From 50ba64ab87e1715cc0bf6d6c8bdfa330de4f6699 Mon Sep 17 00:00:00 2001
From: emboss <emboss@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>
Date: Sat, 26 May 2012 00:56:33 +0000
Subject: * ext/openssl/ossl_ssl.c: Allow disabling client-side renegotiation.
 * test/openssl/test_ssl.rb: Simple tests for this.

  Client-side renegotiation is still considered problematic, even
  when used in the context of secure renegotiation (RI, RFC 5746).
  The changes allow users to either completely disable client
  renegotiation on the server, or to specify a maximum number of
  handshakes allowed in total. The number of total handshakes is
  counted in a callback set as SSL_set_info_callback. If the
  maximum number of handshakes is exceeded an error will be raised
  We do not support renegotiation in the OpenSSL extension, therefore
  this feature can only be tested externally.
  The feature is opt-in, the default setting will be to allow
  unlimited client renegotiation, as was the case before.


git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35797 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
---
 test/openssl/test_ssl.rb | 44 ++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 42 insertions(+), 2 deletions(-)

(limited to 'test/openssl')

diff --git a/test/openssl/test_ssl.rb b/test/openssl/test_ssl.rb
index de4bd34c5f..97b2c22472 100644
--- a/test/openssl/test_ssl.rb
+++ b/test/openssl/test_ssl.rb
@@ -505,14 +505,54 @@ if OpenSSL::SSL::SSLContext::METHODS.include? :TLSv1_2
 
 end
 
+  def test_disable_client_renegotiation
+    ctx_proc = Proc.new { |ctx| ctx.disable_client_renegotiation }
+    start_server_version(:SSLv23, ctx_proc) { |server, port|
+      server_connect(port) { |ssl|
+        assert(ssl.ssl_version)
+      }
+    }
+  end
+
+  def test_allow_client_renegotiation_args
+    ctx = OpenSSL::SSL::SSLContext.new
+    assert_raise(ArgumentError) { ctx.allow_client_renegotiation(0) }
+    assert_raise(ArgumentError) { ctx.allow_client_renegotiation(-1) }
+  end
+
+  def test_allow_client_renegotiation_once
+    ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation(2) }
+    start_server_version(:SSLv23, ctx_proc) { |server, port|
+      server_connect(port) { |ssl|
+        assert(ssl.ssl_version)
+      }
+    }
+  end
+
+  def test_allow_arbitrary_client_renegotiation
+    ctx_proc = Proc.new { |ctx| ctx.allow_client_renegotiation }
+    start_server_version(:SSLv23, ctx_proc) { |server, port|
+      server_connect(port) { |ssl|
+        assert(ssl.ssl_version)
+      }
+    }
+  end
+
   private
 
-  def start_server_version(version, ctx_proc=nil, &blk)
+  def start_server_version(version, ctx_proc=nil, server_proc=nil, &blk)
     ctx_wrap = Proc.new { |ctx|
       ctx.ssl_version = version
       ctx_proc.call(ctx) if ctx_proc
     }
-    start_server(PORT, OpenSSL::SSL::VERIFY_NONE, true, :ctx_proc => ctx_wrap, &blk)
+    start_server(
+      PORT, 
+      OpenSSL::SSL::VERIFY_NONE, 
+      true, 
+      :ctx_proc => ctx_wrap, 
+      :server_proc => server_proc, 
+      &blk
+    )
   end
 
   def server_connect(port, ctx=nil)
-- 
cgit v1.2.3