From c6ac626bc45b45c02255fecd195f5843b7df77e6 Mon Sep 17 00:00:00 2001
From: Michael Dawson <midawson@redhat.com>
Date: Sat, 21 Sep 2024 15:10:51 -0400
Subject: [PATCH] test: adjust tls-set-ciphers for OpenSSL32

Refs: https://github.com/nodejs/node/issues/53382

The test failed as it was using AES128 which is not supported
in OpenSSL32 due to default security level and because
some error messages have changed.

Adjusted to use AES256 where it made sense and not run
tests on OpenSSL32 where test was specific to AES128.

Adjust to use the expected error messages based on version.

Signed-off-by: Michael Dawson <midawson@redhat.com>
PR-URL: https://github.com/nodejs/node/pull/55016
Reviewed-By: Richard Lau <rlau@redhat.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: James M Snell <jasnell@gmail.com>
---
 test/parallel/test-tls-set-ciphers.js | 29 ++++++++++++++++++---------
 1 file changed, 19 insertions(+), 10 deletions(-)

diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index b66c419cf5f4d1..268a2af6344b59 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -79,6 +79,11 @@ function test(cciphers, sciphers, cipher, cerr, serr, options) {
 
 const U = undefined;
 
+let expectedTLSAlertError = 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
+if (common.hasOpenSSL(3, 2)) {
+  expectedTLSAlertError = 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE';
+}
+
 // Have shared ciphers.
 test(U, 'AES256-SHA', 'AES256-SHA');
 test('AES256-SHA', U, 'AES256-SHA');
@@ -88,13 +93,13 @@ test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+     U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER');
 
-test('AES128-SHA', 'AES256-SHA', U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE',
+test('AES256-SHA', 'AES256-SHA256', U, expectedTLSAlertError,
      'ERR_SSL_NO_SHARED_CIPHER');
-test('AES128-SHA:TLS_AES_256_GCM_SHA384',
-     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA',
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+test('AES256-SHA:TLS_AES_256_GCM_SHA384',
+     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA256',
+     U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER');
 
 // Cipher order ignored, TLS1.3 chosen before TLS1.2.
 test('AES256-SHA:TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
@@ -109,11 +114,15 @@ test(U, 'AES256-SHA', 'TLS_AES_256_GCM_SHA384', U, U, { maxVersion: 'TLSv1.3' })
 
 // TLS_AES_128_CCM_8_SHA256 & TLS_AES_128_CCM_SHA256 are not enabled by
 // default, but work.
-test('TLS_AES_128_CCM_8_SHA256', U,
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
-
-test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
-     'TLS_AES_128_CCM_8_SHA256');
+// However, for OpenSSL32 AES_128 is not enabled due to the
+// default security level
+if (!common.hasOpenSSL(3, 2)) {
+  test('TLS_AES_128_CCM_8_SHA256', U,
+       U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+
+  test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
+       'TLS_AES_128_CCM_8_SHA256');
+}
 
 // Invalid cipher values
 test(9, 'AES256-SHA', U, 'ERR_INVALID_ARG_TYPE', U);