author | Matt Caswell <matt@openssl.org> | 2018-06-13 15:57:39 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2018-06-26 18:09:46 +0100 |
commit | 6cc0b3c2171e26379e898574cb6d42b8d8dcc113 (patch) | |
tree | abc151eedbe6c46563085d8f690b7b008b3c1c8e /test | |
parent | 6a11d5c5ededa1543c2eeb2f9edcbe39bc58bb70 (diff) |
Respect SSL_OP_NO_TICKET in TLSv1.3
Implement support for stateful TLSv1.3 tickets, and use them if
SSL_OP_NO_TICKET is set.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
Diffstat (limited to 'test')
-rw-r--r-- | test/handshake_helper.c | 26 | ||||
-rw-r--r-- | test/ssl-tests/10-resumption.conf | 32 | ||||
-rw-r--r-- | test/ssl-tests/11-dtls_resumption.conf | 8 | ||||
-rw-r--r-- | test/ssl-tests/protocol_version.pm | 1 | ||||
-rw-r--r-- | test/sslapitest.c | 3 |
5 files changed, 64 insertions, 6 deletions
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 3ebf64dfe3..c40a0e7c92 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -1396,7 +1396,8 @@ static int create_sctp_socks(int *ssock, int *csock)
 static HANDSHAKE_RESULT *do_handshake_internal(
 SSL_CTX *server_ctx, SSL_CTX *server2_ctx, SSL_CTX *client_ctx,
 const SSL_TEST_CTX *test_ctx, const SSL_TEST_EXTRA_CONF *extra,
- SSL_SESSION *session_in, SSL_SESSION **session_out)
+ SSL_SESSION *session_in, SSL_SESSION *serv_sess_in,
+ SSL_SESSION **session_out, SSL_SESSION **serv_sess_out)
 {
 PEER server, client;
 BIO *client_to_server = NULL, *server_to_client = NULL;
@@ -1452,10 +1453,14 @@ static HANDSHAKE_RESULT *do_handshake_internal(
 configure_handshake_ssl(server.ssl, client.ssl, extra);
 if (session_in != NULL) {
+ SSL_SESSION_get_id(serv_sess_in, &sess_id_len);
 /* In case we're testing resumption without tickets. */
- if (!TEST_true(SSL_CTX_add_session(server_ctx, session_in))
+ if ((sess_id_len > 0
+ && !TEST_true(SSL_CTX_add_session(server_ctx,
+ serv_sess_in)))
 || !TEST_true(SSL_set_session(client.ssl, session_in)))
 goto err;
+ sess_id_len = 0;
 }
 ret->result = SSL_TEST_INTERNAL_ERROR;
@@ -1657,6 +1662,16 @@ static HANDSHAKE_RESULT *do_handshake_internal(
 if (session_out != NULL)
 *session_out = SSL_get1_session(client.ssl);
+ if (serv_sess_out != NULL) {
+ SSL_SESSION *tmp = SSL_get_session(server.ssl);
+
+ /*
+ * We create a fresh copy that is not in the server session ctx linked
+ * list.
+ */
+ if (tmp != NULL)
+ *serv_sess_out = SSL_SESSION_dup(tmp);
+ }
 if (SSL_get_server_tmp_key(client.ssl, &tmp_key)) {
 ret->tmp_key_type = pkey_type(tmp_key);
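Review bot: In the `if (session_in != NULL)` block of do_handshake_internal (second hunk), `SSL_SESSION_get_id(serv_sess_in, &sess_id_len)` is called without checking `serv_sess_in`, and that function reads the length through the session pointer, so a NULL here crashes the test instead of failing it. The third hunk is where NULL can come from, as far as these hunks show: `*serv_sess_out` is left untouched when `SSL_get_session(server.ssl)` returns NULL, and the result of `SSL_SESSION_dup(tmp)` is not checked. I would report the failure at the source, `if (tmp != NULL && !TEST_ptr(*serv_sess_out = SSL_SESSION_dup(tmp))) goto err;` (assuming the `err` path is still right at that point), and guard the lookup with `if (!TEST_ptr(serv_sess_in)) goto err;` before the `SSL_SESSION_get_id` call. `sess_id_len` is declared outside the hunk and reset to 0 afterwards, which suggests it is borrowed as scratch; a block-local variable would make that explicit. The function starts and ends outside these hunks.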
@@ -1699,11 +1714,11 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
 const SSL_TEST_CTX *test_ctx)
 {
 HANDSHAKE_RESULT *result;
- SSL_SESSION *session = NULL;
+ SSL_SESSION *session = NULL, *serv_sess = NULL;
 result = do_handshake_internal(server_ctx, server2_ctx, client_ctx,
 test_ctx, &test_ctx->extra,
- NULL, &session);
+ NULL, NULL, &session, &serv_sess);
 if (result == NULL
 || test_ctx->handshake_mode != SSL_TEST_HANDSHAKE_RESUME
 || result->result == SSL_TEST_INTERNAL_ERROR)
@@ -1718,8 +1733,9 @@ HANDSHAKE_RESULT *do_handshake(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
 /* We don't support SNI on second handshake yet, so server2_ctx is NULL. */
 result = do_handshake_internal(resume_server_ctx, NULL, resume_client_ctx,
 test_ctx, &test_ctx->resume_extra,
- session, NULL);
+ session, serv_sess, NULL, NULL);
 end:
 SSL_SESSION_free(session);
+ SSL_SESSION_free(serv_sess);
 return result;
 }
diff --git a/test/ssl-tests/10-resumption.conf b/test/ssl-tests/10-resumption.conf index 73955de754..73de974ab0 100644 --- a/test/ssl-tests/10-resumption.conf +++ b/test/ssl-tests/10-resumption.conf @@ -90,6 +90,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-resumption-client] @@ -126,6 +127,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-resumption-client] @@ -162,6 +164,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-resumption-client]
@@ -198,6 +201,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-resumption-client] @@ -234,6 +238,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [4-resumption-client] @@ -270,6 +275,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [5-resumption-client] @@ -306,6 +312,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [6-resumption-client] @@ -342,6 +349,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [7-resumption-client] @@ -378,6 +386,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [8-resumption-client] @@ -414,6 +423,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [9-resumption-client] 
@@ -450,6 +460,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [10-resumption-client] @@ -486,6 +497,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [11-resumption-client] @@ -522,6 +534,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [12-resumption-client] @@ -558,6 +571,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [13-resumption-client] @@ -594,6 +608,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [14-resumption-client] @@ -630,6 +645,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [15-resumption-client] @@ -666,6 +682,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [16-resumption-client] 
@@ -702,6 +719,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [17-resumption-client] @@ -738,6 +756,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [18-resumption-client] @@ -774,6 +793,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [19-resumption-client] @@ -810,6 +830,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [20-resumption-client] @@ -846,6 +867,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [21-resumption-client] @@ -882,6 +904,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [22-resumption-client] @@ -918,6 +941,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [23-resumption-client] 
@@ -954,6 +978,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [24-resumption-client] @@ -990,6 +1015,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [25-resumption-client] @@ -1026,6 +1052,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [26-resumption-client] @@ -1062,6 +1089,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [27-resumption-client] @@ -1098,6 +1126,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [28-resumption-client] @@ -1134,6 +1163,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.2 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [29-resumption-client] @@ -1170,6 +1200,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [30-resumption-client] 
@@ -1206,6 +1237,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = TLSv1.3 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [31-resumption-client] diff --git a/test/ssl-tests/11-dtls_resumption.conf b/test/ssl-tests/11-dtls_resumption.conf index ceed959744..a981fa51df 100644 --- a/test/ssl-tests/11-dtls_resumption.conf +++ b/test/ssl-tests/11-dtls_resumption.conf @@ -41,6 +41,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [0-resumption-client] @@ -78,6 +79,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [1-resumption-client] @@ -115,6 +117,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1.2 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [2-resumption-client] @@ -152,6 +155,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1.2 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [3-resumption-client] @@ -189,6 +193,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [4-resumption-client] 
@@ -226,6 +231,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [5-resumption-client] @@ -263,6 +269,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1.2 +Options = SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [6-resumption-client] @@ -300,6 +307,7 @@ PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem CipherString = DEFAULT MaxProtocol = DTLSv1.2 +Options = -SessionTicket PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem [7-resumption-client]
diff --git a/test/ssl-tests/protocol_version.pm b/test/ssl-tests/protocol_version.pm
index 215f9e8c4f..943719e84a 100644
--- a/test/ssl-tests/protocol_version.pm
+++ b/test/ssl-tests/protocol_version.pm
@@ -210,6 +210,7 @@ sub generate_resumption_tests {
 },
 "resume_server" => {
 "MaxProtocol" => $protocols[$resume_protocol],
+ "Options" => $ticket,
 },
 "test" => {
 "ExpectedProtocol" => $protocols[$resume_protocol],
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 9b0237e060..61619a327c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1062,7 +1062,8 @@ static int execute_test_session(int maxprot, int use_int_cache,
 sess2 = NULL;
 SSL_CTX_set_max_proto_version(sctx, maxprot);
- SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
+ if (maxprot == TLS1_2_VERSION)
+ SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET);
 new_called = remove_called = get_called = 0;
 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl1, &clientssl1,
 NULL, NULL)) |
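Review bot: In execute_test_session, the new `if (maxprot == TLS1_2_VERSION)` guard around `SSL_CTX_set_options(sctx, SSL_OP_NO_TICKET)` carries no comment explaining why TLSv1.3 now runs with tickets enabled, so this function no longer exercises the option that the commit makes meaningful for TLSv1.3. As far as this diff shows, the stateful TLSv1.3 path is covered only by the ssl-tests resumption configurations. Presumably the callback counters reset on the next line (`new_called`, `remove_called`, `get_called`) would take different values with stateful tickets; a one-line comment above the condition saying so would keep the gap from looking accidental. The equality test also drops the option for any `maxprot` below TLSv1.2 should a caller pass one (callers are outside the hunk); if the intent is everything except TLSv1.3, `if (maxprot != TLS1_3_VERSION)` states it directly. The function continues beyond the hunk.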