From 6372fca9467c39522f40c748ee136fe5d7fb3697 Mon Sep 17 00:00:00 2001
From: Adrien Nader
Date: Tue, 17 Dec 2024 17:18:14 +0100
Subject: [PATCH 1/2] test: skip sha128/256 createHash()/hash() on openssl 3.4.

OpenSSL 3.4 has intentionally broken EVP_DigestFinal for SHAKE128 and SHAKE256 when OSSL_DIGEST_PARAM_XOFLEN is not set because a) the default length used weakened them from their maximum strength and b) a static length does not fully make sense for XOFs (which SHAKE* are). Unfortunately, while crypto.createHash accepts an option argument that can be something like `{ outputLength: 128 }`, crypto.hash doesn't offer a similar API. Therefore there is little choice but to skip the test completely for shake128 and shake256 on openssl >= 3.4.

Fixes: https://github.com/nodejs/node/issues/56159
Refs: https://github.com/openssl/openssl/commit/b911fef216d1386210ec24e201d54d709528abb4
Refs: https://github.com/openssl/openssl/commit/ad3f28c5fbd5dcbc763a650313fd666b0e339cca
---
 test/parallel/test-crypto-oneshot-hash.js | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

diff --git a/test/parallel/test-crypto-oneshot-hash.js b/test/parallel/test-crypto-oneshot-hash.js
index 56b4c04a65a1c1..ba8db856352e6a 100644
--- a/test/parallel/test-crypto-oneshot-hash.js
+++ b/test/parallel/test-crypto-oneshot-hash.js
@@ -32,12 +32,14 @@ const input = fs.readFileSync(fixtures.path('utf8_test_text.txt'));
 for (const method of methods) {
 for (const outputEncoding of ['buffer', 'hex', 'base64', undefined]) {
- const oldDigest = crypto.createHash(method).update(input).digest(outputEncoding || 'hex');
- const digestFromBuffer = crypto.hash(method, input, outputEncoding);
- assert.deepStrictEqual(digestFromBuffer, oldDigest,
- `different result from ${method} with encoding ${outputEncoding}`);
- const digestFromString = crypto.hash(method, input.toString(), outputEncoding);
- assert.deepStrictEqual(digestFromString, oldDigest,
- `different result from ${method} with encoding ${outputEncoding}`);
+ if (method !== 'shake128' && method !== 'shake256' || !common.hasOpenSSL(3, 4)) {
+ const oldDigest = crypto.createHash(method).update(input).digest(outputEncoding || 'hex');
+ const digestFromBuffer = crypto.hash(method, input, outputEncoding);
+ assert.deepStrictEqual(digestFromBuffer, oldDigest,
+ `different result from ${method} with encoding ${outputEncoding}`);
+ const digestFromString = crypto.hash(method, input.toString(), outputEncoding);
+ assert.deepStrictEqual(digestFromString, oldDigest,
+ `different result from ${method} with encoding ${outputEncoding}`);
+ }
 }
 }

From cc182417a12cfa72747f2f78b3a378dd60191691 Mon Sep 17 00:00:00 2001
From: Adrien Nader
Date: Tue, 17 Dec 2024 17:29:38 +0100
Subject: [PATCH 2/2] test: openssl 3.4 returns decrypt_error upon PSK binder validation failure

According to RFC 8446 (TLS 1.3), a PSK binder validation failure should result in decrypt_error rather than illegal_parameter which openssl had been using. Update the tests to match openssl's fix.

Refs: https://github.com/openssl/openssl/commit/02b8b7b83698d1c7ddfef274f16c039c8cca7988
Refs: https://www.rfc-editor.org/rfc/rfc8446
---
 test/parallel/test-tls-psk-circuit.js | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
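Review bot: The new guard at the top of the inner loop relies on `&&` binding tighter than `||` (it parses as "not a SHAKE method, or OpenSSL older than 3.4", which is the intended meaning) and it re-indents the whole body to add one condition; an inverted `continue` guard with explicit parentheses states the rule directly and leaves the existing lines untouched: `// OpenSSL >= 3.4 rejects EVP_DigestFinal for the SHAKE XOFs unless an output length is set, and crypto.hash() has no way to pass one.` followed by `if ((method === 'shake128' || method === 'shake256') && common.hasOpenSSL(3, 4)) continue;`. Whichever form is kept, a comment at the guard is worth adding, because without it the skip reads like a bug in the test rather than a deliberate loss of coverage for the XOF digests on newer OpenSSL, and nothing in the run output records that those two methods were not exercised. The subject line says "sha128/256" where the code and the body say shake128/shake256.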
diff --git a/test/parallel/test-tls-psk-circuit.js b/test/parallel/test-tls-psk-circuit.js
index e93db3eb1b4923..690628758f7358 100644
--- a/test/parallel/test-tls-psk-circuit.js
+++ b/test/parallel/test-tls-psk-circuit.js
@@ -66,7 +66,11 @@ const expectedHandshakeErr = common.hasOpenSSL(3, 2) ?
 'ERR_SSL_SSL/TLS_ALERT_HANDSHAKE_FAILURE' : 'ERR_SSL_SSLV3_ALERT_HANDSHAKE_FAILURE';
 test({ psk: USERS.UserB, identity: 'UserC' }, {}, expectedHandshakeErr);
 // Recognized user but incorrect secret should fail handshake
-const expectedIllegalParameterErr = common.hasOpenSSL(3, 2) ?
- 'ERR_SSL_SSL/TLS_ALERT_ILLEGAL_PARAMETER' : 'ERR_SSL_SSLV3_ALERT_ILLEGAL_PARAMETER';
+const expectedIllegalParameterErr =
+ common.hasOpenSSL(3, 4)
+ ? 'ERR_SSL_TLSV1_ALERT_DECRYPT_ERROR'
+ : (common.hasOpenSSL(3, 2)
+ ? 'ERR_SSL_SSL/TLS_ALERT_ILLEGAL_PARAMETER'
+ : 'ERR_SSL_SSLV3_ALERT_ILLEGAL_PARAMETER');
 test({ psk: USERS.UserA, identity: 'UserB' }, {}, expectedIllegalParameterErr);
 test({ psk: USERS.UserB, identity: 'UserB' });
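Review bot: `expectedIllegalParameterErr` now holds `'ERR_SSL_TLSV1_ALERT_DECRYPT_ERROR'` on OpenSSL 3.4 and later, so the name no longer describes the value it carries; unless it is referenced outside this hunk, renaming it on the declaration and on the `test(...)` call below (for example `expectedWrongSecretErr`) keeps the name accurate across versions. The nested ternary also carries none of the reasoning that the commit message gives, so a comment above the declaration such as `// RFC 8446 §6.2: a PSK binder that fails to validate is a decrypt_error; OpenSSL before 3.4 sent illegal_parameter instead.` would let a reader see that the version split tracks an upstream alert change rather than a Node behaviour change. Pinning the exact alert for the wrong-secret case is the right call, since a fallback to a generic handshake-failure match would hide a regression in binder validation.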