Skip to content

Commit

Permalink
tls: introduce ERR_TLS_INVALID_CONTEXT
Browse files Browse the repository at this point in the history
It is trivially possible to cause an internal assertion error with
tls.createSecurePair(). Throw a friendly error instead. Reserve internal
assertions for things that we believe to be impossible.

PR-URL: #30718
Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
Reviewed-By: Luigi Pinca <luigipinca@gmail.com>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: James M Snell <jasnell@gmail.com>
  • Loading branch information
Trott authored and targos committed Dec 2, 2019
1 parent e65ad86 commit 7aa1df7
Show file tree
Hide file tree
Showing 4 changed files with 19 additions and 4 deletions.
8 changes: 8 additions & 0 deletions doc/api/errors.md
Original file line number Diff line number Diff line change
Expand Up @@ -1809,6 +1809,14 @@ recommended to use 2048 bits or larger for stronger security.
A TLS/SSL handshake timed out. In this case, the server must also abort the
connection.

<a id="ERR_TLS_INVALID_CONTEXT">
### ERR_TLS_INVALID_CONTEXT
<!-- YAML
added: REPLACEME
-->

The context must be a `SecureContext`.

<a id="ERR_TLS_INVALID_PROTOCOL_METHOD"></a>
### ERR_TLS_INVALID_PROTOCOL_METHOD

Expand Down
6 changes: 4 additions & 2 deletions lib/_tls_wrap.js
Original file line number Diff line number Diff line change
Expand Up @@ -56,6 +56,7 @@ const {
ERR_SOCKET_CLOSED,
ERR_TLS_DH_PARAM_SIZE,
ERR_TLS_HANDSHAKE_TIMEOUT,
ERR_TLS_INVALID_CONTEXT,
ERR_TLS_RENEGOTIATION_DISABLED,
ERR_TLS_REQUIRED_SERVER_NAME,
ERR_TLS_SESSION_ATTACK,
Expand Down Expand Up @@ -517,8 +518,9 @@ TLSSocket.prototype._wrapHandle = function(wrap) {
options.credentials ||
tls.createSecureContext(options);
assert(handle.isStreamBase, 'handle must be a StreamBase');
assert(context.context instanceof NativeSecureContext,
'context.context must be a NativeSecureContext');
if (!(context.context instanceof NativeSecureContext)) {
throw new ERR_TLS_INVALID_CONTEXT('context');
}
const res = tls_wrap.wrap(handle, context.context, !!options.isServer);
res._parent = handle; // C++ "wrap" object: TCPWrap, JSStream, ...
res._parentWrap = wrap; // JS object: net.Socket, JSStreamSocket, ...
Expand Down
1 change: 1 addition & 0 deletions lib/internal/errors.js
Original file line number Diff line number Diff line change
Expand Up @@ -1169,6 +1169,7 @@ E('ERR_TLS_CERT_ALTNAME_INVALID', function(reason, host, cert) {
}, Error);
E('ERR_TLS_DH_PARAM_SIZE', 'DH parameter size %s is less than 2048', Error);
E('ERR_TLS_HANDSHAKE_TIMEOUT', 'TLS handshake timeout', Error);
E('ERR_TLS_INVALID_CONTEXT', '%s must be a SecureContext', TypeError),
E('ERR_TLS_INVALID_PROTOCOL_VERSION',
'%j is not a valid %s TLS protocol version', TypeError);
E('ERR_TLS_PROTOCOL_VERSION_CONFLICT',
Expand Down
8 changes: 6 additions & 2 deletions test/parallel/test-tls-basic-validations.js
Original file line number Diff line number Diff line change
Expand Up @@ -78,9 +78,13 @@ common.expectsError(
assert.throws(() => tls.createServer({ ticketKeys: Buffer.alloc(0) }),
/TypeError: Ticket keys length must be 48 bytes/);

common.expectsInternalAssertion(
assert.throws(
() => tls.createSecurePair({}),
'context.context must be a NativeSecureContext'
{
message: 'context must be a SecureContext',
code: 'ERR_TLS_INVALID_CONTEXT',
name: 'TypeError',
}
);

{
Expand Down

0 comments on commit 7aa1df7

Please sign in to comment.