[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Sep 4 10:27:05 UTC 2018
The branch master has been updated
via 8614a4eb4ae8e38c3f5064113eb571aa8ca6b272 (commit)
via 51256b34d82d008cca7be0d1903c357bfa99f753 (commit)
from f097e8759820f6f9b78adb99eb4bfced2945d623 (commit)
- Log -----------------------------------------------------------------
commit 8614a4eb4ae8e38c3f5064113eb571aa8ca6b272
Author: Matt Caswell <matt at openssl.org>
Date: Mon Aug 27 01:39:00 2018 +0100
Test creation of tickets when using a TLSv1.3 PSK
Add a test to check that we create the correct number of tickets after a
TLSv1.3 PSK.
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7097)
commit 51256b34d82d008cca7be0d1903c357bfa99f753
Author: Matt Caswell <matt at openssl.org>
Date: Fri Aug 24 16:16:28 2018 +0100
Send a NewSessionTicket after using an external PSK
Treat a connection using an external PSK like we would a resumption and
send a single NewSessionTicket afterwards.
Fixes #6941
Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7097)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/extensions_srvr.c | 2 +
test/sslapitest.c | 131 ++++++++++++++++++++++++++++++++++---------
2 files changed, 106 insertions(+), 27 deletions(-)
diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c
index 295d3e7..0f2b223 100644
--- a/ssl/statem/extensions_srvr.c
+++ b/ssl/statem/extensions_srvr.c
@@ -1160,6 +1160,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
ext = 1;
if (id == 0)
s->ext.early_data_ok = 1;
+ s->ext.ticket_expected = 1;
} else {
uint32_t ticket_age = 0, now, agesec, agems;
int ret;
@@ -1235,6 +1236,7 @@ int tls_parse_ctos_psk(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
SSL_SESSION_free(sess);
sess = NULL;
s->ext.early_data_ok = 0;
+ s->ext.ticket_expected = 0;
continue;
}
break;
diff --git a/test/sslapitest.c b/test/sslapitest.c
index d21b39d..f9ba60a 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -24,6 +24,24 @@
#include "internal/nelem.h"
#include "../ssl/ssl_locl.h"
+#ifndef OPENSSL_NO_TLS1_3
+
+static SSL_SESSION *clientpsk = NULL;
+static SSL_SESSION *serverpsk = NULL;
+static const char *pskid = "Identity";
+static const char *srvid;
+
+static int use_session_cb(SSL *ssl, const EVP_MD *md, const unsigned char **id,
+ size_t *idlen, SSL_SESSION **sess);
+static int find_session_cb(SSL *ssl, const unsigned char *identity,
+ size_t identity_len, SSL_SESSION **sess);
+
+static int use_session_cb_cnt = 0;
+static int find_session_cb_cnt = 0;
+
+static SSL_SESSION *create_a_psk(SSL *ssl);
+#endif
+
static char *cert = NULL;
static char *privkey = NULL;
static char *srpvfile = NULL;
@@ -1430,6 +1448,61 @@ static int test_stateful_tickets(int idx)
{
return test_tickets(1, idx);
}
+
+static int test_psk_tickets(void)
+{
+ SSL_CTX *sctx = NULL, *cctx = NULL;
+ SSL *serverssl = NULL, *clientssl = NULL;
+ int testresult = 0;
+ int sess_id_ctx = 1;
+
+ if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ TLS1_VERSION, TLS_MAX_VERSION, &sctx,
+ &cctx, NULL, NULL))
+ || !TEST_true(SSL_CTX_set_session_id_context(sctx,
+ (void *)&sess_id_ctx,
+ sizeof(sess_id_ctx))))
+ goto end;
+
+ SSL_CTX_set_session_cache_mode(cctx, SSL_SESS_CACHE_CLIENT
+ | SSL_SESS_CACHE_NO_INTERNAL_STORE);
+ SSL_CTX_set_psk_use_session_callback(cctx, use_session_cb);
+ SSL_CTX_set_psk_find_session_callback(sctx, find_session_cb);
+ SSL_CTX_sess_set_new_cb(cctx, new_session_cb);
+ use_session_cb_cnt = 0;
+ find_session_cb_cnt = 0;
+ srvid = pskid;
+ new_called = 0;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
+ goto end;
+ clientpsk = serverpsk = create_a_psk(clientssl);
+ if (!TEST_ptr(clientpsk))
+ goto end;
+ SSL_SESSION_up_ref(clientpsk);
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
+ SSL_ERROR_NONE))
+ || !TEST_int_eq(1, find_session_cb_cnt)
+ || !TEST_int_eq(1, use_session_cb_cnt)
+ /* We should always get 1 ticket when using external PSK */
+ || !TEST_int_eq(1, new_called))
+ goto end;
+
+ testresult = 1;
+
+ end:
+ SSL_free(serverssl);
+ SSL_free(clientssl);
+ SSL_CTX_free(sctx);
+ SSL_CTX_free(cctx);
+ SSL_SESSION_free(clientpsk);
+ SSL_SESSION_free(serverpsk);
+ clientpsk = serverpsk = NULL;
+
+ return testresult;
+}
#endif
#define USE_NULL 0
@@ -1806,14 +1879,6 @@ static int test_set_sigalgs(int idx)
#endif
#ifndef OPENSSL_NO_TLS1_3
-
-static SSL_SESSION *clientpsk = NULL;
-static SSL_SESSION *serverpsk = NULL;
-static const char *pskid = "Identity";
-static const char *srvid;
-
-static int use_session_cb_cnt = 0;
-static int find_session_cb_cnt = 0;
static int psk_client_cb_cnt = 0;
static int psk_server_cb_cnt = 0;
@@ -1944,6 +2009,35 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
+
+static SSL_SESSION *create_a_psk(SSL *ssl)
+{
+ const SSL_CIPHER *cipher = NULL;
+ const unsigned char key[] = {
+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
+ 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
+ 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
+ 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
+ 0x2c, 0x2d, 0x2e, 0x2f
+ };
+ SSL_SESSION *sess = NULL;
+
+ cipher = SSL_CIPHER_find(ssl, TLS13_AES_256_GCM_SHA384_BYTES);
+ sess = SSL_SESSION_new();
+ if (!TEST_ptr(sess)
+ || !TEST_ptr(cipher)
+ || !TEST_true(SSL_SESSION_set1_master_key(sess, key,
+ sizeof(key)))
+ || !TEST_true(SSL_SESSION_set_cipher(sess, cipher))
+ || !TEST_true(
+ SSL_SESSION_set_protocol_version(sess,
+ TLS1_3_VERSION))) {
+ SSL_SESSION_free(sess);
+ return NULL;
+ }
+ return sess;
+}
+
/*
* Helper method to setup objects for early data test. Caller frees objects on
* error.
@@ -1989,26 +2083,8 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
return 0;
if (idx == 2) {
- /* Create the PSK */
- const SSL_CIPHER *cipher = NULL;
- const unsigned char key[] = {
- 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
- 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14, 0x15,
- 0x16, 0x17, 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f, 0x20,
- 0x21, 0x22, 0x23, 0x24, 0x25, 0x26, 0x27, 0x28, 0x29, 0x2a, 0x2b,
- 0x2c, 0x2d, 0x2e, 0x2f
- };
-
- cipher = SSL_CIPHER_find(*clientssl, TLS13_AES_256_GCM_SHA384_BYTES);
- clientpsk = SSL_SESSION_new();
+ clientpsk = create_a_psk(*clientssl);
if (!TEST_ptr(clientpsk)
- || !TEST_ptr(cipher)
- || !TEST_true(SSL_SESSION_set1_master_key(clientpsk, key,
- sizeof(key)))
- || !TEST_true(SSL_SESSION_set_cipher(clientpsk, cipher))
- || !TEST_true(
- SSL_SESSION_set_protocol_version(clientpsk,
- TLS1_3_VERSION))
/*
* We just choose an arbitrary value for max_early_data which
* should be big enough for testing purposes.
@@ -5426,6 +5502,7 @@ int setup_tests(void)
#ifndef OPENSSL_NO_TLS1_3
ADD_ALL_TESTS(test_stateful_tickets, 3);
ADD_ALL_TESTS(test_stateless_tickets, 3);
+ ADD_TEST(test_psk_tickets);
#endif
ADD_ALL_TESTS(test_ssl_set_bio, TOTAL_SSL_SET_BIO_TESTS);
ADD_TEST(test_ssl_bio_pop_next_bio);
More information about the openssl-commits
mailing list