From db344ed61fa2deeda99600e9a259498b361305db Mon Sep 17 00:00:00 2001
From: Ingela Anderton Andin <ingela@erlang.org>
Date: Thu, 17 Nov 2011 17:45:06 +0100
Subject: Mitigate Computational DoS attack

---
 lib/ssl/test/ssl_basic_SUITE.erl | 49 +++++++++++++++++++++++++++++++++++++++-
 1 file changed, 48 insertions(+), 1 deletion(-)

(limited to 'lib/ssl/test')

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index d9cb8002ed..fc8aafa426 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -36,6 +36,7 @@
 -define(LONG_TIMEOUT, 600000).
 -define(EXPIRE, 10).
 -define(SLEEP, 500).
+-define(RENEGOTIATION_DISABLE_TIME, 12000).
 
 %% Test server callback functions
 %%--------------------------------------------------------------------
@@ -256,7 +257,7 @@ all() ->
      %%different_ca_peer_sign,
      no_reuses_session_server_restart_new_cert,
      no_reuses_session_server_restart_new_cert_file, reuseaddr,
-     hibernate, connect_twice
+     hibernate, connect_twice, renegotiate_dos_mitigate
     ].
 
 groups() -> 
@@ -3647,7 +3648,40 @@ connect_twice(Config) when is_list(Config) ->
     ssl_test_lib:close(Client),
     ssl_test_lib:close(Client1).
 
+%%--------------------------------------------------------------------
+renegotiate_dos_mitigate(doc) -> 
+    ["Mitigate DOS computational attack by not allowing client to renegotiate many times in a row",
+    "immediately after each other"];
+
+renegotiate_dos_mitigate(suite) -> 
+    [];
+
+renegotiate_dos_mitigate(Config) when is_list(Config) -> 
+    ServerOpts = ?config(server_opts, Config),  
+    ClientOpts = ?config(client_opts, Config),  
+
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+    
+    Server = 
+	ssl_test_lib:start_server([{node, ServerNode}, {port, 0}, 
+				   {from, self()},
+				   {mfa, {?MODULE, send_recv_result_active, []}},
+				   {options, [ServerOpts]}]),
+    Port = ssl_test_lib:inet_port(Server),
+ 
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()}, 
+					{mfa, {?MODULE, 
+					       renegotiate_immediately, []}},
+					{options, ClientOpts}]),
+    
+    ssl_test_lib:check_result(Client, ok, Server, ok), 
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close(Client).
 
+  
+    
 %%--------------------------------------------------------------------
 %%% Internal functions
 %%--------------------------------------------------------------------
@@ -3690,6 +3724,19 @@ renegotiate_reuse_session(Socket, Data) ->
     test_server:sleep(?SLEEP),
     renegotiate(Socket, Data).
 
+renegotiate_immediately(Socket) ->
+    receive 
+	{ssl, Socket, "Hello world"} ->
+	    ok
+    end,
+    ok = ssl:renegotiate(Socket),  
+    {error, renegotiation_rejected} = ssl:renegotiate(Socket),
+    test_server:sleep(?RENEGOTIATION_DISABLE_TIME +1),
+    ok = ssl:renegotiate(Socket),
+    test_server:format("Renegotiated again"),
+    ssl:send(Socket, "Hello world"),
+    ok.
+    
 new_config(PrivDir, ServerOpts0) ->
     CaCertFile = proplists:get_value(cacertfile, ServerOpts0),
     CertFile = proplists:get_value(certfile, ServerOpts0),
-- 
cgit v1.2.3