// Source of per-server ids: every createServer() call takes the next value.
let serverCount = 0;

/**
 * Build one TLS server that starts out with the shared session-ticket keys
 * and rotates them as connections arrive.
 *
 * Per-connection behaviour, driven by a private connection counter:
 *   1st connection - assert the server still holds the shared `keys`, remember
 *                    them, then switch to 48 fresh random bytes.
 *   2nd connection - switch back to the remembered keys.
 *   3rd connection - leave the keys from the 2nd connection in place.
 *   any further    - throws, the test never expects a 4th connection.
 *
 * Relies on `tls`, `fixtures`, `common`, `keys`, `serverLog` and `s`, all
 * defined outside this function.
 *
 * @returns {tls.Server} the configured (not yet listening) server.
 */
function createServer() {
  const id = serverCount++;

  let counter = 0;
  let previousKey = null;

  const options = {
    key: fixtures.readKey('agent1-key.pem'),
    cert: fixtures.readKey('agent1-cert.pem'),
    ticketKeys: keys
  };

  function onSecureConnection(c) {
    // Record which server handled this connection.
    serverLog.push(id);
    // TODO(@sam-github) Triggers close_notify before NewSessionTicket bug.
    // c.end();
    c.end('x');

    counter += 1;

    // Ticket key rotation.
    //
    // TLS1.2 and TLS1.3 differ in when the ticket is encrypted with the
    // ticket keys: before the handshake-complete callback in TLS1.2, after
    // it in TLS1.3. The server has no callback telling it the ticket was
    // sent, so the client's reception of the session is used as proof that
    // the current keys have been used and it's safe to replace them.
    //
    // When the session was reused, rotation can happen immediately: the
    // ticket must already have been decrypted, otherwise there would be no
    // reused session.
    function rotateWhenSafe(nextKeys) {
      if (c.isSessionReused()) {
        server.setTicketKeys(nextKeys);
        return;
      }
      // `s` is defined outside this function; it is the client side whose
      // 'session' event signals that the ticket has been received.
      s.once('session', () => {
        server.setTicketKeys(nextKeys);
      });
    }

    switch (counter) {
      case 1:
        // The server must still be using the keys it was constructed with.
        previousKey = server.getTicketKeys();
        assert.strictEqual(previousKey.compare(keys), 0);
        rotateWhenSafe(crypto.randomBytes(48));
        break;
      case 2:
        rotateWhenSafe(previousKey);
        break;
      case 3:
        // Use keys from counter=2
        break;
      default:
        throw new Error('UNREACHABLE');
    }
  }

  const server = tls.createServer(
    options,
    common.mustCallAtLeast(onSecureConnection)
  );

  return server;
}
// Three independent servers, created in order, each configured by
// createServer() with the same initial ticket keys.
const naturalServers = Array.from({ length: 3 }, () => createServer());