Haraka 3.1.5 → 3.1.7

package/test/smtp_client.js

@@ -436,18 +436,18 @@ describe('SMTPClient closed() handler', () => {
     })
 })
 
-// ─── load_tls_config ──────────────────────────────────────────────────────────
+// ─── load_tls_options ──────────────────────────────────────────────────────────
 
-describe('SMTPClient#load_tls_config', () => {
+describe('SMTPClient#load_tls_options', () => {
     it('sets tls_options with servername equal to host', () => {
         const client = makeClient()
-        client.load_tls_config()
+        client.load_tls_options()
         assert.equal(client.tls_options.servername, 'mx.example.com')
     })
 
     it('merges additional opts into tls_options', () => {
         const client = makeClient()
-        client.load_tls_config({ key: Buffer.from('secret'), rejectUnauthorized: false })
+        client.load_tls_options({ key: Buffer.from('secret'), rejectUnauthorized: false })
         assert.equal(client.tls_options.servername, 'mx.example.com')
         assert.equal(client.tls_options.rejectUnauthorized, false)
         assert.ok(Buffer.isBuffer(client.tls_options.key))
@@ -728,10 +728,8 @@ describe('smtp_client.onCapabilitiesOutbound', () => {
 
     it('skips STARTTLS when host is in no_tls_hosts ban list', () => {
         client.response = ['STARTTLS']
-        // Note: the code checks tls_options.no_tls_hosts but reads tls_config.no_tls_hosts
-        // (a known quirk) — set both to exercise the branch
+        // no_tls_hosts is read from tls_options consistently
         client.tls_options = { no_tls_hosts: ['10.0.0.0/8'] }
-        client.tls_config = { no_tls_hosts: ['10.0.0.0/8'] }
         client.remote_ip = '10.0.0.1'
         const conn = makeConnection()
         smtp_client_module.onCapabilitiesOutbound(client, false, conn, { enable_tls: true, host: '10.0.0.1' }, () => {})
@@ -766,6 +764,25 @@ describe('smtp_client.get_client_plugin', () => {
         assert.ok(client instanceof SMTPClient)
     })
 
+    it('emits error (does not throw) when AUTH type is unsupported', async () => {
+        const c = {
+            host: 'relay.example.com',
+            port: 25,
+            auth_type: 'login',
+            auth_user: 'a',
+            auth_pass: 'b',
+        }
+        const client = await getClientPlugin(c)
+        client.auth_capabilities = [] // server advertised no AUTH
+        let errMsg
+        client.on('error', (m) => {
+            errMsg = m
+        })
+        // pre-fix this threw out of the event loop and crashed the worker
+        assert.doesNotThrow(() => client.emit('helo'))
+        assert.match(String(errMsg), /not supported by server/)
+    })
+
     it('merges auth_type / auth_user / auth_pass into c.auth', async () => {
         const c = { host: 'relay.example.com', port: 25, auth_type: 'plain', auth_user: 'alice', auth_pass: 's3cr3t' }
         await getClientPlugin(c)
@@ -791,6 +808,16 @@ describe('smtp_client.get_client_plugin', () => {
         assert.ok(written.some((l) => /EHLO relay\.example\.com/.test(l)))
     })
 
+    it('redacts AUTH credentials from protocol logs (S4)', async () => {
+        const client = await getClientPlugin()
+        const logged = []
+        conn.logprotocol = (p, msg) => logged.push(msg)
+        client.emit('client_protocol', 'AUTH PLAIN AGFsaWNlAHMzY3JldA==')
+        assert.equal(logged.length, 1)
+        assert.equal(logged[0], 'C: AUTH PLAIN [redacted]')
+        assert.ok(!logged[0].includes('AGFsaWNlAHMzY3JldA=='))
+    })
+
     it('greeting handler sends EHLO with hello.host when xclient is set', async () => {
         const client = await getClientPlugin()
         client.xclient = true
@@ -850,19 +877,25 @@ describe('smtp_client.get_client_plugin', () => {
         assert.ok(written.some((l) => /AUTH PLAIN/.test(l)))
     })
 
-    // Table-drive the helo-throws cases
+    // these used to throw out of the event loop (crashing the worker); they must
+    // now route through the smtp_client 'error' flow.
     for (const [desc, opts, capabilities, pattern] of [
         ['unsupported auth type', { type: 'plain', user: 'u', pass: 'p' }, ['cram-md5'], /not supported by server/],
         ['plain auth with no user/pass', { type: 'plain', user: '', pass: '' }, ['plain'], /Must include auth\.user/],
-        ['cram-md5 (not implemented)', { type: 'cram-md5', user: 'u', pass: 'p' }, ['cram-md5'], /Not implemented/],
+        ['cram-md5 (not implemented)', { type: 'cram-md5', user: 'u', pass: 'p' }, ['cram-md5'], /not implemented/i],
         ['unknown auth type', { type: 'gssapi', user: 'u', pass: 'p' }, ['gssapi'], /Unknown AUTH type/],
     ]) {
-        it(`helo handler throws for ${desc}`, async () => {
+        it(`helo handler emits error (no throw) for ${desc}`, async () => {
             const c = { host: 'relay.example.com', port: 25, auth: opts }
             const client = await getClientPlugin(c)
             client.authenticated = false
             client.auth_capabilities = capabilities
-            assert.throws(() => client.emit('helo'), pattern)
+            let errMsg
+            client.on('error', (m) => {
+                errMsg = m
+            })
+            assert.doesNotThrow(() => client.emit('helo'))
+            assert.match(String(errMsg), pattern)
         })
     }
 
@@ -1241,7 +1274,7 @@ describe('smtp_client', () => {
         }
 
         const client = new SMTPClient({ host: 'mx.example.com', port: 25, socket })
-        client.load_tls_config({ key: Buffer.from('OutboundTlsKeyLoaded') })
+        client.load_tls_options({ key: Buffer.from('OutboundTlsKeyLoaded') })
 
         client.command = 'starttls'
         cmds.line('250 Hello client.example.com\r\n')

package/test/tls_socket.js

@@ -6,6 +6,7 @@ const path = require('node:path')
 const net = require('node:net')
 const tls = require('node:tls')
 const fs = require('node:fs')
+const { EventEmitter } = require('node:events')
 
 // Mock dependencies before requiring the target
 const mock = require('node:test').mock
@@ -95,10 +96,229 @@ test('tls_socket', async (t) => {
                 await new Promise((resolve) => server.close(resolve))
             }
         })
+
+        await t.test('second error handler does not crash when first handler removes all listeners', () => {
+            // Regression test for issue #3553
+            const originalNetConnect = net.connect
+            const originalTlsConnect = tls.connect
+            const originalTlsValid = tls_socket.tls_valid
+
+            const fakeCrypto = new EventEmitter()
+            fakeCrypto.writable = true
+            fakeCrypto.removeAllListeners = EventEmitter.prototype.removeAllListeners
+            fakeCrypto.setTimeout = () => {}
+            fakeCrypto.setKeepAlive = () => {}
+
+            let capturedCleartext
+            net.connect = () => fakeCrypto
+            tls.connect = () => {
+                capturedCleartext = new EventEmitter()
+                capturedCleartext.writable = true
+                capturedCleartext.setTimeout = () => {}
+                capturedCleartext.setKeepAlive = () => {}
+                return capturedCleartext
+            }
+            tls_socket.tls_valid = false
+
+            try {
+                const socket = tls_socket.connect({ host: 'bad-tls.example.com', port: 25 })
+
+                // Simulate what release_client does: strip all listeners on first error
+                socket.once('error', () => socket.removeAllListeners())
+
+                socket.upgrade({}, () => {})
+
+                // capturedCleartext now has two 'error' handlers (on from upgrade, once from attach).
+                // Emitting error must NOT throw even though the first handler removes all
+                // listeners from the outer socket before the second fires.
+                const tlsError = new Error('dh key too small')
+                assert.doesNotThrow(() => capturedCleartext.emit('error', tlsError))
+            } finally {
+                net.connect = originalNetConnect
+                tls.connect = originalTlsConnect
+                tls_socket.tls_valid = originalTlsValid
+            }
+        })
     })
 
     await t.test('getSocketOpts', async (t) => {
         // Exercise the typo path (would requires failing config.getDir)
         assert.strictEqual(typeof tls_socket.getSocketOpts, 'function')
     })
+
+    await t.test('getSocketOpts handles missing tls dir', async () => {
+        const originalGetCertsDir = tls_socket.get_certs_dir
+        tls_socket.get_certs_dir = async () => {
+            const err = new Error('missing')
+            err.code = 'ENOENT'
+            throw err
+        }
+        try {
+            const opts = await tls_socket.getSocketOpts('*')
+            assert.ok(opts)
+        } finally {
+            tls_socket.get_certs_dir = originalGetCertsDir
+        }
+    })
+
+    await t.test('connect upgrade applies mutual auth cert and timeout/keepalive', async () => {
+        const originalNetConnect = net.connect
+        const originalTlsConnect = tls.connect
+        const originalTlsValid = tls_socket.tls_valid
+        const originalCfg = tls_socket.cfg
+        const originalCertMap = {
+            default: tls_socket.certsByHost['*'],
+            host: tls_socket.certsByHost['client-cert.example'],
+        }
+
+        const fakeSocket = new EventEmitter()
+        fakeSocket.remotePort = 2525
+        fakeSocket.remoteAddress = '127.0.0.1'
+        fakeSocket.localPort = 25
+        fakeSocket.localAddress = '127.0.0.1'
+        fakeSocket.writable = true
+        fakeSocket.removeAllListeners = EventEmitter.prototype.removeAllListeners
+        fakeSocket.setTimeout = () => {}
+        fakeSocket.setKeepAlive = () => {}
+
+        let capturedOptions
+        let timeoutSeen = null
+        let keepaliveSeen = null
+
+        net.connect = () => fakeSocket
+        tls.connect = (options) => {
+            capturedOptions = options
+            const clear = new EventEmitter()
+            clear.writable = true
+            clear.getCipher = () => ({ name: 'TLS_AES_256_GCM_SHA384' })
+            clear.getProtocol = () => 'TLSv1.3'
+            clear.getPeerCertificate = () => ({})
+            clear.setTimeout = (ms) => {
+                timeoutSeen = ms
+            }
+            clear.setKeepAlive = (value) => {
+                keepaliveSeen = value
+            }
+            process.nextTick(() => clear.emit('secureConnect'))
+            return clear
+        }
+
+        tls_socket.tls_valid = true
+        tls_socket.cfg = {
+            mutual_auth_hosts: { 'mx.example.com': 'client-cert.example' },
+            mutual_auth_hosts_exclude: {},
+            main: { mutual_tls: false },
+        }
+        tls_socket.certsByHost['*'] = { key: 'default-key', cert: 'default-cert' }
+        tls_socket.certsByHost['client-cert.example'] = { key: 'host-key', cert: 'host-cert' }
+
+        try {
+            const socket = tls_socket.connect({ host: 'mx.example.com', port: 25 })
+            socket.setTimeout(3210)
+            socket.setKeepAlive(true)
+
+            await new Promise((resolve) => {
+                socket.upgrade({ rejectUnauthorized: false }, () => resolve())
+            })
+
+            assert.equal(capturedOptions.key, 'host-key')
+            assert.equal(capturedOptions.cert, 'host-cert')
+            assert.equal(capturedOptions.socket, fakeSocket)
+            assert.equal(timeoutSeen, 3210)
+            assert.equal(keepaliveSeen, true)
+        } finally {
+            net.connect = originalNetConnect
+            tls.connect = originalTlsConnect
+            tls_socket.tls_valid = originalTlsValid
+            tls_socket.cfg = originalCfg
+            tls_socket.certsByHost['*'] = originalCertMap.default
+            if (originalCertMap.host === undefined) {
+                delete tls_socket.certsByHost['client-cert.example']
+            } else {
+                tls_socket.certsByHost['client-cert.example'] = originalCertMap.host
+            }
+        }
+    })
+
+    await t.test('load_plugin_tls_options', async (t) => {
+        // Point haraka-config at test/config so tls.ini fixtures load.
+        const origConfig = tls_socket.config
+        const origCfg = tls_socket.cfg
+        const test_config = require('haraka-config').module_config(path.resolve(__dirname))
+
+        t.beforeEach(() => {
+            tls_socket.config = test_config
+            tls_socket.cfg = undefined // bust load_tls_ini cache between cases
+        })
+
+        t.after(() => {
+            tls_socket.config = origConfig
+            tls_socket.cfg = origCfg
+        })
+
+        await t.test('inherits tls.ini [main] when plugin cfg is empty', () => {
+            const opts = tls_socket.load_plugin_tls_options({})
+            // From test/config/tls.ini [main]
+            assert.equal(opts.rejectUnauthorized, false)
+            assert.equal(opts.minVersion, 'TLSv1')
+            assert.equal(opts.honorCipherOrder, true)
+            assert.ok(opts.ciphers && opts.ciphers.length)
+            assert.ok(Buffer.isBuffer(opts.key), 'key resolved to Buffer')
+            assert.ok(Buffer.isBuffer(opts.cert), 'cert resolved to Buffer')
+        })
+
+        await t.test('plugin cfg overrides [main]', () => {
+            const opts = tls_socket.load_plugin_tls_options({
+                rejectUnauthorized: true,
+                minVersion: 'TLSv1.3',
+                ciphers: 'ECDHE-RSA-AES256-GCM-SHA384',
+            })
+            assert.equal(opts.rejectUnauthorized, true)
+            assert.equal(opts.minVersion, 'TLSv1.3')
+            assert.equal(opts.ciphers, 'ECDHE-RSA-AES256-GCM-SHA384')
+        })
+
+        await t.test('resolves key/cert/dhparam file refs to Buffers', () => {
+            const opts = tls_socket.load_plugin_tls_options({
+                key: 'outbound_tls_key.pem',
+                cert: 'outbound_tls_cert.pem',
+                dhparam: 'dhparams.pem',
+            })
+            assert.ok(Buffer.isBuffer(opts.key) && opts.key.length > 0)
+            assert.ok(Buffer.isBuffer(opts.cert) && opts.cert.length > 0)
+            assert.ok(Buffer.isBuffer(opts.dhparam) && opts.dhparam.length > 0)
+        })
+
+        await t.test('drops missing dhparam rather than leaving null', () => {
+            const opts = tls_socket.load_plugin_tls_options({
+                dhparam: 'does_not_exist.pem',
+            })
+            assert.equal(opts.dhparam, undefined)
+        })
+
+        await t.test('normalises no_tls_hosts / force_tls_hosts to arrays', () => {
+            const opts = tls_socket.load_plugin_tls_options({
+                no_tls_hosts: '10.0.0.5',
+                force_tls_hosts: ['a.example.com', 'b.example.com'],
+            })
+            assert.deepEqual(opts.no_tls_hosts, ['10.0.0.5'])
+            assert.deepEqual(opts.force_tls_hosts, ['a.example.com', 'b.example.com'])
+
+            const opts2 = tls_socket.load_plugin_tls_options({})
+            assert.deepEqual(opts2.no_tls_hosts, [])
+            assert.deepEqual(opts2.force_tls_hosts, [])
+        })
+
+        await t.test('does not set servername', () => {
+            const opts = tls_socket.load_plugin_tls_options({})
+            assert.equal(opts.servername, undefined)
+        })
+
+        await t.test('does not mutate the input plugin cfg', () => {
+            const input = { rejectUnauthorized: true, no_tls_hosts: '10.0.0.5' }
+            const before = JSON.stringify(input)
+            tls_socket.load_plugin_tls_options(input)
+            assert.equal(JSON.stringify(input), before)
+        })
+    })
 })

package/tls_socket.js

@@ -76,7 +76,7 @@ class pluggableStream extends stream.Stream {
         this.targetsocket.once('error', (exception) => {
             this.writable = this.targetsocket.writable
             exception.source = 'tls'
-            this.emit('error', exception)
+            if (this.listenerCount('error') > 0) this.emit('error', exception)
         })
         this.targetsocket.on('timeout', () => {
             this.emit('timeout')
@@ -225,7 +225,7 @@ exports.load_tls_ini = (opts) => {
 
     if (ocsp === undefined && cfg.main.requestOCSP) {
         try {
-            ocsp = require('ocsp')
+            ocsp = require('@haraka/ocsp')
             log.debug('ocsp loaded')
             ocspCache = new ocsp.Cache()
         } catch (ignore) {
@@ -251,6 +251,56 @@ exports.load_tls_ini = (opts) => {
     return cfg
 }
 
+// Build a client tls_options, merges a consumers own [tls] section
+// over tls.ini [main].
+exports.load_plugin_tls_options = (plugin_tls_cfg = {}) => {
+    const tls_cfg = exports.load_tls_ini({ role: 'client' })
+    const cfg = JSON.parse(JSON.stringify(plugin_tls_cfg))
+
+    // Inheritance from tls.ini [main] deliberately omits no_tls_hosts: the
+    // [main].no_tls_hosts list is documented as inbound-only; outbound and
+    // queue plugins should opt in explicitly via their own section.
+    const inheritable_opts = [
+        'key',
+        'cert',
+        'ciphers',
+        'minVersion',
+        'dhparam',
+        'requestCert',
+        'honorCipherOrder',
+        'rejectUnauthorized',
+        'force_tls_hosts',
+    ]
+    for (const opt of inheritable_opts) {
+        if (cfg[opt] !== undefined) continue // set in plugin [tls]
+        if (tls_cfg.main[opt] === undefined) continue // unset in tls.ini [main]
+        cfg[opt] = tls_cfg.main[opt]
+    }
+
+    // Resolve key/cert/dhparam file references to buffers. Drop empty results
+    // so we never pass null to tls.connect.
+    for (const k of ['key', 'cert', 'dhparam']) {
+        if (!cfg[k]) {
+            delete cfg[k]
+            continue
+        }
+        const ref = Array.isArray(cfg[k]) ? cfg[k][0] : cfg[k]
+        const bin = exports.config.get(ref, 'binary')
+        if (bin) cfg[k] = bin
+        else delete cfg[k]
+    }
+
+    for (const k of ['no_tls_hosts', 'force_tls_hosts']) {
+        if (!cfg[k]) {
+            cfg[k] = []
+            continue
+        }
+        if (!Array.isArray(cfg[k])) cfg[k] = [cfg[k]]
+    }
+
+    return cfg
+}
+
 exports.applySocketOpts = (name) => {
     // https://nodejs.org/api/tls.html#tls_new_tls_tlssocket_socket_options
     const TLSSocketOptions = [