verify the CONNECT request + assert.strictEqual(`CONNECT localhost:${server.address().port} ` + + 'HTTP/1.1\r\n' + + 'Proxy-Connections: keep-alive\r\n' + + `Host: localhost:${proxy.address().port}\r\n` + + 'Connection: close\r\n\r\n', + chunk.toString()); + + console.log('PROXY: got CONNECT request'); + console.log('PROXY: creating a tunnel'); + + // create the tunnel + serverSocket = net.connect(server.address().port, function() { + console.log('PROXY: replying to client CONNECT request'); + + // Send the response + clientSocket.write('HTTP/1.1 200 OK\r\nProxy-Connections: keep' + + '-alive\r\nConnections: keep-alive\r\nVia: ' + + `localhost:${proxy.address().port}\r\n\r\n`); + }); + + serverSocket.on('data', function(chunk) { + clientSocket.write(chunk); + }); + + serverSocket.on('end', function() { + clientSocket.destroy(); + }); + } else { + serverSocket.write(chunk); + } + }); + + clientSocket.on('end', function() { + serverSocket.destroy(); + }); +}); + +server.listen(0); + +proxy.listen(0, function() { + console.log('CLIENT: Making CONNECT request'); + + const req = http.request({ + port: this.address().port, + method: 'CONNECT', + path: `localhost:${server.address().port}`, + headers: { + 'Proxy-Connections': 'keep-alive' + } + }); + req.useChunkedEncodingByDefault = false; // for v0.6 + req.on('response', onResponse); // for v0.6 + req.on('upgrade', onUpgrade); // for v0.6 + req.on('connect', onConnect); // for v0.7 or later + req.end(); + + function onResponse(res) { + // Very hacky. This is necessary to avoid http-parser leaks. + res.upgrade = true; + } + + function onUpgrade(res, socket, head) { + // Hacky. + process.nextTick(function() { + onConnect(res, socket, head); + }); + } + + function onConnect(res, socket, header) { + assert.strictEqual(200, res.statusCode); + console.log('CLIENT: got CONNECT response'); + + // detach the socket + socket.removeAllListeners('data'); + socket.removeAllListeners('close'); + socket.removeAllListeners('error'); + socket.removeAllListeners('drain'); + socket.removeAllListeners('end'); + socket.ondata = null; + socket.onend = null; + socket.ondrain = null; + + console.log('CLIENT: Making HTTPS request'); + + https.get({ + path: '/foo', + key: key, + cert: cert, + socket: socket, // reuse the socket + agent: false, + rejectUnauthorized: false + }, function(res) { + assert.strictEqual(200, res.statusCode); + + res.on('data', function(chunk) { + assert.strictEqual('hello world\n', chunk.toString()); + console.log('CLIENT: got HTTPS response'); + gotRequest = true; + }); + + res.on('end', function() { + proxy.close(); + server.close(); + }); + }).on('error', function(er) { + // We're ok with getting ECONNRESET in this test, but it's + // timing-dependent, and thus unreliable. Any other errors + // are just failures, though. + if (er.code !== 'ECONNRESET') + throw er; + }).end(); + } +}); + +process.on('exit', function() { + assert.ok(gotRequest); +}); diff --git a/test/disabled/test-tls-parse-cert-string.js b/test/disabled/test-tls-parse-cert-string.js new file mode 100644 index 0000000..bbe098b --- /dev/null +++ b/test/disabled/test-tls-parse-cert-string.js @@ -0,0 +1,36 @@ +'use strict'; + +require('../common'); +const assert = require('assert'); +const tls = require('tls'); + +{ + const singles = 'C=US\nST=CA\nL=SF\nO=Node.js Foundation\nOU=Node.js\n' + + 'CN=ca1\nemailAddress=ry@clouds.org'; + const singlesOut = tls.parseCertString(singles); + assert.deepStrictEqual(singlesOut, { + C: 'US', + ST: 'CA', + L: 'SF', + O: 'Node.js Foundation', + OU: 'Node.js', + CN: 'ca1', + emailAddress: 'ry@clouds.org' + }); +} + +{ + const doubles = 'OU=Domain Control Validated\nOU=PositiveSSL Wildcard\n' + + 'CN=*.nodejs.org'; + const doublesOut = tls.parseCertString(doubles); + assert.deepStrictEqual(doublesOut, { + OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ], + CN: '*.nodejs.org' + }); +} + +{ + const invalid = 'fhqwhgads'; + const invalidOut = tls.parseCertString(invalid); + assert.deepStrictEqual(invalidOut, {}); +} diff --git a/test/disabled/test-tls-passphrase.js b/test/disabled/test-tls-passphrase.js new file mode 100644 index 0000000..0092dbd --- /dev/null +++ b/test/disabled/test-tls-passphrase.js @@ -0,0 +1,275 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +const passKey = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem')); +const rawKey = fs.readFileSync(path.join(common.fixturesDir, 'raw-key.pem')); +const cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem')); + +assert(Buffer.isBuffer(passKey)); +assert(Buffer.isBuffer(cert)); +assert.strictEqual(typeof passKey.toString(), 'string'); +assert.strictEqual(typeof cert.toString(), 'string'); + +const server = tls.Server({ + key: passKey, + passphrase: 'passphrase', + cert: cert, + ca: [cert], + requestCert: true, + rejectUnauthorized: true +}, function(s) { + s.end(); +}); + +server.listen(0, common.mustCall(function() { + // Buffer + tls.connect({ + port: this.address().port, + key: passKey, + passphrase: 'passphrase', + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: rawKey, + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: rawKey, + passphrase: 'ignored', + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + // Buffer[] + tls.connect({ + port: this.address().port, + key: [passKey], + passphrase: 'passphrase', + cert: [cert], + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [rawKey], + cert: [cert], + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [rawKey], + passphrase: 'ignored', + cert: [cert], + rejectUnauthorized: false + }, common.mustCall()); + + // string + tls.connect({ + port: this.address().port, + key: passKey.toString(), + passphrase: 'passphrase', + cert: cert.toString(), + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: rawKey.toString(), + cert: cert.toString(), + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: rawKey.toString(), + passphrase: 'ignored', + cert: cert.toString(), + rejectUnauthorized: false + }, common.mustCall()); + + // String[] + tls.connect({ + port: this.address().port, + key: [passKey.toString()], + passphrase: 'passphrase', + cert: [cert.toString()], + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [rawKey.toString()], + cert: [cert.toString()], + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [rawKey.toString()], + passphrase: 'ignored', + cert: [cert.toString()], + rejectUnauthorized: false + }, common.mustCall()); + + // Object[] + tls.connect({ + port: this.address().port, + key: [{pem: passKey, passphrase: 'passphrase'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: passKey, passphrase: 'passphrase'}], + passphrase: 'ignored', + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: passKey}], + passphrase: 'passphrase', + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: passKey.toString(), passphrase: 'passphrase'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey, passphrase: 'ignored'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey.toString(), passphrase: 'ignored'}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey}], + passphrase: 'ignored', + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey.toString()}], + passphrase: 'ignored', + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); + + tls.connect({ + port: this.address().port, + key: [{pem: rawKey.toString()}], + cert: cert, + rejectUnauthorized: false + }, common.mustCall()); +})).unref(); + +const errMessagePassword = /bad password read/; + +// Missing passphrase +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: passKey, + cert: cert, + rejectUnauthorized: false + }); +}, errMessagePassword); + +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: [passKey], + cert: cert, + rejectUnauthorized: false + }); +}, errMessagePassword); + +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: [{pem: passKey}], + cert: cert, + rejectUnauthorized: false + }); +}, errMessagePassword); + +const errMessageDecrypt = /bad decrypt/; + +// Invalid passphrase +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: passKey, + passphrase: 'invalid', + cert: cert, + rejectUnauthorized: false + }); +}, errMessageDecrypt); + +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: [passKey], + passphrase: 'invalid', + cert: cert, + rejectUnauthorized: false + }); +}, errMessageDecrypt); + +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: [{pem: passKey}], + passphrase: 'invalid', + cert: cert, + rejectUnauthorized: false + }); +}, errMessageDecrypt); + +assert.throws(function() { + tls.connect({ + port: server.address().port, + key: [{pem: passKey, passphrase: 'invalid'}], + passphrase: 'passphrase', // Valid but unused + cert: cert, + rejectUnauthorized: false + }); +}, errMessageDecrypt); diff --git a/test/disabled/test-tls-pause.js b/test/disabled/test-tls-pause.js new file mode 100644 index 0000000..4aded19 --- /dev/null +++ b/test/disabled/test-tls-pause.js @@ -0,0 +1,70 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +const options = { + key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), + cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) +}; + +const bufSize = 1024 * 1024; +let sent = 0; +let received = 0; + +const server = tls.Server(options, function(socket) { + socket.pipe(socket); + socket.on('data', function(c) { + console.error('data', c.length); + }); +}); + +server.listen(0, function() { + let resumed = false; + const client = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }, function() { + console.error('connected'); + client.pause(); + console.error('paused'); + send(); + function send() { + console.error('sending'); + const ret = client.write(Buffer.allocUnsafe(bufSize)); + console.error('write => %j', ret); + if (false !== ret) { + console.error('write again'); + sent += bufSize; + assert.ok(sent < 100 * 1024 * 1024); // max 100MB + return process.nextTick(send); + } + sent += bufSize; + console.error(`sent: ${sent}`); + resumed = true; + client.resume(); + console.error('resumed', client); + } + }); + client.on('data', function(data) { + console.error('data'); + assert.ok(resumed); + received += data.length; + console.error('received', received); + console.error('sent', sent); + if (received >= sent) { + console.error(`received: ${received}`); + client.end(); + server.close(); + } + }); +}); + +process.on('exit', function() { + assert.strictEqual(sent, received); +}); diff --git a/test/disabled/test-tls-peer-certificate-encoding.js b/test/disabled/test-tls-peer-certificate-encoding.js new file mode 100644 index 0000000..d6e920a --- /dev/null +++ b/test/disabled/test-tls-peer-certificate-encoding.js @@ -0,0 +1,33 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const util = require('util'); +const join = require('path').join; + +const options = { + key: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-key.pem')), + cert: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-cert.pem')), + ca: [ fs.readFileSync(join(common.fixturesDir, 'keys', 'ca2-cert.pem')) ] +}; + +const server = tls.createServer(options, function(cleartext) { + cleartext.end('World'); +}); +server.listen(0, common.mustCall(function() { + const socket = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }, common.mustCall(function() { + const peerCert = socket.getPeerCertificate(); + + console.error(util.inspect(peerCert)); + assert.strictEqual(peerCert.subject.CN, 'Ádám Lippai'); + server.close(); + })); + socket.end('Hello'); +})); diff --git a/test/disabled/test-tls-peer-certificate-multi-keys.js b/test/disabled/test-tls-peer-certificate-multi-keys.js new file mode 100644 index 0000000..ed5566f --- /dev/null +++ b/test/disabled/test-tls-peer-certificate-multi-keys.js @@ -0,0 +1,34 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const util = require('util'); +const join = require('path').join; + +const options = { + key: fs.readFileSync(join(common.fixturesDir, 'agent.key')), + cert: fs.readFileSync(join(common.fixturesDir, 'multi-alice.crt')) +}; + +const server = tls.createServer(options, function(cleartext) { + cleartext.end('World'); +}); +server.listen(0, common.mustCall(function() { + const socket = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }, common.mustCall(function() { + const peerCert = socket.getPeerCertificate(); + console.error(util.inspect(peerCert)); + assert.deepStrictEqual( + peerCert.subject.OU, + ['Information Technology', 'Engineering', 'Marketing'] + ); + server.close(); + })); + socket.end('Hello'); +})); diff --git a/test/disabled/test-tls-peer-certificate.js b/test/disabled/test-tls-peer-certificate.js new file mode 100644 index 0000000..eb5be6d --- /dev/null +++ b/test/disabled/test-tls-peer-certificate.js @@ -0,0 +1,39 @@ +'use strict'; +const common = require('../common'); + +// Verify that detailed getPeerCertificate() return value has all certs. + +const join = require('path').join; +const { + assert, connect, debug, keys +} = require(join(common.fixturesDir, 'tls-connect'))(); + +connect({ + client: {rejectUnauthorized: false}, + server: keys.agent1, +}, function(err, pair, cleanup) { + assert.ifError(err); + const socket = pair.client.conn; + let peerCert = socket.getPeerCertificate(); + assert.ok(!peerCert.issuerCertificate); + + peerCert = socket.getPeerCertificate(true); + debug('peerCert:\n', peerCert); + + assert.ok(peerCert.issuerCertificate); + assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org'); + assert.strictEqual(peerCert.serialNumber, '9A84ABCFB8A72AC0'); + assert.strictEqual(peerCert.exponent, '0x10001'); + assert.strictEqual( + peerCert.fingerprint, + '8D:06:3A:B3:E5:8B:85:29:72:4F:7D:1B:54:CD:95:19:3C:EF:6F:AA' + ); + assert.deepStrictEqual(peerCert.infoAccess['OCSP - URI'], + [ 'http://ocsp.nodejs.org/' ]); + + const issuer = peerCert.issuerCertificate; + assert.strictEqual(issuer.issuerCertificate, issuer); + assert.strictEqual(issuer.serialNumber, '8DF21C01468AF393'); + + return cleanup(); +}); diff --git a/test/disabled/test-tls-pfx-gh-5100-regr.js b/test/disabled/test-tls-pfx-gh-5100-regr.js new file mode 100644 index 0000000..ba38f02 --- /dev/null +++ b/test/disabled/test-tls-pfx-gh-5100-regr.js @@ -0,0 +1,38 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('node compiled without crypto.'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const path = require('path'); + +const pfx = fs.readFileSync( + path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); + +const server = tls.createServer({ + pfx: pfx, + passphrase: 'sample', + requestCert: true, + rejectUnauthorized: false +}, common.mustCall(function(c) { + assert.strictEqual( + c.authorizationError, + null, + 'authorizationError must be null' + ); + c.end(); +})).listen(0, function() { + const client = tls.connect({ + port: this.address().port, + pfx: pfx, + passphrase: 'sample', + rejectUnauthorized: false + }, function() { + client.end(); + server.close(); + }); +}); diff --git a/test/disabled/test-tls-regr-gh-5108.js b/test/disabled/test-tls-regr-gh-5108.js new file mode 100644 index 0000000..9bb07fe --- /dev/null +++ b/test/disabled/test-tls-regr-gh-5108.js @@ -0,0 +1,40 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + + +const server = tls.createServer(options, function(s) { + s.end('hello'); +}).listen(0, function() { + const opts = { + port: this.address().port, + rejectUnauthorized: false + }; + const client = tls.connect(opts, function() { + putImmediate(client); + }); +}); + + +function putImmediate(client) { + setImmediate(function() { + if (client.ssl) { + const fd = client.ssl.fd; + assert(!!fd); + putImmediate(client); + } else { + server.close(); + } + }); +} diff --git a/test/disabled/test-tls-request-timeout.js b/test/disabled/test-tls-request-timeout.js new file mode 100644 index 0000000..3989e40 --- /dev/null +++ b/test/disabled/test-tls-request-timeout.js @@ -0,0 +1,30 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = tls.Server(options, common.mustCall(function(socket) { + const s = socket.setTimeout(100); + assert.ok(s instanceof tls.TLSSocket); + + socket.on('timeout', common.mustCall(function(err) { + socket.end(); + server.close(); + })); +})); + +server.listen(0, function() { + tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }); +}); diff --git a/test/disabled/test-tls-retain-handle-no-abort.js b/test/disabled/test-tls-retain-handle-no-abort.js new file mode 100644 index 0000000..4be64c1 --- /dev/null +++ b/test/disabled/test-tls-retain-handle-no-abort.js @@ -0,0 +1,40 @@ +'use strict'; + +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const util = require('util'); + +const sent = 'hello world'; +const serverOptions = { + isServer: true, + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +let ssl = null; + +process.on('exit', function() { + assert.ok(ssl !== null); + // If the internal pointer to stream_ isn't cleared properly then this + // will abort. + util.inspect(ssl); +}); + +const server = tls.createServer(serverOptions, function(s) { + s.on('data', function() { }); + s.on('end', function() { + server.close(); + s.destroy(); + }); +}).listen(0, function() { + const c = new tls.TLSSocket(); + ssl = c.ssl; + c.connect(this.address().port, function() { + c.end(sent); + }); +}); diff --git a/test/disabled/test-tls-securepair-fiftharg.js b/test/disabled/test-tls-securepair-fiftharg.js new file mode 100644 index 0000000..97b563a --- /dev/null +++ b/test/disabled/test-tls-securepair-fiftharg.js @@ -0,0 +1,27 @@ +'use strict'; + +const common = require('../common'); +const assert = require('assert'); +const fs = require('fs'); +const tls = require('tls'); + +const sslcontext = tls.createSecureContext({ + cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`), + key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`) +}); + +let catchedServername; +const pair = tls.createSecurePair(sslcontext, true, false, false, { + SNICallback: common.mustCall(function(servername, cb) { + catchedServername = servername; + }) +}); + +// captured traffic from browser's request to https://www.google.com +const sslHello = fs.readFileSync(`${common.fixturesDir}/google_ssl_hello.bin`); + +pair.encrypted.write(sslHello); + +process.on('exit', function() { + assert.strictEqual('www.google.com', catchedServername); +}); diff --git a/test/disabled/test-tls-securepair-server.js b/test/disabled/test-tls-securepair-server.js new file mode 100644 index 0000000..d335bb2 --- /dev/null +++ b/test/disabled/test-tls-securepair-server.js @@ -0,0 +1,133 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('missing openssl-cli'); + +const assert = require('assert'); +const tls = require('tls'); +const join = require('path').join; +const net = require('net'); +const fs = require('fs'); +const spawn = require('child_process').spawn; + +const key = fs.readFileSync(join(common.fixturesDir, 'agent.key')).toString(); +const cert = fs.readFileSync(join(common.fixturesDir, 'agent.crt')).toString(); + +function log(a) { + console.error(`***server*** ${a}`); +} + +const server = net.createServer(common.mustCall(function(socket) { + log(`connection fd=${socket.fd}`); + const sslcontext = tls.createSecureContext({key: key, cert: cert}); + sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); + + const pair = tls.createSecurePair(sslcontext, true); + + assert.ok(pair.encrypted.writable); + assert.ok(pair.cleartext.writable); + + pair.encrypted.pipe(socket); + socket.pipe(pair.encrypted); + + log('i set it secure'); + + pair.on('secure', function() { + log('connected+secure!'); + pair.cleartext.write('hello\r\n'); + log(pair.cleartext.getPeerCertificate()); + log(pair.cleartext.getCipher()); + }); + + pair.cleartext.on('data', function(data) { + log(`read bytes ${data.length}`); + pair.cleartext.write(data); + }); + + socket.on('end', function() { + log('socket end'); + }); + + pair.cleartext.on('error', function(err) { + log('got error: '); + log(err); + log(err.stack); + socket.destroy(); + }); + + pair.encrypted.on('error', function(err) { + log('encrypted error: '); + log(err); + log(err.stack); + socket.destroy(); + }); + + socket.on('error', function(err) { + log('socket error: '); + log(err); + log(err.stack); + socket.destroy(); + }); + + socket.on('close', function(err) { + log('socket closed'); + }); + + pair.on('error', function(err) { + log('secure error: '); + log(err); + log(err.stack); + socket.destroy(); + }); +})); + +let gotHello = false; +let sentWorld = false; +let gotWorld = false; + +server.listen(0, common.mustCall(function() { + // To test use: openssl s_client -connect localhost:8000 + + const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`]; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + args.push('-no_rand_screen'); + + const client = spawn(common.opensslCli, args); + + + let out = ''; + + client.stdout.setEncoding('utf8'); + client.stdout.on('data', function(d) { + out += d; + + if (!gotHello && /hello/.test(out)) { + gotHello = true; + client.stdin.write('world\r\n'); + sentWorld = true; + } + + if (!gotWorld && /world/.test(out)) { + gotWorld = true; + client.stdin.end(); + } + }); + + client.stdout.pipe(process.stdout, { end: false }); + + client.on('exit', common.mustCall(function(code) { + assert.strictEqual(0, code); + server.close(); + })); +})); + +process.on('exit', function() { + assert.ok(gotHello); + assert.ok(sentWorld); + assert.ok(gotWorld); +}); diff --git a/test/disabled/test-tls-server-connection-server.js b/test/disabled/test-tls-server-connection-server.js new file mode 100644 index 0000000..7eef14d --- /dev/null +++ b/test/disabled/test-tls-server-connection-server.js @@ -0,0 +1,32 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = tls.createServer(options, function(s) { + s.end('hello'); +}).listen(0, function() { + const opts = { + port: this.address().port, + rejectUnauthorized: false + }; + + server.on('connection', common.mustCall(function(socket) { + assert.strictEqual(socket.server, server); + server.close(); + })); + + const client = tls.connect(opts, function() { + client.end(); + }); +}); diff --git a/test/disabled/test-tls-server-failed-handshake-emits-clienterror.js b/test/disabled/test-tls-server-failed-handshake-emits-clienterror.js new file mode 100644 index 0000000..8efb4ec --- /dev/null +++ b/test/disabled/test-tls-server-failed-handshake-emits-clienterror.js @@ -0,0 +1,28 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const net = require('net'); +const assert = require('assert'); + +const bonkers = Buffer.alloc(1024, 42); + + +const server = tls.createServer({}) + .listen(0, function() { + const c = net.connect({ port: this.address().port }, function() { + c.write(bonkers); + }); + + }).on('tlsClientError', common.mustCall(function(e) { + assert.ok(e instanceof Error, + 'Instance of Error should be passed to error handler'); + assert.ok( + /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message), + 'Expecting SSL unknown protocol'); + + server.close(); + })); diff --git a/test/disabled/test-tls-server-verify.js b/test/disabled/test-tls-server-verify.js new file mode 100644 index 0000000..7a106f6 --- /dev/null +++ b/test/disabled/test-tls-server-verify.js @@ -0,0 +1,348 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!common.opensslCli) + common.skip('node compiled without OpenSSL CLI.'); + +// This is a rather complex test which sets up various TLS servers with node +// and connects to them using the 'openssl s_client' command line utility +// with various keys. Depending on the certificate authority and other +// parameters given to the server, the various clients are +// - rejected, +// - accepted and "unauthorized", or +// - accepted and "authorized". + +const assert = require('assert'); +const { spawn } = require('child_process'); +const { SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION } = + require('crypto').constants; +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +const testCases = + [{ title: 'Do not request certs. Everyone is unauthorized.', + requestCert: false, + rejectUnauthorized: false, + renegotiate: false, + CAs: ['ca1-cert'], + clients: + [{ name: 'agent1', shouldReject: false, shouldAuth: false }, + { name: 'agent2', shouldReject: false, shouldAuth: false }, + { name: 'agent3', shouldReject: false, shouldAuth: false }, + { name: 'nocert', shouldReject: false, shouldAuth: false } + ] + }, + + { title: 'Allow both authed and unauthed connections with CA1', + requestCert: true, + rejectUnauthorized: false, + renegotiate: false, + CAs: ['ca1-cert'], + clients: + [{ name: 'agent1', shouldReject: false, shouldAuth: true }, + { name: 'agent2', shouldReject: false, shouldAuth: false }, + { name: 'agent3', shouldReject: false, shouldAuth: false }, + { name: 'nocert', shouldReject: false, shouldAuth: false } + ] + }, + + { title: 'Do not request certs at connection. Do that later', + requestCert: false, + rejectUnauthorized: false, + renegotiate: true, + CAs: ['ca1-cert'], + clients: + [{ name: 'agent1', shouldReject: false, shouldAuth: true }, + { name: 'agent2', shouldReject: false, shouldAuth: false }, + { name: 'agent3', shouldReject: false, shouldAuth: false }, + { name: 'nocert', shouldReject: false, shouldAuth: false } + ] + }, + + { title: 'Allow only authed connections with CA1', + requestCert: true, + rejectUnauthorized: true, + renegotiate: false, + CAs: ['ca1-cert'], + clients: + [{ name: 'agent1', shouldReject: false, shouldAuth: true }, + { name: 'agent2', shouldReject: true }, + { name: 'agent3', shouldReject: true }, + { name: 'nocert', shouldReject: true } + ] + }, + + { title: 'Allow only authed connections with CA1 and CA2', + requestCert: true, + rejectUnauthorized: true, + renegotiate: false, + CAs: ['ca1-cert', 'ca2-cert'], + clients: + [{ name: 'agent1', shouldReject: false, shouldAuth: true }, + { name: 'agent2', shouldReject: true }, + { name: 'agent3', shouldReject: false, shouldAuth: true }, + { name: 'nocert', shouldReject: true } + ] + }, + + + { title: 'Allow only certs signed by CA2 but not in the CRL', + requestCert: true, + rejectUnauthorized: true, + renegotiate: false, + CAs: ['ca2-cert'], + crl: 'ca2-crl', + clients: [ + { name: 'agent1', shouldReject: true, shouldAuth: false }, + { name: 'agent2', shouldReject: true, shouldAuth: false }, + { name: 'agent3', shouldReject: false, shouldAuth: true }, + // Agent4 has a cert in the CRL. + { name: 'agent4', shouldReject: true, shouldAuth: false }, + { name: 'nocert', shouldReject: true } + ] + } + ]; + + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + + +const serverKey = loadPEM('agent2-key'); +const serverCert = loadPEM('agent2-cert'); + + +function runClient(prefix, port, options, cb) { + + // Client can connect in three ways: + // - Self-signed cert + // - Certificate, but not signed by CA. + // - Certificate signed by CA. + + const args = ['s_client', '-connect', `127.0.0.1:${port}`]; + + // for the performance issue in s_client on Windows + if (common.isWindows) + args.push('-no_rand_screen'); + + console.log(`${prefix} connecting with`, options.name); + + switch (options.name) { + case 'agent1': + // Signed by CA1 + args.push('-key'); + args.push(filenamePEM('agent1-key')); + args.push('-cert'); + args.push(filenamePEM('agent1-cert')); + break; + + case 'agent2': + // Self-signed + // This is also the key-cert pair that the server will use. + args.push('-key'); + args.push(filenamePEM('agent2-key')); + args.push('-cert'); + args.push(filenamePEM('agent2-cert')); + break; + + case 'agent3': + // Signed by CA2 + args.push('-key'); + args.push(filenamePEM('agent3-key')); + args.push('-cert'); + args.push(filenamePEM('agent3-cert')); + break; + + case 'agent4': + // Signed by CA2 (rejected by ca2-crl) + args.push('-key'); + args.push(filenamePEM('agent4-key')); + args.push('-cert'); + args.push(filenamePEM('agent4-cert')); + break; + + case 'nocert': + // Do not send certificate + break; + + default: + throw new Error(`${prefix}Unknown agent name`); + } + + // To test use: openssl s_client -connect localhost:8000 + const client = spawn(common.opensslCli, args); + + let out = ''; + + let rejected = true; + let authed = false; + let goodbye = false; + + client.stdout.setEncoding('utf8'); + client.stdout.on('data', function(d) { + out += d; + + if (!goodbye && /_unauthed/.test(out)) { + console.error(`${prefix} * unauthed`); + goodbye = true; + client.kill(); + authed = false; + rejected = false; + } + + if (!goodbye && /_authed/.test(out)) { + console.error(`${prefix} * authed`); + goodbye = true; + client.kill(); + authed = true; + rejected = false; + } + }); + + //client.stdout.pipe(process.stdout); + + client.on('exit', function(code) { + //assert.strictEqual( + // 0, code, + // `${prefix}${options.name}: s_client exited with error code ${code}`); + if (options.shouldReject) { + assert.strictEqual( + true, rejected, + `${prefix}${options.name} NOT rejected, but should have been`); + } else { + assert.strictEqual( + false, rejected, + `${prefix}${options.name} rejected, but should NOT have been`); + assert.strictEqual( + options.shouldAuth, authed, + `${prefix}${options.name} authed is ${authed} but should have been ${ + options.shouldAuth}`); + } + + cb(); + }); +} + + +// Run the tests +let successfulTests = 0; +function runTest(port, testIndex) { + const prefix = `${testIndex} `; + const tcase = testCases[testIndex]; + if (!tcase) return; + + console.error(`${prefix}Running '%s'`, tcase.title); + + const cas = tcase.CAs.map(loadPEM); + + const crl = tcase.crl ? loadPEM(tcase.crl) : null; + + const serverOptions = { + key: serverKey, + cert: serverCert, + ca: cas, + crl: crl, + requestCert: tcase.requestCert, + rejectUnauthorized: tcase.rejectUnauthorized + }; + + /* + * If renegotiating - session might be resumed and openssl won't request + * client's certificate (probably because of bug in the openssl) + */ + if (tcase.renegotiate) { + serverOptions.secureOptions = + SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; + } + + let renegotiated = false; + const server = tls.Server(serverOptions, function handleConnection(c) { + c.on('error', function(e) { + // child.kill() leads ECONNRESET errro in the TLS connection of + // openssl s_client via spawn(). A Test result is already + // checked by the data of client.stdout before child.kill() so + // these tls errors can be ignored. + }); + if (tcase.renegotiate && !renegotiated) { + renegotiated = true; + setTimeout(function() { + console.error(`${prefix}- connected, renegotiating`); + c.write('\n_renegotiating\n'); + return c.renegotiate({ + requestCert: true, + rejectUnauthorized: false + }, function(err) { + assert(!err); + c.write('\n_renegotiated\n'); + handleConnection(c); + }); + }, 200); + return; + } + + if (c.authorized) { + console.error(`${prefix}- authed connection: ${ + c.getPeerCertificate().subject.CN}`); + c.write('\n_authed\n'); + } else { + console.error(`${prefix}- unauthed connection: %s`, c.authorizationError); + c.write('\n_unauthed\n'); + } + }); + + function runNextClient(clientIndex) { + const options = tcase.clients[clientIndex]; + if (options) { + runClient(`${prefix}${clientIndex} `, port, options, function() { + runNextClient(clientIndex + 1); + }); + } else { + server.close(); + successfulTests++; + runTest(port, nextTest++); + } + } + + server.listen(port, function() { + port = server.address().port; + if (tcase.debug) { + console.error(`${prefix}TLS server running on port ${port}`); + } else { + if (tcase.renegotiate) { + runNextClient(0); + } else { + let clientsCompleted = 0; + for (let i = 0; i < tcase.clients.length; i++) { + runClient(`${prefix}${i} `, port, tcase.clients[i], function() { + clientsCompleted++; + if (clientsCompleted === tcase.clients.length) { + server.close(); + successfulTests++; + runTest(port, nextTest++); + } + }); + } + } + } + }); +} + + +let nextTest = 0; +runTest(0, nextTest++); +runTest(0, nextTest++); + + +process.on('exit', function() { + assert.strictEqual(successfulTests, testCases.length); +}); diff --git a/test/disabled/test-tls-session-cache.js b/test/disabled/test-tls-session-cache.js new file mode 100644 index 0000000..326e760 --- /dev/null +++ b/test/disabled/test-tls-session-cache.js @@ -0,0 +1,127 @@ +'use strict'; +const common = require('../common'); + +if (!common.opensslCli) + common.skip('node compiled without OpenSSL CLI.'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +doTest({ tickets: false }, function() { + doTest({ tickets: true }, function() { + console.error('all done'); + }); +}); + +function doTest(testOptions, callback) { + const assert = require('assert'); + const tls = require('tls'); + const fs = require('fs'); + const join = require('path').join; + const spawn = require('child_process').spawn; + + const keyFile = join(common.fixturesDir, 'agent.key'); + const certFile = join(common.fixturesDir, 'agent.crt'); + const key = fs.readFileSync(keyFile); + const cert = fs.readFileSync(certFile); + const options = { + key: key, + cert: cert, + ca: [cert], + requestCert: true + }; + let requestCount = 0; + let resumeCount = 0; + let session; + + const server = tls.createServer(options, function(cleartext) { + cleartext.on('error', function(er) { + // We're ok with getting ECONNRESET in this test, but it's + // timing-dependent, and thus unreliable. Any other errors + // are just failures, though. + if (er.code !== 'ECONNRESET') + throw er; + }); + ++requestCount; + cleartext.end(); + }); + server.on('newSession', function(id, data, cb) { + // Emulate asynchronous store + setTimeout(function() { + assert.ok(!session); + session = { + id: id, + data: data + }; + cb(); + }, 1000); + }); + server.on('resumeSession', function(id, callback) { + ++resumeCount; + assert.ok(session); + assert.strictEqual(session.id.toString('hex'), id.toString('hex')); + + // Just to check that async really works there + setTimeout(function() { + callback(null, session.data); + }, 100); + }); + + server.listen(0, function() { + const args = [ + 's_client', + '-tls1', + '-connect', `localhost:${this.address().port}`, + '-servername', 'ohgod', + '-key', join(common.fixturesDir, 'agent.key'), + '-cert', join(common.fixturesDir, 'agent.crt'), + '-reconnect' + ].concat(testOptions.tickets ? [] : '-no_ticket'); + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + args.push('-no_rand_screen'); + + function spawnClient() { + const client = spawn(common.opensslCli, args, { + stdio: [ 0, 1, 'pipe' ] + }); + let err = ''; + client.stderr.setEncoding('utf8'); + client.stderr.on('data', function(chunk) { + err += chunk; + }); + + client.on('exit', common.mustCall(function(code, signal) { + if (code !== 0) { + // If SmartOS and connection refused, then retry. See + // https://github.com/nodejs/node/issues/2663. + if (common.isSunOS && err.includes('Connection refused')) { + requestCount = 0; + spawnClient(); + return; + } + common.fail(`code: ${code}, signal: ${signal}, output: ${err}`); + } + assert.strictEqual(code, 0); + server.close(common.mustCall(function() { + setTimeout(callback, 100); + })); + })); + } + + spawnClient(); + }); + + process.on('exit', function() { + if (testOptions.tickets) { + assert.strictEqual(requestCount, 6); + assert.strictEqual(resumeCount, 0); + } else { + // initial request + reconnect requests (5 times) + assert.ok(session); + assert.strictEqual(requestCount, 6); + assert.strictEqual(resumeCount, 5); + } + }); +} diff --git a/test/disabled/test-tls-set-ciphers.js b/test/disabled/test-tls-set-ciphers.js new file mode 100644 index 0000000..d53029e --- /dev/null +++ b/test/disabled/test-tls-set-ciphers.js @@ -0,0 +1,45 @@ +'use strict'; +const common = require('../common'); + +if (!common.opensslCli) + common.skip('node compiled without OpenSSL CLI.'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const exec = require('child_process').exec; +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), + ciphers: 'DES-CBC3-SHA' +}; + +const reply = 'I AM THE WALRUS'; // something recognizable +let response = ''; + +process.on('exit', function() { + assert.notStrictEqual(response.indexOf(reply), -1); +}); + +const server = tls.createServer(options, common.mustCall(function(conn) { + conn.end(reply); +})); + +server.listen(0, '127.0.0.1', function() { + let cmd = `"${common.opensslCli}" s_client -cipher ${ + options.ciphers} -connect 127.0.0.1:${this.address().port}`; + + // for the performance and stability issue in s_client on Windows + if (common.isWindows) + cmd += ' -no_rand_screen'; + + exec(cmd, function(err, stdout, stderr) { + if (err) throw err; + response = stdout; + server.close(); + }); +}); diff --git a/test/disabled/test-tls-set-encoding.js b/test/disabled/test-tls-set-encoding.js new file mode 100644 index 0000000..4114ee5 --- /dev/null +++ b/test/disabled/test-tls-set-encoding.js @@ -0,0 +1,58 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) +}; + +// Contains a UTF8 only character +const messageUtf8 = 'x√ab c'; + +// The same string above represented with ASCII +const messageAscii = 'xb\b\u001aab c'; + +const server = tls.Server(options, common.mustCall(function(socket) { + socket.end(messageUtf8); +})); + + +server.listen(0, function() { + const client = tls.connect({ + port: this.address().port, + rejectUnauthorized: false + }); + + let buffer = ''; + + client.setEncoding('ascii'); + + client.on('data', function(d) { + assert.ok(typeof d === 'string'); + buffer += d; + }); + + + client.on('close', function() { + // readyState is deprecated but we want to make + // sure this isn't triggering an assert in lib/net.js + // See issue #1069. + assert.strictEqual('closed', client.readyState); + + // Confirming the buffer string is encoded in ASCII + // and thus does NOT match the UTF8 string + assert.notStrictEqual(buffer, messageUtf8); + + // Confirming the buffer string is encoded in ASCII + // and thus does equal the ASCII string representation + assert.strictEqual(buffer, messageAscii); + + server.close(); + }); +}); diff --git a/test/disabled/test-tls-sni-option.js b/test/disabled/test-tls-sni-option.js new file mode 100644 index 0000000..ff3e2ef --- /dev/null +++ b/test/disabled/test-tls-sni-option.js @@ -0,0 +1,168 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!process.features.tls_sni) + common.skip('node compiled without OpenSSL or with old OpenSSL version.'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const serverOptions = { + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert'), + requestCert: true, + rejectUnauthorized: false, + SNICallback: function(servername, callback) { + const context = SNIContexts[servername]; + + // Just to test asynchronous callback + setTimeout(function() { + if (context) { + if (context.emptyRegression) + callback(null, {}); + else + callback(null, tls.createSecureContext(context)); + } else { + callback(null, null); + } + }, 100); + } +}; + +let SNIContexts = { + 'a.example.com': { + key: loadPEM('agent1-key'), + cert: loadPEM('agent1-cert'), + ca: [ loadPEM('ca2-cert') ] + }, + 'b.example.com': { + key: loadPEM('agent3-key'), + cert: loadPEM('agent3-cert') + }, + 'c.another.com': { + emptyRegression: true + } +}; + +const clientsOptions = [{ + port: undefined, + key: loadPEM('agent1-key'), + cert: loadPEM('agent1-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'a.example.com', + rejectUnauthorized: false +}, { + port: undefined, + key: loadPEM('agent4-key'), + cert: loadPEM('agent4-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'a.example.com', + rejectUnauthorized: false +}, { + port: undefined, + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert'), + ca: [loadPEM('ca2-cert')], + servername: 'b.example.com', + rejectUnauthorized: false +}, { + port: undefined, + key: loadPEM('agent3-key'), + cert: loadPEM('agent3-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'c.wrong.com', + rejectUnauthorized: false +}, { + port: undefined, + key: loadPEM('agent3-key'), + cert: loadPEM('agent3-cert'), + ca: [loadPEM('ca1-cert')], + servername: 'c.another.com', + rejectUnauthorized: false +}]; + +const serverResults = []; +const clientResults = []; +const serverErrors = []; +const clientErrors = []; +let serverError; +let clientError; + +const server = tls.createServer(serverOptions, function(c) { + serverResults.push({ sni: c.servername, authorized: c.authorized }); +}); + +server.on('tlsClientError', function(err) { + serverResults.push(null); + serverError = err.message; +}); + +server.listen(0, startTest); + +function startTest() { + function connectClient(i, callback) { + const options = clientsOptions[i]; + clientError = null; + serverError = null; + + options.port = server.address().port; + const client = tls.connect(options, function() { + clientResults.push( + /Hostname\/IP doesn't/.test(client.authorizationError || '')); + client.destroy(); + + next(); + }); + + client.on('error', function(err) { + clientResults.push(false); + clientError = err.message; + next(); + }); + + function next() { + clientErrors.push(clientError); + serverErrors.push(serverError); + + if (i === clientsOptions.length - 1) + callback(); + else + connectClient(i + 1, callback); + } + } + + connectClient(0, function() { + server.close(); + }); +} + +process.on('exit', function() { + assert.deepStrictEqual(serverResults, [ + { sni: 'a.example.com', authorized: false }, + { sni: 'a.example.com', authorized: true }, + { sni: 'b.example.com', authorized: false }, + { sni: 'c.wrong.com', authorized: false }, + null + ]); + assert.deepStrictEqual(clientResults, [true, true, true, false, false]); + assert.deepStrictEqual(clientErrors, [ + null, null, null, null, 'socket hang up' + ]); + assert.deepStrictEqual(serverErrors, [ + null, null, null, null, 'Invalid SNI context' + ]); +}); diff --git a/test/disabled/test-tls-sni-server-client.js b/test/disabled/test-tls-sni-server-client.js new file mode 100644 index 0000000..ebe51f2 --- /dev/null +++ b/test/disabled/test-tls-sni-server-client.js @@ -0,0 +1,113 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +if (!process.features.tls_sni) + common.skip('node compiled without OpenSSL or with old OpenSSL version.'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const serverOptions = { + key: loadPEM('agent2-key'), + cert: loadPEM('agent2-cert') +}; + +const SNIContexts = { + 'a.example.com': { + key: loadPEM('agent1-key'), + cert: loadPEM('agent1-cert') + }, + 'asterisk.test.com': { + key: loadPEM('agent3-key'), + cert: loadPEM('agent3-cert') + }, + 'chain.example.com': { + key: loadPEM('agent6-key'), + // NOTE: Contains ca3 chain cert + cert: loadPEM('agent6-cert') + } +}; + +const clientsOptions = [{ + port: undefined, + ca: [loadPEM('ca1-cert')], + servername: 'a.example.com', + rejectUnauthorized: false +}, { + port: undefined, + ca: [loadPEM('ca2-cert')], + servername: 'b.test.com', + rejectUnauthorized: false +}, { + port: undefined, + ca: [loadPEM('ca2-cert')], + servername: 'a.b.test.com', + rejectUnauthorized: false +}, { + port: undefined, + ca: [loadPEM('ca1-cert')], + servername: 'c.wrong.com', + rejectUnauthorized: false +}, { + port: undefined, + ca: [loadPEM('ca1-cert')], + servername: 'chain.example.com', + rejectUnauthorized: false +}]; + +const serverResults = []; +const clientResults = []; + +const server = tls.createServer(serverOptions, function(c) { + serverResults.push(c.servername); +}); + +server.addContext('a.example.com', SNIContexts['a.example.com']); +server.addContext('*.test.com', SNIContexts['asterisk.test.com']); +server.addContext('chain.example.com', SNIContexts['chain.example.com']); + +server.listen(0, startTest); + +function startTest() { + let i = 0; + function start() { + // No options left + if (i === clientsOptions.length) + return server.close(); + + const options = clientsOptions[i++]; + options.port = server.address().port; + const client = tls.connect(options, function() { + clientResults.push( + client.authorizationError && + /Hostname\/IP doesn't/.test(client.authorizationError)); + client.destroy(); + + // Continue + start(); + }); + } + + start(); +} + +process.on('exit', function() { + assert.deepStrictEqual(serverResults, [ + 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com', + 'chain.example.com' + ]); + assert.deepStrictEqual(clientResults, [true, true, false, false, true]); +}); diff --git a/test/disabled/test-tls-socket-close.js b/test/disabled/test-tls-socket-close.js new file mode 100644 index 0000000..f9a77bf --- /dev/null +++ b/test/disabled/test-tls-socket-close.js @@ -0,0 +1,67 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const net = require('net'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); + +let tlsSocket; +// tls server +const tlsServer = tls.createServer({ cert, key }, (socket) => { + tlsSocket = socket; + socket.on('error', common.mustCall((error) => { + assert.strictEqual(error.code, 'EINVAL'); + tlsServer.close(); + netServer.close(); + })); +}); + +let netSocket; +// plain tcp server +const netServer = net.createServer((socket) => { + // if client wants to use tls + tlsServer.emit('connection', socket); + + netSocket = socket; +}).listen(0, common.mustCall(function() { + connectClient(netServer); +})); + +function connectClient(server) { + const tlsConnection = tls.connect({ + host: 'localhost', + port: server.address().port, + rejectUnauthorized: false + }); + + tlsConnection.write('foo', 'utf8', common.mustCall(() => { + assert(netSocket); + netSocket.setTimeout(1, common.mustCall(() => { + assert(tlsSocket); + // this breaks if TLSSocket is already managing the socket: + netSocket.destroy(); + const interval = setInterval(() => { + // Checking this way allows us to do the write at a time that causes a + // segmentation fault (not always, but often) in Node.js 7.7.3 and + // earlier. If we instead, for example, wait on the `close` event, then + // it will not segmentation fault, which is what this test is all about. + if (tlsSocket._handle._parent.bytesRead === 0) { + tlsSocket.write('bar'); + clearInterval(interval); + } + }, 1); + })); + })); + tlsConnection.on('error', (e) => { + // Tolerate the occasional ECONNRESET. + // Ref: https://github.com/nodejs/node/issues/13184 + if (e.code !== 'ECONNRESET') + throw e; + }); +} diff --git a/test/disabled/test-tls-socket-default-options.js b/test/disabled/test-tls-socket-default-options.js new file mode 100644 index 0000000..66f2689 --- /dev/null +++ b/test/disabled/test-tls-socket-default-options.js @@ -0,0 +1,67 @@ +'use strict'; +const common = require('../common'); + +// Test directly created TLS sockets and options. + +const assert = require('assert'); +const join = require('path').join; +const { + connect, keys, tls +} = require(join(common.fixturesDir, 'tls-connect')); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +test(undefined, (err) => { + assert.strictEqual(err.message, 'unable to verify the first certificate'); +}); + +test({}, (err) => { + assert.strictEqual(err.message, 'unable to verify the first certificate'); +}); + +test({secureContext: tls.createSecureContext({ca: keys.agent1.ca})}, (err) => { + assert.ifError(err); +}); + +test({ca: keys.agent1.ca}, (err) => { + assert.ifError(err); +}); + +// Secure context options, like ca, are ignored if a sec ctx is explicitly +// provided. +test({secureContext: tls.createSecureContext(), ca: keys.agent1.ca}, (err) => { + assert.strictEqual(err.message, 'unable to verify the first certificate'); +}); + +function test(client, callback) { + callback = common.mustCall(callback); + connect({ + server: { + key: keys.agent1.key, + cert: keys.agent1.cert, + }, + }, function(err, pair, cleanup) { + assert.strictEqual(err.message, 'unable to verify the first certificate'); + let recv = ''; + pair.server.server.once('secureConnection', common.mustCall((conn) => { + conn.on('data', (data) => recv += data); + conn.on('end', common.mustCall(() => { + // Server sees nothing wrong with connection, even though the client's + // authentication of the server cert failed. + assert.strictEqual(recv, 'hello'); + cleanup(); + })); + })); + + // Client doesn't support the 'secureConnect' event, and doesn't error if + // authentication failed. Caller must explicitly check for failure. + (new tls.TLSSocket(null, client)).connect(pair.server.server.address().port) + .on('connect', common.mustCall(function() { + this.end('hello'); + })) + .on('secure', common.mustCall(function() { + callback(this.ssl.verifyError()); + })); + }); +} diff --git a/test/disabled/test-tls-socket-destroy.js b/test/disabled/test-tls-socket-destroy.js new file mode 100644 index 0000000..b101a87 --- /dev/null +++ b/test/disabled/test-tls-socket-destroy.js @@ -0,0 +1,34 @@ +'use strict'; + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const fs = require('fs'); +const net = require('net'); +const tls = require('tls'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); +const secureContext = tls.createSecureContext({ key, cert }); + +const server = net.createServer(common.mustCall((conn) => { + const options = { isServer: true, secureContext, server }; + const socket = new tls.TLSSocket(conn, options); + socket.once('data', common.mustCall(() => { + socket._destroySSL(); // Should not crash. + server.close(); + })); +})); + +server.listen(0, function() { + const options = { + port: this.address().port, + rejectUnauthorized: false, + }; + tls.connect(options, function() { + this.write('*'.repeat(1 << 20)); // Write more data than fits in a frame. + this.on('error', this.destroy); // Server closes connection on us. + }); +}); diff --git a/test/disabled/test-tls-socket-failed-handshake-emits-error.js b/test/disabled/test-tls-socket-failed-handshake-emits-error.js new file mode 100644 index 0000000..16175b8 --- /dev/null +++ b/test/disabled/test-tls-socket-failed-handshake-emits-error.js @@ -0,0 +1,37 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const net = require('net'); +const assert = require('assert'); + +const bonkers = Buffer.alloc(1024, 42); + +const server = net.createServer(function(c) { + setTimeout(function() { + const s = new tls.TLSSocket(c, { + isServer: true, + server: server + }); + + s.on('error', common.mustCall(function(e) { + assert.ok(e instanceof Error, + 'Instance of Error should be passed to error handler'); + assert.ok( + /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message), + 'Expecting SSL unknown protocol'); + })); + + s.on('close', function() { + server.close(); + s.destroy(); + }); + }, common.platformTimeout(200)); +}).listen(0, function() { + const c = net.connect({port: this.address().port}, function() { + c.write(bonkers); + }); +}); diff --git a/test/disabled/test-tls-startcom-wosign-whitelist.js b/test/disabled/test-tls-startcom-wosign-whitelist.js new file mode 100644 index 0000000..92d595e --- /dev/null +++ b/test/disabled/test-tls-startcom-wosign-whitelist.js @@ -0,0 +1,89 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const fs = require('fs'); +const path = require('path'); +const tls = require('tls'); + +let finished = 0; + +function filenamePEM(n) { + return path.join(common.fixturesDir, 'keys', `${n}.pem`); +} + +function loadPEM(n) { + return fs.readFileSync(filenamePEM(n)); +} + +const testCases = [ + { // agent8 is signed by fake-startcom-root with notBefore of + // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check. + serverOpts: { + key: loadPEM('agent8-key'), + cert: loadPEM('agent8-cert') + }, + clientOpts: { + ca: loadPEM('fake-startcom-root-cert'), + port: undefined, + rejectUnauthorized: true + }, + errorCode: 'CERT_OK' + }, + { // agent9 is signed by fake-startcom-root with notBefore of + // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check. + serverOpts: { + key: loadPEM('agent9-key'), + cert: loadPEM('agent9-cert') + }, + clientOpts: { + ca: loadPEM('fake-startcom-root-cert'), + port: undefined, + rejectUnauthorized: true + }, + errorCode: 'CERT_REVOKED' + } +]; + + +function runNextTest(server, tindex) { + server.close(function() { + finished++; + runTest(tindex + 1); + }); +} + + +function runTest(tindex) { + const tcase = testCases[tindex]; + + if (!tcase) return; + + const server = tls.createServer(tcase.serverOpts, function(s) { + s.resume(); + }).listen(0, function() { + tcase.clientOpts.port = this.address().port; + const client = tls.connect(tcase.clientOpts); + client.on('error', function(e) { + assert.strictEqual(e.code, tcase.errorCode); + runNextTest(server, tindex); + }); + + client.on('secureConnect', function() { + // agent8 can pass StartCom/WoSign check so that the secureConnect + // is established. + assert.strictEqual(tcase.errorCode, 'CERT_OK'); + client.end(); + runNextTest(server, tindex); + }); + }); +} + + +runTest(0); + +process.on('exit', function() { + assert.strictEqual(finished, testCases.length); +}); diff --git a/test/disabled/test-tls-starttls-server.js b/test/disabled/test-tls-starttls-server.js new file mode 100644 index 0000000..28d1db8 --- /dev/null +++ b/test/disabled/test-tls-starttls-server.js @@ -0,0 +1,51 @@ +'use strict'; + +// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to +// `net.Server` instead of `tls.Server` + +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const fs = require('fs'); +const net = require('net'); +const tls = require('tls'); + +const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); +const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); + +const server = net.createServer(common.mustCall((s) => { + const tlsSocket = new tls.TLSSocket(s, { + isServer: true, + server: server, + + secureContext: tls.createSecureContext({ + key: key, + cert: cert + }), + + SNICallback: common.mustCall((hostname, callback) => { + assert.strictEqual(hostname, 'test.test'); + + callback(null, null); + }) + }); + + tlsSocket.on('secure', common.mustCall(() => { + tlsSocket.end(); + server.close(); + })); +})).listen(0, () => { + const opts = { + servername: 'test.test', + port: server.address().port, + rejectUnauthorized: false, + requestOCSP: true + }; + + tls.connect(opts, function() { + this.end(); + }); +}); diff --git a/test/disabled/test-tls-ticket-cluster.js b/test/disabled/test-tls-ticket-cluster.js new file mode 100644 index 0000000..49c4c34 --- /dev/null +++ b/test/disabled/test-tls-ticket-cluster.js @@ -0,0 +1,108 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const cluster = require('cluster'); +const fs = require('fs'); +const join = require('path').join; + +const workerCount = 4; +const expectedReqCount = 16; + +if (cluster.isMaster) { + let reusedCount = 0; + let reqCount = 0; + let lastSession = null; + let shootOnce = false; + let workerPort = null; + + function shoot() { + console.error('[master] connecting', workerPort); + const c = tls.connect(workerPort, { + session: lastSession, + rejectUnauthorized: false + }, function() { + lastSession = c.getSession(); + c.end(); + + if (++reqCount === expectedReqCount) { + Object.keys(cluster.workers).forEach(function(id) { + cluster.workers[id].send('die'); + }); + } else { + shoot(); + } + }); + } + + function fork() { + const worker = cluster.fork(); + worker.on('message', function({ msg, port }) { + console.error('[master] got %j', msg); + if (msg === 'reused') { + ++reusedCount; + } else if (msg === 'listening' && !shootOnce) { + workerPort = port || workerPort; + shootOnce = true; + shoot(); + } + }); + + worker.on('exit', function() { + console.error('[master] worker died'); + }); + } + for (let i = 0; i < workerCount; i++) { + fork(); + } + + process.on('exit', function() { + assert.strictEqual(reqCount, expectedReqCount); + assert.strictEqual(reusedCount + 1, reqCount); + }); + return; +} + +const keyFile = join(common.fixturesDir, 'agent.key'); +const certFile = join(common.fixturesDir, 'agent.crt'); +const key = fs.readFileSync(keyFile); +const cert = fs.readFileSync(certFile); +const options = { + key: key, + cert: cert +}; + +const server = tls.createServer(options, function(c) { + if (c.isSessionReused()) { + process.send({ msg: 'reused' }); + } else { + process.send({ msg: 'not-reused' }); + } + c.end(); +}); + +server.listen(0, function() { + const { port } = server.address(); + process.send({ + msg: 'listening', + port, + }); +}); + +process.on('message', function listener(msg) { + console.error('[worker] got %j', msg); + if (msg === 'die') { + server.close(function() { + console.error('[worker] server close'); + + process.exit(); + }); + } +}); + +process.on('exit', function() { + console.error('[worker] exit'); +}); diff --git a/test/disabled/test-tls-ticket.js b/test/disabled/test-tls-ticket.js new file mode 100644 index 0000000..3d6f7a4 --- /dev/null +++ b/test/disabled/test-tls-ticket.js @@ -0,0 +1,98 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); +const net = require('net'); +const crypto = require('crypto'); + +const keys = crypto.randomBytes(48); +const serverLog = []; +const ticketLog = []; + +let serverCount = 0; +function createServer() { + const id = serverCount++; + + let counter = 0; + let previousKey = null; + + const server = tls.createServer({ + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), + ticketKeys: keys + }, function(c) { + serverLog.push(id); + c.end(); + + counter++; + + // Rotate ticket keys + if (counter === 1) { + previousKey = server.getTicketKeys(); + server.setTicketKeys(crypto.randomBytes(48)); + } else if (counter === 2) { + server.setTicketKeys(previousKey); + } else if (counter === 3) { + // Use keys from counter=2 + } else { + throw new Error('UNREACHABLE'); + } + }); + + return server; +} + +const naturalServers = [ createServer(), createServer(), createServer() ]; + +// 3x servers +const servers = naturalServers.concat(naturalServers).concat(naturalServers); + +// Create one TCP server and balance sockets to multiple TLS server instances +const shared = net.createServer(function(c) { + servers.shift().emit('connection', c); +}).listen(0, function() { + start(function() { + shared.close(); + }); +}); + +function start(callback) { + let sess = null; + let left = servers.length; + + function connect() { + const s = tls.connect(shared.address().port, { + session: sess, + rejectUnauthorized: false + }, function() { + sess = sess || s.getSession(); + ticketLog.push(s.getTLSTicket().toString('hex')); + }); + s.on('close', function() { + if (--left === 0) + callback(); + else + connect(); + }); + } + + connect(); +} + +process.on('exit', function() { + assert.strictEqual(ticketLog.length, serverLog.length); + for (let i = 0; i < naturalServers.length - 1; i++) { + assert.notStrictEqual(serverLog[i], serverLog[i + 1]); + assert.strictEqual(ticketLog[i], ticketLog[i + 1]); + + // 2nd connection should have different ticket + assert.notStrictEqual(ticketLog[i], ticketLog[i + naturalServers.length]); + + // 3rd connection should have the same ticket + assert.strictEqual(ticketLog[i], ticketLog[i + naturalServers.length * 2]); + } +}); diff --git a/test/disabled/test-tls-timeout-server-2.js b/test/disabled/test-tls-timeout-server-2.js new file mode 100644 index 0000000..a462750 --- /dev/null +++ b/test/disabled/test-tls-timeout-server-2.js @@ -0,0 +1,29 @@ +'use strict'; +const common = require('../common'); +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = tls.createServer(options, common.mustCall(function(cleartext) { + const s = cleartext.setTimeout(50, function() { + cleartext.destroy(); + server.close(); + }); + assert.ok(s instanceof tls.TLSSocket); +})); + +server.listen(0, common.mustCall(function() { + tls.connect({ + host: '127.0.0.1', + port: this.address().port, + rejectUnauthorized: false + }); +})); diff --git a/test/disabled/test-tls-timeout-server.js b/test/disabled/test-tls-timeout-server.js new file mode 100644 index 0000000..b983e2c --- /dev/null +++ b/test/disabled/test-tls-timeout-server.js @@ -0,0 +1,26 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); +const net = require('net'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), + handshakeTimeout: 50 +}; + +const server = tls.createServer(options, common.mustNotCall()); + +server.on('tlsClientError', common.mustCall(function(err, conn) { + conn.destroy(); + server.close(); +})); + +server.listen(0, common.mustCall(function() { + net.connect({ host: '127.0.0.1', port: this.address().port }); +})); diff --git a/test/disabled/test-tls-two-cas-one-string.js b/test/disabled/test-tls-two-cas-one-string.js new file mode 100644 index 0000000..10d626b --- /dev/null +++ b/test/disabled/test-tls-two-cas-one-string.js @@ -0,0 +1,34 @@ +'use strict'; + +const common = require('../common'); +const tls = require('tls'); +const fs = require('fs'); + +const ca1 = + fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`, 'utf8'); +const ca2 = + fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`, 'utf8'); +const cert = + fs.readFileSync(`${common.fixturesDir}/keys/agent3-cert.pem`, 'utf8'); +const key = + fs.readFileSync(`${common.fixturesDir}/keys/agent3-key.pem`, 'utf8'); + +function test(ca, next) { + const server = tls.createServer({ ca, cert, key }, function(conn) { + this.close(); + conn.end(); + }); + + server.addContext('agent3', { ca, cert, key }); + + const host = common.localhostIPv4; + server.listen(0, host, function() { + tls.connect({ servername: 'agent3', host, port: this.address().port, ca }); + }); + + server.once('close', next); +} + +const array = [ca1, ca2]; +const string = `${ca1}\n${ca2}`; +test(array, () => test(string, () => {})); diff --git a/test/disabled/test-tls-wrap-no-abort.js b/test/disabled/test-tls-wrap-no-abort.js new file mode 100644 index 0000000..a64aea0 --- /dev/null +++ b/test/disabled/test-tls-wrap-no-abort.js @@ -0,0 +1,8 @@ +'use strict'; + +require('../common'); +const util = require('util'); +const TLSWrap = process.binding('tls_wrap').TLSWrap; + +// This will abort if internal pointer is not set to nullptr. +util.inspect(new TLSWrap()); diff --git a/test/disabled/test-tls-wrap-timeout.js b/test/disabled/test-tls-wrap-timeout.js new file mode 100644 index 0000000..b4cff36 --- /dev/null +++ b/test/disabled/test-tls-wrap-timeout.js @@ -0,0 +1,53 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const tls = require('tls'); + +const net = require('net'); +const fs = require('fs'); + +const options = { + key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), + cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) +}; + +const server = tls.createServer(options, common.mustCall((c) => { + setImmediate(() => { + c.write('hello', () => { + setImmediate(() => { + c.destroy(); + server.close(); + }); + }); + }); +})); + +let socket; +let lastIdleStart; + +server.listen(0, () => { + socket = net.connect(server.address().port, function() { + const s = socket.setTimeout(Number.MAX_VALUE, function() { + throw new Error('timeout'); + }); + assert.ok(s instanceof net.Socket); + + assert.notStrictEqual(socket._idleTimeout, -1); + lastIdleStart = socket._idleStart; + + const tsocket = tls.connect({ + socket: socket, + rejectUnauthorized: false + }); + tsocket.resume(); + }); +}); + +process.on('exit', () => { + assert.strictEqual(socket._idleTimeout, -1); + assert(lastIdleStart < socket._idleStart); +}); diff --git a/test/disabled/test-tls-writewrap-leak.js b/test/disabled/test-tls-writewrap-leak.js new file mode 100644 index 0000000..bc09044 --- /dev/null +++ b/test/disabled/test-tls-writewrap-leak.js @@ -0,0 +1,24 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const assert = require('assert'); +const net = require('net'); +const tls = require('tls'); + +const server = net.createServer(common.mustCall((c) => { + c.destroy(); +})).listen(0, common.mustCall(() => { + const c = tls.connect({ port: server.address().port }); + c.on('error', () => { + // Otherwise `.write()` callback won't be invoked. + c.destroyed = false; + }); + + c.write('hello', common.mustCall((err) => { + assert.strictEqual(err.code, 'ECANCELED'); + server.close(); + })); +})); diff --git a/test/disabled/test-tls-zero-clear-in.js b/test/disabled/test-tls-zero-clear-in.js new file mode 100644 index 0000000..8192660 --- /dev/null +++ b/test/disabled/test-tls-zero-clear-in.js @@ -0,0 +1,41 @@ +'use strict'; +const common = require('../common'); + +if (!common.hasCrypto) + common.skip('missing crypto'); + +const tls = require('tls'); + +const fs = require('fs'); +const path = require('path'); + +const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); +const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); + +const server = tls.createServer({ + cert: cert, + key: key +}, function(c) { + // Nop + setTimeout(function() { + c.end(); + server.close(); + }, 20); +}).listen(0, common.mustCall(function() { + const conn = tls.connect({ + cert: cert, + key: key, + rejectUnauthorized: false, + port: this.address().port + }, function() { + setTimeout(function() { + conn.destroy(); + }, 20); + }); + + // SSL_write() call's return value, when called 0 bytes, should not be + // treated as error. + conn.end(''); + + conn.on('error', common.mustNotCall()); +})); diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js deleted file mode 100644 index 547629e..0000000 --- a/test/parallel/test-crypto-dh.js +++ /dev/null @@ -1,319 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const crypto = require('crypto'); - -const DH_NOT_SUITABLE_GENERATOR = crypto.constants.DH_NOT_SUITABLE_GENERATOR; - -// Test Diffie-Hellman with two parties sharing a secret, -// using various encodings as we go along -const dh1 = crypto.createDiffieHellman(common.hasFipsCrypto ? 1024 : 256); -const p1 = dh1.getPrime('buffer'); -const dh2 = crypto.createDiffieHellman(p1, 'buffer'); -let key1 = dh1.generateKeys(); -let key2 = dh2.generateKeys('hex'); -let secret1 = dh1.computeSecret(key2, 'hex', 'base64'); -let secret2 = dh2.computeSecret(key1, 'latin1', 'buffer'); - -assert.strictEqual(secret2.toString('base64'), secret1); -assert.strictEqual(dh1.verifyError, 0); -assert.strictEqual(dh2.verifyError, 0); - -const argumentsError = - /^TypeError: First argument should be number, string or Buffer$/; - -assert.throws(() => { - crypto.createDiffieHellman([0x1, 0x2]); -}, argumentsError); - -assert.throws(() => { - crypto.createDiffieHellman(() => { }); -}, argumentsError); - -assert.throws(() => { - crypto.createDiffieHellman(/abc/); -}, argumentsError); - -assert.throws(() => { - crypto.createDiffieHellman({}); -}, argumentsError); - -// Create "another dh1" using generated keys from dh1, -// and compute secret again -const dh3 = crypto.createDiffieHellman(p1, 'buffer'); -const privkey1 = dh1.getPrivateKey(); -dh3.setPublicKey(key1); -dh3.setPrivateKey(privkey1); - -assert.deepStrictEqual(dh1.getPrime(), dh3.getPrime()); -assert.deepStrictEqual(dh1.getGenerator(), dh3.getGenerator()); -assert.deepStrictEqual(dh1.getPublicKey(), dh3.getPublicKey()); -assert.deepStrictEqual(dh1.getPrivateKey(), dh3.getPrivateKey()); -assert.strictEqual(dh3.verifyError, 0); - -const secret3 = dh3.computeSecret(key2, 'hex', 'base64'); - -assert.strictEqual(secret1, secret3); - -const wrongBlockLength = - new RegExp('^Error: error:0606506D:digital envelope' + - ' routines:EVP_DecryptFinal_ex:wrong final block length$'); - -// Run this one twice to make sure that the dh3 clears its error properly -{ - const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), ''); - assert.throws(() => { - c.final('utf8'); - }, wrongBlockLength); -} - -{ - const c = crypto.createDecipheriv('aes-128-ecb', crypto.randomBytes(16), ''); - assert.throws(() => { - c.final('utf8'); - }, wrongBlockLength); -} - -assert.throws(() => { - dh3.computeSecret(''); -}, /^Error: Supplied key is too small$/); - -// Create a shared using a DH group. -const alice = crypto.createDiffieHellmanGroup('modp5'); -const bob = crypto.createDiffieHellmanGroup('modp5'); -alice.generateKeys(); -bob.generateKeys(); -const aSecret = alice.computeSecret(bob.getPublicKey()).toString('hex'); -const bSecret = bob.computeSecret(alice.getPublicKey()).toString('hex'); -assert.strictEqual(aSecret, bSecret); -assert.strictEqual(alice.verifyError, DH_NOT_SUITABLE_GENERATOR); -assert.strictEqual(bob.verifyError, DH_NOT_SUITABLE_GENERATOR); - -/* Ensure specific generator (buffer) works as expected. - * The values below (modp2/modp2buf) are for a 1024 bits long prime from - * RFC 2412 E.2, see https://tools.ietf.org/html/rfc2412. */ -const modp2 = crypto.createDiffieHellmanGroup('modp2'); -const modp2buf = Buffer.from([ - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, - 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, 0xc4, 0xc6, 0x62, 0x8b, - 0x80, 0xdc, 0x1c, 0xd1, 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, - 0xcc, 0x74, 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, - 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, 0xef, 0x95, - 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, - 0xf2, 0x5f, 0x14, 0x37, 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, - 0xc2, 0x45, 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, - 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, - 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, 0xee, 0x38, 0x6b, 0xfb, - 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, - 0x1f, 0xe6, 0x49, 0x28, 0x66, 0x51, 0xec, 0xe6, 0x53, 0x81, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff -]); -const exmodp2 = crypto.createDiffieHellman(modp2buf, Buffer.from([2])); -modp2.generateKeys(); -exmodp2.generateKeys(); -let modp2Secret = modp2.computeSecret(exmodp2.getPublicKey()).toString('hex'); -const exmodp2Secret = exmodp2.computeSecret(modp2.getPublicKey()) - .toString('hex'); -assert.strictEqual(modp2Secret, exmodp2Secret); -assert.strictEqual(modp2.verifyError, DH_NOT_SUITABLE_GENERATOR); -assert.strictEqual(exmodp2.verifyError, DH_NOT_SUITABLE_GENERATOR); - - -// Ensure specific generator (string with encoding) works as expected. -const exmodp2_2 = crypto.createDiffieHellman(modp2buf, '02', 'hex'); -exmodp2_2.generateKeys(); -modp2Secret = modp2.computeSecret(exmodp2_2.getPublicKey()).toString('hex'); -const exmodp2_2Secret = exmodp2_2.computeSecret(modp2.getPublicKey()) - .toString('hex'); -assert.strictEqual(modp2Secret, exmodp2_2Secret); -assert.strictEqual(exmodp2_2.verifyError, DH_NOT_SUITABLE_GENERATOR); - - -// Ensure specific generator (string without encoding) works as expected. -const exmodp2_3 = crypto.createDiffieHellman(modp2buf, '\x02'); -exmodp2_3.generateKeys(); -modp2Secret = modp2.computeSecret(exmodp2_3.getPublicKey()).toString('hex'); -const exmodp2_3Secret = exmodp2_3.computeSecret(modp2.getPublicKey()) - .toString('hex'); -assert.strictEqual(modp2Secret, exmodp2_3Secret); -assert.strictEqual(exmodp2_3.verifyError, DH_NOT_SUITABLE_GENERATOR); - - -// Ensure specific generator (numeric) works as expected. -const exmodp2_4 = crypto.createDiffieHellman(modp2buf, 2); -exmodp2_4.generateKeys(); -modp2Secret = modp2.computeSecret(exmodp2_4.getPublicKey()).toString('hex'); -const exmodp2_4Secret = exmodp2_4.computeSecret(modp2.getPublicKey()) - .toString('hex'); -assert.strictEqual(modp2Secret, exmodp2_4Secret); -assert.strictEqual(exmodp2_4.verifyError, DH_NOT_SUITABLE_GENERATOR); - - -const p = 'FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74' + - '020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437' + - '4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED' + - 'EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF'; -const bad_dh = crypto.createDiffieHellman(p, 'hex'); -assert.strictEqual(bad_dh.verifyError, DH_NOT_SUITABLE_GENERATOR); - - -const availableCurves = new Set(crypto.getCurves()); - -// Oakley curves do not clean up ERR stack, it was causing unexpected failure -// when accessing other OpenSSL APIs afterwards. -if (availableCurves.has('Oakley-EC2N-3')) { - crypto.createECDH('Oakley-EC2N-3'); - crypto.createHash('sha256'); -} - -// Test ECDH -if (availableCurves.has('prime256v1') && availableCurves.has('secp256k1')) { - const ecdh1 = crypto.createECDH('prime256v1'); - const ecdh2 = crypto.createECDH('prime256v1'); - key1 = ecdh1.generateKeys(); - key2 = ecdh2.generateKeys('hex'); - secret1 = ecdh1.computeSecret(key2, 'hex', 'base64'); - secret2 = ecdh2.computeSecret(key1, 'latin1', 'buffer'); - - assert.strictEqual(secret1, secret2.toString('base64')); - - // Point formats - assert.strictEqual(ecdh1.getPublicKey('buffer', 'uncompressed')[0], 4); - let firstByte = ecdh1.getPublicKey('buffer', 'compressed')[0]; - assert(firstByte === 2 || firstByte === 3); - firstByte = ecdh1.getPublicKey('buffer', 'hybrid')[0]; - assert(firstByte === 6 || firstByte === 7); - // format value should be string - assert.throws(() => { - ecdh1.getPublicKey('buffer', 10); - }, /^TypeError: Bad format: 10$/); - - // ECDH should check that point is on curve - const ecdh3 = crypto.createECDH('secp256k1'); - const key3 = ecdh3.generateKeys(); - - assert.throws(() => { - ecdh2.computeSecret(key3, 'latin1', 'buffer'); - }, /^Error: Failed to translate Buffer to a EC_POINT$/); - - // ECDH should allow .setPrivateKey()/.setPublicKey() - const ecdh4 = crypto.createECDH('prime256v1'); - - ecdh4.setPrivateKey(ecdh1.getPrivateKey()); - ecdh4.setPublicKey(ecdh1.getPublicKey()); - - assert.throws(() => { - ecdh4.setPublicKey(ecdh3.getPublicKey()); - }, /^Error: Failed to convert Buffer to EC_POINT$/); - - // Verify that we can use ECDH without having to use newly generated keys. - const ecdh5 = crypto.createECDH('secp256k1'); - - // Verify errors are thrown when retrieving keys from an uninitialized object. - assert.throws(() => { - ecdh5.getPublicKey(); - }, /^Error: Failed to get ECDH public key$/); - - assert.throws(() => { - ecdh5.getPrivateKey(); - }, /^Error: Failed to get ECDH private key$/); - - // A valid private key for the secp256k1 curve. - const cafebabeKey = 'cafebabe'.repeat(8); - // Associated compressed and uncompressed public keys (points). - const cafebabePubPtComp = - '03672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3'; - const cafebabePubPtUnComp = - '04672a31bfc59d3f04548ec9b7daeeba2f61814e8ccc40448045007f5479f693a3' + - '2e02c7f93d13dc2732b760ca377a5897b9dd41a1c1b29dc0442fdce6d0a04d1d'; - ecdh5.setPrivateKey(cafebabeKey, 'hex'); - assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey); - // Show that the public point (key) is generated while setting the - // private key. - assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); - - // Compressed and uncompressed public points/keys for other party's - // private key. - // 0xDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEFDEADBEEF - const peerPubPtComp = - '02c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae'; - const peerPubPtUnComp = - '04c6b754b20826eb925e052ee2c25285b162b51fdca732bcf67e39d647fb6830ae' + - 'b651944a574a362082a77e3f2b5d9223eb54d7f2f76846522bf75f3bedb8178e'; - - const sharedSecret = - '1da220b5329bbe8bfd19ceef5a5898593f411a6f12ea40f2a8eead9a5cf59970'; - - assert.strictEqual(ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex'), - sharedSecret); - assert.strictEqual(ecdh5.computeSecret(peerPubPtUnComp, 'hex', 'hex'), - sharedSecret); - - // Verify that we still have the same key pair as before the computation. - assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey); - assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); - - // Verify setting and getting compressed and non-compressed serializations. - ecdh5.setPublicKey(cafebabePubPtComp, 'hex'); - assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); - assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'), - cafebabePubPtComp); - ecdh5.setPublicKey(cafebabePubPtUnComp, 'hex'); - assert.strictEqual(ecdh5.getPublicKey('hex'), cafebabePubPtUnComp); - assert.strictEqual(ecdh5.getPublicKey('hex', 'compressed'), - cafebabePubPtComp); - - // Show why allowing the public key to be set on this type - // does not make sense. - ecdh5.setPublicKey(peerPubPtComp, 'hex'); - assert.strictEqual(ecdh5.getPublicKey('hex'), peerPubPtUnComp); - assert.throws(() => { - // Error because the public key does not match the private key anymore. - ecdh5.computeSecret(peerPubPtComp, 'hex', 'hex'); - }, /^Error: Invalid key pair$/); - - // Set to a valid key to show that later attempts to set an invalid key are - // rejected. - ecdh5.setPrivateKey(cafebabeKey, 'hex'); - - // Some invalid private keys for the secp256k1 curve. - const errMessage = /^Error: Private key is not valid for specified curve.$/; - ['0000000000000000000000000000000000000000000000000000000000000000', - 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141', - 'FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF', - ].forEach((element) => { - assert.throws(() => { - ecdh5.setPrivateKey(element, 'hex'); - }, errMessage); - // Verify object state did not change. - assert.strictEqual(ecdh5.getPrivateKey('hex'), cafebabeKey); - }); - - // Use of invalid keys was not cleaning up ERR stack, and was causing - // unexpected failure in subsequent signing operations. - const ecdh6 = crypto.createECDH('prime256v1'); - const invalidKey = Buffer.alloc(65); - invalidKey.fill('\0'); - ecdh6.generateKeys(); - assert.throws(() => { - ecdh6.computeSecret(invalidKey); - }, /^Error: Failed to translate Buffer to a EC_POINT$/); - // Check that signing operations are not impacted by the above error. - const ecPrivateKey = - '-----BEGIN EC PRIVATE KEY-----\n' + - 'MHcCAQEEIF+jnWY1D5kbVYDNvxxo/Y+ku2uJPDwS0r/VuPZQrjjVoAoGCCqGSM49\n' + - 'AwEHoUQDQgAEurOxfSxmqIRYzJVagdZfMMSjRNNhB8i3mXyIMq704m2m52FdfKZ2\n' + - 'pQhByd5eyj3lgZ7m7jbchtdgyOF8Io/1ng==\n' + - '-----END EC PRIVATE KEY-----'; - assert.doesNotThrow(() => { - crypto.createSign('SHA256').sign(ecPrivateKey); - }); -} - -// invalid test: curve argument is undefined -assert.throws(() => { - crypto.createECDH(); -}, /^TypeError: "curve" argument should be a string$/); diff --git a/test/parallel/test-crypto-fips.js b/test/parallel/test-crypto-fips.js deleted file mode 100644 index e3f49e6..0000000 --- a/test/parallel/test-crypto-fips.js +++ /dev/null @@ -1,235 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const spawnSync = require('child_process').spawnSync; -const path = require('path'); - -const FIPS_ENABLED = 1; -const FIPS_DISABLED = 0; -const FIPS_ERROR_STRING = 'Error: Cannot set FIPS mode'; -const OPTION_ERROR_STRING = 'bad option'; -const CNF_FIPS_ON = path.join(common.fixturesDir, 'openssl_fips_enabled.cnf'); -const CNF_FIPS_OFF = path.join(common.fixturesDir, 'openssl_fips_disabled.cnf'); -let num_children_ok = 0; - -function compiledWithFips() { - return process.config.variables.openssl_fips ? true : false; -} - -function sharedOpenSSL() { - return process.config.variables.node_shared_openssl; -} - -function addToEnv(newVar, value) { - const envCopy = {}; - for (const e in process.env) { - envCopy[e] = process.env[e]; - } - envCopy[newVar] = value; - return envCopy; -} - -function testHelper(stream, args, expectedOutput, cmd, env) { - const fullArgs = args.concat(['-e', `console.log(${cmd})`]); - const child = spawnSync(process.execPath, fullArgs, { - cwd: path.dirname(process.execPath), - env: env - }); - - console.error( - `Spawned child [pid:${child.pid}] with cmd '${cmd}' expect %j with args '${ - args}' OPENSSL_CONF=%j`, expectedOutput, env.OPENSSL_CONF); - - function childOk(child) { - console.error(`Child #${++num_children_ok} [pid:${child.pid}] OK.`); - } - - function responseHandler(buffer, expectedOutput) { - const response = buffer.toString(); - assert.notStrictEqual(0, response.length); - if (FIPS_ENABLED !== expectedOutput && FIPS_DISABLED !== expectedOutput) { - // In the case of expected errors just look for a substring. - assert.notStrictEqual(-1, response.indexOf(expectedOutput)); - } else { - // Normal path where we expect either FIPS enabled or disabled. - assert.strictEqual(expectedOutput, Number(response)); - } - childOk(child); - } - - responseHandler(child[stream], expectedOutput); -} - -// By default FIPS should be off in both FIPS and non-FIPS builds. -testHelper( - 'stdout', - [], - FIPS_DISABLED, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', '')); - -// --enable-fips should turn FIPS mode on -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--enable-fips'], - compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, - 'require("crypto").fips', - process.env); - -//--force-fips should turn FIPS mode on -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--force-fips'], - compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, - 'require("crypto").fips', - process.env); - -// If Node was configured using --shared-openssl fips support might be -// available depending on how OpenSSL was built. If fips support is -// available the tests that toggle the fips_mode on/off using the config -// file option will succeed and return 1 instead of 0. -// -// Note that this case is different from when calling the fips setter as the -// configuration file is handled by OpenSSL, so it is not possible for us -// to try to call the fips setter, to try to detect this situation, as -// that would throw an error: -// ("Error: Cannot set FIPS mode in a non-FIPS build."). -// Due to this uncertanty the following tests are skipped when configured -// with --shared-openssl. -if (!sharedOpenSSL()) { - // OpenSSL config file should be able to turn on FIPS mode - testHelper( - 'stdout', - [`--openssl-config=${CNF_FIPS_ON}`], - compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, - 'require("crypto").fips', - process.env); - - // OPENSSL_CONF should be able to turn on FIPS mode - testHelper( - 'stdout', - [], - compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_ON)); - - // --openssl-config option should override OPENSSL_CONF - testHelper( - 'stdout', - [`--openssl-config=${CNF_FIPS_ON}`], - compiledWithFips() ? FIPS_ENABLED : FIPS_DISABLED, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); -} - -testHelper( - 'stdout', - [`--openssl-config=${CNF_FIPS_OFF}`], - FIPS_DISABLED, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_ON)); - -// --enable-fips should take precedence over OpenSSL config file -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--enable-fips', `--openssl-config=${CNF_FIPS_OFF}`], - compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, - 'require("crypto").fips', - process.env); - -// OPENSSL_CONF should _not_ make a difference to --enable-fips -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--enable-fips'], - compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); - -// --force-fips should take precedence over OpenSSL config file -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--force-fips', `--openssl-config=${CNF_FIPS_OFF}`], - compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, - 'require("crypto").fips', - process.env); - -// Using OPENSSL_CONF should not make a difference to --force-fips -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--force-fips'], - compiledWithFips() ? FIPS_ENABLED : OPTION_ERROR_STRING, - 'require("crypto").fips', - addToEnv('OPENSSL_CONF', CNF_FIPS_OFF)); - -// setFipsCrypto should be able to turn FIPS mode on -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - [], - compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING, - '(require("crypto").fips = true,' + - 'require("crypto").fips)', - process.env); - -// setFipsCrypto should be able to turn FIPS mode on and off -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - [], - compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING, - '(require("crypto").fips = true,' + - 'require("crypto").fips = false,' + - 'require("crypto").fips)', - process.env); - -// setFipsCrypto takes precedence over OpenSSL config file, FIPS on -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - [`--openssl-config=${CNF_FIPS_OFF}`], - compiledWithFips() ? FIPS_ENABLED : FIPS_ERROR_STRING, - '(require("crypto").fips = true,' + - 'require("crypto").fips)', - process.env); - -// setFipsCrypto takes precedence over OpenSSL config file, FIPS off -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - [`--openssl-config=${CNF_FIPS_ON}`], - compiledWithFips() ? FIPS_DISABLED : FIPS_ERROR_STRING, - '(require("crypto").fips = false,' + - 'require("crypto").fips)', - process.env); - -// --enable-fips does not prevent use of setFipsCrypto API -testHelper( - compiledWithFips() ? 'stdout' : 'stderr', - ['--enable-fips'], - compiledWithFips() ? FIPS_DISABLED : OPTION_ERROR_STRING, - '(require("crypto").fips = false,' + - 'require("crypto").fips)', - process.env); - -// --force-fips prevents use of setFipsCrypto API -testHelper( - 'stderr', - ['--force-fips'], - compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING, - 'require("crypto").fips = false', - process.env); - -// --force-fips and --enable-fips order does not matter -testHelper( - 'stderr', - ['--force-fips', '--enable-fips'], - compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING, - 'require("crypto").fips = false', - process.env); - -//--enable-fips and --force-fips order does not matter -testHelper( - 'stderr', - ['--enable-fips', '--force-fips'], - compiledWithFips() ? FIPS_ERROR_STRING : OPTION_ERROR_STRING, - 'require("crypto").fips = false', - process.env); diff --git a/test/parallel/test-tls-0-dns-altname.js b/test/parallel/test-tls-0-dns-altname.js deleted file mode 100644 index 85ddb7d..0000000 --- a/test/parallel/test-tls-0-dns-altname.js +++ /dev/null @@ -1,33 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -// Check getPeerCertificate can properly handle '\0' for fix CVE-2009-2408. - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/0-dns/0-dns-cert.pem`) -}, function(c) { - c.once('data', function() { - c.destroy(); - server.close(); - }); -}).listen(0, common.mustCall(function() { - const c = tls.connect(this.address().port, { - rejectUnauthorized: false - }, common.mustCall(function() { - const cert = c.getPeerCertificate(); - assert.strictEqual(cert.subjectaltname, - 'DNS:good.example.org\0.evil.example.com, ' + - 'DNS:just-another.example.com, ' + - 'IP Address:8.8.8.8, ' + - 'IP Address:8.8.4.4, ' + - 'DNS:last.example.com'); - c.write('ok'); - })); -})); diff --git a/test/parallel/test-tls-addca.js b/test/parallel/test-tls-addca.js deleted file mode 100644 index 7a6f9a7..0000000 --- a/test/parallel/test-tls-addca.js +++ /dev/null @@ -1,50 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Adding a CA certificate to contextWithCert should not also add it to -// contextWithoutCert. This is tested by trying to connect to a server that -// depends on that CA using contextWithoutCert. - -const join = require('path').join; -const { - assert, connect, keys, tls -} = require(join(common.fixturesDir, 'tls-connect'))(); - -const contextWithoutCert = tls.createSecureContext({}); -const contextWithCert = tls.createSecureContext({}); -contextWithCert.context.addCACert(keys.agent1.ca); - -const serverOptions = { - key: keys.agent1.key, - cert: keys.agent1.cert, -}; - -const clientOptions = { - ca: [keys.agent1.ca], - servername: 'agent1', - rejectUnauthorized: true, -}; - -// This client should fail to connect because it doesn't trust the CA -// certificate. -clientOptions.secureContext = contextWithoutCert; - -connect({ - client: clientOptions, - server: serverOptions, -}, function(err, pair, cleanup) { - assert(err); - assert.strictEqual(err.message, 'unable to verify the first certificate'); - cleanup(); - - // This time it should connect because contextWithCert includes the needed CA - // certificate. - clientOptions.secureContext = contextWithCert; - connect({ - client: clientOptions, - server: serverOptions, - }, function(err, pair, cleanup) { - assert.ifError(err); - cleanup(); - }); -}); diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js deleted file mode 100644 index 0b34472..0000000 --- a/test/parallel/test-tls-alert-handling.js +++ /dev/null @@ -1,78 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('node compiled without OpenSSL CLI.'); - -const fs = require('fs'); -const net = require('net'); -const path = require('path'); -const tls = require('tls'); - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const opts = { - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert') -}; -const max_iter = 20; -let iter = 0; - -const server = tls.createServer(opts, function(s) { - s.pipe(s); - s.on('error', function() { - // ignore error - }); -}); - -server.listen(0, function() { - sendClient(); -}); - - -function sendClient() { - const client = tls.connect(server.address().port, { - rejectUnauthorized: false - }); - client.on('data', common.mustCall(function() { - if (iter++ === 2) sendBADTLSRecord(); - if (iter < max_iter) { - client.write('a'); - return; - } - client.end(); - server.close(); - }, max_iter)); - client.write('a'); - client.on('error', function() { - // ignore error - }); - client.on('close', function() { - server.close(); - }); -} - - -function sendBADTLSRecord() { - const BAD_RECORD = Buffer.from([0xff, 0xff, 0xff, 0xff, 0xff, 0xff]); - const socket = net.connect(server.address().port); - const client = tls.connect({ - socket: socket, - rejectUnauthorized: false - }, function() { - socket.write(BAD_RECORD); - socket.end(); - }); - client.on('error', function() { - // ignore error - }); -} diff --git a/test/parallel/test-tls-alert.js b/test/parallel/test-tls-alert.js deleted file mode 100644 index a48002d..0000000 --- a/test/parallel/test-tls-alert.js +++ /dev/null @@ -1,50 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('node compiled without OpenSSL CLI.'); - -const assert = require('assert'); -const { spawn } = require('child_process'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -let success = false; - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const server = tls.Server({ - secureProtocol: 'TLSv1_2_server_method', - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert') -}, null).listen(0, function() { - const args = ['s_client', '-quiet', '-tls1_1', - '-connect', `127.0.0.1:${this.address().port}`]; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - args.push('-no_rand_screen'); - - const client = spawn(common.opensslCli, args); - let out = ''; - client.stderr.setEncoding('utf8'); - client.stderr.on('data', function(d) { - out += d; - if (/SSL alert number 70/.test(out)) { - success = true; - server.close(); - } - }); -}); -process.on('exit', function() { - assert(success); -}); diff --git a/test/parallel/test-tls-alpn-server-client.js b/test/parallel/test-tls-alpn-server-client.js deleted file mode 100644 index 56f925b..0000000 --- a/test/parallel/test-tls-alpn-server-client.js +++ /dev/null @@ -1,538 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!process.features.tls_alpn || !process.features.tls_npn) { - common.skip( - 'Skipping because node compiled without NPN or ALPN feature of OpenSSL.'); -} - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const serverIP = common.localhostIPv4; - -function checkResults(result, expected) { - assert.strictEqual(result.server.ALPN, expected.server.ALPN); - assert.strictEqual(result.server.NPN, expected.server.NPN); - assert.strictEqual(result.client.ALPN, expected.client.ALPN); - assert.strictEqual(result.client.NPN, expected.client.NPN); -} - -function runTest(clientsOptions, serverOptions, cb) { - serverOptions.key = loadPEM('agent2-key'); - serverOptions.cert = loadPEM('agent2-cert'); - const results = []; - let index = 0; - const server = tls.createServer(serverOptions, function(c) { - results[index].server = {ALPN: c.alpnProtocol, NPN: c.npnProtocol}; - }); - - server.listen(0, serverIP, function() { - connectClient(clientsOptions); - }); - - function connectClient(options) { - const opt = options.shift(); - opt.port = server.address().port; - opt.host = serverIP; - opt.rejectUnauthorized = false; - - results[index] = {}; - const client = tls.connect(opt, function() { - results[index].client = {ALPN: client.alpnProtocol, - NPN: client.npnProtocol}; - client.destroy(); - if (options.length) { - index++; - connectClient(options); - } else { - server.close(); - cb(results); - } - }); - } - -} - -// Server: ALPN/NPN, Client: ALPN/NPN -function Test1() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - ALPNProtocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'], - NPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by ALPN - checkResults(results[0], - {server: {ALPN: 'a', NPN: false}, - client: {ALPN: 'a', NPN: undefined}}); - // 'b' is selected by ALPN - checkResults(results[1], - {server: {ALPN: 'b', NPN: false}, - client: {ALPN: 'b', NPN: undefined}}); - // nothing is selected by ALPN - checkResults(results[2], - {server: {ALPN: false, NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test2(); - }); -} - -// Server: ALPN/NPN, Client: ALPN -function Test2() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - ALPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by ALPN - checkResults(results[0], - {server: {ALPN: 'a', NPN: false}, - client: {ALPN: 'a', NPN: undefined}}); - // 'b' is selected by ALPN - checkResults(results[1], - {server: {ALPN: 'b', NPN: false}, - client: {ALPN: 'b', NPN: undefined}}); - // nothing is selected by ALPN - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test3(); - }); -} - -// Server: ALPN/NPN, Client: NPN -function Test3() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - NPNProtocols: ['a', 'b', 'c'] - }, { - NPPNProtocols: ['c', 'b', 'e'] - }, { - NPPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by NPN - checkResults(results[0], - {server: {ALPN: false, NPN: 'a'}, - client: {ALPN: false, NPN: 'a'}}); - // nothing is selected by ALPN - checkResults(results[1], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test4(); - }); -} - -// Server: ALPN/NPN, Client: Nothing -function Test4() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{}, {}, {}]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected by ALPN - checkResults(results[0], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[1], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test5(); - }); -} - -// Server: ALPN, Client: ALPN/NPN -function Test5() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - ALPNProtocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'], - NPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by ALPN - checkResults(results[0], {server: {ALPN: 'a', NPN: false}, - client: {ALPN: 'a', NPN: undefined}}); - // 'b' is selected by ALPN - checkResults(results[1], {server: {ALPN: 'b', NPN: false}, - client: {ALPN: 'b', NPN: undefined}}); - // nothing is selected by ALPN - checkResults(results[2], {server: {ALPN: false, - NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test6(); - }); -} - -// Server: ALPN, Client: ALPN -function Test6() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - ALPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by ALPN - checkResults(results[0], {server: {ALPN: 'a', NPN: false}, - client: {ALPN: 'a', NPN: undefined}}); - // 'b' is selected by ALPN - checkResults(results[1], {server: {ALPN: 'b', NPN: false}, - client: {ALPN: 'b', NPN: undefined}}); - // nothing is selected by ALPN - checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test7(); - }); -} - -// Server: ALPN, Client: NPN -function Test7() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - NPNProtocols: ['a', 'b', 'c'] - }, { - NPNProtocols: ['c', 'b', 'e'] - }, { - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected by ALPN - checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[1], {server: {ALPN: false, NPN: 'c'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[2], - {server: {ALPN: false, NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test8(); - }); -} - -// Server: ALPN, Client: Nothing -function Test8() { - const serverOptions = { - ALPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{}, {}, {}]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected by ALPN - checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected by ALPN - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test9(); - }); -} - -// Server: NPN, Client: ALPN/NPN -function Test9() { - const serverOptions = { - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - ALPNrotocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'], - NPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by NPN - checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, - client: {ALPN: false, NPN: 'a'}}); - // 'b' is selected by NPN - checkResults(results[1], {server: {ALPN: false, NPN: 'b'}, - client: {ALPN: false, NPN: 'b'}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test10(); - }); -} - -// Server: NPN, Client: ALPN -function Test10() { - const serverOptions = { - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - ALPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected - checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[2], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test11(); - }); -} - -// Server: NPN, Client: NPN -function Test11() { - const serverOptions = { - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{ - NPNProtocols: ['a', 'b', 'c'] - }, { - NPNProtocols: ['c', 'b', 'e'] - }, { - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // 'a' is selected by NPN - checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, - client: {ALPN: false, NPN: 'a'}}); - // 'b' is selected by NPN - checkResults(results[1], {server: {ALPN: false, NPN: 'b'}, - client: {ALPN: false, NPN: 'b'}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test12(); - }); -} - -// Server: NPN, Client: Nothing -function Test12() { - const serverOptions = { - NPNProtocols: ['a', 'b', 'c'] - }; - - const clientsOptions = [{}, {}, {}]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected - checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test13(); - }); -} - -// Server: Nothing, Client: ALPN/NPN -function Test13() { - const serverOptions = {}; - - const clientsOptions = [{ - ALPNrotocols: ['a', 'b', 'c'], - NPNProtocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'], - NPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'], - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected - checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[1], {server: {ALPN: false, NPN: 'c'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test14(); - }); -} - -// Server: Nothing, Client: ALPN -function Test14() { - const serverOptions = {}; - - const clientsOptions = [{ - ALPNrotocols: ['a', 'b', 'c'] - }, { - ALPNProtocols: ['c', 'b', 'e'] - }, { - ALPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected - checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test15(); - }); -} - -// Server: Nothing, Client: NPN -function Test15() { - const serverOptions = {}; - - const clientsOptions = [{ - NPNProtocols: ['a', 'b', 'c'] - }, { - NPNProtocols: ['c', 'b', 'e'] - }, { - NPNProtocols: ['first-priority-unsupported', 'x', 'y'] - }]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected - checkResults(results[0], {server: {ALPN: false, NPN: 'a'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[1], {server: {ALPN: false, NPN: 'c'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'first-priority-unsupported'}, - client: {ALPN: false, NPN: false}}); - // execute next test - Test16(); - }); -} - -// Server: Nothing, Client: Nothing -function Test16() { - const serverOptions = {}; - - const clientsOptions = [{}, {}, {}]; - - runTest(clientsOptions, serverOptions, function(results) { - // nothing is selected - checkResults(results[0], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[1], {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - // nothing is selected - checkResults(results[2], - {server: {ALPN: false, NPN: 'http/1.1'}, - client: {ALPN: false, NPN: false}}); - }); -} - -Test1(); diff --git a/test/parallel/test-tls-async-cb-after-socket-end.js b/test/parallel/test-tls-async-cb-after-socket-end.js deleted file mode 100644 index a49b44d..0000000 --- a/test/parallel/test-tls-async-cb-after-socket-end.js +++ /dev/null @@ -1,70 +0,0 @@ -'use strict'; - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const path = require('path'); -const fs = require('fs'); -const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET; - -const tls = require('tls'); - -const options = { - secureOptions: SSL_OP_NO_TICKET, - key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), - cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) -}; - -const server = tls.createServer(options, function(c) { -}); - -let sessionCb = null; -let client = null; - -server.on('newSession', function(key, session, done) { - done(); -}); - -server.on('resumeSession', function(id, cb) { - sessionCb = cb; - - next(); -}); - -server.listen(0, function() { - const clientOpts = { - port: this.address().port, - rejectUnauthorized: false, - session: false - }; - - const s1 = tls.connect(clientOpts, function() { - clientOpts.session = s1.getSession(); - console.log('1st secure'); - - s1.destroy(); - const s2 = tls.connect(clientOpts, function(s) { - console.log('2nd secure'); - - s2.destroy(); - }).on('connect', function() { - console.log('2nd connected'); - client = s2; - - next(); - }); - }); -}); - -function next() { - if (!client || !sessionCb) - return; - - client.destroy(); - setTimeout(function() { - sessionCb(); - server.close(); - }, 100); -} diff --git a/test/parallel/test-tls-basic-validations.js b/test/parallel/test-tls-basic-validations.js deleted file mode 100644 index d6c20ea..0000000 --- a/test/parallel/test-tls-basic-validations.js +++ /dev/null @@ -1,53 +0,0 @@ -'use strict'; - -require('../common'); -const assert = require('assert'); -const tls = require('tls'); - -assert.throws(() => tls.createSecureContext({ciphers: 1}), - /TypeError: Ciphers must be a string/); - -assert.throws(() => tls.createServer({ciphers: 1}), - /TypeError: Ciphers must be a string/); - -assert.throws(() => tls.createSecureContext({key: 'dummykey', passphrase: 1}), - /TypeError: Pass phrase must be a string/); - -assert.throws(() => tls.createServer({key: 'dummykey', passphrase: 1}), - /TypeError: Pass phrase must be a string/); - -assert.throws(() => tls.createServer({ecdhCurve: 1}), - /TypeError: ECDH curve name must be a string/); - -assert.throws(() => tls.createServer({handshakeTimeout: 'abcd'}), - /TypeError: handshakeTimeout must be a number/); - -assert.throws(() => tls.createServer({sessionTimeout: 'abcd'}), - /TypeError: Session timeout must be a 32-bit integer/); - -assert.throws(() => tls.createServer({ticketKeys: 'abcd'}), - /TypeError: Ticket keys must be a buffer/); - -assert.throws(() => tls.createServer({ticketKeys: Buffer.alloc(0)}), - /TypeError: Ticket keys length must be 48 bytes/); - -assert.throws(() => tls.createSecurePair({}), - /Error: First argument must be a tls module SecureContext/); - -{ - const buffer = Buffer.from('abcd'); - const out = {}; - tls.convertALPNProtocols(buffer, out); - out.ALPNProtocols.write('efgh'); - assert(buffer.equals(Buffer.from('abcd'))); - assert(out.ALPNProtocols.equals(Buffer.from('efgh'))); -} - -{ - const buffer = Buffer.from('abcd'); - const out = {}; - tls.convertNPNProtocols(buffer, out); - out.NPNProtocols.write('efgh'); - assert(buffer.equals(Buffer.from('abcd'))); - assert(out.NPNProtocols.equals(Buffer.from('efgh'))); -} diff --git a/test/parallel/test-tls-ca-concat.js b/test/parallel/test-tls-ca-concat.js deleted file mode 100644 index 8fa83a4..0000000 --- a/test/parallel/test-tls-ca-concat.js +++ /dev/null @@ -1,24 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Check ca option can contain concatenated certs by prepending an unrelated -// non-CA cert and showing that agent6's CA root is still found. - -const join = require('path').join; -const { - assert, connect, keys -} = require(join(common.fixturesDir, 'tls-connect'))(); - -connect({ - client: { - checkServerIdentity: (servername, cert) => { }, - ca: `${keys.agent1.cert}\n${keys.agent6.ca}`, - }, - server: { - cert: keys.agent6.cert, - key: keys.agent6.key, - }, -}, function(err, pair, cleanup) { - assert.ifError(err); - return cleanup(); -}); diff --git a/test/parallel/test-tls-cert-chains-concat.js b/test/parallel/test-tls-cert-chains-concat.js deleted file mode 100644 index d53edef..0000000 --- a/test/parallel/test-tls-cert-chains-concat.js +++ /dev/null @@ -1,50 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Check cert chain is received by client, and is completed with the ca cert -// known to the client. - -const join = require('path').join; -const { - assert, connect, debug, keys -} = require(join(common.fixturesDir, 'tls-connect'))(); - -// agent6-cert.pem includes cert for agent6 and ca3 -connect({ - client: { - checkServerIdentity: (servername, cert) => { }, - ca: keys.agent6.ca, - }, - server: { - cert: keys.agent6.cert, - key: keys.agent6.key, - }, -}, function(err, pair, cleanup) { - assert.ifError(err); - - const peer = pair.client.conn.getPeerCertificate(); - debug('peer:\n', peer); - assert.strictEqual(peer.subject.emailAddress, 'adam.lippai@tresorit.com'); - assert.strictEqual(peer.subject.CN, 'Ádám Lippai'), - assert.strictEqual(peer.issuer.CN, 'ca3'); - assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC'); - - const next = pair.client.conn.getPeerCertificate(true).issuerCertificate; - const root = next.issuerCertificate; - delete next.issuerCertificate; - debug('next:\n', next); - assert.strictEqual(next.subject.CN, 'ca3'); - assert.strictEqual(next.issuer.CN, 'ca1'); - assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF'); - - debug('root:\n', root); - assert.strictEqual(root.subject.CN, 'ca1'); - assert.strictEqual(root.issuer.CN, 'ca1'); - assert.strictEqual(root.serialNumber, '8DF21C01468AF393'); - - // No client cert, so empty object returned. - assert.deepStrictEqual(pair.server.conn.getPeerCertificate(), {}); - assert.deepStrictEqual(pair.server.conn.getPeerCertificate(true), {}); - - return cleanup(); -}); diff --git a/test/parallel/test-tls-cert-chains-in-ca.js b/test/parallel/test-tls-cert-chains-in-ca.js deleted file mode 100644 index 69f62c3..0000000 --- a/test/parallel/test-tls-cert-chains-in-ca.js +++ /dev/null @@ -1,46 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Check cert chain is received by client, and is completed with the ca cert -// known to the client. - -const join = require('path').join; -const { - assert, connect, debug, keys -} = require(join(common.fixturesDir, 'tls-connect'))(); - - -// agent6-cert.pem includes cert for agent6 and ca3, split it apart and -// provide ca3 in the .ca property. -const agent6Chain = keys.agent6.cert.split('-----END CERTIFICATE-----') - .map((c) => { return c + '-----END CERTIFICATE-----'; }); -const agent6End = agent6Chain[0]; -const agent6Middle = agent6Chain[1]; -connect({ - client: { - checkServerIdentity: (servername, cert) => { }, - ca: keys.agent6.ca, - }, - server: { - cert: agent6End, - key: keys.agent6.key, - ca: agent6Middle, - }, -}, function(err, pair, cleanup) { - assert.ifError(err); - - const peer = pair.client.conn.getPeerCertificate(); - debug('peer:\n', peer); - assert.strictEqual(peer.serialNumber, 'C4CD893EF9A75DCC'); - - const next = pair.client.conn.getPeerCertificate(true).issuerCertificate; - const root = next.issuerCertificate; - delete next.issuerCertificate; - debug('next:\n', next); - assert.strictEqual(next.serialNumber, '9A84ABCFB8A72ABF'); - - debug('root:\n', root); - assert.strictEqual(root.serialNumber, '8DF21C01468AF393'); - - return cleanup(); -}); diff --git a/test/parallel/test-tls-cert-regression.js b/test/parallel/test-tls-cert-regression.js deleted file mode 100644 index 20cfff5..0000000 --- a/test/parallel/test-tls-cert-regression.js +++ /dev/null @@ -1,45 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - - -const cert = -`-----BEGIN CERTIFICATE----- -MIIBfjCCASgCCQDmmNjAojbDQjANBgkqhkiG9w0BAQUFADBFMQswCQYDVQQGEwJB -VTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0 -cyBQdHkgTHRkMCAXDTE0MDExNjE3NTMxM1oYDzIyODcxMDMxMTc1MzEzWjBFMQsw -CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu -ZXQgV2lkZ2l0cyBQdHkgTHRkMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAPKwlfMX -6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+wsU1O9FzRIVmpeIjDXhbp -Mjsa1HtzSiccPXsCAwEAATANBgkqhkiG9w0BAQUFAANBAHOoKy0NkyfiYH7Ne5ka -uvCyndyeB4d24FlfqEUlkfaWCZlNKRaV9YhLDiEg3BcIreFo4brtKQfZzTRs0GVm -KHg= ------END CERTIFICATE-----`; - -const key = -`-----BEGIN RSA PRIVATE KEY----- -MIIBPQIBAAJBAPKwlfMX6HGZIt1xm7fna72eWcOYfUfSxSugghvqYgJt2Oi3lH+w -sU1O9FzRIVmpeIjDXhbpMjsa1HtzSiccPXsCAwEAAQJBAM4uU9aJE0OfdE1p/X+K -LrCT3XMdFCJ24GgmHyOURtwDy18upQJecDVdcZp16fjtOPmaW95GoYRyifB3R4I5 -RxECIQD7jRM9slCSVV8xp9kOJQNpHjhRQYVGBn+pyllS2sb+RQIhAPb7Y+BIccri -NWnuhwCW8hA7Fkj/kaBdAwyW7L3Tvui/AiEAiqLCovMecre4Yi6GcsQ1b/6mvSmm -IOS+AT6zIfXPTB0CIQCJKGR3ymN/Qw5crL1GQ41cHCQtF9ickOq/lBUW+j976wIh -AOaJnkQrmurlRdePX6LvN/LgGAQoxwovfjcOYNnZsIVY ------END RSA PRIVATE KEY-----`; - -function test(cert, key, cb) { - const server = tls.createServer({ - cert: cert, - key: key - }).listen(0, function() { - server.close(cb); - }); -} - -test(cert, key, common.mustCall(function() { - test(Buffer.from(cert), Buffer.from(key), common.mustCall()); -})); diff --git a/test/parallel/test-tls-check-server-identity.js b/test/parallel/test-tls-check-server-identity.js deleted file mode 100644 index 0cc55d6..0000000 --- a/test/parallel/test-tls-check-server-identity.js +++ /dev/null @@ -1,260 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const util = require('util'); - -const tls = require('tls'); - -const tests = [ - // False-y values. - { - host: false, - cert: { subject: { CN: 'a.com' } }, - error: 'Host: false. is not cert\'s CN: a.com' - }, - { - host: null, - cert: { subject: { CN: 'a.com' } }, - error: 'Host: null. is not cert\'s CN: a.com' - }, - { - host: undefined, - cert: { subject: { CN: 'a.com' } }, - error: 'Host: undefined. is not cert\'s CN: a.com' - }, - - // Basic CN handling - { host: 'a.com', cert: { subject: { CN: 'a.com' } } }, - { host: 'a.com', cert: { subject: { CN: 'A.COM' } } }, - { - host: 'a.com', - cert: { subject: { CN: 'b.com' } }, - error: 'Host: a.com. is not cert\'s CN: b.com' - }, - { host: 'a.com', cert: { subject: { CN: 'a.com.' } } }, - { - host: 'a.com', - cert: { subject: { CN: '.a.com' } }, - error: 'Host: a.com. is not cert\'s CN: .a.com' - }, - - // Wildcards in CN - { host: 'b.a.com', cert: { subject: { CN: '*.a.com' } } }, - { - host: 'ba.com', - cert: { subject: { CN: '*.a.com' } }, - error: 'Host: ba.com. is not cert\'s CN: *.a.com' - }, - { - host: '\n.b.com', - cert: { subject: { CN: '*n.b.com' } }, - error: 'Host: \n.b.com. is not cert\'s CN: *n.b.com' - }, - { host: 'b.a.com', cert: { - subjectaltname: 'DNS:omg.com', - subject: { CN: '*.a.com' } }, - error: 'Host: b.a.com. is not in the cert\'s altnames: ' + - 'DNS:omg.com' - }, - { - host: 'b.a.com', - cert: { subject: { CN: 'b*b.a.com' } }, - error: 'Host: b.a.com. is not cert\'s CN: b*b.a.com' - }, - - // Empty Cert - { - host: 'a.com', - cert: { }, - error: 'Cert is empty' - }, - - // Multiple CN fields - { - host: 'foo.com', cert: { - subject: { CN: ['foo.com', 'bar.com'] } // CN=foo.com; CN=bar.com; - } - }, - - // DNS names and CN - { - host: 'a.com', cert: { - subjectaltname: 'DNS:*', - subject: { CN: 'b.com' } - }, - error: 'Host: a.com. is not in the cert\'s altnames: ' + - 'DNS:*' - }, - { - host: 'a.com', cert: { - subjectaltname: 'DNS:*.com', - subject: { CN: 'b.com' } - }, - error: 'Host: a.com. is not in the cert\'s altnames: ' + - 'DNS:*.com' - }, - { - host: 'a.co.uk', cert: { - subjectaltname: 'DNS:*.co.uk', - subject: { CN: 'b.com' } - } - }, - { - host: 'a.com', cert: { - subjectaltname: 'DNS:*.a.com', - subject: { CN: 'a.com' } - }, - error: 'Host: a.com. is not in the cert\'s altnames: ' + - 'DNS:*.a.com' - }, - { - host: 'a.com', cert: { - subjectaltname: 'DNS:*.a.com', - subject: { CN: 'b.com' } - }, - error: 'Host: a.com. is not in the cert\'s altnames: ' + - 'DNS:*.a.com' - }, - { - host: 'a.com', cert: { - subjectaltname: 'DNS:a.com', - subject: { CN: 'b.com' } - } - }, - { - host: 'a.com', cert: { - subjectaltname: 'DNS:A.COM', - subject: { CN: 'b.com' } - } - }, - - // DNS names - { - host: 'a.com', cert: { - subjectaltname: 'DNS:*.a.com', - subject: {} - }, - error: 'Host: a.com. is not in the cert\'s altnames: ' + - 'DNS:*.a.com' - }, - { - host: 'b.a.com', cert: { - subjectaltname: 'DNS:*.a.com', - subject: {} - } - }, - { - host: 'c.b.a.com', cert: { - subjectaltname: 'DNS:*.a.com', - subject: {} - }, - error: 'Host: c.b.a.com. is not in the cert\'s altnames: ' + - 'DNS:*.a.com' - }, - { - host: 'b.a.com', cert: { - subjectaltname: 'DNS:*b.a.com', - subject: {} - } - }, - { - host: 'a-cb.a.com', cert: { - subjectaltname: 'DNS:*b.a.com', - subject: {} - } - }, - { - host: 'a.b.a.com', cert: { - subjectaltname: 'DNS:*b.a.com', - subject: {} - }, - error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' + - 'DNS:*b.a.com' - }, - // Mutliple DNS names - { - host: 'a.b.a.com', cert: { - subjectaltname: 'DNS:*b.a.com, DNS:a.b.a.com', - subject: {} - } - }, - // URI names - { - host: 'a.b.a.com', cert: { - subjectaltname: 'URI:http://a.b.a.com/', - subject: {} - } - }, - { - host: 'a.b.a.com', cert: { - subjectaltname: 'URI:http://*.b.a.com/', - subject: {} - }, - error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' + - 'URI:http://*.b.a.com/' - }, - // IP addresses - { - host: 'a.b.a.com', cert: { - subjectaltname: 'IP Address:127.0.0.1', - subject: {} - }, - error: 'Host: a.b.a.com. is not in the cert\'s altnames: ' + - 'IP Address:127.0.0.1' - }, - { - host: '127.0.0.1', cert: { - subjectaltname: 'IP Address:127.0.0.1', - subject: {} - } - }, - { - host: '127.0.0.2', cert: { - subjectaltname: 'IP Address:127.0.0.1', - subject: {} - }, - error: 'IP: 127.0.0.2 is not in the cert\'s list: ' + - '127.0.0.1' - }, - { - host: '127.0.0.1', cert: { - subjectaltname: 'DNS:a.com', - subject: {} - }, - error: 'IP: 127.0.0.1 is not in the cert\'s list: ' - }, - { - host: 'localhost', cert: { - subjectaltname: 'DNS:a.com', - subject: { CN: 'localhost' } - }, - error: 'Host: localhost. is not in the cert\'s altnames: ' + - 'DNS:a.com' - }, - // IDNA - { - host: 'xn--bcher-kva.example.com', - cert: { subject: { CN: '*.example.com' } }, - }, - // RFC 6125, section 6.4.3: "[...] the client SHOULD NOT attempt to match - // a presented identifier where the wildcard character is embedded within - // an A-label [...]" - { - host: 'xn--bcher-kva.example.com', - cert: { subject: { CN: 'xn--*.example.com' } }, - error: 'Host: xn--bcher-kva.example.com. is not cert\'s CN: ' + - 'xn--*.example.com', - }, -]; - -tests.forEach(function(test, i) { - const err = tls.checkServerIdentity(test.host, test.cert); - assert.strictEqual(err && err.reason, - test.error, - `Test# ${i} failed: ${util.inspect(test)} \n` + - `${test.error} != ${(err && err.reason)}`); -}); diff --git a/test/parallel/test-tls-cipher-list.js b/test/parallel/test-tls-cipher-list.js deleted file mode 100644 index 4a39ee9..0000000 --- a/test/parallel/test-tls-cipher-list.js +++ /dev/null @@ -1,30 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const spawn = require('child_process').spawn; -const defaultCoreList = require('crypto').constants.defaultCoreCipherList; - -function doCheck(arg, check) { - let out = ''; - arg = arg.concat([ - '-pe', - 'require("crypto").constants.defaultCipherList' - ]); - spawn(process.execPath, arg, {}) - .on('error', common.mustNotCall()) - .stdout.on('data', function(chunk) { - out += chunk; - }).on('end', function() { - assert.strictEqual(out.trim(), check); - }).on('error', common.mustNotCall()); -} - -// test the default unmodified version -doCheck([], defaultCoreList); - -// test the command line switch by itself -doCheck(['--tls-cipher-list=ABC'], 'ABC'); diff --git a/test/parallel/test-tls-client-abort.js b/test/parallel/test-tls-client-abort.js deleted file mode 100644 index 4216e34..0000000 --- a/test/parallel/test-tls-client-abort.js +++ /dev/null @@ -1,19 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const path = require('path'); - -const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); -const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); - -const conn = tls.connect({cert, key, port: 0}, common.mustNotCall()); -conn.on('error', function() { -}); -assert.doesNotThrow(function() { - conn.destroy(); -}); diff --git a/test/parallel/test-tls-client-abort2.js b/test/parallel/test-tls-client-abort2.js deleted file mode 100644 index f3d84a5..0000000 --- a/test/parallel/test-tls-client-abort2.js +++ /dev/null @@ -1,14 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const conn = tls.connect(0, common.mustNotCall()); -conn.on('error', common.mustCall(function() { - assert.doesNotThrow(function() { - conn.destroy(); - }); -})); diff --git a/test/parallel/test-tls-client-default-ciphers.js b/test/parallel/test-tls-client-default-ciphers.js deleted file mode 100644 index 91a0a86..0000000 --- a/test/parallel/test-tls-client-default-ciphers.js +++ /dev/null @@ -1,26 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -function Done() {} - -function test1() { - let ciphers = ''; - - tls.createSecureContext = function(options) { - ciphers = options.ciphers; - throw new Done(); - }; - - try { - tls.connect(common.PORT); - } catch (e) { - assert(e instanceof Done); - } - assert.strictEqual(ciphers, tls.DEFAULT_CIPHERS); -} -test1(); diff --git a/test/parallel/test-tls-client-destroy-soon.js b/test/parallel/test-tls-client-destroy-soon.js deleted file mode 100644 index 94a4956..0000000 --- a/test/parallel/test-tls-client-destroy-soon.js +++ /dev/null @@ -1,46 +0,0 @@ -'use strict'; -// Create an ssl server. First connection, validate that not resume. -// Cache session and close connection. Use session on second connection. -// ASSERT resumption. - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) -}; - -const big = Buffer.alloc(2 * 1024 * 1024, 'Y'); - -// create server -const server = tls.createServer(options, common.mustCall(function(socket) { - socket.end(big); - socket.destroySoon(); -})); - -// start listening -server.listen(0, common.mustCall(function() { - const client = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }, common.mustCall(function() { - let bytesRead = 0; - - client.on('readable', function() { - const d = client.read(); - if (d) - bytesRead += d.length; - }); - - client.on('end', common.mustCall(function() { - server.close(); - assert.strictEqual(big.length, bytesRead); - })); - })); -})); diff --git a/test/parallel/test-tls-client-getephemeralkeyinfo.js b/test/parallel/test-tls-client-getephemeralkeyinfo.js deleted file mode 100644 index 7d93dcb..0000000 --- a/test/parallel/test-tls-client-getephemeralkeyinfo.js +++ /dev/null @@ -1,96 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); - -let ntests = 0; -let nsuccess = 0; - -function loadDHParam(n) { - let path = common.fixturesDir; - if (n !== 'error') path += '/keys'; - return fs.readFileSync(`${path}/dh${n}.pem`); -} - -const cipherlist = { - 'NOT_PFS': 'AES128-SHA256', - 'DH': 'DHE-RSA-AES128-GCM-SHA256', - 'ECDH': 'ECDHE-RSA-AES128-GCM-SHA256' -}; - -function test(size, type, name, next) { - const cipher = type ? cipherlist[type] : cipherlist['NOT_PFS']; - - if (name) tls.DEFAULT_ECDH_CURVE = name; - - const options = { - key: key, - cert: cert, - ciphers: cipher - }; - - if (type === 'DH') options.dhparam = loadDHParam(size); - - const server = tls.createServer(options, function(conn) { - assert.strictEqual(conn.getEphemeralKeyInfo(), null); - conn.end(); - }); - - server.on('close', common.mustCall(function(err) { - assert(!err); - if (next) next(); - })); - - server.listen(0, '127.0.0.1', common.mustCall(function() { - const client = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }, function() { - const ekeyinfo = client.getEphemeralKeyInfo(); - assert.strictEqual(ekeyinfo.type, type); - assert.strictEqual(ekeyinfo.size, size); - assert.strictEqual(ekeyinfo.name, name); - nsuccess++; - server.close(); - }); - })); -} - -function testNOT_PFS() { - test(undefined, undefined, undefined, testDHE1024); - ntests++; -} - -function testDHE1024() { - test(1024, 'DH', undefined, testDHE2048); - ntests++; -} - -function testDHE2048() { - test(2048, 'DH', undefined, testECDHE256); - ntests++; -} - -function testECDHE256() { - test(256, 'ECDH', tls.DEFAULT_ECDH_CURVE, testECDHE512); - ntests++; -} - -function testECDHE512() { - test(521, 'ECDH', 'secp521r1', null); - ntests++; -} - -testNOT_PFS(); - -process.on('exit', function() { - assert.strictEqual(ntests, nsuccess); - assert.strictEqual(ntests, 5); -}); diff --git a/test/parallel/test-tls-client-mindhsize.js b/test/parallel/test-tls-client-mindhsize.js deleted file mode 100644 index 685d790..0000000 --- a/test/parallel/test-tls-client-mindhsize.js +++ /dev/null @@ -1,92 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); - -let nsuccess = 0; -let nerror = 0; - -function loadDHParam(n) { - let path = common.fixturesDir; - if (n !== 'error') path += '/keys'; - return fs.readFileSync(`${path}/dh${n}.pem`); -} - -function test(size, err, next) { - const options = { - key: key, - cert: cert, - dhparam: loadDHParam(size), - ciphers: 'DHE-RSA-AES128-GCM-SHA256' - }; - - const server = tls.createServer(options, function(conn) { - conn.end(); - }); - - server.on('close', function(isException) { - assert(!isException); - if (next) next(); - }); - - server.listen(0, '127.0.0.1', function() { - // client set minimum DH parameter size to 2048 bits so that - // it fails when it make a connection to the tls server where - // dhparams is 1024 bits - const client = tls.connect({ - minDHSize: 2048, - port: this.address().port, - rejectUnauthorized: false - }, function() { - nsuccess++; - server.close(); - }); - if (err) { - client.on('error', function(e) { - nerror++; - assert.strictEqual(e.message, - 'DH parameter size 1024 is less than 2048'); - server.close(); - }); - } - }); -} - -// A client connection fails with an error when a client has an -// 2048 bits minDHSize option and a server has 1024 bits dhparam -function testDHE1024() { - test(1024, true, testDHE2048); -} - -// A client connection successes when a client has an -// 2048 bits minDHSize option and a server has 2048 bits dhparam -function testDHE2048() { - test(2048, false, null); -} - -testDHE1024(); - -assert.throws(() => test(512, true, common.mustNotCall()), - /DH parameter is less than 1024 bits/); - -let errMessage = /minDHSize is not a positive number/; -[0, -1, -Infinity, NaN].forEach((minDHSize) => { - assert.throws(() => tls.connect({ minDHSize }), errMessage); -}); - -errMessage = /minDHSize is not a number/; -[true, false, null, undefined, {}, [], '', '1'].forEach((minDHSize) => { - assert.throws(() => tls.connect({ minDHSize }), errMessage); -}); - -process.on('exit', function() { - assert.strictEqual(nsuccess, 1); - assert.strictEqual(nerror, 1); -}); diff --git a/test/parallel/test-tls-client-reject.js b/test/parallel/test-tls-client-reject.js deleted file mode 100644 index be3233d..0000000 --- a/test/parallel/test-tls-client-reject.js +++ /dev/null @@ -1,61 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const path = require('path'); - -const options = { - key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), - cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) -}; - -const server = tls.createServer(options, common.mustCall(function(socket) { - socket.on('data', function(data) { - console.error(data.toString()); - assert.strictEqual(data.toString(), 'ok'); - }); -}, 3)).listen(0, function() { - unauthorized(); -}); - -function unauthorized() { - const socket = tls.connect({ - port: server.address().port, - servername: 'localhost', - rejectUnauthorized: false - }, common.mustCall(function() { - assert(!socket.authorized); - socket.end(); - rejectUnauthorized(); - })); - socket.on('error', common.mustNotCall()); - socket.write('ok'); -} - -function rejectUnauthorized() { - const socket = tls.connect(server.address().port, { - servername: 'localhost' - }, common.mustNotCall()); - socket.on('error', common.mustCall(function(err) { - console.error(err); - authorized(); - })); - socket.write('ng'); -} - -function authorized() { - const socket = tls.connect(server.address().port, { - ca: [fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem'))], - servername: 'localhost' - }, common.mustCall(function() { - assert(socket.authorized); - socket.end(); - server.close(); - })); - socket.on('error', common.mustNotCall()); - socket.write('ok'); -} diff --git a/test/parallel/test-tls-client-resume.js b/test/parallel/test-tls-client-resume.js deleted file mode 100644 index 211d086..0000000 --- a/test/parallel/test-tls-client-resume.js +++ /dev/null @@ -1,56 +0,0 @@ -'use strict'; -// Create an ssl server. First connection, validate that not resume. -// Cache session and close connection. Use session on second connection. -// ASSERT resumption. - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) -}; - -// create server -const server = tls.Server(options, common.mustCall(function(socket) { - socket.end('Goodbye'); -}, 2)); - -// start listening -server.listen(0, function() { - - let session1 = null; - const client1 = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }, function() { - console.log('connect1'); - assert.ok(!client1.isSessionReused(), 'Session *should not* be reused.'); - session1 = client1.getSession(); - }); - - client1.on('close', function() { - console.log('close1'); - - const opts = { - port: server.address().port, - rejectUnauthorized: false, - session: session1 - }; - - const client2 = tls.connect(opts, function() { - console.log('connect2'); - assert.ok(client2.isSessionReused(), 'Session *should* be reused.'); - }); - - client2.on('close', function() { - console.log('close2'); - server.close(); - }); - }); -}); diff --git a/test/parallel/test-tls-client-verify.js b/test/parallel/test-tls-client-verify.js deleted file mode 100644 index 565b391..0000000 --- a/test/parallel/test-tls-client-verify.js +++ /dev/null @@ -1,132 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -const hosterr = /Hostname\/IP doesn't match certificate's altnames/; -const testCases = - [{ ca: ['ca1-cert'], - key: 'agent2-key', - cert: 'agent2-cert', - servers: [ - { ok: true, key: 'agent1-key', cert: 'agent1-cert' }, - { ok: false, key: 'agent2-key', cert: 'agent2-cert' }, - { ok: false, key: 'agent3-key', cert: 'agent3-cert' } - ] - }, - - { ca: [], - key: 'agent2-key', - cert: 'agent2-cert', - servers: [ - { ok: false, key: 'agent1-key', cert: 'agent1-cert' }, - { ok: false, key: 'agent2-key', cert: 'agent2-cert' }, - { ok: false, key: 'agent3-key', cert: 'agent3-cert' } - ] - }, - - { ca: ['ca1-cert', 'ca2-cert'], - key: 'agent2-key', - cert: 'agent2-cert', - servers: [ - { ok: true, key: 'agent1-key', cert: 'agent1-cert' }, - { ok: false, key: 'agent2-key', cert: 'agent2-cert' }, - { ok: true, key: 'agent3-key', cert: 'agent3-cert' } - ] - } - ]; - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -let successfulTests = 0; - -function testServers(index, servers, clientOptions, cb) { - const serverOptions = servers[index]; - if (!serverOptions) { - cb(); - return; - } - - const ok = serverOptions.ok; - - if (serverOptions.key) { - serverOptions.key = loadPEM(serverOptions.key); - } - - if (serverOptions.cert) { - serverOptions.cert = loadPEM(serverOptions.cert); - } - - const server = tls.createServer(serverOptions, common.mustCall(function(s) { - s.end('hello world\n'); - })); - - server.listen(0, common.mustCall(function() { - let b = ''; - - console.error('connecting...'); - clientOptions.port = this.address().port; - const client = tls.connect(clientOptions, common.mustCall(function() { - const authorized = client.authorized || - hosterr.test(client.authorizationError); - - console.error(`expected: ${ok} authed: ${authorized}`); - - assert.strictEqual(ok, authorized); - server.close(); - })); - - client.on('data', function(d) { - b += d.toString(); - }); - - client.on('end', common.mustCall(function() { - assert.strictEqual('hello world\n', b); - })); - - client.on('close', common.mustCall(function() { - testServers(index + 1, servers, clientOptions, cb); - })); - })); -} - - -function runTest(testIndex) { - const tcase = testCases[testIndex]; - if (!tcase) return; - - const clientOptions = { - port: undefined, - ca: tcase.ca.map(loadPEM), - key: loadPEM(tcase.key), - cert: loadPEM(tcase.cert), - rejectUnauthorized: false - }; - - - testServers(0, tcase.servers, clientOptions, common.mustCall(function() { - successfulTests++; - runTest(testIndex + 1); - })); -} - - -runTest(0); - - -process.on('exit', function() { - console.log('successful tests: %d', successfulTests); - assert.strictEqual(successfulTests, testCases.length); -}); diff --git a/test/parallel/test-tls-close-error.js b/test/parallel/test-tls-close-error.js deleted file mode 100644 index e7e48cd..0000000 --- a/test/parallel/test-tls-close-error.js +++ /dev/null @@ -1,26 +0,0 @@ -'use strict'; - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}, function(c) { -}).listen(0, common.mustCall(function() { - const c = tls.connect(this.address().port, function() { - assert(false, 'should not be called'); - }); - - c.on('error', common.mustCall(function(err) {})); - - c.on('close', common.mustCall(function(err) { - assert.ok(err); - server.close(); - })); -})); diff --git a/test/parallel/test-tls-close-notify.js b/test/parallel/test-tls-close-notify.js deleted file mode 100644 index 15f9f36..0000000 --- a/test/parallel/test-tls-close-notify.js +++ /dev/null @@ -1,27 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const fs = require('fs'); - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}, function(c) { - // Send close-notify without shutting down TCP socket - if (c._handle.shutdownSSL() !== 1) - c._handle.shutdownSSL(); -}).listen(0, common.mustCall(function() { - const c = tls.connect(this.address().port, { - rejectUnauthorized: false - }, common.mustCall(function() { - // Ensure that we receive 'end' event anyway - c.on('end', common.mustCall(function() { - c.destroy(); - server.close(); - })); - })); -})); diff --git a/test/parallel/test-tls-cnnic-whitelist.js b/test/parallel/test-tls-cnnic-whitelist.js deleted file mode 100644 index 84b71c7..0000000 --- a/test/parallel/test-tls-cnnic-whitelist.js +++ /dev/null @@ -1,77 +0,0 @@ -// Flags: --use-bundled-ca -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const testCases = [ - { // Test 0: for the check of a cert not existed in the whitelist. - // agent7-cert.pem is issued by the fake CNNIC root CA so that its - // hash is not listed in the whitelist. - // fake-cnnic-root-cert has the same subject name as the original - // rootCA. - serverOpts: { - key: loadPEM('agent7-key'), - cert: loadPEM('agent7-cert') - }, - clientOpts: { - port: undefined, - rejectUnauthorized: true, - ca: [loadPEM('fake-cnnic-root-cert')] - }, - errorCode: 'CERT_REVOKED' - }, - // Test 1: for the fix of node#2061 - // agent6-cert.pem is signed by intermidate cert of ca3. - // The server has a cert chain of agent6->ca3->ca1(root) but - // tls.connect should be failed with an error of - // UNABLE_TO_GET_ISSUER_CERT_LOCALLY since the root CA of ca1 is not - // installed locally. - { - serverOpts: { - ca: loadPEM('ca3-key'), - key: loadPEM('agent6-key'), - cert: loadPEM('agent6-cert') - }, - clientOpts: { - port: undefined, - rejectUnauthorized: true - }, - errorCode: 'UNABLE_TO_GET_ISSUER_CERT_LOCALLY' - } -]; - -function runTest(tindex) { - const tcase = testCases[tindex]; - - if (!tcase) return; - - const server = tls.createServer(tcase.serverOpts, (s) => { - s.resume(); - }).listen(0, common.mustCall(function() { - tcase.clientOpts = this.address().port; - const client = tls.connect(tcase.clientOpts); - client.on('error', common.mustCall((e) => { - assert.strictEqual(e.code, tcase.errorCode); - server.close(common.mustCall(() => { - runTest(tindex + 1); - })); - })); - })); -} - -runTest(0); diff --git a/test/parallel/test-tls-connect-address-family.js b/test/parallel/test-tls-connect-address-family.js deleted file mode 100644 index afacd5a..0000000 --- a/test/parallel/test-tls-connect-address-family.js +++ /dev/null @@ -1,45 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.hasIPv6) - common.skip('no IPv6 support'); - -const assert = require('assert'); -const tls = require('tls'); -const dns = require('dns'); - -function runTest() { - const ciphers = 'AECDH-NULL-SHA'; - tls.createServer({ ciphers }, common.mustCall(function() { - this.close(); - })).listen(0, '::1', common.mustCall(function() { - const options = { - host: 'localhost', - port: this.address().port, - family: 6, - ciphers: ciphers, - rejectUnauthorized: false, - }; - // Will fail with ECONNREFUSED if the address family is not honored. - tls.connect(options).once('secureConnect', common.mustCall(function() { - assert.strictEqual('::1', this.remoteAddress); - this.destroy(); - })); - })); -} - -dns.lookup('localhost', {family: 6, all: true}, (err, addresses) => { - if (err) { - if (err.code === 'ENOTFOUND') - common.skip('localhost does not resolve to ::1'); - - throw err; - } - - if (addresses.some((val) => val.address === '::1')) - runTest(); - else - common.skip('localhost does not resolve to ::1'); -}); diff --git a/test/parallel/test-tls-connect-given-socket.js b/test/parallel/test-tls-connect-given-socket.js deleted file mode 100644 index b69e0b9..0000000 --- a/test/parallel/test-tls-connect-given-socket.js +++ /dev/null @@ -1,65 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const net = require('net'); -const fs = require('fs'); -const path = require('path'); - -const options = { - key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), - cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) -}; - -const server = tls.createServer(options, common.mustCall((socket) => { - socket.end('Hello'); -}, 2)).listen(0, common.mustCall(() => { - let waiting = 2; - function establish(socket, calls) { - const client = tls.connect({ - rejectUnauthorized: false, - socket: socket - }, common.mustCall(() => { - let data = ''; - client.on('data', common.mustCall((chunk) => { - data += chunk.toString(); - })); - client.on('end', common.mustCall(() => { - assert.strictEqual(data, 'Hello'); - if (--waiting === 0) - server.close(); - })); - }, calls)); - assert(client.readable); - assert(client.writable); - - return client; - } - - const { port } = server.address(); - - // Immediate death socket - const immediateDeath = net.connect(port); - establish(immediateDeath, 0).destroy(); - - // Outliving - const outlivingTCP = net.connect(port, common.mustCall(() => { - outlivingTLS.destroy(); - next(); - })); - const outlivingTLS = establish(outlivingTCP, 0); - - function next() { - // Already connected socket - const connected = net.connect(port, common.mustCall(() => { - establish(connected); - })); - - // Connecting socket - const connecting = net.connect(port); - establish(connecting); - } -})); diff --git a/test/parallel/test-tls-connect-no-host.js b/test/parallel/test-tls-connect-no-host.js deleted file mode 100644 index f63c821..0000000 --- a/test/parallel/test-tls-connect-no-host.js +++ /dev/null @@ -1,34 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); - -const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); -const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); - -// https://github.com/nodejs/node/issues/1489 -// tls.connect(options) with no options.host should accept a cert with -// CN:'localhost' -tls.createServer({ - key: key, - cert: cert -}).listen(0, function() { - const socket = tls.connect({ - port: this.address().port, - ca: cert, - // No host set here. 'localhost' is the default, - // but tls.checkServerIdentity() breaks before the fix with: - // Error: Hostname/IP doesn't match certificate's altnames: - // "Host: undefined. is not cert's CN: localhost" - }, function() { - assert(socket.authorized); - process.exit(); - }); -}); diff --git a/test/parallel/test-tls-connect-pipe.js b/test/parallel/test-tls-connect-pipe.js deleted file mode 100644 index 2467a91..0000000 --- a/test/parallel/test-tls-connect-pipe.js +++ /dev/null @@ -1,26 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -common.refreshTmpDir(); - -const server = tls.Server(options, common.mustCall(function(socket) { - server.close(); -})); -server.listen(common.PIPE, common.mustCall(function() { - const options = { rejectUnauthorized: false }; - const client = tls.connect(common.PIPE, options, common.mustCall(function() { - client.end(); - })); -})); diff --git a/test/parallel/test-tls-connect-secure-context.js b/test/parallel/test-tls-connect-secure-context.js deleted file mode 100644 index d1552a6..0000000 --- a/test/parallel/test-tls-connect-secure-context.js +++ /dev/null @@ -1,25 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Verify connection with explicitly created client SecureContext. - -const join = require('path').join; -const { - assert, connect, keys, tls -} = require(join(common.fixturesDir, 'tls-connect'))(); - -connect({ - client: { - servername: 'agent1', - secureContext: tls.createSecureContext({ - ca: keys.agent1.ca, - }), - }, - server: { - cert: keys.agent1.cert, - key: keys.agent1.key, - }, -}, function(err, pair, cleanup) { - assert.ifError(err); - return cleanup(); -}); diff --git a/test/parallel/test-tls-connect-simple.js b/test/parallel/test-tls-connect-simple.js deleted file mode 100644 index aa59f05..0000000 --- a/test/parallel/test-tls-connect-simple.js +++ /dev/null @@ -1,42 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - -const fs = require('fs'); - -let serverConnected = 0; - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = tls.Server(options, common.mustCall(function(socket) { - if (++serverConnected === 2) { - server.close(common.mustCall()); - server.on('close', common.mustCall()); - } -}, 2)); - -server.listen(0, function() { - const client1options = { - port: this.address().port, - rejectUnauthorized: false - }; - const client1 = tls.connect(client1options, common.mustCall(function() { - client1.end(); - })); - - const client2options = { - port: this.address().port, - rejectUnauthorized: false - }; - const client2 = tls.connect(client2options); - client2.on('secureConnect', common.mustCall(function() { - client2.end(); - })); -}); diff --git a/test/parallel/test-tls-connect-stream-writes.js b/test/parallel/test-tls-connect-stream-writes.js deleted file mode 100644 index 5266d6c..0000000 --- a/test/parallel/test-tls-connect-stream-writes.js +++ /dev/null @@ -1,63 +0,0 @@ -'use strict'; -const common = require('../common'); -const assert = require('assert'); -const fs = require('fs'); -const tls = require('tls'); -const stream = require('stream'); -const net = require('net'); - -const cert_dir = common.fixturesDir; -const options = { key: fs.readFileSync(`${cert_dir}/test_key.pem`), - cert: fs.readFileSync(`${cert_dir}/test_cert.pem`), - ca: [ fs.readFileSync(`${cert_dir}/test_ca.pem`) ], - ciphers: 'AES256-GCM-SHA384' }; -const content = 'hello world'; -const recv_bufs = []; -let send_data = ''; -const server = tls.createServer(options, function(s) { - s.on('data', function(c) { - recv_bufs.push(c); - }); -}); -server.listen(0, function() { - const raw = net.connect(this.address().port); - - let pending = false; - raw.on('readable', function() { - if (pending) - p._read(); - }); - - let p = new stream.Duplex({ - read: function read() { - pending = false; - - const chunk = raw.read(); - if (chunk) { - this.push(chunk); - } else { - pending = true; - } - }, - write: function write(data, enc, cb) { - raw.write(data, enc, cb); - } - }); - - const socket = tls.connect({ - socket: p, - rejectUnauthorized: false - }, function() { - for (let i = 0; i < 50; ++i) { - socket.write(content); - send_data += content; - } - socket.end(); - server.close(); - }); -}); - -process.on('exit', function() { - const recv_data = (Buffer.concat(recv_bufs)).toString(); - assert.strictEqual(send_data, recv_data); -}); diff --git a/test/parallel/test-tls-connect.js b/test/parallel/test-tls-connect.js deleted file mode 100644 index b410f86..0000000 --- a/test/parallel/test-tls-connect.js +++ /dev/null @@ -1,39 +0,0 @@ -'use strict'; -const common = require('../common'); -const assert = require('assert'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const fs = require('fs'); -const path = require('path'); - -// https://github.com/joyent/node/issues/1218 -// uncatchable exception on TLS connection error -{ - const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); - const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); - - const options = {cert: cert, key: key, port: common.PORT}; - const conn = tls.connect(options, common.fail); - - conn.on('error', common.mustCall()); -} - -// SSL_accept/SSL_connect error handling -{ - const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); - const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); - - const conn = tls.connect({ - cert: cert, - key: key, - port: common.PORT, - ciphers: 'rick-128-roll' - }, function() { - assert.ok(false); // callback should never be executed - }); - - conn.on('error', common.mustCall()); -} diff --git a/test/parallel/test-tls-delayed-attach-error.js b/test/parallel/test-tls-delayed-attach-error.js deleted file mode 100644 index 9d37f15..0000000 --- a/test/parallel/test-tls-delayed-attach-error.js +++ /dev/null @@ -1,36 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const fs = require('fs'); -const net = require('net'); - -const bonkers = Buffer.alloc(1024, 42); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = net.createServer(common.mustCall(function(c) { - setTimeout(common.mustCall(function() { - const s = new tls.TLSSocket(c, { - isServer: true, - secureContext: tls.createSecureContext(options) - }); - - s.on('_tlsError', common.mustCall()); - - s.on('close', function() { - server.close(); - s.destroy(); - }); - }), 200); -})).listen(0, function() { - const c = net.connect({port: this.address().port}, function() { - c.write(bonkers); - }); -}); diff --git a/test/parallel/test-tls-delayed-attach.js b/test/parallel/test-tls-delayed-attach.js deleted file mode 100644 index 12ebb91..0000000 --- a/test/parallel/test-tls-delayed-attach.js +++ /dev/null @@ -1,45 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const net = require('net'); - -const sent = 'hello world'; -let received = ''; - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = net.createServer(function(c) { - setTimeout(function() { - const s = new tls.TLSSocket(c, { - isServer: true, - secureContext: tls.createSecureContext(options) - }); - - s.on('data', function(chunk) { - received += chunk; - }); - - s.on('end', function() { - server.close(); - s.destroy(); - }); - }, 200); -}).listen(0, function() { - const c = tls.connect(this.address().port, { - rejectUnauthorized: false - }, function() { - c.end(sent); - }); -}); - -process.on('exit', function() { - assert.strictEqual(received, sent); -}); diff --git a/test/parallel/test-tls-destroy-whilst-write.js b/test/parallel/test-tls-destroy-whilst-write.js deleted file mode 100644 index d157c7b..0000000 --- a/test/parallel/test-tls-destroy-whilst-write.js +++ /dev/null @@ -1,27 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const stream = require('stream'); - -const delay = new stream.Duplex({ - read: function read() { - }, - write: function write(data, enc, cb) { - console.log('pending'); - setImmediate(function() { - console.log('done'); - cb(); - }); - } -}); - -const secure = tls.connect({ - socket: delay -}); -setImmediate(function() { - secure.destroy(); -}); diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js deleted file mode 100644 index 3e43fd2..0000000 --- a/test/parallel/test-tls-dhe.js +++ /dev/null @@ -1,96 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('missing openssl-cli'); - -const assert = require('assert'); -const tls = require('tls'); -const spawn = require('child_process').spawn; -const fs = require('fs'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); -let nsuccess = 0; -let ntests = 0; -const ciphers = 'DHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256'; - - -function loadDHParam(n) { - let path = common.fixturesDir; - if (n !== 'error') path += '/keys'; - return fs.readFileSync(`${path}/dh${n}.pem`); -} - -function test(keylen, expectedCipher, cb) { - const options = { - key: key, - cert: cert, - ciphers: ciphers, - dhparam: loadDHParam(keylen) - }; - - const server = tls.createServer(options, function(conn) { - conn.end(); - }); - - server.on('close', function(err) { - assert(!err); - if (cb) cb(); - }); - - server.listen(0, '127.0.0.1', function() { - const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`, - '-cipher', ciphers]; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - args.push('-no_rand_screen'); - - const client = spawn(common.opensslCli, args); - let out = ''; - client.stdout.setEncoding('utf8'); - client.stdout.on('data', function(d) { - out += d; - }); - client.stdout.on('end', function() { - // DHE key length can be checked -brief option in s_client but it - // is only supported in openssl 1.0.2 so we cannot check it. - const reg = new RegExp(`Cipher : ${expectedCipher}`); - if (reg.test(out)) { - nsuccess++; - server.close(); - } - }); - }); -} - -function test512() { - assert.throws(function() { - test(512, 'DHE-RSA-AES128-SHA256', null); - }, /DH parameter is less than 1024 bits/); -} - -function test1024() { - test(1024, 'DHE-RSA-AES128-SHA256', test2048); - ntests++; -} - -function test2048() { - test(2048, 'DHE-RSA-AES128-SHA256', testError); - ntests++; -} - -function testError() { - test('error', 'ECDHE-RSA-AES128-SHA256', test512); - ntests++; -} - -test1024(); - -process.on('exit', function() { - assert.strictEqual(ntests, nsuccess); - assert.strictEqual(ntests, 3); -}); diff --git a/test/parallel/test-tls-ecdh-disable.js b/test/parallel/test-tls-ecdh-disable.js deleted file mode 100644 index a44ce2c..0000000 --- a/test/parallel/test-tls-ecdh-disable.js +++ /dev/null @@ -1,37 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('missing openssl-cli'); - -const assert = require('assert'); -const tls = require('tls'); -const exec = require('child_process').exec; -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), - ciphers: 'ECDHE-RSA-RC4-SHA', - ecdhCurve: false -}; - -const server = tls.createServer(options, common.mustNotCall()); - -server.listen(0, '127.0.0.1', common.mustCall(function() { - let cmd = `"${common.opensslCli}" s_client -cipher ${ - options.ciphers} -connect 127.0.0.1:${this.address().port}`; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - cmd += ' -no_rand_screen'; - - exec(cmd, common.mustCall(function(err, stdout, stderr) { - // Old versions of openssl will still exit with 0 so we - // can't just check if err is not null. - assert(stderr.includes('handshake failure')); - server.close(); - })); -})); diff --git a/test/parallel/test-tls-ecdh.js b/test/parallel/test-tls-ecdh.js deleted file mode 100644 index 32df9c1..0000000 --- a/test/parallel/test-tls-ecdh.js +++ /dev/null @@ -1,42 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('missing openssl-cli'); - -const assert = require('assert'); -const tls = require('tls'); - -const exec = require('child_process').exec; -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), - ciphers: '-ALL:ECDHE-RSA-AES128-SHA256', - ecdhCurve: 'prime256v1' -}; - -const reply = 'I AM THE WALRUS'; // something recognizable - -const server = tls.createServer(options, common.mustCall(function(conn) { - conn.end(reply); -})); - -server.listen(0, '127.0.0.1', common.mustCall(function() { - let cmd = `"${common.opensslCli}" s_client -cipher ${ - options.ciphers} -connect 127.0.0.1:${this.address().port}`; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - cmd += ' -no_rand_screen'; - - exec(cmd, common.mustCall(function(err, stdout, stderr) { - if (err) throw err; - assert(stdout.includes(reply)); - server.close(); - })); -})); diff --git a/test/parallel/test-tls-econnreset.js b/test/parallel/test-tls-econnreset.js deleted file mode 100644 index fb3cb2f..0000000 --- a/test/parallel/test-tls-econnreset.js +++ /dev/null @@ -1,76 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const cacert = -`-----BEGIN CERTIFICATE----- -MIIBxTCCAX8CAnXnMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD -VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n -TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv -bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMH0xCzAJ -BgNVBAYTAlVTMQswCQYDVQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZ -MBcGA1UEChMQU3Ryb25nTG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRow -GAYDVQQDExFjYS5zdHJvbmdsb29wLmNvbTBMMA0GCSqGSIb3DQEBAQUAAzsAMDgC -MQDKbQ6rIR5t1q1v4Ha36jrq0IkyUohy9EYNvLnXUly1PGqxby0ILlAVJ8JawpY9 -AVkCAwEAATANBgkqhkiG9w0BAQUFAAMxALA1uS4CqQXRSAyYTfio5oyLGz71a+NM -+0AFLBwh5AQjhGd0FcenU4OfHxyDEOJT/Q== ------END CERTIFICATE-----`; - -const cert = -`-----BEGIN CERTIFICATE----- -MIIBfDCCATYCAgQaMA0GCSqGSIb3DQEBBQUAMH0xCzAJBgNVBAYTAlVTMQswCQYD -VQQIEwJDQTEWMBQGA1UEBxMNU2FuIEZyYW5jaXNjbzEZMBcGA1UEChMQU3Ryb25n -TG9vcCwgSW5jLjESMBAGA1UECxMJU3Ryb25nT3BzMRowGAYDVQQDExFjYS5zdHJv -bmdsb29wLmNvbTAeFw0xNDAxMTcyMjE1MDdaFw00MTA2MDMyMjE1MDdaMBkxFzAV -BgNVBAMTDnN0cm9uZ2xvb3AuY29tMEwwDQYJKoZIhvcNAQEBBQADOwAwOAIxAMfk -I0LWU15pPUwIQNMnRVhhOibi0TQmAau8FBtgwEfGK01WpfGUaJr1a41K8Uq7xwID -AQABoxkwFzAVBgNVHREEDjAMhwQAAAAAhwR/AAABMA0GCSqGSIb3DQEBBQUAAzEA -cGpYrhkrb7mIh9DNhV0qp7pGjqBzlHqB7KQXw2luLDp//6dyHBMexDCQznkhZKRU ------END CERTIFICATE-----`; - -const key = -`-----BEGIN RSA PRIVATE KEY----- -MIH0AgEAAjEAx+QjQtZTXmk9TAhA0ydFWGE6JuLRNCYBq7wUG2DAR8YrTVal8ZRo -mvVrjUrxSrvHAgMBAAECMBCGccvSwC2r8Z9Zh1JtirQVxaL1WWpAQfmVwLe0bAgg -/JWMU/6hS36TsYyZMxwswQIZAPTAfht/zDLb7Hwgu2twsS1Ra9w/yyvtlwIZANET -26votwJAHK1yUrZGA5nnp5qcmQ/JUQIZAII5YV/UUZvF9D/fUplJ7puENPWNY9bN -pQIZAMMwxuS3XiO7two2sQF6W+JTYyX1DPCwAQIZAOYg1TvEGT38k8e8jygv8E8w -YqrWTeQFNQ== ------END RSA PRIVATE KEY-----`; - -const ca = [ cert, cacert ]; - -let clientError = null; -let connectError = null; - -const server = - tls.createServer({ ca: ca, cert: cert, key: key }, function(conn) { - throw 'unreachable'; - }).on('tlsClientError', function(err, conn) { - assert(!clientError && conn); - clientError = err; - }).listen(0, function() { - const options = { - ciphers: 'AES128-GCM-SHA256', - port: this.address().port, - ca: ca - }; - tls.connect(options).on('error', function(err) { - assert(!connectError); - - connectError = err; - this.destroy(); - server.close(); - }).write('123'); - }); - -process.on('exit', function() { - assert(clientError); - assert(connectError); - assert(/socket hang up/.test(clientError.message)); - assert(/ECONNRESET/.test(clientError.code)); -}); diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js deleted file mode 100644 index 3f39d6e..0000000 --- a/test/parallel/test-tls-empty-sni-context.js +++ /dev/null @@ -1,34 +0,0 @@ -'use strict'; - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!process.features.tls_sni) - common.skip('node compiled without OpenSSL or with old OpenSSL version.'); - -const assert = require('assert'); -const tls = require('tls'); - -const options = { - SNICallback: (name, callback) => { - callback(null, tls.createSecureContext()); - } -}; - -const server = tls.createServer(options, (c) => { - common.fail('Should not be called'); -}).on('tlsClientError', common.mustCall((err, c) => { - assert(/SSL_use_certificate:passed a null parameter/i.test(err.message)); - server.close(); -})).listen(0, common.mustCall(() => { - const c = tls.connect({ - port: server.address().port, - rejectUnauthorized: false, - servername: 'any.name' - }, common.mustNotCall()); - - c.on('error', common.mustCall((err) => { - assert(/socket hang up/.test(err.message)); - })); -})); diff --git a/test/parallel/test-tls-env-bad-extra-ca.js b/test/parallel/test-tls-env-bad-extra-ca.js deleted file mode 100644 index ece93f3..0000000 --- a/test/parallel/test-tls-env-bad-extra-ca.js +++ /dev/null @@ -1,39 +0,0 @@ -// Setting NODE_EXTRA_CA_CERTS to non-existent file emits a warning - -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fork = require('child_process').fork; - -if (process.env.CHILD) { - // This will try to load the extra CA certs, and emit a warning when it fails. - return tls.createServer({}); -} - -const env = { - CHILD: 'yes', - NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/no-such-file-exists`, -}; - -const opts = { - env: env, - silent: true, -}; -let stderr = ''; - -fork(__filename, opts) - .on('exit', common.mustCall(function(status) { - assert.strictEqual(status, 0, 'client did not succeed in connecting'); - })) - .on('close', common.mustCall(function() { - const re = /Warning: Ignoring extra certs from.*no-such-file-exists.* load failed:.*No such file or directory/; - assert(re.test(stderr), stderr); - })) - .stderr.setEncoding('utf8').on('data', function(str) { - stderr += str; - }); diff --git a/test/parallel/test-tls-env-extra-ca.js b/test/parallel/test-tls-env-extra-ca.js deleted file mode 100644 index be7c826..0000000 --- a/test/parallel/test-tls-env-extra-ca.js +++ /dev/null @@ -1,44 +0,0 @@ -// Certs in NODE_EXTRA_CA_CERTS are used for TLS peer validation - -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const fs = require('fs'); -const tls = require('tls'); - -const fork = require('child_process').fork; - -if (process.env.CHILD) { - const copts = { - port: process.env.PORT, - checkServerIdentity: common.mustCall(), - }; - const client = tls.connect(copts, common.mustCall(function() { - client.end('hi'); - })); - return; -} - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), -}; - -const server = tls.createServer(options, common.mustCall(function(s) { - s.end('bye'); - server.close(); -})).listen(0, common.mustCall(function() { - const env = { - CHILD: 'yes', - PORT: this.address().port, - NODE_EXTRA_CA_CERTS: `${common.fixturesDir}/keys/ca1-cert.pem`, - }; - - fork(__filename, {env: env}).on('exit', common.mustCall(function(status) { - assert.strictEqual(status, 0, 'client did not succeed in connecting'); - })); -})); diff --git a/test/parallel/test-tls-external-accessor.js b/test/parallel/test-tls-external-accessor.js deleted file mode 100644 index 2d7b1f6..0000000 --- a/test/parallel/test-tls-external-accessor.js +++ /dev/null @@ -1,22 +0,0 @@ -'use strict'; - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -// Ensure accessing ._external doesn't hit an assert in the accessor method. -{ - const pctx = tls.createSecureContext().context; - const cctx = Object.create(pctx); - assert.throws(() => cctx._external, /incompatible receiver/); - pctx._external; -} -{ - const pctx = tls.createSecurePair().credentials.context; - const cctx = Object.create(pctx); - assert.throws(() => cctx._external, /incompatible receiver/); - pctx._external; -} diff --git a/test/parallel/test-tls-fast-writing.js b/test/parallel/test-tls-fast-writing.js deleted file mode 100644 index b8605ca..0000000 --- a/test/parallel/test-tls-fast-writing.js +++ /dev/null @@ -1,60 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const dir = common.fixturesDir; -const options = { key: fs.readFileSync(`${dir}/test_key.pem`), - cert: fs.readFileSync(`${dir}/test_cert.pem`), - ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] }; - -const server = tls.createServer(options, onconnection); -let gotChunk = false; -let gotDrain = false; - -setTimeout(function() { - console.log('not ok - timed out'); - process.exit(1); -}, common.platformTimeout(1000)); - -function onconnection(conn) { - conn.on('data', function(c) { - if (!gotChunk) { - gotChunk = true; - console.log('ok - got chunk'); - } - - // just some basic sanity checks. - assert(c.length); - assert(Buffer.isBuffer(c)); - - if (gotDrain) - process.exit(0); - }); -} - -server.listen(0, function() { - const chunk = Buffer.alloc(1024, 'x'); - const opt = { port: this.address().port, rejectUnauthorized: false }; - const conn = tls.connect(opt, function() { - conn.on('drain', ondrain); - write(); - }); - function ondrain() { - if (!gotDrain) { - gotDrain = true; - console.log('ok - got drain'); - } - if (gotChunk) - process.exit(0); - write(); - } - function write() { - // this needs to return false eventually - while (false !== conn.write(chunk)); - } -}); diff --git a/test/parallel/test-tls-friendly-error-message.js b/test/parallel/test-tls-friendly-error-message.js deleted file mode 100644 index 51ce0d0..0000000 --- a/test/parallel/test-tls-friendly-error-message.js +++ /dev/null @@ -1,23 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); - -tls.createServer({ key: key, cert: cert }, common.mustCall(function(conn) { - conn.end(); - this.close(); -})).listen(0, common.mustCall(function() { - const options = { port: this.address().port, rejectUnauthorized: true }; - tls.connect(options).on('error', common.mustCall(function(err) { - assert.strictEqual(err.code, 'UNABLE_TO_VERIFY_LEAF_SIGNATURE'); - assert.strictEqual(err.message, 'unable to verify the first certificate'); - this.destroy(); - })); -})); diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js deleted file mode 100644 index dc3ff1b..0000000 --- a/test/parallel/test-tls-getcipher.js +++ /dev/null @@ -1,36 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const fs = require('fs'); -const cipher_list = ['AES128-SHA256', 'AES256-SHA256']; -const cipher_version_pattern = /TLS|SSL/; -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), - ciphers: cipher_list.join(':'), - honorCipherOrder: true -}; - -const server = tls.createServer(options, - common.mustCall(function(cleartextStream) {})); - -server.listen(0, '127.0.0.1', common.mustCall(function() { - const client = tls.connect({ - host: '127.0.0.1', - port: this.address().port, - ciphers: cipher_list.join(':'), - rejectUnauthorized: false - }, common.mustCall(function() { - const cipher = client.getCipher(); - assert.strictEqual(cipher.name, cipher_list[0]); - assert(cipher_version_pattern.test(cipher.version)); - client.end(); - server.close(); - })); -})); diff --git a/test/parallel/test-tls-getprotocol.js b/test/parallel/test-tls-getprotocol.js deleted file mode 100644 index dd96aa6..0000000 --- a/test/parallel/test-tls-getprotocol.js +++ /dev/null @@ -1,40 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const clientConfigs = [ - { secureProtocol: 'TLSv1_method', version: 'TLSv1' }, - { secureProtocol: 'TLSv1_1_method', version: 'TLSv1.1' }, - { secureProtocol: 'TLSv1_2_method', version: 'TLSv1.2' } -]; - -const serverConfig = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) -}; - -const server = tls.createServer(serverConfig, common.mustCall(function() { - -}, clientConfigs.length)).listen(0, common.localhostIPv4, function() { - let connected = 0; - clientConfigs.forEach(function(v) { - tls.connect({ - host: common.localhostIPv4, - port: server.address().port, - rejectUnauthorized: false, - secureProtocol: v.secureProtocol - }, common.mustCall(function() { - assert.strictEqual(this.getProtocol(), v.version); - this.on('end', common.mustCall(function() { - assert.strictEqual(this.getProtocol(), null); - })).end(); - if (++connected === clientConfigs.length) - server.close(); - })); - }); -}); diff --git a/test/parallel/test-tls-handshake-error.js b/test/parallel/test-tls-handshake-error.js deleted file mode 100644 index 9ae1f31..0000000 --- a/test/parallel/test-tls-handshake-error.js +++ /dev/null @@ -1,32 +0,0 @@ -'use strict'; - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), - rejectUnauthorized: true -}, function(c) { -}).listen(0, common.mustCall(function() { - const c = tls.connect({ - port: this.address().port, - ciphers: 'RC4' - }, function() { - assert(false, 'should not be called'); - }); - - c.on('error', common.mustCall(function(err) { - assert.notStrictEqual(err.code, 'ECONNRESET'); - })); - - c.on('close', common.mustCall(function(err) { - assert.ok(err); - server.close(); - })); -})); diff --git a/test/parallel/test-tls-handshake-nohang.js b/test/parallel/test-tls-handshake-nohang.js deleted file mode 100644 index 5c65ca4..0000000 --- a/test/parallel/test-tls-handshake-nohang.js +++ /dev/null @@ -1,11 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - -// neither should hang -tls.createSecurePair(null, false, false, false); -tls.createSecurePair(null, true, false, false); diff --git a/test/parallel/test-tls-hello-parser-failure.js b/test/parallel/test-tls-hello-parser-failure.js deleted file mode 100644 index a6659d4..0000000 --- a/test/parallel/test-tls-hello-parser-failure.js +++ /dev/null @@ -1,41 +0,0 @@ -'use strict'; - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const net = require('net'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`) -}; - -const bonkers = Buffer.alloc(1024 * 1024, 42); - -const server = tls.createServer(options, function(c) { - -}).listen(0, common.mustCall(function() { - const client = net.connect(this.address().port, common.mustCall(function() { - client.write(bonkers); - })); - - const writeAgain = setImmediate(function() { - client.write(bonkers); - }); - - client.once('error', common.mustCall(function(err) { - clearImmediate(writeAgain); - client.destroy(); - server.close(); - })); - - client.on('close', common.mustCall(function(hadError) { - assert.strictEqual(hadError, true, 'Client never errored'); - })); -})); diff --git a/test/parallel/test-tls-honorcipherorder.js b/test/parallel/test-tls-honorcipherorder.js deleted file mode 100644 index a9d35a0..0000000 --- a/test/parallel/test-tls-honorcipherorder.js +++ /dev/null @@ -1,97 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -let nconns = 0; - -// We explicitly set TLS version to 1.2 so as to be safe when the -// default method is updated in the future -const SSL_Method = 'TLSv1_2_method'; -const localhost = '127.0.0.1'; - -process.on('exit', function() { - assert.strictEqual(nconns, 6); -}); - -function test(honorCipherOrder, clientCipher, expectedCipher, cb) { - const soptions = { - secureProtocol: SSL_Method, - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), - ciphers: 'AES256-SHA256:AES128-GCM-SHA256:AES128-SHA256:' + - 'ECDHE-RSA-AES128-GCM-SHA256', - honorCipherOrder: !!honorCipherOrder - }; - - const server = tls.createServer(soptions, function(cleartextStream) { - nconns++; - - // End socket to send CLOSE_NOTIFY and TCP FIN packet, otherwise - // it may hang for ~30 seconds in FIN_WAIT_1 state (at least on OSX). - cleartextStream.end(); - }); - server.listen(0, localhost, function() { - const coptions = { - rejectUnauthorized: false, - secureProtocol: SSL_Method - }; - if (clientCipher) { - coptions.ciphers = clientCipher; - } - const port = this.address().port; - const client = tls.connect(port, localhost, coptions, function() { - const cipher = client.getCipher(); - client.end(); - server.close(); - assert.strictEqual(cipher.name, expectedCipher); - if (cb) cb(); - }); - }); -} - -test1(); - -function test1() { - // Client has the preference of cipher suites by default - test(false, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', - 'AES128-GCM-SHA256', test2); -} - -function test2() { - // Server has the preference of cipher suites, and AES256-SHA256 is - // the server's top choice. - test(true, 'AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256', - 'AES256-SHA256', test3); -} - -function test3() { - // Server has the preference of cipher suites. AES128-GCM-SHA256 is given - // higher priority over AES128-SHA256 among client cipher suites. - test(true, 'AES128-SHA256:AES128-GCM-SHA256', 'AES128-GCM-SHA256', test4); - -} - -function test4() { - // As client has only one cipher, server has no choice, irrespective - // of honorCipherOrder. - test(true, 'AES128-SHA256', 'AES128-SHA256', test5); -} - -function test5() { - // Client did not explicitly set ciphers and client offers - // tls.DEFAULT_CIPHERS. All ciphers of the server are included in the - // default list so the negotiated cipher is selected according to the - // server's top preference of AES256-SHA256. - test(true, null, 'AES256-SHA256', test6); -} - -function test6() { - // Ensure that `tls.DEFAULT_CIPHERS` is used - tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES128-GCM-SHA256'; - test(true, null, 'ECDHE-RSA-AES128-GCM-SHA256'); -} diff --git a/test/parallel/test-tls-inception.js b/test/parallel/test-tls-inception.js deleted file mode 100644 index 50debbc..0000000 --- a/test/parallel/test-tls-inception.js +++ /dev/null @@ -1,66 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const fs = require('fs'); -const path = require('path'); -const net = require('net'); - -const options = { - key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), - cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) -}; - -const body = 'A'.repeat(40000); - -// the "proxy" server -const a = tls.createServer(options, function(socket) { - const myOptions = { - host: '127.0.0.1', - port: b.address().port, - rejectUnauthorized: false - }; - const dest = net.connect(myOptions); - dest.pipe(socket); - socket.pipe(dest); - - dest.on('end', function() { - socket.destroy(); - }); -}); - -// the "target" server -const b = tls.createServer(options, function(socket) { - socket.end(body); -}); - -a.listen(0, function() { - b.listen(0, function() { - const myOptions = { - host: '127.0.0.1', - port: a.address().port, - rejectUnauthorized: false - }; - const socket = tls.connect(myOptions); - const ssl = tls.connect({ - socket: socket, - rejectUnauthorized: false - }); - ssl.setEncoding('utf8'); - let buf = ''; - ssl.on('data', function(data) { - buf += data; - }); - ssl.on('end', common.mustCall(function() { - assert.strictEqual(buf, body); - ssl.end(); - a.close(); - b.close(); - })); - }); -}); diff --git a/test/parallel/test-tls-interleave.js b/test/parallel/test-tls-interleave.js deleted file mode 100644 index 15d617c..0000000 --- a/test/parallel/test-tls-interleave.js +++ /dev/null @@ -1,55 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); - -const tls = require('tls'); - -const fs = require('fs'); - -const dir = common.fixturesDir; -const options = { key: fs.readFileSync(`${dir}/test_key.pem`), - cert: fs.readFileSync(`${dir}/test_cert.pem`), - ca: [ fs.readFileSync(`${dir}/test_ca.pem`) ] }; - -const writes = [ - 'some server data', - 'and a separate packet', - 'and one more', -]; -let receivedWrites = 0; - -const server = tls.createServer(options, function(c) { - writes.forEach(function(str) { - c.write(str); - }); -}).listen(0, common.mustCall(function() { - const connectOpts = { rejectUnauthorized: false }; - const c = tls.connect(this.address().port, connectOpts, function() { - c.write('some client data'); - c.on('readable', function() { - let data = c.read(); - if (data === null) - return; - - data = data.toString(); - while (data.length !== 0) { - assert(data.startsWith(writes[receivedWrites])); - data = data.slice(writes[receivedWrites].length); - - if (++receivedWrites === writes.length) { - c.end(); - server.close(); - } - } - }); - }); -})); - - -process.on('exit', function() { - assert.strictEqual(receivedWrites, writes.length); -}); diff --git a/test/parallel/test-tls-invoke-queued.js b/test/parallel/test-tls-invoke-queued.js deleted file mode 100644 index 3d4cb8b..0000000 --- a/test/parallel/test-tls-invoke-queued.js +++ /dev/null @@ -1,37 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const fs = require('fs'); -const tls = require('tls'); - -let received = ''; - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}, common.mustCall(function(c) { - c._write('hello ', null, common.mustCall(function() { - c._write('world!', null, common.mustCall(function() { - c.destroy(); - })); - // Data on next _write() will be written but callback will not be invoked - c._write(' gosh', null, common.mustNotCall()); - })); - - server.close(); -})).listen(0, common.mustCall(function() { - const c = tls.connect(this.address().port, { - rejectUnauthorized: false - }, common.mustCall(function() { - c.on('data', function(chunk) { - received += chunk; - }); - c.on('end', common.mustCall(function() { - assert.strictEqual(received, 'hello world! gosh'); - })); - })); -})); diff --git a/test/parallel/test-tls-js-stream.js b/test/parallel/test-tls-js-stream.js deleted file mode 100644 index 56f62ae..0000000 --- a/test/parallel/test-tls-js-stream.js +++ /dev/null @@ -1,73 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const stream = require('stream'); -const fs = require('fs'); -const net = require('net'); - -const connected = { - client: 0, - server: 0 -}; - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}, function(c) { - console.log('new client'); - connected.server++; - c.end('ohai'); -}).listen(0, function() { - const raw = net.connect(this.address().port); - - let pending = false; - raw.on('readable', function() { - if (pending) - p._read(); - }); - - let p = new stream.Duplex({ - read: function read() { - pending = false; - - const chunk = raw.read(); - if (chunk) { - console.log('read', chunk); - this.push(chunk); - } else { - pending = true; - } - }, - write: function write(data, enc, cb) { - console.log('write', data, enc); - raw.write(data, enc, cb); - } - }); - - const socket = tls.connect({ - socket: p, - rejectUnauthorized: false - }, function() { - console.log('client secure'); - - connected.client++; - - socket.end('hello'); - socket.resume(); - socket.destroy(); - }); - - socket.once('close', function() { - console.log('client close'); - server.close(); - }); -}); - -process.once('exit', function() { - assert.strictEqual(connected.client, 1); - assert.strictEqual(connected.server, 1); -}); diff --git a/test/parallel/test-tls-junk-closes-server.js b/test/parallel/test-tls-junk-closes-server.js deleted file mode 100644 index 33b0583..0000000 --- a/test/parallel/test-tls-junk-closes-server.js +++ /dev/null @@ -1,28 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const fs = require('fs'); -const net = require('net'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) -}; - -const server = tls.createServer(options, common.mustNotCall()); - -server.listen(0, common.mustCall(function() { - const c = net.createConnection(this.address().port); - - c.on('connect', common.mustCall(function() { - c.write('blah\nblah\nblah\n'); - })); - - c.on('end', common.mustCall(function() { - server.close(); - })); -})); diff --git a/test/parallel/test-tls-junk-server.js b/test/parallel/test-tls-junk-server.js deleted file mode 100644 index 3270dec..0000000 --- a/test/parallel/test-tls-junk-server.js +++ /dev/null @@ -1,27 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const https = require('https'); -const net = require('net'); - -const server = net.createServer(function(s) { - s.once('data', function() { - s.end('I was waiting for you, hello!', function() { - s.destroy(); - }); - }); -}); - -server.listen(0, function() { - const req = https.request({ port: this.address().port }); - req.end(); - - req.once('error', common.mustCall(function(err) { - assert(/unknown protocol/.test(err.message)); - server.close(); - })); -}); diff --git a/test/parallel/test-tls-key-mismatch.js b/test/parallel/test-tls-key-mismatch.js deleted file mode 100644 index c301646..0000000 --- a/test/parallel/test-tls-key-mismatch.js +++ /dev/null @@ -1,20 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const errorMessageRegex = - /^Error: error:0B080074:x509 certificate routines:X509_check_private_key:key values mismatch$/; - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) -}; - -assert.throws(function() { - tls.createSecureContext(options); -}, errorMessageRegex); diff --git a/test/parallel/test-tls-legacy-onselect.js b/test/parallel/test-tls-legacy-onselect.js deleted file mode 100644 index 4b66f31..0000000 --- a/test/parallel/test-tls-legacy-onselect.js +++ /dev/null @@ -1,27 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const net = require('net'); - -const server = net.Server(common.mustCall(function(raw) { - const pair = tls.createSecurePair(null, true, false, false); - pair.on('error', () => {}); - pair.ssl.setSNICallback(common.mustCall(function() { - raw.destroy(); - server.close(); - })); - require('_tls_legacy').pipe(pair, raw); -})).listen(0, function() { - tls.connect({ - port: this.address().port, - rejectUnauthorized: false, - servername: 'server' - }, function() { - }).on('error', function() { - // Just ignore - }); -}); diff --git a/test/parallel/test-tls-max-send-fragment.js b/test/parallel/test-tls-max-send-fragment.js deleted file mode 100644 index 1f9dd33..0000000 --- a/test/parallel/test-tls-max-send-fragment.js +++ /dev/null @@ -1,42 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const buf = Buffer.allocUnsafe(10000); -let received = 0; -const maxChunk = 768; - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}, function(c) { - // Lower and upper limits - assert(!c.setMaxSendFragment(511)); - assert(!c.setMaxSendFragment(16385)); - - // Correct fragment size - assert(c.setMaxSendFragment(maxChunk)); - - c.end(buf); -}).listen(0, common.mustCall(function() { - const c = tls.connect(this.address().port, { - rejectUnauthorized: false - }, common.mustCall(function() { - c.on('data', function(chunk) { - assert(chunk.length <= maxChunk); - received += chunk.length; - }); - - // Ensure that we receive 'end' event anyway - c.on('end', common.mustCall(function() { - c.destroy(); - server.close(); - assert.strictEqual(received, buf.length); - })); - })); -})); diff --git a/test/parallel/test-tls-multi-key.js b/test/parallel/test-tls-multi-key.js deleted file mode 100644 index ca2517c..0000000 --- a/test/parallel/test-tls-multi-key.js +++ /dev/null @@ -1,51 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: [ - fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`), - fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - ], - cert: [ - fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), - fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`) - ] -}; - -const ciphers = []; - -const server = tls.createServer(options, function(conn) { - conn.end('ok'); -}).listen(0, function() { - const ecdsa = tls.connect(this.address().port, { - ciphers: 'ECDHE-ECDSA-AES256-GCM-SHA384', - rejectUnauthorized: false - }, function() { - ciphers.push(ecdsa.getCipher()); - const rsa = tls.connect(server.address().port, { - ciphers: 'ECDHE-RSA-AES256-GCM-SHA384', - rejectUnauthorized: false - }, function() { - ciphers.push(rsa.getCipher()); - ecdsa.end(); - rsa.end(); - server.close(); - }); - }); -}); - -process.on('exit', function() { - assert.deepStrictEqual(ciphers, [{ - name: 'ECDHE-ECDSA-AES256-GCM-SHA384', - version: 'TLSv1/SSLv3' - }, { - name: 'ECDHE-RSA-AES256-GCM-SHA384', - version: 'TLSv1/SSLv3' - }]); -}); diff --git a/test/parallel/test-tls-no-cert-required.js b/test/parallel/test-tls-no-cert-required.js deleted file mode 100644 index 7f3d1b8..0000000 --- a/test/parallel/test-tls-no-cert-required.js +++ /dev/null @@ -1,29 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -// Omitting the cert or pfx option to tls.createServer() should not throw. -// AECDH-NULL-SHA is a no-authentication/no-encryption cipher and hence -// doesn't need a certificate. -tls.createServer({ ciphers: 'AECDH-NULL-SHA' }) - .listen(0, common.mustCall(close)); - -tls.createServer(assert.fail) - .listen(0, common.mustCall(close)); - -tls.createServer({}) - .listen(0, common.mustCall(close)); - -assert.throws(() => tls.createServer('this is not valid'), - /^TypeError: options must be an object$/); - -tls.createServer() - .listen(0, common.mustCall(close)); - -function close() { - this.close(); -} diff --git a/test/parallel/test-tls-no-rsa-key.js b/test/parallel/test-tls-no-rsa-key.js deleted file mode 100644 index 07a3ea4..0000000 --- a/test/parallel/test-tls-no-rsa-key.js +++ /dev/null @@ -1,33 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/ec-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/ec-cert.pem`) -}; - -const server = tls.createServer(options, function(conn) { - conn.end('ok'); -}).listen(0, common.mustCall(function() { - const c = tls.connect(this.address().port, { - rejectUnauthorized: false - }, common.mustCall(function() { - c.on('end', common.mustCall(function() { - c.end(); - server.close(); - })); - - c.on('data', function(data) { - assert.strictEqual(data.toString(), 'ok'); - }); - - const cert = c.getPeerCertificate(); - assert.strictEqual(cert.subject.C, 'US'); - })); -})); diff --git a/test/parallel/test-tls-no-sslv23.js b/test/parallel/test-tls-no-sslv23.js deleted file mode 100644 index 737f42b..0000000 --- a/test/parallel/test-tls-no-sslv23.js +++ /dev/null @@ -1,55 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'blargh' }); -}, /Unknown method/); - -const errMessageSSLv2 = /SSLv2 methods disabled/; - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'SSLv2_method' }); -}, errMessageSSLv2); - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'SSLv2_client_method' }); -}, errMessageSSLv2); - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'SSLv2_server_method' }); -}, errMessageSSLv2); - -const errMessageSSLv3 = /SSLv3 methods disabled/; - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'SSLv3_method' }); -}, errMessageSSLv3); - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'SSLv3_client_method' }); -}, errMessageSSLv3); - -assert.throws(function() { - tls.createSecureContext({ secureProtocol: 'SSLv3_server_method' }); -}, errMessageSSLv3); - -// Note that SSLv2 and SSLv3 are disallowed but SSLv2_method and friends are -// still accepted. They are OpenSSL's way of saying that all known protocols -// are supported unless explicitly disabled (which we do for SSLv2 and SSLv3.) -tls.createSecureContext({ secureProtocol: 'SSLv23_method' }); -tls.createSecureContext({ secureProtocol: 'SSLv23_client_method' }); -tls.createSecureContext({ secureProtocol: 'SSLv23_server_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_client_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_server_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_1_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_1_client_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_1_server_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_2_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_2_client_method' }); -tls.createSecureContext({ secureProtocol: 'TLSv1_2_server_method' }); diff --git a/test/parallel/test-tls-no-sslv3.js b/test/parallel/test-tls-no-sslv3.js deleted file mode 100644 index 0a118db..0000000 --- a/test/parallel/test-tls-no-sslv3.js +++ /dev/null @@ -1,51 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (common.opensslCli === false) - common.skip('node compiled without OpenSSL CLI.'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const spawn = require('child_process').spawn; - -const cert = fs.readFileSync(`${common.fixturesDir}/test_cert.pem`); -const key = fs.readFileSync(`${common.fixturesDir}/test_key.pem`); -const server = tls.createServer({ cert: cert, key: key }, common.mustNotCall()); -const errors = []; -let stderr = ''; - -server.listen(0, '127.0.0.1', function() { - const address = `${this.address().address}:${this.address().port}`; - const args = ['s_client', - '-ssl3', - '-connect', address]; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - args.push('-no_rand_screen'); - - const client = spawn(common.opensslCli, args, { stdio: 'pipe' }); - client.stdout.pipe(process.stdout); - client.stderr.pipe(process.stderr); - client.stderr.setEncoding('utf8'); - client.stderr.on('data', (data) => stderr += data); - - client.once('exit', common.mustCall(function(exitCode) { - assert.strictEqual(exitCode, 1); - server.close(); - })); -}); - -server.on('tlsClientError', (err) => errors.push(err)); - -process.on('exit', function() { - if (/unknown option -ssl3/.test(stderr)) { - common.printSkipMessage('`openssl s_client -ssl3` not supported.'); - } else { - assert.strictEqual(errors.length, 1); - assert(/:wrong version number/.test(errors[0].message)); - } -}); diff --git a/test/parallel/test-tls-npn-server-client.js b/test/parallel/test-tls-npn-server-client.js deleted file mode 100644 index 22491c1..0000000 --- a/test/parallel/test-tls-npn-server-client.js +++ /dev/null @@ -1,104 +0,0 @@ -'use strict'; - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!process.features.tls_npn) - common.skip('Skipping because node compiled without NPN feature of OpenSSL.'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const serverOptions = { - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert'), - crl: loadPEM('ca2-crl'), - SNICallback: function(servername, cb) { - cb(null, tls.createSecureContext({ - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert'), - crl: loadPEM('ca2-crl'), - })); - }, - NPNProtocols: ['a', 'b', 'c'] -}; - -const clientsOptions = [{ - port: undefined, - key: serverOptions.key, - cert: serverOptions.cert, - crl: serverOptions.crl, - NPNProtocols: ['a', 'b', 'c'], - rejectUnauthorized: false -}, { - port: undefined, - key: serverOptions.key, - cert: serverOptions.cert, - crl: serverOptions.crl, - NPNProtocols: ['c', 'b', 'e'], - rejectUnauthorized: false -}, { - port: undefined, - key: serverOptions.key, - cert: serverOptions.cert, - crl: serverOptions.crl, - rejectUnauthorized: false -}, { - port: undefined, - key: serverOptions.key, - cert: serverOptions.cert, - crl: serverOptions.crl, - NPNProtocols: ['first-priority-unsupported', 'x', 'y'], - rejectUnauthorized: false -}]; - -const serverResults = []; -const clientsResults = []; - -const server = tls.createServer(serverOptions, function(c) { - serverResults.push(c.npnProtocol); -}); -server.listen(0, startTest); - -function startTest() { - function connectClient(options, callback) { - options.port = server.address().port; - const client = tls.connect(options, function() { - clientsResults.push(client.npnProtocol); - client.destroy(); - - callback(); - }); - } - - connectClient(clientsOptions[0], function() { - connectClient(clientsOptions[1], function() { - connectClient(clientsOptions[2], function() { - connectClient(clientsOptions[3], function() { - server.close(); - }); - }); - }); - }); -} - -process.on('exit', function() { - assert.strictEqual(serverResults[0], clientsResults[0]); - assert.strictEqual(serverResults[1], clientsResults[1]); - assert.strictEqual(serverResults[2], 'http/1.1'); - assert.strictEqual(clientsResults[2], false); - assert.strictEqual(serverResults[3], 'first-priority-unsupported'); - assert.strictEqual(clientsResults[3], false); -}); diff --git a/test/parallel/test-tls-ocsp-callback.js b/test/parallel/test-tls-ocsp-callback.js deleted file mode 100644 index 673b69e..0000000 --- a/test/parallel/test-tls-ocsp-callback.js +++ /dev/null @@ -1,126 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!process.features.tls_ocsp) - common.skip('node compiled without OpenSSL or with old OpenSSL version.'); - -if (!common.opensslCli) - common.skip('node compiled without OpenSSL CLI.'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - -const assert = require('assert'); -const fs = require('fs'); -const join = require('path').join; - -const SSL_OP_NO_TICKET = require('crypto').constants.SSL_OP_NO_TICKET; - -const pfx = fs.readFileSync(join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); - -function test(testOptions, cb) { - - const keyFile = join(common.fixturesDir, 'keys', 'agent1-key.pem'); - const certFile = join(common.fixturesDir, 'keys', 'agent1-cert.pem'); - const caFile = join(common.fixturesDir, 'keys', 'ca1-cert.pem'); - const key = fs.readFileSync(keyFile); - const cert = fs.readFileSync(certFile); - const ca = fs.readFileSync(caFile); - const options = { - key: key, - cert: cert, - ca: [ca] - }; - let requestCount = 0; - let clientSecure = 0; - let ocspCount = 0; - let ocspResponse; - - if (testOptions.pfx) { - delete options.key; - delete options.cert; - options.pfx = testOptions.pfx; - options.passphrase = testOptions.passphrase; - } - - const server = tls.createServer(options, function(cleartext) { - cleartext.on('error', function(er) { - // We're ok with getting ECONNRESET in this test, but it's - // timing-dependent, and thus unreliable. Any other errors - // are just failures, though. - if (er.code !== 'ECONNRESET') - throw er; - }); - ++requestCount; - cleartext.end(); - }); - server.on('OCSPRequest', function(cert, issuer, callback) { - ++ocspCount; - assert.ok(Buffer.isBuffer(cert)); - assert.ok(Buffer.isBuffer(issuer)); - - // Just to check that async really works there - setTimeout(function() { - callback(null, - testOptions.response ? Buffer.from(testOptions.response) : null); - }, 100); - }); - server.listen(0, function() { - const client = tls.connect({ - port: this.address().port, - requestOCSP: testOptions.ocsp !== false, - secureOptions: testOptions.ocsp === false ? - SSL_OP_NO_TICKET : 0, - rejectUnauthorized: false - }, function() { - clientSecure++; - }); - client.on('OCSPResponse', function(resp) { - ocspResponse = resp; - if (resp) - client.destroy(); - }); - client.on('close', function() { - server.close(cb); - }); - }); - - process.on('exit', function() { - if (testOptions.ocsp === false) { - assert.strictEqual(requestCount, clientSecure); - assert.strictEqual(requestCount, 1); - return; - } - - if (testOptions.response) { - assert.strictEqual(ocspResponse.toString(), testOptions.response); - } else { - assert.strictEqual(ocspResponse, null); - } - assert.strictEqual(requestCount, testOptions.response ? 0 : 1); - assert.strictEqual(clientSecure, requestCount); - assert.strictEqual(ocspCount, 1); - }); -} - -const tests = [ - { response: false }, - { response: 'hello world' }, - { ocsp: false } -]; - -if (!common.hasFipsCrypto) { - tests.push({ pfx: pfx, passphrase: 'sample', response: 'hello pfx' }); -} - -function runTests(i) { - if (i === tests.length) return; - - test(tests[i], common.mustCall(function() { - runTests(i + 1); - })); -} - -runTests(0); diff --git a/test/parallel/test-tls-on-empty-socket.js b/test/parallel/test-tls-on-empty-socket.js deleted file mode 100644 index 5b66edd..0000000 --- a/test/parallel/test-tls-on-empty-socket.js +++ /dev/null @@ -1,41 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const fs = require('fs'); -const net = require('net'); - -let out = ''; - -const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}, function(c) { - c.end('hello'); -}).listen(0, function() { - const socket = new net.Socket(); - - const s = tls.connect({ - socket: socket, - rejectUnauthorized: false - }, function() { - s.on('data', function(chunk) { - out += chunk; - }); - s.on('end', function() { - s.destroy(); - server.close(); - }); - }); - - socket.connect(this.address().port); -}); - -process.on('exit', function() { - assert.strictEqual(out, 'hello'); -}); diff --git a/test/parallel/test-tls-over-http-tunnel.js b/test/parallel/test-tls-over-http-tunnel.js deleted file mode 100644 index ae9c8e0..0000000 --- a/test/parallel/test-tls-over-http-tunnel.js +++ /dev/null @@ -1,155 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const https = require('https'); -const fs = require('fs'); -const net = require('net'); -const http = require('http'); - -let gotRequest = false; - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); - -const options = { - key: key, - cert: cert -}; - -const server = https.createServer(options, function(req, res) { - console.log('SERVER: got request'); - res.writeHead(200, { - 'content-type': 'text/plain' - }); - console.log('SERVER: sending response'); - res.end('hello world\n'); -}); - -const proxy = net.createServer(function(clientSocket) { - console.log('PROXY: got a client connection'); - - let serverSocket = null; - - clientSocket.on('data', function(chunk) { - if (!serverSocket) { - // Verify the CONNECT request - assert.strictEqual(`CONNECT localhost:${server.address().port} ` + - 'HTTP/1.1\r\n' + - 'Proxy-Connections: keep-alive\r\n' + - `Host: localhost:${proxy.address().port}\r\n` + - 'Connection: close\r\n\r\n', - chunk.toString()); - - console.log('PROXY: got CONNECT request'); - console.log('PROXY: creating a tunnel'); - - // create the tunnel - serverSocket = net.connect(server.address().port, function() { - console.log('PROXY: replying to client CONNECT request'); - - // Send the response - clientSocket.write('HTTP/1.1 200 OK\r\nProxy-Connections: keep' + - '-alive\r\nConnections: keep-alive\r\nVia: ' + - `localhost:${proxy.address().port}\r\n\r\n`); - }); - - serverSocket.on('data', function(chunk) { - clientSocket.write(chunk); - }); - - serverSocket.on('end', function() { - clientSocket.destroy(); - }); - } else { - serverSocket.write(chunk); - } - }); - - clientSocket.on('end', function() { - serverSocket.destroy(); - }); -}); - -server.listen(0); - -proxy.listen(0, function() { - console.log('CLIENT: Making CONNECT request'); - - const req = http.request({ - port: this.address().port, - method: 'CONNECT', - path: `localhost:${server.address().port}`, - headers: { - 'Proxy-Connections': 'keep-alive' - } - }); - req.useChunkedEncodingByDefault = false; // for v0.6 - req.on('response', onResponse); // for v0.6 - req.on('upgrade', onUpgrade); // for v0.6 - req.on('connect', onConnect); // for v0.7 or later - req.end(); - - function onResponse(res) { - // Very hacky. This is necessary to avoid http-parser leaks. - res.upgrade = true; - } - - function onUpgrade(res, socket, head) { - // Hacky. - process.nextTick(function() { - onConnect(res, socket, head); - }); - } - - function onConnect(res, socket, header) { - assert.strictEqual(200, res.statusCode); - console.log('CLIENT: got CONNECT response'); - - // detach the socket - socket.removeAllListeners('data'); - socket.removeAllListeners('close'); - socket.removeAllListeners('error'); - socket.removeAllListeners('drain'); - socket.removeAllListeners('end'); - socket.ondata = null; - socket.onend = null; - socket.ondrain = null; - - console.log('CLIENT: Making HTTPS request'); - - https.get({ - path: '/foo', - key: key, - cert: cert, - socket: socket, // reuse the socket - agent: false, - rejectUnauthorized: false - }, function(res) { - assert.strictEqual(200, res.statusCode); - - res.on('data', function(chunk) { - assert.strictEqual('hello world\n', chunk.toString()); - console.log('CLIENT: got HTTPS response'); - gotRequest = true; - }); - - res.on('end', function() { - proxy.close(); - server.close(); - }); - }).on('error', function(er) { - // We're ok with getting ECONNRESET in this test, but it's - // timing-dependent, and thus unreliable. Any other errors - // are just failures, though. - if (er.code !== 'ECONNRESET') - throw er; - }).end(); - } -}); - -process.on('exit', function() { - assert.ok(gotRequest); -}); diff --git a/test/parallel/test-tls-parse-cert-string.js b/test/parallel/test-tls-parse-cert-string.js deleted file mode 100644 index bbe098b..0000000 --- a/test/parallel/test-tls-parse-cert-string.js +++ /dev/null @@ -1,36 +0,0 @@ -'use strict'; - -require('../common'); -const assert = require('assert'); -const tls = require('tls'); - -{ - const singles = 'C=US\nST=CA\nL=SF\nO=Node.js Foundation\nOU=Node.js\n' + - 'CN=ca1\nemailAddress=ry@clouds.org'; - const singlesOut = tls.parseCertString(singles); - assert.deepStrictEqual(singlesOut, { - C: 'US', - ST: 'CA', - L: 'SF', - O: 'Node.js Foundation', - OU: 'Node.js', - CN: 'ca1', - emailAddress: 'ry@clouds.org' - }); -} - -{ - const doubles = 'OU=Domain Control Validated\nOU=PositiveSSL Wildcard\n' + - 'CN=*.nodejs.org'; - const doublesOut = tls.parseCertString(doubles); - assert.deepStrictEqual(doublesOut, { - OU: [ 'Domain Control Validated', 'PositiveSSL Wildcard' ], - CN: '*.nodejs.org' - }); -} - -{ - const invalid = 'fhqwhgads'; - const invalidOut = tls.parseCertString(invalid); - assert.deepStrictEqual(invalidOut, {}); -} diff --git a/test/parallel/test-tls-passphrase.js b/test/parallel/test-tls-passphrase.js deleted file mode 100644 index 0092dbd..0000000 --- a/test/parallel/test-tls-passphrase.js +++ /dev/null @@ -1,275 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const path = require('path'); - -const passKey = fs.readFileSync(path.join(common.fixturesDir, 'pass-key.pem')); -const rawKey = fs.readFileSync(path.join(common.fixturesDir, 'raw-key.pem')); -const cert = fs.readFileSync(path.join(common.fixturesDir, 'pass-cert.pem')); - -assert(Buffer.isBuffer(passKey)); -assert(Buffer.isBuffer(cert)); -assert.strictEqual(typeof passKey.toString(), 'string'); -assert.strictEqual(typeof cert.toString(), 'string'); - -const server = tls.Server({ - key: passKey, - passphrase: 'passphrase', - cert: cert, - ca: [cert], - requestCert: true, - rejectUnauthorized: true -}, function(s) { - s.end(); -}); - -server.listen(0, common.mustCall(function() { - // Buffer - tls.connect({ - port: this.address().port, - key: passKey, - passphrase: 'passphrase', - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: rawKey, - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: rawKey, - passphrase: 'ignored', - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - // Buffer[] - tls.connect({ - port: this.address().port, - key: [passKey], - passphrase: 'passphrase', - cert: [cert], - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [rawKey], - cert: [cert], - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [rawKey], - passphrase: 'ignored', - cert: [cert], - rejectUnauthorized: false - }, common.mustCall()); - - // string - tls.connect({ - port: this.address().port, - key: passKey.toString(), - passphrase: 'passphrase', - cert: cert.toString(), - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: rawKey.toString(), - cert: cert.toString(), - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: rawKey.toString(), - passphrase: 'ignored', - cert: cert.toString(), - rejectUnauthorized: false - }, common.mustCall()); - - // String[] - tls.connect({ - port: this.address().port, - key: [passKey.toString()], - passphrase: 'passphrase', - cert: [cert.toString()], - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [rawKey.toString()], - cert: [cert.toString()], - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [rawKey.toString()], - passphrase: 'ignored', - cert: [cert.toString()], - rejectUnauthorized: false - }, common.mustCall()); - - // Object[] - tls.connect({ - port: this.address().port, - key: [{pem: passKey, passphrase: 'passphrase'}], - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: passKey, passphrase: 'passphrase'}], - passphrase: 'ignored', - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: passKey}], - passphrase: 'passphrase', - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: passKey.toString(), passphrase: 'passphrase'}], - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: rawKey, passphrase: 'ignored'}], - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: rawKey.toString(), passphrase: 'ignored'}], - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: rawKey}], - passphrase: 'ignored', - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: rawKey.toString()}], - passphrase: 'ignored', - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: rawKey}], - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); - - tls.connect({ - port: this.address().port, - key: [{pem: rawKey.toString()}], - cert: cert, - rejectUnauthorized: false - }, common.mustCall()); -})).unref(); - -const errMessagePassword = /bad password read/; - -// Missing passphrase -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: passKey, - cert: cert, - rejectUnauthorized: false - }); -}, errMessagePassword); - -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: [passKey], - cert: cert, - rejectUnauthorized: false - }); -}, errMessagePassword); - -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: [{pem: passKey}], - cert: cert, - rejectUnauthorized: false - }); -}, errMessagePassword); - -const errMessageDecrypt = /bad decrypt/; - -// Invalid passphrase -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: passKey, - passphrase: 'invalid', - cert: cert, - rejectUnauthorized: false - }); -}, errMessageDecrypt); - -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: [passKey], - passphrase: 'invalid', - cert: cert, - rejectUnauthorized: false - }); -}, errMessageDecrypt); - -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: [{pem: passKey}], - passphrase: 'invalid', - cert: cert, - rejectUnauthorized: false - }); -}, errMessageDecrypt); - -assert.throws(function() { - tls.connect({ - port: server.address().port, - key: [{pem: passKey, passphrase: 'invalid'}], - passphrase: 'passphrase', // Valid but unused - cert: cert, - rejectUnauthorized: false - }); -}, errMessageDecrypt); diff --git a/test/parallel/test-tls-pause.js b/test/parallel/test-tls-pause.js deleted file mode 100644 index 4aded19..0000000 --- a/test/parallel/test-tls-pause.js +++ /dev/null @@ -1,70 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const path = require('path'); - -const options = { - key: fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')), - cert: fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')) -}; - -const bufSize = 1024 * 1024; -let sent = 0; -let received = 0; - -const server = tls.Server(options, function(socket) { - socket.pipe(socket); - socket.on('data', function(c) { - console.error('data', c.length); - }); -}); - -server.listen(0, function() { - let resumed = false; - const client = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }, function() { - console.error('connected'); - client.pause(); - console.error('paused'); - send(); - function send() { - console.error('sending'); - const ret = client.write(Buffer.allocUnsafe(bufSize)); - console.error('write => %j', ret); - if (false !== ret) { - console.error('write again'); - sent += bufSize; - assert.ok(sent < 100 * 1024 * 1024); // max 100MB - return process.nextTick(send); - } - sent += bufSize; - console.error(`sent: ${sent}`); - resumed = true; - client.resume(); - console.error('resumed', client); - } - }); - client.on('data', function(data) { - console.error('data'); - assert.ok(resumed); - received += data.length; - console.error('received', received); - console.error('sent', sent); - if (received >= sent) { - console.error(`received: ${received}`); - client.end(); - server.close(); - } - }); -}); - -process.on('exit', function() { - assert.strictEqual(sent, received); -}); diff --git a/test/parallel/test-tls-peer-certificate-encoding.js b/test/parallel/test-tls-peer-certificate-encoding.js deleted file mode 100644 index d6e920a..0000000 --- a/test/parallel/test-tls-peer-certificate-encoding.js +++ /dev/null @@ -1,33 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const util = require('util'); -const join = require('path').join; - -const options = { - key: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-key.pem')), - cert: fs.readFileSync(join(common.fixturesDir, 'keys', 'agent5-cert.pem')), - ca: [ fs.readFileSync(join(common.fixturesDir, 'keys', 'ca2-cert.pem')) ] -}; - -const server = tls.createServer(options, function(cleartext) { - cleartext.end('World'); -}); -server.listen(0, common.mustCall(function() { - const socket = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }, common.mustCall(function() { - const peerCert = socket.getPeerCertificate(); - - console.error(util.inspect(peerCert)); - assert.strictEqual(peerCert.subject.CN, 'Ádám Lippai'); - server.close(); - })); - socket.end('Hello'); -})); diff --git a/test/parallel/test-tls-peer-certificate-multi-keys.js b/test/parallel/test-tls-peer-certificate-multi-keys.js deleted file mode 100644 index ed5566f..0000000 --- a/test/parallel/test-tls-peer-certificate-multi-keys.js +++ /dev/null @@ -1,34 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const util = require('util'); -const join = require('path').join; - -const options = { - key: fs.readFileSync(join(common.fixturesDir, 'agent.key')), - cert: fs.readFileSync(join(common.fixturesDir, 'multi-alice.crt')) -}; - -const server = tls.createServer(options, function(cleartext) { - cleartext.end('World'); -}); -server.listen(0, common.mustCall(function() { - const socket = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }, common.mustCall(function() { - const peerCert = socket.getPeerCertificate(); - console.error(util.inspect(peerCert)); - assert.deepStrictEqual( - peerCert.subject.OU, - ['Information Technology', 'Engineering', 'Marketing'] - ); - server.close(); - })); - socket.end('Hello'); -})); diff --git a/test/parallel/test-tls-peer-certificate.js b/test/parallel/test-tls-peer-certificate.js deleted file mode 100644 index eb5be6d..0000000 --- a/test/parallel/test-tls-peer-certificate.js +++ /dev/null @@ -1,39 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Verify that detailed getPeerCertificate() return value has all certs. - -const join = require('path').join; -const { - assert, connect, debug, keys -} = require(join(common.fixturesDir, 'tls-connect'))(); - -connect({ - client: {rejectUnauthorized: false}, - server: keys.agent1, -}, function(err, pair, cleanup) { - assert.ifError(err); - const socket = pair.client.conn; - let peerCert = socket.getPeerCertificate(); - assert.ok(!peerCert.issuerCertificate); - - peerCert = socket.getPeerCertificate(true); - debug('peerCert:\n', peerCert); - - assert.ok(peerCert.issuerCertificate); - assert.strictEqual(peerCert.subject.emailAddress, 'ry@tinyclouds.org'); - assert.strictEqual(peerCert.serialNumber, '9A84ABCFB8A72AC0'); - assert.strictEqual(peerCert.exponent, '0x10001'); - assert.strictEqual( - peerCert.fingerprint, - '8D:06:3A:B3:E5:8B:85:29:72:4F:7D:1B:54:CD:95:19:3C:EF:6F:AA' - ); - assert.deepStrictEqual(peerCert.infoAccess['OCSP - URI'], - [ 'http://ocsp.nodejs.org/' ]); - - const issuer = peerCert.issuerCertificate; - assert.strictEqual(issuer.issuerCertificate, issuer); - assert.strictEqual(issuer.serialNumber, '8DF21C01468AF393'); - - return cleanup(); -}); diff --git a/test/parallel/test-tls-pfx-gh-5100-regr.js b/test/parallel/test-tls-pfx-gh-5100-regr.js deleted file mode 100644 index ba38f02..0000000 --- a/test/parallel/test-tls-pfx-gh-5100-regr.js +++ /dev/null @@ -1,38 +0,0 @@ -'use strict'; - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('node compiled without crypto.'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const path = require('path'); - -const pfx = fs.readFileSync( - path.join(common.fixturesDir, 'keys', 'agent1-pfx.pem')); - -const server = tls.createServer({ - pfx: pfx, - passphrase: 'sample', - requestCert: true, - rejectUnauthorized: false -}, common.mustCall(function(c) { - assert.strictEqual( - c.authorizationError, - null, - 'authorizationError must be null' - ); - c.end(); -})).listen(0, function() { - const client = tls.connect({ - port: this.address().port, - pfx: pfx, - passphrase: 'sample', - rejectUnauthorized: false - }, function() { - client.end(); - server.close(); - }); -}); diff --git a/test/parallel/test-tls-regr-gh-5108.js b/test/parallel/test-tls-regr-gh-5108.js deleted file mode 100644 index 9bb07fe..0000000 --- a/test/parallel/test-tls-regr-gh-5108.js +++ /dev/null @@ -1,40 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - - -const server = tls.createServer(options, function(s) { - s.end('hello'); -}).listen(0, function() { - const opts = { - port: this.address().port, - rejectUnauthorized: false - }; - const client = tls.connect(opts, function() { - putImmediate(client); - }); -}); - - -function putImmediate(client) { - setImmediate(function() { - if (client.ssl) { - const fd = client.ssl.fd; - assert(!!fd); - putImmediate(client); - } else { - server.close(); - } - }); -} diff --git a/test/parallel/test-tls-request-timeout.js b/test/parallel/test-tls-request-timeout.js deleted file mode 100644 index 3989e40..0000000 --- a/test/parallel/test-tls-request-timeout.js +++ /dev/null @@ -1,30 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = tls.Server(options, common.mustCall(function(socket) { - const s = socket.setTimeout(100); - assert.ok(s instanceof tls.TLSSocket); - - socket.on('timeout', common.mustCall(function(err) { - socket.end(); - server.close(); - })); -})); - -server.listen(0, function() { - tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }); -}); diff --git a/test/parallel/test-tls-retain-handle-no-abort.js b/test/parallel/test-tls-retain-handle-no-abort.js deleted file mode 100644 index 4be64c1..0000000 --- a/test/parallel/test-tls-retain-handle-no-abort.js +++ /dev/null @@ -1,40 +0,0 @@ -'use strict'; - -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const util = require('util'); - -const sent = 'hello world'; -const serverOptions = { - isServer: true, - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -let ssl = null; - -process.on('exit', function() { - assert.ok(ssl !== null); - // If the internal pointer to stream_ isn't cleared properly then this - // will abort. - util.inspect(ssl); -}); - -const server = tls.createServer(serverOptions, function(s) { - s.on('data', function() { }); - s.on('end', function() { - server.close(); - s.destroy(); - }); -}).listen(0, function() { - const c = new tls.TLSSocket(); - ssl = c.ssl; - c.connect(this.address().port, function() { - c.end(sent); - }); -}); diff --git a/test/parallel/test-tls-securepair-fiftharg.js b/test/parallel/test-tls-securepair-fiftharg.js deleted file mode 100644 index 97b563a..0000000 --- a/test/parallel/test-tls-securepair-fiftharg.js +++ /dev/null @@ -1,27 +0,0 @@ -'use strict'; - -const common = require('../common'); -const assert = require('assert'); -const fs = require('fs'); -const tls = require('tls'); - -const sslcontext = tls.createSecureContext({ - cert: fs.readFileSync(`${common.fixturesDir}/test_cert.pem`), - key: fs.readFileSync(`${common.fixturesDir}/test_key.pem`) -}); - -let catchedServername; -const pair = tls.createSecurePair(sslcontext, true, false, false, { - SNICallback: common.mustCall(function(servername, cb) { - catchedServername = servername; - }) -}); - -// captured traffic from browser's request to https://www.google.com -const sslHello = fs.readFileSync(`${common.fixturesDir}/google_ssl_hello.bin`); - -pair.encrypted.write(sslHello); - -process.on('exit', function() { - assert.strictEqual('www.google.com', catchedServername); -}); diff --git a/test/parallel/test-tls-securepair-server.js b/test/parallel/test-tls-securepair-server.js deleted file mode 100644 index d335bb2..0000000 --- a/test/parallel/test-tls-securepair-server.js +++ /dev/null @@ -1,133 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('missing openssl-cli'); - -const assert = require('assert'); -const tls = require('tls'); -const join = require('path').join; -const net = require('net'); -const fs = require('fs'); -const spawn = require('child_process').spawn; - -const key = fs.readFileSync(join(common.fixturesDir, 'agent.key')).toString(); -const cert = fs.readFileSync(join(common.fixturesDir, 'agent.crt')).toString(); - -function log(a) { - console.error(`***server*** ${a}`); -} - -const server = net.createServer(common.mustCall(function(socket) { - log(`connection fd=${socket.fd}`); - const sslcontext = tls.createSecureContext({key: key, cert: cert}); - sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); - - const pair = tls.createSecurePair(sslcontext, true); - - assert.ok(pair.encrypted.writable); - assert.ok(pair.cleartext.writable); - - pair.encrypted.pipe(socket); - socket.pipe(pair.encrypted); - - log('i set it secure'); - - pair.on('secure', function() { - log('connected+secure!'); - pair.cleartext.write('hello\r\n'); - log(pair.cleartext.getPeerCertificate()); - log(pair.cleartext.getCipher()); - }); - - pair.cleartext.on('data', function(data) { - log(`read bytes ${data.length}`); - pair.cleartext.write(data); - }); - - socket.on('end', function() { - log('socket end'); - }); - - pair.cleartext.on('error', function(err) { - log('got error: '); - log(err); - log(err.stack); - socket.destroy(); - }); - - pair.encrypted.on('error', function(err) { - log('encrypted error: '); - log(err); - log(err.stack); - socket.destroy(); - }); - - socket.on('error', function(err) { - log('socket error: '); - log(err); - log(err.stack); - socket.destroy(); - }); - - socket.on('close', function(err) { - log('socket closed'); - }); - - pair.on('error', function(err) { - log('secure error: '); - log(err); - log(err.stack); - socket.destroy(); - }); -})); - -let gotHello = false; -let sentWorld = false; -let gotWorld = false; - -server.listen(0, common.mustCall(function() { - // To test use: openssl s_client -connect localhost:8000 - - const args = ['s_client', '-connect', `127.0.0.1:${this.address().port}`]; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - args.push('-no_rand_screen'); - - const client = spawn(common.opensslCli, args); - - - let out = ''; - - client.stdout.setEncoding('utf8'); - client.stdout.on('data', function(d) { - out += d; - - if (!gotHello && /hello/.test(out)) { - gotHello = true; - client.stdin.write('world\r\n'); - sentWorld = true; - } - - if (!gotWorld && /world/.test(out)) { - gotWorld = true; - client.stdin.end(); - } - }); - - client.stdout.pipe(process.stdout, { end: false }); - - client.on('exit', common.mustCall(function(code) { - assert.strictEqual(0, code); - server.close(); - })); -})); - -process.on('exit', function() { - assert.ok(gotHello); - assert.ok(sentWorld); - assert.ok(gotWorld); -}); diff --git a/test/parallel/test-tls-server-connection-server.js b/test/parallel/test-tls-server-connection-server.js deleted file mode 100644 index 7eef14d..0000000 --- a/test/parallel/test-tls-server-connection-server.js +++ /dev/null @@ -1,32 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = tls.createServer(options, function(s) { - s.end('hello'); -}).listen(0, function() { - const opts = { - port: this.address().port, - rejectUnauthorized: false - }; - - server.on('connection', common.mustCall(function(socket) { - assert.strictEqual(socket.server, server); - server.close(); - })); - - const client = tls.connect(opts, function() { - client.end(); - }); -}); diff --git a/test/parallel/test-tls-server-failed-handshake-emits-clienterror.js b/test/parallel/test-tls-server-failed-handshake-emits-clienterror.js deleted file mode 100644 index 8efb4ec..0000000 --- a/test/parallel/test-tls-server-failed-handshake-emits-clienterror.js +++ /dev/null @@ -1,28 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const net = require('net'); -const assert = require('assert'); - -const bonkers = Buffer.alloc(1024, 42); - - -const server = tls.createServer({}) - .listen(0, function() { - const c = net.connect({ port: this.address().port }, function() { - c.write(bonkers); - }); - - }).on('tlsClientError', common.mustCall(function(e) { - assert.ok(e instanceof Error, - 'Instance of Error should be passed to error handler'); - assert.ok( - /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message), - 'Expecting SSL unknown protocol'); - - server.close(); - })); diff --git a/test/parallel/test-tls-server-verify.js b/test/parallel/test-tls-server-verify.js deleted file mode 100644 index 7a106f6..0000000 --- a/test/parallel/test-tls-server-verify.js +++ /dev/null @@ -1,348 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!common.opensslCli) - common.skip('node compiled without OpenSSL CLI.'); - -// This is a rather complex test which sets up various TLS servers with node -// and connects to them using the 'openssl s_client' command line utility -// with various keys. Depending on the certificate authority and other -// parameters given to the server, the various clients are -// - rejected, -// - accepted and "unauthorized", or -// - accepted and "authorized". - -const assert = require('assert'); -const { spawn } = require('child_process'); -const { SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION } = - require('crypto').constants; -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -const testCases = - [{ title: 'Do not request certs. Everyone is unauthorized.', - requestCert: false, - rejectUnauthorized: false, - renegotiate: false, - CAs: ['ca1-cert'], - clients: - [{ name: 'agent1', shouldReject: false, shouldAuth: false }, - { name: 'agent2', shouldReject: false, shouldAuth: false }, - { name: 'agent3', shouldReject: false, shouldAuth: false }, - { name: 'nocert', shouldReject: false, shouldAuth: false } - ] - }, - - { title: 'Allow both authed and unauthed connections with CA1', - requestCert: true, - rejectUnauthorized: false, - renegotiate: false, - CAs: ['ca1-cert'], - clients: - [{ name: 'agent1', shouldReject: false, shouldAuth: true }, - { name: 'agent2', shouldReject: false, shouldAuth: false }, - { name: 'agent3', shouldReject: false, shouldAuth: false }, - { name: 'nocert', shouldReject: false, shouldAuth: false } - ] - }, - - { title: 'Do not request certs at connection. Do that later', - requestCert: false, - rejectUnauthorized: false, - renegotiate: true, - CAs: ['ca1-cert'], - clients: - [{ name: 'agent1', shouldReject: false, shouldAuth: true }, - { name: 'agent2', shouldReject: false, shouldAuth: false }, - { name: 'agent3', shouldReject: false, shouldAuth: false }, - { name: 'nocert', shouldReject: false, shouldAuth: false } - ] - }, - - { title: 'Allow only authed connections with CA1', - requestCert: true, - rejectUnauthorized: true, - renegotiate: false, - CAs: ['ca1-cert'], - clients: - [{ name: 'agent1', shouldReject: false, shouldAuth: true }, - { name: 'agent2', shouldReject: true }, - { name: 'agent3', shouldReject: true }, - { name: 'nocert', shouldReject: true } - ] - }, - - { title: 'Allow only authed connections with CA1 and CA2', - requestCert: true, - rejectUnauthorized: true, - renegotiate: false, - CAs: ['ca1-cert', 'ca2-cert'], - clients: - [{ name: 'agent1', shouldReject: false, shouldAuth: true }, - { name: 'agent2', shouldReject: true }, - { name: 'agent3', shouldReject: false, shouldAuth: true }, - { name: 'nocert', shouldReject: true } - ] - }, - - - { title: 'Allow only certs signed by CA2 but not in the CRL', - requestCert: true, - rejectUnauthorized: true, - renegotiate: false, - CAs: ['ca2-cert'], - crl: 'ca2-crl', - clients: [ - { name: 'agent1', shouldReject: true, shouldAuth: false }, - { name: 'agent2', shouldReject: true, shouldAuth: false }, - { name: 'agent3', shouldReject: false, shouldAuth: true }, - // Agent4 has a cert in the CRL. - { name: 'agent4', shouldReject: true, shouldAuth: false }, - { name: 'nocert', shouldReject: true } - ] - } - ]; - - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - - -const serverKey = loadPEM('agent2-key'); -const serverCert = loadPEM('agent2-cert'); - - -function runClient(prefix, port, options, cb) { - - // Client can connect in three ways: - // - Self-signed cert - // - Certificate, but not signed by CA. - // - Certificate signed by CA. - - const args = ['s_client', '-connect', `127.0.0.1:${port}`]; - - // for the performance issue in s_client on Windows - if (common.isWindows) - args.push('-no_rand_screen'); - - console.log(`${prefix} connecting with`, options.name); - - switch (options.name) { - case 'agent1': - // Signed by CA1 - args.push('-key'); - args.push(filenamePEM('agent1-key')); - args.push('-cert'); - args.push(filenamePEM('agent1-cert')); - break; - - case 'agent2': - // Self-signed - // This is also the key-cert pair that the server will use. - args.push('-key'); - args.push(filenamePEM('agent2-key')); - args.push('-cert'); - args.push(filenamePEM('agent2-cert')); - break; - - case 'agent3': - // Signed by CA2 - args.push('-key'); - args.push(filenamePEM('agent3-key')); - args.push('-cert'); - args.push(filenamePEM('agent3-cert')); - break; - - case 'agent4': - // Signed by CA2 (rejected by ca2-crl) - args.push('-key'); - args.push(filenamePEM('agent4-key')); - args.push('-cert'); - args.push(filenamePEM('agent4-cert')); - break; - - case 'nocert': - // Do not send certificate - break; - - default: - throw new Error(`${prefix}Unknown agent name`); - } - - // To test use: openssl s_client -connect localhost:8000 - const client = spawn(common.opensslCli, args); - - let out = ''; - - let rejected = true; - let authed = false; - let goodbye = false; - - client.stdout.setEncoding('utf8'); - client.stdout.on('data', function(d) { - out += d; - - if (!goodbye && /_unauthed/.test(out)) { - console.error(`${prefix} * unauthed`); - goodbye = true; - client.kill(); - authed = false; - rejected = false; - } - - if (!goodbye && /_authed/.test(out)) { - console.error(`${prefix} * authed`); - goodbye = true; - client.kill(); - authed = true; - rejected = false; - } - }); - - //client.stdout.pipe(process.stdout); - - client.on('exit', function(code) { - //assert.strictEqual( - // 0, code, - // `${prefix}${options.name}: s_client exited with error code ${code}`); - if (options.shouldReject) { - assert.strictEqual( - true, rejected, - `${prefix}${options.name} NOT rejected, but should have been`); - } else { - assert.strictEqual( - false, rejected, - `${prefix}${options.name} rejected, but should NOT have been`); - assert.strictEqual( - options.shouldAuth, authed, - `${prefix}${options.name} authed is ${authed} but should have been ${ - options.shouldAuth}`); - } - - cb(); - }); -} - - -// Run the tests -let successfulTests = 0; -function runTest(port, testIndex) { - const prefix = `${testIndex} `; - const tcase = testCases[testIndex]; - if (!tcase) return; - - console.error(`${prefix}Running '%s'`, tcase.title); - - const cas = tcase.CAs.map(loadPEM); - - const crl = tcase.crl ? loadPEM(tcase.crl) : null; - - const serverOptions = { - key: serverKey, - cert: serverCert, - ca: cas, - crl: crl, - requestCert: tcase.requestCert, - rejectUnauthorized: tcase.rejectUnauthorized - }; - - /* - * If renegotiating - session might be resumed and openssl won't request - * client's certificate (probably because of bug in the openssl) - */ - if (tcase.renegotiate) { - serverOptions.secureOptions = - SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION; - } - - let renegotiated = false; - const server = tls.Server(serverOptions, function handleConnection(c) { - c.on('error', function(e) { - // child.kill() leads ECONNRESET errro in the TLS connection of - // openssl s_client via spawn(). A Test result is already - // checked by the data of client.stdout before child.kill() so - // these tls errors can be ignored. - }); - if (tcase.renegotiate && !renegotiated) { - renegotiated = true; - setTimeout(function() { - console.error(`${prefix}- connected, renegotiating`); - c.write('\n_renegotiating\n'); - return c.renegotiate({ - requestCert: true, - rejectUnauthorized: false - }, function(err) { - assert(!err); - c.write('\n_renegotiated\n'); - handleConnection(c); - }); - }, 200); - return; - } - - if (c.authorized) { - console.error(`${prefix}- authed connection: ${ - c.getPeerCertificate().subject.CN}`); - c.write('\n_authed\n'); - } else { - console.error(`${prefix}- unauthed connection: %s`, c.authorizationError); - c.write('\n_unauthed\n'); - } - }); - - function runNextClient(clientIndex) { - const options = tcase.clients[clientIndex]; - if (options) { - runClient(`${prefix}${clientIndex} `, port, options, function() { - runNextClient(clientIndex + 1); - }); - } else { - server.close(); - successfulTests++; - runTest(port, nextTest++); - } - } - - server.listen(port, function() { - port = server.address().port; - if (tcase.debug) { - console.error(`${prefix}TLS server running on port ${port}`); - } else { - if (tcase.renegotiate) { - runNextClient(0); - } else { - let clientsCompleted = 0; - for (let i = 0; i < tcase.clients.length; i++) { - runClient(`${prefix}${i} `, port, tcase.clients[i], function() { - clientsCompleted++; - if (clientsCompleted === tcase.clients.length) { - server.close(); - successfulTests++; - runTest(port, nextTest++); - } - }); - } - } - } - }); -} - - -let nextTest = 0; -runTest(0, nextTest++); -runTest(0, nextTest++); - - -process.on('exit', function() { - assert.strictEqual(successfulTests, testCases.length); -}); diff --git a/test/parallel/test-tls-session-cache.js b/test/parallel/test-tls-session-cache.js deleted file mode 100644 index 326e760..0000000 --- a/test/parallel/test-tls-session-cache.js +++ /dev/null @@ -1,127 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.opensslCli) - common.skip('node compiled without OpenSSL CLI.'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -doTest({ tickets: false }, function() { - doTest({ tickets: true }, function() { - console.error('all done'); - }); -}); - -function doTest(testOptions, callback) { - const assert = require('assert'); - const tls = require('tls'); - const fs = require('fs'); - const join = require('path').join; - const spawn = require('child_process').spawn; - - const keyFile = join(common.fixturesDir, 'agent.key'); - const certFile = join(common.fixturesDir, 'agent.crt'); - const key = fs.readFileSync(keyFile); - const cert = fs.readFileSync(certFile); - const options = { - key: key, - cert: cert, - ca: [cert], - requestCert: true - }; - let requestCount = 0; - let resumeCount = 0; - let session; - - const server = tls.createServer(options, function(cleartext) { - cleartext.on('error', function(er) { - // We're ok with getting ECONNRESET in this test, but it's - // timing-dependent, and thus unreliable. Any other errors - // are just failures, though. - if (er.code !== 'ECONNRESET') - throw er; - }); - ++requestCount; - cleartext.end(); - }); - server.on('newSession', function(id, data, cb) { - // Emulate asynchronous store - setTimeout(function() { - assert.ok(!session); - session = { - id: id, - data: data - }; - cb(); - }, 1000); - }); - server.on('resumeSession', function(id, callback) { - ++resumeCount; - assert.ok(session); - assert.strictEqual(session.id.toString('hex'), id.toString('hex')); - - // Just to check that async really works there - setTimeout(function() { - callback(null, session.data); - }, 100); - }); - - server.listen(0, function() { - const args = [ - 's_client', - '-tls1', - '-connect', `localhost:${this.address().port}`, - '-servername', 'ohgod', - '-key', join(common.fixturesDir, 'agent.key'), - '-cert', join(common.fixturesDir, 'agent.crt'), - '-reconnect' - ].concat(testOptions.tickets ? [] : '-no_ticket'); - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - args.push('-no_rand_screen'); - - function spawnClient() { - const client = spawn(common.opensslCli, args, { - stdio: [ 0, 1, 'pipe' ] - }); - let err = ''; - client.stderr.setEncoding('utf8'); - client.stderr.on('data', function(chunk) { - err += chunk; - }); - - client.on('exit', common.mustCall(function(code, signal) { - if (code !== 0) { - // If SmartOS and connection refused, then retry. See - // https://github.com/nodejs/node/issues/2663. - if (common.isSunOS && err.includes('Connection refused')) { - requestCount = 0; - spawnClient(); - return; - } - common.fail(`code: ${code}, signal: ${signal}, output: ${err}`); - } - assert.strictEqual(code, 0); - server.close(common.mustCall(function() { - setTimeout(callback, 100); - })); - })); - } - - spawnClient(); - }); - - process.on('exit', function() { - if (testOptions.tickets) { - assert.strictEqual(requestCount, 6); - assert.strictEqual(resumeCount, 0); - } else { - // initial request + reconnect requests (5 times) - assert.ok(session); - assert.strictEqual(requestCount, 6); - assert.strictEqual(resumeCount, 5); - } - }); -} diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js deleted file mode 100644 index d53029e..0000000 --- a/test/parallel/test-tls-set-ciphers.js +++ /dev/null @@ -1,45 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.opensslCli) - common.skip('node compiled without OpenSSL CLI.'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const exec = require('child_process').exec; -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`), - ciphers: 'DES-CBC3-SHA' -}; - -const reply = 'I AM THE WALRUS'; // something recognizable -let response = ''; - -process.on('exit', function() { - assert.notStrictEqual(response.indexOf(reply), -1); -}); - -const server = tls.createServer(options, common.mustCall(function(conn) { - conn.end(reply); -})); - -server.listen(0, '127.0.0.1', function() { - let cmd = `"${common.opensslCli}" s_client -cipher ${ - options.ciphers} -connect 127.0.0.1:${this.address().port}`; - - // for the performance and stability issue in s_client on Windows - if (common.isWindows) - cmd += ' -no_rand_screen'; - - exec(cmd, function(err, stdout, stderr) { - if (err) throw err; - response = stdout; - server.close(); - }); -}); diff --git a/test/parallel/test-tls-set-encoding.js b/test/parallel/test-tls-set-encoding.js deleted file mode 100644 index 4114ee5..0000000 --- a/test/parallel/test-tls-set-encoding.js +++ /dev/null @@ -1,58 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`) -}; - -// Contains a UTF8 only character -const messageUtf8 = 'x√ab c'; - -// The same string above represented with ASCII -const messageAscii = 'xb\b\u001aab c'; - -const server = tls.Server(options, common.mustCall(function(socket) { - socket.end(messageUtf8); -})); - - -server.listen(0, function() { - const client = tls.connect({ - port: this.address().port, - rejectUnauthorized: false - }); - - let buffer = ''; - - client.setEncoding('ascii'); - - client.on('data', function(d) { - assert.ok(typeof d === 'string'); - buffer += d; - }); - - - client.on('close', function() { - // readyState is deprecated but we want to make - // sure this isn't triggering an assert in lib/net.js - // See issue #1069. - assert.strictEqual('closed', client.readyState); - - // Confirming the buffer string is encoded in ASCII - // and thus does NOT match the UTF8 string - assert.notStrictEqual(buffer, messageUtf8); - - // Confirming the buffer string is encoded in ASCII - // and thus does equal the ASCII string representation - assert.strictEqual(buffer, messageAscii); - - server.close(); - }); -}); diff --git a/test/parallel/test-tls-sni-option.js b/test/parallel/test-tls-sni-option.js deleted file mode 100644 index ff3e2ef..0000000 --- a/test/parallel/test-tls-sni-option.js +++ /dev/null @@ -1,168 +0,0 @@ -'use strict'; - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!process.features.tls_sni) - common.skip('node compiled without OpenSSL or with old OpenSSL version.'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const serverOptions = { - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert'), - requestCert: true, - rejectUnauthorized: false, - SNICallback: function(servername, callback) { - const context = SNIContexts[servername]; - - // Just to test asynchronous callback - setTimeout(function() { - if (context) { - if (context.emptyRegression) - callback(null, {}); - else - callback(null, tls.createSecureContext(context)); - } else { - callback(null, null); - } - }, 100); - } -}; - -let SNIContexts = { - 'a.example.com': { - key: loadPEM('agent1-key'), - cert: loadPEM('agent1-cert'), - ca: [ loadPEM('ca2-cert') ] - }, - 'b.example.com': { - key: loadPEM('agent3-key'), - cert: loadPEM('agent3-cert') - }, - 'c.another.com': { - emptyRegression: true - } -}; - -const clientsOptions = [{ - port: undefined, - key: loadPEM('agent1-key'), - cert: loadPEM('agent1-cert'), - ca: [loadPEM('ca1-cert')], - servername: 'a.example.com', - rejectUnauthorized: false -}, { - port: undefined, - key: loadPEM('agent4-key'), - cert: loadPEM('agent4-cert'), - ca: [loadPEM('ca1-cert')], - servername: 'a.example.com', - rejectUnauthorized: false -}, { - port: undefined, - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert'), - ca: [loadPEM('ca2-cert')], - servername: 'b.example.com', - rejectUnauthorized: false -}, { - port: undefined, - key: loadPEM('agent3-key'), - cert: loadPEM('agent3-cert'), - ca: [loadPEM('ca1-cert')], - servername: 'c.wrong.com', - rejectUnauthorized: false -}, { - port: undefined, - key: loadPEM('agent3-key'), - cert: loadPEM('agent3-cert'), - ca: [loadPEM('ca1-cert')], - servername: 'c.another.com', - rejectUnauthorized: false -}]; - -const serverResults = []; -const clientResults = []; -const serverErrors = []; -const clientErrors = []; -let serverError; -let clientError; - -const server = tls.createServer(serverOptions, function(c) { - serverResults.push({ sni: c.servername, authorized: c.authorized }); -}); - -server.on('tlsClientError', function(err) { - serverResults.push(null); - serverError = err.message; -}); - -server.listen(0, startTest); - -function startTest() { - function connectClient(i, callback) { - const options = clientsOptions[i]; - clientError = null; - serverError = null; - - options.port = server.address().port; - const client = tls.connect(options, function() { - clientResults.push( - /Hostname\/IP doesn't/.test(client.authorizationError || '')); - client.destroy(); - - next(); - }); - - client.on('error', function(err) { - clientResults.push(false); - clientError = err.message; - next(); - }); - - function next() { - clientErrors.push(clientError); - serverErrors.push(serverError); - - if (i === clientsOptions.length - 1) - callback(); - else - connectClient(i + 1, callback); - } - } - - connectClient(0, function() { - server.close(); - }); -} - -process.on('exit', function() { - assert.deepStrictEqual(serverResults, [ - { sni: 'a.example.com', authorized: false }, - { sni: 'a.example.com', authorized: true }, - { sni: 'b.example.com', authorized: false }, - { sni: 'c.wrong.com', authorized: false }, - null - ]); - assert.deepStrictEqual(clientResults, [true, true, true, false, false]); - assert.deepStrictEqual(clientErrors, [ - null, null, null, null, 'socket hang up' - ]); - assert.deepStrictEqual(serverErrors, [ - null, null, null, null, 'Invalid SNI context' - ]); -}); diff --git a/test/parallel/test-tls-sni-server-client.js b/test/parallel/test-tls-sni-server-client.js deleted file mode 100644 index ebe51f2..0000000 --- a/test/parallel/test-tls-sni-server-client.js +++ /dev/null @@ -1,113 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -if (!process.features.tls_sni) - common.skip('node compiled without OpenSSL or with old OpenSSL version.'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const serverOptions = { - key: loadPEM('agent2-key'), - cert: loadPEM('agent2-cert') -}; - -const SNIContexts = { - 'a.example.com': { - key: loadPEM('agent1-key'), - cert: loadPEM('agent1-cert') - }, - 'asterisk.test.com': { - key: loadPEM('agent3-key'), - cert: loadPEM('agent3-cert') - }, - 'chain.example.com': { - key: loadPEM('agent6-key'), - // NOTE: Contains ca3 chain cert - cert: loadPEM('agent6-cert') - } -}; - -const clientsOptions = [{ - port: undefined, - ca: [loadPEM('ca1-cert')], - servername: 'a.example.com', - rejectUnauthorized: false -}, { - port: undefined, - ca: [loadPEM('ca2-cert')], - servername: 'b.test.com', - rejectUnauthorized: false -}, { - port: undefined, - ca: [loadPEM('ca2-cert')], - servername: 'a.b.test.com', - rejectUnauthorized: false -}, { - port: undefined, - ca: [loadPEM('ca1-cert')], - servername: 'c.wrong.com', - rejectUnauthorized: false -}, { - port: undefined, - ca: [loadPEM('ca1-cert')], - servername: 'chain.example.com', - rejectUnauthorized: false -}]; - -const serverResults = []; -const clientResults = []; - -const server = tls.createServer(serverOptions, function(c) { - serverResults.push(c.servername); -}); - -server.addContext('a.example.com', SNIContexts['a.example.com']); -server.addContext('*.test.com', SNIContexts['asterisk.test.com']); -server.addContext('chain.example.com', SNIContexts['chain.example.com']); - -server.listen(0, startTest); - -function startTest() { - let i = 0; - function start() { - // No options left - if (i === clientsOptions.length) - return server.close(); - - const options = clientsOptions[i++]; - options.port = server.address().port; - const client = tls.connect(options, function() { - clientResults.push( - client.authorizationError && - /Hostname\/IP doesn't/.test(client.authorizationError)); - client.destroy(); - - // Continue - start(); - }); - } - - start(); -} - -process.on('exit', function() { - assert.deepStrictEqual(serverResults, [ - 'a.example.com', 'b.test.com', 'a.b.test.com', 'c.wrong.com', - 'chain.example.com' - ]); - assert.deepStrictEqual(clientResults, [true, true, false, false, true]); -}); diff --git a/test/parallel/test-tls-socket-close.js b/test/parallel/test-tls-socket-close.js deleted file mode 100644 index f9a77bf..0000000 --- a/test/parallel/test-tls-socket-close.js +++ /dev/null @@ -1,67 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const net = require('net'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent2-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent2-cert.pem`); - -let tlsSocket; -// tls server -const tlsServer = tls.createServer({ cert, key }, (socket) => { - tlsSocket = socket; - socket.on('error', common.mustCall((error) => { - assert.strictEqual(error.code, 'EINVAL'); - tlsServer.close(); - netServer.close(); - })); -}); - -let netSocket; -// plain tcp server -const netServer = net.createServer((socket) => { - // if client wants to use tls - tlsServer.emit('connection', socket); - - netSocket = socket; -}).listen(0, common.mustCall(function() { - connectClient(netServer); -})); - -function connectClient(server) { - const tlsConnection = tls.connect({ - host: 'localhost', - port: server.address().port, - rejectUnauthorized: false - }); - - tlsConnection.write('foo', 'utf8', common.mustCall(() => { - assert(netSocket); - netSocket.setTimeout(1, common.mustCall(() => { - assert(tlsSocket); - // this breaks if TLSSocket is already managing the socket: - netSocket.destroy(); - const interval = setInterval(() => { - // Checking this way allows us to do the write at a time that causes a - // segmentation fault (not always, but often) in Node.js 7.7.3 and - // earlier. If we instead, for example, wait on the `close` event, then - // it will not segmentation fault, which is what this test is all about. - if (tlsSocket._handle._parent.bytesRead === 0) { - tlsSocket.write('bar'); - clearInterval(interval); - } - }, 1); - })); - })); - tlsConnection.on('error', (e) => { - // Tolerate the occasional ECONNRESET. - // Ref: https://github.com/nodejs/node/issues/13184 - if (e.code !== 'ECONNRESET') - throw e; - }); -} diff --git a/test/parallel/test-tls-socket-default-options.js b/test/parallel/test-tls-socket-default-options.js deleted file mode 100644 index 66f2689..0000000 --- a/test/parallel/test-tls-socket-default-options.js +++ /dev/null @@ -1,67 +0,0 @@ -'use strict'; -const common = require('../common'); - -// Test directly created TLS sockets and options. - -const assert = require('assert'); -const join = require('path').join; -const { - connect, keys, tls -} = require(join(common.fixturesDir, 'tls-connect')); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -test(undefined, (err) => { - assert.strictEqual(err.message, 'unable to verify the first certificate'); -}); - -test({}, (err) => { - assert.strictEqual(err.message, 'unable to verify the first certificate'); -}); - -test({secureContext: tls.createSecureContext({ca: keys.agent1.ca})}, (err) => { - assert.ifError(err); -}); - -test({ca: keys.agent1.ca}, (err) => { - assert.ifError(err); -}); - -// Secure context options, like ca, are ignored if a sec ctx is explicitly -// provided. -test({secureContext: tls.createSecureContext(), ca: keys.agent1.ca}, (err) => { - assert.strictEqual(err.message, 'unable to verify the first certificate'); -}); - -function test(client, callback) { - callback = common.mustCall(callback); - connect({ - server: { - key: keys.agent1.key, - cert: keys.agent1.cert, - }, - }, function(err, pair, cleanup) { - assert.strictEqual(err.message, 'unable to verify the first certificate'); - let recv = ''; - pair.server.server.once('secureConnection', common.mustCall((conn) => { - conn.on('data', (data) => recv += data); - conn.on('end', common.mustCall(() => { - // Server sees nothing wrong with connection, even though the client's - // authentication of the server cert failed. - assert.strictEqual(recv, 'hello'); - cleanup(); - })); - })); - - // Client doesn't support the 'secureConnect' event, and doesn't error if - // authentication failed. Caller must explicitly check for failure. - (new tls.TLSSocket(null, client)).connect(pair.server.server.address().port) - .on('connect', common.mustCall(function() { - this.end('hello'); - })) - .on('secure', common.mustCall(function() { - callback(this.ssl.verifyError()); - })); - }); -} diff --git a/test/parallel/test-tls-socket-destroy.js b/test/parallel/test-tls-socket-destroy.js deleted file mode 100644 index b101a87..0000000 --- a/test/parallel/test-tls-socket-destroy.js +++ /dev/null @@ -1,34 +0,0 @@ -'use strict'; - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const fs = require('fs'); -const net = require('net'); -const tls = require('tls'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); -const secureContext = tls.createSecureContext({ key, cert }); - -const server = net.createServer(common.mustCall((conn) => { - const options = { isServer: true, secureContext, server }; - const socket = new tls.TLSSocket(conn, options); - socket.once('data', common.mustCall(() => { - socket._destroySSL(); // Should not crash. - server.close(); - })); -})); - -server.listen(0, function() { - const options = { - port: this.address().port, - rejectUnauthorized: false, - }; - tls.connect(options, function() { - this.write('*'.repeat(1 << 20)); // Write more data than fits in a frame. - this.on('error', this.destroy); // Server closes connection on us. - }); -}); diff --git a/test/parallel/test-tls-socket-failed-handshake-emits-error.js b/test/parallel/test-tls-socket-failed-handshake-emits-error.js deleted file mode 100644 index 16175b8..0000000 --- a/test/parallel/test-tls-socket-failed-handshake-emits-error.js +++ /dev/null @@ -1,37 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const net = require('net'); -const assert = require('assert'); - -const bonkers = Buffer.alloc(1024, 42); - -const server = net.createServer(function(c) { - setTimeout(function() { - const s = new tls.TLSSocket(c, { - isServer: true, - server: server - }); - - s.on('error', common.mustCall(function(e) { - assert.ok(e instanceof Error, - 'Instance of Error should be passed to error handler'); - assert.ok( - /SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol/.test(e.message), - 'Expecting SSL unknown protocol'); - })); - - s.on('close', function() { - server.close(); - s.destroy(); - }); - }, common.platformTimeout(200)); -}).listen(0, function() { - const c = net.connect({port: this.address().port}, function() { - c.write(bonkers); - }); -}); diff --git a/test/parallel/test-tls-startcom-wosign-whitelist.js b/test/parallel/test-tls-startcom-wosign-whitelist.js deleted file mode 100644 index 92d595e..0000000 --- a/test/parallel/test-tls-startcom-wosign-whitelist.js +++ /dev/null @@ -1,89 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const fs = require('fs'); -const path = require('path'); -const tls = require('tls'); - -let finished = 0; - -function filenamePEM(n) { - return path.join(common.fixturesDir, 'keys', `${n}.pem`); -} - -function loadPEM(n) { - return fs.readFileSync(filenamePEM(n)); -} - -const testCases = [ - { // agent8 is signed by fake-startcom-root with notBefore of - // Oct 20 23:59:59 2016 GMT. It passes StartCom/WoSign check. - serverOpts: { - key: loadPEM('agent8-key'), - cert: loadPEM('agent8-cert') - }, - clientOpts: { - ca: loadPEM('fake-startcom-root-cert'), - port: undefined, - rejectUnauthorized: true - }, - errorCode: 'CERT_OK' - }, - { // agent9 is signed by fake-startcom-root with notBefore of - // Oct 21 00:00:01 2016 GMT. It fails StartCom/WoSign check. - serverOpts: { - key: loadPEM('agent9-key'), - cert: loadPEM('agent9-cert') - }, - clientOpts: { - ca: loadPEM('fake-startcom-root-cert'), - port: undefined, - rejectUnauthorized: true - }, - errorCode: 'CERT_REVOKED' - } -]; - - -function runNextTest(server, tindex) { - server.close(function() { - finished++; - runTest(tindex + 1); - }); -} - - -function runTest(tindex) { - const tcase = testCases[tindex]; - - if (!tcase) return; - - const server = tls.createServer(tcase.serverOpts, function(s) { - s.resume(); - }).listen(0, function() { - tcase.clientOpts.port = this.address().port; - const client = tls.connect(tcase.clientOpts); - client.on('error', function(e) { - assert.strictEqual(e.code, tcase.errorCode); - runNextTest(server, tindex); - }); - - client.on('secureConnect', function() { - // agent8 can pass StartCom/WoSign check so that the secureConnect - // is established. - assert.strictEqual(tcase.errorCode, 'CERT_OK'); - client.end(); - runNextTest(server, tindex); - }); - }); -} - - -runTest(0); - -process.on('exit', function() { - assert.strictEqual(finished, testCases.length); -}); diff --git a/test/parallel/test-tls-starttls-server.js b/test/parallel/test-tls-starttls-server.js deleted file mode 100644 index 28d1db8..0000000 --- a/test/parallel/test-tls-starttls-server.js +++ /dev/null @@ -1,51 +0,0 @@ -'use strict'; - -// Test asynchronous SNI+OCSP on TLSSocket created with `server` set to -// `net.Server` instead of `tls.Server` - -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const fs = require('fs'); -const net = require('net'); -const tls = require('tls'); - -const key = fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`); -const cert = fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`); - -const server = net.createServer(common.mustCall((s) => { - const tlsSocket = new tls.TLSSocket(s, { - isServer: true, - server: server, - - secureContext: tls.createSecureContext({ - key: key, - cert: cert - }), - - SNICallback: common.mustCall((hostname, callback) => { - assert.strictEqual(hostname, 'test.test'); - - callback(null, null); - }) - }); - - tlsSocket.on('secure', common.mustCall(() => { - tlsSocket.end(); - server.close(); - })); -})).listen(0, () => { - const opts = { - servername: 'test.test', - port: server.address().port, - rejectUnauthorized: false, - requestOCSP: true - }; - - tls.connect(opts, function() { - this.end(); - }); -}); diff --git a/test/parallel/test-tls-ticket-cluster.js b/test/parallel/test-tls-ticket-cluster.js deleted file mode 100644 index 49c4c34..0000000 --- a/test/parallel/test-tls-ticket-cluster.js +++ /dev/null @@ -1,108 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const cluster = require('cluster'); -const fs = require('fs'); -const join = require('path').join; - -const workerCount = 4; -const expectedReqCount = 16; - -if (cluster.isMaster) { - let reusedCount = 0; - let reqCount = 0; - let lastSession = null; - let shootOnce = false; - let workerPort = null; - - function shoot() { - console.error('[master] connecting', workerPort); - const c = tls.connect(workerPort, { - session: lastSession, - rejectUnauthorized: false - }, function() { - lastSession = c.getSession(); - c.end(); - - if (++reqCount === expectedReqCount) { - Object.keys(cluster.workers).forEach(function(id) { - cluster.workers[id].send('die'); - }); - } else { - shoot(); - } - }); - } - - function fork() { - const worker = cluster.fork(); - worker.on('message', function({ msg, port }) { - console.error('[master] got %j', msg); - if (msg === 'reused') { - ++reusedCount; - } else if (msg === 'listening' && !shootOnce) { - workerPort = port || workerPort; - shootOnce = true; - shoot(); - } - }); - - worker.on('exit', function() { - console.error('[master] worker died'); - }); - } - for (let i = 0; i < workerCount; i++) { - fork(); - } - - process.on('exit', function() { - assert.strictEqual(reqCount, expectedReqCount); - assert.strictEqual(reusedCount + 1, reqCount); - }); - return; -} - -const keyFile = join(common.fixturesDir, 'agent.key'); -const certFile = join(common.fixturesDir, 'agent.crt'); -const key = fs.readFileSync(keyFile); -const cert = fs.readFileSync(certFile); -const options = { - key: key, - cert: cert -}; - -const server = tls.createServer(options, function(c) { - if (c.isSessionReused()) { - process.send({ msg: 'reused' }); - } else { - process.send({ msg: 'not-reused' }); - } - c.end(); -}); - -server.listen(0, function() { - const { port } = server.address(); - process.send({ - msg: 'listening', - port, - }); -}); - -process.on('message', function listener(msg) { - console.error('[worker] got %j', msg); - if (msg === 'die') { - server.close(function() { - console.error('[worker] server close'); - - process.exit(); - }); - } -}); - -process.on('exit', function() { - console.error('[worker] exit'); -}); diff --git a/test/parallel/test-tls-ticket.js b/test/parallel/test-tls-ticket.js deleted file mode 100644 index 3d6f7a4..0000000 --- a/test/parallel/test-tls-ticket.js +++ /dev/null @@ -1,98 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); -const net = require('net'); -const crypto = require('crypto'); - -const keys = crypto.randomBytes(48); -const serverLog = []; -const ticketLog = []; - -let serverCount = 0; -function createServer() { - const id = serverCount++; - - let counter = 0; - let previousKey = null; - - const server = tls.createServer({ - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), - ticketKeys: keys - }, function(c) { - serverLog.push(id); - c.end(); - - counter++; - - // Rotate ticket keys - if (counter === 1) { - previousKey = server.getTicketKeys(); - server.setTicketKeys(crypto.randomBytes(48)); - } else if (counter === 2) { - server.setTicketKeys(previousKey); - } else if (counter === 3) { - // Use keys from counter=2 - } else { - throw new Error('UNREACHABLE'); - } - }); - - return server; -} - -const naturalServers = [ createServer(), createServer(), createServer() ]; - -// 3x servers -const servers = naturalServers.concat(naturalServers).concat(naturalServers); - -// Create one TCP server and balance sockets to multiple TLS server instances -const shared = net.createServer(function(c) { - servers.shift().emit('connection', c); -}).listen(0, function() { - start(function() { - shared.close(); - }); -}); - -function start(callback) { - let sess = null; - let left = servers.length; - - function connect() { - const s = tls.connect(shared.address().port, { - session: sess, - rejectUnauthorized: false - }, function() { - sess = sess || s.getSession(); - ticketLog.push(s.getTLSTicket().toString('hex')); - }); - s.on('close', function() { - if (--left === 0) - callback(); - else - connect(); - }); - } - - connect(); -} - -process.on('exit', function() { - assert.strictEqual(ticketLog.length, serverLog.length); - for (let i = 0; i < naturalServers.length - 1; i++) { - assert.notStrictEqual(serverLog[i], serverLog[i + 1]); - assert.strictEqual(ticketLog[i], ticketLog[i + 1]); - - // 2nd connection should have different ticket - assert.notStrictEqual(ticketLog[i], ticketLog[i + naturalServers.length]); - - // 3rd connection should have the same ticket - assert.strictEqual(ticketLog[i], ticketLog[i + naturalServers.length * 2]); - } -}); diff --git a/test/parallel/test-tls-timeout-server-2.js b/test/parallel/test-tls-timeout-server-2.js deleted file mode 100644 index a462750..0000000 --- a/test/parallel/test-tls-timeout-server-2.js +++ /dev/null @@ -1,29 +0,0 @@ -'use strict'; -const common = require('../common'); -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = tls.createServer(options, common.mustCall(function(cleartext) { - const s = cleartext.setTimeout(50, function() { - cleartext.destroy(); - server.close(); - }); - assert.ok(s instanceof tls.TLSSocket); -})); - -server.listen(0, common.mustCall(function() { - tls.connect({ - host: '127.0.0.1', - port: this.address().port, - rejectUnauthorized: false - }); -})); diff --git a/test/parallel/test-tls-timeout-server.js b/test/parallel/test-tls-timeout-server.js deleted file mode 100644 index b983e2c..0000000 --- a/test/parallel/test-tls-timeout-server.js +++ /dev/null @@ -1,26 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); -const net = require('net'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`), - handshakeTimeout: 50 -}; - -const server = tls.createServer(options, common.mustNotCall()); - -server.on('tlsClientError', common.mustCall(function(err, conn) { - conn.destroy(); - server.close(); -})); - -server.listen(0, common.mustCall(function() { - net.connect({ host: '127.0.0.1', port: this.address().port }); -})); diff --git a/test/parallel/test-tls-two-cas-one-string.js b/test/parallel/test-tls-two-cas-one-string.js deleted file mode 100644 index 10d626b..0000000 --- a/test/parallel/test-tls-two-cas-one-string.js +++ /dev/null @@ -1,34 +0,0 @@ -'use strict'; - -const common = require('../common'); -const tls = require('tls'); -const fs = require('fs'); - -const ca1 = - fs.readFileSync(`${common.fixturesDir}/keys/ca1-cert.pem`, 'utf8'); -const ca2 = - fs.readFileSync(`${common.fixturesDir}/keys/ca2-cert.pem`, 'utf8'); -const cert = - fs.readFileSync(`${common.fixturesDir}/keys/agent3-cert.pem`, 'utf8'); -const key = - fs.readFileSync(`${common.fixturesDir}/keys/agent3-key.pem`, 'utf8'); - -function test(ca, next) { - const server = tls.createServer({ ca, cert, key }, function(conn) { - this.close(); - conn.end(); - }); - - server.addContext('agent3', { ca, cert, key }); - - const host = common.localhostIPv4; - server.listen(0, host, function() { - tls.connect({ servername: 'agent3', host, port: this.address().port, ca }); - }); - - server.once('close', next); -} - -const array = [ca1, ca2]; -const string = `${ca1}\n${ca2}`; -test(array, () => test(string, () => {})); diff --git a/test/parallel/test-tls-wrap-no-abort.js b/test/parallel/test-tls-wrap-no-abort.js deleted file mode 100644 index a64aea0..0000000 --- a/test/parallel/test-tls-wrap-no-abort.js +++ /dev/null @@ -1,8 +0,0 @@ -'use strict'; - -require('../common'); -const util = require('util'); -const TLSWrap = process.binding('tls_wrap').TLSWrap; - -// This will abort if internal pointer is not set to nullptr. -util.inspect(new TLSWrap()); diff --git a/test/parallel/test-tls-wrap-timeout.js b/test/parallel/test-tls-wrap-timeout.js deleted file mode 100644 index b4cff36..0000000 --- a/test/parallel/test-tls-wrap-timeout.js +++ /dev/null @@ -1,53 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const tls = require('tls'); - -const net = require('net'); -const fs = require('fs'); - -const options = { - key: fs.readFileSync(`${common.fixturesDir}/keys/agent1-key.pem`), - cert: fs.readFileSync(`${common.fixturesDir}/keys/agent1-cert.pem`) -}; - -const server = tls.createServer(options, common.mustCall((c) => { - setImmediate(() => { - c.write('hello', () => { - setImmediate(() => { - c.destroy(); - server.close(); - }); - }); - }); -})); - -let socket; -let lastIdleStart; - -server.listen(0, () => { - socket = net.connect(server.address().port, function() { - const s = socket.setTimeout(Number.MAX_VALUE, function() { - throw new Error('timeout'); - }); - assert.ok(s instanceof net.Socket); - - assert.notStrictEqual(socket._idleTimeout, -1); - lastIdleStart = socket._idleStart; - - const tsocket = tls.connect({ - socket: socket, - rejectUnauthorized: false - }); - tsocket.resume(); - }); -}); - -process.on('exit', () => { - assert.strictEqual(socket._idleTimeout, -1); - assert(lastIdleStart < socket._idleStart); -}); diff --git a/test/parallel/test-tls-writewrap-leak.js b/test/parallel/test-tls-writewrap-leak.js deleted file mode 100644 index bc09044..0000000 --- a/test/parallel/test-tls-writewrap-leak.js +++ /dev/null @@ -1,24 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const assert = require('assert'); -const net = require('net'); -const tls = require('tls'); - -const server = net.createServer(common.mustCall((c) => { - c.destroy(); -})).listen(0, common.mustCall(() => { - const c = tls.connect({ port: server.address().port }); - c.on('error', () => { - // Otherwise `.write()` callback won't be invoked. - c.destroyed = false; - }); - - c.write('hello', common.mustCall((err) => { - assert.strictEqual(err.code, 'ECANCELED'); - server.close(); - })); -})); diff --git a/test/parallel/test-tls-zero-clear-in.js b/test/parallel/test-tls-zero-clear-in.js deleted file mode 100644 index 8192660..0000000 --- a/test/parallel/test-tls-zero-clear-in.js +++ /dev/null @@ -1,41 +0,0 @@ -'use strict'; -const common = require('../common'); - -if (!common.hasCrypto) - common.skip('missing crypto'); - -const tls = require('tls'); - -const fs = require('fs'); -const path = require('path'); - -const cert = fs.readFileSync(path.join(common.fixturesDir, 'test_cert.pem')); -const key = fs.readFileSync(path.join(common.fixturesDir, 'test_key.pem')); - -const server = tls.createServer({ - cert: cert, - key: key -}, function(c) { - // Nop - setTimeout(function() { - c.end(); - server.close(); - }, 20); -}).listen(0, common.mustCall(function() { - const conn = tls.connect({ - cert: cert, - key: key, - rejectUnauthorized: false, - port: this.address().port - }, function() { - setTimeout(function() { - conn.destroy(); - }, 20); - }); - - // SSL_write() call's return value, when called 0 bytes, should not be - // treated as error. - conn.end(''); - - conn.on('error', common.mustNotCall()); -})); -- 1.8.3.1