From 4f528c2a8ac9c63db3fa78c02b5fbbb7bcb6504f Mon Sep 17 00:00:00 2001
From: =?utf8?q?Felix=20D=C3=B6rre?=
Date: Sun, 22 Jun 2014 20:55:48 +0200
Subject: [PATCH] Add a testCase against client-initiated renegotiation.

---
 .classpath                                |   2 +
 tests/org/cacert/gigi/InitTruststore.java |  13 +++
 tests/org/cacert/gigi/TestSSL.java        | 103 ++++++++++++++++++++++
 3 files changed, 118 insertions(+)
 create mode 100644 tests/org/cacert/gigi/InitTruststore.java
 create mode 100644 tests/org/cacert/gigi/TestSSL.java

diff --git a/.classpath b/.classpath
index cbb4307e..53dea8df 100644
--- a/.classpath
+++ b/.classpath
@@ -4,6 +4,8 @@
+
+
diff --git a/tests/org/cacert/gigi/InitTruststore.java b/tests/org/cacert/gigi/InitTruststore.java
new file mode 100644
index 00000000..65c48fee
--- /dev/null
+++ b/tests/org/cacert/gigi/InitTruststore.java
@@ -0,0 +1,13 @@
+package org.cacert.gigi;
+
+public class InitTruststore {
+    private InitTruststore() {
+    }
+    static {
+        System.setProperty("javax.net.ssl.trustStorePassword", "changeit");
+        System.setProperty("javax.net.ssl.trustStore", "config/cacerts.jks");
+    }
+    public static void run() {
+
+    }
+}
diff --git a/tests/org/cacert/gigi/TestSSL.java b/tests/org/cacert/gigi/TestSSL.java
new file mode 100644
index 00000000..2ae757f9
--- /dev/null
+++ b/tests/org/cacert/gigi/TestSSL.java
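Review bot: `run()` is an empty method and nothing in the hunk records that its only purpose is to force the static initializer that installs the trust store, so a later cleanup could delete it as dead code; a comment on the method would prevent that, e.g. `/** No-op; calling it forces class initialization, which sets javax.net.ssl.trustStore to config/cacerts.jks for the whole JVM. */`. The store path is relative, so the test JVM has to be started from the directory that contains `config/`, which the same comment should state. Because `System.setProperty` here affects every `SSLContext.getDefault()` in the process, tests that need a different or no trust store cannot share the JVM with this one; that is presumably acceptable for this suite but is worth noting where the property is set. The hard-coded `changeit` is the stock JDK trust-store password and the store holds only public certificates, so it is not a secret, but a one-line remark saying so would spare the next reader a false alarm.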
@@ -0,0 +1,103 @@
+package org.cacert.gigi;
+
+import java.io.EOFException;
+import java.io.IOException;
+import java.net.InetSocketAddress;
+import java.nio.ByteBuffer;
+import java.nio.channels.SocketChannel;
+import java.security.NoSuchAlgorithmException;
+import javax.net.ssl.SSLContext;
+import javax.net.ssl.SSLEngine;
+import javax.net.ssl.SSLEngineResult;
+import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLEngineResult.HandshakeStatus;
+
+import org.junit.Test;
+
+public class TestSSL {
+    private ByteBuffer in;
+    private ByteBuffer inC;
+    private ByteBuffer outC;
+    private ByteBuffer out;
+    static {
+        InitTruststore.run();
+    }
+    @Test
+    public void testClientIntitiatedRenegotiation()
+            throws NoSuchAlgorithmException, IOException {
+        SSLContext sc = SSLContext.getDefault();
+        SSLEngine se = sc.createSSLEngine();
+        SocketChannel s = SocketChannel.open(new InetSocketAddress("localhost",
+                443));
+
+        in = ByteBuffer.allocate(se.getSession().getApplicationBufferSize());
+        inC = ByteBuffer.allocate(se.getSession().getPacketBufferSize());
+        inC.limit(0);
+        out = ByteBuffer.allocate(se.getSession().getApplicationBufferSize());
+        outC = ByteBuffer.allocate(se.getSession().getPacketBufferSize());
+        outC.limit(0);
+        se.setUseClientMode(true);
+        se.beginHandshake();
+
+        work(se, s);
+        se.beginHandshake();
+        try {
+            work(se, s);
+            throw new Error(
+                    "Client re-negotiation failed (possible DoS vurnability");
+        } catch (EOFException e) {
+            // Cool, server closed connection
+        }
+
+    }
+    private void work(SSLEngine se, SocketChannel s) throws SSLException,
+            IOException {
+        while (se.getHandshakeStatus() != HandshakeStatus.NOT_HANDSHAKING
+                && se.getHandshakeStatus() != HandshakeStatus.FINISHED) {
+            switch (se.getHandshakeStatus()) {
+                case NEED_WRAP :
+                    wrap(se, s);
+                    break;
+                case NEED_UNWRAP :
+                    unwrap(se, s);
+                    break;
+                case NEED_TASK :
+                    se.getDelegatedTask().run();
+                    break;
+                default :
+                    System.out.println(se.getHandshakeStatus());
+            }
+        }
+    }
+    private SSLEngineResult unwrap(SSLEngine se, SocketChannel s)
+            throws IOException, SSLException {
+        if (inC.remaining() == 0) {
+            inC.clear();
+            s.read(inC);
+            inC.flip();
+        }
+        SSLEngineResult result = se.unwrap(inC, in);
+        if (result.getStatus() == javax.net.ssl.SSLEngineResult.Status.BUFFER_UNDERFLOW) {
+            int pos = inC.position();
+            int limit = inC.limit();
+            inC.limit(inC.capacity());
+            inC.position(limit);
+            int read = s.read(inC);
+            if (read <= 0) {
+                throw new EOFException();
+            }
+            inC.limit(inC.position());
+            inC.position(pos);
+        }
+        return result;
+    }
+    private SSLEngineResult wrap(SSLEngine se, SocketChannel s)
+            throws SSLException, IOException {
+        outC.clear();
+        SSLEngineResult result = se.wrap(out, outC);
+        outC.flip();
+        s.write(outC);
+
+        return result;
+    }
+}
-- 
2.39.2
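Review bot: The second `work(se, s)` call can hang forever instead of failing, because the channel returned by `SocketChannel.open(...)` is in blocking mode and the `s.read(inC)` calls in `unwrap` carry no timeout, so a server that simply ignores the renegotiation ClientHello leaves the test waiting indefinitely; a JUnit 4 bound such as `@Test(timeout = 10000)` turns that into a failure. The test also accepts only a closed connection as a pass: if the server rejects the renegotiation with a fatal alert instead, `se.unwrap` presumably throws `SSLException` and the test errors out, so catching `SSLException` alongside `EOFException` (multi-catch if the project builds on Java 7 or later) would accept both refusal behaviours, if that is the intent. The `SocketChannel` is never closed, so each run leaks the connection; a `finally { s.close(); }` around the two handshakes fixes that. Finally, the message in `throw new Error(...)` has a typo: `"Client re-negotiation failed (possible DoS vulnerability)"`.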