test: add session reuse host verification regressions

mcollina · aduh95 · commit e3723ff2d642 · 2026-06-17T20:02:06.000+02:00
Backport-PR-URL: nodejs-private/node-private#895 PR-URL: nodejs-private/node-private#854 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> Refs: https://hackerone.com/reports/3649802
diff --git a/test/parallel/test-http2-session-reuse-different-authority.js b/test/parallel/test-http2-session-reuse-different-authority.js
@@ -0,0 +1,146 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const fixtures = require('../common/fixtures');
+const h2 = require('http2');
+const tls = require('tls');
+const { once } = require('events');
+
+function load(name) {
+  return fixtures.readKey(name);
+}
+
+const contexts = {
+  agent1: tls.createSecureContext({
+    key: load('agent1-key.pem'),
+    cert: load('agent1-cert.pem'),
+  }),
+  agent3: tls.createSecureContext({
+    key: load('agent3-key.pem'),
+    cert: load('agent3-cert.pem'),
+  }),
+};
+
+function makeRequest(server, authority, options) {
+  return new Promise((resolve, reject) => {
+    let session;
+    let settled = false;
+
+    function done(err, result) {
+      if (settled)
+        return;
+      settled = true;
+
+      if (err) {
+        client.destroy();
+        reject(err);
+        return;
+      }
+
+      client.close();
+      resolve({ session, result });
+    }
+
+    const client = h2.connect(authority, {
+      ...options,
+      ALPNProtocols: ['h2'],
+      createConnection(url, connectOptions) {
+        const socket = tls.connect({
+          ...connectOptions,
+          ALPNProtocols: ['h2'],
+          host: '127.0.0.1',
+          port: server.address().port,
+          servername: connectOptions.servername || url.hostname,
+        });
+
+        socket.once('session', (value) => {
+          if (session === undefined)
+            session = value;
+        });
+
+        return socket;
+      },
+    });
+
+    client.once('error', (err) => done(err));
+    client.once('connect', () => {
+      const req = client.request({ ':path': '/' });
+      req.setEncoding('utf8');
+      req.on('response', () => {});
+      req.on('error', (err) => done(err));
+      req.on('data', () => {});
+      req.on('end', () => {
+        done(null, {
+          authority: client.socket.servername,
+          authorized: client.socket.authorized,
+          reused: client.socket.isSessionReused(),
+          authorizationError: client.socket.authorizationError,
+        });
+      });
+      req.end();
+    });
+  });
+}
+
+const server = h2.createSecureServer({
+  key: load('agent1-key.pem'),
+  cert: load('agent1-cert.pem'),
+  allowHTTP1: false,
+  minVersion: 'TLSv1.2',
+  maxVersion: 'TLSv1.2',
+  SNICallback(servername, cb) {
+    cb(null, contexts[servername] || contexts.agent1);
+  },
+});
+
+server.on('stream', (stream) => {
+  stream.respond({ ':status': 200 });
+  stream.end('ok');
+});
+
+(async function() {
+  server.listen(0);
+  await once(server, 'listening');
+
+  try {
+    const port = server.address().port;
+    const first = await makeRequest(server, `https://agent1:${port}`, {
+      ca: [load('ca1-cert.pem')],
+      minVersion: 'TLSv1.2',
+      maxVersion: 'TLSv1.2',
+    });
+
+    assert.strictEqual(first.result.authorized, true);
+    assert.strictEqual(first.result.reused, false);
+    assert(first.session);
+
+    await assert.rejects(
+      makeRequest(server, `https://agent3:${port}`, {
+        ca: [load('ca1-cert.pem')],
+        minVersion: 'TLSv1.2',
+        maxVersion: 'TLSv1.2',
+        session: first.session,
+      }),
+      {
+        code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+      },
+    );
+
+    await assert.rejects(
+      makeRequest(server, `https://agent3:${port}`, {
+        ca: [load('ca1-cert.pem')],
+        minVersion: 'TLSv1.2',
+        maxVersion: 'TLSv1.2',
+      }),
+      {
+        code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+      },
+    );
+  } finally {
+    server.close();
+    await once(server, 'close');
+  }
+})().then(common.mustCall());
diff --git a/test/parallel/test-https-session-reuse-different-servername.js b/test/parallel/test-https-session-reuse-different-servername.js
@@ -0,0 +1,126 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const fixtures = require('../common/fixtures');
+const https = require('https');
+const tls = require('tls');
+const { once } = require('events');
+
+function load(name) {
+  return fixtures.readKey(name);
+}
+
+const contexts = {
+  agent1: tls.createSecureContext({
+    key: load('agent1-key.pem'),
+    cert: load('agent1-cert.pem'),
+  }),
+  agent3: tls.createSecureContext({
+    key: load('agent3-key.pem'),
+    cert: load('agent3-cert.pem'),
+  }),
+};
+
+function request(options) {
+  return new Promise((resolve, reject) => {
+    const req = https.get({
+      ...options,
+      host: '127.0.0.1',
+      agent: false,
+    }, (res) => {
+      res.resume();
+      res.once('end', () => resolve(res));
+    });
+
+    req.once('error', reject);
+  });
+}
+
+async function requestAndCaptureSession(options) {
+  let sessionResolve;
+  const sessionPromise = new Promise((resolve) => {
+    sessionResolve = resolve;
+  });
+
+  const req = https.get({
+    ...options,
+    host: '127.0.0.1',
+    agent: false,
+  });
+
+  req.on('socket', (socket) => {
+    socket.once('session', sessionResolve);
+  });
+
+  const res = await new Promise((resolve, reject) => {
+    req.once('response', resolve);
+    req.once('error', reject);
+  });
+
+  assert.strictEqual(res.socket.authorized, true);
+  assert.strictEqual(res.socket.isSessionReused(), false);
+
+  res.resume();
+  await once(res, 'end');
+
+  const session = await sessionPromise;
+  assert(session);
+  return session;
+}
+
+const server = https.createServer({
+  key: load('agent1-key.pem'),
+  cert: load('agent1-cert.pem'),
+  minVersion: 'TLSv1.2',
+  maxVersion: 'TLSv1.2',
+  SNICallback(servername, cb) {
+    cb(null, contexts[servername] || contexts.agent1);
+  },
+}, (req, res) => {
+  res.end('ok');
+});
+
+(async function() {
+  server.listen(0);
+  await once(server, 'listening');
+
+  try {
+    const session = await requestAndCaptureSession({
+      port: server.address().port,
+      servername: 'agent1',
+      rejectUnauthorized: true,
+      ca: [load('ca1-cert.pem')],
+    });
+
+    await assert.rejects(
+      request({
+        port: server.address().port,
+        servername: 'agent3',
+        session,
+        rejectUnauthorized: true,
+        ca: [load('ca1-cert.pem')],
+      }),
+      {
+        code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+      },
+    );
+
+    await assert.rejects(
+      request({
+        port: server.address().port,
+        servername: 'agent3',
+        rejectUnauthorized: true,
+        ca: [load('ca1-cert.pem')],
+      }),
+      {
+        code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+      },
+    );
+  } finally {
+    server.close();
+    await once(server, 'close');
+  }
+})().then(common.mustCall());
diff --git a/test/parallel/test-tls-session-reuse-different-servername.js b/test/parallel/test-tls-session-reuse-different-servername.js
@@ -0,0 +1,122 @@
+'use strict';
+const common = require('../common');
+if (!common.hasCrypto)
+  common.skip('missing crypto');
+
+const assert = require('assert');
+const fixtures = require('../common/fixtures');
+const tls = require('tls');
+const { once } = require('events');
+
+function load(name) {
+  return fixtures.readKey(name);
+}
+
+const contexts = {
+  agent1: tls.createSecureContext({
+    key: load('agent1-key.pem'),
+    cert: load('agent1-cert.pem'),
+  }),
+  agent3: tls.createSecureContext({
+    key: load('agent3-key.pem'),
+    cert: load('agent3-cert.pem'),
+  }),
+};
+
+function connect(options) {
+  return new Promise((resolve, reject) => {
+    const socket = tls.connect(options);
+    socket.once('secureConnect', () => resolve(socket));
+    socket.once('error', reject);
+    socket.resume();
+  });
+}
+
+async function connectAndCaptureSession(options) {
+  const socket = tls.connect(options);
+  const sessionPromise = once(socket, 'session').then(([session]) => session);
+
+  socket.resume();
+  await once(socket, 'secureConnect');
+
+  assert.strictEqual(socket.authorized, true);
+  assert.strictEqual(socket.isSessionReused(), false);
+
+  const session = await sessionPromise;
+  assert(session);
+
+  await once(socket, 'close');
+  return session;
+}
+
+async function testVersion(minVersion, maxVersion) {
+  const server = tls.createServer({
+    key: load('agent1-key.pem'),
+    cert: load('agent1-cert.pem'),
+    minVersion,
+    maxVersion,
+    SNICallback(servername, cb) {
+      cb(null, contexts[servername] || contexts.agent1);
+    },
+  }, (socket) => {
+    socket.end('ok');
+  });
+
+  server.listen(0);
+  await once(server, 'listening');
+
+  try {
+    const port = server.address().port;
+    const session = await connectAndCaptureSession({
+      port,
+      host: '127.0.0.1',
+      servername: 'agent1',
+      minVersion,
+      maxVersion,
+      ca: [load('ca1-cert.pem')],
+    });
+
+    await assert.rejects(
+      connect({
+        port,
+        host: '127.0.0.1',
+        servername: 'agent3',
+        session,
+        minVersion,
+        maxVersion,
+        ca: [load('ca1-cert.pem')],
+      }).then((socket) => {
+        socket.destroy();
+        return socket;
+      }),
+      {
+        code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+      },
+    );
+
+    await assert.rejects(
+      connect({
+        port,
+        host: '127.0.0.1',
+        servername: 'agent3',
+        minVersion,
+        maxVersion,
+        ca: [load('ca1-cert.pem')],
+      }).then((socket) => {
+        socket.destroy();
+        return socket;
+      }),
+      {
+        code: 'UNABLE_TO_VERIFY_LEAF_SIGNATURE',
+      },
+    );
+  } finally {
+    server.close();
+    await once(server, 'close');
+  }
+}
+
+(async function() {
+  await testVersion('TLSv1.2', 'TLSv1.2');
+  await testVersion('TLSv1.3', 'TLSv1.3');
+})().then(common.mustCall());
