From 6615fe5db1b7b37e5ccc76c0d8790cfd48dc6b17 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Fri, 14 Jun 2024 16:51:42 +0000 Subject: [PATCH 01/21] src: fix dynamically linked OpenSSL version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Report the version of OpenSSL that Node.js is running with instead of the version of OpenSSL that Node.js was compiled against. PR-URL: https://github.com/nodejs/node/pull/53456 Reviewed-By: Luigi Pinca Reviewed-By: Tobias Nießen --- src/node_metadata.cc | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/src/node_metadata.cc b/src/node_metadata.cc index 22546e9de25bdf..361b3596b4a65c 100644 --- a/src/node_metadata.cc +++ b/src/node_metadata.cc @@ -17,7 +17,7 @@ #include "zlib.h" #if HAVE_OPENSSL -#include +#include #if NODE_OPENSSL_HAS_QUIC #include #endif @@ -49,9 +49,10 @@ static constexpr size_t search(const char* s, char c, size_t n = 0) { static inline std::string GetOpenSSLVersion() { // sample openssl version string format // for reference: "OpenSSL 1.1.0i 14 Aug 2018" - constexpr size_t start = search(OPENSSL_VERSION_TEXT, ' ') + 1; - constexpr size_t len = search(&OPENSSL_VERSION_TEXT[start], ' '); - return std::string(OPENSSL_VERSION_TEXT, start, len); + const char* version = OpenSSL_version(OPENSSL_VERSION); + const size_t start = search(version, ' ') + 1; + const size_t len = search(&version[start], ' '); + return std::string(version, start, len); } #endif // HAVE_OPENSSL From fc43c6803ec6ec5d92288826b0f25c5afbe86c61 Mon Sep 17 00:00:00 2001 
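Review bot: `GetOpenSSLVersion()` now hands a run-time string to `search()`, whose body is outside this hunk, and the old compile-time safety net is gone: a malformed `OPENSSL_VERSION_TEXT` used to fail the build at the `constexpr` evaluation, whereas a string returned by `OpenSSL_version(OPENSSL_VERSION)` with fewer than two spaces is now only caught by whatever `search()` does on a miss, and if it keeps scanning for the character it would read past the terminator. A cheap guard before building the result, e.g. `const size_t total = strlen(version); if (start > total) return std::string(version);`, keeps the function total, assuming `search()` returns the index of the terminator when `c` is absent — please confirm against its definition. The `// sample openssl version string format` comment should also say the string now comes from the loaded library, not the headers Node was built against. The header name in the `#include` change is not visible in this rendering, so that line cannot be reviewed here.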
From: Richard Lau Date: Sun, 9 Jun 2024 17:50:08 +0100 Subject: [PATCH 02/21] test: update TLS tests for OpenSSL 3.2 Update the following TLS tests to account for error code changes in OpenSSL 3.2 and later. - `parallel/test-tls-empty-sni-context` - `parallel/test-tls-psk-circuit` PR-URL: https://github.com/nodejs/node/pull/53384 Refs: https://github.com/nodejs/node/issues/53382 Refs: https://github.com/openssl/openssl/pull/19950 Reviewed-By: Luigi Pinca Reviewed-By: Mohammed Keyvanzadeh Reviewed-By: Yagiz Nizipli --- test/common/index.js | 4 ++++ test/parallel/test-tls-empty-sni-context.js | 4 +++- test/parallel/test-tls-psk-circuit.js | 10 ++++++---- 3 files changed, 13 insertions(+), 5 deletions(-) diff --git a/test/common/index.js b/test/common/index.js index e25b861cce1cd6..131cf618b8beaa 100644 --- a/test/common/index.js +++ b/test/common/index.js @@ -61,6 +61,9 @@ const hasOpenSSL3 = hasCrypto && const hasOpenSSL31 = hasCrypto && require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000; +const hasOpenSSL32 = hasCrypto && + require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30200000; + const hasQuic = hasCrypto && !!process.config.variables.openssl_quic; function parseTestFlags(filename = process.argv[1]) { @@ -902,6 +905,7 @@ const common = { hasCrypto, hasOpenSSL3, hasOpenSSL31, + hasOpenSSL32, hasQuic, hasMultiLocalhost, invalidArgTypeHelper, diff --git a/test/parallel/test-tls-empty-sni-context.js b/test/parallel/test-tls-empty-sni-context.js index 87219976a1ebda..3424e057bdef46 100644 --- a/test/parallel/test-tls-empty-sni-context.js +++ b/test/parallel/test-tls-empty-sni-context.js 
@@ -26,6 +26,8 @@ const server = tls.createServer(options, (c) => { }, common.mustNotCall()); c.on('error', common.mustCall((err) => { - assert.strictEqual(err.code, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'); + const expectedErr = common.hasOpenSSL32 ? + 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'; + assert.strictEqual(err.code, expectedErr); })); })); diff --git a/test/parallel/test-tls-psk-circuit.js b/test/parallel/test-tls-psk-circuit.js index cef6735032ea6e..2b49161df8326c 100644 --- a/test/parallel/test-tls-psk-circuit.js +++ b/test/parallel/test-tls-psk-circuit.js @@ -62,9 +62,11 @@ test({ psk: USERS.UserA, identity: 'UserA' }, { minVersion: 'TLSv1.3' }); test({ psk: USERS.UserB, identity: 'UserB' }); test({ psk: USERS.UserB, identity: 'UserB' }, { minVersion: 'TLSv1.3' }); // Unrecognized user should fail handshake -test({ psk: USERS.UserB, identity: 'UserC' }, {}, - 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'); +const expectedHandshakeErr = common.hasOpenSSL32 ? + 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'; +test({ psk: USERS.UserB, identity: 'UserC' }, {}, expectedHandshakeErr); // Recognized user but incorrect secret should fail handshake -test({ psk: USERS.UserA, identity: 'UserB' }, {}, - 'ERR_SSL_SSLV3_ALERT_ILLEGAL_PARAMETER'); +const expectedIllegalParameterErr = common.hasOpenSSL32 ? + 'ERR_SSL_SSL/TLS_ALERT_ILLEGAL_PARAMETER' : 'ERR_SSL_SSLV3_ALERT_ILLEGAL_PARAMETER'; +test({ psk: USERS.UserA, identity: 'UserB' }, {}, expectedIllegalParameterErr); test({ psk: USERS.UserB, identity: 'UserB' }); From cc3cdf7cc035398c5f5cd151ab9c2a4cc3f251aa Mon Sep 17 00:00:00 2001 
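Review bot: The `common.hasOpenSSL32 ? 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'` ternary introduced in the `c.on('error', ...)` handler here is copy-pasted verbatim into test-tls-psk-circuit.js in this same commit, and again into test-tls-client-auth.js (PATCH 06) and test-tls-set-sigalgs.js (PATCH 07) later in this series. Since test/common/index.js is already touched by this commit, the version-dependent alert code names belong in one place there, e.g. a constructed helper such as `tlsHandshakeFailureCode: hasOpenSSL32 ? 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE',` in the `common` object, so the next OpenSSL rename is a one-line change. A one-line comment above it naming the OpenSSL 3.2 alert-string change (the commit message already cites openssl/openssl#19950) would tell future readers why two spellings exist.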
From: Richard Lau Date: Fri, 14 Jun 2024 16:54:18 +0000 Subject: [PATCH 03/21] test: check against run-time OpenSSL version MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update `common.hasOpenSSL3*` to check against the run-time version of OpenSSL instead of the version of OpenSSL that Node.js was compiled against. Add a generalized `common.hasOpenSSL()` so we do not need to keep adding new checks for each new major/minor of OpenSSL. PR-URL: https://github.com/nodejs/node/pull/53456 Reviewed-By: Luigi Pinca Reviewed-By: Tobias Nießen --- test/common/index.js | 40 ++++++++++++++++++++++++--------- test/parallel/test-crypto-dh.js | 4 ++-- 2 files changed, 32 insertions(+), 12 deletions(-) diff --git a/test/common/index.js b/test/common/index.js index 131cf618b8beaa..7c1b99a9f78d63 100644 --- a/test/common/index.js +++ b/test/common/index.js @@ -55,14 +55,24 @@ const noop = () => {}; const hasCrypto = Boolean(process.versions.openssl) && !process.env.NODE_SKIP_CRYPTO; -const hasOpenSSL3 = hasCrypto && - require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30000000; - -const hasOpenSSL31 = hasCrypto && - require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30100000; +// Synthesize OPENSSL_VERSION_NUMBER format with the layout 0xMNN00PPSL +const opensslVersionNumber = (major = 0, minor = 0, patch = 0) => { + assert(major >= 0 && major <= 0xf); + assert(minor >= 0 && minor <= 0xff); + assert(patch >= 0 && patch <= 0xff); + return (major << 28) | (minor << 20) | (patch << 4); +}; -const hasOpenSSL32 = hasCrypto && - require('crypto').constants.OPENSSL_VERSION_NUMBER >= 0x30200000; +let OPENSSL_VERSION_NUMBER; +const hasOpenSSL = (major = 0, minor = 0, patch = 0) => { + if (!hasCrypto) return false; + if (OPENSSL_VERSION_NUMBER === undefined) { + const regexp = /(?\d+)\.(?\d+)\.(?

\d+)/; + const { m, n, p } = process.versions.openssl.match(regexp).groups; + OPENSSL_VERSION_NUMBER = opensslVersionNumber(m, n, p); + } + return OPENSSL_VERSION_NUMBER >= opensslVersionNumber(major, minor, patch); +}; const hasQuic = hasCrypto && !!process.config.variables.openssl_quic; @@ -903,9 +913,7 @@ const common = { getTTYfd, hasIntl, hasCrypto, - hasOpenSSL3, - hasOpenSSL31, - hasOpenSSL32, + hasOpenSSL, hasQuic, hasMultiLocalhost, invalidArgTypeHelper, @@ -966,6 +974,18 @@ const common = { }); }, + get hasOpenSSL3() { + return hasOpenSSL(3); + }, + + get hasOpenSSL31() { + return hasOpenSSL(3, 1); + }, + + get hasOpenSSL32() { + return hasOpenSSL(3, 2); + }, + get inFreeBSDJail() { if (inFreeBSDJail !== null) return inFreeBSDJail; diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js index 3b738b7f47ec59..fb580e1b315445 100644 --- a/test/parallel/test-crypto-dh.js +++ b/test/parallel/test-crypto-dh.js @@ -86,8 +86,8 @@ const crypto = require('crypto'); } { - const v = crypto.constants.OPENSSL_VERSION_NUMBER; - const hasOpenSSL3WithNewErrorMessage = (v >= 0x300000c0 && v <= 0x30100000) || (v >= 0x30100040 && v <= 0x30200000); + const hasOpenSSL3WithNewErrorMessage = (common.hasOpenSSL(3, 0, 12) && !common.hasOpenSSL(3, 1, 1)) || + (common.hasOpenSSL(3, 1, 4) && !common.hasOpenSSL(3, 2, 1)); assert.throws(() => { dh3.computeSecret(''); }, { message: common.hasOpenSSL3 && !hasOpenSSL3WithNewErrorMessage ? From 1320fb9475b8086cf607e2fbfd110fe0fbbe3b87 Mon Sep 17 00:00:00 2001 
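Review bot: In `hasOpenSSL`, the `m`, `n`, `p` captures are strings and are passed straight into `opensslVersionNumber`, where the range `assert`s and the shifts rely on implicit coercion; `Number(m)`, `Number(n)`, `Number(p)` at the call site makes the intent explicit. The helper also asserts `major <= 0xf`, but `major << 28` is a signed 32-bit operation, so any major from 8 upward produces a negative value and the `>=` comparison in `hasOpenSSL` silently inverts; `return ((major << 28) | (minor << 20) | (patch << 4)) >>> 0;` keeps the full layout unsigned and honours the documented `0xMNN00PPSL` shape. The regexp as rendered here reads `(?\d+)`, which is not valid JavaScript — presumably the `<m>`, `<n>`, `<p>` group names required by the `{ m, n, p }` destructuring were stripped by the page rendering, but it is worth confirming against the actual file. A short comment on the lazy `OPENSSL_VERSION_NUMBER` cache stating that it is derived from `process.versions.openssl` (the run-time library) rather than `crypto.constants` would make the point of the commit visible in the code.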
From: Richard Lau Date: Sun, 2 Jun 2024 17:47:58 +0100 Subject: [PATCH 04/21] test: update TLS trace tests for OpenSSL >= 3.2 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Update tests to allow for a slight change to the TLS trace messages starting from OpenSSL 3.2. Refs: https://github.com/openssl/openssl/commit/45aac10717479b5c2445e7704cd742b0d754aaa8 PR-URL: https://github.com/nodejs/node/pull/53229 Reviewed-By: Tim Perry Reviewed-By: Yagiz Nizipli Reviewed-By: Luigi Pinca Reviewed-By: Moshe Atlow Reviewed-By: Ulises Gascón --- test/parallel/test-tls-enable-trace-cli.js | 2 +- test/parallel/test-tls-enable-trace.js | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/test/parallel/test-tls-enable-trace-cli.js b/test/parallel/test-tls-enable-trace-cli.js index 7b6f7e22397af6..634ce950dadef2 100644 --- a/test/parallel/test-tls-enable-trace-cli.js +++ b/test/parallel/test-tls-enable-trace-cli.js @@ -36,7 +36,7 @@ child.on('close', common.mustCall((code, signal) => { assert.strictEqual(signal, null); assert.strictEqual(stdout.trim(), ''); assert.match(stderr, /Warning: Enabling --trace-tls can expose sensitive/); - assert.match(stderr, /Sent Record/); + assert.match(stderr, /Sent (?:TLS )?Record/); })); function test() { diff --git a/test/parallel/test-tls-enable-trace.js b/test/parallel/test-tls-enable-trace.js index 9126f58ee17314..28c78e13371096 100644 --- a/test/parallel/test-tls-enable-trace.js +++ b/test/parallel/test-tls-enable-trace.js @@ -23,7 +23,7 @@ let stderr = ''; child.stderr.setEncoding('utf8'); child.stderr.on('data', (data) => stderr += data); child.on('close', common.mustCall(() => { - assert.match(stderr, /Received Record/); + assert.match(stderr, /Received (?:TLS )?Record/); assert.match(stderr, /ClientHello/); })); From e9e330642625d073c10e93a971ebc75ee94d70a6 Mon Sep 17 00:00:00 2001 
From: Sonny <47546413+sonsurim@users.noreply.github.com> Date: Sun, 4 Aug 2024 16:03:24 +0900 Subject: [PATCH 05/21] test: use assert.{s,deepS}trictEqual() Use `asset.strictEqual()` and `asset.deepStrictEqual()` in `test/parallel/test-tls-set-sigalgs.js`. PR-URL: https://github.com/nodejs/node/pull/54208 Reviewed-By: Jake Yuesong Li Reviewed-By: Daeyeon Jeong Reviewed-By: Trivikram Kamat Reviewed-By: Benjamin Gruenbaum Reviewed-By: Yagiz Nizipli --- test/parallel/test-tls-set-sigalgs.js | 22 ++++++++++------------ 1 file changed, 10 insertions(+), 12 deletions(-) diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/parallel/test-tls-set-sigalgs.js index 59dc2ca0c786cf..ffe950a0d21f86 100644 --- a/test/parallel/test-tls-set-sigalgs.js +++ b/test/parallel/test-tls-set-sigalgs.js @@ -9,13 +9,6 @@ const { assert, connect, keys } = require(fixtures.path('tls-connect')); -function assert_arrays_equal(left, right) { - assert.strictEqual(left.length, right.length); - for (let i = 0; i < left.length; i++) { - assert.strictEqual(left[i], right[i]); - } -} - function test(csigalgs, ssigalgs, shared_sigalgs, cerr, serr) { assert(shared_sigalgs || serr || cerr, 'test missing any expectations'); connect({ @@ -43,16 +36,19 @@ function test(csigalgs, ssigalgs, shared_sigalgs, cerr, serr) { assert.ifError(pair.client.err); assert(pair.server.conn); assert(pair.client.conn); - assert_arrays_equal(pair.server.conn.getSharedSigalgs(), shared_sigalgs); + assert.deepStrictEqual( + pair.server.conn.getSharedSigalgs(), + shared_sigalgs + ); } else { if (serr) { assert(pair.server.err); - assert(pair.server.err.code, serr); + assert.strictEqual(pair.server.err.code, serr); } if (cerr) { assert(pair.client.err); - assert(pair.client.err.code, cerr); + assert.strictEqual(pair.client.err.code, cerr); } } 
@@ -68,7 +64,9 @@ test('RSA-PSS+SHA256:RSA-PSS+SHA512:ECDSA+SHA256', // Do not have shared sigalgs. test('RSA-PSS+SHA384', 'ECDSA+SHA256', - undefined, 'ECONNRESET', 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITMS'); + undefined, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', + 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS'); test('RSA-PSS+SHA384:ECDSA+SHA256', 'ECDSA+SHA384:RSA-PSS+SHA256', - undefined, 'ECONNRESET', 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITMS'); + undefined, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', + 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS'); From a1f0c8785967f1aaa10b4a4aebd06116f2ac9226 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 28 Aug 2024 14:58:09 +0000 Subject: [PATCH 06/21] test: fix test-tls-client-auth test for OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 Refs: https://github.com/nodejs/node/pull/53384 Same change as in 53384 where OpenSSL32 returns a slightly different error but for a different test. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54610 Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca --- test/parallel/test-tls-client-auth.js | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/test/parallel/test-tls-client-auth.js b/test/parallel/test-tls-client-auth.js index 04756924e5e0e6..de4c8f038ec073 100644 --- a/test/parallel/test-tls-client-auth.js +++ b/test/parallel/test-tls-client-auth.js @@ -79,8 +79,10 @@ connect({ }, function(err, pair, cleanup) { assert.strictEqual(pair.server.err.code, 'ERR_SSL_PEER_DID_NOT_RETURN_A_CERTIFICATE'); + const expectedErr = common.hasOpenSSL(3, 2) ? + 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'; assert.strictEqual(pair.client.err.code, - 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'); + expectedErr); return cleanup(); }); From 5316314755557acee67df371b23b4fe4d1888cea Mon Sep 17 00:00:00 2001 
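Review bot: This hunk changes the expected client error from `'ECONNRESET'` to `'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'` and corrects `ERR_SSL_NO_SHARED_SIGNATURE_ALGORITMS` to `..._ALGORITHMS`, but the commit message only describes the switch to `assert.strictEqual()`. The reason both expectations could be wrong for so long is visible in the earlier hunk: `assert(pair.client.err.code, cerr)` passed for any truthy code, so these constants were never actually compared. A one-line comment above the two `test(...)` calls, e.g. `// These codes are now compared with strictEqual; earlier revisions only checked truthiness.`, or a sentence in the commit message, would record that the expectation change is intentional rather than incidental. The client-side handshake code becomes OpenSSL-version dependent in PATCH 07 of this series, so no further change is needed here for that.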
From: Richard Lau Date: Fri, 30 Aug 2024 16:40:08 +0100 Subject: [PATCH 07/21] test: update TLS test for OpenSSL 3.2 Update `parallel/test-tls-set-sigalgs` to account for error code changes in OpenSSL 3.2 and later. PR-URL: https://github.com/nodejs/node/pull/54612 Refs: https://github.com/nodejs/node/pull/53384 Reviewed-By: Filip Skokan Reviewed-By: Luigi Pinca Reviewed-By: Yagiz Nizipli --- test/parallel/test-tls-set-sigalgs.js | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/test/parallel/test-tls-set-sigalgs.js b/test/parallel/test-tls-set-sigalgs.js index ffe950a0d21f86..3f3d152f4d877e 100644 --- a/test/parallel/test-tls-set-sigalgs.js +++ b/test/parallel/test-tls-set-sigalgs.js @@ -63,10 +63,12 @@ test('RSA-PSS+SHA256:RSA-PSS+SHA512:ECDSA+SHA256', ['RSA-PSS+SHA256', 'ECDSA+SHA256']); // Do not have shared sigalgs. +const handshakeErr = common.hasOpenSSL(3, 2) ? + 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'; test('RSA-PSS+SHA384', 'ECDSA+SHA256', - undefined, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', + undefined, handshakeErr, 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS'); test('RSA-PSS+SHA384:ECDSA+SHA256', 'ECDSA+SHA384:RSA-PSS+SHA256', - undefined, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', + undefined, handshakeErr, 'ERR_SSL_NO_SHARED_SIGNATURE_ALGORITHMS'); From d5b73e5683f9847448defb03634e87af52a34f91 Mon Sep 17 00:00:00 2001 
From: Michael Dawson Date: Thu, 29 Aug 2024 19:59:18 -0400 Subject: [PATCH 08/21] test: increase key size for ca2-cert.pem Refs: https://github.com/nodejs/node/pull/44498 Refs: https://github.com/nodejs/node/issues/53382 Key sizes were increased to 2048 in PR 44498 including the configuration file for the generation of ca2-cert.pem. However, it seems like updating ca2-cert.pem and related files themselves were missed as they were not updated in the PR and the ca2-cert.pem reported as being associated with a 1024 bit key. I believe that was the cause of some of the failures mentioned in https://github.com/nodejs/node/issues/53382 as OpenSSL 3.2 increased the default security level from 1 to 2 and that would mean that certificates associated with keys of 1024 bits would no longer be accepted. This PR updates the key size for ca2-cert.pem. It was not necessary to change the config, only run the generation for the ca2-cert.pem and related files. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54599 Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau Reviewed-By: James M Snell --- test/fixtures/keys/agent10-cert.pem | 80 +++++++++++++----------- test/fixtures/keys/agent10.pfx | Bin 4317 -> 4736 bytes test/fixtures/keys/agent3-cert.pem | 35 ++++++----- test/fixtures/keys/agent4-cert.pem | 41 +++++++----- test/fixtures/keys/agent5-cert.pem | 41 +++++++----- test/fixtures/keys/ca2-cert.pem | 33 +++++----- test/fixtures/keys/ca2-crl.pem | 20 +++--- test/fixtures/keys/ca2-database.txt | 1 + test/fixtures/keys/ca2-database.txt.old | 1 + test/fixtures/keys/ca2-key.pem | 44 ++++++++----- test/fixtures/keys/ca4-cert.pem | 41 +++++++----- 11 files changed, 195 insertions(+), 142 deletions(-) diff --git a/test/fixtures/keys/agent10-cert.pem b/test/fixtures/keys/agent10-cert.pem index ce0e515e823d1b..59bb0705757d5b 100644 --- a/test/fixtures/keys/agent10-cert.pem +++ b/test/fixtures/keys/agent10-cert.pem 
@@ -1,41 +1,47 @@ -----BEGIN CERTIFICATE----- -MIIDjjCCAnagAwIBAgITMVaZ0eX5Kp8NI4vaKFVI592wTjANBgkqhkiG9w0BAQsF -ADCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEfMB0G -A1UECgwWVGhlIE5vZGUuanMgRm91bmRhdGlvbjEQMA4GA1UECwwHTm9kZS5qczEM -MAoGA1UEAwwDY2E0MR4wHAYJKoZIhvcNAQkBFg9jYTRAZXhhbXBsZS5vcmcwIBcN -MjIwOTAzMjE0MDM3WhgPMjI5NjA2MTcyMTQwMzdaMHgxCzAJBgNVBAYTAlVTMQsw -CQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxHzAdBgNVBAoMFlRoZSBOb2RlLmpzIEZv -dW5kYXRpb24xEDAOBgNVBAsMB05vZGUuanMxHDAaBgNVBAMME2FnZW50MTAuZXhh -bXBsZS5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDP49yjMES5 -1sfYG4ac06jR7DnSizMDgW+0V6CFPguv6p1D08aBA60mhY8+tjsbin3DYRiTB2HN -7C9svZ2cAffKK9W/40G6+jfJuB6I8g+LtdZ9hViw2RC0k4PFLzpG3VsJRpM4Wfos -/ubZqBuNGLN+K68sAFU0jbUra4dtJQXMi7SlFlJIUx2g10OF312uJcREfFVgNAw4 -EIZ2H7bmGtpE0p3UfBir4HTy5nz4ruYCbbzNWDuX7RIGZSXtqaQc7P9QPvuLzspl -feI8S2oRTLRIgDEatXJFlIWzGu1kF7XjftOrnFHwRWICK6joqSzdLhSS02qfqIRF -JFVZ8QNq11bhAgMBAAEwDQYJKoZIhvcNAQELBQADggEBACenzaglCUisBHiI7H/v -tOF/75jxDUO8FmV3mksh33EpTmzoBiQD1DiTFQu/EEJ/iAbdTRJ1PVnJsMTFH0Bm -7SmkYOCpETleXjU1MwHZIvh/gGa/CjLZhop26FkK2oqENl7iaM9vvqxxQ8H4Niit -ay3cn+aB9o8MjTH9Ki9iH0LS6bwtqqRimXXX0sx3HTUnFxD/7tzE7s6t7ayk+rIJ -6mBeQAw3UjNzjtLTvSxHoPFto7z5imF+6/v236UlOTdQpkbRS1KlxA8wm/NisWeq -TLjPh5BkZof+CwTUoAFK+WILsIHuvVY9SZBNcsQvsBao/whRR2Z8bU1HDAh8jHnk -4wo= +MIIDijCCAnICFAa1gku/rBMKem53dr6+kaDTIvSCMA0GCSqGSIb3DQEBCwUAMIGI +MQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExCzAJBgNVBAcMAlNGMR8wHQYDVQQK +DBZUaGUgTm9kZS5qcyBGb3VuZGF0aW9uMRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYD +VQQDDANjYTQxHjAcBgkqhkiG9w0BCQEWD2NhNEBleGFtcGxlLm9yZzAgFw0yNDA4 +MjcyMjU4NDRaGA8yMjk4MDYxMTIyNTg0NFoweDELMAkGA1UEBhMCVVMxCzAJBgNV +BAgMAkNBMQswCQYDVQQHDAJTRjEfMB0GA1UECgwWVGhlIE5vZGUuanMgRm91bmRh +dGlvbjEQMA4GA1UECwwHTm9kZS5qczEcMBoGA1UEAwwTYWdlbnQxMC5leGFtcGxl +LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAM/j3KMwRLnWx9gb +hpzTqNHsOdKLMwOBb7RXoIU+C6/qnUPTxoEDrSaFjz62OxuKfcNhGJMHYc3sL2y9 +nZwB98or1b/jQbr6N8m4HojyD4u11n2FWLDZELSTg8UvOkbdWwlGkzhZ+iz+5tmo 
+G40Ys34rrywAVTSNtStrh20lBcyLtKUWUkhTHaDXQ4XfXa4lxER8VWA0DDgQhnYf +tuYa2kTSndR8GKvgdPLmfPiu5gJtvM1YO5ftEgZlJe2ppBzs/1A++4vOymV94jxL +ahFMtEiAMRq1ckWUhbMa7WQXteN+06ucUfBFYgIrqOipLN0uFJLTap+ohEUkVVnx +A2rXVuECAwEAATANBgkqhkiG9w0BAQsFAAOCAQEAy0rm8E+PR+ZuaQsz8Q3s0Y7I +fNICuwEyByMcwiwCjvMM2FwNZbnmagmSQ2eo+jD0GMAcBLS61AWhC8tPqO6DfFOj +7L07NYJWTKQMqAsv3n6Nl0uXd8Aa4iGDhsMeTZXXk4E/GsZZ8T4pDmE8TtY6285Y +ONU7uKKFcnIfQwtcEUnpwqSAYmQxKa+rhQ974rW3hBCxvtrwNRXsMjCoPyfkIuOz +9P6ThZfMWlmuKg852Yi2VglaOrxakQInQGz4Q0JHyROd/e9m3J+t/QFR9VqtRnX8 +UEOlxD8iazk//VFd7WrO2jzqjXFIzBNrdvmsNsP+8uIjrGJtHdKeHL7v5V687A== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- -MIIDFzCCAoCgAwIBAgIJAJHwBmNgafKfMA0GCSqGSIb3DQEBCwUAMHoxCzAJBgNV -BAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0YxDzANBgNVBAoMBkpveWVu -dDEQMA4GA1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2EyMSAwHgYJKoZIhvcNAQkB -FhFyeUB0aW55Y2xvdWRzLm9yZzAgFw0yMjA5MDMxNDQ2NTFaGA8yMjk2MDYxNzE0 -NDY1MVowgYgxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTELMAkGA1UEBwwCU0Yx -HzAdBgNVBAoMFlRoZSBOb2RlLmpzIEZvdW5kYXRpb24xEDAOBgNVBAsMB05vZGUu -anMxDDAKBgNVBAMMA2NhNDEeMBwGCSqGSIb3DQEJARYPY2E0QGV4YW1wbGUub3Jn -MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0HnUahyfA25t8kaziu0i -vVMkTWntm0pJ8oemeO7yCGaY4QHEwN+QUzrzO7y7ngl2Dt76eEvj0mrgaW8Ao7Ns -ePfp3663g8RrBsb4cR1da2Tc8kpXCqgwbcTlm8HI/7OAdHGA2YDLNv7iyVk9meHM -gYfO9dVgrZ7RxfnGwNMJdNjYJrd02xeU6euoKl9j/ZWCG5xHAM2xAXOKHGm8toIm -+Ss6iZXY8kypy7Fjwyv7jMT8V+pzIWu24xd3Y3s07r59nkFmQ29nHMTaLP7Tf3TY -MBI5mp8fet732aBoywpQ/w05LR9gdM1jpUvIlmhj4qGskv17AMEmRecwic3opq/b -yQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBCwUAA4GBADsFOR+N -Bcm2FyHOutoFpQn70qAFg0xlO3NTH87uubbs6rf3LDrsskhjskfs6wpUk56IJOoU -H7+F7aDDtSrnxzxxC5eZeGyaN05T5N01OdK3xvqUnr7mg/Ce0jnxrZhxHI8SHOqs -Kwrg4fRasUHGhH286Y13xOj2pLSrVoSbkXsA +MIIEaDCCA1CgAwIBAgIUDxaIwCfB2vttbQL/LlnVg4mwMUAwDQYJKoZIhvcNAQEL +BQAwejELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0G +A1UECgwGSm95ZW50MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTIxIDAe 
+BgkqhkiG9w0BCQEWEXJ5QHRpbnljbG91ZHMub3JnMCAXDTI0MDgyNzIyNTg0NFoY +DzIyOTgwNjExMjI1ODQ0WjCBiDELMAkGA1UEBhMCVVMxCzAJBgNVBAgMAkNBMQsw +CQYDVQQHDAJTRjEfMB0GA1UECgwWVGhlIE5vZGUuanMgRm91bmRhdGlvbjEQMA4G +A1UECwwHTm9kZS5qczEMMAoGA1UEAwwDY2E0MR4wHAYJKoZIhvcNAQkBFg9jYTRA +ZXhhbXBsZS5vcmcwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDQedRq +HJ8Dbm3yRrOK7SK9UyRNae2bSknyh6Z47vIIZpjhAcTA35BTOvM7vLueCXYO3vp4 +S+PSauBpbwCjs2x49+nfrreDxGsGxvhxHV1rZNzySlcKqDBtxOWbwcj/s4B0cYDZ +gMs2/uLJWT2Z4cyBh8711WCtntHF+cbA0wl02Ngmt3TbF5Tp66gqX2P9lYIbnEcA +zbEBc4ocaby2gib5KzqJldjyTKnLsWPDK/uMxPxX6nMha7bjF3djezTuvn2eQWZD +b2ccxNos/tN/dNgwEjmanx963vfZoGjLClD/DTktH2B0zWOlS8iWaGPioayS/XsA +wSZF5zCJzeimr9vJAgMBAAGjgdQwgdEwDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQU +Tc8o3KouldTCYNQHvW09ZBv9sW0wgaEGA1UdIwSBmTCBlqF+pHwwejELMAkGA1UE +BhMCVVMxCzAJBgNVBAgMAkNBMQswCQYDVQQHDAJTRjEPMA0GA1UECgwGSm95ZW50 +MRAwDgYDVQQLDAdOb2RlLmpzMQwwCgYDVQQDDANjYTIxIDAeBgkqhkiG9w0BCQEW +EXJ5QHRpbnljbG91ZHMub3JnghRsoeMhBMOB34RpWIz6SD/UwaqquzANBgkqhkiG +9w0BAQsFAAOCAQEAKtd7q+5123jVDzpydg4o3FO84u/1gzlkQ9gAc0q48/ePD/0g +GTeTLz3fODq84l0Nx0g2XbcnrnH/07dzykZokAI6TFhv9qioeMmZa5UhwLSFynXJ +tqP26jA2/dpofGrVV2up/dJ9nw/jmvsRTigvIjkPyofFyxyssNmUIOXgEB6szthQ +mg0VKqgcF3yPDFiSMNh7YnxKd6Rsw1uujtRR+dbkLJs3m0sk+MNra7+LIfqVU5Iv +UyieguUmYYtW9rWTjxVCEl84teryIFJK81GlX/wiq1Nx3DZj+DCSwJMdl5DDzvH8 +EnE1L+MapqCnP0eAmNdWwF5SVxfKUwtt6uPpYw== -----END CERTIFICATE----- 
diff --git a/test/fixtures/keys/agent10.pfx b/test/fixtures/keys/agent10.pfx index f1df772cbbee1bcda61fe8bbf7467023219bb58b..fc6a9a20b1f7c116415971d84049f92bdefb7ee8 100644 GIT binary patch literal 4736 zcmYk9XEYp+w#5ww(IbfHqKt0z=rwxpy^P*_3`QINqD2d$3^97t=)L#eNf5#aq7%K| z-1XkO_kB3)tn=IJ?2mh`4Th7z&;b}=I0+xtGxjK@s4D^hHXsj9!iWhcq5F%ez;OJ; z|4LYSaQv{p=d94u;3r2H+m_#J~Rx*5$<6{Z)f(> z192*)a(cXO{SSLh8M*$Hct_Yz3ucLjg!;b8^;(Ad(*z^|APM&jv7bj-_8*%H4G~Sj z>;*ITB2T3Y3(_s5;>;JF7)53)Wwb3uD16Zm)z1$8)W80&Tqn**l)JIRnBRZ>gZ5?N z#tSj-YCyU}L35p|@a;t&X0J5sFh;TELAK!Pj51wc^1EY*^l*2zZ6u17;2$8KdfK{znI0)v3! zwYN6$n>`!?NI~fye#xkqv+ILG_CSPO7ei>dxrSLd!d1E`-^VOgsL(fWqe)Uu; z&@HgaI?O{+)Ua{H;I7JsHS}`cO6_{PEU{Qgd$O<7BPMS;6~mI#d?xy5sV!p&QDn43mN>e_rCKxJHm9~` z=EeaH%%zHqj0><7@=Weni4gnmHX*AULG&%sJ;zJ1F%qVjb~R4rOahtp?Y-~Ro&p|G z(}L7T;%zYJyOW+CMShU-EA8(;jvS*)Lk*%E9c)v5S!u9lZ>l2pCrHK4sGmW{s+Cbk z-U3c`!wCVQfqZW)Z#%Vln_4V$2yVp_)wg5If=Pdm-aO<@2dd;Y6f45`AFVcUfiNdO zaJ6Y6vJMP-mcF5}gp@ht!O@0w-&Kk|y~5xH4D(npxg7@dXzPfqmf!vJqTPMIf25>M z$d!ittuq{HO?Qs9BaREC5xJIA*Mt+-kk?4SLH=LJr>o=%5r&>e#(>m$+?8#s9gSf zW(c{Ewpb^oI?0JIZbdcgL3Dw(=P8pR|20;>Mu-Javph5PX|``Zr~sty_9XXlP-t0F z$u1d98ttc8&voIjFI6W^uN2!l6iO79qBS~IU0j(10_8MVm0bc7^P~q;3cI$~&r)Y@ ziKn~5_()+F&E)W5^WBqkHj<1}O7HJTfPSNU;aA37f6k9$C7QzoL{vchrjaWyUG_T ztoNn}{U6GnE=g~H8O2>2w+PjP8ZvrnC>x(P&#n~p5ZZ+c-AS&){e%AZsn)ccpW+#k zDCEyYvMO7h3&>NxwbECFc{wr$9iLJB^v;ojjJrr0s2@0gt^T&6SWHGLW7f#SNF!VG^%zx+;AN95%hUI000g1EegdC|GC z9-Kt~Lu|g`1G((8U9VC(CuR%VNTpXQk&gmK*Yh<-Q4;XB0?Bp;Efe#NXt14KMzq>? 
zKN~L6??ODuIj{N*kFnF>2vBA`URk=x$f0kPLtHsC zh>93u=*uRS(p^coH%FKKQsOn+F=ASbgmTLnk8U0(+*u3!f*vO2w#Oe`7Un3+x=E1H zX}hgNlI(sBo(pbPd03X8(Kl5zLlP;_FqD+Qtu*PlfRiTB8m;z6UR92-0Y;HFzv_=9@bWML(WeX3TE#28BpFu5Lc!874eE!s*j&cpvr0=El%Q zjK!T3e3*bw{1_?)=MA_79pZ_~RIKNK&IvA_#Ton(ry-8E;lH|~TA0b>Y;$buI3yI8 zUv5AZ_~+2D1o4kKu#!n-M;rPG;Tv_h!>HmFqj;f^%wX7>m@M#`70)TYb~bz2&F=Xq z&WlSt_Aaxc1+w=-jwxq31Ld0)uNS5Yrc1I+$^{r$L(1CXIlekZQ?Kf^(4z3;7vjhZ z3gkX&cc`vKTwpYPP`#>BJin@Mo$M}IrwB3M+Z2{=;J>sL9QYKlawREjacaDu80d#A zu2|H>`eoqTUkjbNV|v&Woij=Sg)ar)UY5oP@V^<_KxCWtOK+M0feR++_!ST&^v)(^DK^c+&5XbWj^gxGD4yYtM{4 z_G9tW)Y7P=+*{xrZa$1E#BykO%xh{WxfJ)VJ#h_88iT%^@}yo@IO|+w%q)DE)8gCa zR(dvzuGQo?HiX5UHyq&eQ^GhcMl!n|j#^#ZnCX}egR4PafzNL>2l~rU zu7Xn~f`?b;o|p?+2! z`}o=*jZXnL&ky@%FSW%9QYoq$VG-hlT|uc_4E~15$r7?Vs_UPGLOjs0HgzVtC$Vo= z58H#`b6JWOu>D9`Pxs7RcCcG!x4C$P3%*~*jOJCYySs4~X!_XXly~0+WhNA-8QTI1 zz(g#LX(nIG2)wi53m#bj!-0|iuXyCafqs~9px0mQ_II4H@cyrc-~!P9ioAaz7ufJW zA3y@I3YhJ`Cq9@O6X(_Gy#Jh33*g^f1&oh{^FJ2o&wyxP8mwnlQAz+i3`_t!CUJ{2 zdUP3-fUC)G9k=LF>p3PIb6W9QcVkKfa0l`>=oqH*~SI~VrLNJRa^r}|`&?8PN?M%as( z^j5OY%tkO;k<@wz$~3NuYkbFkI?T}yqga`uf2BvD>8wzB|JK+2?nWZ8TEkl@lLq>92e^h>0BHxuUD)~)y_kK3rwjaD<{*fk3!sM%uArFp1SSxnEM zg}L;E)3(>TF@g1)4Z4x+Ha|uIWyxXAEKn{XGzL78q*hslw~fhN4Fq{KbA&%+-u#~1 zgLy}YR83dNrNa(B4u9)4>b#z*GTgVzyG^a2wia_h(To%HQkNiE`fG>EkhxO2kWS8^ zKOEyM)9a5y8U4Xl@+n8EE9nvG65IVolMxHOAO?OpX>oJKeDqin$$59B_%kSxC#-tX z;4>ednNTvB;qFxIyx74`S8IDyfApl^*Z`q1f)WF zI~>bN)n1+-WrGIxwU5kiTnXFjTmJ#3brm~bf88V|`n2?%(m8G0ufp@T!m5=6UxIZw z@an`zm5&u00k5Pw3C6e)yu;=}CN%sMYaLNxntqVdnH|FW*>}%1mnY4xxmhg}L)M;R zd?w5wRX<~e?(`P1_uEwhls2>~UU&be;mYXsLSY6{nmnr=%alVOMq$JA+ zi~Q9;bwVI6QS%7K_@WD7Ab+T61X&XYV=>_fsd|Oliz&LquRpd3J_BfaT9*NhBxjc#aNsb{0H$YxysQtxtQvkk%Q{_ME5mNb-uY z^0p2y7cCc6m(8mgFOy&a#GV#o4%K7Z?U{SVuDP$A@VEK&A3OQC?-o9iLzEH`;(#J% z8G+MwEYj&eg|u=UG+@3|2gzHNK-xOx^p`?UFzCYA?C%qLIu`B7S6o+Givf|kzAh0g zI|gnM9!!l0B&&CEE&=)c-U_CIZ5uyX`Q{SMVYij}Ui2J^GII?sOf0v?1>)&KDA1uMM z+&6%<7(QyN9z#w{F+OvAA5x*g>^wC)DFFU-a;I0ASC#M<8%C-BJxw&yup7TEdyD0X 
z<_C%X52x~G%c<+H9^}iapi3RE`jwi*Cs2=_JwZJqjd%C2Rj_s$}btWNYEVf7Z>6212tERyJ*Xp0bpkZ94nL~qe0R*5cp zStR1-&fGS0AO1Nr=ggdk|KZGsK*JXC0R#v%tdNj||K*dHI4FP!P=to10MW37fA(tx z8Y1_<5n&M;g7{}Wzz5*{6Yl>_00<^R@P9Rs{%a%y633WT-ED3he!#~k#*09MuPPhP z=H<_{o%-#DB>C^_eo70gdkTK?L&lKx_4Y^W~H#I=cS*h`K*JNbL(F#S1DVk>QYuN&%sSW6TZKAiNaUkQUsjW^^B85 z)yCT&f4Qvp%j~(oRh*rMeVhEX2EHI7-AxnkiM&5uL9AXsp>mJGavLrjSiv?4bd4K6 z4yKrv53ryhQA9Don**u?M_Y6^7sN?4-X=rc$E8eq~M z1>-o(_~ahjx^_ZNGf)C8%Z^ob!*zze;k!#(7+DQ$+Gv0epL=np^MSj{95frB7x%CY zWZ7eiGPu*TSBBRJbGg?^=9D>}rN=|Nq8e7W*)x?~VC2@P-=5#||6V0wii`=*x%3Q9i;*RVH~ zOh>i(-RuVEg-qcS^9@-Ern)=td_GWXf8x&X zXwzg0^XNqFbS0@G1Xj`-P9pZ>8OCsAfr-{&)|Jg)n(X zoXg;r$1-y(@E+eSH|I`Fc)iL&Q|>*o$t z=C3Lti}H;gJVKqEIzHP9^+H>HO0>l6nkMVt@XHw>8Hp-IpT{ z^YX5$;^F=G?=xe@YZdqQ$SjJhzsmdb{3Pg*vQBKd-O>^`b za_zXAx@T)QSBxJ@3g4#1mBVKWRF$TWmyaG__JKeXx#X0EP#GL5f>@SShoXr1`^!`V zNAww|%f5Zp5Xss10SY74)C1j7?TX(Gx6W1mIPNqp`l}?%R{^hN`#^pR8C8q9sh`v8 zo-Ed(;#+K>66X_`$p%gJP;{b?-gpJum@!Mpg#u@*JFi27%gf^Vd+MD*Dg$O?q`Ril zZIDAU^dZT^?Zv&oJ&#KWbF+xOhRt1`r47(R(ykwytCVX1CzV zAGqTGVX&Ln9+aj~LJ%sI(W`SsDlE<0b9}2o_8n6=ulv^Y{oXbKbPLaIikQt4`#_Pf z0@*dgfCN+~^%1UZ|9}lir|ny=$53A@ z%P$((`Kdla<@FnS(*1TTPvknQr2a(P=VRy_)J67s&RoFydO+$hemZ) zu!mht)_T~@w#}NkJ{J44FPHT9mey3=*#S&9)+ zfEkYMmUrWudl}eI-b?{<&CPl8k?9v^dY<8-#bzr@OHLbJq~dfE*jnH)FH9(2^c@+7 zejC*_*&YEEZG^XWR?!9AmVfZ;(Yr)ZbmJUQR&7sj9H;r(D;w0i_{@I&5up zHP_5R{RRr$if0Eo;S)tKKRS754YYnX780j+s4!>Qcr2|S=f=R6R&RSM6jo)&9BNu& z*}*EfvV55IWX;$5)$(KAciaVQl!I=ezx8(huI9+U;MLqrY5rAuoo8ofs5CRN$VfW^ zNG<*Bl|9=B3;jY7)LOQfe`JyV1(_02AXJoKC?}mj)PaOap@0q9krZaD-4qoCg64j! 
zbjM`<1X89)zLmFWmsQfGTTTG^f-n|1HHX`CEfH|8I4_xxS3A21HY&wlrdMnr8NhP{ zQgY|K2#YN$!s8hD{oT5&rKC+E_9SeDKbwOKEW(OMd1!eM;3}PGW5xhdL)BzUh|j6u zEj6*<^D`()K#n3!>1kU-b!2)QLV_8?JLTnhzR7u#)osnYBra!*^}Y4DD%Yt6UFo`7 zC&>rDrlni+>%jPx^stvb{(3cqy1B2us8qJ7Z5?b}>{lf!AjnMKXUJ&p0K`JY%pd+vB^k|vP>m_L(p!xZq{L%N!=g(>_Jcuj*!t1RpA|4$^CU&JxOxt7Pmy+_8qjV-` z_o)MY>(eGtCB1Q1*ShJv!`syihpxa|_@8c>@W6H9_123nu@=1G7>Cm-fW%>BY3p8K zm82Y$Jf!#i$6blb_0zPZ2Su6EQQT)r4Ijn!GIpny#FBF?lWs|UKGRXP&(z}hNwMOl zs$5WazI3hhx$KIDu$8IR8|XZ9?0Sh;9Da@@L1<~SZUkqtz&!9BJewF9m0rTQbFe%W zS^hS-EV`P4^z)JgH;xFV*am0$nL5cxS5*FG#_+f{YAZc@Qg9;ywAsEl`9rPy4b+^| zX#O-_#u(@wbS8i=7_bN}+gn=b-6t4INg4PtmExWa<`(3MC}4eqyIctW(A{DFP*&1u z4MB((zlfD|$8a1;`)82J66aQ)4d|FYGYZdHxvZYPlmk&J0ju=?6haVX2FovAfMst1 zvbJ$x1{wYKa63JQQNmUc4y-L%Gl*W67Fvj%cCH)Z&>L4NwIW^}zF z%%xS+rI7W}i}NX`Aq~g(sy+~*4%UrjY_8TIg28RKE2n&^TXMxEnQG&M|4L3y>GKWM zaqMXLOIBCAzibArkJSjdY2VF!$Dd`zpq}22QA9D{CvfXW@JlggjGKz?5#P+n&U4^P z3w$Cl_T7Y1H5xTkUax~TYy$8TgErW*JT%=EPRHEW7R0{_VoK{s)!=@NP0nktn$@3L zT4Y}C2Oby7K=8CenX0yAlPDMV;lC9-_+unHA9qt z_`tVQA#APO6Rr&280vf6&*C(zY*QUpvUf_4I~m;`o;|-vtn=v3o2k5p8E_ zA5f=;utb@TJ<}V1=V9en=n=z`KmXvafjPGtl|r46y?7l%S0|cTUQ>7{>U8r2#N{WK-x{G zE@B@L_Z~U&W6rU}taQvP$Ll`E^ikznx`zF$y6R8n3c8=L@-qbzy^7s*o1XL_jom4d zIAIHOIE;KMTl3v$eNwGGwZWL-+_^2L|0&2dayV}UK>jAx+4-DUz8+Zr_j8S&ycVSe zw(m}9+|yg>Y%|PFua#X(W3QQuh&CnYnf05j4-Yv)@t?HOu+Fz zRlqm;8mzltiAl&n*c{nApJzlMx=gt-Z>J&jJ5nChw~(E z?W`v9j=@SATYj-ZyLQ&f6?jWW{*!KXVq?`lk$YAAz)6d2Jna3rg<9|$A=_|y znLn+-$2BF`Do)l)x4y+?aV2c=T99GHJ%p+j__N#NiY~MdE?1e;YHk3)5;?M<>yIA*Br*AHPjAo5%jCaVZk?iwW0~8Yiq1cA zbY||mMv2BxnwpY2XC3H2(4_t5qN=p@HwxCzKi!XV@rdabu&$?Wb$Qcs_?Mjx0m-~& z^`eTppKRKNc{qZ~<-|5+JEZY_N=WUQd5C$|U5R`}>)j2Z;F^3nVI|_1{^$ywAM-tx zD!DjgZH@WYgxP+6Vph}k>u2bQ2JtS}hSR|50pE7J)Do%Eva%2D?4pc^uB5QHvc-UD z{CbjW`2aTFa9vPdyIzC1FF}Gq>lT+LP1^wiu(s69J|p>YdFByt>nJ+)LR!sK#r_Cg zNvnR6ovt5n^Kno&+_fc@dihnPD8NOK8^QTM>qtT^NCTwW1pn$*@qOm^zRjjZktaho z2-kFh5Ja#eNC-jq$q4WnKzKkZ{}$!JbD}id5FfLs3WO4hx-8QK5>vxZFxHJV`2V?* F{{d`mCA Date: Tue, 3 Sep 2024 16:27:53 +0000 
Subject: [PATCH 09/21] test: fix test-tls-client-mindhsize for OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Create larter 3072 dh key needed for testing and adjust tests to use it for builds with OpenSSL32 Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54739 Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca Reviewed-By: James M Snell --- test/fixtures/keys/Makefile | 4 +++ test/fixtures/keys/dh3072.pem | 11 ++++++++ test/parallel/test-tls-client-mindhsize.js | 30 +++++++++++++++------- 3 files changed, 36 insertions(+), 9 deletions(-) create mode 100644 test/fixtures/keys/dh3072.pem diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index 313183f6d6e3ed..f562df27047526 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -24,6 +24,7 @@ all: \ dh512.pem \ dh1024.pem \ dh2048.pem \ + dh3072.pem \ dherror.pem \ dsa_params.pem \ dsa_private.pem \ @@ -594,6 +595,9 @@ dh1024.pem: dh2048.pem: openssl dhparam -out dh2048.pem 2048 +dh3072.pem: + openssl dhparam -out dh3072.pem 3072 + dherror.pem: dh1024.pem sed 's/^[^-].*/AAAAAAAAAA/g' dh1024.pem > dherror.pem diff --git a/test/fixtures/keys/dh3072.pem b/test/fixtures/keys/dh3072.pem new file mode 100644 index 00000000000000..50e0533d891b8c --- /dev/null +++ b/test/fixtures/keys/dh3072.pem 
@@ -0,0 +1,11 @@ +-----BEGIN DH PARAMETERS----- +MIIBiAKCAYEAmV6aZ8ADnmRQoF9aGlV1AmajCkoc2eEltua1KpGFrxM0cr99gcS9 +/zxTDo8ixwPoHBOOBD+9MN6KbSJ+61xvu9yQ2qt8HfNcUI7QZxdVQ4ZHCQM3Jw8h +BPHFgjpx8w/pteZ3+L42felUxbd8/qfDv+gKsfuxrm6Ht7zzKLfbX9oNdJwpxX7N +yGP3nNadYDM/ZmvmEY8xh2dwLHSMaAP1gxuWiitdYXX60Yg6EFgIotznqbdW075D +KccGTTseFx9gNbxYkW33qX/p5IAf3wRFmptiRWCol88NHTDqtQRs0nhVQ1R28tiL +rQhSJLHLSa4esF+whfC64oXECr2AtarcKWG+LX1dEWI4SXqurnBPiBoyqfVWHS4b +PVgR90LlBJoXqblhsVrd+CkJI7ULDJmSA/cpgCqXH6vSvhb40yr5rpU4vZz+zhHY +CTXVpH95JD35PiZOfQYhfDA4LGvfICPLIH7E8YL5v2F6Xxsf8trI5KiAs1S3TN8b +lsLV6og5VoPXAgEC +-----END DH PARAMETERS----- diff --git a/test/parallel/test-tls-client-mindhsize.js b/test/parallel/test-tls-client-mindhsize.js index 92ac995936825d..2295f1f064f3ad 100644 --- a/test/parallel/test-tls-client-mindhsize.js +++ b/test/parallel/test-tls-client-mindhsize.js @@ -35,11 +35,12 @@ function test(size, err, next) { }); server.listen(0, function() { - // Client set minimum DH parameter size to 2048 bits so that - // it fails when it make a connection to the tls server where - // dhparams is 1024 bits + // Client set minimum DH parameter size to 2048 or 3072 bits + // so that it fails when it makes a connection to the tls + // server where is too small + const minDHSize = common.hasOpenSSL(3, 2) ? 3072 : 2048; const client = tls.connect({ - minDHSize: 2048, + minDHSize: minDHSize, port: this.address().port, rejectUnauthorized: false, maxVersion: 'TLSv1.2', 
@@ -60,16 +61,27 @@ function test(size, err, next) { // A client connection fails with an error when a client has an // 2048 bits minDHSize option and a server has 1024 bits dhparam function testDHE1024() { - test(1024, true, testDHE2048); + test(1024, true, testDHE2048(false, null)); +} + +// Test a client connection when a client has an +// 2048 bits minDHSize option +function testDHE2048(expect_to_fail, next) { + test(2048, expect_to_fail, next); } // A client connection successes when a client has an -// 2048 bits minDHSize option and a server has 2048 bits dhparam -function testDHE2048() { - test(2048, false, null); +// 3072 bits minDHSize option and a server has 3072 bits dhparam +function testDHE3072() { + test(3072, false, null); } -testDHE1024(); +if (common.hasOpenSSL(3, 2)) { + // Minimum size for OpenSSL 3.2 is 2048 by default + testDHE2048(true, testDHE3072); +} else { + testDHE1024(); +} assert.throws(() => test(512, true, common.mustNotCall()), /DH parameter is less than 1024 bits/); From c7de027adbb9a187afa829ab298dc4f66deb7134 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Sat, 14 Sep 2024 09:25:24 -0400 Subject: [PATCH 10/21] test: fix test test-tls-dhe for OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 - OpenSSL32 has a minimum dh key size by 2048 by default. - Adjust test to use larger 3072 key instead of 1024 when OpenSSL32 is present. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54903 Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau Reviewed-By: James M Snell --- test/parallel/test-tls-dhe.js | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) diff --git a/test/parallel/test-tls-dhe.js b/test/parallel/test-tls-dhe.js index 46779b09ff6b8f..21739ce42428eb 100644 --- a/test/parallel/test-tls-dhe.js +++ b/test/parallel/test-tls-dhe.js 
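Review bot: `test(1024, true, testDHE2048(false, null));` calls `testDHE2048` immediately and passes its return value (`undefined`) as `next`, instead of handing the function to `test` as the continuation the old `test(1024, true, testDHE2048)` did; on pre-3.2 builds the 1024-bit and 2048-bit servers therefore start concurrently and the 1024 case's completion path runs with `next === undefined`. The intended sequencing is `test(1024, true, () => testDHE2048(false, null));`. Whether `test` guards `next` before invoking it is not visible, since `test` is defined above the hunk; the new parameter `expect_to_fail` also departs from the file's camelCase (`expectToFail`).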
@@ -43,9 +43,12 @@ const dheCipher = 'DHE-RSA-AES128-SHA256'; const ecdheCipher = 'ECDHE-RSA-AES128-SHA256'; const ciphers = `${dheCipher}:${ecdheCipher}`; -// Test will emit a warning because the DH parameter size is < 2048 bits -common.expectWarning('SecurityWarning', - 'DH parameter is less than 2048 bits'); +if (!common.hasOpenSSL(3, 2)) { + // Test will emit a warning because the DH parameter size is < 2048 bits + // when the test is run on versions lower than OpenSSL32 + common.expectWarning('SecurityWarning', + 'DH parameter is less than 2048 bits'); +} function loadDHParam(n) { const keyname = `dh${n}.pem`; @@ -104,7 +107,11 @@ function testCustomParam(keylen, expectedCipher) { }, /DH parameter is less than 1024 bits/); // Custom DHE parameters are supported (but discouraged). - await testCustomParam(1024, dheCipher); + if (!common.hasOpenSSL(3, 2)) { + await testCustomParam(1024, dheCipher); + } else { + await testCustomParam(3072, dheCipher); + } await testCustomParam(2048, dheCipher); // Invalid DHE parameters are discarded. ECDHE remains enabled. From e9997388a60f5713764bd721292b9eec76de95ea Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Sat, 14 Sep 2024 12:55:40 -0400 Subject: [PATCH 11/21] test: adjust tls test for OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 Looks like test is forcing an error through bad data and the error code we get is different for OpenSSL32. Adjust test to cope with the variation across versions. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54909 Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau Reviewed-By: James M Snell --- test/parallel/test-tls-alert-handling.js | 21 +++++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/test/parallel/test-tls-alert-handling.js b/test/parallel/test-tls-alert-handling.js index bd86149bc5ac22..67680099da07f4 100644 --- a/test/parallel/test-tls-alert-handling.js +++ b/test/parallel/test-tls-alert-handling.js 
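Review bot: On OpenSSL 3.2 and later the `else` branch swaps the 1024-bit case for 3072 bits, so nothing in this file now exercises what a sub-2048-bit `dhparam` does on those builds, and the `SecurityWarning` expectation is skipped rather than replaced by an assertion on the new behaviour. If `testCustomParam` surfaces the failure as a rejection (its body is outside the hunk, so that is an assumption), the stronger form keeps the 1024 call under the 3.2 branch and pins the tightened minimum, e.g. `await assert.rejects(testCustomParam(1024, dheCipher));`, in whatever form the failure actually surfaces. The enclosing async function begins and ends outside this hunk.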
@@ -31,10 +31,17 @@ const max_iter = 20; let iter = 0; const errorHandler = common.mustCall((err) => { - assert.strictEqual(err.code, 'ERR_SSL_WRONG_VERSION_NUMBER'); + let expectedErrorCode = 'ERR_SSL_WRONG_VERSION_NUMBER'; + let expectedErrorReason = 'wrong version number'; + if (common.hasOpenSSL(3, 2)) { + expectedErrorCode = 'ERR_SSL_PACKET_LENGTH_TOO_LONG'; + expectedErrorReason = 'packet length too long'; + } + + assert.strictEqual(err.code, expectedErrorCode); assert.strictEqual(err.library, 'SSL routines'); if (!common.hasOpenSSL3) assert.strictEqual(err.function, 'ssl3_get_record'); - assert.strictEqual(err.reason, 'wrong version number'); + assert.strictEqual(err.reason, expectedErrorReason); errorReceived = true; if (canCloseServer()) server.close(); @@ -87,10 +94,16 @@ function sendBADTLSRecord() { }); })); client.on('error', common.mustCall((err) => { - assert.strictEqual(err.code, 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'); + let expectedErrorCode = 'ERR_SSL_TLSV1_ALERT_PROTOCOL_VERSION'; + let expectedErrorReason = 'tlsv1 alert protocol version'; + if (common.hasOpenSSL(3, 2)) { + expectedErrorCode = 'ERR_SSL_TLSV1_ALERT_RECORD_OVERFLOW'; + expectedErrorReason = 'tlsv1 alert record overflow'; + } + assert.strictEqual(err.code, expectedErrorCode); assert.strictEqual(err.library, 'SSL routines'); if (!common.hasOpenSSL3) assert.strictEqual(err.function, 'ssl3_read_bytes'); - assert.strictEqual(err.reason, 'tlsv1 alert protocol version'); + assert.strictEqual(err.reason, expectedErrorReason); })); } From b097d85dfe13ebb1e4e3144c47dbdaa19d205cfa Mon Sep 17 00:00:00 2001 
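Review bot: Both handlers now declare `let expectedErrorCode`/`expectedErrorReason` and conditionally reassign them, which reads as two mutable values where one immutable choice is meant; `const expected = common.hasOpenSSL(3, 2) ? { code: 'ERR_SSL_PACKET_LENGTH_TOO_LONG', reason: 'packet length too long' } : { code: 'ERR_SSL_WRONG_VERSION_NUMBER', reason: 'wrong version number' };` keeps code and reason paired and the assertions become `assert.strictEqual(err.code, expected.code)`. A short comment naming the OpenSSL 3.2 record-layer change that altered the reported error (it is only inferred from the test, so cite the upstream PR if known) would spare the next version bump a bisect. `sendBADTLSRecord` continues past the hunk.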
From: Michael Dawson Date: Sun, 15 Sep 2024 12:40:05 -0400 Subject: [PATCH 12/21] test: adjust test-tls-junk-server for OpenSSL32 Refs: #53382 OpenSSL32 returns different error text. Looking through the test it seems like the expected error text has been adjusted for different OpenSSL versions in the past and what the test is testing is not related to the error being returned. Update test to allow for error returned by OpenSSL32 Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54926 Refs: https://github.com/nodejs/node/issues/53382 Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca --- test/parallel/test-tls-junk-server.js | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/test/parallel/test-tls-junk-server.js b/test/parallel/test-tls-junk-server.js index 273fe9def4ecb4..2226ac93d283af 100644 --- a/test/parallel/test-tls-junk-server.js +++ b/test/parallel/test-tls-junk-server.js @@ -20,8 +20,12 @@ server.listen(0, function() { const req = https.request({ port: this.address().port }); req.end(); + let expectedErrorMessage = new RegExp('wrong version number'); + if (common.hasOpenSSL(3, 2)) { + expectedErrorMessage = new RegExp('packet length too long'); + } req.once('error', common.mustCall(function(err) { - assert(/wrong version number/.test(err.message)); + assert(expectedErrorMessage.test(err.message)); server.close(); })); }); From d2442044dbdb853f1e8c8b66eaea09f1c77aaeac Mon Sep 17 00:00:00 2001 
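Review bot: `let expectedErrorMessage = new RegExp('wrong version number'); if (…) { expectedErrorMessage = new RegExp('packet length too long'); }` builds regexes from string literals at runtime and mutates a `let` for a value chosen exactly once; a regex literal in a single `const` says the same thing: `const expectedErrorMessage = common.hasOpenSSL(3, 2) ? /packet length too long/ : /wrong version number/;`. The `server.listen` callback enclosing this starts outside the hunk.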
From: Filip Skokan Date: Mon, 8 Apr 2024 08:18:43 +0200 Subject: [PATCH 13/21] crypto: reject Ed25519/Ed448 in Sign/Verify prototypes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit fixes: #52097 PR-URL: https://github.com/nodejs/node/pull/52340 Fixes: https://github.com/nodejs/node/issues/52097 Reviewed-By: Tobias Nießen Reviewed-By: Antoine du Hamel Reviewed-By: Luigi Pinca --- src/crypto/crypto_sig.cc | 10 ++++++++++ test/parallel/test-crypto-sign-verify.js | 20 ++++++++++++++++++++ 2 files changed, 30 insertions(+) diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc index 64e788dcecaca1..a0ed640acaaa89 100644 --- a/src/crypto/crypto_sig.cc +++ b/src/crypto/crypto_sig.cc @@ -420,6 +420,11 @@ void Sign::SignFinal(const FunctionCallbackInfo& args) { if (!key) return; + if (IsOneShot(key)) { + THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION(env); + return; + } + int padding = GetDefaultSignPadding(key); if (!args[offset]->IsUndefined()) { CHECK(args[offset]->IsInt32()); @@ -547,6 +552,11 @@ void Verify::VerifyFinal(const FunctionCallbackInfo& args) { if (!pkey) return; + if (IsOneShot(pkey)) { + THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION(env); + return; + } + ArrayBufferOrViewContents hbuf(args[offset]); if (UNLIKELY(!hbuf.CheckSizeInt32())) return THROW_ERR_OUT_OF_RANGE(env, "buffer is too big"); diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js index 74c0ff53eb18b7..81adde1ba771c8 100644 --- a/test/parallel/test-crypto-sign-verify.js +++ b/test/parallel/test-crypto-sign-verify.js 
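Review bot: The two new `IsOneShot` guards carry no explanation of why these key types are refused, and a maintainer seeing a bare `THROW_ERR_CRYPTO_UNSUPPORTED_OPERATION` may be tempted to "fix" it by routing Ed25519 through the digest path. A one-line comment above each check would help: `// Ed25519/Ed448 sign the whole message in one shot (no digest-then-sign form); the streaming Sign/Verify API cannot yield a valid signature for them, so reject rather than sign a digest — callers must use crypto.sign()/crypto.verify().` Both `SignFinal` and `VerifyFinal` begin outside the hunk, and `IsOneShot` is defined elsewhere.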
@@ -774,3 +774,23 @@ assert.throws( }, { code: 'ERR_INVALID_ARG_TYPE', message: /The "key\.key" property must be of type object/ }); } } + +{ + // Ed25519 and Ed448 must use the one-shot methods + const keys = [{ privateKey: fixtures.readKey('ed25519_private.pem', 'ascii'), + publicKey: fixtures.readKey('ed25519_public.pem', 'ascii') }, + { privateKey: fixtures.readKey('ed448_private.pem', 'ascii'), + publicKey: fixtures.readKey('ed448_public.pem', 'ascii') }]; + + for (const { publicKey, privateKey } of keys) { + assert.throws(() => { + crypto.createSign('SHA256').update('Test123').sign(privateKey); + }, { code: 'ERR_CRYPTO_UNSUPPORTED_OPERATION', message: 'Unsupported crypto operation' }); + assert.throws(() => { + crypto.createVerify('SHA256').update('Test123').verify(privateKey, 'sig'); + }, { code: 'ERR_CRYPTO_UNSUPPORTED_OPERATION', message: 'Unsupported crypto operation' }); + assert.throws(() => { + crypto.createVerify('SHA256').update('Test123').verify(publicKey, 'sig'); + }, { code: 'ERR_CRYPTO_UNSUPPORTED_OPERATION', message: 'Unsupported crypto operation' }); + } +} From 6e7274fa53fe96b7582a8a8aabfbaf2792021355 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Hu=C3=A1ng=20J=C3=B9nli=C3=A0ng?= Date: Fri, 6 Sep 2024 18:07:16 -0400 Subject: [PATCH 14/21] crypto: reject dh,x25519,x448 in {Sign,Verify}Final MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Fixes: https://github.com/nodejs/node/issues/53742 PR-URL: https://github.com/nodejs/node/pull/53774 Reviewed-By: James M Snell Reviewed-By: Tobias Nießen --- src/crypto/crypto_sig.cc | 33 ++++++++++++++---------- test/fixtures/keys/Makefile | 8 ++++++ test/fixtures/keys/dh_private.pem | 9 +++++++ test/fixtures/keys/dh_public.pem | 14 ++++++++++ test/parallel/test-crypto-sign-verify.js | 18 +++++++++++++ 5 files changed, 69 insertions(+), 13 deletions(-) create mode 100644 test/fixtures/keys/dh_private.pem create mode 100644 test/fixtures/keys/dh_public.pem 
diff --git a/src/crypto/crypto_sig.cc b/src/crypto/crypto_sig.cc index a0ed640acaaa89..e6731638aa2c87 100644 --- a/src/crypto/crypto_sig.cc +++ b/src/crypto/crypto_sig.cc @@ -92,12 +92,15 @@ std::unique_ptr Node_SignFinal(Environment* env, sig = ArrayBuffer::NewBackingStore(env->isolate(), sig_len); } EVPKeyCtxPointer pkctx(EVP_PKEY_CTX_new(pkey.get(), nullptr)); - if (pkctx && - EVP_PKEY_sign_init(pkctx.get()) && + if (pkctx && EVP_PKEY_sign_init(pkctx.get()) > 0 && ApplyRSAOptions(pkey, pkctx.get(), padding, pss_salt_len) && - EVP_PKEY_CTX_set_signature_md(pkctx.get(), EVP_MD_CTX_md(mdctx.get())) && - EVP_PKEY_sign(pkctx.get(), static_cast(sig->Data()), - &sig_len, m, m_len)) { + EVP_PKEY_CTX_set_signature_md(pkctx.get(), EVP_MD_CTX_md(mdctx.get())) > + 0 && + EVP_PKEY_sign(pkctx.get(), + static_cast(sig->Data()), + &sig_len, + m, + m_len) > 0) { CHECK_LE(sig_len, sig->ByteLength()); if (sig_len == 0) sig = ArrayBuffer::NewBackingStore(env->isolate(), 0); @@ -526,14 +529,18 @@ SignBase::Error Verify::VerifyFinal(const ManagedEVPPKey& pkey, return kSignPublicKey; EVPKeyCtxPointer pkctx(EVP_PKEY_CTX_new(pkey.get(), nullptr)); - if (pkctx && - EVP_PKEY_verify_init(pkctx.get()) > 0 && - ApplyRSAOptions(pkey, pkctx.get(), padding, saltlen) && - EVP_PKEY_CTX_set_signature_md(pkctx.get(), - EVP_MD_CTX_md(mdctx.get())) > 0) { - const unsigned char* s = sig.data(); - const int r = EVP_PKEY_verify(pkctx.get(), s, sig.size(), m, m_len); - *verify_result = r == 1; + if (pkctx) { + const int init_ret = EVP_PKEY_verify_init(pkctx.get()); + if (init_ret == -2) { + return kSignPublicKey; + } + if (init_ret > 0 && ApplyRSAOptions(pkey, pkctx.get(), padding, saltlen) && + EVP_PKEY_CTX_set_signature_md(pkctx.get(), EVP_MD_CTX_md(mdctx.get())) > + 0) { + const unsigned char* s = sig.data(); + const int r = EVP_PKEY_verify(pkctx.get(), s, sig.size(), m, m_len); + *verify_result = r == 1; + } } return kSignOk; 
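Review bot: In `Verify::VerifyFinal` only the `init_ret == -2` case gets its own return; an `EVP_PKEY_verify_init` result of 0 or -1, or a failure in `ApplyRSAOptions`/`EVP_PKEY_CTX_set_signature_md`, still falls through to `return kSignOk;` without `*verify_result` ever being written in this hunk, so a caller that does not pre-initialise it to false could report a failed setup as a successful verification. Setting `*verify_result = false;` before the `if (pkctx)` block, or returning a distinct error for those cases, closes that gap; whether the caller initialises it is not visible here, and the function starts outside the hunk. The `> 0` comparisons added to `Node_SignFinal` are the right fix, since OpenSSL's `EVP_PKEY_sign_init` returns -2 (truthy) for unsupported key types — the same value the verify side now tests for.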
diff --git a/test/fixtures/keys/Makefile b/test/fixtures/keys/Makefile index f562df27047526..3339f4b912dc92 100644 --- a/test/fixtures/keys/Makefile +++ b/test/fixtures/keys/Makefile @@ -26,6 +26,8 @@ all: \ dh2048.pem \ dh3072.pem \ dherror.pem \ + dh_private.pem \ + dh_public.pem \ dsa_params.pem \ dsa_private.pem \ dsa_private_encrypted.pem \ @@ -601,6 +603,12 @@ dh3072.pem: dherror.pem: dh1024.pem sed 's/^[^-].*/AAAAAAAAAA/g' dh1024.pem > dherror.pem +dh_private.pem: + openssl genpkey -algorithm dh -out dh_private.pem -pkeyopt dh_param:ffdhe2048 + +dh_public.pem: dh_private.pem + openssl pkey -in dh_private.pem -pubout -out dh_public.pem + dsa_params.pem: openssl dsaparam -out dsa_params.pem 2048 diff --git a/test/fixtures/keys/dh_private.pem b/test/fixtures/keys/dh_private.pem new file mode 100644 index 00000000000000..25c4edc5ea5a3b --- /dev/null +++ b/test/fixtures/keys/dh_private.pem @@ -0,0 +1,9 @@ +-----BEGIN PRIVATE KEY----- +MIIBPgIBADCCARcGCSqGSIb3DQEDATCCAQgCggEBAP//////////rfhUWKK7Spqv +3FYgJz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT +3x7V1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId +8VihNq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSu +Vu3nY3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD +/jsbTG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhKFyX//////////8C +AQIEHgIcKNGyhQRxIhVXoyktdymwbN6MgXv85vPax+8eqQ== +-----END PRIVATE KEY----- diff --git a/test/fixtures/keys/dh_public.pem b/test/fixtures/keys/dh_public.pem new file mode 100644 index 00000000000000..b32815e88acc8c --- /dev/null +++ b/test/fixtures/keys/dh_public.pem 
@@ -0,0 +1,14 @@ +-----BEGIN PUBLIC KEY----- +MIICJTCCARcGCSqGSIb3DQEDATCCAQgCggEBAP//////////rfhUWKK7Spqv3FYg +Jz088di5xYPOLTaVqeE2QRRkM/vMk53OJJs++X0v42NjDHXY9oGyAq7EYXrT3x7V +1f1lYSQz9R9fBm7QhWNlVT3tGvO1VxNef1fJNZhPDHDg5ot34qaJ2vPv6HId8Vih +Nq3nNTCsyk9IOnl6vAqxgrMk+2HRCKlLssjj+7lq2rdg1/RoHU9Co945TfSuVu3n +Y3K7GQsHp8juCm1wngL84c334uzANATNKDQvYZFy/pzphYP/jk8SMu7ygYPD/jsb +TG+tczu1/LwuwiAFxY7xg30Wg7LG80omwbLv+ohrQjhhKFyX//////////8CAQID +ggEGAAKCAQEA2whDVdYtNbr/isSFdw7rOSdbmcWrxiX6ppqDZ6yp8XjUj3/CEf/P +60X7HndX+nXD7YaPtVZxktkIpArI7C+AH7fZxBduuv2eLnvYwK82jFHKe7zvfdMr +26akMCV0kBA3ktgcftHlqYsIj52BaJlG37FRha3SDOL2yJOij3hNQhHCXTWLg7tP +GtXmD202OoZ6Ll+LxBzBCFnxVauiKnzBGeawy4gDycUEHmq5oDRR68I2gmxmsLg5 +MQVAP5ljp+FEu4+TZm6hR4wQ5PRjCQ+teq+VqMro7EbbvZpn+X9kAgKSl2WDu0fT +FbUnBn3HPBmUa/Fv/ooXrlckTUDjLkbWZQ== +-----END PUBLIC KEY----- diff --git a/test/parallel/test-crypto-sign-verify.js b/test/parallel/test-crypto-sign-verify.js index 81adde1ba771c8..1d742c6801c233 100644 --- a/test/parallel/test-crypto-sign-verify.js +++ b/test/parallel/test-crypto-sign-verify.js 
@@ -794,3 +794,21 @@ assert.throws( }, { code: 'ERR_CRYPTO_UNSUPPORTED_OPERATION', message: 'Unsupported crypto operation' }); } } + +{ + // Dh, x25519 and x448 should not be used for signing/verifying + // https://github.com/nodejs/node/issues/53742 + for (const algo of ['dh', 'x25519', 'x448']) { + const privateKey = fixtures.readKey(`${algo}_private.pem`, 'ascii'); + const publicKey = fixtures.readKey(`${algo}_public.pem`, 'ascii'); + assert.throws(() => { + crypto.createSign('SHA256').update('Test123').sign(privateKey); + }, { code: 'ERR_OSSL_EVP_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE', message: /operation not supported for this keytype/ }); + assert.throws(() => { + crypto.createVerify('SHA256').update('Test123').verify(privateKey, 'sig'); + }, { code: 'ERR_OSSL_EVP_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE', message: /operation not supported for this keytype/ }); + assert.throws(() => { + crypto.createVerify('SHA256').update('Test123').verify(publicKey, 'sig'); + }, { code: 'ERR_OSSL_EVP_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE', message: /operation not supported for this keytype/ }); + } +} From 75ff0cdf6657131d314946b9931a3a80192cd943 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 18 Sep 2024 12:36:08 -0400 Subject: [PATCH 15/21] test: update test to support OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 This test fails on OpenSSL32 because it complains the key being used is too short. It seems to have been missed when the test suite was udpated to have a Makefile to generate key material as the keys are hard coded in the test as opposed to being read in from the fixtures/key directory. Update the test to use keys/certs from the fixtures directory and to remove newlines at the end of the key and cert to retain the inteded test. 
Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54968 Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau --- test/parallel/test-tls-cert-regression.js | 50 ++++++----------------- 1 file changed, 13 insertions(+), 37 deletions(-) diff --git a/test/parallel/test-tls-cert-regression.js b/test/parallel/test-tls-cert-regression.js index 478402772eb0df..c58998e594ba58 100644 --- a/test/parallel/test-tls-cert-regression.js +++ b/test/parallel/test-tls-cert-regression.js 
@@ -21,50 +21,26 @@ 'use strict'; const common = require('../common'); +const fixtures = require('../common/fixtures'); if (!common.hasCrypto) common.skip('missing crypto'); const tls = require('tls'); -const cert = -`-----BEGIN CERTIFICATE----- -MIIDNDCCAp2gAwIBAgIJAJvXLQpGPpm7MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV -BAYTAkdCMRAwDgYDVQQIEwdHd3luZWRkMREwDwYDVQQHEwhXYXVuZmF3cjEUMBIG -A1UEChMLQWNrbmFjayBMdGQxEjAQBgNVBAsTCVRlc3QgQ2VydDESMBAGA1UEAxMJ -bG9jYWxob3N0MB4XDTA5MTEwMjE5MzMwNVoXDTEwMTEwMjE5MzMwNVowcDELMAkG -A1UEBhMCR0IxEDAOBgNVBAgTB0d3eW5lZGQxETAPBgNVBAcTCFdhdW5mYXdyMRQw -EgYDVQQKEwtBY2tuYWNrIEx0ZDESMBAGA1UECxMJVGVzdCBDZXJ0MRIwEAYDVQQD -Ewlsb2NhbGhvc3QwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANdym7nGe2yw -6LlJfJrQtC5TmKOGrSXiyolYCbGOy4xZI4KD31d3097jhlQFJyF+10gwkE62DuJe -fLvBZDUsvLe1R8bzlVhZnBVn+3QJyUIWQAL+DsRj8P3KoD7k363QN5dIaA1GOAg2 -vZcPy1HCUsvOgvDXGRUCZqNLAyt+h/cpAgMBAAGjgdUwgdIwHQYDVR0OBBYEFK4s -VBV4shKUj3UX/fvSJnFaaPBjMIGiBgNVHSMEgZowgZeAFK4sVBV4shKUj3UX/fvS -JnFaaPBjoXSkcjBwMQswCQYDVQQGEwJHQjEQMA4GA1UECBMHR3d5bmVkZDERMA8G -A1UEBxMIV2F1bmZhd3IxFDASBgNVBAoTC0Fja25hY2sgTHRkMRIwEAYDVQQLEwlU -ZXN0IENlcnQxEjAQBgNVBAMTCWxvY2FsaG9zdIIJAJvXLQpGPpm7MAwGA1UdEwQF -MAMBAf8wDQYJKoZIhvcNAQEFBQADgYEAFxR7BA1mUlsYqPiogtxSIfLzHWh+s0bJ -SBuhNrHes4U8QxS8+x/KWjd/81gzsf9J1C2VzTlFaydAgigz3SkQYgs+TMnFkT2o -9jqoJrcdf4WpZ2DQXUALaZgwNzPumMUSx8Ac5gO+BY/RHyP6fCodYvdNwyKslnI3 -US7eCSHZsVo= ------END CERTIFICATE-----`; +let key = fixtures.readKey('rsa_private.pem'); +let cert = fixtures.readKey('rsa_cert.crt'); -const key = -`-----BEGIN RSA PRIVATE KEY----- -MIICXgIBAAKBgQDXcpu5xntssOi5SXya0LQuU5ijhq0l4sqJWAmxjsuMWSOCg99X -d9Pe44ZUBSchftdIMJBOtg7iXny7wWQ1LLy3tUfG85VYWZwVZ/t0CclCFkAC/g7E -Y/D9yqA+5N+t0DeXSGgNRjgINr2XD8tRwlLLzoLw1xkVAmajSwMrfof3KQIDAQAB -AoGBAIBHR/tT93ce2mJAJAXV0AJpWc+7x2pwX2FpXtQujnlxNZhnRlrBCRCD7h4m -t0bVS/86kyGaesBDvAbavfx/N5keYzzmmSp5Ht8IPqKPydGWdigk4x90yWvktai7 -dWuRKF94FXr0GUuBONb/dfHdp4KBtzN7oIF9WydYGGXA9ZmBAkEA8/k01bfwQZIu 
-AgcdNEM94Zcug1gSspXtUu8exNQX4+PNVbadghZb1+OnUO4d3gvWfqvAnaXD3KV6 -N4OtUhQQ0QJBAOIRbKMfaymQ9yE3CQQxYfKmEhHXWARXVwuYqIFqjmhSjSXx0l/P -7mSHz1I9uDvxkJev8sQgu1TKIyTOdqPH1tkCQQDPa6H1yYoj1Un0Q2Qa2Mg1kTjk -Re6vkjPQ/KcmJEOjZjtekgFbZfLzmwLXFXqjG2FjFFaQMSxR3QYJSJQEYjbhAkEA -sy7OZcjcXnjZeEkv61Pc57/7qIp/6Aj2JGnefZ1gvI1Z9Q5kCa88rA/9Iplq8pA4 -ZBKAoDW1ZbJGAsFmxc/6mQJAdPilhci0qFN86IGmf+ZBnwsDflIwHKDaVofti4wQ -sPWhSOb9VQjMXekI4Y2l8fqAVTS2Fn6+8jkVKxXBywSVCw== ------END RSA PRIVATE KEY-----`; +// This test validates that we accept certificates and keys which +// do not end with a newline. If a newline exists at the end +// of the key or cert being used remove it +let i = 0; +while (key[key.length - 1 - i] === 0x0a) i++; +if (i !== 0) key = key.slice(0, key.length - i); + +i = 0; +while (cert[cert.length - 1 - i] === 0x0a) i++; +if (i !== 0) cert = cert.slice(0, cert.length - i); function test(cert, key, cb) { const server = tls.createServer({ From 37a2f7eaa4a2151fa4333c98eefc05c408f5908e Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 18 Sep 2024 15:26:45 -0400 Subject: [PATCH 16/21] test: adjust key sizes to support OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 This test fails on OpenSSL32 because it complains the key being used is too short. Adjust the key sizes so that they will pass on OpenSSL32 in addition to other OpenSSL3 versions. Since the keys are not public key related I don't think the increase in key size will be too bad in terms of performance so I've just increased versus guarding for OpenSSL32 Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54972 Reviewed-By: Yagiz Nizipli Reviewed-By: Luigi Pinca --- test/parallel/test-tls-getcipher.js | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js index 2a234d59016c1c..4d5042d6e6beab 100644 --- a/test/parallel/test-tls-getcipher.js +++ b/test/parallel/test-tls-getcipher.js 
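Review bot: The two hand-rolled index loops that strip trailing `0x0a` bytes duplicate each other and bury the intent in `key[key.length - 1 - i]` arithmetic; `while (key.at(-1) === 0x0a) key = key.subarray(0, -1);` (and the same for `cert`) does the same in one readable line each and drops the `i` counter. If a checkout can convert the fixture's line endings to CRLF, only the LF would be removed and the data would still end in `0x0d`, so treating `0x0d` the same way would make the "no trailing newline" premise hold there too — whether that can happen for these fixtures is not visible here. `fixtures.readKey` appears to return a Buffer since the code indexes bytes, but its signature is outside the hunk.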
@@ -47,13 +47,13 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
 tls.connect({
 host: '127.0.0.1',
 port: this.address().port,
- ciphers: 'AES128-SHA256',
+ ciphers: 'AES256-SHA256',
 rejectUnauthorized: false,
 maxVersion: 'TLSv1.2',
 }, common.mustCall(function() {
 const cipher = this.getCipher();
- assert.strictEqual(cipher.name, 'AES128-SHA256');
- assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_128_CBC_SHA256');
+ assert.strictEqual(cipher.name, 'AES256-SHA256');
+ assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_256_CBC_SHA256');
 assert.strictEqual(cipher.version, 'TLSv1.2');
 this.end();
 }));
@@ -62,14 +62,14 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
 tls.connect({
 host: '127.0.0.1',
 port: this.address().port,
- ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
+ ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
 rejectUnauthorized: false,
 maxVersion: 'TLSv1.2',
 }, common.mustCall(function() {
 const cipher = this.getCipher();
- assert.strictEqual(cipher.name, 'ECDHE-RSA-AES128-GCM-SHA256');
+ assert.strictEqual(cipher.name, 'ECDHE-RSA-AES256-GCM-SHA384');
 assert.strictEqual(cipher.standardName,
- 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256');
+ 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384');
 assert.strictEqual(cipher.version, 'TLSv1.2');
 this.end();
 }));
@@ -78,19 +78,19 @@ server.listen(0, '127.0.0.1', common.mustCall(function() { tls.createServer({ key: fixtures.readKey('agent2-key.pem'), cert: fixtures.readKey('agent2-cert.pem'), - ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256', + ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384', maxVersion: 'TLSv1.3', }, common.mustCall(function() { this.close(); })).listen(0, common.mustCall(function() { const client = tls.connect({ port: this.address().port, - ciphers: 'TLS_AES_128_CCM_8_SHA256', + ciphers: 'TLS_AES_256_GCM_SHA384', maxVersion: 'TLSv1.3', rejectUnauthorized: false }, common.mustCall(() => { const cipher = client.getCipher(); - assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256'); + assert.strictEqual(cipher.name, 'TLS_AES_256_GCM_SHA384'); assert.strictEqual(cipher.standardName, cipher.name); assert.strictEqual(cipher.version, 'TLSv1.3'); client.end(); From 341496a5a2bb02fe3357c40d9c9e159f643205b6 Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Wed, 18 Sep 2024 20:35:20 +0000 Subject: [PATCH 17/21] test: add asserts to validate test assumptions Refs: https://github.com/nodejs/node/pull/54968 Refs: https://github.com/nodejs/node/issues/53382 Add additional asserts as suggestd by Richard in: https://github.com/nodejs/node/pull/54968 Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/54997 Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca --- test/parallel/test-tls-cert-regression.js | 3 +++ 1 file changed, 3 insertions(+) diff --git a/test/parallel/test-tls-cert-regression.js b/test/parallel/test-tls-cert-regression.js index c58998e594ba58..5dab23401302ed 100644 --- a/test/parallel/test-tls-cert-regression.js +++ b/test/parallel/test-tls-cert-regression.js @@ -22,6 +22,7 @@ 'use strict'; const common = require('../common'); const fixtures = require('../common/fixtures'); +const assert = require('assert'); if (!common.hasCrypto) common.skip('missing crypto'); 
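Review bot: Replacing `TLS_AES_128_CCM_8_SHA256` with `TLS_AES_256_GCM_SHA384` in both the server `ciphers` list and the client removes this file's only TLS 1.3 CCM_8 coverage on every OpenSSL version, not just 3.2, while the sibling change to test-tls-set-ciphers keeps its CCM_8 cases under `if (!common.hasOpenSSL(3, 2))`. The same guard here — `const cipher13 = common.hasOpenSSL(3, 2) ? 'TLS_AES_256_GCM_SHA384' : 'TLS_AES_128_CCM_8_SHA256';` used in the server list, the client option and the two assertions — would keep the old check on builds that still negotiate it. The statement that 3.2's default security level rejects AES-128 comes from the commit message and is not checked by the test itself.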
@@ -43,6 +44,8 @@ while (cert[cert.length - 1 - i] === 0x0a) i++; if (i !== 0) cert = cert.slice(0, cert.length - i); function test(cert, key, cb) { + assert.notStrictEqual(cert.at(-1), 0x0a); + assert.notStrictEqual(key.at(-1), 0x0a); const server = tls.createServer({ cert, key From 1a4d49793612203bb0cfcdedefeedce2f0f8c3eb Mon Sep 17 00:00:00 2001 From: Michael Dawson Date: Sat, 21 Sep 2024 15:10:51 -0400 Subject: [PATCH 18/21] test: adjust tls-set-ciphers for OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 The test failed as it was using AES128 which is not supported in OpenSSL32 due to default security level and because some error messages have changed. Adjusted to use AES256 where it made sense and not run tests on OpenSSL32 where test was specific to AES128. Adjust to use the expected error messages based on version. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/55016 Reviewed-By: Richard Lau Reviewed-By: Luigi Pinca Reviewed-By: Benjamin Gruenbaum Reviewed-By: James M Snell --- test/parallel/test-tls-set-ciphers.js | 29 ++++++++++++++++++--------- 1 file changed, 19 insertions(+), 10 deletions(-) diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js index b66c419cf5f4d1..268a2af6344b59 100644 --- a/test/parallel/test-tls-set-ciphers.js +++ b/test/parallel/test-tls-set-ciphers.js @@ -79,6 +79,11 @@ function test(cciphers, sciphers, cipher, cerr, serr, options) { const U = undefined; +let expectedTLSAlertError = 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'; +if (common.hasOpenSSL(3, 2)) { + expectedTLSAlertError = 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'; +} + // Have shared ciphers. test(U, 'AES256-SHA', 'AES256-SHA'); test('AES256-SHA', U, 'AES256-SHA'); 
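Review bot: `'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE'` is an unusual error code — the `/` is presumably the OpenSSL 3.2 reason string "ssl/tls alert handshake failure" upper-cased into a code, replacing the older "sslv3 alert handshake failure" — and a reader will take it for a typo without a comment. Suggest `// OpenSSL 3.2 renamed the alert reason string, so the derived code contains a '/'.` above the `if`, and since the value never changes after selection it can be `const expectedTLSAlertError = common.hasOpenSSL(3, 2) ? 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';`.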
@@ -88,13 +93,13 @@ test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384'); // Do not have shared ciphers. test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256', - U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER'); + U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER'); -test('AES128-SHA', 'AES256-SHA', U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', +test('AES256-SHA', 'AES256-SHA256', U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER'); -test('AES128-SHA:TLS_AES_256_GCM_SHA384', - 'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA', - U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER'); +test('AES256-SHA:TLS_AES_256_GCM_SHA384', + 'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA256', + U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER'); // Cipher order ignored, TLS1.3 chosen before TLS1.2. test('AES256-SHA:TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384'); @@ -109,11 +114,15 @@ test(U, 'AES256-SHA', 'TLS_AES_256_GCM_SHA384', U, U, { maxVersion: 'TLSv1.3' }) // TLS_AES_128_CCM_8_SHA256 & TLS_AES_128_CCM_SHA256 are not enabled by // default, but work. -test('TLS_AES_128_CCM_8_SHA256', U, - U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER'); - -test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256', - 'TLS_AES_128_CCM_8_SHA256'); +// However, for OpenSSL32 AES_128 is not enabled due to the +// default security level +if (!common.hasOpenSSL(3, 2)) { + test('TLS_AES_128_CCM_8_SHA256', U, + U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER'); + + test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256', + 'TLS_AES_128_CCM_8_SHA256'); +} // Invalid cipher values test(9, 'AES256-SHA', U, 'ERR_INVALID_ARG_TYPE', U); From 9824827937ee6d846c3dc79616feb2235b252b6b Mon Sep 17 00:00:00 2001 
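Review bot: Inside the new `if (!common.hasOpenSSL(3, 2))` block the first `test(...)` still hard-codes `'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE'` while every other handshake-failure expectation in the file was switched to `expectedTLSAlertError`; the literal is correct only because the branch excludes 3.2, so using the shared variable there keeps the file consistent if the guard is ever widened. The comment above the block says AES-128 "is not enabled due to the default security level" on 3.2, but no assertion on 3.2 now checks that CCM_8 is in fact rejected; adding `else { test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256', U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER'); }` would pin that, assuming the failure surfaces as the same pair of errors, which is not shown here.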
From: Michael Dawson Date: Sun, 22 Sep 2024 10:01:20 -0400 Subject: [PATCH 19/21] test: update tls test to support OpenSSL32 Refs: https://github.com/nodejs/node/issues/53382 OpenSSL32 does not support AES128 and DH 1024 to update test to use newer algorithms. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/55030 Reviewed-By: Luigi Pinca Reviewed-By: Richard Lau Reviewed-By: James M Snell --- .../test-tls-client-getephemeralkeyinfo.js | 20 +++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/test/parallel/test-tls-client-getephemeralkeyinfo.js b/test/parallel/test-tls-client-getephemeralkeyinfo.js index 82ed1e27f49e6c..0bacd8702fc650 100644 --- a/test/parallel/test-tls-client-getephemeralkeyinfo.js +++ b/test/parallel/test-tls-client-getephemeralkeyinfo.js @@ -67,11 +67,15 @@ function test(size, type, name, cipher) { })); } -test(undefined, undefined, undefined, 'AES128-SHA256'); -test('auto', 'DH', undefined, 'DHE-RSA-AES128-GCM-SHA256'); -test(1024, 'DH', undefined, 'DHE-RSA-AES128-GCM-SHA256'); -test(2048, 'DH', undefined, 'DHE-RSA-AES128-GCM-SHA256'); -test(256, 'ECDH', 'prime256v1', 'ECDHE-RSA-AES128-GCM-SHA256'); -test(521, 'ECDH', 'secp521r1', 'ECDHE-RSA-AES128-GCM-SHA256'); -test(253, 'ECDH', 'X25519', 'ECDHE-RSA-AES128-GCM-SHA256'); -test(448, 'ECDH', 'X448', 'ECDHE-RSA-AES128-GCM-SHA256'); +test(undefined, undefined, undefined, 'AES256-SHA256'); +test('auto', 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384'); +if (!common.hasOpenSSL(3, 2)) { + test(1024, 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384'); +} else { + test(3072, 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384'); +} +test(2048, 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384'); +test(256, 'ECDH', 'prime256v1', 'ECDHE-RSA-AES256-GCM-SHA384'); +test(521, 'ECDH', 'secp521r1', 'ECDHE-RSA-AES256-GCM-SHA384'); +test(253, 'ECDH', 'X25519', 'ECDHE-RSA-AES256-GCM-SHA384'); +test(448, 'ECDH', 'X448', 'ECDHE-RSA-AES256-GCM-SHA384'); 
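Review bot: The `if (!common.hasOpenSSL(3, 2)) { test(1024, …) } else { test(3072, …) }` block spends five lines on a single varying argument; the sibling change in test-tls-client-mindhsize picks the size with a ternary, and the same reads better here: `test(common.hasOpenSSL(3, 2) ? 3072 : 1024, 'DH', undefined, 'DHE-RSA-AES256-GCM-SHA384');`. A one-line comment on why (OpenSSL 3.2's default minimum DH size is 2048 bits, per this commit series) would explain the choice to readers of this file alone. `test` is defined above the hunk.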
From c8520ff7d2268b99d7400bc1358a56f10562f879 Mon Sep 17 00:00:00 2001 From: Richard Lau Date: Wed, 26 Jun 2024 20:45:54 +0100 Subject: [PATCH 20/21] test: fix OpenSSL version checks As per the original pull request that introduced the OpenSSL version check in `parallel/test-crypto-dh`: ``` Error message change is test-only and uses the right error message for versions >=3.0.12 in 3.0.x and >= 3.1.4 in 3.1.x series. ``` Fix the check so that: - The older message is expected for OpenSSL 3.1.0. - The newer message is expected for OpenSSL from 3.1.4 (e.g. 3.2.x). Refs: https://github.com/nodejs/node/pull/50395 PR-URL: https://github.com/nodejs/node/pull/53503 Refs: https://github.com/nodejs/node/issues/53382 Reviewed-By: Luigi Pinca --- test/parallel/test-crypto-dh.js | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/test/parallel/test-crypto-dh.js b/test/parallel/test-crypto-dh.js index fb580e1b315445..8ae0a002fec094 100644 --- a/test/parallel/test-crypto-dh.js +++ b/test/parallel/test-crypto-dh.js @@ -86,8 +86,9 @@ const crypto = require('crypto'); } { - const hasOpenSSL3WithNewErrorMessage = (common.hasOpenSSL(3, 0, 12) && !common.hasOpenSSL(3, 1, 1)) || - (common.hasOpenSSL(3, 1, 4) && !common.hasOpenSSL(3, 2, 1)); + // Error message was changed in OpenSSL 3.0.x from 3.0.12, and 3.1.x from 3.1.4. + const hasOpenSSL3WithNewErrorMessage = (common.hasOpenSSL(3, 0, 12) && !common.hasOpenSSL(3, 1, 0)) || + (common.hasOpenSSL(3, 1, 4)); assert.throws(() => { dh3.computeSecret(''); }, { message: common.hasOpenSSL3 && !hasOpenSSL3WithNewErrorMessage ? From ac3a39051c77c150ca894555387f41b3d1c60d20 Mon Sep 17 00:00:00 2001 
From: Michael Dawson Date: Wed, 25 Sep 2024 17:28:05 -0400 Subject: [PATCH 21/21] test: fix test-tls-junk-closes-server Refs: https://github.com/nodejs/node/issues/53382 The TLS spec seems to indicate there should be a response sent when the TLS handshake fails. See https://datatracker.ietf.org/doc/html/rfc8446#page-85 When compiled with OpenSSL32 we see the following response '15 03 03 00 02 02 16' which decodes as a fatal (0x02) TLS error alert number 22 (0x16), which corresponds to TLS1_AD_RECORD_OVERFLOW which matches the error we see if NODE_DEBUG is turned on once you get through the define aliases. If there is a response from the server the test used to hang because the end event will not be emitted until after the response is consumed. This PR fixes the test so it consumes the response. Some earlier OpenSSL versions did not seem to send a response but the error handling seems to have been re-written/improved in OpenSSL32. Signed-off-by: Michael Dawson PR-URL: https://github.com/nodejs/node/pull/55089 Refs: https://github.com/nodejs/node/issues/52482 Reviewed-By: Richard Lau Reviewed-By: Antoine du Hamel Reviewed-By: Jithil P Ponnan Reviewed-By: Luigi Pinca --- test/parallel/test-tls-junk-closes-server.js | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) diff --git a/test/parallel/test-tls-junk-closes-server.js b/test/parallel/test-tls-junk-closes-server.js index 06fa57267a9104..08c2d39c6844f6 100644 --- a/test/parallel/test-tls-junk-closes-server.js +++ b/test/parallel/test-tls-junk-closes-server.js 
@@ -39,6 +39,22 @@ const server = tls.createServer(options, common.mustNotCall()); server.listen(0, common.mustCall(function() { const c = net.createConnection(this.address().port); + c.on('data', function() { + // We must consume all data sent by the server. Otherwise the + // end event will not be sent and the test will hang. + // For example, when compiled with OpenSSL32 we see the + // following response '15 03 03 00 02 02 16' which + // decodes as a fatal (0x02) TLS error alert number 22 (0x16), + // which corresponds to TLS1_AD_RECORD_OVERFLOW which matches + // the error we see if NODE_DEBUG is turned on. + // Some earlier OpenSSL versions did not seem to send a response + // but the TLS spec seems to indicate there should be one + // https://datatracker.ietf.org/doc/html/rfc8446#page-85 + // and error handling seems to have been re-written/improved + // in OpenSSL32. Consuming the data allows the test to pass + // either way. + }); + c.on('connect', common.mustCall(function() { c.write('blah\nblah\nblah\n'); }));
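Review bot: The empty `'data'` listener is a roundabout way to drain the socket; `c.resume();` puts the connection into flowing mode and discards whatever the server sends, which is exactly what the comment describes, and the explanation then sits above a real call rather than inside a no-op callback. If the alert is worth more than discarding, the handler could instead check that what arrives is an alert record, e.g. `c.on('data', (chunk) => assert.strictEqual(chunk[0], 0x15));` — only when the server replies, since the note itself says older OpenSSL versions may not — but whether `assert` is required in this file is not visible in the hunk. The `'15 03 03 00 02 02 16'` decoding in the comment does match RFC 8446's record_overflow(22) alert.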