From 52b56939499f778ed717d488c2b11bee69654217 Mon Sep 17 00:00:00 2001
From: Chemi Atlow
Date: Wed, 4 Oct 2023 10:17:35 +0300
Subject: [PATCH] tls: ciphers allow bang syntax

Fixes: https://github.com/nodejs/node/issues/49699
PR-URL: https://github.com/nodejs/node/pull/49712
Reviewed-By: Ben Noordhuis
Reviewed-By: Moshe Atlow
---
 lib/internal/tls/secure-context.js | 12 ++++++++----
 test/parallel/test-tls-set-ciphers.js | 5 +++--
 2 files changed, 11 insertions(+), 6 deletions(-)

diff --git a/lib/internal/tls/secure-context.js b/lib/internal/tls/secure-context.js
index 36d33e6ac8e2e3..0fa3098ffa1020 100644
--- a/lib/internal/tls/secure-context.js
+++ b/lib/internal/tls/secure-context.js
@@ -101,8 +101,10 @@ function processCiphers(ciphers, name) {
 ArrayPrototypeFilter(
 ciphers,
 (cipher) => {
- return cipher.length > 0 &&
- !StringPrototypeStartsWith(cipher, 'TLS_');
+ if (cipher.length === 0) return false;
+ if (StringPrototypeStartsWith(cipher, 'TLS_')) return false;
+ if (StringPrototypeStartsWith(cipher, '!TLS_')) return false;
+ return true;
 }),
 ':');
 const cipherSuites =
@@ -110,8 +112,10 @@ function processCiphers(ciphers, name) {
 ArrayPrototypeFilter(
 ciphers,
 (cipher) => {
- return cipher.length > 0 &&
- StringPrototypeStartsWith(cipher, 'TLS_');
+ if (cipher.length === 0) return false;
+ if (StringPrototypeStartsWith(cipher, 'TLS_')) return true;
+ if (StringPrototypeStartsWith(cipher, '!TLS_')) return true;
+ return false;
 }),
 ':');
 // Specifying empty cipher suites for both TLS1.2 and TLS1.3 is invalid, its
diff --git a/test/parallel/test-tls-set-ciphers.js b/test/parallel/test-tls-set-ciphers.js
index b66c419cf5f4d1..313c5e238956b0 100644
--- a/test/parallel/test-tls-set-ciphers.js
+++ b/test/parallel/test-tls-set-ciphers.js
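Review bot: The new `'!TLS_'` branch routes a negated TLS 1.3 suite name into the cipher-suites string, but nothing in the hunk states what the underlying setter is expected to do with a `!` entry; as far as I can tell OpenSSL's TLS 1.3 ciphersuites string is a plain list of suite names, so the entry may be dropped rather than applied as an exclusion, and an operator who writes `!TLS_CHACHA20_POLY1305_SHA256` to disable a suite could still have it enabled. The added test case only lists one suite and negates a different one, so it cannot distinguish "exclusion applied" from "entry ignored"; a case whose expected result differs between those two outcomes would pin the intended semantics. At minimum the branch deserves a why-comment, e.g. `// '!TLS_...' is a TLS 1.3 suite spelled with a negation; keep it out of the TLS 1.2 cipher list and hand it to the ciphersuites setter.` The enclosing `processCiphers` starts and ends outside the hunk.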
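Review bot: The filter in this hunk is the exact complement of the one in the previous hunk at line 101, so the two prefix checks are now maintained in two places and any further prefix would have to be added twice, with the two lists silently disagreeing if one copy is missed. A single predicate next to `processCiphers` (which starts outside the hunk) would express the split once: `const isTls13Entry = (c) => StringPrototypeStartsWith(c, 'TLS_') || StringPrototypeStartsWith(c, '!TLS_');`, with the two callbacks becoming `(cipher) => cipher.length > 0 && !isTls13Entry(cipher)` and `(cipher) => cipher.length > 0 && isTls13Entry(cipher)`.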
@@ -1,7 +1,7 @@
 'use strict';
 const common = require('../common');
-if (!common.hasCrypto)
- common.skip('missing crypto');
+if (!common.hasOpenSSL3)
+ common.skip('missing crypto, or OpenSSL version lower than 3');
 
 const fixtures = require('../common/fixtures');
 const { inspect } = require('util');
@@ -85,6 +85,7 @@
 test('AES256-SHA', U, 'AES256-SHA');
 test(U, 'TLS_AES_256_GCM_SHA384', 'TLS_AES_256_GCM_SHA384');
 test('TLS_AES_256_GCM_SHA384', U, 'TLS_AES_256_GCM_SHA384');
+test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');
 
 // Do not have shared ciphers.
 test('TLS_AES_256_GCM_SHA384', 'TLS_CHACHA20_POLY1305_SHA256',
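Review bot: Replacing the file-level `common.hasCrypto` skip with `common.hasOpenSSL3` drops every pre-existing TLS 1.2 and TLS 1.3 cipher assertion in this file on builds linked against an older OpenSSL, although only the new bang-syntax case appears to depend on OpenSSL 3. Keeping `if (!common.hasCrypto) common.skip('missing crypto');` here and guarding just the new call with `if (common.hasOpenSSL3) test('TLS_AES_256_GCM_SHA384:!TLS_CHACHA20_POLY1305_SHA256', U, 'TLS_AES_256_GCM_SHA384');` would preserve the existing coverage.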