1// Copyright Joyent, Inc. and other Node contributors. 2// 3// Permission is hereby granted, free of charge, to any person obtaining a 4// copy of this software and associated documentation files (the 5// "Software"), to deal in the Software without restriction, including 6// without limitation the rights to use, copy, modify, merge, publish, 7// distribute, sublicense, and/or sell copies of the Software, and to permit 8// persons to whom the Software is furnished to do so, subject to the 9// following conditions: 10// 11// The above copyright notice and this permission notice shall be included 12// in all copies or substantial portions of the Software. 13// 14// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 15// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF 16// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN 17// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, 18// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR 19// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE 20// USE OR OTHER DEALINGS IN THE SOFTWARE. 21 22'use strict'; 23const common = require('../common'); 24if (!common.hasCrypto) 25 common.skip('missing crypto'); 26 27if (!common.opensslCli) 28 common.skip('node compiled without OpenSSL CLI.'); 29 30const assert = require('assert'); 31const tls = require('tls'); 32const fixtures = require('../common/fixtures'); 33 34// Renegotiation as a protocol feature was dropped after TLS1.2. 35tls.DEFAULT_MAX_VERSION = 'TLSv1.2'; 36 37// Renegotiation limits to test 38const LIMITS = [0, 1, 2, 3, 5, 10, 16]; 39 40{ 41 let n = 0; 42 function next() { 43 if (n >= LIMITS.length) return; 44 tls.CLIENT_RENEG_LIMIT = LIMITS[n++]; 45 test(next); 46 } 47 next(); 48} 49 50function test(next) { 51 const options = { 52 cert: fixtures.readKey('rsa_cert.crt'), 53 key: fixtures.readKey('rsa_private.pem'), 54 }; 55 56 const server = tls.createServer(options, (conn) => { 57 conn.on('error', (err) => { 58 console.error(`Caught exception: ${err}`); 59 assert(/TLS session renegotiation attack/.test(err)); 60 conn.destroy(); 61 }); 62 conn.pipe(conn); 63 }); 64 65 server.listen(0, () => { 66 const options = { 67 host: server.address().host, 68 port: server.address().port, 69 rejectUnauthorized: false, 70 }; 71 const client = tls.connect(options, spam); 72 73 let renegs = 0; 74 75 client.on('close', () => { 76 assert.strictEqual(renegs, tls.CLIENT_RENEG_LIMIT + 1); 77 server.close(); 78 process.nextTick(next); 79 }); 80 81 client.on('error', (err) => { 82 console.log('CLIENT ERR', err); 83 throw err; 84 }); 85 86 client.on('close', (hadErr) => { 87 assert.strictEqual(hadErr, false); 88 }); 89 90 // Simulate renegotiation attack 91 function spam() { 92 client.write(''); 93 client.renegotiate({}, (err) => { 94 assert.ifError(err); 95 assert.ok(renegs <= tls.CLIENT_RENEG_LIMIT); 96 spam(); 97 }); 98 renegs++; 99 } 100 }); 101} 102