1berry/nodejs
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

crypto: move createCredentials to tls

Browse Source 
Move `createCredentials` to `tls` module and rename it to
`createSecureContext`. Make it use default values from `tls` module:
`DEFAULT_CIPHERS` and `DEFAULT_ECDH_CURVE`.

fix #7249
This commit is contained in:
Fedor Indutny 2014-03-07 03:27:01 +04:00 committed by Fedor Indutny
parent b55c9d68aa
commit 5d2aef17ee
No known key found for this signature in database
GPG Key ID: FB0E1095B1797999
17 changed files with 222 additions and 163 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

14
doc/api/tls.markdown
View File

@ -197,7 +197,7 @@ automatically set as a listener for the [secureConnection][] event. The
supports SNI TLS extension. Two argument will be passed to it: `servername`, supports SNI TLS extension. Two argument will be passed to it: `servername`,
and `cb`. `SNICallback` should invoke `cb(null, ctx)`, where `ctx` is a and `cb`. `SNICallback` should invoke `cb(null, ctx)`, where `ctx` is a
SecureContext instance. SecureContext instance.
(You can use `crypto.createCredentials(...).context` to get proper (You can use `tls.createSecureContext(...)` to get proper
SecureContext). If `SNICallback` wasn't provided - default callback with SecureContext). If `SNICallback` wasn't provided - default callback with
high-level API will be used (see below). high-level API will be used (see below).
@ -391,8 +391,8 @@ Construct a new TLSSocket object from existing TCP socket.
`options` is an object that might contain following properties: `options` is an object that might contain following properties:
- `credentials`: An optional credentials object from - `secureContext`: An optional TLS context object from
`crypto.createCredentials( ... )` `tls.createSecureContext( ... )`
- `isServer`: If true - TLS socket will be instantiated in server-mode - `isServer`: If true - TLS socket will be instantiated in server-mode
@ -408,7 +408,7 @@ Construct a new TLSSocket object from existing TCP socket.
- `session`: Optional, a `Buffer` instance, containing TLS session - `session`: Optional, a `Buffer` instance, containing TLS session
## tls.createSecurePair([credentials], [isServer], [requestCert], [rejectUnauthorized]) ## tls.createSecurePair([context], [isServer], [requestCert], [rejectUnauthorized])
Stability: 0 - Deprecated. Use tls.TLSSocket instead. Stability: 0 - Deprecated. Use tls.TLSSocket instead.
@ -417,7 +417,7 @@ encrypted data, and one reads/writes cleartext data.
Generally the encrypted one is piped to/from an incoming encrypted data stream, Generally the encrypted one is piped to/from an incoming encrypted data stream,
and the cleartext one is used as a replacement for the initial encrypted stream. and the cleartext one is used as a replacement for the initial encrypted stream.
- `credentials`: A credentials object from crypto.createCredentials( ... ) - `credentials`: A secure context object from tls.createSecureContext( ... )
- `isServer`: A boolean indicating whether this tls connection should be - `isServer`: A boolean indicating whether this tls connection should be
opened as a server or a client. opened as a server or a client.
@ -532,10 +532,10 @@ Returns the bound address, the address family name and port of the
server as reported by the operating system. See [net.Server.address()][] for server as reported by the operating system. See [net.Server.address()][] for
more information. more information.
### server.addContext(hostname, credentials) ### server.addContext(hostname, context)
Add secure context that will be used if client request's SNI hostname is Add secure context that will be used if client request's SNI hostname is
matching passed `hostname` (wildcards can be used). `credentials` can contain matching passed `hostname` (wildcards can be used). `context` can contain
`key`, `cert` and `ca`. `key`, `cert` and `ca`.
### server.maxConnections ### server.maxConnections

128
lib/_tls_common.js Normal file
View File

@ -0,0 +1,128 @@
// Copyright Joyent, Inc. and other Node contributors.
//
// Permission is hereby granted, free of charge, to any person obtaining a
// copy of this software and associated documentation files (the
// "Software"), to deal in the Software without restriction, including
// without limitation the rights to use, copy, modify, merge, publish,
// distribute, sublicense, and/or sell copies of the Software, and to permit
// persons to whom the Software is furnished to do so, subject to the
// following conditions:
//
// The above copyright notice and this permission notice shall be included
// in all copies or substantial portions of the Software.
//
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE.
var util = require('util');
var tls = require('tls');
// Lazily loaded
var crypto = null;
var binding = process.binding('crypto');
var NativeSecureContext = binding.SecureContext;
function SecureContext(secureProtocol, flags, context) {
if (!(this instanceof SecureContext)) {
return new SecureContext(secureProtocol, flags, context);
}
if (context) {
this.context = context;
} else {
this.context = new NativeSecureContext();
if (secureProtocol) {
this.context.init(secureProtocol);
} else {
this.context.init();
}
}
if (flags) this.context.setOptions(flags);
}
exports.SecureContext = SecureContext;
exports.createSecureContext = function createSecureContext(options, context) {
if (!options) options = {};
var c = new SecureContext(options.secureProtocol,
options.secureOptions,
context);
if (context) return c;
if (options.key) {
if (options.passphrase) {
c.context.setKey(options.key, options.passphrase);
} else {
c.context.setKey(options.key);
}
}
if (options.cert) c.context.setCert(options.cert);
if (options.ciphers)
c.context.setCiphers(options.ciphers);
else
c.context.setCiphers(tls.DEFAULT_CIPHERS);
if (util.isUndefined(options.ecdhCurve))
c.context.setECDHCurve(tls.DEFAULT_ECDH_CURVE);
else if (options.ecdhCurve)
c.context.setECDHCurve(options.ecdhCurve);
if (options.ca) {
if (util.isArray(options.ca)) {
for (var i = 0, len = options.ca.length; i < len; i++) {
c.context.addCACert(options.ca[i]);
}
} else {
c.context.addCACert(options.ca);
}
} else {
c.context.addRootCerts();
}
if (options.crl) {
if (util.isArray(options.crl)) {
for (var i = 0, len = options.crl.length; i < len; i++) {
c.context.addCRL(options.crl[i]);
}
} else {
c.context.addCRL(options.crl);
}
}
if (options.sessionIdContext) {
c.context.setSessionIdContext(options.sessionIdContext);
}
if (options.pfx) {
var pfx = options.pfx;
var passphrase = options.passphrase;
if (!crypto)
crypto = require('crypto');
pfx = crypto._toBuf(pfx);
if (passphrase)
passphrase = crypto._toBuf(passphrase);
if (passphrase) {
c.context.loadPKCS12(pfx, passphrase);
} else {
c.context.loadPKCS12(pfx);
}
}
return c;
};

14
lib/_tls_legacy.js
View File

@ -681,10 +681,10 @@ function onnewsessiondone() {
* Provides a pair of streams to do encrypted communication. * Provides a pair of streams to do encrypted communication.
*/ */
function SecurePair(credentials, isServer, requestCert, rejectUnauthorized, function SecurePair(context, isServer, requestCert, rejectUnauthorized,
options) { options) {
if (!(this instanceof SecurePair)) { if (!(this instanceof SecurePair)) {
return new SecurePair(credentials, return new SecurePair(context,
isServer, isServer,
requestCert, requestCert,
rejectUnauthorized, rejectUnauthorized,
@ -705,10 +705,10 @@ function SecurePair(credentials, isServer, requestCert, rejectUnauthorized,
this._doneFlag = false; this._doneFlag = false;
this._destroying = false; this._destroying = false;
if (!credentials) { if (!context) {
this.credentials = crypto.createCredentials(); this.credentials = tls.createSecureContext();
} else { } else {
this.credentials = credentials; this.credentials = context;
} }
if (!this._isServer) { if (!this._isServer) {
@ -774,11 +774,11 @@ function SecurePair(credentials, isServer, requestCert, rejectUnauthorized,
util.inherits(SecurePair, events.EventEmitter); util.inherits(SecurePair, events.EventEmitter);
exports.createSecurePair = function(credentials, exports.createSecurePair = function(context,
isServer, isServer,
requestCert, requestCert,
rejectUnauthorized) { rejectUnauthorized) {
var pair = new SecurePair(credentials, var pair = new SecurePair(context,
isServer, isServer,
requestCert, requestCert,
rejectUnauthorized); rejectUnauthorized);

32
lib/_tls_wrap.js
View File

@ -123,8 +123,9 @@ function onclienthello(hello) {
if (err) if (err)
return self.destroy(err); return self.destroy(err);
// TODO(indutny): eventually disallow raw `SecureContext`
if (context) if (context)
self.ssl.sni_context = context; self.ssl.sni_context = context.context || context;
self.ssl.endParser(); self.ssl.endParser();
} }
@ -226,8 +227,10 @@ TLSSocket.prototype._init = function(socket) {
var options = this._tlsOptions; var options = this._tlsOptions;
// Wrap socket's handle // Wrap socket's handle
var credentials = options.credentials || crypto.createCredentials(); var context = options.secureContext ||
this.ssl = tls_wrap.wrap(this._handle, credentials.context, options.isServer); options.credentials ||
tls.createSecureContext();
this.ssl = tls_wrap.wrap(this._handle, context.context, options.isServer);
this.server = options.server || null; this.server = options.server || null;
// For clients, we will always have either a given ca list or be using // For clients, we will always have either a given ca list or be using
@ -530,15 +533,14 @@ function Server(/* [options], listener */) {
// Handle option defaults: // Handle option defaults:
this.setOptions(options); this.setOptions(options);
var sharedCreds = crypto.createCredentials({ var sharedCreds = tls.createSecureContext({
pfx: self.pfx, pfx: self.pfx,
key: self.key, key: self.key,
passphrase: self.passphrase, passphrase: self.passphrase,
cert: self.cert, cert: self.cert,
ca: self.ca, ca: self.ca,
ciphers: self.ciphers || tls.DEFAULT_CIPHERS, ciphers: self.ciphers,
ecdhCurve: util.isUndefined(self.ecdhCurve) ? ecdhCurve: self.ecdhCurve,
tls.DEFAULT_ECDH_CURVE : self.ecdhCurve,
secureProtocol: self.secureProtocol, secureProtocol: self.secureProtocol,
secureOptions: self.secureOptions, secureOptions: self.secureOptions,
crl: self.crl, crl: self.crl,
@ -563,7 +565,7 @@ function Server(/* [options], listener */) {
// constructor call // constructor call
net.Server.call(this, function(raw_socket) { net.Server.call(this, function(raw_socket) {
var socket = new TLSSocket(raw_socket, { var socket = new TLSSocket(raw_socket, {
credentials: sharedCreds, secureContext: sharedCreds,
isServer: true, isServer: true,
server: self, server: self,
requestCert: self.requestCert, requestCert: self.requestCert,
@ -674,7 +676,7 @@ Server.prototype.setOptions = function(options) {
}; };
// SNI Contexts High-Level API // SNI Contexts High-Level API
Server.prototype.addContext = function(servername, credentials) { Server.prototype.addContext = function(servername, context) {
if (!servername) { if (!servername) {
throw 'Servername is required parameter for Server.addContext'; throw 'Servername is required parameter for Server.addContext';
} }
@ -683,7 +685,7 @@ Server.prototype.addContext = function(servername, credentials) {
servername.replace(/([\.^$+?\-\\[\]{}])/g, '\\$1') servername.replace(/([\.^$+?\-\\[\]{}])/g, '\\$1')
.replace(/\*/g, '[^\.]*') + .replace(/\*/g, '[^\.]*') +
'$'); '$');
this._contexts.push([re, crypto.createCredentials(credentials).context]); this._contexts.push([re, tls.createSecureContext(context).context]);
}; };
function SNICallback(servername, callback) { function SNICallback(servername, callback) {
@ -728,12 +730,12 @@ function normalizeConnectArgs(listArgs) {
return (cb) ? [options, cb] : [options]; return (cb) ? [options, cb] : [options];
} }
function legacyConnect(hostname, options, NPN, credentials) { function legacyConnect(hostname, options, NPN, context) {
assert(options.socket); assert(options.socket);
if (!tls_legacy) if (!tls_legacy)
tls_legacy = require('_tls_legacy'); tls_legacy = require('_tls_legacy');
var pair = tls_legacy.createSecurePair(credentials, var pair = tls_legacy.createSecurePair(context,
false, false,
true, true,
!!options.rejectUnauthorized, !!options.rejectUnauthorized,
@ -765,7 +767,7 @@ exports.connect = function(/* [port, host], options, cb */) {
options.host || options.host ||
options.socket && options.socket._host, options.socket && options.socket._host,
NPN = {}, NPN = {},
credentials = crypto.createCredentials(options); context = tls.createSecureContext(options);
tls.convertNPNProtocols(options.NPNProtocols, NPN); tls.convertNPNProtocols(options.NPNProtocols, NPN);
// Wrapping TLS socket inside another TLS socket was requested - // Wrapping TLS socket inside another TLS socket was requested -
@ -776,12 +778,12 @@ exports.connect = function(/* [port, host], options, cb */) {
if (options.socket instanceof TLSSocket) { if (options.socket instanceof TLSSocket) {
debug('legacy connect'); debug('legacy connect');
legacy = true; legacy = true;
socket = legacyConnect(hostname, options, NPN, credentials); socket = legacyConnect(hostname, options, NPN, context);
result = socket.cleartext; result = socket.cleartext;
} else { } else {
legacy = false; legacy = false;
socket = new TLSSocket(options.socket, { socket = new TLSSocket(options.socket, {
credentials: credentials, secureContext: context,
isServer: false, isServer: false,
requestCert: true, requestCert: true,
rejectUnauthorized: options.rejectUnauthorized, rejectUnauthorized: options.rejectUnauthorized,

101
lib/crypto.js
View File

@ -26,7 +26,6 @@ exports.DEFAULT_ENCODING = 'buffer';
try { try {
var binding = process.binding('crypto'); var binding = process.binding('crypto');
var SecureContext = binding.SecureContext;
var randomBytes = binding.randomBytes; var randomBytes = binding.randomBytes;
var pseudoRandomBytes = binding.pseudoRandomBytes; var pseudoRandomBytes = binding.pseudoRandomBytes;
var getCiphers = binding.getCiphers; var getCiphers = binding.getCiphers;
@ -53,101 +52,12 @@ function toBuf(str, encoding) {
} }
return str; return str;
} }
exports._toBuf = toBuf;
var assert = require('assert'); var assert = require('assert');
var StringDecoder = require('string_decoder').StringDecoder; var StringDecoder = require('string_decoder').StringDecoder;
function Credentials(secureProtocol, flags, context) {
if (!(this instanceof Credentials)) {
return new Credentials(secureProtocol, flags, context);
}
if (context) {
this.context = context;
} else {
this.context = new SecureContext();
if (secureProtocol) {
this.context.init(secureProtocol);
} else {
this.context.init();
}
}
if (flags) this.context.setOptions(flags);
}
exports.Credentials = Credentials;
exports.createCredentials = function(options, context) {
if (!options) options = {};
var c = new Credentials(options.secureProtocol,
options.secureOptions,
context);
if (context) return c;
if (options.key) {
if (options.passphrase) {
c.context.setKey(options.key, options.passphrase);
} else {
c.context.setKey(options.key);
}
}
if (options.cert) c.context.setCert(options.cert);
if (options.ciphers) c.context.setCiphers(options.ciphers);
if (options.ecdhCurve) c.context.setECDHCurve(options.ecdhCurve);
if (options.ca) {
if (util.isArray(options.ca)) {
for (var i = 0, len = options.ca.length; i < len; i++) {
c.context.addCACert(options.ca[i]);
}
} else {
c.context.addCACert(options.ca);
}
} else {
c.context.addRootCerts();
}
if (options.crl) {
if (util.isArray(options.crl)) {
for (var i = 0, len = options.crl.length; i < len; i++) {
c.context.addCRL(options.crl[i]);
}
} else {
c.context.addCRL(options.crl);
}
}
if (options.sessionIdContext) {
c.context.setSessionIdContext(options.sessionIdContext);
}
if (options.pfx) {
var pfx = options.pfx;
var passphrase = options.passphrase;
pfx = toBuf(pfx);
if (passphrase)
passphrase = toBuf(passphrase);
if (passphrase) {
c.context.loadPKCS12(pfx, passphrase);
} else {
c.context.loadPKCS12(pfx);
}
}
return c;
};
function LazyTransform(options) { function LazyTransform(options) {
this._options = options; this._options = options;
@ -711,3 +621,12 @@ function filterDuplicates(names) {
return ctx[key]; return ctx[key];
}).sort(); }).sort();
} }
// Legacy API
exports.__defineGetter__('createCredentials', util.deprecate(function() {
return require('tls').createSecureContext;
}, 'createCredentials() is deprecated, use tls.createSecureContext instead'));
exports.__defineGetter__('Credentials', util.deprecate(function() {
return require('tls').SecureContext;
}, 'Credentials is deprecated, use tls.createSecureContext instead'));

14
lib/tls.js
View File

@ -23,12 +23,6 @@ var net = require('net');
var url = require('url'); var url = require('url');
var util = require('util'); var util = require('util');
exports.DEFAULT_CIPHERS =
'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' + // TLS 1.2
'RC4:HIGH:!MD5:!aNULL:!EDH'; // TLS 1.0
exports.DEFAULT_ECDH_CURVE = 'prime256v1';
// Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations // Allow {CLIENT_RENEG_LIMIT} client-initiated session renegotiations
// every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more // every {CLIENT_RENEG_WINDOW} seconds. An error event is emitted if more
// renegotations are seen. The settings are applied to all remote client // renegotations are seen. The settings are applied to all remote client
@ -38,6 +32,12 @@ exports.CLIENT_RENEG_WINDOW = 600;
exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024; exports.SLAB_BUFFER_SIZE = 10 * 1024 * 1024;
exports.DEFAULT_CIPHERS =
'ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:' + // TLS 1.2
'RC4:HIGH:!MD5:!aNULL:!EDH'; // TLS 1.0
exports.DEFAULT_ECDH_CURVE = 'prime256v1';
exports.getCiphers = function() { exports.getCiphers = function() {
var names = process.binding('crypto').getSSLCiphers(); var names = process.binding('crypto').getSSLCiphers();
// Drop all-caps names in favor of their lowercase aliases, // Drop all-caps names in favor of their lowercase aliases,
@ -209,6 +209,8 @@ exports.parseCertString = function parseCertString(s) {
}; };
// Public API // Public API
exports.createSecureContext = require('_tls_common').createSecureContext;
exports.SecureContext = require('_tls_common').SecureContext;
exports.TLSSocket = require('_tls_wrap').TLSSocket; exports.TLSSocket = require('_tls_wrap').TLSSocket;
exports.Server = require('_tls_wrap').Server; exports.Server = require('_tls_wrap').Server;
exports.createServer = require('_tls_wrap').createServer; exports.createServer = require('_tls_wrap').createServer;

1
node.gyp
View File

@ -59,6 +59,7 @@
'lib/timers.js', 'lib/timers.js',
'lib/tracing.js', 'lib/tracing.js',
'lib/tls.js', 'lib/tls.js',
'lib/_tls_common.js',
'lib/_tls_legacy.js', 'lib/_tls_legacy.js',
'lib/_tls_wrap.js', 'lib/_tls_wrap.js',
'lib/tty.js', 'lib/tty.js',

2
src/node_crypto.cc
View File

@ -1834,7 +1834,7 @@ void Connection::New(const FunctionCallbackInfo<Value>& args) {
HandleScope scope(env->isolate()); HandleScope scope(env->isolate());
if (args.Length() < 1 || !args[0]->IsObject()) { if (args.Length() < 1 || !args[0]->IsObject()) {
env->ThrowError("First argument must be a crypto module Credentials"); env->ThrowError("First argument must be a tls module SecureContext");
return; return;
} }

2
test/pummel/test-tls-securepair-client.js
View File

@ -128,7 +128,7 @@ function test(keyfn, certfn, check, next) {
function startClient() { function startClient() {
var s = new net.Stream(); var s = new net.Stream();
var sslcontext = crypto.createCredentials({key: key, cert: cert}); var sslcontext = tls.createSecureContext({key: key, cert: cert});
sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
var pair = tls.createSecurePair(sslcontext, false); var pair = tls.createSecurePair(sslcontext, false);

19
test/simple/test-crypto-binary-default.js
View File

@ -29,6 +29,7 @@ var constants = require('constants');
try { try {
var crypto = require('crypto'); var crypto = require('crypto');
var tls = require('tls');
} catch (e) { } catch (e) {
console.log('Not compiled with OPENSSL support.'); console.log('Not compiled with OPENSSL support.');
process.exit(); process.exit();
@ -49,11 +50,13 @@ var rsaPubPem = fs.readFileSync(common.fixturesDir + '/test_rsa_pubkey.pem',
var rsaKeyPem = fs.readFileSync(common.fixturesDir + '/test_rsa_privkey.pem', var rsaKeyPem = fs.readFileSync(common.fixturesDir + '/test_rsa_privkey.pem',
'ascii'); 'ascii');
// TODO(indutny): Move to a separate test eventually
try { try {
var credentials = crypto.createCredentials( var context = tls.createSecureContext({
{key: keyPem, key: keyPem,
cert: certPem, cert: certPem,
ca: caPem}); ca: caPem
});
} catch (e) { } catch (e) {
console.log('Not compiled with OPENSSL support.'); console.log('Not compiled with OPENSSL support.');
process.exit(); process.exit();
@ -61,19 +64,19 @@ try {
// PFX tests // PFX tests
assert.doesNotThrow(function() { assert.doesNotThrow(function() {
crypto.createCredentials({pfx:certPfx, passphrase:'sample'}); tls.createSecureContext({pfx:certPfx, passphrase:'sample'});
}); });
assert.throws(function() { assert.throws(function() {
crypto.createCredentials({pfx:certPfx}); tls.createSecureContext({pfx:certPfx});
}, 'mac verify failure'); }, 'mac verify failure');
assert.throws(function() { assert.throws(function() {
crypto.createCredentials({pfx:certPfx, passphrase:'test'}); tls.createSecureContext({pfx:certPfx, passphrase:'test'});
}, 'mac verify failure'); }, 'mac verify failure');
assert.throws(function() { assert.throws(function() {
crypto.createCredentials({pfx:'sample', passphrase:'test'}); tls.createSecureContext({pfx:'sample', passphrase:'test'});
}, 'not enough data'); }, 'not enough data');
// Test HMAC // Test HMAC

18
test/simple/test-crypto.js
View File

@ -58,11 +58,13 @@ var dsaKeyPemEncrypted = fs.readFileSync(
common.fixturesDir + '/test_dsa_privkey_encrypted.pem', 'ascii'); common.fixturesDir + '/test_dsa_privkey_encrypted.pem', 'ascii');
// TODO(indunty): move to a separate test eventually
try { try {
var credentials = crypto.createCredentials( var context = tls.createSecureContext({
{key: keyPem, key: keyPem,
cert: certPem, cert: certPem,
ca: caPem}); ca: caPem
});
} catch (e) { } catch (e) {
console.log('Not compiled with OPENSSL support.'); console.log('Not compiled with OPENSSL support.');
process.exit(); process.exit();
@ -70,19 +72,19 @@ try {
// PFX tests // PFX tests
assert.doesNotThrow(function() { assert.doesNotThrow(function() {
crypto.createCredentials({pfx:certPfx, passphrase:'sample'}); crypto.createSecureContext({pfx:certPfx, passphrase:'sample'});
}); });
assert.throws(function() { assert.throws(function() {
crypto.createCredentials({pfx:certPfx}); tls.createSecureContext({pfx:certPfx});
}, 'mac verify failure'); }, 'mac verify failure');
assert.throws(function() { assert.throws(function() {
crypto.createCredentials({pfx:certPfx, passphrase:'test'}); tls.createSecureContext({pfx:certPfx, passphrase:'test'});
}, 'mac verify failure'); }, 'mac verify failure');
assert.throws(function() { assert.throws(function() {
crypto.createCredentials({pfx:'sample', passphrase:'test'}); tls.createSecureContext({pfx:'sample', passphrase:'test'});
}, 'not enough data'); }, 'not enough data');
// Test HMAC // Test HMAC

3
test/simple/test-tls-client-default-ciphers.js
View File

@ -19,13 +19,12 @@
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE // OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
// USE OR OTHER DEALINGS IN THE SOFTWARE. // USE OR OTHER DEALINGS IN THE SOFTWARE.
var crypto = require('crypto');
var assert = require('assert'); var assert = require('assert');
var tls = require('tls'); var tls = require('tls');
function test1() { function test1() {
var ciphers = ''; var ciphers = '';
crypto.createCredentials = function(options) { tls.createSecureContext = function(options) {
ciphers = options.ciphers ciphers = options.ciphers
} }
tls.connect(443); tls.connect(443);

3
test/simple/test-tls-delayed-attach.js
View File

@ -28,7 +28,6 @@ var assert = require('assert');
var fs = require('fs'); var fs = require('fs');
var net = require('net'); var net = require('net');
var tls = require('tls'); var tls = require('tls');
var crypto = require('crypto');
var common = require('../common'); var common = require('../common');
@ -45,7 +44,7 @@ var server = net.createServer(function(c) {
setTimeout(function() { setTimeout(function() {
var s = new tls.TLSSocket(c, { var s = new tls.TLSSocket(c, {
isServer: true, isServer: true,
credentials: crypto.createCredentials(options) secureContext: tls.createSecureContext(options)
}); });
s.on('data', function(chunk) { s.on('data', function(chunk) {

13
test/simple/test-tls-honorcipherorder.js
View File

@ -30,7 +30,7 @@ var SSL_Method = 'TLSv1_method';
var localhost = '127.0.0.1'; var localhost = '127.0.0.1';
process.on('exit', function() { process.on('exit', function() {
assert.equal(nconns, 5); assert.equal(nconns, 6);
}); });
function test(honorCipherOrder, clientCipher, expectedCipher, cb) { function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
@ -38,7 +38,7 @@ function test(honorCipherOrder, clientCipher, expectedCipher, cb) {
secureProtocol: SSL_Method, secureProtocol: SSL_Method,
key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'), key: fs.readFileSync(common.fixturesDir + '/keys/agent2-key.pem'),
cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'), cert: fs.readFileSync(common.fixturesDir + '/keys/agent2-cert.pem'),
ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA', ciphers: 'DES-CBC-SHA:AES256-SHA:RC4-SHA:ECDHE-RSA-AES256-SHA',
honorCipherOrder: !!honorCipherOrder honorCipherOrder: !!honorCipherOrder
}; };
@ -96,5 +96,12 @@ function test5() {
// Client did not explicitly set ciphers. Ensure that client defaults to // Client did not explicitly set ciphers. Ensure that client defaults to
// sane ciphers. Even though server gives top priority to DES-CBC-SHA // sane ciphers. Even though server gives top priority to DES-CBC-SHA
// it should not be negotiated because it's not in default client ciphers. // it should not be negotiated because it's not in default client ciphers.
test(true, null, 'AES256-SHA'); test(true, null, 'AES256-SHA', test6);
}
function test6() {
// Ensure that `tls.DEFAULT_CIPHERS` is used
SSL_Method = 'TLSv1_2_method';
tls.DEFAULT_CIPHERS = 'ECDHE-RSA-AES256-SHA';
test(true, null, 'ECDHE-RSA-AES256-SHA');
} }

9
test/simple/test-tls-npn-server-client.js
View File

@ -28,8 +28,7 @@ if (!process.features.tls_npn) {
var common = require('../common'), var common = require('../common'),
assert = require('assert'), assert = require('assert'),
fs = require('fs'), fs = require('fs'),
tls = require('tls'), tls = require('tls');
crypto = require('crypto');
function filenamePEM(n) { function filenamePEM(n) {
return require('path').join(common.fixturesDir, 'keys', n + '.pem'); return require('path').join(common.fixturesDir, 'keys', n + '.pem');
@ -43,12 +42,12 @@ var serverOptions = {
key: loadPEM('agent2-key'), key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'), cert: loadPEM('agent2-cert'),
crl: loadPEM('ca2-crl'), crl: loadPEM('ca2-crl'),
SNICallback: function() { SNICallback: function(servername, cb) {
return crypto.createCredentials({ cb(null, tls.createSecureContext({
key: loadPEM('agent2-key'), key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'), cert: loadPEM('agent2-cert'),
crl: loadPEM('ca2-crl'), crl: loadPEM('ca2-crl'),
}).context; }));
}, },
NPNProtocols: ['a', 'b', 'c'] NPNProtocols: ['a', 'b', 'c']
}; };

3
test/simple/test-tls-securepair-server.js
View File

@ -31,7 +31,6 @@ var assert = require('assert');
var join = require('path').join; var join = require('path').join;
var net = require('net'); var net = require('net');
var fs = require('fs'); var fs = require('fs');
var crypto = require('crypto');
var tls = require('tls'); var tls = require('tls');
var spawn = require('child_process').spawn; var spawn = require('child_process').spawn;
@ -46,7 +45,7 @@ function log(a) {
var server = net.createServer(function(socket) { var server = net.createServer(function(socket) {
connections++; connections++;
log('connection fd=' + socket.fd); log('connection fd=' + socket.fd);
var sslcontext = crypto.createCredentials({key: key, cert: cert}); var sslcontext = tls.createSecureContext({key: key, cert: cert});
sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA'); sslcontext.context.setCiphers('RC4-SHA:AES128-SHA:AES256-SHA');
var pair = tls.createSecurePair(sslcontext, true); var pair = tls.createSecurePair(sslcontext, true);

9
test/simple/test-tls-sni-option.js
View File

@ -27,7 +27,6 @@ if (!process.features.tls_sni) {
var common = require('../common'), var common = require('../common'),
assert = require('assert'), assert = require('assert'),
crypto = require('crypto'),
fs = require('fs'), fs = require('fs'),
tls = require('tls'); tls = require('tls');
@ -43,15 +42,15 @@ var serverOptions = {
key: loadPEM('agent2-key'), key: loadPEM('agent2-key'),
cert: loadPEM('agent2-cert'), cert: loadPEM('agent2-cert'),
SNICallback: function(servername, callback) { SNICallback: function(servername, callback) {
var credentials = SNIContexts[servername]; var context = SNIContexts[servername];
// Just to test asynchronous callback // Just to test asynchronous callback
setTimeout(function() { setTimeout(function() {
if (credentials) { if (context) {
if (credentials.emptyRegression) if (context.emptyRegression)
callback(null, {}); callback(null, {});
else else
callback(null, crypto.createCredentials(credentials).context); callback(null, tls.createSecureContext(context));
} else { } else {
callback(null, null); callback(null, null);
} }