From ceb8044ff5b713b5de00e3341c6c92deb1c24e8e Mon Sep 17 00:00:00 2001
From: =?utf8?q?J=C3=A9r=C3=A9my=20Lal?= <kapouer@melix.org>
Date: Fri, 8 Nov 2024 20:05:21 +0100
Subject: [PATCH] trivial tests fixes for OpenSSL32 compatibility

Forwarded: https://github.com/nodejs/node/issues/51152
Last-Update: 2024-11-08


Gbp-Pq: Topic build
Gbp-Pq: Name openssl-3-2-2-tests.patch
---
 test/parallel/test-tls-getcipher.js          | 18 ++++++------
 test/parallel/test-tls-junk-closes-server.js | 16 +++++++++++
 test/parallel/test-tls-set-ciphers.js        | 29 +++++++++++++-------
 3 files changed, 44 insertions(+), 19 deletions(-)

diff --git a/test/parallel/test-tls-getcipher.js b/test/parallel/test-tls-getcipher.js
index 2a234d590..4d5042d6e 100644
--- a/test/parallel/test-tls-getcipher.js
+++ b/test/parallel/test-tls-getcipher.js
@@ -47,13 +47,13 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   tls.connect({
     host: '127.0.0.1',
     port: this.address().port,
-    ciphers: 'AES128-SHA256',
+    ciphers: 'AES256-SHA256',
     rejectUnauthorized: false,
     maxVersion: 'TLSv1.2',
   }, common.mustCall(function() {
     const cipher = this.getCipher();
-    assert.strictEqual(cipher.name, 'AES128-SHA256');
-    assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_128_CBC_SHA256');
+    assert.strictEqual(cipher.name, 'AES256-SHA256');
+    assert.strictEqual(cipher.standardName, 'TLS_RSA_WITH_AES_256_CBC_SHA256');
     assert.strictEqual(cipher.version, 'TLSv1.2');
     this.end();
   }));
@@ -62,14 +62,14 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
   tls.connect({
     host: '127.0.0.1',
     port: this.address().port,
-    ciphers: 'ECDHE-RSA-AES128-GCM-SHA256',
+    ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
     rejectUnauthorized: false,
     maxVersion: 'TLSv1.2',
   }, common.mustCall(function() {
     const cipher = this.getCipher();
-    assert.strictEqual(cipher.name, 'ECDHE-RSA-AES128-GCM-SHA256');
+    assert.strictEqual(cipher.name, 'ECDHE-RSA-AES256-GCM-SHA384');
     assert.strictEqual(cipher.standardName,
-                       'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256');
+                       'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384');
     assert.strictEqual(cipher.version, 'TLSv1.2');
     this.end();
   }));
@@ -78,19 +78,19 @@ server.listen(0, '127.0.0.1', common.mustCall(function() {
 tls.createServer({
   key: fixtures.readKey('agent2-key.pem'),
   cert: fixtures.readKey('agent2-cert.pem'),
-  ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_CCM_8_SHA256',
+  ciphers: 'TLS_CHACHA20_POLY1305_SHA256:TLS_AES_256_GCM_SHA384',
   maxVersion: 'TLSv1.3',
 }, common.mustCall(function() {
   this.close();
 })).listen(0, common.mustCall(function() {
   const client = tls.connect({
     port: this.address().port,
-    ciphers: 'TLS_AES_128_CCM_8_SHA256',
+    ciphers: 'TLS_AES_256_GCM_SHA384',
     maxVersion: 'TLSv1.3',
     rejectUnauthorized: false
   }, common.mustCall(() => {
     const cipher = client.getCipher();
-    assert.strictEqual(cipher.name, 'TLS_AES_128_CCM_8_SHA256');
+    assert.strictEqual(cipher.name, 'TLS_AES_256_GCM_SHA384');
     assert.strictEqual(cipher.standardName, cipher.name);
     assert.strictEqual(cipher.version, 'TLSv1.3');
     client.end();
diff --git a/test/parallel/test-tls-junk-closes-server.js b/test/parallel/test-tls-junk-closes-server.js
index 06fa57267..08c2d39c6 100644
--- a/test/parallel/test-tls-junk-closes-server.js
+++ b/test/parallel/test-tls-junk-closes-server.js
@@ -39,6 +39,22 @@ const server = tls.createServer(options, common.mustNotCall());
 server.listen(0, common.mustCall(function() {
   const c = net.createConnection(this.address().port);
 
+  c.on('data', function() {
+    // We must consume all data sent by the server. Otherwise the
+    // end event will not be sent and the test will hang.
+    // For example, when compiled with OpenSSL32 we see the
+    // following response '15 03 03 00 02 02 16' which
+    // decodes as a fatal (0x02) TLS error alert number 22 (0x16),
+    // which corresponds to TLS1_AD_RECORD_OVERFLOW which matches
+    // the error we see if NODE_DEBUG is turned on.
+    // Some earlier OpenSSL versions did not seem to send a response
+    // but the TLS spec seems to indicate there should be one
+    // https://datatracker.ietf.org/doc/html/rfc8446#page-85
+    // and error handling seems to have been re-written/improved
+    // in OpenSSL32. Consuming the data allows the test to pass
+    // either way.
+  });
+
   c.on('connect', common.mustCall(function() {
     c.write('blah\nblah\nblah\n');
   }));
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index 313c5e238..f7062e73c 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
@@ -79,6 +79,11 @@ function test(cciphers, sciphers, cipher, cerr, serr, options) {
 
 const U = undefined;
 
+let expectedTLSAlertError = 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
+if (common.hasOpenSSL(3, 2)) {
+  expectedTLSAlertError = 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE';
+}
+
 // Have shared ciphers.
 test(U, 'AES256-SHA', 'AES256-SHA');
 test('AES256-SHA', U, 'AES256-SHA');
@@ -89,13 +94,13 @@ test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+     U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER');
 
-test('AES128-SHA', 'AES256-SHA', U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE',
+test('AES256-SHA', 'AES256-SHA256', U, expectedTLSAlertError,
      'ERR_SSL_NO_SHARED_CIPHER');
-test('AES128-SHA:TLS_AES_256_GCM_SHA384',
-     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA',
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+test('AES256-SHA:TLS_AES_256_GCM_SHA384',
+     'TLS_CHACHA20_POLY1305_SHA256:AES256-SHA256',
+     U, expectedTLSAlertError, 'ERR_SSL_NO_SHARED_CIPHER');
 
 // Cipher order ignored, TLS1.3 chosen before TLS1.2.
 test('AES256-SHA:TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
@@ -110,11 +115,15 @@ test(U, 'AES256-SHA', 'TLS_AES_256_GCM_SHA384', U, U, { maxVersion: 'TLSv1.3' })
 
 // TLS_AES_128_CCM_8_SHA256 & TLS_AES_128_CCM_SHA256 are not enabled by
 // default, but work.
-test('TLS_AES_128_CCM_8_SHA256', U,
-     U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
-
-test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
-     'TLS_AES_128_CCM_8_SHA256');
+// However, for OpenSSL32 AES_128 is not enabled due to the
+// default security level
+if (!common.hasOpenSSL(3, 2)) {
+  test('TLS_AES_128_CCM_8_SHA256', U,
+       U, 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE', 'ERR_SSL_NO_SHARED_CIPHER');
+
+  test('TLS_AES_128_CCM_8_SHA256', 'TLS_AES_128_CCM_8_SHA256',
+       'TLS_AES_128_CCM_8_SHA256');
+}
 
 // Invalid cipher values
 test(9, 'AES256-SHA', U, 'ERR_INVALID_ARG_TYPE', U);
-- 
2.30.2