author | Ben Noordhuis <info@bnoordhuis.nl> | 2012-06-18 04:05:21 +0200 |
---|---|---|
committer | Ben Noordhuis <info@bnoordhuis.nl> | 2012-06-18 04:31:40 +0200 |
commit | ff552ddbaa3cde93301f5227c95971ddd02682ef (patch) | |
tree | 1a08a3527449d34faaccf804f222ecc7e9025cd7 /test/pummel | |
parent | ae5b0e1fc190118957e2eaa4f4c71424adbf9c6e (diff) | |
tls: fix off-by-one error in renegotiation check
Make CLIENT_RENEG_LIMIT inclusive instead of exclusive, i.e. a limit of 2
means the peer can renegotiate twice, not just once.
Update pummel/test-tls-ci-reneg-attack accordingly and make it less timing
sensitive (and run faster) while we're at it.
Diffstat (limited to 'test/pummel')
-rw-r--r-- | test/pummel/test-tls-ci-reneg-attack.js | 14 |
1 files changed, 9 insertions, 5 deletions
diff --git a/test/pummel/test-tls-ci-reneg-attack.js b/test/pummel/test-tls-ci-reneg-attack.js
index e9748c116f..778e288ca7 100644
--- a/test/pummel/test-tls-ci-reneg-attack.js
+++ b/test/pummel/test-tls-ci-reneg-attack.js
@@ -49,11 +49,14 @@ function test(next) {
     key: fs.readFileSync(common.fixturesDir + '/test_key.pem')
   };
 
+  var seenError = false;
+
   var server = tls.createServer(options, function(conn) {
     conn.on('error', function(err) {
       console.error('Caught exception: ' + err);
       assert(/TLS session renegotiation attack/.test(err));
       conn.destroy();
+      seenError = true;
     });
     conn.pipe(conn);
   });
@@ -67,16 +70,17 @@ function test(next) {
 
   // count handshakes, start the attack after the initial handshake is done
   var handshakes = 0;
+  var renegs = 0;
+
   child.stderr.on('data', function(data) {
+    if (seenError) return;
     handshakes += (('' + data).match(/verify return:1/g) || []).length;
     if (handshakes === 2) spam();
+    renegs += (('' + data).match(/RENEGOTIATING/g) || []).length;
   });
 
   child.on('exit', function() {
-    // with a renegotiation limit <= 1, we always see 4 handshake markers:
-    // two for the initial handshake and another two for the attempted
-    // renegotiation
-    assert.equal(handshakes, 2 * Math.max(2, tls.CLIENT_RENEG_LIMIT));
+    assert.equal(renegs, tls.CLIENT_RENEG_LIMIT + 1);
     server.close();
     process.nextTick(next);
   });
@@ -94,7 +98,7 @@ function test(next) {
   function spam() {
     if (closed) return;
     child.stdin.write('R\n');
-    setTimeout(spam, 250);
+    setTimeout(spam, 50);
   }
 });
}
|
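Review bot: The renegotiation count in the child.stderr 'data' handler of the second hunk is taken per chunk, so a `RENEGOTIATING` marker that straddles two chunks is missed, and the new `if (seenError) return;` guard discards any chunk that arrives after the server's error handler has already run — the marker for the rejected attempt can plausibly land in exactly that chunk, which would make `assert.equal(renegs, tls.CLIENT_RENEG_LIMIT + 1)` fail intermittently. Accumulating stderr into one string and counting once in the 'exit' handler avoids both, and the rewrite below also puts a comment back in place of the three removed ones so the `+ 1` is explained. The `verify return:1` count has the same chunk-boundary exposure, though there it only delays or skips the start of spam() rather than failing the assertion. The enclosing function test(next) starts before the first hunk, and `closed` is set outside the shown hunks.
```javascript
  // count handshakes, start the attack after the initial handshake is done
  var handshakes = 0;
  var stderr = '';

  child.stderr.on('data', function(data) {
    stderr += data;  // accumulate so a marker split across chunks still counts
    if (seenError) return;
    handshakes += (('' + data).match(/verify return:1/g) || []).length;
    if (handshakes === 2) spam();
  });

  child.on('exit', function() {
    // the peer may renegotiate CLIENT_RENEG_LIMIT times; the next attempt is
    // the one the server rejects as an attack, hence the + 1
    var renegs = (stderr.match(/RENEGOTIATING/g) || []).length;
    assert.equal(renegs, tls.CLIENT_RENEG_LIMIT + 1);
    // … unchanged: server.close(), process.nextTick(next) …
  });
```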