From 902a18e497b5375a59a4d54a111c742c65fab8b8 Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Tue, 20 Nov 2018 15:30:34 -0800 Subject: [PATCH] tls: add code for ERR_TLS_INVALID_PROTOCOL_METHOD Add an error code property to invalid `secureProtocol` method exceptions. --- doc/api/errors.md | 6 +++++ src/node_crypto.cc | 23 +++++++++++++------ src/node_errors.h | 1 + test/parallel/test-tls-min-max-version.js | 28 +++++++++++++---------- 4 files changed, 39 insertions(+), 19 deletions(-) diff --git a/doc/api/errors.md b/doc/api/errors.md index 75d0f368ca7c2d..3b4ea6156f36dd 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -1655,6 +1655,12 @@ recommended to use 2048 bits or larger for stronger security. A TLS/SSL handshake timed out. In this case, the server must also abort the connection. + +### ERR_TLS_INVALID_PROTOCOL_METHOD + +The specified `secureProtocol` method is invalid. It is either unknown, or +disabled because it is insecure. + ### ERR_TLS_INVALID_PROTOCOL_VERSION diff --git a/src/node_crypto.cc b/src/node_crypto.cc index 16d1951ff72eaa..2023cae1b6a098 100644 --- a/src/node_crypto.cc +++ b/src/node_crypto.cc @@ -63,6 +63,8 @@ v8::MaybeLocal New(Environment* env, unsigned char* udata, namespace crypto { +using node::THROW_ERR_TLS_INVALID_PROTOCOL_METHOD; + using v8::Array; using v8::Boolean; using v8::ConstructorBehavior; @@ -421,17 +423,23 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { // protocols are supported unless explicitly disabled (which we do below // for SSLv2 and SSLv3.) if (strcmp(*sslmethod, "SSLv2_method") == 0) { - return env->ThrowError("SSLv2 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv2_server_method") == 0) { - return env->ThrowError("SSLv2 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv2_client_method") == 0) { - return env->ThrowError("SSLv2 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv2 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv3_method") == 0) { - return env->ThrowError("SSLv3 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv3_server_method") == 0) { - return env->ThrowError("SSLv3 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv3_client_method") == 0) { - return env->ThrowError("SSLv3 methods disabled"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "SSLv3 methods disabled"); + return; } else if (strcmp(*sslmethod, "SSLv23_method") == 0) { // noop } else if (strcmp(*sslmethod, "SSLv23_server_method") == 0) { @@ -483,7 +491,8 @@ void SecureContext::Init(const FunctionCallbackInfo& args) { max_version = TLS1_2_VERSION; method = TLS_client_method(); } else { - return env->ThrowError("Unknown method"); + THROW_ERR_TLS_INVALID_PROTOCOL_METHOD(env, "Unknown method"); + return; } } diff --git a/src/node_errors.h b/src/node_errors.h index 2c52007c5110c6..44dc1d8094f254 100644 --- a/src/node_errors.h +++ b/src/node_errors.h @@ -71,6 +71,7 @@ void FatalException(const v8::FunctionCallbackInfo& args); V(ERR_SCRIPT_EXECUTION_INTERRUPTED, Error) \ V(ERR_SCRIPT_EXECUTION_TIMEOUT, Error) \ V(ERR_STRING_TOO_LONG, Error) \ + V(ERR_TLS_INVALID_PROTOCOL_METHOD, TypeError) \ V(ERR_TRANSFERRING_EXTERNALIZED_SHAREDARRAYBUFFER, TypeError) \ #define V(code, type) \ diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index 3a3dab33d566c6..a8367a3fe58815 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -26,8 +26,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) { secureProtocol: sprot, }, }, common.mustCall((err, pair, cleanup) => { - if (expect && !expect.match(/^TLS/)) { - assert(err.message.match(expect)); + if (expect && expect.match(/^ERR/)) { + assert.strictEqual(err.code, expect); return cleanup(); } @@ -53,18 +53,22 @@ const U = undefined; test(U, U, U, U, U, U, 'TLSv1.2'); // Insecure or invalid protocols cannot be enabled. -test(U, U, U, U, U, 'SSLv2_method', 'SSLv2 methods disabled'); -test(U, U, U, U, U, 'SSLv3_method', 'SSLv3 methods disabled'); -test(U, U, 'SSLv2_method', U, U, U, 'SSLv2 methods disabled'); -test(U, U, 'SSLv3_method', U, U, U, 'SSLv3 methods disabled'); -test(U, U, 'hokey-pokey', U, U, U, 'Unknown method'); -test(U, U, U, U, U, 'hokey-pokey', 'Unknown method'); +test(U, U, U, U, U, 'SSLv2_method', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'SSLv3_method', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv2_method', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv3_method', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'hokey-pokey', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'hokey-pokey', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); // Cannot use secureProtocol and min/max versions simultaneously. -test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', 'conflicts with secureProtocol'); -test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', 'conflicts with secureProtocol'); -test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol'); -test('TLSv1.2', U, 'TLS1_2_method', U, U, U, 'conflicts with secureProtocol'); +test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', + 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); +test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', + 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); +test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, + 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); +test('TLSv1.2', U, 'TLS1_2_method', U, U, U, + 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); // TLS_method means "any supported protocol". test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2');