test: remove s_client from test-tls-ci-reneg-attack

Trott · addaleax · commit 271126ad3b6d · 2019-01-28T18:39:45.000+01:00
Rewrite test-tls-ci-reneg-attack to use tls.renegotiate() instead of external (and potentially unpredictable/quirky/buggy) s_client. Refs: #25676 (comment) PR-URL: #25700 Reviewed-By: Sam Roberts <vieuxtech@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
diff --git a/test/pummel/test-tls-ci-reneg-attack.js b/test/pummel/test-tls-ci-reneg-attack.js
@@ -28,7 +28,6 @@ if (!common.opensslCli)
 common.skip('node compiled without OpenSSL CLI.');
 
 const assert = require('assert');
-const spawn = require('child_process').spawn;
 const tls = require('tls');
 const fixtures = require('../common/fixtures');
 
@@ -51,63 +50,49 @@ function test(next){
 key: fixtures.readSync('test_key.pem')
 };
 
- let seenError = false;
-
 const server = tls.createServer(options, function(conn){
 conn.on('error', function(err){
 console.error(`Caught exception: ${err}`);
 assert(/TLS session renegotiation attack/.test(err));
 conn.destroy();
- seenError = true;
 });
 conn.pipe(conn);
 });
 
- server.listen(common.PORT, function(){
- const args = (`s_client -connect 127.0.0.1:${common.PORT}`).split(' ');
- const child = spawn(common.opensslCli, args);
-
- child.stdout.resume();
- child.stderr.resume();
+ server.listen(0, function(){
+ const options ={
+ host: server.address().host,
+ port: server.address().port,
+ rejectUnauthorized: false
+ };
+ const client = tls.connect(options, spam);
 
- // Count handshakes, start the attack after the initial handshake is done
- let handshakes = 0;
 let renegs = 0;
 
- child.stderr.on('data', function(data){
- if (seenError) return;
- handshakes += ((String(data)).match(/verify return:1/g) || []).length;
- if (handshakes === 2) spam();
- renegs += ((String(data)).match(/RENEGOTIATING/g) || []).length;
- });
-
- child.on('exit', function(){
+ client.on('close', function(){
 assert.strictEqual(renegs, tls.CLIENT_RENEG_LIMIT + 1);
 server.close();
 process.nextTick(next);
 });
 
- let closed = false;
- child.stdin.on('error', function(err){
- switch (err.code){
- case 'ECONNRESET':
- case 'EPIPE':
- break;
- default:
- assert.strictEqual(err.code, 'ECONNRESET');
- break;
- }
- closed = true;
+ client.on('error', function(err){
+ console.log('CLIENT ERR', err);
+ throw err;
 });
- child.stdin.on('close', function(){
- closed = true;
+
+ client.on('close', function(hadErr){
+ assert.strictEqual(hadErr, false);
 });
 
 // simulate renegotiation attack
 function spam(){
- if (closed) return;
- child.stdin.write('R\n');
- setTimeout(spam, 50);
+ client.write('');
+ client.renegotiate({}, (err) =>{
+ assert.ifError(err);
+ assert.ok(renegs <= tls.CLIENT_RENEG_LIMIT);
+ spam();
+ });
+ renegs++;
 }
 });
 }

-Original file line number
+Diff line change
 common.skip('node compiled without OpenSSL CLI.');
 constassert=require('assert');
 -constspawn=require('child_process').spawn;
 consttls=require('tls');
 constfixtures=require('../common/fixtures');
 key: fixtures.readSync('test_key.pem')
 };
 -letseenError=false;
+-
 constserver=tls.createServer(options,function(conn){
 conn.on('error',function(err){
 console.error(`Caught exception: ${err}`);
 assert(/TLSsessionrenegotiationattack/.test(err));
 conn.destroy();
 -seenError=true;
 });
 conn.pipe(conn);
 });
 -server.listen(common.PORT,function(){
 -constargs=(`s_client -connect 127.0.0.1:${common.PORT}`).split(' ');
 -constchild=spawn(common.opensslCli,args);
+-
 -child.stdout.resume();
 -child.stderr.resume();
 +server.listen(0,function(){
 +constoptions={
 +host: server.address().host,
 +port: server.address().port,
 +rejectUnauthorized: false
 +};
 +constclient=tls.connect(options,spam);
 -// Count handshakes, start the attack after the initial handshake is done
 -lethandshakes=0;
 letrenegs=0;
 -child.stderr.on('data',function(data){
 -if(seenError)return;
 -handshakes+=((String(data)).match(/verifyreturn:1/g)||[]).length;
 -if(handshakes===2)spam();
 -renegs+=((String(data)).match(/RENEGOTIATING/g)||[]).length;
 -});
+-
 -child.on('exit',function(){
 +client.on('close',function(){
 assert.strictEqual(renegs,tls.CLIENT_RENEG_LIMIT+1);
 server.close();
 process.nextTick(next);
 });
 -letclosed=false;
 -child.stdin.on('error',function(err){
 -switch(err.code){
 -case'ECONNRESET':
 -case'EPIPE':
 -break;
 -default:
 -assert.strictEqual(err.code,'ECONNRESET');
 -break;
 -}
 -closed=true;
 +client.on('error',function(err){
 +console.log('CLIENT ERR',err);
 +throwerr;
 });
 -child.stdin.on('close',function(){
 -closed=true;
++
 +client.on('close',function(hadErr){
 +assert.strictEqual(hadErr,false);
 });
 // simulate renegotiation attack
 functionspam(){
 -if(closed)return;
 -child.stdin.write('R\n');
 -setTimeout(spam,50);
 +client.write('');
 +client.renegotiate({},(err)=>{
 +assert.ifError(err);
 +assert.ok(renegs<=tls.CLIENT_RENEG_LIMIT);
 +spam();
 +});
 +renegs++;
+}
 });
+}