kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add a test for session ID context logic.

Browse Source 
We almost forgot to handle this in TLS 1.3, so add a test for it.

Change-Id: I28600325d8fb6c09365e909db607cbace12ecac7
Reviewed-on: https://boringssl-review.googlesource.com/9093
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
David Benjamin 2016-08-02 19:09:41 -04:00 committed by CQ bot account: commit-bot@chromium.org
parent 33dad1b7a1
commit a20e535fb1
1 changed files with 136 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

143
ssl/ssl_test.cc
View File

@ -1096,7 +1096,8 @@ static ScopedEVP_PKEY GetTestKey() {
} }
static bool ConnectClientAndServer(ScopedSSL *out_client, ScopedSSL *out_server, static bool ConnectClientAndServer(ScopedSSL *out_client, ScopedSSL *out_server,
SSL_CTX *client_ctx, SSL_CTX *server_ctx) { SSL_CTX *client_ctx, SSL_CTX *server_ctx,
SSL_SESSION *session) {
ScopedSSL client(SSL_new(client_ctx)), server(SSL_new(server_ctx)); ScopedSSL client(SSL_new(client_ctx)), server(SSL_new(server_ctx));
if (!client || !server) { if (!client || !server) {
return false; return false;
@ -1104,6 +1105,8 @@ static bool ConnectClientAndServer(ScopedSSL *out_client, ScopedSSL *out_server,
SSL_set_connect_state(client.get()); SSL_set_connect_state(client.get());
SSL_set_accept_state(server.get()); SSL_set_accept_state(server.get());
SSL_set_session(client.get(), session);
BIO *bio1, *bio2; BIO *bio1, *bio2;
if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) { if (!BIO_new_bio_pair(&bio1, 0, &bio2, 0)) {
return false; return false;
@ -1159,7 +1162,7 @@ static bool TestSequenceNumber(bool dtls) {
ScopedSSL client, server; ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, client_ctx.get(), if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
server_ctx.get())) { server_ctx.get(), nullptr /* no session */)) {
return false; return false;
} }
@ -1228,7 +1231,7 @@ static bool TestOneSidedShutdown() {
ScopedSSL client, server; ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, client_ctx.get(), if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
server_ctx.get())) { server_ctx.get(), nullptr /* no session */)) {
return false; return false;
} }
@ -1283,7 +1286,7 @@ static bool TestSessionDuplication() {
ScopedSSL client, server; ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, client_ctx.get(), if (!ConnectClientAndServer(&client, &server, client_ctx.get(),
server_ctx.get())) { server_ctx.get(), nullptr /* no session */)) {
return false; return false;
} }
@ -1494,7 +1497,8 @@ static bool TestGetPeerCertificate() {
SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL); SSL_CTX_set_cert_verify_callback(ctx.get(), VerifySucceed, NULL);
ScopedSSL client, server; ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get())) { if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
nullptr /* no session */)) {
return false; return false;
} }
@ -1561,7 +1565,8 @@ static bool TestRetainOnlySHA256OfCerts() {
SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1); SSL_CTX_set_retain_only_sha256_of_client_certs(ctx.get(), 1);
ScopedSSL client, server; ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get())) { if (!ConnectClientAndServer(&client, &server, ctx.get(), ctx.get(),
nullptr /* no session */)) {
return false; return false;
} }
@ -1712,6 +1717,129 @@ static bool TestClientHello() {
return true; return true;
} }
static ScopedSSL_SESSION g_last_session;
static int SaveLastSession(SSL *ssl, SSL_SESSION *session) {
// Save the most recent session.
g_last_session.reset(session);
return 1;
}
static ScopedSSL_SESSION CreateClientSession(SSL_CTX *client_ctx,
SSL_CTX *server_ctx) {
g_last_session = nullptr;
SSL_CTX_sess_set_new_cb(client_ctx, SaveLastSession);
// Connect client and server to get a session.
ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, client_ctx, server_ctx,
nullptr /* no session */)) {
fprintf(stderr, "Failed to connect client and server.\n");
return nullptr;
}
// Run the read loop to account for post-handshake tickets in TLS 1.3.
SSL_read(client.get(), nullptr, 0);
SSL_CTX_sess_set_new_cb(client_ctx, nullptr);
if (!g_last_session) {
fprintf(stderr, "Client did not receive a session.\n");
return nullptr;
}
return std::move(g_last_session);
}
static bool ExpectSessionReused(SSL_CTX *client_ctx, SSL_CTX *server_ctx,
SSL_SESSION *session,
bool reused) {
ScopedSSL client, server;
if (!ConnectClientAndServer(&client, &server, client_ctx,
server_ctx, session)) {
fprintf(stderr, "Failed to connect client and server.\n");
return false;
}
if (SSL_session_reused(client.get()) != SSL_session_reused(server.get())) {
fprintf(stderr, "Client and server were inconsistent.\n");
return false;
}
bool was_reused = !!SSL_session_reused(client.get());
if (was_reused != reused) {
fprintf(stderr, "Session was%s reused, but we expected the opposite.\n",
was_reused ? "" : " not");
return false;
}
return true;
}
static bool TestSessionIDContext() {
ScopedX509 cert = GetTestCertificate();
ScopedEVP_PKEY key = GetTestKey();
if (!cert || !key) {
return false;
}
static const uint8_t kContext1[] = {1};
static const uint8_t kContext2[] = {2};
for (uint16_t version : kVersions) {
// TODO(davidben): Enable this when TLS 1.3 resumption is implemented.
if (version == TLS1_3_VERSION) {
continue;
}
ScopedSSL_CTX server_ctx(SSL_CTX_new(TLS_method()));
ScopedSSL_CTX client_ctx(SSL_CTX_new(TLS_method()));
if (!server_ctx || !client_ctx ||
!SSL_CTX_use_certificate(server_ctx.get(), cert.get()) ||
!SSL_CTX_use_PrivateKey(server_ctx.get(), key.get()) ||
!SSL_CTX_set_session_id_context(server_ctx.get(), kContext1,
sizeof(kContext1))) {
return false;
}
SSL_CTX_set_min_version(client_ctx.get(), version);
SSL_CTX_set_max_version(client_ctx.get(), version);
SSL_CTX_set_session_cache_mode(client_ctx.get(), SSL_SESS_CACHE_BOTH);
SSL_CTX_set_min_version(server_ctx.get(), version);
SSL_CTX_set_max_version(server_ctx.get(), version);
SSL_CTX_set_session_cache_mode(server_ctx.get(), SSL_SESS_CACHE_BOTH);
ScopedSSL_SESSION session =
CreateClientSession(client_ctx.get(), server_ctx.get());
if (!session) {
fprintf(stderr, "Error getting session (version = %04x).\n", version);
return false;
}
if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
true /* expect session reused */)) {
fprintf(stderr, "Error resuming session (version = %04x).\n", version);
return false;
}
// Change the session ID context.
if (!SSL_CTX_set_session_id_context(server_ctx.get(), kContext2,
sizeof(kContext2))) {
return false;
}
if (!ExpectSessionReused(client_ctx.get(), server_ctx.get(), session.get(),
false /* expect session not reused */)) {
fprintf(stderr,
"Error connection with different context (version = %04x).\n",
version);
return false;
}
}
return true;
}
int main() { int main() {
CRYPTO_library_init(); CRYPTO_library_init();
@ -1743,7 +1871,8 @@ int main() {
!TestSetBIO() || !TestSetBIO() ||
!TestGetPeerCertificate() || !TestGetPeerCertificate() ||
!TestRetainOnlySHA256OfCerts() || !TestRetainOnlySHA256OfCerts() ||
!TestClientHello()) { !TestClientHello() ||
!TestSessionIDContext()) {
ERR_print_errors_fp(stderr); ERR_print_errors_fp(stderr);
return 1; return 1;
} }