generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add session reuse tests.

Browse Source 
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2452
This commit is contained in:
Kurt Roeckx 2016-03-27 20:53:01 +02:00
parent 1ed6587154
commit b7dffce017
2 changed files with 189 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

48
test/recipes/80-test_ssl.t
View File

@ -63,10 +63,13 @@ my $P2req="reqP2.ss";
my $P2cert="certP2.ss"; my $P2cert="certP2.ss";
my $P2intermediate="tmp_intP2.ss"; my $P2intermediate="tmp_intP2.ss";
my $server_sess="server.ss";
my $client_sess="client.ss";
plan tests => plan tests =>
1 # For testss 1 # For testss
+ 1 # For ssltest -test_cipherlist + 1 # For ssltest -test_cipherlist
+ 13 # For the first testssl + 15 # For the first testssl
+ 16 # For the first testsslproxy + 16 # For the first testsslproxy
+ 16 # For the second testsslproxy + 16 # For the second testsslproxy
; ;
@ -805,6 +808,49 @@ sub testssl {
}}}}} }}}}}
}; };
subtest 'TLS session reuse' => sub {
plan tests => 12;
ok(run(test([@ssltest, "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "tls1.2"])));
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "tls1.1"])));
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-server_max_proto", "tls1.1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "tls1.1"])));
ok(run(test([@ssltest, "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "tls1.2"])));
ok(run(test([@ssltest, "-no_ticket", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-no_ticket", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "tls1.2"])));
ok(run(test([@ssltest, "-no_ticket", "-server_max_proto", "tls1.1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "tls1.1"])));
ok(run(test([@ssltest, "-no_ticket", "-server_max_proto", "tls1.1", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-no_ticket", "-server_max_proto", "tls1.1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "tls1.1"])));
ok(run(test([@ssltest, "-no_ticket", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "tls1.2"])));
};
subtest 'DTLS session reuse' => sub {
plan tests => 12;
SKIP: {
skip "DTLS disabled", 12 if $no_dtls;
ok(run(test([@ssltest, "-dtls", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-dtls", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "dtls1.2"])));
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "dtls1"])));
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-dtls", "-server_max_proto", "dtls1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "dtls1"])));
ok(run(test([@ssltest, "-dtls", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "dtls1.2"])));
ok(run(test([@ssltest, "-dtls", "-no_ticket", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-dtls", "-no_ticket", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "dtls1.2"])));
ok(run(test([@ssltest, "-dtls", "-no_ticket", "-server_max_proto", "dtls1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "dtls1"])));
ok(run(test([@ssltest, "-dtls", "-no_ticket", "-server_max_proto", "dtls1", "-server_sess_out", $server_sess, "-client_sess_out", $client_sess])));
ok(run(test([@ssltest, "-dtls", "-no_ticket", "-server_max_proto", "dtls1", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "1", "-should_negotiate", "dtls1"])));
ok(run(test([@ssltest, "-dtls", "-no_ticket", "-server_sess_in", $server_sess, "-client_sess_in", $client_sess, "-should_reuse", "0", "-should_negotiate", "dtls1.2"])));
}
};
subtest 'Certificate Transparency tests' => sub { subtest 'Certificate Transparency tests' => sub {
###################################################################### ######################################################################

142
test/ssltest.c
View File

@ -383,6 +383,12 @@ static const char *sn_client;
static const char *sn_server1; static const char *sn_server1;
static const char *sn_server2; static const char *sn_server2;
static int sn_expect = 0; static int sn_expect = 0;
static const char *server_sess_out;
static const char *server_sess_in;
static const char *client_sess_out;
static const char *client_sess_in;
static SSL_SESSION *server_sess;
static SSL_SESSION *client_sess;
static int servername_cb(SSL *s, int *ad, void *arg) static int servername_cb(SSL *s, int *ad, void *arg)
{ {
@ -900,6 +906,12 @@ static void sv_usage(void)
fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n"); fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
fprintf(stderr, " -sn_expect1 - expected server 1\n"); fprintf(stderr, " -sn_expect1 - expected server 1\n");
fprintf(stderr, " -sn_expect2 - expected server 2\n"); fprintf(stderr, " -sn_expect2 - expected server 2\n");
fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
} }
static void print_key_details(BIO *out, EVP_PKEY *key) static void print_key_details(BIO *out, EVP_PKEY *key)
@ -997,6 +1009,43 @@ static int protocol_from_string(const char *value)
return -1; return -1;
} }
static SSL_SESSION *read_session(const char *filename)
{
SSL_SESSION *sess;
BIO *f = BIO_new_file(filename, "r");
if (f == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", filename);
ERR_print_errors(bio_err);
return NULL;
}
sess = PEM_read_bio_SSL_SESSION(f, NULL, 0, NULL);
if (sess == NULL) {
BIO_printf(bio_err, "Can't parse session file %s\n", filename);
ERR_print_errors(bio_err);
}
BIO_free(f);
return sess;
}
static int write_session(const char *filename, SSL_SESSION *sess)
{
BIO *f = BIO_new_file(filename, "w");
if (sess == NULL) {
BIO_printf(bio_err, "No session information\n");
return 0;
}
if (f == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", filename);
ERR_print_errors(bio_err);
return 0;
}
PEM_write_bio_SSL_SESSION(f, sess);
BIO_free(f);
return 1;
}
/* /*
* set_protocol_version - Sets protocol version minimum or maximum * set_protocol_version - Sets protocol version minimum or maximum
* *
@ -1031,6 +1080,8 @@ int main(int argc, char *argv[])
const SSL_METHOD *meth = NULL; const SSL_METHOD *meth = NULL;
SSL *c_ssl, *s_ssl; SSL *c_ssl, *s_ssl;
int number = 1, reuse = 0; int number = 1, reuse = 0;
int should_reuse = -1;
int no_ticket = 0;
long bytes = 256L; long bytes = 256L;
#ifndef OPENSSL_NO_DH #ifndef OPENSSL_NO_DH
DH *dh; DH *dh;
@ -1342,6 +1393,28 @@ int main(int argc, char *argv[])
sn_expect = 1; sn_expect = 1;
} else if (strcmp(*argv, "-sn_expect2") == 0) { } else if (strcmp(*argv, "-sn_expect2") == 0) {
sn_expect = 2; sn_expect = 2;
} else if (strcmp(*argv, "-server_sess_out") == 0) {
if (--argc < 1)
goto bad;
server_sess_out = *(++argv);
} else if (strcmp(*argv, "-server_sess_in") == 0) {
if (--argc < 1)
goto bad;
server_sess_in = *(++argv);
} else if (strcmp(*argv, "-client_sess_out") == 0) {
if (--argc < 1)
goto bad;
client_sess_out = *(++argv);
} else if (strcmp(*argv, "-client_sess_in") == 0) {
if (--argc < 1)
goto bad;
client_sess_in = *(++argv);
} else if (strcmp(*argv, "-should_reuse") == 0) {
if (--argc < 1)
goto bad;
should_reuse = !!atoi(*(++argv));
} else if (strcmp(*argv, "-no_ticket") == 0) {
no_ticket = 1;
} else { } else {
int rv; int rv;
arg = argv[0]; arg = argv[0];
@ -1536,6 +1609,11 @@ int main(int argc, char *argv[])
SSL_CTX_set_security_level(s_ctx, 0); SSL_CTX_set_security_level(s_ctx, 0);
SSL_CTX_set_security_level(s_ctx2, 0); SSL_CTX_set_security_level(s_ctx2, 0);
if (no_ticket) {
SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
}
if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0) if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
goto end; goto end;
if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0) if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
@ -1828,6 +1906,28 @@ int main(int argc, char *argv[])
OPENSSL_free(alpn); OPENSSL_free(alpn);
} }
if (server_sess_in != NULL) {
server_sess = read_session(server_sess_in);
if (server_sess == NULL)
goto end;
}
if (client_sess_in != NULL) {
client_sess = read_session(client_sess_in);
if (client_sess == NULL)
goto end;
}
if (server_sess_out != NULL || server_sess_in != NULL) {
char *keys;
long size;
/* Use a fixed key so that we can decrypt the ticket. */
size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0);
keys = OPENSSL_zalloc(size);
SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size);
OPENSSL_free(keys);
}
if (sn_server1 != NULL || sn_server2 != NULL) if (sn_server1 != NULL || sn_server2 != NULL)
SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb); SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
@ -1846,6 +1946,14 @@ int main(int argc, char *argv[])
if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
goto end; goto end;
if (server_sess) {
if (SSL_CTX_add_session(s_ctx, server_sess) == 0) {
BIO_printf(bio_err, "Can't add server session\n");
ERR_print_errors(bio_err);
goto end;
}
}
BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes); BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
for (i = 0; i < number; i++) { for (i = 0; i < number; i++) {
if (!reuse) { if (!reuse) {
@ -1854,6 +1962,13 @@ int main(int argc, char *argv[])
goto end; goto end;
} }
} }
if (client_sess_in != NULL) {
if (SSL_set_session(c_ssl, client_sess) == 0) {
BIO_printf(bio_err, "Can't set client session\n");
ERR_print_errors(bio_err);
goto end;
}
}
switch (bio_type) { switch (bio_type) {
case BIO_MEM: case BIO_MEM:
ret = doit(s_ssl, c_ssl, bytes); ret = doit(s_ssl, c_ssl, bytes);
@ -1897,6 +2012,30 @@ int main(int argc, char *argv[])
} }
} }
if (should_reuse != -1) {
if (SSL_session_reused(s_ssl) != should_reuse ||
SSL_session_reused(c_ssl) != should_reuse) {
BIO_printf(bio_err, "Unexpected session reuse state. "
"Expected: %d, server: %d, client: %d\n", should_reuse,
SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
ret = 1;
goto err;
}
}
if (server_sess_out != NULL) {
if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
ret = 1;
goto err;
}
}
if (client_sess_out != NULL) {
if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
ret = 1;
goto err;
}
}
if (!verbose) { if (!verbose) {
print_details(c_ssl, ""); print_details(c_ssl, "");
} }
@ -1934,6 +2073,9 @@ int main(int argc, char *argv[])
BIO_free(bio_stdout); BIO_free(bio_stdout);
SSL_SESSION_free(server_sess);
SSL_SESSION_free(client_sess);
#ifndef OPENSSL_NO_CRYPTO_MDEBUG #ifndef OPENSSL_NO_CRYPTO_MDEBUG
if (CRYPTO_mem_leaks(bio_err) <= 0) if (CRYPTO_mem_leaks(bio_err) <= 0)
ret = 1; ret = 1;