tls: supported shared openssl 1.1.0

sam-github · BethGriggs · commit 7aeca270f666 · 2019-04-15T13:32:50.000+01:00
PR-URL: #26951 Reviewed-By: Rod Vagg <rod@vagg.org> Reviewed-By: Beth Griggs <Bethany.Griggs@uk.ibm.com>
diff --git a/lib/_tls_common.js b/lib/_tls_common.js
@@ -47,7 +47,7 @@ function toV(which, v, def) {
   if (v === 'TLSv1') return TLS1_VERSION;
   if (v === 'TLSv1.1') return TLS1_1_VERSION;
   if (v === 'TLSv1.2') return TLS1_2_VERSION;
-  if (v === 'TLSv1.3') return TLS1_3_VERSION;
+  if (v === 'TLSv1.3' && TLS1_3_VERSION) return TLS1_3_VERSION;
   throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);
 }
 
diff --git a/src/node_constants.cc b/src/node_constants.cc
@@ -1245,7 +1245,9 @@ void DefineCryptoConstants(Local<Object> target) {
   NODE_DEFINE_CONSTANT(target, TLS1_VERSION);
   NODE_DEFINE_CONSTANT(target, TLS1_1_VERSION);
   NODE_DEFINE_CONSTANT(target, TLS1_2_VERSION);
+#ifdef TLS1_3_VERSION
   NODE_DEFINE_CONSTANT(target, TLS1_3_VERSION);
+#endif
 #endif
   NODE_DEFINE_CONSTANT(target, INT_MAX);
 }
diff --git a/src/node_crypto.cc b/src/node_crypto.cc
@@ -411,7 +411,12 @@ void SecureContext::New(const FunctionCallbackInfo<Value>& args) {
 
 // A maxVersion of 0 means "any", but OpenSSL may support TLS versions that
 // Node.js doesn't, so pin the max to what we do support.
-const int MAX_SUPPORTED_VERSION = TLS1_3_VERSION;
+const int MAX_SUPPORTED_VERSION =
+#ifdef TLS1_3_VERSION
+  TLS1_3_VERSION;
+#else
+  TLS1_2_VERSION;
+#endif
 
 void SecureContext::Init(const FunctionCallbackInfo<Value>& args) {
   SecureContext* sc;
@@ -947,7 +952,7 @@ void SecureContext::AddRootCerts(const FunctionCallbackInfo<Value>& args) {
 
 void SecureContext::SetCipherSuites(const FunctionCallbackInfo<Value>& args) {
   // BoringSSL doesn't allow API config of TLS1.3 cipher suites.
-#ifndef OPENSSL_IS_BORINGSSL
+#if defined(TLS1_3_VERSION) && !defined(OPENSSL_IS_BORINGSSL)
   SecureContext* sc;
   ASSIGN_OR_RETURN_UNWRAP(&sc, args.Holder());
   Environment* env = sc->env();
diff --git a/test/parallel/test-tls-client-renegotiation-13.js b/test/parallel/test-tls-client-renegotiation-13.js
@@ -4,6 +4,9 @@
 const common = require('../common');
 const fixtures = require('../common/fixtures');
 
+if (!require('constants').TLS1_3_VERSION)
+  common.skip(`openssl ${process.versions.openssl} does not support TLSv1.3`);
+
 // Confirm that for TLSv1.3, renegotiate() is disallowed.
 
 const {
diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
@@ -56,6 +56,9 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   }));
 }));
 
+if (!require('constants').TLS1_3_VERSION)
+  return console.log('cannot test TLSv1.3 against 1.3-incapable shared lib');
+
 tls.createServer({
   key: fixtures.readKey('agent2-key.pem'),
   cert: fixtures.readKey('agent2-cert.pem'),
diff --git a/test/parallel/test-tls-min-max-version.js b/test/parallel/test-tls-min-max-version.js
@@ -9,13 +9,25 @@ const {
 } = require(fixtures.path('tls-connect'));
 const DEFAULT_MIN_VERSION = tls.DEFAULT_MIN_VERSION;
 const DEFAULT_MAX_VERSION = tls.DEFAULT_MAX_VERSION;
+const tls13 = !!require('constants').TLS1_3_VERSION;
+
+if (!tls13 && (
+  DEFAULT_MAX_VERSION === 'TLSv1.3' ||
+  DEFAULT_MIN_VERSION === 'TLSv1.3')) {
+  return common.skip('cannot test TLSv1.3 against 1.3-incapable shared lib');
+}
 
 function test(cmin, cmax, cprot, smin, smax, sprot, proto, cerr, serr) {
   assert(proto || cerr || serr, 'test missing any expectations');
   // Report where test was called from. Strip leading garbage from
   //     at Object.<anonymous> (file:line)
   // from the stack location, we only want the file:line part.
   const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
+  if (Array.prototype.includes.call(arguments, 'TLSv1.3')) {
+    console.log('test: skip because TLSv1.3 is not supported');
+    console.log('  ', where);
+    return;
+  }
   connect({
     client: {
       checkServerIdentity: (servername, cert) => { },
diff --git a/test/parallel/test-tls-set-ciphers-error.js b/test/parallel/test-tls-set-ciphers-error.js
@@ -4,6 +4,9 @@ const common = require('../common');
 if (!common.hasCrypto)
   common.skip('missing crypto');
 
+if (!require('constants').TLS1_3_VERSION)
+  return common.skip('openssl before TLS1.3 does not check for failure');
+
 const assert = require('assert');
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
@@ -15,6 +15,10 @@ if (tls13)
   tls.DEFAULT_MAX_VERSION = 'TLSv1.3';
 
 function test(cciphers, sciphers, cipher, cerr, serr) {
+  if (!tls13 && (/TLS_/.test(cciphers) || /TLS_/.test(sciphers))) {
+    // Test relies on TLS1.3, skip it.
+    return;
+  }
   assert(cipher || cerr || serr, 'test missing any expectations');
   const where = (new Error()).stack.split('\n')[2].replace(/[^(]*/, '');
   connect({

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ function toV(which, v, def) {`
`47`	`47`	`if (v === 'TLSv1') return TLS1_VERSION;`
`48`	`48`	`if (v === 'TLSv1.1') return TLS1_1_VERSION;`
`49`	`49`	`if (v === 'TLSv1.2') return TLS1_2_VERSION;`
`50`		`- if (v === 'TLSv1.3') return TLS1_3_VERSION;`
	`50`	`+ if (v === 'TLSv1.3' && TLS1_3_VERSION) return TLS1_3_VERSION;`
`51`	`51`	`throw new ERR_TLS_INVALID_PROTOCOL_VERSION(v, which);`
`52`	`52`	`}`
`53`	`53`