[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Fri May 13 12:06:19 UTC 2016


The branch master has been updated
       via  5f7267598d74c2d86c2ef52eab38c91957b19999 (commit)
       via  c45d6b2b0dc9a0b191fc3dcaad8035addd1589e6 (commit)
      from  afdd82fb567dbcd003108eb5faab82998d9fbf4d (commit)


- Log -----------------------------------------------------------------
commit 5f7267598d74c2d86c2ef52eab38c91957b19999
Author: Matt Caswell <matt at openssl.org>
Date:   Wed May 11 12:32:12 2016 +0100

    Add some additional NewSessionTicket tests
    
    If the server does not send a session ticket extension, it should not then
    send the NewSessionTicket message.
    
    If the server sends the session ticket extension, it MUST then send the
    NewSessionTicket message.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>

commit c45d6b2b0dc9a0b191fc3dcaad8035addd1589e6
Author: David Benjamin <davidben at google.com>
Date:   Sat Mar 5 19:35:52 2016 -0500

    The NewSessionTicket message is not optional.
    
    Per RFC 4507, section 3.3:
    
       This message [NewSessionTicket] MUST be sent if the
       server included a SessionTicket extension in the ServerHello.  This
       message MUST NOT be sent if the server did not include a
       SessionTicket extension in the ServerHello.
    
    The presence of the NewSessionTicket message should be determined
    entirely from the ServerHello without probing.
    
    RT#4389
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    Reviewed-by: Matt Caswell <matt at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 ssl/statem/statem_clnt.c              |  8 ++++---
 test/recipes/70-test_sslsessiontick.t | 39 ++++++++++++++++++++++++++++++++++-
 2 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 4ede88e..8da3e9b 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -341,9 +341,11 @@ int ossl_statem_client_read_transition(SSL *s, int mt)
         break;
 
     case TLS_ST_CW_FINISHED:
-        if (mt == SSL3_MT_NEWSESSION_TICKET && s->tlsext_ticket_expected) {
-            st->hand_state = TLS_ST_CR_SESSION_TICKET;
-            return 1;
+        if (s->tlsext_ticket_expected) {
+            if (mt == SSL3_MT_NEWSESSION_TICKET) {
+                st->hand_state = TLS_ST_CR_SESSION_TICKET;
+                return 1;
+            }
         } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
             st->hand_state = TLS_ST_CR_CHANGE;
             return 1;
diff --git a/test/recipes/70-test_sslsessiontick.t b/test/recipes/70-test_sslsessiontick.t
index 2bf19e4..c30ac44 100755
--- a/test/recipes/70-test_sslsessiontick.t
+++ b/test/recipes/70-test_sslsessiontick.t
@@ -45,7 +45,7 @@ my $proxy = TLSProxy::Proxy->new(
     (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE})
 );
 
-plan tests => 8;
+plan tests => 10;
 
 #Test 1: By default with no existing session we should get a session ticket
 #Expected result: ClientHello extension seen; ServerHello extension seen
@@ -128,6 +128,23 @@ $proxy->clientstart();
 #                 NewSessionTicket message not seen; Abbreviated handshake.
 checkmessages(8, "Empty ticket resumption test",  1, 0, 0, 0);
 
+#Test 9: Bad server sends the ServerHello extension but does not send a
+#NewSessionTicket
+#Expected result: Connection failure
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->filter(\&inject_ticket_extension_filter);
+$proxy->start();
+ok(TLSProxy::Message->fail, "Server sends ticket extension but no ticket test");
+
+#Test10: Bad server does not send the ServerHello extension but does send a
+#NewSessionTicket
+#Expected result: Connection failure
+clearall();
+$proxy->serverflags("-no_ticket");
+$proxy->filter(\&inject_empty_ticket_filter);
+$proxy->start();
+ok(TLSProxy::Message->fail, "No server ticket extension but ticket sent test");
 
 sub ticket_filter
 {
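Review bot: Both new cases assert only `TLSProxy::Message->fail`, so they would also pass if the handshake broke for an unrelated reason, for example a ServerHello the filter repacked badly, rather than because the client rejected the missing or unsolicited ticket; if the proxy exposes the alert or the client-side error it is worth asserting that too, otherwise a comment noting the limitation would help. The `#Test10:` label also breaks the `#Test N:` spacing used by every other case in this file. Test 9's `inject_ticket_extension_filter` is defined further down, outside this hunk.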
@@ -171,6 +188,26 @@ sub inject_empty_ticket_filter {
     $proxy->message_list([@new_message_list]);
 }
 
+sub inject_ticket_extension_filter
+{
+    my $proxy = shift;
+
+    # We're only interested in the initial ServerHello
+    if ($proxy->flight != 1) {
+        return;
+    }
+
+    foreach my $message (@{$proxy->message_list}) {
+        if ($message->mt == TLSProxy::Message::MT_SERVER_HELLO) {
+            #Add the session ticket extension to the ServerHello even though
+            #we are not going to send a NewSessionTicket message
+            $message->set_extension(TLSProxy::Message::EXT_SESSION_TICKET, "");
+
+            $message->repack();
+        }
+    }
+}
+
 sub checkmessages($$$$$$)
 {
     my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_;
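Review bot: `inject_ticket_extension_filter` keeps scanning the flight after it has repacked the ServerHello, and spends a four-line block on a one-line guard; I'd write `return if $proxy->flight != 1;` and add `last;` after `$message->repack();`, which matches the single-ServerHello assumption the comment already makes. A header line would also help: `# TLSProxy filter: advertise an (empty) SessionTicket extension in the ServerHello while never sending a NewSessionTicket, so a conforming client must abort.` Whether `set_extension(..., "")` encodes a present zero-length extension rather than omitting it is not visible here and is exactly what this test hinges on, so that is worth confirming against TLSProxy::Message. The trailing `checkmessages` lines belong to a sub that continues past the hunk.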

