case TLS_ST_CR_SRVR_HELLO:
if (s->hit) {
- if (s->tlsext_ticket_expected) {
- if (mt == SSL3_MT_NEWSESSION_TICKET) {
- st->hand_state = TLS_ST_CR_SESSION_TICKET;
- return 1;
- }
- } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
+ if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
}
break;
case TLS_ST_CW_FINISHED:
- if (s->tlsext_ticket_expected) {
- if (mt == SSL3_MT_NEWSESSION_TICKET) {
- st->hand_state = TLS_ST_CR_SESSION_TICKET;
- return 1;
- }
- } else if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
- st->hand_state = TLS_ST_CR_CHANGE;
- return 1;
- }
- break;
-
- case TLS_ST_CR_SESSION_TICKET:
if (mt == SSL3_MT_CHANGE_CIPHER_SPEC) {
st->hand_state = TLS_ST_CR_CHANGE;
return 1;
case TLS_ST_SW_SRVR_HELLO:
if (s->hit)
- st->hand_state = s->tlsext_ticket_expected
- ? TLS_ST_SW_SESSION_TICKET : TLS_ST_SW_CHANGE;
+ st->hand_state = TLS_ST_SW_CHANGE;
else
st->hand_state = TLS_ST_SW_CERT;
ossl_statem_set_in_init(s, 0);
return WRITE_TRAN_CONTINUE;
}
+ st->hand_state = TLS_ST_SW_CHANGE;
- st->hand_state = s->tlsext_ticket_expected ? TLS_ST_SW_SESSION_TICKET
- : TLS_ST_SW_CHANGE;
return WRITE_TRAN_CONTINUE;
- case TLS_ST_SW_SESSION_TICKET:
- st->hand_state = TLS_ST_SW_CHANGE;
- return WRITE_TRAN_CONTINUE;
case TLS_ST_SW_CHANGE:
st->hand_state = TLS_ST_SW_FINISHED;
static int tls_use_ticket(SSL *s)
{
- if (s->options & SSL_OP_NO_TICKET)
+ if (s->options & SSL_OP_NO_TICKET || SSL_IS_TLS13(s))
return 0;
return ssl_security(s, SSL_SECOP_TICKET, 0, 0, NULL);
}
}
}
#endif /* OPENSSL_NO_EC */
- else if (currext->type == TLSEXT_TYPE_session_ticket) {
+ else if (currext->type == TLSEXT_TYPE_session_ticket
+ && !SSL_IS_TLS13(s)) {
if (s->tls_session_ticket_ext_cb &&
!s->tls_session_ticket_ext_cb(s,
PACKET_data(&currext->data),
s->tlsext_ticket_expected = 0;
/*
- * If tickets disabled behave as if no ticket present to permit stateful
+ * If tickets disabled or not supported by the protocol version
+ * (e.g. TLSv1.3) behave as if no ticket present to permit stateful
* resumption.
*/
if (s->version <= SSL3_VERSION || !tls_use_ticket(s))
for (; currtest < TOTAL_NUM_TESTS; currtest++) {
testresult = 0;
ctx = SSL_CTX_new(TLS_method());
+
+ /*
+ * This test is testing session tickets for <= TLS1.2. It isn't relevant
+ * for TLS1.3
+ */
+ if (ctx == NULL || !SSL_CTX_set_max_proto_version(ctx, TLS1_2_VERSION))
+ goto end;
+
con = SSL_new(ctx);
+ if (con == NULL)
+ goto end;
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());
+ if (rbio == NULL || wbio == NULL) {
+ BIO_free(rbio);
+ BIO_free(wbio);
+ goto end;
+ }
+
SSL_set_bio(con, rbio, wbio);
SSL_set_connect_state(con);
plan skip_all => "$test_name needs the sock feature enabled"
if disabled("sock");
-plan skip_all => "$test_name needs TLS enabled"
- if alldisabled(available_protocols("tls"));
+plan skip_all => "$test_name needs SSLv3, TLSv1, TLSv1.1 or TLSv1.2 enabled"
+ if alldisabled(("ssl3", "tls1", "tls1_1", "tls1_2"));
$ENV{OPENSSL_ia32cap} = '~0x200000200000000';
#Test 1: By default with no existing session we should get a session ticket
#Expected result: ClientHello extension seen; ServerHello extension seen
# NewSessionTicket message seen; Full handshake
+$proxy->clientflags("-no_tls1_3");
$proxy->start() or plan skip_all => "Unable to start up Proxy for tests";
plan tests => 10;
checkmessages(1, "Default session ticket test", 1, 1, 1, 1);
#Expected result: ClientHello extension seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
+$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_ticket");
$proxy->start();
checkmessages(2, "No server support session ticket test", 1, 0, 0, 1);
#Expected result: ClientHello extension not seen; ServerHello extension not seen
# NewSessionTicket message not seen; Full handshake
clearall();
-$proxy->clientflags("-no_ticket");
+$proxy->clientflags("-no_tls1_3 -no_ticket");
$proxy->start();
checkmessages(3, "No client support session ticket test", 0, 0, 0, 1);
clearall();
(undef, my $session) = tempfile();
$proxy->serverconnects(2);
-$proxy->clientflags("-sess_out ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0);
unlink $session;
clearall();
(undef, $session) = tempfile();
$proxy->serverconnects(2);
-$proxy->clientflags("-sess_out ".$session." -no_ticket");
+$proxy->clientflags("-no_tls1_3 -sess_out ".$session." -no_ticket");
$proxy->start();
$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->clientstart();
checkmessages(5, "Session resumption with ticket capable client without a "
."ticket", 1, 1, 1, 0);
# NewSessionTicket message seen; Full handshake.
clearall();
$proxy->filter(\&ticket_filter);
+$proxy->clientflags("-no_tls1_3");
$proxy->start();
checkmessages(6, "Empty ticket test", 1, 1, 1, 1);
(undef, $session) = tempfile();
$proxy->serverconnects(3);
$proxy->filter(undef);
-$proxy->clientflags("-sess_out ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_out ".$session);
$proxy->start();
$proxy->clearClient();
-$proxy->clientflags("-sess_in ".$session." -sess_out ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session." -sess_out ".$session);
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension seen;
# NewSessionTicket message seen; Abbreviated handshake.
checkmessages(7, "Empty ticket resumption test", 1, 1, 1, 0);
clearclient();
-$proxy->clientflags("-sess_in ".$session);
+$proxy->clientflags("-no_tls1_3 -sess_in ".$session);
$proxy->filter(undef);
$proxy->clientstart();
#Expected result: ClientHello extension seen; ServerHello extension not seen;
#NewSessionTicket
#Expected result: Connection failure
clearall();
+$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_ticket_extension_filter);
$proxy->start();
#NewSessionTicket
#Expected result: Connection failure
clearall();
+$proxy->clientflags("-no_tls1_3");
$proxy->serverflags("-no_ticket");
$proxy->filter(\&inject_empty_ticket_filter);
$proxy->start();
[0-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[1-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[2-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[3-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[4-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[5-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[6-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[7-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[8-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[9-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[10-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[11-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[12-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[13-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[14-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[15-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
[16-sni-session-ticket-client]
CipherString = DEFAULT
+MaxProtocol = TLSv1.2
Options = -SessionTicket
VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
VerifyMode = Peer
# https://www.openssl.org/source/license.html
-## Test version negotiation
+## Test SNI/Session tickets
use strict;
use warnings;
our @tests = ();
+#Note: MaxProtocol is set to TLSv1.2 as session tickets work differently in
+#TLSv1.3.
+#TODO(TLS1.3): Implement TLSv1.3 style session tickets
sub generate_tests() {
foreach my $c ("SessionTicket", "-SessionTicket") {
- foreach my $s1 ("SessionTicket", "-SessionTicket") {
- foreach my $s2 ("SessionTicket", "-SessionTicket") {
- foreach my $n ("server1", "server2") {
- my $result = expected_result($c, $s1, $s2, $n);
+ foreach my $s1 ("SessionTicket", "-SessionTicket") {
+ foreach my $s2 ("SessionTicket", "-SessionTicket") {
+ foreach my $n ("server1", "server2") {
+ my $result = expected_result($c, $s1, $s2, $n);
push @tests, {
"name" => "sni-session-ticket",
"client" => {
"extra" => {
"ServerName" => $n,
},
+ "MaxProtocol" => "TLSv1.2"
},
"server" => {
"Options" => $s1,
"ServerNameCallback" => "IgnoreMismatch",
},
},
- "server2" => {
- "Options" => $s2,
- },
+ "server2" => {
+ "Options" => $s2,
+ },
"test" => {
"ExpectedServerName" => $n,
"ExpectedResult" => "Success",
- "SessionTicketExpected" => $result,
+ "SessionTicketExpected" => $result,
}
};
}
push @tests, {
"name" => "sni-session-ticket",
"client" => {
- "Options" => "SessionTicket",
+ "MaxProtocol" => "TLSv1.2",
+ "Options" => "SessionTicket",
"extra" => {
"ServerName" => "server1",
}
},
"server" => {
- "Options" => "SessionTicket",
+ "Options" => "SessionTicket",
"extra" => {
"BrokenSessionTicket" => "Yes",
},
},
"server2" => {
- "Options" => "SessionTicket",
+ "Options" => "SessionTicket",
},
"test" => {
- "ExpectedResult" => "Success",
- "SessionTicketExpected" => "No",
+ "ExpectedResult" => "Success",
+ "SessionTicketExpected" => "No",
}
};
projects / openssl.git / commitdiff