Haraka 3.1.4 → 3.1.5

package/test/tls_socket.js

@@ -0,0 +1,104 @@
+'use strict'
+
+const test = require('node:test')
+const assert = require('node:assert/strict')
+const path = require('node:path')
+const net = require('node:net')
+const tls = require('node:tls')
+const fs = require('node:fs')
+
+// Mock dependencies before requiring the target
+const mock = require('node:test').mock
+
+const tls_socket = require('../tls_socket')
+
+const TEST_CERT = fs.readFileSync(path.join(__dirname, 'config/tls_cert.pem'))
+const TEST_KEY = fs.readFileSync(path.join(__dirname, 'config/tls_key.pem'))
+
+test('tls_socket', async (t) => {
+    await t.test('parse_x509', async (t) => {
+        await t.test('handles empty string', async () => {
+            const res = await tls_socket.parse_x509('')
+            assert.deepEqual(res, {})
+        })
+
+        await t.test('handles null/undefined', async () => {
+            const res = await tls_socket.parse_x509(null)
+            assert.deepEqual(res, {})
+        })
+
+        // This would exercise the uninitialized res.names bug if we had a cert string
+        // but since it spawns openssl, we'd need to mock spawn or provide a real cert.
+    })
+
+    await t.test('get_rejectUnauthorized', async (t) => {
+        await t.test('returns true if rejectUnauthorized is true', () => {
+            assert.strictEqual(tls_socket.get_rejectUnauthorized(true, 25, [25]), true)
+        })
+
+        await t.test('returns true if port is in port_list', () => {
+            assert.strictEqual(tls_socket.get_rejectUnauthorized(false, 465, [465]), true)
+        })
+
+        await t.test('returns false if port is not in port_list', () => {
+            assert.strictEqual(tls_socket.get_rejectUnauthorized(false, 25, [465]), false)
+        })
+    })
+
+    await t.test('SNICallback', async (t) => {
+        await t.test('calls sniDone with default context if servername unknown', (t, done) => {
+            // This test requires some setup of ctxByHost which is private to the module
+            // but we can test if it's a function
+            assert.strictEqual(typeof tls_socket.SNICallback, 'function')
+            done()
+        })
+    })
+
+    await t.test('pluggableStream', async (t) => {
+        // This is a class inside the file, but not exported.
+        // We can test it via createServer or connect if we mock net.
+    })
+
+    await t.test('connect', async (t) => {
+        // Exercise the `new tls.connect` bug
+        // We can't easily catch the 'new' keyword usage without proxying tls.connect
+        assert.strictEqual(typeof tls_socket.connect, 'function')
+    })
+
+    await t.test('connect upgrade error propagation', async (t) => {
+        // Verify that TLS errors during socket.upgrade() are propagated to the outer
+        // pluggableStream socket, not silently swallowed.
+        // A TLS server that requires a client cert; connecting without one triggers
+        // a post-handshake "certificate required" alert (TLSv1.3).
+        await t.test('emits error on outer socket when client cert is missing', async () => {
+            const server = tls.createServer(
+                { cert: TEST_CERT, key: TEST_KEY, requestCert: true, rejectUnauthorized: true },
+                () => {},
+            )
+            await new Promise((resolve) => server.listen(0, '127.0.0.1', resolve))
+            const { port } = server.address()
+
+            try {
+                const err = await new Promise((resolve, reject) => {
+                    const socket = tls_socket.connect({ host: '127.0.0.1', port })
+                    socket.upgrade({ rejectUnauthorized: false }, () => {})
+                    socket.on('error', resolve)
+                    socket.on('close', () => reject(new Error('closed without error')))
+                    setTimeout(() => reject(new Error('timeout')), 3000)
+                })
+                assert.ok(
+                    /certificate required|socket hang up|disconnected/.test(err.message),
+                    `unexpected error: ${err.message}`,
+                )
+                assert.equal(err.source, 'tls', 'error.source should be "tls"')
+            } finally {
+                await new Promise((resolve) => server.close(resolve))
+            }
+        })
+    })
+
+    await t.test('getSocketOpts', async (t) => {
+        // Exercise the typo path (would requires failing config.getDir)
+        assert.strictEqual(typeof tls_socket.getSocketOpts, 'function')
+    })
+})

package/tls_socket.js

@@ -159,21 +159,16 @@ exports.parse_x509 = async (string) => {
     const res = {}
     if (!string) return res
 
-    const keyRe = new RegExp('([-]+BEGIN (?:\\w+ )?PRIVATE KEY[-]+[^-]*[-]+END (?:\\w+ )?PRIVATE KEY[-]+)', 'gm')
+    const keyRe = /([-]+BEGIN (?:\w+ )?PRIVATE KEY[-]+[^-]*[-]+END (?:\w+ )?PRIVATE KEY[-]+)/gm
     res.keys = string.match(keyRe)
 
-    const certRe = new RegExp('([-]+BEGIN CERTIFICATE[-]+[^-]*[-]+END CERTIFICATE[-]+)', 'gm')
+    const certRe = /([-]+BEGIN CERTIFICATE[-]+[^-]*[-]+END CERTIFICATE[-]+)/gm
     res.chain = string.match(certRe)
 
     if (res.chain?.length) {
-        const opensslArgs = [res.chain[0], 'x509', '-noout']
-        // shush openssl, https://github.com/openssl/openssl/issues/22893
-        // if (['darwin','linux','freebsd'].includes(process.platform))
-        //     opensslArgs.push('-in', '/dev/stdin')
-
         // it's cleaner to call openssl with each of -enddate, -subject, etc, but it costs
         // 40-50ms per spawn with node v21 on a M1 MBP
-        const raw = await openssl(...opensslArgs, '-enddate', '-subject', '-ext', 'subjectAltName')
+        const raw = await openssl(res.chain[0], 'x509', '-noout', '-enddate', '-subject', '-ext', 'subjectAltName')
         if (!raw) return res
 
         res.expire = new Date(raw.match(/notAfter=(.* [A-Z]{3})/)[1])
@@ -191,7 +186,7 @@ exports.parse_x509 = async (string) => {
 }
 
 exports.load_tls_ini = (opts) => {
-    log.info(`loading tls.ini`) // from ${this.config.root_path}`);
+    log.info('loading tls.ini')
 
     const cfg = exports.config.get(
         'tls.ini',
@@ -339,7 +334,7 @@ exports.load_default_opts = () => {
     if (!Array.isArray(cfg.key)) cfg.key = [cfg.key]
     if (!Array.isArray(cfg.cert)) cfg.cert = [cfg.cert]
 
-    if (cfg.key.length != cfg.cert.length) {
+    if (cfg.key.length !== cfg.cert.length) {
         log.error(`number of keys (${cfg.key.length}) not equal to certs (${cfg.cert.length}).`)
     }
 
@@ -454,19 +449,20 @@ exports.get_certs_dir = async (tlsDir) => {
 function openssl(crt, ...params) {
     return new Promise((resolve) => {
         let crtTxt = ''
+        let errTxt = ''
 
-        const o = spawn('openssl', [...params], { timeout: 1000 })
+        const o = spawn('openssl', params, { timeout: 2000 })
         o.stdout.on('data', (data) => {
             crtTxt += data
         })
 
         o.stderr.on('data', (data) => {
-            log.debug(`err: ${data.toString().trim()}`)
+            errTxt += data
         })
 
         o.on('close', (code) => {
             if (code !== 0) {
-                if (code) console.error(code)
+                log.error(`openssl ${params.join(' ')} failed with code ${code}: ${errTxt.trim()}`)
             }
             resolve(crtTxt)
         })
@@ -484,8 +480,7 @@ exports.getSocketOpts = async (name) => {
         await this.get_certs_dir('tls')
     } catch (err) {
         if (err.code !== 'ENOENT') {
-            console.error(err.messsage)
-            log.error(err)
+            log.error(err.message)
         }
     }
 
@@ -519,7 +514,7 @@ exports.ensureDhparams = (done) => {
 
     log.info(`Generating a 2048 bit dhparams file at ${fpResolved}`)
 
-    const o = spawn('openssl', ['dhparam', '-out', `${fpResolved}`, '2048'])
+    const o = spawn('openssl', ['dhparam', '-out', fpResolved, '2048'], { timeout: 30000 })
     o.stdout.on('data', (data) => {
         // normally empty output
         log.debug(data)
@@ -586,9 +581,9 @@ exports.shutdown = () => {
 
 function cleanOcspCache() {
     log.debug(`Cleaning ocspCache. How many keys? ${Object.keys(ocspCache.cache).length}`)
-    Object.keys(ocspCache.cache).forEach((key) => {
+    for (const key of Object.keys(ocspCache.cache)) {
         clearTimeout(ocspCache.cache[key].timer)
-    })
+    }
 }
 
 exports.certsByHost = certsByHost
@@ -688,12 +683,13 @@ function connect(conn_options = {}) {
         }
         options.socket = cryptoSocket
 
-        const cleartext = new tls.connect(options)
+        const cleartext = tls.connect(options)
 
         pipe(cleartext, cryptoSocket)
 
         cleartext.on('error', (err) => {
-            if (err.reason) log.error(`client TLS error: ${err}`)
+            err.source = 'tls'
+            socket.emit('error', err)
         })
 
         cleartext.once('secureConnect', () => {