mirror of
https://github.com/openssl/openssl.git
synced 2024-12-18 22:43:41 +08:00
9362c93ebc
TLSv1.3 has a NewSessionTicket message, but it is *completely* different to the TLSv1.2 one and may as well have been called something else. This commit removes the old style NewSessionTicket from TLSv1.3. We will have to add the new style one back in later. Reviewed-by: Rich Salz <rsalz@openssl.org>
274 lines
9.0 KiB
Perl
Executable File
274 lines
9.0 KiB
Perl
Executable File
#! /usr/bin/env perl
|
|
# Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved.
|
|
#
|
|
# Licensed under the OpenSSL license (the "License"). You may not use
|
|
# this file except in compliance with the License. You can obtain a copy
|
|
# in the file LICENSE in the source distribution or at
|
|
# https://www.openssl.org/source/license.html
|
|
|
|
use strict;
|
|
use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
|
|
use OpenSSL::Test::Utils;
|
|
use TLSProxy::Proxy;
|
|
use File::Temp qw(tempfile);
|
|
|
|
my $test_name = "test_sslsessiontick";
|
|
setup($test_name);
|
|
|
|
plan skip_all => "TLSProxy isn't usable on $^O"
|
|
if $^O =~ /^(VMS|MSWin32)$/;
|
|
|
|
plan skip_all => "$test_name needs the dynamic engine feature enabled"
|
|
if disabled("engine") || disabled("dynamic-engine");
|
|
|
|
plan skip_all => "$test_name needs the sock feature enabled"
|
|
if disabled("sock");
|
|
|
|
plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled"
|
|
if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
|
|
|
|
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
|
|
|
|
sub checkmessages($$$$$$);
|
|
sub clearclient();
|
|
sub clearall();
|
|
|
|
my $chellotickext = 0;
|
|
my $shellotickext = 0;
|
|
my $fullhand = 0;
|
|
my $ticketseen = 0;
|
|
|
|
my $proxy = TLSProxy::Proxy->new(
|
|
undef,
|
|
cmdstr(app(["openssl"]), display => 1),
|
|
srctop_file("apps", "server.pem"),
|
|
(!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
|
|
);
|
|
|
|
#Test 1: By default with no existing session we should get a session ticket
|
|
#Expected result: ClientHello extension seen; ServerHello extension seen
|
|
# NewSessionTicket message seen; Full handshake
|
|
$proxy->clientflags("-no_tls1_3");
|
|
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
|
|
plan tests => 10;
|
|
checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
|
|
|
|
#Test 2: If the server does not accept tickets we should get a normal handshake
|
|
#with no session tickets
|
|
#Expected result: ClientHello extension seen; ServerHello extension not seen
|
|
# NewSessionTicket message not seen; Full handshake
|
|
clearall();
|
|
$proxy->clientflags("-no_tls1_3");
|
|
$proxy->serverflags("-no_ticket");
|
|
$proxy->start();
|
|
checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
|
|
|
|
#Test 3: If the client does not accept tickets we should get a normal handshake
|
|
#with no session tickets
|
|
#Expected result: ClientHello extension not seen; ServerHello extension not seen
|
|
# NewSessionTicket message not seen; Full handshake
|
|
clearall();
|
|
$proxy->clientflags("-no_tls1_3 -no_ticket");
|
|
$proxy->start();
|
|
checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
|
|
|
|
#Test 4: Test session resumption with session ticket
|
|
#Expected result: ClientHello extension seen; ServerHello extension not seen
|
|
# NewSessionTicket message not seen; Abbreviated handshake
|
|
clearall();
|
|
(undef, my $session) = tempfile();
|
|
$proxy->serverconnects(2);
|
|
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
|
|
$proxy->start();
|
|
$proxy->clearClient();
|
|
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
|
|
$proxy->clientstart();
|
|
checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
|
|
unlink $session;
|
|
|
|
#Test 5: Test session resumption with ticket capable client without a ticket
|
|
#Expected result: ClientHello extension seen; ServerHello extension seen
|
|
# NewSessionTicket message seen; Abbreviated handshake
|
|
clearall();
|
|
(undef, $session) = tempfile();
|
|
$proxy->serverconnects(2);
|
|
$proxy->clientflags("-no_tls1_3 -sess_out ".$session." -no_ticket");
|
|
$proxy->start();
|
|
$proxy->clearClient();
|
|
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
|
|
$proxy->clientstart();
|
|
checkmessages(5, "Session resumption with ticket capable client without a "
|
|
."ticket", 1, 1, 1, 0);
|
|
unlink $session;
|
|
|
|
#Test 6: Client accepts empty ticket.
|
|
#Expected result: ClientHello extension seen; ServerHello extension seen;
|
|
# NewSessionTicket message seen; Full handshake.
|
|
clearall();
|
|
$proxy->filter(\&ticket_filter);
|
|
$proxy->clientflags("-no_tls1_3");
|
|
$proxy->start();
|
|
checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
|
|
|
|
#Test 7-8: Client keeps existing ticket on empty ticket.
|
|
clearall();
|
|
(undef, $session) = tempfile();
|
|
$proxy->serverconnects(3);
|
|
$proxy->filter(undef);
|
|
$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
|
|
$proxy->start();
|
|
$proxy->clearClient();
|
|
$proxy->clientflags("-no_tls1_3 -sess_in ".$session." -sess_out ".$session);
|
|
$proxy->filter(\&inject_empty_ticket_filter);
|
|
$proxy->clientstart();
|
|
#Expected result: ClientHello extension seen; ServerHello extension seen;
|
|
# NewSessionTicket message seen; Abbreviated handshake.
|
|
checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
|
|
clearclient();
|
|
$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
|
|
$proxy->filter(undef);
|
|
$proxy->clientstart();
|
|
#Expected result: ClientHello extension seen; ServerHello extension not seen;
|
|
# NewSessionTicket message not seen; Abbreviated handshake.
|
|
checkmessages(8, "Empty ticket resumption test", 1, 0, 0, 0);
|
|
unlink $session;
|
|
|
|
#Test 9: Bad server sends the ServerHello extension but does not send a
|
|
#NewSessionTicket
|
|
#Expected result: Connection failure
|
|
clearall();
|
|
$proxy->clientflags("-no_tls1_3");
|
|
$proxy->serverflags("-no_ticket");
|
|
$proxy->filter(\&inject_ticket_extension_filter);
|
|
$proxy->start();
|
|
ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test");
|
|
|
|
#Test10: Bad server does not send the ServerHello extension but does send a
|
|
#NewSessionTicket
|
|
#Expected result: Connection failure
|
|
clearall();
|
|
$proxy->clientflags("-no_tls1_3");
|
|
$proxy->serverflags("-no_ticket");
|
|
$proxy->filter(\&inject_empty_ticket_filter);
|
|
$proxy->start();
|
|
ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test");
|
|
|
|
sub ticket_filter
|
|
{
|
|
my $proxy = shift;
|
|
|
|
foreach my $message (@{$proxy->message_list}) {
|
|
if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
|
|
$message->ticket("");
|
|
$message->repack();
|
|
}
|
|
}
|
|
}
|
|
|
|
sub inject_empty_ticket_filter {
|
|
my $proxy = shift;
|
|
|
|
foreach my $message (@{$proxy->message_list}) {
|
|
if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
|
|
# Only inject the message first time we're called.
|
|
return;
|
|
}
|
|
}
|
|
|
|
my @new_message_list = ();
|
|
foreach my $message (@{$proxy->message_list}) {
|
|
push @new_message_list, $message;
|
|
if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
|
|
$message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
|
|
$message->repack();
|
|
# Tack NewSessionTicket onto the ServerHello record.
|
|
# This only works if the ServerHello is exactly one record.
|
|
my $record = ${$message->records}[0];
|
|
|
|
my $offset = $message->startoffset + $message->encoded_length;
|
|
my $newsessionticket = TLSProxy::NewSessionTicket->new(
|
|
1, "", [$record], $offset, []);
|
|
$newsessionticket->repack();
|
|
push @new_message_list, $newsessionticket;
|
|
}
|
|
}
|
|
$proxy->message_list([@new_message_list]);
|
|
}
|
|
|
|
sub inject_ticket_extension_filter
|
|
{
|
|
my $proxy = shift;
|
|
|
|
# We're only interested in the initial ServerHello
|
|
if ($proxy->flight != 1) {
|
|
return;
|
|
}
|
|
|
|
foreach my $message (@{$proxy->message_list}) {
|
|
if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
|
|
#Add the session ticket extension to the ServerHello even though
|
|
#we are not going to send a NewSessionTicket message
|
|
$message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
|
|
|
|
$message->repack();
|
|
}
|
|
}
|
|
}
|
|
|
|
sub checkmessages($$$$$$)
|
|
{
|
|
my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
|
|
|
|
subtest $testname => sub {
|
|
|
|
foreach my $message (@{$proxy->message_list}) {
|
|
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
|
|
|| $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
|
|
#Get the extensions data
|
|
my %extensions = %{$message->extension_data};
|
|
if (defined
|
|
$extensions{TLSProxy::Message::EXT_SESSION_TICKET}) {
|
|
if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
|
|
$chellotickext = 1;
|
|
} else {
|
|
$shellotickext = 1;
|
|
}
|
|
}
|
|
} elsif ($message->mt == TLSProxy::Message::MT_CERTIFICATE) {
|
|
#Must be doing a full handshake
|
|
$fullhand = 1;
|
|
} elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
|
|
$ticketseen = 1;
|
|
}
|
|
}
|
|
|
|
plan tests => 5;
|
|
|
|
ok(TLSProxy::Message->success, "Handshake");
|
|
ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
|
|
"ClientHello extension Session Ticket check");
|
|
ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
|
|
"ServerHello extension Session Ticket check");
|
|
ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
|
|
"Session Ticket message presence check");
|
|
ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
|
|
"Session Ticket full handshake check");
|
|
}
|
|
}
|
|
|
|
|
|
sub clearclient()
|
|
{
|
|
$chellotickext = 0;
|
|
$shellotickext = 0;
|
|
$fullhand = 0;
|
|
$ticketseen = 0;
|
|
$proxy->clearClient();
|
|
}
|
|
|
|
sub clearall()
|
|
{
|
|
clearclient();
|
|
$proxy->clear();
|
|
}
|