author | Daiki Ueno <dueno@redhat.com> | 2018-04-17 13:32:18 +0200 |
---|---|---|
committer | Daiki Ueno <dueno@redhat.com> | 2018-05-07 13:03:24 +0200 |
commit | 2e53b43de8180aea67a9e20f9b2ced4ac9eb2dbb (patch) | |
tree | ddf0cbf04aa425bb15268a54424b4cfe2d3ecd10 | |
parent | 220ed0691a493e8ced608a5d77b54c358afba6f0 (diff) | |
download | gnutls-tmp-session-resumption-tls13-openssl-interop.tar.gz |
tests: exercise TLS 1.3 session resumptiontmp-session-resumption-tls13-openssl-interop
This requires a few changes to the resume.c test: because
NewSessionTicket is a post-handshake message,
gnutls_session_get_data2() needs to be called after sending the first
application data. Also, when gnutls_record_recv() returns GNUTLS_E_AGAIN, it
needs to be retried.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
-rw-r--r-- | tests/Makefile.am | 11 | ||||
-rw-r--r-- | tests/resume.c | 38 | ||||
-rw-r--r-- | tests/scripts/common.sh | 11 | ||||
-rwxr-xr-x | tests/suite/testcompat-tls13-openssl.sh | 38 |
4 files changed, 79 insertions, 19 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 27560204d7..704c43e023 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -256,6 +256,14 @@ tls12_resume_x509_CFLAGS = -DUSE_X509 -DTLS12 tls12_resume_x509_SOURCES = resume.c tls12_resume_x509_LDADD = $(LDADD) ../gl/libgnu.la +tls13_resume_psk_CFLAGS = -DUSE_PSK -DTLS13 +tls13_resume_psk_SOURCES = resume.c +tls13_resume_psk_LDADD = $(LDADD) ../gl/libgnu.la + +tls13_resume_x509_CFLAGS = -DUSE_X509 -DTLS13 +tls13_resume_x509_SOURCES = resume.c +tls13_resume_x509_LDADD = $(LDADD) ../gl/libgnu.la + dtls_repro_20170915_SOURCES = dtls-repro-20170915.c common-cert-key-exchange.c cert-repro-20170915.h dtls12_cert_key_exchange_SOURCES = common-cert-key-exchange.c dtls12-cert-key-exchange.c common-cert-key-exchange.h dtls10_cert_key_exchange_SOURCES = common-cert-key-exchange.c dtls10-cert-key-exchange.c common-cert-key-exchange.h @@ -347,7 +355,8 @@ endif if HAVE_FORK ctests += x509self x509dn anonself pskself dhepskself \ - setcredcrash tls12-resume-x509 tls12-resume-psk tls12-resume-anon + setcredcrash tls12-resume-x509 tls12-resume-psk tls12-resume-anon \ + tls13-resume-x509 tls13-resume-psk endif gc_CPPFLAGS = $(AM_CPPFLAGS) \ diff --git a/tests/resume.c b/tests/resume.c index cc46e294ef..11073721b3 100644 --- a/tests/resume.c +++ b/tests/resume.c @@ -83,6 +83,7 @@ struct params_res { pid_t child; struct params_res resume_tests[] = { +#ifndef TLS13 {.desc = "try to resume from db", .enable_db = 1, .enable_session_ticket_server = 0, @@ -114,6 +115,7 @@ struct params_res resume_tests[] = { .expect_resume = 0, .first_no_ext_master = 1, .second_no_ext_master = 0}, +#endif {.desc = "try to resume from session ticket", .enable_db = 0, .enable_session_ticket_server = 1, 
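Review bot: The `#ifndef TLS13` inserted before the "try to resume from db" entry of resume_tests[] (closed by the `#endif` after the ext-master-secret entry, and repeated by the pair in the hunks at -125 and -169 on the next line) drops those cases from the TLS 1.3 builds without saying why. A one-line comment on the first guard would spare the next reader a search, e.g. `/* TLS 1.3 builds skip the db-backed and ext-master-secret cases; only ticket resumption is exercised */` — I am inferring the reason from which entries survive, so confirm it matches the intent. The resume_tests[] initializer starts and ends outside these hunks; the Makefile.am hunks only register the two new binaries.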
@@ -125,6 +127,7 @@ struct params_res resume_tests[] = { .enable_session_ticket_client = 1, .try_resumed_data = 1, .expect_resume = 1}, +#ifndef TLS13 {.desc = "try to resume from session ticket (ext master secret -> none)", .enable_db = 0, .enable_session_ticket_server = 1, @@ -169,6 +172,7 @@ struct params_res resume_tests[] = { .enable_db = 1, .try_sni = 1, .expect_resume = 1}, +#endif {.desc = "try to resume with ticket and same SNI", .enable_session_ticket_server = 1, .enable_session_ticket_client = 1, @@ -288,6 +292,9 @@ static void verify_group(gnutls_session_t session, gnutls_group_t *group, unsign #ifdef TLS12 # define VERS_STR "+VERS-TLS1.2" #endif +#ifdef TLS13 +# define VERS_STR "-VERS-ALL:+VERS-TLS1.3" +#endif static void client(int sds[], struct params_res *params) { @@ -412,24 +419,7 @@ static void client(int sds[], struct params_res *params) ext_master_secret_check = 0; if (t == 0) { ext_master_secret_check = gnutls_session_ext_master_secret_status(session); - - /* get the session data size */ - ret = - gnutls_session_get_data2(session, - &session_data); - if (ret < 0) - fail("Getting resume data failed\n"); - } else { /* the second time we connect */ - if (params->try_resumed_data) { - gnutls_free(session_data.data); - ret = - gnutls_session_get_data2(session, - &session_data); - if (ret < 0) - fail("Getting resume data failed\n"); - } - /* check if we actually resumed the previous session */ if (gnutls_session_is_resumed(session) != 0) { if (params->expect_resume) { @@ -454,7 +444,9 @@ static void client(int sds[], struct params_res *params) gnutls_record_send(session, MSG, strlen(MSG)); - ret = gnutls_record_recv(session, buffer, MAX_BUF); + do { + ret = gnutls_record_recv(session, buffer, MAX_BUF); + } while (ret == GNUTLS_E_AGAIN); if (ret == 0) { if (debug) success 
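Review bot: The retry loop added around gnutls_record_recv() in the hunk at -454 re-issues the call only on GNUTLS_E_AGAIN, so GNUTLS_E_INTERRUPTED, the other non-fatal return, still falls through to the `ret == 0` / error handling below; the usual form is `} while (ret == GNUTLS_E_AGAIN || ret == GNUTLS_E_INTERRUPTED);`. The loop is also unbounded, which is fine for a test on a blocking socket but deserves a comment saying why the retry exists at all — per the commit message, the TLS 1.3 NewSessionTicket arrives as a post-handshake message and is consumed by the first receive — e.g. `/* TLS 1.3: a post-handshake NewSessionTicket may be processed first, yielding GNUTLS_E_AGAIN */`. The -412 hunk is a pure move of the gnutls_session_get_data2() calls to later in client(), which continues outside both hunks.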
@@ -473,6 +465,16 @@ static void client(int sds[], struct params_res *params) fputs("\n", stdout); } + if (t == 0 || params->try_resumed_data) { + gnutls_free(session_data.data); + /* get the session data size */ + ret = + gnutls_session_get_data2(session, + &session_data); + if (ret < 0) + fail("Getting resume data failed\n"); + } + gnutls_bye(session, GNUTLS_SHUT_RDWR); close(sd); diff --git a/tests/scripts/common.sh b/tests/scripts/common.sh index 4615770f6b..8662d93cf1 100644 --- a/tests/scripts/common.sh +++ b/tests/scripts/common.sh @@ -195,3 +195,14 @@ else LOCKFILE="lockfile global.lock" UNLOCKFILE="rm -f global.lock" fi + +create_testdir() { + local PREFIX=$1 + d=`mktemp -d -t ${PREFIX}.XXXXXX` + if test $? -ne 0; then + d=${TMPDIR}/${PREFIX}.$$ + mkdir "$d" || exit 1 + fi + trap "test -e \"$d\" && rm -rf \"$d\"" 1 15 2 + echo "$d" +} diff --git a/tests/suite/testcompat-tls13-openssl.sh b/tests/suite/testcompat-tls13-openssl.sh index b03e6a2111..4058da8f6a 100755 --- a/tests/suite/testcompat-tls13-openssl.sh +++ b/tests/suite/testcompat-tls13-openssl.sh 
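Review bot: The comment that moved with this block, `/* get the session data size */`, no longer describes it: the call stores the resumption data, and what a reader now needs is why it happens after the first application-data exchange rather than right after the handshake. Suggest `/* fetch the resumption data only after the first record exchange: in TLS 1.3 the NewSessionTicket is a post-handshake message */`, which is the reason given in the commit message. The `gnutls_free(session_data.data)` now also runs on the t == 0 pass, which is only safe if session_data is zero-initialised at its declaration outside the hunk — worth confirming. On the final iteration the data is fetched but never used, which is harmless. client() continues outside the hunk.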
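Review bot: The `trap` inside create_testdir() cannot protect its callers: the function is invoked as `testdir=\`create_testdir ...\`` in the testcompat script, which runs it in a command-substitution subshell, so the trap is discarded when the subshell exits and a test killed by a signal leaves the directory behind. Either register the cleanup in the caller after the assignment, or keep the function to creation only and say so in a comment above it. The fallback `d=${TMPDIR}/${PREFIX}.$$` also builds a path at the filesystem root when TMPDIR is unset; `d=${TMPDIR:-/tmp}/${PREFIX}.$$` is the usual form. `d` is not declared `local`, unlike PREFIX, which matters only if the function is ever called without the substitution.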
@@ -210,6 +210,23 @@ run_client_suite() { kill ${PID} wait + # Try resumption + echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..." + testdir=`create_testdir tls13-openssl-resumption` + eval "${GETPORT}" + launch_bare_server $$ s_server -quiet -www -accept "${PORT}" -keyform pem -certform pem ${OPENSSL_DH_PARAMS_OPT} -key "${RSA_KEY}" -cert "${RSA_CERT}" -CAfile "${CA_CERT}" + PID=$! + wait_server ${PID} + + # ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --x509cafile "${CA_CERT}" --inline-commands | tee "${testdir}/client.out" >> ${OUTPUT} + { echo a; sleep 1; echo '^resume^'; } | \ + ${VALGRIND} "${CLI}" ${DEBUG} -p "${PORT}" 127.0.0.1 --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL${ADD}" --insecure --inline-commands | tee "${testdir}/client.out" >> ${OUTPUT} + grep '^\*\*\* This is a resumed session' "${testdir}/client.out" || \ + fail ${PID} "Failed" + + kill ${PID} + wait + rm -rf "$testdir" } @@ -375,6 +392,27 @@ run_server_suite() { wait done + # Try resumption + echo_cmd "${PREFIX}Checking TLS 1.3 with resumption..." + testdir=`create_testdir tls13-openssl-resumption` + eval "${GETPORT}" + launch_server $$ --priority "NORMAL:-VERS-ALL:+VERS-TLS1.3${ADD}" --x509certfile "${RSA_CERT}" --x509keyfile "${RSA_KEY}" --x509cafile "${CA_CERT}" >>${OUTPUT} 2>&1 + PID=$! + wait_server ${PID} + + { echo a; sleep 1; } | \ + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_out "${testdir}/sess.pem" 2>&1 | grep "\:error\:" && \ + fail ${PID} "Failed" + ${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null 2>&1 > "${testdir}/server.out" + grep "\:error\:" "${testdir}/server.out" && \ + fail ${PID} "Failed" + grep "^Reused, TLSv1.3" "${testdir}/server.out" || \ + fail ${PID} "Failed" + + kill ${PID} + wait + rm -rf "$testdir" + } run_server_suite |
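Review bot: The live client command in the hunk at -210 passes `--insecure`, while the commented-out line directly above shows the same invocation with `--x509cafile "${CA_CERT}"`; with verification disabled, an interop check cannot tell a properly verified resumed session from one whose certificate would have been rejected. Either the commented line should replace the live one, or it should be deleted and the live one annotated with why verification must be off here. Separately, `fail ${PID} "Failed"` on the grep miss runs before `rm -rf "$testdir"`, and since fail presumably exits (as elsewhere in the suite) a failing run leaves the temp directory behind — the trap set inside create_testdir() does not survive its command substitution. run_client_suite() starts outside the hunk.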
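Review bot: In the hunk at -375 the second s_client invocation redirects `2>&1 > "${testdir}/server.out"`, which sends stderr to the script's stdout and only stdout to the file, so the following `grep "\:error\:" "${testdir}/server.out"` cannot see OpenSSL's `:error:` lines, which it prints on stderr; the first invocation in the same hunk gets the order right with `2>&1 |`. Write it as `${OPENSSL_CLI} s_client -host localhost -port "${PORT}" -CAfile "${CA_CERT}" -sess_in "${testdir}/sess.pem" </dev/null > "${testdir}/server.out" 2>&1`. The same temp-directory cleanup remark as for the client hunk applies to the `fail` calls here. run_server_suite() starts outside the hunk.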