summaryrefslogtreecommitdiff
path: root/lib/ssl/test/ssl_session_ticket_SUITE.erl
diff options
context:
space:
mode:
Diffstat (limited to 'lib/ssl/test/ssl_session_ticket_SUITE.erl')
-rw-r--r--lib/ssl/test/ssl_session_ticket_SUITE.erl172
1 files changed, 156 insertions, 16 deletions
diff --git a/lib/ssl/test/ssl_session_ticket_SUITE.erl b/lib/ssl/test/ssl_session_ticket_SUITE.erl
index 0c981b5b83..6e07a845e9 100644
--- a/lib/ssl/test/ssl_session_ticket_SUITE.erl
+++ b/lib/ssl/test/ssl_session_ticket_SUITE.erl
@@ -1,6 +1,4 @@
%%
-%% %CopyrightBegin%
-%%
%% Copyright Ericsson AB 2007-2022. All Rights Reserved.
%%
%% Licensed under the Apache License, Version 2.0 (the "License");
@@ -45,6 +43,8 @@
ticket_reuse_anti_replay/1,
ticket_reuse_anti_replay_server_restart/0,
ticket_reuse_anti_replay_server_restart/1,
+ ticket_reuse_anti_replay_server_restart_reused_seed/0,
+ ticket_reuse_anti_replay_server_restart_reused_seed/1,
basic_stateful_stateless/0,
basic_stateful_stateless/1,
basic_stateless_stateful/0,
@@ -78,7 +78,9 @@
early_data_basic/0,
early_data_basic/1,
early_data_basic_auth/0,
- early_data_basic_auth/1]).
+ early_data_basic_auth/1,
+ stateless_multiple_servers/0,
+ stateless_multiple_servers/1]).
-include("tls_handshake.hrl").
@@ -98,13 +100,13 @@ all() ->
groups() ->
[{'tlsv1.3', [], [{group, stateful},
{group, stateless},
+ {group, stateful_with_cert},
+ {group, stateless_with_cert},
{group, mixed}]},
{stateful, [], session_tests()},
- {stateless, [], session_tests() ++
- [ticketage_smaller_than_windowsize_anti_replay,
- ticketage_bigger_than_windowsize_anti_replay,
- ticketage_out_of_lifetime_anti_replay, ticket_reuse_anti_replay,
- ticket_reuse_anti_replay_server_restart]},
+ {stateless, [], session_tests() ++ anti_replay_tests()},
+ {stateful_with_cert, [], session_tests()},
+ {stateless_with_cert, [], session_tests() ++ anti_replay_tests()},
{mixed, [], mixed_tests()}].
session_tests() ->
@@ -121,6 +123,16 @@ session_tests() ->
early_data_basic,
early_data_basic_auth].
+anti_replay_tests() ->
+ [
+ ticketage_smaller_than_windowsize_anti_replay,
+ ticketage_bigger_than_windowsize_anti_replay,
+ ticketage_out_of_lifetime_anti_replay, ticket_reuse_anti_replay,
+ ticket_reuse_anti_replay_server_restart,
+ ticket_reuse_anti_replay_server_restart_reused_seed,
+ stateless_multiple_servers
+ ].
+
mixed_tests() ->
[
basic_stateful_stateless,
@@ -145,10 +157,12 @@ end_per_suite(_Config) ->
ssl:stop(),
application:stop(crypto).
-init_per_group(stateful, Config) ->
- [{server_ticket_mode, stateful} | proplists:delete(server_ticket_mode, Config)];
-init_per_group(stateless, Config) ->
- [{server_ticket_mode, stateless} | proplists:delete(server_ticket_mode, Config)];
+init_per_group(GroupName, Config)
+ when GroupName == stateful
+ orelse GroupName == stateless
+ orelse GroupName == stateful_with_cert
+ orelse GroupName == stateless_with_cert ->
+ [{server_ticket_mode, GroupName} | proplists:delete(server_ticket_mode, Config)];
init_per_group(GroupName, Config) ->
ssl_test_lib:init_per_group(GroupName, Config).
@@ -164,6 +178,7 @@ init_per_testcase(_, Config) ->
end_per_testcase(_TestCase, Config) ->
application:unset_env(ssl, server_session_ticket_max_early_data),
+ application:unset_env(ssl, server_session_ticket_lifetime),
Config.
%%--------------------------------------------------------------------
@@ -202,6 +217,15 @@ basic(Config) when is_list(Config) ->
{from, self()}, {options, ClientOpts}]),
ssl_test_lib:check_result(Server0, ok, Client0, ok),
+ Server0 ! get_socket,
+ SSocket0 =
+ receive
+ {Server0, {socket, Socket0}} ->
+ Socket0
+ end,
+
+ {ok, ClientCert} = ssl:peercert(SSocket0),
+
Server0 ! {listen, {mfa, {ssl_test_lib,
verify_active_session_resumption,
[true]}}},
@@ -220,6 +244,21 @@ basic(Config) when is_list(Config) ->
{from, self()}, {options, ClientOpts}]),
ssl_test_lib:check_result(Server0, ok, Client1, ok),
+ Server0 ! get_socket,
+ SSocket1 =
+ receive
+ {Server0, {socket, Socket1}} ->
+ Socket1
+ end,
+
+ ExpectedPeercert = case ServerTicketMode of
+ stateful_with_cert -> {ok, ClientCert};
+ stateless_with_cert -> {ok, ClientCert};
+ _ -> {error, no_peercert}
+ end,
+
+ ExpectedPeercert = ssl:peercert(SSocket1),
+
process_flag(trap_exit, false),
ssl_test_lib:close(Server0),
ssl_test_lib:close(Client1).
@@ -243,7 +282,7 @@ ticketage_smaller_than_windowsize_anti_replay(Config) when is_list(Config) ->
ticketage_bigger_than_windowsize_anti_replay() ->
[{doc, "Session resumption with stateless tickets and anti_replay enabled."
"Fresh ClientHellos."
- "Ticket age bigger than windowsize. 0-RTT is expected to fail."
+ "Ticket age bigger than windowsize. 0-RTT is expected to succeed."
"(Erlang client - Erlang server)"}].
ticketage_bigger_than_windowsize_anti_replay(Config) when is_list(Config) ->
WindowSize = 3,
@@ -252,10 +291,10 @@ ticketage_bigger_than_windowsize_anti_replay(Config) when is_list(Config) ->
ssl_test_lib:check_result(Server0, ok, Client0, ok),
Client1 = anti_replay_helper_connect(Server0, Client0, Port0, ClientNode,
Hostname, ClientOpts,
- {seconds, WindowSize + 2}, false),
+ {seconds, WindowSize + 2}, true),
Client2 = anti_replay_helper_connect(Server0, Client0, Port0, ClientNode,
Hostname, ClientOpts,
- {seconds, 2*WindowSize + 2}, false),
+ {seconds, 2*WindowSize + 2}, true),
process_flag(trap_exit, false),
[ssl_test_lib:close(A) || A <- [Server0, Client0, Client1, Client2]].
@@ -325,6 +364,36 @@ ticket_reuse_anti_replay_server_restart(Config) when is_list(Config) ->
process_flag(trap_exit, false),
[ssl_test_lib:close(A) || A <- [Server0, Client2, Server1]].
+ticket_reuse_anti_replay_server_restart_reused_seed() ->
+ [{doc, "Verify 2 connection attempts with same stateless tickets "
+ "and server restart between, with the server using the same session "
+ "ticket encryption seed between restarts. Second attempt is expected to "
+ "fail as long as the Bloom filter window overlaps with startup time."
+ }].
+ticket_reuse_anti_replay_server_restart_reused_seed(Config) when is_list(Config) ->
+ WindowSize = 10,
+ Seed = crypto:strong_rand_bytes(32),
+ Config1 = [{server_ticket_seed, Seed} | Config],
+ {Server1 , Port1} = anti_replay_helper_start_server(Config1, WindowSize),
+ {ClientNode, _ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+ ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
+ ClientOpts1 = [{session_tickets, manual},
+ {versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0],
+ Client1 = ssl_test_lib:start_client([{node, ClientNode},
+ {port, Port1}, {host, Hostname},
+ {mfa, {ssl_test_lib, %% full handshake
+ verify_active_session_resumption,
+ [false, wait_reply, {tickets, 1}]}},
+ {from, self()}, {options, ClientOpts1}]),
+ [Ticket] = ssl_test_lib:check_tickets(Client1),
+ ssl_test_lib:check_result(Server1, ok),
+ ClientOpts2 = [{use_ticket, [Ticket]} | ClientOpts1],
+ {Server2, Port2} = anti_replay_helper_start_server(Config1, WindowSize),
+ Client2 = anti_replay_helper_connect(Server2, Client1, Port2, ClientNode,
+ Hostname, ClientOpts2, 0, false, false),
+ process_flag(trap_exit, false),
+ [ssl_test_lib:close(A) || A <- [Server1, Client2, Server2]].
+
anti_replay_helper_init(Config, Mode, WindowSize) ->
DefaultLifetime = ssl_config:get_ticket_lifetime(),
anti_replay_helper_init(Config, Mode, WindowSize, DefaultLifetime).
@@ -360,9 +429,17 @@ anti_replay_helper_start_server(Config, WindowSize) ->
{_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),
ServerTicketMode = proplists:get_value(server_ticket_mode, Config),
+ ServerTicketSeed =
+ case proplists:get_value(server_ticket_seed, Config) of
+ undefined ->
+ [];
+ Seed ->
+ [{stateless_tickets_seed, Seed}]
+ end,
ServerOpts = [{session_tickets, ServerTicketMode},
{anti_replay, {WindowSize, 5, 72985}},
- {versions, ['tlsv1.2','tlsv1.3']}|ServerOpts0],
+ {versions, ['tlsv1.2','tlsv1.3']}|ServerOpts0
+ ] ++ ServerTicketSeed,
Server =
ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
@@ -1227,6 +1304,69 @@ early_data_basic_auth(Config) when is_list(Config) ->
ssl_test_lib:close(Server0),
ssl_test_lib:close(Client1).
+stateless_multiple_servers() ->
+ [{doc, "Test session resumption with session tickets, resuming on different server"}].
+stateless_multiple_servers(Config) when is_list(Config) ->
+ ClientOpts0 = ssl_test_lib:ssl_options(client_rsa_verify_opts, Config),
+ ServerOpts0 = ssl_test_lib:ssl_options(server_rsa_verify_opts, Config),
+ {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+ Seed = crypto:strong_rand_bytes(64),
+
+ %% Configure session tickets
+ ClientOpts = [{session_tickets, auto},
+ {versions, ['tlsv1.2','tlsv1.3']} | ClientOpts0],
+ ServerOpts = [{session_tickets, stateless},
+ {stateless_tickets_seed, Seed},
+ {versions, ['tlsv1.2','tlsv1.3']} | ServerOpts0],
+
+ Server0 =
+ ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib,
+ verify_active_session_resumption,
+ [false]}},
+ {options, ServerOpts}]),
+ Port0 = ssl_test_lib:inet_port(Server0),
+
+ Server1 =
+ ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+ {from, self()},
+ {mfa, {ssl_test_lib, %% Short handshake
+ verify_active_session_resumption,
+ [true]}},
+ {options, ServerOpts}]),
+ Port1 = ssl_test_lib:inet_port(Server1),
+
+ %% Store ticket from first connection to server 0
+ Client0 =
+ ssl_test_lib:start_client([{node, ClientNode},
+ {port, Port0}, {host, Hostname},
+ {mfa, {ssl_test_lib, %% Full handshake
+ verify_active_session_resumption,
+ [false]}},
+ {from, self()}, {options, ClientOpts}]),
+ ssl_test_lib:check_result(Server0, ok, Client0, ok),
+
+ %% Wait for session ticket
+ ct:sleep(100),
+
+ ssl_test_lib:close(Client0),
+
+ %% Use ticket when connecting to server 1
+ Client1 =
+ ssl_test_lib:start_client([{node, ClientNode},
+ {port, Port1}, {host, Hostname},
+ {mfa, {ssl_test_lib, %% Short handshake
+ verify_active_session_resumption,
+ [true]}},
+ {from, self()}, {options, ClientOpts}]),
+ ssl_test_lib:check_result(Server1, ok, Client1, ok),
+
+ process_flag(trap_exit, false),
+ ssl_test_lib:close(Server0),
+ ssl_test_lib:close(Server1),
+ ssl_test_lib:close(Client1).
%%--------------------------------------------------------------------
%% Internal functions ------------------------------------------------
View Lorry Controller Status