70-test_sslsessiontick.t 9.3 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
  10. use OpenSSL::Test::Utils;
  11. use TLSProxy::Proxy;
  12. use File::Temp qw(tempfile);
  13. my $test_name = "test_sslsessiontick";
  14. setup($test_name);
  15. plan skip_all => "TLSProxy isn't usable on $^O"
  16. if $^O =~ /^(VMS)$/;
  17. plan skip_all => "$test_name needs the dynamic engine feature enabled"
  18. if disabled("engine") || disabled("dynamic-engine");
  19. plan skip_all => "$test_name needs the sock feature enabled"
  20. if disabled("sock");
  21. plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled"
  22. if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
  23. sub checkmessages($$$$$$);
  24. sub clearclient();
  25. sub clearall();
  26. my $chellotickext = 0;
  27. my $shellotickext = 0;
  28. my $fullhand = 0;
  29. my $ticketseen = 0;
  30. my $proxy = TLSProxy::Proxy->new(
  31. undef,
  32. cmdstr(app(["openssl"]), display => 1),
  33. srctop_file("apps", "server.pem"),
  34. (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
  35. );
  36. #Test 1: By default with no existing session we should get a session ticket
  37. #Expected result: ClientHello extension seen; ServerHello extension seen
  38. # NewSessionTicket message seen; Full handshake
  39. $proxy->clientflags("-no_tls1_3");
  40. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
  41. plan tests => 10;
  42. checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
  43. #Test 2: If the server does not accept tickets we should get a normal handshake
  44. #with no session tickets
  45. #Expected result: ClientHello extension seen; ServerHello extension not seen
  46. # NewSessionTicket message not seen; Full handshake
  47. clearall();
  48. $proxy->clientflags("-no_tls1_3");
  49. $proxy->serverflags("-no_ticket");
  50. $proxy->start();
  51. checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
  52. #Test 3: If the client does not accept tickets we should get a normal handshake
  53. #with no session tickets
  54. #Expected result: ClientHello extension not seen; ServerHello extension not seen
  55. # NewSessionTicket message not seen; Full handshake
  56. clearall();
  57. $proxy->clientflags("-no_tls1_3 -no_ticket");
  58. $proxy->start();
  59. checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
  60. #Test 4: Test session resumption with session ticket
  61. #Expected result: ClientHello extension seen; ServerHello extension not seen
  62. # NewSessionTicket message not seen; Abbreviated handshake
  63. clearall();
  64. (undef, my $session) = tempfile();
  65. $proxy->serverconnects(2);
  66. $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
  67. $proxy->start();
  68. $proxy->clearClient();
  69. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  70. $proxy->clientstart();
  71. checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
  72. unlink $session;
  73. #Test 5: Test session resumption with ticket capable client without a ticket
  74. #Expected result: ClientHello extension seen; ServerHello extension seen
  75. # NewSessionTicket message seen; Abbreviated handshake
  76. clearall();
  77. (undef, $session) = tempfile();
  78. $proxy->serverconnects(2);
  79. $proxy->clientflags("-no_tls1_3 -sess_out ".$session." -no_ticket");
  80. $proxy->start();
  81. $proxy->clearClient();
  82. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  83. $proxy->clientstart();
  84. checkmessages(5, "Session resumption with ticket capable client without a "
  85. ."ticket", 1, 1, 1, 0);
  86. unlink $session;
  87. #Test 6: Client accepts empty ticket.
  88. #Expected result: ClientHello extension seen; ServerHello extension seen;
  89. # NewSessionTicket message seen; Full handshake.
  90. clearall();
  91. $proxy->filter(\&ticket_filter);
  92. $proxy->clientflags("-no_tls1_3");
  93. $proxy->start();
  94. checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
  95. #Test 7-8: Client keeps existing ticket on empty ticket.
  96. clearall();
  97. (undef, $session) = tempfile();
  98. $proxy->serverconnects(3);
  99. $proxy->filter(undef);
  100. $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
  101. $proxy->start();
  102. $proxy->clearClient();
  103. $proxy->clientflags("-no_tls1_3 -sess_in ".$session." -sess_out ".$session);
  104. $proxy->filter(\&inject_empty_ticket_filter);
  105. $proxy->clientstart();
  106. #Expected result: ClientHello extension seen; ServerHello extension seen;
  107. # NewSessionTicket message seen; Abbreviated handshake.
  108. checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
  109. clearclient();
  110. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  111. $proxy->filter(undef);
  112. $proxy->clientstart();
  113. #Expected result: ClientHello extension seen; ServerHello extension not seen;
  114. # NewSessionTicket message not seen; Abbreviated handshake.
  115. checkmessages(8, "Empty ticket resumption test", 1, 0, 0, 0);
  116. unlink $session;
  117. #Test 9: Bad server sends the ServerHello extension but does not send a
  118. #NewSessionTicket
  119. #Expected result: Connection failure
  120. clearall();
  121. $proxy->clientflags("-no_tls1_3");
  122. $proxy->serverflags("-no_ticket");
  123. $proxy->filter(\&inject_ticket_extension_filter);
  124. $proxy->start();
  125. ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test");
  126. #Test10: Bad server does not send the ServerHello extension but does send a
  127. #NewSessionTicket
  128. #Expected result: Connection failure
  129. clearall();
  130. $proxy->clientflags("-no_tls1_3");
  131. $proxy->serverflags("-no_ticket");
  132. $proxy->filter(\&inject_empty_ticket_filter);
  133. $proxy->start();
  134. ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test");
  135. sub ticket_filter
  136. {
  137. my $proxy = shift;
  138. foreach my $message (@{$proxy->message_list}) {
  139. if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
  140. $message->ticket("");
  141. $message->repack();
  142. }
  143. }
  144. }
  145. sub inject_empty_ticket_filter {
  146. my $proxy = shift;
  147. foreach my $message (@{$proxy->message_list}) {
  148. if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
  149. # Only inject the message first time we're called.
  150. return;
  151. }
  152. }
  153. my @new_message_list = ();
  154. foreach my $message (@{$proxy->message_list}) {
  155. push @new_message_list, $message;
  156. if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
  157. $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
  158. $message->repack();
  159. # Tack NewSessionTicket onto the ServerHello record.
  160. # This only works if the ServerHello is exactly one record.
  161. my $record = ${$message->records}[0];
  162. my $offset = $message->startoffset + $message->encoded_length;
  163. my $newsessionticket = TLSProxy::NewSessionTicket->new(
  164. 1, "", [$record], $offset, []);
  165. $newsessionticket->repack();
  166. push @new_message_list, $newsessionticket;
  167. }
  168. }
  169. $proxy->message_list([@new_message_list]);
  170. }
  171. sub inject_ticket_extension_filter
  172. {
  173. my $proxy = shift;
  174. # We're only interested in the initial ServerHello
  175. if ($proxy->flight != 1) {
  176. return;
  177. }
  178. foreach my $message (@{$proxy->message_list}) {
  179. if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
  180. #Add the session ticket extension to the ServerHello even though
  181. #we are not going to send a NewSessionTicket message
  182. $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
  183. $message->repack();
  184. }
  185. }
  186. }
  187. sub checkmessages($$$$$$)
  188. {
  189. my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
  190. subtest $testname => sub {
  191. foreach my $message (@{$proxy->message_list}) {
  192. if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
  193. || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
  194. #Get the extensions data
  195. my %extensions = %{$message->extension_data};
  196. if (defined
  197. $extensions{TLSProxy::Message::EXT_SESSION_TICKET}) {
  198. if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
  199. $chellotickext = 1;
  200. } else {
  201. $shellotickext = 1;
  202. }
  203. }
  204. } elsif ($message->mt == TLSProxy::Message::MT_CERTIFICATE) {
  205. #Must be doing a full handshake
  206. $fullhand = 1;
  207. } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
  208. $ticketseen = 1;
  209. }
  210. }
  211. plan tests => 5;
  212. ok(TLSProxy::Message->success, "Handshake");
  213. ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
  214. "ClientHello extension Session Ticket check");
  215. ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
  216. "ServerHello extension Session Ticket check");
  217. ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
  218. "Session Ticket message presence check");
  219. ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
  220. "Session Ticket full handshake check");
  221. }
  222. }
  223. sub clearclient()
  224. {
  225. $chellotickext = 0;
  226. $shellotickext = 0;
  227. $fullhand = 0;
  228. $ticketseen = 0;
  229. $proxy->clearClient();
  230. }
  231. sub clearall()
  232. {
  233. clearclient();
  234. $proxy->clear();
  235. }