yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Add test case use of mbedtls_ssl_ticket_rotate

Browse source 
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This commit is contained in:
Glenn Strauss 2022-02-03 17:23:24 -05:00
parent a950938ff0
commit e328245618
2 changed files with 43 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
programs/ssl/ssl_server2.c
View file

@ -119,6 +119,7 @@ int main( void )
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
#define DFL_TRUNC_HMAC -1
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
#define DFL_TICKET_ROTATE 0
#define DFL_TICKET_TIMEOUT 86400
#define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM
#define DFL_CACHE_MAX -1
@ -286,6 +287,7 @@ int main( void )
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
#define USAGE_TICKETS \
" tickets=%%d default: 1 (enabled)\n" \
" ticket_rotate=%%d default: 0 (disabled)\n" \
" ticket_timeout=%%d default: 86400 (one day)\n" \
" ticket_aead=%%s default: \"AES-256-GCM\"\n"
#else
@ -613,6 +615,7 @@ struct options
unsigned char mfl_code; /* code for maximum fragment length */
int trunc_hmac; /* accept truncated hmac? */
int tickets; /* enable / disable session tickets */
int ticket_rotate; /* session ticket rotate (code coverage) */
int ticket_timeout; /* session ticket lifetime */
int ticket_aead; /* session ticket protection */
int cache_max; /* max number of session cache entries */
@ -1542,6 +1545,7 @@ int main( int argc, char *argv[] )
opt.mfl_code = DFL_MFL_CODE;
opt.trunc_hmac = DFL_TRUNC_HMAC;
opt.tickets = DFL_TICKETS;
opt.ticket_rotate = DFL_TICKET_ROTATE;
opt.ticket_timeout = DFL_TICKET_TIMEOUT;
opt.ticket_aead = DFL_TICKET_AEAD;
opt.cache_max = DFL_CACHE_MAX;
@ -1915,6 +1919,12 @@ int main( int argc, char *argv[] )
if( opt.tickets < 0 || opt.tickets > 1 )
goto usage;
}
else if( strcmp( p, "ticket_rotate" ) == 0 )
{
opt.ticket_rotate = atoi( q );
if( opt.ticket_rotate < 0 || opt.ticket_rotate > 1 )
goto usage;
}
else if( strcmp( p, "ticket_timeout" ) == 0 )
{
opt.ticket_timeout = atoi( q );
@ -2737,6 +2747,24 @@ int main( int argc, char *argv[] )
mbedtls_ssl_ticket_write,
mbedtls_ssl_ticket_parse,
&ticket_ctx );
/* exercise manual ticket rotation (not required for typical use)
* (used for external synchronization of session ticket encryption keys)
*/
if( opt.ticket_rotate ) {
#define MAX_KEY_BYTES 32 /* 256 bits *//* library/ssl_ticket.c */
unsigned char kbuf[MAX_KEY_BYTES];
unsigned char name[4]; /* match mbedtls_ssl_ticket_key name[4] */
if( ( ret = rng_get( &rng, name, sizeof( name ) ) ) != 0 ||
( ret = rng_get( &rng, kbuf, sizeof( kbuf ) ) ) != 0 ||
( ret = mbedtls_ssl_ticket_rotate( &ticket_ctx,
name, sizeof(name), kbuf, sizeof(kbuf),
opt.ticket_timeout ) ) != 0 )
{
mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_rotate returned %d\n\n", ret );
goto exit;
}
}
}
#endif

15
tests/ssl-opt.sh
View file

@ -2707,6 +2707,21 @@ run_test "Session resume using tickets: basic" \
-s "a session has been resumed" \
-c "a session has been resumed"
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
run_test "Session resume using tickets: manual rotation" \
"$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \
"$P_CLI debug_level=3 tickets=1 reconnect=1" \
0 \
-c "client hello, adding session ticket extension" \
-s "found session ticket extension" \
-s "server hello, adding session ticket extension" \
-c "found session_ticket extension" \
-c "parse new session ticket" \
-S "session successfully restored from cache" \
-s "session successfully restored from ticket" \
-s "a session has been resumed" \
-c "a session has been resumed"
run_test "Session resume using tickets: cache disabled" \
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
"$P_CLI debug_level=3 tickets=1 reconnect=1" \