11cb0ef41Sopenharmony_ci// Copyright Joyent, Inc. and other Node contributors.
21cb0ef41Sopenharmony_ci//
31cb0ef41Sopenharmony_ci// Permission is hereby granted, free of charge, to any person obtaining a
41cb0ef41Sopenharmony_ci// copy of this software and associated documentation files (the
51cb0ef41Sopenharmony_ci// "Software"), to deal in the Software without restriction, including
61cb0ef41Sopenharmony_ci// without limitation the rights to use, copy, modify, merge, publish,
71cb0ef41Sopenharmony_ci// distribute, sublicense, and/or sell copies of the Software, and to permit
81cb0ef41Sopenharmony_ci// persons to whom the Software is furnished to do so, subject to the
91cb0ef41Sopenharmony_ci// following conditions:
101cb0ef41Sopenharmony_ci//
111cb0ef41Sopenharmony_ci// The above copyright notice and this permission notice shall be included
121cb0ef41Sopenharmony_ci// in all copies or substantial portions of the Software.
131cb0ef41Sopenharmony_ci//
141cb0ef41Sopenharmony_ci// THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
151cb0ef41Sopenharmony_ci// OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
161cb0ef41Sopenharmony_ci// MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN
171cb0ef41Sopenharmony_ci// NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM,
181cb0ef41Sopenharmony_ci// DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR
191cb0ef41Sopenharmony_ci// OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE
201cb0ef41Sopenharmony_ci// USE OR OTHER DEALINGS IN THE SOFTWARE.
211cb0ef41Sopenharmony_ci
221cb0ef41Sopenharmony_ci'use strict';
231cb0ef41Sopenharmony_ciconst common = require('../common');
241cb0ef41Sopenharmony_ciif (!common.hasCrypto)
251cb0ef41Sopenharmony_ci  common.skip('missing crypto');
261cb0ef41Sopenharmony_ci
271cb0ef41Sopenharmony_ciif (!common.opensslCli)
281cb0ef41Sopenharmony_ci  common.skip('node compiled without OpenSSL CLI.');
291cb0ef41Sopenharmony_ci
301cb0ef41Sopenharmony_ciconst assert = require('assert');
311cb0ef41Sopenharmony_ciconst tls = require('tls');
321cb0ef41Sopenharmony_ciconst https = require('https');
331cb0ef41Sopenharmony_ciconst fixtures = require('../common/fixtures');
341cb0ef41Sopenharmony_ci
351cb0ef41Sopenharmony_ci// Renegotiation as a protocol feature was dropped after TLS1.2.
361cb0ef41Sopenharmony_citls.DEFAULT_MAX_VERSION = 'TLSv1.2';
371cb0ef41Sopenharmony_ci
381cb0ef41Sopenharmony_ci// Renegotiation limits to test
391cb0ef41Sopenharmony_ciconst LIMITS = [0, 1, 2, 3, 5, 10, 16];
401cb0ef41Sopenharmony_ci
411cb0ef41Sopenharmony_ci{
421cb0ef41Sopenharmony_ci  let n = 0;
431cb0ef41Sopenharmony_ci  function next() {
441cb0ef41Sopenharmony_ci    if (n >= LIMITS.length) return;
451cb0ef41Sopenharmony_ci    tls.CLIENT_RENEG_LIMIT = LIMITS[n++];
461cb0ef41Sopenharmony_ci    test(next);
471cb0ef41Sopenharmony_ci  }
481cb0ef41Sopenharmony_ci  next();
491cb0ef41Sopenharmony_ci}
501cb0ef41Sopenharmony_ci
511cb0ef41Sopenharmony_cifunction test(next) {
521cb0ef41Sopenharmony_ci  const options = {
531cb0ef41Sopenharmony_ci    cert: fixtures.readKey('rsa_cert.crt'),
541cb0ef41Sopenharmony_ci    key: fixtures.readKey('rsa_private.pem'),
551cb0ef41Sopenharmony_ci  };
561cb0ef41Sopenharmony_ci
571cb0ef41Sopenharmony_ci  const server = https.createServer(options, (req, res) => {
581cb0ef41Sopenharmony_ci    const conn = req.connection;
591cb0ef41Sopenharmony_ci    conn.on('error', (err) => {
601cb0ef41Sopenharmony_ci      console.error(`Caught exception: ${err}`);
611cb0ef41Sopenharmony_ci      assert.match(err.message, /TLS session renegotiation attack/);
621cb0ef41Sopenharmony_ci      conn.destroy();
631cb0ef41Sopenharmony_ci    });
641cb0ef41Sopenharmony_ci    res.end('ok');
651cb0ef41Sopenharmony_ci  });
661cb0ef41Sopenharmony_ci
671cb0ef41Sopenharmony_ci  server.listen(0, () => {
681cb0ef41Sopenharmony_ci    const agent = https.Agent({
691cb0ef41Sopenharmony_ci      keepAlive: true,
701cb0ef41Sopenharmony_ci    });
711cb0ef41Sopenharmony_ci
721cb0ef41Sopenharmony_ci    let client;
731cb0ef41Sopenharmony_ci    let renegs = 0;
741cb0ef41Sopenharmony_ci
751cb0ef41Sopenharmony_ci    const options = {
761cb0ef41Sopenharmony_ci      rejectUnauthorized: false,
771cb0ef41Sopenharmony_ci      agent,
781cb0ef41Sopenharmony_ci    };
791cb0ef41Sopenharmony_ci
801cb0ef41Sopenharmony_ci    const { port } = server.address();
811cb0ef41Sopenharmony_ci
821cb0ef41Sopenharmony_ci    https.get(`https://localhost:${port}/`, options, (res) => {
831cb0ef41Sopenharmony_ci      client = res.socket;
841cb0ef41Sopenharmony_ci
851cb0ef41Sopenharmony_ci      client.on('close', (hadErr) => {
861cb0ef41Sopenharmony_ci        assert.strictEqual(hadErr, false);
871cb0ef41Sopenharmony_ci        assert.strictEqual(renegs, tls.CLIENT_RENEG_LIMIT + 1);
881cb0ef41Sopenharmony_ci        server.close();
891cb0ef41Sopenharmony_ci        process.nextTick(next);
901cb0ef41Sopenharmony_ci      });
911cb0ef41Sopenharmony_ci
921cb0ef41Sopenharmony_ci      client.on('error', (err) => {
931cb0ef41Sopenharmony_ci        console.log('CLIENT ERR', err);
941cb0ef41Sopenharmony_ci        throw err;
951cb0ef41Sopenharmony_ci      });
961cb0ef41Sopenharmony_ci
971cb0ef41Sopenharmony_ci      spam();
981cb0ef41Sopenharmony_ci
991cb0ef41Sopenharmony_ci      // Simulate renegotiation attack
1001cb0ef41Sopenharmony_ci      function spam() {
1011cb0ef41Sopenharmony_ci        client.renegotiate({}, (err) => {
1021cb0ef41Sopenharmony_ci          assert.ifError(err);
1031cb0ef41Sopenharmony_ci          assert.ok(renegs <= tls.CLIENT_RENEG_LIMIT);
1041cb0ef41Sopenharmony_ci          setImmediate(spam);
1051cb0ef41Sopenharmony_ci        });
1061cb0ef41Sopenharmony_ci        renegs++;
1071cb0ef41Sopenharmony_ci      }
1081cb0ef41Sopenharmony_ci    });
1091cb0ef41Sopenharmony_ci
1101cb0ef41Sopenharmony_ci  });
1111cb0ef41Sopenharmony_ci}
112