Add NewSessionTicket test suite

Add a set of tests for checking that NewSessionTicket messages are
behaving as expected.

Reviewed-by: Tim Hudson <tjh@openssl.org>

test/Makefile

@@ -73,6 +73,7 @@ CLIENTHELLOTEST=	clienthellotest
 PACKETTEST=	packettest
 SSLVERTOLTEST=	sslvertoltest.pl
 SSLEXTENSIONTEST=	sslextensiontest.pl
+SSLSESSIONTICKTEST= 	sslsessionticktest.pl
 SSLSKEWITH0PTEST=	sslskewith0ptest.pl
 
 TESTS=		alltests
@@ -160,7 +161,7 @@ alltests: \
 	test_srp test_cms test_v3name test_ocsp \
 	test_gost2814789 test_heartbeat test_p5_crpt2 \
 	test_constant_time test_verify_extra test_clienthello test_packet \
-	test_sslvertol test_sslextension test_sslskewith0p
+	test_sslvertol test_sslextension test_sslsessionticket test_sslskewith0p
 
 test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt
 	@echo $(START) $@
@@ -432,6 +433,11 @@ test_sslextension: ../apps/openssl$(EXE_EXT)
 	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
 	@[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared
 
+test_sslsessionticket: ../apps/openssl$(EXE_EXT)
+	@echo $(START) $@
+	[ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSESSIONTICKTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem
+	@[ -n "$(SHARED_LIBS)" ] || echo test_sslsessionticket can only be performed with OpenSSL configured shared
+
 test_sslskewith0p: ../apps/openssl$(EXE_EXT)
 	@echo $(START) $@
 	[ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem

test/sslsessionticktest.pl

@@ -0,0 +1,173 @@
+#!/usr/bin/perl
+# Written by Matt Caswell for the OpenSSL project.
+# ====================================================================
+# Copyright (c) 1998-2015 The OpenSSL Project.  All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+#    notice, this list of conditions and the following disclaimer.
+#
+# 2. Redistributions in binary form must reproduce the above copyright
+#    notice, this list of conditions and the following disclaimer in
+#    the documentation and/or other materials provided with the
+#    distribution.
+#
+# 3. All advertising materials mentioning features or use of this
+#    software must display the following acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+#
+# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+#    endorse or promote products derived from this software without
+#    prior written permission. For written permission, please contact
+#    openssl-core@openssl.org.
+#
+# 5. Products derived from this software may not be called "OpenSSL"
+#    nor may "OpenSSL" appear in their names without prior written
+#    permission of the OpenSSL Project.
+#
+# 6. Redistributions of any form whatsoever must retain the following
+#    acknowledgment:
+#    "This product includes software developed by the OpenSSL Project
+#    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+#
+# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+# PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+# OF THE POSSIBILITY OF SUCH DAMAGE.
+# ====================================================================
+#
+# This product includes cryptographic software written by Eric Young
+# (eay@cryptsoft.com).  This product includes software written by Tim
+# Hudson (tjh@cryptsoft.com).
+
+use strict;
+use TLSProxy::Proxy;
+use File::Temp qw(tempfile);
+
+my $chellotickext = 0;
+my $shellotickext = 0;
+my $fullhand = 0;
+my $ticketseen = 0;
+
+my $proxy = TLSProxy::Proxy->new(
+    undef,
+    @ARGV
+);
+
+#Test 1: By default with no existing session we should get a session ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+#                 NewSessionTicket message seen; Full handshake
+$proxy->start();
+checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
+
+#Test 2: If the server does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+#                 NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->start();
+checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
+
+#Test 3: If the client does not accept tickets we should get a normal handshake
+#with no session tickets
+#Expected result: ClientHello extension not seen; ServerHello extension not seen
+#                 NewSessionTicket message not seen; Full handshake
+clearall();
+$proxy->clientflags("-no_ticket");
+$proxy->start();
+checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
+
+#Test 4: Test session resumption with session ticket
+#Expected result: ClientHello extension seen; ServerHello extension not seen
+#                 NewSessionTicket message not seen; Abbreviated handshake
+clearall();
+(my $fh, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session);
+$proxy->start();
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
+
+#Test 5: Test session resumption with ticket capable client without a ticket
+#Expected result: ClientHello extension seen; ServerHello extension seen
+#                 NewSessionTicket message seen; Abbreviated handshake
+clearall();
+(my $fh, my $session) = tempfile();
+$proxy->serverconnects(2);
+$proxy->clientflags("-sess_out ".$session." -no_ticket");
+$proxy->start();
+$proxy->clear();
+$proxy->clientflags("-sess_in ".$session);
+$proxy->clientstart();
+checkmessages(5, "Session resumption with ticket capable client without a "
+                 ."ticket", 1, 1, 1, 0);
+
+sub checkmessages()
+{
+    my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
+                || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+            #Get the extensions data
+            my %extensions = %{$message->extension_data};
+            if (defined
+                    $extensions{TLSProxy::ClientHello::EXT_SESSION_TICKET}) {
+                if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
+                    $chellotickext = 1;
+                } else {
+                    $shellotickext = 1;
+                }
+            }
+        } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) {
+            #Must be doing a full handshake
+            $fullhand = 1;
+        } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
+            $ticketseen = 1;
+        }
+    }
+
+    TLSProxy::Message->success or die "FAILED: $testname: Hanshake failed "
+                                      ."(Test $testno)\n";
+    if (($testch && !$chellotickext) || (!$testch && $chellotickext)) {
+        die "FAILED: $testname: ClientHello extension Session Ticket check "
+            ."failed (Test $testno)\n";
+    }
+    if (($testsh && !$shellotickext) || (!$testsh && $shellotickext)) {
+        die "FAILED: $testname: ServerHello extension Session Ticket check "
+            ."failed (Test $testno)\n";
+    }
+    if (($testtickseen && !$ticketseen) || (!$testtickseen && $ticketseen)) {
+        die "FAILED: $testname: Session Ticket message presence check failed "
+            ."(Test $testno)\n";
+    }
+    if (($testhand && !$fullhand) || (!$testhand && $fullhand)) {
+        die "FAILED: $testname: Session Ticket full handshake check failed "
+            ."(Test $testno)\n";
+    }
+    print "SUCCESS: $testname (Test#$testno)\n";
+}
+
+sub clearall()
+{
+    $chellotickext = 0;
+    $shellotickext = 0;
+    $fullhand = 0;
+    $ticketseen = 0;
+    $proxy->clear();
+}

util/TLSProxy/ClientHello.pm

@@ -58,7 +58,8 @@ package TLSProxy::ClientHello;
 use parent 'TLSProxy::Message';
 
 use constant {
-    EXT_ENCRYPT_THEN_MAC => 22
+    EXT_ENCRYPT_THEN_MAC => 22,
+    EXT_SESSION_TICKET => 35
 };
 
 sub new

util/TLSProxy/Proxy.pm

@@ -79,13 +79,16 @@ sub new
         server_addr => "localhost",
         server_port => 4443,
         filter => $filter,
+        serverflags => "",
+        clientflags => "",
+        serverconnects => 1,
 
         #Public read
         execute => $execute,
         cert => $cert,
         debug => $debug,
-        cipherc => "AES128-SHA",
+        cipherc => "",
-        ciphers => "",
+        ciphers => "AES128-SHA",
         flight => 0,
         record_list => [],
         message_list => [],
@@ -101,12 +104,15 @@ sub clear
 {
     my $self = shift;
 
-    $self->{cipherc} = "AES128-SHA";
+    $self->{cipherc} = "";
-    $self->{ciphers} = "";
+    $self->{ciphers} = "AES128-SHA";
     $self->{flight} = 0;
     $self->{record_list} = [];
     $self->{message_list} = [];
     $self->{message_rec_list} = [];
+    $self->{serverflags} = "";
+    $self->{clientflags} = "";
+    $self->{serverconnects} = 1;
 
     TLSProxy::Message->clear();
     TLSProxy::Record->clear();
@@ -120,6 +126,14 @@ sub restart
     $self->start;
 }
 
+sub clientrestart
+{
+    my $self = shift;
+
+    $self->clear;
+    $self->clientstart;
+}
+
 sub start
 {
     my ($self) = shift;
@@ -132,13 +146,22 @@ sub start
         open(STDERR, ">&STDOUT");
         my $execcmd = $self->execute." s_server -rev -engine ossltest -accept "
             .($self->server_port)
-            ." -cert ".$self->cert." -naccept 1";
+            ." -cert ".$self->cert." -naccept ".$self->serverconnects;
         if ($self->ciphers ne "") {
             $execcmd .= " -cipher ".$self->ciphers;
         }
+        if ($self->serverflags ne "") {
+            $execcmd .= " ".$self->serverflags;
+        }
         exec($execcmd);
     }
 
+    $self->clientstart;
+}
+
+sub clientstart
+{
+    my ($self) = shift;
     my $oldstdout;
 
     if(!$self->debug) {
@@ -173,6 +196,9 @@ sub start
             if ($self->cipherc ne "") {
                 $execcmd .= " -cipher ".$self->cipherc;
             }
+            if ($self->clientflags ne "") {
+                $execcmd .= " ".$self->clientflags;
+            }
             exec($execcmd);
         }
     }
@@ -274,7 +300,9 @@ sub process_packet
     print "\n";
 
     #Finished parsing. Call user provided filter here
-    $self->filter->($self);
+    if(defined $self->filter) {
+        $self->filter->($self);
+    }
 
     #Reconstruct the packet
     $packet = "";
@@ -392,4 +420,28 @@ sub ciphers
     }
     return $self->{ciphers};
 }
+sub serverflags
+{
+    my $self = shift;
+    if (@_) {
+      $self->{serverflags} = shift;
+    }
+    return $self->{serverflags};
+}
+sub clientflags
+{
+    my $self = shift;
+    if (@_) {
+      $self->{clientflags} = shift;
+    }
+    return $self->{clientflags};
+}
+sub serverconnects
+{
+    my $self = shift;
+    if (@_) {
+      $self->{serverconnects} = shift;
+    }
+    return $self->{serverconnects};
+}
 1;