mirror of https://github.com/lukechilds/node.git
Browse Source
This test should output roughly the same results as the tls ci-reneg attack pummel test. However, it does not.v0.8.9-release
isaacs
12 years ago
1 changed files with 106 additions and 0 deletions
@ -0,0 +1,106 @@ |
|||
// Copyright Joyent, Inc. and other Node contributors.
|
|||
//
|
|||
// Permission is hereby granted, free of charge, to any person obtaining a
|
|||
// copy of this software and associated documentation files (the
|
|||
// "Software"), to deal in the Software without restriction, including
|
|||
// without limitation the rights to use, copy, modify, merge, publish,
|
|||
// distribute, sublicense, and/or sell copies of the Software, and to permit
|
|||
// persons to whom the Software is furnished to do so, subject to the
|
|||
// following conditions:
|
|||
//
|
|||
// The above copyright notice and this permission notice shall be included
|
|||
// in all copies or substantial portions of the Software.
|
|||
//
|
|||
// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
|
|||
// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
|
|||
// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
|
|||
// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
|
|||
// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
|
|||
// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
|
|||
// USE OR OTHER DEALINGS IN THE SOFTWARE.
|
|||
|
|||
var common = require('../common'); |
|||
var assert = require('assert'); |
|||
var spawn = require('child_process').spawn; |
|||
var tls = require('tls'); |
|||
var https = require('https'); |
|||
var fs = require('fs'); |
|||
|
|||
// renegotiation limits to test
|
|||
var LIMITS = [0, 1, 2, 3, 5, 10, 16]; |
|||
|
|||
if (process.platform === 'win32') { |
|||
console.log('Skipping test, you probably don\'t have openssl installed.'); |
|||
process.exit(); |
|||
} |
|||
|
|||
(function() { |
|||
var n = 0; |
|||
function next() { |
|||
if (n >= LIMITS.length) return; |
|||
tls.CLIENT_RENEG_LIMIT = LIMITS[n++]; |
|||
test(next); |
|||
} |
|||
next(); |
|||
})(); |
|||
|
|||
function test(next) { |
|||
var options = { |
|||
cert: fs.readFileSync(common.fixturesDir + '/test_cert.pem'), |
|||
key: fs.readFileSync(common.fixturesDir + '/test_key.pem') |
|||
}; |
|||
|
|||
var seenError = false; |
|||
|
|||
var server = https.createServer(options, function(req, res) { |
|||
var conn = req.connection; |
|||
conn.on('error', function(err) { |
|||
console.error('Caught exception: ' + err); |
|||
assert(/TLS session renegotiation attack/.test(err)); |
|||
conn.destroy(); |
|||
seenError = true; |
|||
}); |
|||
res.end('ok'); |
|||
}); |
|||
|
|||
server.listen(common.PORT, function() { |
|||
var args = ('s_client -connect 127.0.0.1:' + common.PORT).split(' '); |
|||
var child = spawn('openssl', args); |
|||
|
|||
child.stdout.pipe(process.stdout); |
|||
child.stderr.pipe(process.stderr); |
|||
|
|||
// count handshakes, start the attack after the initial handshake is done
|
|||
var handshakes = 0; |
|||
var renegs = 0; |
|||
|
|||
child.stderr.on('data', function(data) { |
|||
if (seenError) return; |
|||
handshakes += (('' + data).match(/verify return:1/g) || []).length; |
|||
if (handshakes === 2) spam(); |
|||
renegs += (('' + data).match(/RENEGOTIATING/g) || []).length; |
|||
}); |
|||
|
|||
child.on('exit', function() { |
|||
assert.equal(renegs, tls.CLIENT_RENEG_LIMIT + 1); |
|||
server.close(); |
|||
process.nextTick(next); |
|||
}); |
|||
|
|||
var closed = false; |
|||
child.stdin.on('error', function(err) { |
|||
assert.equal(err.code, 'EPIPE'); |
|||
closed = true; |
|||
}); |
|||
child.stdin.on('close', function() { |
|||
closed = true; |
|||
}); |
|||
|
|||
// simulate renegotiation attack
|
|||
function spam() { |
|||
if (closed) return; |
|||
child.stdin.write('R\n'); |
|||
setTimeout(spam, 50); |
|||
} |
|||
}); |
|||
} |
Loading…
Reference in new issue