From e70a5e10c35ba525ee18b67d82580bcaf747753b Mon Sep 17 00:00:00 2001 From: Sam Roberts Date: Mon, 7 Jan 2019 14:13:17 -0800 Subject: [PATCH] test: assert on client and server side seperately This gets better coverage of the codes, and is more explicit. It also works around ordering differences in the errors produced by openssl. The approach was tested with 1.1.0 and 1.1.1, as well as TLSv1.2 vs TLSv1.3. OpenSSL 1.1.0 is relevant when node is built against a shared openssl. --- test/parallel/test-tls-min-max-version.js | 97 ++++++++++++++++------- 1 file changed, 69 insertions(+), 28 deletions(-) diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js index 6b856ac59b27b3..9ee6fdc8ac1549 100644 --- a/test/parallel/test-tls-min-max-version.js +++ b/test/parallel/test-tls-min-max-version.js @@ -8,9 +8,11 @@ const { assert, connect, keys, tls } = require(fixtures.path('tls-connect')); const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION; +const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION; -function test(cmin, cmax, cprot, smin, smax, sprot, expect) { - assert(expect); + +function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) { + assert(proto || cerr || serr, 'test missing any expectations'); connect({ client: { checkServerIdentity: (servername, cert) => { }, 
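Review bot: The new guard `assert(proto || cerr || serr, 'test missing any expectations')` accepts a call that passes both a protocol and an error code, and the error checks added later in this patch run only under `if (!proto)`, so in that case `cerr` and `serr` would be silently ignored. A second guard would catch a misplaced positional argument: `assert(!(proto && (cerr || serr)), 'expect a protocol or error codes, not both');`. With nine positional parameters, a one-line comment above `test` naming them in order would also help, for example `// client min, max, secureProtocol; server min, max, secureProtocol; expected protocol, client error code, server error code` (the min/max meaning is inferred from the parameter names). The body of `test` continues outside this hunk.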
@@ -27,8 +29,20 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) { secureProtocol: sprot, }, }, common.mustCall((err, pair, cleanup) => { - if (err) { - assert.strictEqual(err.code, expect, err + '.code !== ' + expect); + function u(_) { return _ === undefined ? 'U' : _; } + console.log('test:', u(cmin), u(cmax), u(cprot), u(smin), u(smax), u(sprot), + 'expect', u(proto), u(cerr), u(serr)); + if (!proto) { + console.log('client', pair.client.err ? pair.client.err.code : undefined); + console.log('server', pair.server.err ? pair.server.err.code : undefined); + if (cerr) { + assert(pair.client.err); + assert.strictEqual(pair.client.err.code, cerr); + } + if (serr) { + assert(pair.server.err); + assert.strictEqual(pair.server.err.code, serr); + } return cleanup(); } @@ -37,8 +51,8 @@ function test(cmin, cmax, cprot, smin, smax, sprot, expect) { assert.ifError(pair.client.err); assert(pair.server.conn); assert(pair.client.conn); - assert.strictEqual(pair.client.conn.getProtocol(), expect); - assert.strictEqual(pair.server.conn.getProtocol(), expect); + assert.strictEqual(pair.client.conn.getProtocol(), proto); + assert.strictEqual(pair.server.conn.getProtocol(), proto); return cleanup(); })); } 
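Review bot: The rejection branch under `if (!proto)` checks a side only when a code was passed for it, so a call that lists just `serr` (or just `cerr`) passes whatever the other side did, and neither side is checked for an established connection. Since these cases exist to show that a disallowed protocol version is refused, it would be worth asserting that as well, e.g. `assert(!pair.client.conn);` and `assert(!pair.server.conn);` before `return cleanup();`. That assumes the fixture sets `conn` only after a completed handshake, which is not visible here. The three `console.log` calls and the helper `u(_)` read like debugging aids; if they are meant to stay, a short comment saying they identify the failing case in the test output would help, and `u` could take a named parameter. `test` starts outside this hunk and the callback continues into the next one.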
@@ -49,22 +63,28 @@ const U = undefined; test(U, U, U, U, U, U, 'TLSv1.2'); // Insecure or invalid protocols cannot be enabled. -test(U, U, U, U, U, 'SSLv2_method', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, U, U, U, 'SSLv3_method', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, 'SSLv2_method', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, 'SSLv3_method', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, 'hokey-pokey', U, U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); -test(U, U, U, U, U, 'hokey-pokey', 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'SSLv2_method', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'SSLv3_method', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv2_method', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'SSLv3_method', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, 'hokey-pokey', U, U, U, + U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); +test(U, U, U, U, U, 'hokey-pokey', + U, U, 'ERR_TLS_INVALID_PROTOCOL_METHOD'); // Cannot use secureProtocol and min/max versions simultaneously. test(U, U, U, U, 'TLSv1.2', 'TLS1_2_method', - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); test(U, U, U, 'TLSv1.2', U, 'TLS1_2_method', - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); test(U, 'TLSv1.2', 'TLS1_2_method', U, U, U, - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); test('TLSv1.2', U, 'TLS1_2_method', U, U, U, - 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); + U, 'ERR_TLS_PROTOCOL_VERSION_CONFLICT'); // TLS_method means "any supported protocol". test(U, U, 'TLSv1_2_method', U, U, 'TLS_method', 'TLSv1.2'); 
@@ -79,18 +99,23 @@ test(U, U, 'TLS_method', U, U, 'TLSv1_method', 'TLSv1'); test(U, U, 'TLSv1_2_method', U, U, 'SSLv23_method', 'TLSv1.2'); if (DEFAULT_MIN_VERSION === 'TLSv1.2') { - test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'ECONNRESET'); - test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', 'ECONNRESET'); + test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', - 'ERR_SSL_VERSION_TOO_LOW'); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); } if (DEFAULT_MIN_VERSION === 'TLSv1.1') { test(U, U, 'TLSv1_1_method', U, U, 'SSLv23_method', 'TLSv1.1'); - test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', 'ECONNRESET'); + test(U, U, 'TLSv1_method', U, U, 'SSLv23_method', + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, 'SSLv23_method', U, U, 'TLSv1_1_method', 'TLSv1.1'); - test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + test(U, U, 'SSLv23_method', U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); } if (DEFAULT_MIN_VERSION === 'TLSv1') { 
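Review bot: The expected pairs in these calls are asymmetric and nothing beside them says why: `'ECONNRESET'` with `'ERR_SSL_UNSUPPORTED_PROTOCOL'` when the client pins the old method, `'ERR_SSL_UNSUPPORTED_PROTOCOL'` with `'ERR_SSL_WRONG_VERSION_NUMBER'` when the server does. A comment above each group would make a later change in OpenSSL's codes easier to triage, for example `// Client below the server minimum: server refuses, client only sees the reset.` and `// Server below the client minimum: client refuses the server's version.`; the direction is inferred from the arguments and should be confirmed. The client-side `'ECONNRESET'` on its own shows only that the socket dropped, so the server code is the assertion that ties the failure to version enforcement.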
@@ -108,18 +133,34 @@ test(U, U, 'TLSv1_method', U, U, 'TLSv1_method', 'TLSv1'); // The default default. if (DEFAULT_MIN_VERSION === 'TLSv1.2') { - test(U, U, 'TLSv1_1_method', U, U, U, 'ECONNRESET'); - test(U, U, 'TLSv1_method', U, U, U, 'ECONNRESET'); - test(U, U, U, U, U, 'TLSv1_1_method', 'ERR_SSL_VERSION_TOO_LOW'); - test(U, U, U, U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + test(U, U, 'TLSv1_1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + test(U, U, 'TLSv1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); + + if (DEFAULT_MAX_VERSION === 'TLSv1.2') { + test(U, U, U, U, U, 'TLSv1_1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + test(U, U, U, U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + } else { + assert(false, 'unreachable'); + } } // The default with --tls-v1.1. if (DEFAULT_MIN_VERSION === 'TLSv1.1') { test(U, U, 'TLSv1_1_method', U, U, U, 'TLSv1.1'); - test(U, U, 'TLSv1_method', U, U, U, 'ECONNRESET'); + test(U, U, 'TLSv1_method', U, U, U, + U, 'ECONNRESET', 'ERR_SSL_UNSUPPORTED_PROTOCOL'); test(U, U, U, U, U, 'TLSv1_1_method', 'TLSv1.1'); - test(U, U, U, U, U, 'TLSv1_method', 'ERR_SSL_VERSION_TOO_LOW'); + + if (DEFAULT_MAX_VERSION === 'TLSv1.2') { + test(U, U, U, U, U, 'TLSv1_method', + U, 'ERR_SSL_UNSUPPORTED_PROTOCOL', 'ERR_SSL_WRONG_VERSION_NUMBER'); + } else { + assert(false, 'unreachable'); + } } // The default with --tls-v1.0.
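Review bot: Both new `else` branches fail with `assert(false, 'unreachable')`, which gives no hint of what went wrong on a build with a different `DEFAULT_MAX_VERSION`; the branch is reachable by configuration, not ruled out by logic. Including the value makes the failure actionable, e.g. `assert(false, 'no expectations for DEFAULT_MAX_VERSION ' + DEFAULT_MAX_VERSION);`. Until expectations exist for other maxima, the cases where the server pins `TLSv1_1_method` or `TLSv1_method` are covered only for a TLSv1.2 maximum, which is worth a `// TODO` next to each `else`.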