diff options
author | Rich Trott <rtrott@gmail.com> | 2019-11-29 12:02:04 -0800 |
---|---|---|
committer | Rich Trott <rtrott@gmail.com> | 2019-12-01 12:07:14 -0800 |
commit | d25db11312e9ef4392042380b812359fad103707 (patch) | |
tree | 9ecc10f34c7fc7deeb2084cb95f64df577d04243 | |
parent | 7da6630aa4a3ba7f866be3af83ccd812102c281b (diff) | |
download | android-node-v8-d25db11312e9ef4392042380b812359fad103707.tar.gz android-node-v8-d25db11312e9ef4392042380b812359fad103707.tar.bz2 android-node-v8-d25db11312e9ef4392042380b812359fad103707.zip |
tls: introduce ERR_TLS_INVALID_CONTEXT
It is trivially possible to cause an internal assertion error with
tls.createSecurePair(). Throw a friendly error instead. Reserve internal
assertions for things that we believe to be impossible.
PR-URL: https://github.com/nodejs/node/pull/30718
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
-rw-r--r-- | doc/api/errors.md | 8 | ||||
-rw-r--r-- | lib/_tls_wrap.js | 6 | ||||
-rw-r--r-- | lib/internal/errors.js | 1 | ||||
-rw-r--r-- | test/parallel/test-tls-basic-validations.js | 8 |
4 files changed, 19 insertions, 4 deletions
diff --git a/doc/api/errors.md b/doc/api/errors.md index bdfd0df4a7..9cba4de5f2 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -1809,6 +1809,14 @@ recommended to use 2048 bits or larger for stronger security. A TLS/SSL handshake timed out. In this case, the server must also abort the connection. +<a id="ERR_TLS_INVALID_CONTEXT"> +### ERR_TLS_INVALID_CONTEXT +<!-- YAML +added: REPLACEME +--> + +The context must be a `SecureContext`. + <a id="ERR_TLS_INVALID_PROTOCOL_METHOD"></a> ### ERR_TLS_INVALID_PROTOCOL_METHOD diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js index 6f08f91c43..530a41a1e8 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -56,6 +56,7 @@ const { ERR_SOCKET_CLOSED, ERR_TLS_DH_PARAM_SIZE, ERR_TLS_HANDSHAKE_TIMEOUT, + ERR_TLS_INVALID_CONTEXT, ERR_TLS_RENEGOTIATION_DISABLED, ERR_TLS_REQUIRED_SERVER_NAME, ERR_TLS_SESSION_ATTACK, @@ -517,8 +518,9 @@ TLSSocket.prototype._wrapHandle = function(wrap) { options.credentials || tls.createSecureContext(options); assert(handle.isStreamBase, 'handle must be a StreamBase'); - assert(context.context instanceof NativeSecureContext, - 'context.context must be a NativeSecureContext'); + if (!(context.context instanceof NativeSecureContext)) { + throw new ERR_TLS_INVALID_CONTEXT('context'); + } const res = tls_wrap.wrap(handle, context.context, !!options.isServer); res._parent = handle; // C++ "wrap" object: TCPWrap, JSStream, ... res._parentWrap = wrap; // JS object: net.Socket, JSStreamSocket, ... diff --git a/lib/internal/errors.js b/lib/internal/errors.js index 88a38f5e1d..f85253ec44 100644 --- a/lib/internal/errors.js +++ b/lib/internal/errors.js @@ -1169,6 +1169,7 @@ E('ERR_TLS_CERT_ALTNAME_INVALID', function(reason, host, cert) { }, Error); E('ERR_TLS_DH_PARAM_SIZE', 'DH parameter size %s is less than 2048', Error); E('ERR_TLS_HANDSHAKE_TIMEOUT', 'TLS handshake timeout', Error); +E('ERR_TLS_INVALID_CONTEXT', '%s must be a SecureContext', TypeError), E('ERR_TLS_INVALID_PROTOCOL_VERSION', '%j is not a valid %s TLS protocol version', TypeError); E('ERR_TLS_PROTOCOL_VERSION_CONFLICT', diff --git a/test/parallel/test-tls-basic-validations.js b/test/parallel/test-tls-basic-validations.js index 925c6643a1..c4e2833464 100644 --- a/test/parallel/test-tls-basic-validations.js +++ b/test/parallel/test-tls-basic-validations.js @@ -78,9 +78,13 @@ common.expectsError( assert.throws(() => tls.createServer({ ticketKeys: Buffer.alloc(0) }), /TypeError: Ticket keys length must be 48 bytes/); -common.expectsInternalAssertion( +assert.throws( () => tls.createSecurePair({}), - 'context.context must be a NativeSecureContext' + { + message: 'context must be a SecureContext', + code: 'ERR_TLS_INVALID_CONTEXT', + name: 'TypeError', + } ); { |