From 6b84e6bf19f5afad338f22a1a6d71a75d2d95fbf Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Fri, 14 Jul 2017 12:23:56 +0100 Subject: [PATCH] Add a test for early_data when an HRR occurs Reviewed-by: Ben Kaduk (Merged from https://github.com/openssl/openssl/pull/3933) --- test/sslapitest.c | 57 ++++++++++++++++++++++++++++++++++++++--------- 1 file changed, 47 insertions(+), 10 deletions(-) diff --git a/test/sslapitest.c b/test/sslapitest.c index b77a229d7d..cd869e2dab 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1536,10 +1536,10 @@ static int test_early_data_read_write(int idx) } /* - * Test that a server attempting to read early data can handle a connection - * from a client where the early data is not acceptable. + * Helper function to test that a server attempting to read early data can + * handle a connection from a client where the early data should be skipped. */ -static int test_early_data_skip(int idx) +static int early_data_skip_helper(int hrr, int idx) { SSL_CTX *cctx = NULL, *sctx = NULL; SSL *clientssl = NULL, *serverssl = NULL; @@ -1552,13 +1552,19 @@ static int test_early_data_skip(int idx) &serverssl, &sess, idx))) goto end; - /* - * Deliberately corrupt the creation time. We take 20 seconds off the time. - * It could be any value as long as it is not within tolerance. This should - * mean the ticket is rejected. - */ - if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20))) - goto end; + if (hrr) { + /* Force an HRR to occur */ + if (!TEST_true(SSL_set1_groups_list(serverssl, "P-256"))) + goto end; + } else { + /* + * Deliberately corrupt the creation time. We take 20 seconds off the + * time. It could be any value as long as it is not within tolerance. + * This should mean the ticket is rejected. + */ + if (!TEST_true(SSL_SESSION_set_time(sess, time(NULL) - 20))) + goto end; + } /* Write some early data */ if (!TEST_true(SSL_write_early_data(clientssl, MSG1, strlen(MSG1), @@ -1575,6 +1581,18 @@ static int test_early_data_skip(int idx) SSL_EARLY_DATA_REJECTED)) goto end; + if (hrr) { + /* + * Finish off the handshake. We perform the same writes and reads as + * further down but we expect them to fail due to the incomplete + * handshake. + */ + if (!TEST_false(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) + || !TEST_false(SSL_read_ex(serverssl, buf, sizeof(buf), + &readbytes))) + goto end; + } + /* Should be able to send normal data despite rejection of early data */ if (!TEST_true(SSL_write_ex(clientssl, MSG2, strlen(MSG2), &written)) || !TEST_size_t_eq(written, strlen(MSG2)) @@ -1595,6 +1613,24 @@ static int test_early_data_skip(int idx) return testresult; } +/* + * Test that a server attempting to read early data can handle a connection + * from a client where the early data is not acceptable. + */ +static int test_early_data_skip(int idx) +{ + return early_data_skip_helper(0, idx); +} + +/* + * Test that a server attempting to read early data can handle a connection + * from a client where an HRR occurs. + */ +static int test_early_data_skip_hrr(int idx) +{ + return early_data_skip_helper(1, idx); +} + /* * Test that a server attempting to read early data can handle a connection * from a client that doesn't send any. @@ -2652,6 +2688,7 @@ int test_main(int argc, char *argv[]) #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_early_data_read_write, 2); ADD_ALL_TESTS(test_early_data_skip, 2); + ADD_ALL_TESTS(test_early_data_skip_hrr, 2); ADD_ALL_TESTS(test_early_data_not_sent, 2); ADD_ALL_TESTS(test_early_data_not_expected, 2); # ifndef OPENSSL_NO_TLS1_2 -- 2.25.1