From ddcc5e5b60e2e14a7f65cc8faff0642cb68f4343 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Thu, 13 Aug 2015 15:17:14 +0100 Subject: [PATCH] Add NewSessionTicket test suite Add a set of tests for checking that NewSessionTicket messages are behaving as expected. Reviewed-by: Tim Hudson --- test/Makefile | 8 +- test/sslsessionticktest.pl | 173 +++++++++++++++++++++++++++++++++++ util/TLSProxy/ClientHello.pm | 3 +- util/TLSProxy/Proxy.pm | 64 +++++++++++-- 4 files changed, 240 insertions(+), 8 deletions(-) create mode 100755 test/sslsessionticktest.pl diff --git a/test/Makefile b/test/Makefile index b59613c68e..782a34b404 100644 --- a/test/Makefile +++ b/test/Makefile @@ -73,6 +73,7 @@ CLIENTHELLOTEST= clienthellotest PACKETTEST= packettest SSLVERTOLTEST= sslvertoltest.pl SSLEXTENSIONTEST= sslextensiontest.pl +SSLSESSIONTICKTEST= sslsessionticktest.pl SSLSKEWITH0PTEST= sslskewith0ptest.pl TESTS= alltests @@ -160,7 +161,7 @@ alltests: \ test_srp test_cms test_v3name test_ocsp \ test_gost2814789 test_heartbeat test_p5_crpt2 \ test_constant_time test_verify_extra test_clienthello test_packet \ - test_sslvertol test_sslextension test_sslskewith0p + test_sslvertol test_sslextension test_sslsessionticket test_sslskewith0p test_evp: $(EVPTEST)$(EXE_EXT) evptests.txt @echo $(START) $@ @@ -432,6 +433,11 @@ test_sslextension: ../apps/openssl$(EXE_EXT) [ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLEXTENSIONTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem @[ -n "$(SHARED_LIBS)" ] || echo test_sslextension can only be performed with OpenSSL configured shared +test_sslsessionticket: ../apps/openssl$(EXE_EXT) + @echo $(START) $@ + [ -z "$(SHARED_LIBS)" ] || PERL5LIB=$$PERL5LIB:../util OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh ./$(SSLSESSIONTICKTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem + @[ -n "$(SHARED_LIBS)" ] || echo test_sslsessionticket can only be performed with OpenSSL configured shared + test_sslskewith0p: ../apps/openssl$(EXE_EXT) @echo $(START) $@ [ -z "$(SHARED_LIBS)" ] || OPENSSL_ENGINES=../engines ../util/shlib_wrap.sh $(PERL) -I../util -w ./$(SSLSKEWITH0PTEST) "OPENSSL_ia32cap='~0x200000200000000' ../apps/openssl$(EXE_EXT)" ../apps/server.pem diff --git a/test/sslsessionticktest.pl b/test/sslsessionticktest.pl new file mode 100755 index 0000000000..922a3595f4 --- /dev/null +++ b/test/sslsessionticktest.pl @@ -0,0 +1,173 @@ +#!/usr/bin/perl +# Written by Matt Caswell for the OpenSSL project. +# ==================================================================== +# Copyright (c) 1998-2015 The OpenSSL Project. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in +# the documentation and/or other materials provided with the +# distribution. +# +# 3. All advertising materials mentioning features or use of this +# software must display the following acknowledgment: +# "This product includes software developed by the OpenSSL Project +# for use in the OpenSSL Toolkit. (http://www.openssl.org/)" +# +# 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to +# endorse or promote products derived from this software without +# prior written permission. For written permission, please contact +# openssl-core@openssl.org. +# +# 5. Products derived from this software may not be called "OpenSSL" +# nor may "OpenSSL" appear in their names without prior written +# permission of the OpenSSL Project. +# +# 6. Redistributions of any form whatsoever must retain the following +# acknowledgment: +# "This product includes software developed by the OpenSSL Project +# for use in the OpenSSL Toolkit (http://www.openssl.org/)" +# +# THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY +# EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE +# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR +# PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR +# ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, +# SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; +# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) +# HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, +# STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) +# ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED +# OF THE POSSIBILITY OF SUCH DAMAGE. +# ==================================================================== +# +# This product includes cryptographic software written by Eric Young +# (eay@cryptsoft.com). This product includes software written by Tim +# Hudson (tjh@cryptsoft.com). + +use strict; +use TLSProxy::Proxy; +use File::Temp qw(tempfile); + +my $chellotickext = 0; +my $shellotickext = 0; +my $fullhand = 0; +my $ticketseen = 0; + +my $proxy = TLSProxy::Proxy->new( + undef, + @ARGV +); + +#Test 1: By default with no existing session we should get a session ticket +#Expected result: ClientHello extension seen; ServerHello extension seen +# NewSessionTicket message seen; Full handshake +$proxy->start(); +checkmessages(1, "Default session ticket test", 1, 1, 1, 1); + +#Test 2: If the server does not accept tickets we should get a normal handshake +#with no session tickets +#Expected result: ClientHello extension seen; ServerHello extension not seen +# NewSessionTicket message not seen; Full handshake +clearall(); +$proxy->serverflags("-no_ticket"); +$proxy->start(); +checkmessages(2, "No server support session ticket test", 1, 0, 0, 1); + +#Test 3: If the client does not accept tickets we should get a normal handshake +#with no session tickets +#Expected result: ClientHello extension not seen; ServerHello extension not seen +# NewSessionTicket message not seen; Full handshake +clearall(); +$proxy->clientflags("-no_ticket"); +$proxy->start(); +checkmessages(3, "No client support session ticket test", 0, 0, 0, 1); + +#Test 4: Test session resumption with session ticket +#Expected result: ClientHello extension seen; ServerHello extension not seen +# NewSessionTicket message not seen; Abbreviated handshake +clearall(); +(my $fh, my $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session); +$proxy->start(); +$proxy->clear(); +$proxy->clientflags("-sess_in ".$session); +$proxy->clientstart(); +checkmessages(4, "Session resumption session ticket test", 1, 0, 0, 0); + +#Test 5: Test session resumption with ticket capable client without a ticket +#Expected result: ClientHello extension seen; ServerHello extension seen +# NewSessionTicket message seen; Abbreviated handshake +clearall(); +(my $fh, my $session) = tempfile(); +$proxy->serverconnects(2); +$proxy->clientflags("-sess_out ".$session." -no_ticket"); +$proxy->start(); +$proxy->clear(); +$proxy->clientflags("-sess_in ".$session); +$proxy->clientstart(); +checkmessages(5, "Session resumption with ticket capable client without a " + ."ticket", 1, 1, 1, 0); + +sub checkmessages() +{ + my ($testno, $testname, $testch, $testsh, $testtickseen, $testhand) = @_; + + foreach my $message (@{$proxy->message_list}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO + || $message->mt == TLSProxy::Message::MT_SERVER_HELLO) { + #Get the extensions data + my %extensions = %{$message->extension_data}; + if (defined + $extensions{TLSProxy::ClientHello::EXT_SESSION_TICKET}) { + if ($message->mt == TLSProxy::Message::MT_CLIENT_HELLO) { + $chellotickext = 1; + } else { + $shellotickext = 1; + } + } + } elsif ($message->mt == TLSProxy::Message::MT_CLIENT_KEY_EXCHANGE) { + #Must be doing a full handshake + $fullhand = 1; + } elsif ($message->mt == TLSProxy::Message::MT_NEW_SESSION_TICKET) { + $ticketseen = 1; + } + } + + TLSProxy::Message->success or die "FAILED: $testname: Hanshake failed " + ."(Test $testno)\n"; + if (($testch && !$chellotickext) || (!$testch && $chellotickext)) { + die "FAILED: $testname: ClientHello extension Session Ticket check " + ."failed (Test $testno)\n"; + } + if (($testsh && !$shellotickext) || (!$testsh && $shellotickext)) { + die "FAILED: $testname: ServerHello extension Session Ticket check " + ."failed (Test $testno)\n"; + } + if (($testtickseen && !$ticketseen) || (!$testtickseen && $ticketseen)) { + die "FAILED: $testname: Session Ticket message presence check failed " + ."(Test $testno)\n"; + } + if (($testhand && !$fullhand) || (!$testhand && $fullhand)) { + die "FAILED: $testname: Session Ticket full handshake check failed " + ."(Test $testno)\n"; + } + print "SUCCESS: $testname (Test#$testno)\n"; +} + +sub clearall() +{ + $chellotickext = 0; + $shellotickext = 0; + $fullhand = 0; + $ticketseen = 0; + $proxy->clear(); +} diff --git a/util/TLSProxy/ClientHello.pm b/util/TLSProxy/ClientHello.pm index 54fb5bb0d0..0b7dbbcdd6 100644 --- a/util/TLSProxy/ClientHello.pm +++ b/util/TLSProxy/ClientHello.pm @@ -58,7 +58,8 @@ package TLSProxy::ClientHello; use parent 'TLSProxy::Message'; use constant { - EXT_ENCRYPT_THEN_MAC => 22 + EXT_ENCRYPT_THEN_MAC => 22, + EXT_SESSION_TICKET => 35 }; sub new diff --git a/util/TLSProxy/Proxy.pm b/util/TLSProxy/Proxy.pm index af6c8ddaaf..75094f1a44 100644 --- a/util/TLSProxy/Proxy.pm +++ b/util/TLSProxy/Proxy.pm @@ -79,13 +79,16 @@ sub new server_addr => "localhost", server_port => 4443, filter => $filter, + serverflags => "", + clientflags => "", + serverconnects => 1, #Public read execute => $execute, cert => $cert, debug => $debug, - cipherc => "AES128-SHA", - ciphers => "", + cipherc => "", + ciphers => "AES128-SHA", flight => 0, record_list => [], message_list => [], @@ -101,12 +104,15 @@ sub clear { my $self = shift; - $self->{cipherc} = "AES128-SHA"; - $self->{ciphers} = ""; + $self->{cipherc} = ""; + $self->{ciphers} = "AES128-SHA"; $self->{flight} = 0; $self->{record_list} = []; $self->{message_list} = []; $self->{message_rec_list} = []; + $self->{serverflags} = ""; + $self->{clientflags} = ""; + $self->{serverconnects} = 1; TLSProxy::Message->clear(); TLSProxy::Record->clear(); @@ -120,6 +126,14 @@ sub restart $self->start; } +sub clientrestart +{ + my $self = shift; + + $self->clear; + $self->clientstart; +} + sub start { my ($self) = shift; @@ -132,13 +146,22 @@ sub start open(STDERR, ">&STDOUT"); my $execcmd = $self->execute." s_server -rev -engine ossltest -accept " .($self->server_port) - ." -cert ".$self->cert." -naccept 1"; + ." -cert ".$self->cert." -naccept ".$self->serverconnects; if ($self->ciphers ne "") { $execcmd .= " -cipher ".$self->ciphers; } + if ($self->serverflags ne "") { + $execcmd .= " ".$self->serverflags; + } exec($execcmd); } + $self->clientstart; +} + +sub clientstart +{ + my ($self) = shift; my $oldstdout; if(!$self->debug) { @@ -173,6 +196,9 @@ sub start if ($self->cipherc ne "") { $execcmd .= " -cipher ".$self->cipherc; } + if ($self->clientflags ne "") { + $execcmd .= " ".$self->clientflags; + } exec($execcmd); } } @@ -274,7 +300,9 @@ sub process_packet print "\n"; #Finished parsing. Call user provided filter here - $self->filter->($self); + if(defined $self->filter) { + $self->filter->($self); + } #Reconstruct the packet $packet = ""; @@ -392,4 +420,28 @@ sub ciphers } return $self->{ciphers}; } +sub serverflags +{ + my $self = shift; + if (@_) { + $self->{serverflags} = shift; + } + return $self->{serverflags}; +} +sub clientflags +{ + my $self = shift; + if (@_) { + $self->{clientflags} = shift; + } + return $self->{clientflags}; +} +sub serverconnects +{ + my $self = shift; + if (@_) { + $self->{serverconnects} = shift; + } + return $self->{serverconnects}; +} 1; -- 2.25.1