TLSv1.3 has a NewSessionTicket message, but it is *completely* different to
the TLSv1.2 one and may as well have been called something else. This commit
removes the old style NewSessionTicket from TLSv1.3. We will have to add the
new style one back in later.
Reviewed-by: Rich Salz <rsalz@openssl.org>
case TLS_ST_CR_SRVR_HELLO:
if (s->hit) {
case TLS_ST_CR_SRVR_HELLO:
if (s->hit) {
- if (s->tlsext_ticket_expected) {
- if (mt == SSL3_MT_NEWSESSION_TICKET) {
- st->hand_state = TLS_ST_CR_SESSION_TICKET;
- return 1;
- }
- } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+ if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
}
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
}
break;
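Review bot: After the ticket branch is dropped, the resumption path under `case TLS_ST_CR_SRVR_HELLO` (and the `case TLS_ST_CW_FINISHED` path in the next hunk) still waits for SSL3_MT_CHANGE_CIPHER_SPEC and moves to TLS_ST_CR_CHANGE, yet TLSv1.3 does not use ChangeCipherSpec, so if this is the TLSv1.3 read-transition function the remaining transition is an interim placeholder rather than the final state machine. The commit message says the new-style NewSessionTicket will be added later, but nothing in the code records that, so a reader of this switch cannot tell the CCS transition is temporary. I'd put `/* TODO(TLS1.3): TLSv1.3 has no CCS; replace with the new-style NewSessionTicket transition */` above the remaining `if (mt == SSL3_MT_CHANGE_CIPHER_SPEC)` in the `s->hit` branch, matching the TODO(TLS1.3) markers used elsewhere in this commit. The enclosing function starts and ends outside the hunk.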
case TLS_ST_CW_FINISHED:
break;
case TLS_ST_CW_FINISHED:
- if (s->tlsext_ticket_expected) {
- if (mt == SSL3_MT_NEWSESSION_TICKET) {
- st->hand_state = TLS_ST_CR_SESSION_TICKET;
- return 1;
- }
- } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
- st->hand_state = TLS_ST_CR_CHANGE;
- return 1;
- }
- break;
-
- case TLS_ST_CR_SESSION_TICKET:
if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
case TLS_ST_SW_SRVR_HELLO:
if (s->hit)
case TLS_ST_SW_SRVR_HELLO:
if (s->hit)
- st->hand_state = s->tlsext_ticket_expected
- ? TLS_ST_SW_SESSION_TICKET : TLS_ST_SW_CHANGE;
+ st->hand_state = TLS_ST_SW_CHANGE;
else
st->hand_state = TLS_ST_SW_CERT;
else
st->hand_state = TLS_ST_SW_CERT;
ossl_statem_set_in_init(s, 0);
return WRITE_TRAN_CONTINUE;
}
ossl_statem_set_in_init(s, 0);
return WRITE_TRAN_CONTINUE;
}
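Review bot: The server side mirrors the client issue: `st->hand_state = TLS_ST_SW_CHANGE;` is now the unconditional resumption transition here, in the hunk that replaces the `tlsext_ticket_expected ? TLS_ST_SW_SESSION_TICKET : TLS_ST_SW_CHANGE` conditional, and in the hunk that deletes `case TLS_ST_SW_SESSION_TICKET`, so if this is the TLSv1.3 write-transition function the server will emit a ChangeCipherSpec that TLSv1.3 does not define. That may be intended as a stop-gap until the new NewSessionTicket lands, but the code does not say so. I'd add `/* TODO(TLS1.3): CCS is a stop-gap; TLSv1.3 sends NewSessionTicket after Finished instead */` next to the first `st->hand_state = TLS_ST_SW_CHANGE;` so the follow-up work is findable with grep. The enclosing function starts and ends outside the hunk.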
+ st->hand_state = TLS_ST_SW_CHANGE;
- st->hand_state = s->tlsext_ticket_expected ? TLS_ST_SW_SESSION_TICKET
- : TLS_ST_SW_CHANGE;
return WRITE_TRAN_CONTINUE;
return WRITE_TRAN_CONTINUE;
- case TLS_ST_SW_SESSION_TICKET:
- st->hand_state = TLS_ST_SW_CHANGE;
- return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_CHANGE:
st->hand_state = TLS_ST_SW_FINISHED;
case TLS_ST_SW_CHANGE:
st->hand_state = TLS_ST_SW_FINISHED;
static int tls_use_ticket(SSL *s)
{
static int tls_use_ticket(SSL *s)
{
- if (s->options & SSL_OP_NO_TICKET)
+ if (s->options & SSL_OP_NO_TICKET || SSL_IS_TLS13(s))
return 0;
return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
return 0;
return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
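Review bot: `if (s->options & SSL_OP_NO_TICKET || SSL_IS_TLS13(s))` relies on `&` binding tighter than `||`, which is correct but is exactly the precedence that -Wparentheses warns about and that readers most often misjudge; write it as `if ((s->options & SSL_OP_NO_TICKET) || SSL_IS_TLS13(s))`. Since this function is now the single gate that disables RFC 5077 tickets for TLSv1.3 (the later comment about "not supported by the protocol version" depends on it), a one-line comment above the check, `/* TLSv1.3 does not use RFC 5077 session tickets; its NewSessionTicket is not implemented yet */`, would make that dependency explicit. Note that `SSL_IS_TLS13(s)` presumably reads the negotiated version, so callers that run before version negotiation completes would see the TLSv1.2 answer — worth confirming for the ClientHello path.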
}
}
#endif /* OPENSSL_NO_EC */
}
}
#endif /* OPENSSL_NO_EC */
- else if (currext->type == TLSEXT_TYPE_session_ticket) {
+ else if (currext->type == TLSEXT_TYPE_session_ticket
+ && !SSL_IS_TLS13(s)) {
if (s->tls_session_ticket_ext_cb &&
!s->tls_session_ticket_ext_cb(s,
PACKET_data(&currext->data),
if (s->tls_session_ticket_ext_cb &&
!s->tls_session_ticket_ext_cb(s,
PACKET_data(&currext->data),
s->tlsext_ticket_expected = 0;
/*
s->tlsext_ticket_expected = 0;
/*
- * If tickets disabled behave as if no ticket present to permit stateful
+ * If tickets disabled or not supported by the protocol version
+ * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
* resumption.
*/
if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
* resumption.
*/
if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
for (; currtest < TOTAL_NUM_TESTS; currtest++) {
testresult = 0;
ctx = SSL_CTX_new(TLS_method());
for (; currtest < TOTAL_NUM_TESTS; currtest++) {
testresult = 0;
ctx = SSL_CTX_new(TLS_method());
+
+ /*
+ * This test is testing session tickets for <= TLS1.2. It isn't relevant
+ * for TLS1.3
+ */
+ if (ctx == NULL || !SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
+ goto end;
+
+ if (con == NULL)
+ goto end;
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());
+ if (rbio == NULL || wbio == NULL) {
+ BIO_free(rbio);
+ BIO_free(wbio);
+ goto end;
+ }
+
SSL_set_bio(con, rbio, wbio);
SSL_set_connect_state(con);
SSL_set_bio(con, rbio, wbio);
SSL_set_connect_state(con);
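Review bot: The new comment "This test is testing session tickets for <= TLS1.2. It isn't relevant for TLS1.3" pins the test to TLSv1.2 without leaving a marker that a TLSv1.3 variant is still needed, whereas the .conf.in change in this same commit uses a `TODO(TLS1.3)` line for the identical situation. I'd make the two consistent: `/* TODO(TLS1.3): add a TLSv1.3 variant once new-style NewSessionTicket exists */` after the existing comment. The `if (con == NULL) goto end;` check sits after a `con = SSL_new(ctx)` that is not visible in the hunk, and the `end:` cleanup is also outside it, so I am assuming `end:` frees `con` and `ctx` and tolerates NULL for both. The BIO cleanup block itself is correct (`BIO_free(NULL)` is a no-op), and the enclosing loop starts and ends outside the hunk.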
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
-plan skip_all => "$test_name needs TLS enabled"
- if alldisabled(available_protocols("tls"));
+plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled"
+ if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
#Test 1: By default with no existing session we should get a session ticket
#Expected result: ClientHello extension seen; ServerHello extension seen
# NewSessionTicket message seen; Full handshake
#Test 1: By default with no existing session we should get a session ticket
#Expected result: ClientHello extension seen; ServerHello extension seen
# NewSessionTicket message seen; Full handshake
+$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 10;
checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 10;
checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
#Expected result: ClientHello extension seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
#Expected result: ClientHello extension seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
+$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_ticket");
$proxy->start();
checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
$proxy->serverflags("-no_ticket");
$proxy->start();
checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
#Expected result: ClientHello extension not seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
#Expected result: ClientHello extension not seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
-$proxy->clientflags("-no_ticket");
+$proxy->clientflags("-no_tls1_3 -no_ticket");
$proxy->start();
checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
$proxy->start();
checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
clearall();
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
clearall();
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
-$proxy->clientflags("-sess_out ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->start();
$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
unlink $session;
$proxy->clientstart();
checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
unlink $session;
clearall();
(undef, $session) = tempfile();
$proxy->serverconnects(2);
clearall();
(undef, $session) = tempfile();
$proxy->serverconnects(2);
-$proxy->clientflags("-sess_out ".$session." -no_ticket");
+$proxy->clientflags("-no_tls1_3 -sess_out ".$session." -no_ticket");
$proxy->start();
$proxy->clearClient();
$proxy->start();
$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption with ticket capable client without a "
."ticket", 1, 1, 1, 0);
$proxy->clientstart();
checkmessages(5, "Session resumption with ticket capable client without a "
."ticket", 1, 1, 1, 0);
# NewSessionTicket message seen; Full handshake.
clearall();
$proxy->filter(\&ticket_filter);
# NewSessionTicket message seen; Full handshake.
clearall();
$proxy->filter(\&ticket_filter);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
$proxy->start();
checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
(undef, $session) = tempfile();
$proxy->serverconnects(3);
$proxy->filter(undef);
(undef, $session) = tempfile();
$proxy->serverconnects(3);
$proxy->filter(undef);
-$proxy->clientflags("-sess_out ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
$proxy->start();
$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session." -sess_out ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session." -sess_out ".$session);
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension seen;
# NewSessionTicket message seen; Abbreviated handshake.
checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
clearclient();
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension seen;
# NewSessionTicket message seen; Abbreviated handshake.
checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
clearclient();
-$proxy->clientflags("-sess_in ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->filter(undef);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension not seen;
$proxy->filter(undef);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension not seen;
#NewSessionTicket
#Expected result: Connection failure
clearall();
#NewSessionTicket
#Expected result: Connection failure
clearall();
+$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_ticket_extension_filter);
$proxy->start();
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_ticket_extension_filter);
$proxy->start();
#NewSessionTicket
#Expected result: Connection failure
clearall();
#NewSessionTicket
#Expected result: Connection failure
clearall();
+$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->start();
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->start();
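Review bot: `$proxy->clientflags("-no_tls1_3")` is now prepended by hand in every test in this file (tests 1 through 9, including the `-sess_in`/`-sess_out` variants), which is easy to get wrong when the next test is added and already produced a different shape in test 3 where it is spliced into `"-no_tls1_3 -no_ticket"`. Since every test in the recipe needs it, the flag would be better applied in one place — for instance inside `clearall()`, which each test already calls, if that helper resets clientflags (its body is not in the hunk, so please confirm). A short comment at the top of the tests, `# All tests force -no_tls1_3: this recipe covers RFC 5077 tickets, which TLSv1.3 does not use`, would also save a future reader from removing the flag as redundant. The inner parentheses in `alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"))` are redundant in Perl and can be dropped.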
[0-sni-session-ticket-client]
CipherString = DEFAULT
[0-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[1-sni-session-ticket-client]
CipherString = DEFAULT
[1-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[2-sni-session-ticket-client]
CipherString = DEFAULT
[2-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[3-sni-session-ticket-client]
CipherString = DEFAULT
[3-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[4-sni-session-ticket-client]
CipherString = DEFAULT
[4-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[5-sni-session-ticket-client]
CipherString = DEFAULT
[5-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[6-sni-session-ticket-client]
CipherString = DEFAULT
[6-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[7-sni-session-ticket-client]
CipherString = DEFAULT
[7-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[8-sni-session-ticket-client]
CipherString = DEFAULT
[8-sni-session-ticket-client]
CipherString = DEFAULT
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[9-sni-session-ticket-client]
CipherString = DEFAULT
[9-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[10-sni-session-ticket-client]
CipherString = DEFAULT
[10-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[11-sni-session-ticket-client]
CipherString = DEFAULT
[11-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[12-sni-session-ticket-client]
CipherString = DEFAULT
[12-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[13-sni-session-ticket-client]
CipherString = DEFAULT
[13-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[14-sni-session-ticket-client]
CipherString = DEFAULT
[14-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[15-sni-session-ticket-client]
CipherString = DEFAULT
[15-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[16-sni-session-ticket-client]
CipherString = DEFAULT
[16-sni-session-ticket-client]
CipherString = DEFAULT
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
# https://www.openssl.org/source/license.html
# https://www.openssl.org/source/license.html
-## Test version negotiation
+## Test SNI/Session tickets
use strict;
use warnings;
use strict;
use warnings;
+#Note: MaxProtocol is set to TLSv1.2 as session tickets work differently in
+#TLSv1.3.
+#TODO(TLS1.3): Implement TLSv1.3 style session tickets
sub generate_tests() {
foreach my $c ("SessionTicket", "-SessionTicket") {
sub generate_tests() {
foreach my $c ("SessionTicket", "-SessionTicket") {
- foreach my $s1 ("SessionTicket", "-SessionTicket") {
- foreach my $s2 ("SessionTicket", "-SessionTicket") {
- foreach my $n ("server1", "server2") {
- my $result = expected_result($c, $s1, $s2, $n);
+ foreach my $s1 ("SessionTicket", "-SessionTicket") {
+ foreach my $s2 ("SessionTicket", "-SessionTicket") {
+ foreach my $n ("server1", "server2") {
+ my $result = expected_result($c, $s1, $s2, $n);
push @tests, {
"name" => "sni-session-ticket",
"client" => {
push @tests, {
"name" => "sni-session-ticket",
"client" => {
"extra" => {
"ServerName" => $n,
},
"extra" => {
"ServerName" => $n,
},
+ "MaxProtocol" => "TLSv1.2"
},
"server" => {
"Options" => $s1,
},
"server" => {
"Options" => $s1,
"ServerNameCallback" => "IgnoreMismatch",
},
},
"ServerNameCallback" => "IgnoreMismatch",
},
},
- "server2" => {
- "Options" => $s2,
- },
+ "server2" => {
+ "Options" => $s2,
+ },
"test" => {
"ExpectedServerName" => $n,
"ExpectedResult" => "Success",
"test" => {
"ExpectedServerName" => $n,
"ExpectedResult" => "Success",
- "SessionTicketExpected" => $result,
+ "SessionTicketExpected" => $result,
push @tests, {
"name" => "sni-session-ticket",
"client" => {
push @tests, {
"name" => "sni-session-ticket",
"client" => {
- "Options" => "SessionTicket",
+ "MaxProtocol" => "TLSv1.2",
+ "Options" => "SessionTicket",
"extra" => {
"ServerName" => "server1",
}
},
"server" => {
"extra" => {
"ServerName" => "server1",
}
},
"server" => {
- "Options" => "SessionTicket",
+ "Options" => "SessionTicket",
"extra" => {
"BrokenSessionTicket" => "Yes",
},
},
"server2" => {
"extra" => {
"BrokenSessionTicket" => "Yes",
},
},
"server2" => {
- "Options" => "SessionTicket",
+ "Options" => "SessionTicket",
- "ExpectedResult" => "Success",
- "SessionTicketExpected" => "No",
+ "ExpectedResult" => "Success",
+ "SessionTicketExpected" => "No",