]>
Commit | Line | Data |
---|---|---|
596d6b7e | 1 | #! /usr/bin/env perl |
6738bf14 | 2 | # Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. |
ddcc5e5b | 3 | # |
596d6b7e RS |
4 | # Licensed under the OpenSSL license (the "License"). You may not use |
5 | # this file except in compliance with the License. You can obtain a copy | |
6 | # in the file LICENSE in the source distribution or at | |
7 | # https://www.openssl.org/source/license.html | |
ddcc5e5b MC |
8 | |
9 | use strict; | |
42e0ccdf | 10 | use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file bldtop_dir/; |
3f22ed2f | 11 | use OpenSSL::Test::Utils; |
ddcc5e5b MC |
12 | use TLSProxy::Proxy; |
13 | use File::Temp qw(tempfile); | |
14 | ||
c27a4049 RL |
15 | my $test_name = "test_sslsessiontick"; |
16 | setup($test_name); | |
17 | ||
60f9f1e1 | 18 | plan skip_all => "TLSProxy isn't usable on $^O" |
c5856878 | 19 | if $^O =~ /^(VMS)$/; |
60f9f1e1 | 20 | |
2dd400bd | 21 | plan skip_all => "$test_name needs the dynamic engine feature enabled" |
19ab5790 | 22 | if disabled("engine") || disabled("dynamic-engine"); |
c27a4049 | 23 | |
f9e55034 MC |
24 | plan skip_all => "$test_name needs the sock feature enabled" |
25 | if disabled("sock"); | |
26 | ||
9362c93e MC |
27 | plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled" |
28 | if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2")); | |
b273fcc5 | 29 | |
c27a4049 RL |
30 | $ENV{OPENSSL_ia32cap} = '~0x200000200000000'; |
31 | ||
32 | sub checkmessages($$$$$$); | |
5427976d | 33 | sub clearclient(); |
c27a4049 RL |
34 | sub clearall(); |
35 | ||
ddcc5e5b MC |
36 | my $chellotickext = 0; |
37 | my $shellotickext = 0; | |
38 | my $fullhand = 0; | |
39 | my $ticketseen = 0; | |
40 | ||
41 | my $proxy = TLSProxy::Proxy->new( | |
42 | undef, | |
25c78440 | 43 | cmdstr(app(["openssl"]), display => 1), |
b44b935e RL |
44 | srctop_file("apps", "server.pem"), |
45 | (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) | |
ddcc5e5b MC |
46 | ); |
47 | ||
48 | #Test 1: By default with no existing session we should get a session ticket | |
49 | #Expected result: ClientHello extension seen; ServerHello extension seen | |
50 | # NewSessionTicket message seen; Full handshake | |
9362c93e | 51 | $proxy->clientflags("-no_tls1_3"); |
b02b5743 MC |
52 | $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; |
53 | plan tests => 10; | |
ddcc5e5b MC |
54 | checkmessages(1, "Default session ticket test", 1, 1, 1, 1); |
55 | ||
56 | #Test 2: If the server does not accept tickets we should get a normal handshake | |
57 | #with no session tickets | |
58 | #Expected result: ClientHello extension seen; ServerHello extension not seen | |
59 | # NewSessionTicket message not seen; Full handshake | |
60 | clearall(); | |
9362c93e | 61 | $proxy->clientflags("-no_tls1_3"); |
ddcc5e5b MC |
62 | $proxy->serverflags("-no_ticket"); |
63 | $proxy->start(); | |
64 | checkmessages(2, "No server support session ticket test", 1, 0, 0, 1); | |
65 | ||
66 | #Test 3: If the client does not accept tickets we should get a normal handshake | |
67 | #with no session tickets | |
68 | #Expected result: ClientHello extension not seen; ServerHello extension not seen | |
69 | # NewSessionTicket message not seen; Full handshake | |
70 | clearall(); | |
9362c93e | 71 | $proxy->clientflags("-no_tls1_3 -no_ticket"); |
ddcc5e5b MC |
72 | $proxy->start(); |
73 | checkmessages(3, "No client support session ticket test", 0, 0, 0, 1); | |
74 | ||
75 | #Test 4: Test session resumption with session ticket | |
76 | #Expected result: ClientHello extension seen; ServerHello extension not seen | |
77 | # NewSessionTicket message not seen; Abbreviated handshake | |
78 | clearall(); | |
b38c43f7 | 79 | (undef, my $session) = tempfile(); |
ddcc5e5b | 80 | $proxy->serverconnects(2); |
9362c93e | 81 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
ddcc5e5b | 82 | $proxy->start(); |
5427976d | 83 | $proxy->clearClient(); |
9362c93e | 84 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
ddcc5e5b MC |
85 | $proxy->clientstart(); |
86 | checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0); | |
b38c43f7 | 87 | unlink $session; |
ddcc5e5b MC |
88 | |
89 | #Test 5: Test session resumption with ticket capable client without a ticket | |
90 | #Expected result: ClientHello extension seen; ServerHello extension seen | |
91 | # NewSessionTicket message seen; Abbreviated handshake | |
92 | clearall(); | |
b38c43f7 | 93 | (undef, $session) = tempfile(); |
ddcc5e5b | 94 | $proxy->serverconnects(2); |
9362c93e | 95 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session." -no_ticket"); |
ddcc5e5b | 96 | $proxy->start(); |
5427976d | 97 | $proxy->clearClient(); |
9362c93e | 98 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
ddcc5e5b MC |
99 | $proxy->clientstart(); |
100 | checkmessages(5, "Session resumption with ticket capable client without a " | |
101 | ."ticket", 1, 1, 1, 0); | |
b38c43f7 | 102 | unlink $session; |
ddcc5e5b | 103 | |
7f6d90ac EK |
104 | #Test 6: Client accepts empty ticket. |
105 | #Expected result: ClientHello extension seen; ServerHello extension seen; | |
106 | # NewSessionTicket message seen; Full handshake. | |
107 | clearall(); | |
108 | $proxy->filter(\&ticket_filter); | |
9362c93e | 109 | $proxy->clientflags("-no_tls1_3"); |
7f6d90ac EK |
110 | $proxy->start(); |
111 | checkmessages(6, "Empty ticket test", 1, 1, 1, 1); | |
112 | ||
cf7f8592 EK |
113 | #Test 7-8: Client keeps existing ticket on empty ticket. |
114 | clearall(); | |
b38c43f7 | 115 | (undef, $session) = tempfile(); |
cf7f8592 EK |
116 | $proxy->serverconnects(3); |
117 | $proxy->filter(undef); | |
9362c93e | 118 | $proxy->clientflags("-no_tls1_3 -sess_out ".$session); |
cf7f8592 | 119 | $proxy->start(); |
5427976d | 120 | $proxy->clearClient(); |
9362c93e | 121 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session." -sess_out ".$session); |
cf7f8592 EK |
122 | $proxy->filter(\&inject_empty_ticket_filter); |
123 | $proxy->clientstart(); | |
124 | #Expected result: ClientHello extension seen; ServerHello extension seen; | |
125 | # NewSessionTicket message seen; Abbreviated handshake. | |
126 | checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0); | |
5427976d | 127 | clearclient(); |
9362c93e | 128 | $proxy->clientflags("-no_tls1_3 -sess_in ".$session); |
cf7f8592 EK |
129 | $proxy->filter(undef); |
130 | $proxy->clientstart(); | |
131 | #Expected result: ClientHello extension seen; ServerHello extension not seen; | |
132 | # NewSessionTicket message not seen; Abbreviated handshake. | |
133 | checkmessages(8, "Empty ticket resumption test", 1, 0, 0, 0); | |
b38c43f7 | 134 | unlink $session; |
cf7f8592 | 135 | |
5f726759 MC |
136 | #Test 9: Bad server sends the ServerHello extension but does not send a |
137 | #NewSessionTicket | |
138 | #Expected result: Connection failure | |
139 | clearall(); | |
9362c93e | 140 | $proxy->clientflags("-no_tls1_3"); |
5f726759 MC |
141 | $proxy->serverflags("-no_ticket"); |
142 | $proxy->filter(\&inject_ticket_extension_filter); | |
143 | $proxy->start(); | |
144 | ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test"); | |
145 | ||
146 | #Test10: Bad server does not send the ServerHello extension but does send a | |
147 | #NewSessionTicket | |
148 | #Expected result: Connection failure | |
149 | clearall(); | |
9362c93e | 150 | $proxy->clientflags("-no_tls1_3"); |
5f726759 MC |
151 | $proxy->serverflags("-no_ticket"); |
152 | $proxy->filter(\&inject_empty_ticket_filter); | |
153 | $proxy->start(); | |
154 | ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test"); | |
7f6d90ac EK |
155 | |
156 | sub ticket_filter | |
157 | { | |
158 | my $proxy = shift; | |
159 | ||
160 | foreach my $message (@{$proxy->message_list}) { | |
161 | if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) { | |
162 | $message->ticket(""); | |
163 | $message->repack(); | |
164 | } | |
165 | } | |
166 | } | |
167 | ||
cf7f8592 EK |
168 | sub inject_empty_ticket_filter { |
169 | my $proxy = shift; | |
170 | ||
171 | foreach my $message (@{$proxy->message_list}) { | |
172 | if ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) { | |
173 | # Only inject the message first time we're called. | |
174 | return; | |
175 | } | |
176 | } | |
177 | ||
178 | my @new_message_list = (); | |
179 | foreach my $message (@{$proxy->message_list}) { | |
180 | push @new_message_list, $message; | |
181 | if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) { | |
aa474d1f | 182 | $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, ""); |
cf7f8592 EK |
183 | $message->repack(); |
184 | # Tack NewSessionTicket onto the ServerHello record. | |
185 | # This only works if the ServerHello is exactly one record. | |
186 | my $record = ${$message->records}[0]; | |
187 | ||
188 | my $offset = $message->startoffset + $message->encoded_length; | |
189 | my $newsessionticket = TLSProxy::NewSessionTicket->new( | |
190 | 1, "", [$record], $offset, []); | |
191 | $newsessionticket->repack(); | |
192 | push @new_message_list, $newsessionticket; | |
193 | } | |
194 | } | |
195 | $proxy->message_list([@new_message_list]); | |
196 | } | |
197 | ||
5f726759 MC |
198 | sub inject_ticket_extension_filter |
199 | { | |
200 | my $proxy = shift; | |
201 | ||
202 | # We're only interested in the initial ServerHello | |
203 | if ($proxy->flight != 1) { | |
204 | return; | |
205 | } | |
206 | ||
207 | foreach my $message (@{$proxy->message_list}) { | |
208 | if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) { | |
209 | #Add the session ticket extension to the ServerHello even though | |
210 | #we are not going to send a NewSessionTicket message | |
211 | $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, ""); | |
212 | ||
213 | $message->repack(); | |
214 | } | |
215 | } | |
216 | } | |
217 | ||
c27a4049 | 218 | sub checkmessages($$$$$$) |
ddcc5e5b MC |
219 | { |
220 | my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_; | |
221 | ||
c27a4049 RL |
222 | subtest $testname => sub { |
223 | ||
224 | foreach my $message (@{$proxy->message_list}) { | |
225 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO | |
ddcc5e5b | 226 | || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { |
c27a4049 RL |
227 | #Get the extensions data |
228 | my %extensions = %{$message->extension_data}; | |
229 | if (defined | |
aa474d1f | 230 | $extensions{TLSProxy::Message::EXT_SESSION_TICKET}) { |
c27a4049 RL |
231 | if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { |
232 | $chellotickext = 1; | |
233 | } else { | |
234 | $shellotickext = 1; | |
235 | } | |
236 | } | |
0f1e51ea | 237 | } elsif ($message->mt == TLSProxy::Message::MT_CERTIFICATE) { |
c27a4049 RL |
238 | #Must be doing a full handshake |
239 | $fullhand = 1; | |
240 | } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) { | |
241 | $ticketseen = 1; | |
242 | } | |
243 | } | |
ddcc5e5b | 244 | |
c27a4049 RL |
245 | plan tests => 5; |
246 | ||
7f6d90ac | 247 | ok(TLSProxy::Message->success, "Handshake"); |
c27a4049 RL |
248 | ok(($testch && $chellotickext) || (!$testch && !$chellotickext), |
249 | "ClientHello extension Session Ticket check"); | |
250 | ok(($testsh && $shellotickext) || (!$testsh && !$shellotickext), | |
251 | "ServerHello extension Session Ticket check"); | |
252 | ok(($testtickseen && $ticketseen) || (!$testtickseen && !$ticketseen), | |
253 | "Session Ticket message presence check"); | |
254 | ok(($testhand && $fullhand) || (!$testhand && !$fullhand), | |
255 | "Session Ticket full handshake check"); | |
ddcc5e5b | 256 | } |
ddcc5e5b MC |
257 | } |
258 | ||
5427976d MC |
259 | |
260 | sub clearclient() | |
ddcc5e5b MC |
261 | { |
262 | $chellotickext = 0; | |
263 | $shellotickext = 0; | |
264 | $fullhand = 0; | |
265 | $ticketseen = 0; | |
5427976d MC |
266 | $proxy->clearClient(); |
267 | } | |
268 | ||
269 | sub clearall() | |
270 | { | |
271 | clearclient(); | |
ddcc5e5b MC |
272 | $proxy->clear(); |
273 | } |