70-test_sslsessiontick.t 9.0 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273
  1. #! /usr/bin/env perl
  2. # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved.
  3. #
  4. # Licensed under the Apache License 2.0 (the "License"). You may not use
  5. # this file except in compliance with the License. You can obtain a copy
  6. # in the file LICENSE in the source distribution or at
  7. # https://www.openssl.org/source/license.html
  8. use strict;
  9. use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/;
  10. use OpenSSL::Test::Utils;
  11. use TLSProxy::Proxy;
  12. use File::Temp qw(tempfile);
  13. my $test_name = "test_sslsessiontick";
  14. setup($test_name);
  15. plan skip_all => "TLSProxy isn't usable on $^O"
  16. if $^O =~ /^(VMS)$/;
  17. plan skip_all => "$test_name needs the dynamic engine feature enabled"
  18. if disabled("engine") || disabled("dynamic-engine");
  19. plan skip_all => "$test_name needs the sock feature enabled"
  20. if disabled("sock");
  21. plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled"
  22. if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
  23. $ENV{OPENSSL_ia32cap} = '~0x200000200000000';
  24. sub checkmessages($$$$$$);
  25. sub clearclient();
  26. sub clearall();
  27. my $chellotickext = 0;
  28. my $shellotickext = 0;
  29. my $fullhand = 0;
  30. my $ticketseen = 0;
  31. my $proxy = TLSProxy::Proxy->new(
  32. undef,
  33. cmdstr(app(["openssl"]), display => 1),
  34. srctop_file("apps", "server.pem"),
  35. (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
  36. );
  37. #Test 1: By default with no existing session we should get a session ticket
  38. #Expected result: ClientHello extension seen; ServerHello extension seen
  39. # NewSessionTicket message seen; Full handshake
  40. $proxy->clientflags("-no_tls1_3");
  41. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
  42. plan tests => 10;
  43. checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
  44. #Test 2: If the server does not accept tickets we should get a normal handshake
  45. #with no session tickets
  46. #Expected result: ClientHello extension seen; ServerHello extension not seen
  47. # NewSessionTicket message not seen; Full handshake
  48. clearall();
  49. $proxy->clientflags("-no_tls1_3");
  50. $proxy->serverflags("-no_ticket");
  51. $proxy->start();
  52. checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
  53. #Test 3: If the client does not accept tickets we should get a normal handshake
  54. #with no session tickets
  55. #Expected result: ClientHello extension not seen; ServerHello extension not seen
  56. # NewSessionTicket message not seen; Full handshake
  57. clearall();
  58. $proxy->clientflags("-no_tls1_3 -no_ticket");
  59. $proxy->start();
  60. checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
  61. #Test 4: Test session resumption with session ticket
  62. #Expected result: ClientHello extension seen; ServerHello extension not seen
  63. # NewSessionTicket message not seen; Abbreviated handshake
  64. clearall();
  65. (undef, my $session) = tempfile();
  66. $proxy->serverconnects(2);
  67. $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
  68. $proxy->start();
  69. $proxy->clearClient();
  70. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  71. $proxy->clientstart();
  72. checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
  73. unlink $session;
  74. #Test 5: Test session resumption with ticket capable client without a ticket
  75. #Expected result: ClientHello extension seen; ServerHello extension seen
  76. # NewSessionTicket message seen; Abbreviated handshake
  77. clearall();
  78. (undef, $session) = tempfile();
  79. $proxy->serverconnects(2);
  80. $proxy->clientflags("-no_tls1_3 -sess_out ".$session." -no_ticket");
  81. $proxy->start();
  82. $proxy->clearClient();
  83. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  84. $proxy->clientstart();
  85. checkmessages(5, "Session resumption with ticket capable client without a "
  86. ."ticket", 1, 1, 1, 0);
  87. unlink $session;
  88. #Test 6: Client accepts empty ticket.
  89. #Expected result: ClientHello extension seen; ServerHello extension seen;
  90. # NewSessionTicket message seen; Full handshake.
  91. clearall();
  92. $proxy->filter(\&ticket_filter);
  93. $proxy->clientflags("-no_tls1_3");
  94. $proxy->start();
  95. checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
  96. #Test 7-8: Client keeps existing ticket on empty ticket.
  97. clearall();
  98. (undef, $session) = tempfile();
  99. $proxy->serverconnects(3);
  100. $proxy->filter(undef);
  101. $proxy->clientflags("-no_tls1_3 -sess_out ".$session);
  102. $proxy->start();
  103. $proxy->clearClient();
  104. $proxy->clientflags("-no_tls1_3 -sess_in ".$session." -sess_out ".$session);
  105. $proxy->filter(\&inject_empty_ticket_filter);
  106. $proxy->clientstart();
  107. #Expected result: ClientHello extension seen; ServerHello extension seen;
  108. # NewSessionTicket message seen; Abbreviated handshake.
  109. checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
  110. clearclient();
  111. $proxy->clientflags("-no_tls1_3 -sess_in ".$session);
  112. $proxy->filter(undef);
  113. $proxy->clientstart();
  114. #Expected result: ClientHello extension seen; ServerHello extension not seen;
  115. # NewSessionTicket message not seen; Abbreviated handshake.
  116. checkmessages(8, "Empty ticket resumption test", 1, 0, 0, 0);
  117. unlink $session;
  118. #Test 9: Bad server sends the ServerHello extension but does not send a
  119. #NewSessionTicket
  120. #Expected result: Connection failure
  121. clearall();
  122. $proxy->clientflags("-no_tls1_3");
  123. $proxy->serverflags("-no_ticket");
  124. $proxy->filter(\&inject_ticket_extension_filter);
  125. $proxy->start();
  126. ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test");
  127. #Test10: Bad server does not send the ServerHello extension but does send a
  128. #NewSessionTicket
  129. #Expected result: Connection failure
  130. clearall();
  131. $proxy->clientflags("-no_tls1_3");
  132. $proxy->serverflags("-no_ticket");
  133. $proxy->filter(\&inject_empty_ticket_filter);
  134. $proxy->start();
  135. ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test");
  136. sub ticket_filter
  137. {
  138. my $proxy = shift;
  139. foreach my $message (@{$proxy->message_list}) {
  140. if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
  141. $message->ticket("");
  142. $message->repack();
  143. }
  144. }
  145. }
  146. sub inject_empty_ticket_filter {
  147. my $proxy = shift;
  148. foreach my $message (@{$proxy->message_list}) {
  149. if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
  150. # Only inject the message first time we're called.
  151. return;
  152. }
  153. }
  154. my @new_message_list = ();
  155. foreach my $message (@{$proxy->message_list}) {
  156. push @new_message_list, $message;
  157. if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
  158. $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
  159. $message->repack();
  160. # Tack NewSessionTicket onto the ServerHello record.
  161. # This only works if the ServerHello is exactly one record.
  162. my $record = ${$message->records}[0];
  163. my $offset = $message->startoffset + $message->encoded_length;
  164. my $newsessionticket = TLSProxy::NewSessionTicket->new(
  165. 1, "", [$record], $offset, []);
  166. $newsessionticket->repack();
  167. push @new_message_list, $newsessionticket;
  168. }
  169. }
  170. $proxy->message_list([@new_message_list]);
  171. }
  172. sub inject_ticket_extension_filter
  173. {
  174. my $proxy = shift;
  175. # We're only interested in the initial ServerHello
  176. if ($proxy->flight != 1) {
  177. return;
  178. }
  179. foreach my $message (@{$proxy->message_list}) {
  180. if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
  181. #Add the session ticket extension to the ServerHello even though
  182. #we are not going to send a NewSessionTicket message
  183. $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
  184. $message->repack();
  185. }
  186. }
  187. }
  188. sub checkmessages($$$$$$)
  189. {
  190. my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
  191. subtest $testname => sub {
  192. foreach my $message (@{$proxy->message_list}) {
  193. if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO
  194. || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
  195. #Get the extensions data
  196. my %extensions = %{$message->extension_data};
  197. if (defined
  198. $extensions{TLSProxy::Message::EXT_SESSION_TICKET}) {
  199. if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) {
  200. $chellotickext = 1;
  201. } else {
  202. $shellotickext = 1;
  203. }
  204. }
  205. } elsif ($message->mt == TLSProxy::Message::MT_CERTIFICATE) {
  206. #Must be doing a full handshake
  207. $fullhand = 1;
  208. } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) {
  209. $ticketseen = 1;
  210. }
  211. }
  212. plan tests => 5;
  213. ok(TLSProxy::Message->success, "Handshake");
  214. ok(($testch && $chellotickext) || (!$testch && !$chellotickext),
  215. "ClientHello extension Session Ticket check");
  216. ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext),
  217. "ServerHello extension Session Ticket check");
  218. ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen),
  219. "Session Ticket message presence check");
  220. ok(($testhand && $fullhand) || (!$testhand && !$fullhand),
  221. "Session Ticket full handshake check");
  222. }
  223. }
  224. sub clearclient()
  225. {
  226. $chellotickext = 0;
  227. $shellotickext = 0;
  228. $fullhand = 0;
  229. $ticketseen = 0;
  230. $proxy->clearClient();
  231. }
  232. sub clearall()
  233. {
  234. clearclient();
  235. $proxy->clear();
  236. }