From 7aa1df707679278474c7016bb1620253ee40a6f5 Mon Sep 17 00:00:00 2001 From: Rich Trott Date: Fri, 29 Nov 2019 12:02:04 -0800 Subject: [PATCH] tls: introduce ERR_TLS_INVALID_CONTEXT It is trivially possible to cause an internal assertion error with tls.createSecurePair(). Throw a friendly error instead. Reserve internal assertions for things that we believe to be impossible. PR-URL: https://github.com/nodejs/node/pull/30718 Reviewed-By: Sam Roberts Reviewed-By: Luigi Pinca Reviewed-By: Colin Ihrig Reviewed-By: Anna Henningsen Reviewed-By: James M Snell --- doc/api/errors.md | 8 ++++++++ lib/_tls_wrap.js | 6 ++++-- lib/internal/errors.js | 1 + test/parallel/test-tls-basic-validations.js | 8 ++++++-- 4 files changed, 19 insertions(+), 4 deletions(-) diff --git a/doc/api/errors.md b/doc/api/errors.md index bdfd0df4a7bba7..9cba4de5f2e628 100644 --- a/doc/api/errors.md +++ b/doc/api/errors.md @@ -1809,6 +1809,14 @@ recommended to use 2048 bits or larger for stronger security. A TLS/SSL handshake timed out. In this case, the server must also abort the connection. + +### ERR_TLS_INVALID_CONTEXT + + +The context must be a `SecureContext`. + ### ERR_TLS_INVALID_PROTOCOL_METHOD diff --git a/lib/_tls_wrap.js b/lib/_tls_wrap.js index 6f08f91c43dd5d..530a41a1e855fd 100644 --- a/lib/_tls_wrap.js +++ b/lib/_tls_wrap.js @@ -56,6 +56,7 @@ const { ERR_SOCKET_CLOSED, ERR_TLS_DH_PARAM_SIZE, ERR_TLS_HANDSHAKE_TIMEOUT, + ERR_TLS_INVALID_CONTEXT, ERR_TLS_RENEGOTIATION_DISABLED, ERR_TLS_REQUIRED_SERVER_NAME, ERR_TLS_SESSION_ATTACK, @@ -517,8 +518,9 @@ TLSSocket.prototype._wrapHandle = function(wrap) { options.credentials || tls.createSecureContext(options); assert(handle.isStreamBase, 'handle must be a StreamBase'); - assert(context.context instanceof NativeSecureContext, - 'context.context must be a NativeSecureContext'); + if (!(context.context instanceof NativeSecureContext)) { + throw new ERR_TLS_INVALID_CONTEXT('context'); + } const res = tls_wrap.wrap(handle, context.context, !!options.isServer); res._parent = handle; // C++ "wrap" object: TCPWrap, JSStream, ... res._parentWrap = wrap; // JS object: net.Socket, JSStreamSocket, ... diff --git a/lib/internal/errors.js b/lib/internal/errors.js index 88a38f5e1de62d..f85253ec444256 100644 --- a/lib/internal/errors.js +++ b/lib/internal/errors.js @@ -1169,6 +1169,7 @@ E('ERR_TLS_CERT_ALTNAME_INVALID', function(reason, host, cert) { }, Error); E('ERR_TLS_DH_PARAM_SIZE', 'DH parameter size %s is less than 2048', Error); E('ERR_TLS_HANDSHAKE_TIMEOUT', 'TLS handshake timeout', Error); +E('ERR_TLS_INVALID_CONTEXT', '%s must be a SecureContext', TypeError), E('ERR_TLS_INVALID_PROTOCOL_VERSION', '%j is not a valid %s TLS protocol version', TypeError); E('ERR_TLS_PROTOCOL_VERSION_CONFLICT', diff --git a/test/parallel/test-tls-basic-validations.js b/test/parallel/test-tls-basic-validations.js index 925c6643a1a0cc..c4e2833464cb44 100644 --- a/test/parallel/test-tls-basic-validations.js +++ b/test/parallel/test-tls-basic-validations.js @@ -78,9 +78,13 @@ common.expectsError( assert.throws(() => tls.createServer({ ticketKeys: Buffer.alloc(0) }), /TypeError: Ticket keys length must be 48 bytes/); -common.expectsInternalAssertion( +assert.throws( () => tls.createSecurePair({}), - 'context.context must be a NativeSecureContext' + { + message: 'context must be a SecureContext', + code: 'ERR_TLS_INVALID_CONTEXT', + name: 'TypeError', + } ); {