tls: return an OpenSSL error from renegotiate

A generic error lacks any of the context or detail of the underlying OpenSSL error, so throw from C++, and report the OpenSSL error to the callback. PR-URL: https://github.com/nodejs/node/pull/26868 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Tobias Nießen <tniessen@tnie.de>
2019-03-27 12:10:48 -07:00 · 2019-03-27 12:10:48 -07:00 · 8c69e06972
commit 8c69e06972
parent bcbd35a48d
6 changed files with 17 additions and 17 deletions
--- a/doc/api/errors.md
+++ b/doc/api/errors.md
@ -1771,11 +1771,6 @@ Valid TLS protocol versions are `'TLSv1'`, `'TLSv1.1'`, or `'TLSv1.2'`.
 Attempting to set a TLS protocol `minVersion` or `maxVersion` conflicts with an
 attempt to set the `secureProtocol` explicitly. Use one mechanism or the other.

-<a id="ERR_TLS_RENEGOTIATE"></a>
-### ERR_TLS_RENEGOTIATE
-
-An attempt to renegotiate the TLS session failed.
-
 <a id="ERR_TLS_RENEGOTIATION_DISABLED"></a>
 ### ERR_TLS_RENEGOTIATION_DISABLED

--- a/doc/api/tls.md
+++ b/doc/api/tls.md
@ -1046,9 +1046,10 @@ added: v0.11.8
    `true`.
  * `requestCert`
 * `callback` {Function} If `renegotiate()` returned `true`, callback is
-   attached once to the `'secure'` event. If it returned `false`, it will be
-   called in the next tick with `ERR_TLS_RENEGOTIATE`, unless the `tlsSocket`
-   has been destroyed, in which case it will not be called at all.
+   attached once to the `'secure'` event. If `renegotiate()` returned `false`,
+   `callback` will be called in the next tick with an error, unless the
+   `tlsSocket` has been destroyed, in which case `callback` will not be called
+   at all.

 * Returns: {boolean} `true` if renegotiation was initiated, `false` otherwise.

--- a/lib/_tls_wrap.js
+++ b/lib/_tls_wrap.js
@ -48,7 +48,6 @@ const {
  ERR_SOCKET_CLOSED,
  ERR_TLS_DH_PARAM_SIZE,
  ERR_TLS_HANDSHAKE_TIMEOUT,
-  ERR_TLS_RENEGOTIATE,
  ERR_TLS_RENEGOTIATION_DISABLED,
  ERR_TLS_REQUIRED_SERVER_NAME,
  ERR_TLS_SESSION_ATTACK,
@ -661,9 +660,11 @@ TLSSocket.prototype.renegotiate = function(options, callback) {
  // Ensure that we'll cycle through internal openssl's state
  this.write('');

-  if (!this._handle.renegotiate()) {
+  try {
+    this._handle.renegotiate();
+  } catch (err) {
    if (callback) {
-      process.nextTick(callback, new ERR_TLS_RENEGOTIATE());
+      process.nextTick(callback, err);
    }
    return false;
  }
--- a/lib/internal/errors.js
+++ b/lib/internal/errors.js
@ -1046,7 +1046,6 @@ E('ERR_TLS_INVALID_PROTOCOL_VERSION',
  '%j is not a valid %s TLS protocol version', TypeError);
 E('ERR_TLS_PROTOCOL_VERSION_CONFLICT',
  'TLS protocol version %j conflicts with secureProtocol %j', TypeError);
-E('ERR_TLS_RENEGOTIATE', 'Attempt to renegotiate TLS session failed', Error);
 E('ERR_TLS_RENEGOTIATION_DISABLED',
  'TLS session renegotiation disabled for this socket', Error);

--- a/src/node_crypto.cc
+++ b/src/node_crypto.cc
@ -2339,9 +2339,9 @@ void SSLWrap<Base>::Renegotiate(const FunctionCallbackInfo<Value>& args) {

  ClearErrorOnReturn clear_error_on_return;

-  // TODO(@sam-github) Return/throw an error, don't discard the SSL error info.
-  bool yes = SSL_renegotiate(w->ssl_.get()) == 1;
-  args.GetReturnValue().Set(yes);
+  if (SSL_renegotiate(w->ssl_.get()) != 1) {
+    return ThrowCryptoError(w->ssl_env(), ERR_get_error());
+  }
 }


--- a/test/parallel/test-tls-client-renegotiation-13.js
+++ b/test/parallel/test-tls-client-renegotiation-13.js
@ -28,8 +28,12 @@ connect({
  assert.strictEqual(client.getProtocol(), 'TLSv1.3');

  const ok = client.renegotiate({}, common.mustCall((err) => {
-    assert(err.code, 'ERR_TLS_RENEGOTIATE');
-    assert(err.message, 'Attempt to renegotiate TLS session failed');
+    assert.throws(() => { throw err; }, {
+      message: 'error:1420410A:SSL routines:SSL_renegotiate:wrong ssl version',
+      code: 'ERR_SSL_WRONG_SSL_VERSION',
+      library: 'SSL routines',
+      reason: 'wrong ssl version',
+    });
    cleanup();
  }));