Fix potential DoS attack
Slava Pestov
parent
fff3f601e3
commit
6df45b864b
|
|
@ -2,85 +2,60 @@ IN: io.sockets.secure.tests
|
||||||
USING: accessors kernel namespaces io io.sockets
|
USING: accessors kernel namespaces io io.sockets
|
||||||
io.sockets.secure io.encodings.ascii io.streams.duplex
|
io.sockets.secure io.encodings.ascii io.streams.duplex
|
||||||
classes words destructors threads tools.test
|
classes words destructors threads tools.test
|
||||||
concurrency.promises byte-arrays ;
|
concurrency.promises byte-arrays locals ;
|
||||||
|
|
||||||
\ <secure-config> must-infer
|
\ <secure-config> must-infer
|
||||||
{ 1 0 } [ [ ] with-secure-context ] must-infer-as
|
{ 1 0 } [ [ ] with-secure-context ] must-infer-as
|
||||||
|
|
||||||
[ ] [ <promise> "port" set ] unit-test
|
[ ] [ <promise> "port" set ] unit-test
|
||||||
|
|
||||||
[ ] [
|
: with-test-context
|
||||||
|
<secure-config>
|
||||||
|
"resource:extra/openssl/test/server.pem" >>key-file
|
||||||
|
"resource:extra/openssl/test/root.pem" >>ca-file
|
||||||
|
"resource:extra/openssl/test/dh1024.pem" >>dh-file
|
||||||
|
"password" >>password
|
||||||
|
swap with-secure-context ;
|
||||||
|
|
||||||
|
:: server-test ( quot -- )
|
||||||
[
|
[
|
||||||
<secure-config>
|
|
||||||
"resource:extra/openssl/test/server.pem" >>key-file
|
|
||||||
"resource:extra/openssl/test/root.pem" >>ca-file
|
|
||||||
"resource:extra/openssl/test/dh1024.pem" >>dh-file
|
|
||||||
"password" >byte-array >>password
|
|
||||||
[
|
[
|
||||||
"127.0.0.1" 0 <inet4> <secure> ascii <server> [
|
"127.0.0.1" 0 <inet4> <secure> ascii <server> [
|
||||||
dup addr>> addrspec>> port>> "port" get fulfill
|
dup addr>> addrspec>> port>> "port" get fulfill
|
||||||
accept [
|
accept [
|
||||||
class word-name write
|
quot call
|
||||||
] curry with-stream
|
] curry with-stream
|
||||||
] with-disposal
|
] with-disposal
|
||||||
] with-secure-context
|
] with-test-context
|
||||||
] "SSL server test" spawn drop
|
] "SSL server test" spawn drop ;
|
||||||
] unit-test
|
|
||||||
|
|
||||||
[ "secure" ] [
|
: client-test
|
||||||
<secure-config> [
|
<secure-config> [
|
||||||
"127.0.0.1" "port" get ?promise <inet4> <secure> ascii <client> drop contents
|
"127.0.0.1" "port" get ?promise <inet4> <secure> ascii <client> drop contents
|
||||||
] with-secure-context
|
] with-secure-context ;
|
||||||
] unit-test
|
|
||||||
|
[ ] [ [ class word-name write ] server-test ] unit-test
|
||||||
|
|
||||||
|
[ "secure" ] [ client-test ] unit-test
|
||||||
|
|
||||||
! Now, see what happens if the server closes the connection prematurely
|
! Now, see what happens if the server closes the connection prematurely
|
||||||
! [ ] [ <promise> "port" set ] unit-test
|
[ ] [ <promise> "port" set ] unit-test
|
||||||
!
|
|
||||||
! [ ] [
|
|
||||||
! [
|
|
||||||
! <secure-config>
|
|
||||||
! "resource:extra/openssl/test/server.pem" >>key-file
|
|
||||||
! "resource:extra/openssl/test/root.pem" >>ca-file
|
|
||||||
! "resource:extra/openssl/test/dh1024.pem" >>dh-file
|
|
||||||
! "password" >byte-array >>password
|
|
||||||
! [
|
|
||||||
! "127.0.0.1" 0 <inet4> <secure> ascii <server> [
|
|
||||||
! dup addr>> addrspec>> port>> "port" get fulfill
|
|
||||||
! accept drop
|
|
||||||
! [
|
|
||||||
! dup in>> stream>> handle>> f >>connected drop
|
|
||||||
! "hello" over stream-write dup stream-flush
|
|
||||||
! ] with-disposal
|
|
||||||
! ] with-disposal
|
|
||||||
! ] with-secure-context
|
|
||||||
! ] "SSL server test" spawn drop
|
|
||||||
! ] unit-test
|
|
||||||
|
|
||||||
! [
|
[ ] [
|
||||||
! <secure-config> [
|
[
|
||||||
! "127.0.0.1" "port" get ?promise <inet4> <secure> ascii <client> drop contents
|
drop
|
||||||
! ] with-secure-context
|
input-stream get stream>> handle>> f >>connected drop
|
||||||
! ] [ \ premature-close = ] must-fail-with
|
"hello" write flush
|
||||||
|
] server-test
|
||||||
|
] unit-test
|
||||||
|
|
||||||
|
[ client-test ] [ premature-close? ] must-fail-with
|
||||||
|
|
||||||
! Now, try validating the certificate. This should fail because its
|
! Now, try validating the certificate. This should fail because its
|
||||||
! actually an invalid certificate
|
! actually an invalid certificate
|
||||||
[ ] [ <promise> "port" set ] unit-test
|
[ ] [ <promise> "port" set ] unit-test
|
||||||
|
|
||||||
[ ] [
|
[ ] [ [ drop ] server-test ] unit-test
|
||||||
[
|
|
||||||
<secure-config>
|
|
||||||
"resource:extra/openssl/test/server.pem" >>key-file
|
|
||||||
"resource:extra/openssl/test/root.pem" >>ca-file
|
|
||||||
"resource:extra/openssl/test/dh1024.pem" >>dh-file
|
|
||||||
"password" >>password
|
|
||||||
[
|
|
||||||
"127.0.0.1" 0 <inet4> <secure> ascii <server> [
|
|
||||||
dup addr>> addrspec>> port>> "port" get fulfill
|
|
||||||
accept drop dispose
|
|
||||||
] with-disposal
|
|
||||||
] with-secure-context
|
|
||||||
] "SSL server test" spawn drop
|
|
||||||
] unit-test
|
|
||||||
|
|
||||||
[
|
[
|
||||||
<secure-config> [
|
<secure-config> [
|
||||||
|
|
|
||||||
|
|
@ -125,12 +125,14 @@ M: secure (accept)
|
||||||
{
|
{
|
||||||
{ 1 [ drop f ] }
|
{ 1 [ drop f ] }
|
||||||
{ 0 [
|
{ 0 [
|
||||||
dup handle>> SSL_want
|
dup handle>> dup f 0 SSL_read 2dup SSL_get_error
|
||||||
{
|
{
|
||||||
{ SSL_NOTHING [ dup handle>> SSL_shutdown check-shutdown-response ] }
|
{ SSL_ERROR_ZERO_RETURN [ 2drop dup handle>> SSL_shutdown check-shutdown-response ] }
|
||||||
{ SSL_READING [ drop +input+ ] }
|
{ SSL_ERROR_WANT_READ [ 3drop +input+ ] }
|
||||||
{ SSL_WRITING [ drop +output+ ] }
|
{ SSL_ERROR_WANT_WRITE [ 3drop +output+ ] }
|
||||||
} case
|
{ SSL_ERROR_SYSCALL [ syscall-error ] }
|
||||||
|
{ SSL_ERROR_SSL [ (ssl-error) ] }
|
||||||
|
} case
|
||||||
] }
|
] }
|
||||||
{ -1 [
|
{ -1 [
|
||||||
handle>> -1 SSL_get_error
|
handle>> -1 SSL_get_error
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue