Add test case use of mbedtls_ssl_ticket_rotate
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
This commit is contained in:
Glenn Strauss
parent
a950938ff0
commit
e328245618
2 changed files with 43 additions and 0 deletions
|
|
@ -119,6 +119,7 @@ int main( void )
|
||||||
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
|
#define DFL_MFL_CODE MBEDTLS_SSL_MAX_FRAG_LEN_NONE
|
||||||
#define DFL_TRUNC_HMAC -1
|
#define DFL_TRUNC_HMAC -1
|
||||||
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
|
#define DFL_TICKETS MBEDTLS_SSL_SESSION_TICKETS_ENABLED
|
||||||
|
#define DFL_TICKET_ROTATE 0
|
||||||
#define DFL_TICKET_TIMEOUT 86400
|
#define DFL_TICKET_TIMEOUT 86400
|
||||||
#define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM
|
#define DFL_TICKET_AEAD MBEDTLS_CIPHER_AES_256_GCM
|
||||||
#define DFL_CACHE_MAX -1
|
#define DFL_CACHE_MAX -1
|
||||||
|
|
@ -286,6 +287,7 @@ int main( void )
|
||||||
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
#if defined(MBEDTLS_SSL_SESSION_TICKETS)
|
||||||
#define USAGE_TICKETS \
|
#define USAGE_TICKETS \
|
||||||
" tickets=%%d default: 1 (enabled)\n" \
|
" tickets=%%d default: 1 (enabled)\n" \
|
||||||
|
" ticket_rotate=%%d default: 0 (disabled)\n" \
|
||||||
" ticket_timeout=%%d default: 86400 (one day)\n" \
|
" ticket_timeout=%%d default: 86400 (one day)\n" \
|
||||||
" ticket_aead=%%s default: \"AES-256-GCM\"\n"
|
" ticket_aead=%%s default: \"AES-256-GCM\"\n"
|
||||||
#else
|
#else
|
||||||
|
|
@ -613,6 +615,7 @@ struct options
|
||||||
unsigned char mfl_code; /* code for maximum fragment length */
|
unsigned char mfl_code; /* code for maximum fragment length */
|
||||||
int trunc_hmac; /* accept truncated hmac? */
|
int trunc_hmac; /* accept truncated hmac? */
|
||||||
int tickets; /* enable / disable session tickets */
|
int tickets; /* enable / disable session tickets */
|
||||||
|
int ticket_rotate; /* session ticket rotate (code coverage) */
|
||||||
int ticket_timeout; /* session ticket lifetime */
|
int ticket_timeout; /* session ticket lifetime */
|
||||||
int ticket_aead; /* session ticket protection */
|
int ticket_aead; /* session ticket protection */
|
||||||
int cache_max; /* max number of session cache entries */
|
int cache_max; /* max number of session cache entries */
|
||||||
|
|
@ -1542,6 +1545,7 @@ int main( int argc, char *argv[] )
|
||||||
opt.mfl_code = DFL_MFL_CODE;
|
opt.mfl_code = DFL_MFL_CODE;
|
||||||
opt.trunc_hmac = DFL_TRUNC_HMAC;
|
opt.trunc_hmac = DFL_TRUNC_HMAC;
|
||||||
opt.tickets = DFL_TICKETS;
|
opt.tickets = DFL_TICKETS;
|
||||||
|
opt.ticket_rotate = DFL_TICKET_ROTATE;
|
||||||
opt.ticket_timeout = DFL_TICKET_TIMEOUT;
|
opt.ticket_timeout = DFL_TICKET_TIMEOUT;
|
||||||
opt.ticket_aead = DFL_TICKET_AEAD;
|
opt.ticket_aead = DFL_TICKET_AEAD;
|
||||||
opt.cache_max = DFL_CACHE_MAX;
|
opt.cache_max = DFL_CACHE_MAX;
|
||||||
|
|
@ -1915,6 +1919,12 @@ int main( int argc, char *argv[] )
|
||||||
if( opt.tickets < 0 || opt.tickets > 1 )
|
if( opt.tickets < 0 || opt.tickets > 1 )
|
||||||
goto usage;
|
goto usage;
|
||||||
}
|
}
|
||||||
|
else if( strcmp( p, "ticket_rotate" ) == 0 )
|
||||||
|
{
|
||||||
|
opt.ticket_rotate = atoi( q );
|
||||||
|
if( opt.ticket_rotate < 0 || opt.ticket_rotate > 1 )
|
||||||
|
goto usage;
|
||||||
|
}
|
||||||
else if( strcmp( p, "ticket_timeout" ) == 0 )
|
else if( strcmp( p, "ticket_timeout" ) == 0 )
|
||||||
{
|
{
|
||||||
opt.ticket_timeout = atoi( q );
|
opt.ticket_timeout = atoi( q );
|
||||||
|
|
@ -2737,6 +2747,24 @@ int main( int argc, char *argv[] )
|
||||||
mbedtls_ssl_ticket_write,
|
mbedtls_ssl_ticket_write,
|
||||||
mbedtls_ssl_ticket_parse,
|
mbedtls_ssl_ticket_parse,
|
||||||
&ticket_ctx );
|
&ticket_ctx );
|
||||||
|
|
||||||
|
/* exercise manual ticket rotation (not required for typical use)
|
||||||
|
* (used for external synchronization of session ticket encryption keys)
|
||||||
|
*/
|
||||||
|
if( opt.ticket_rotate ) {
|
||||||
|
#define MAX_KEY_BYTES 32 /* 256 bits *//* library/ssl_ticket.c */
|
||||||
|
unsigned char kbuf[MAX_KEY_BYTES];
|
||||||
|
unsigned char name[4]; /* match mbedtls_ssl_ticket_key name[4] */
|
||||||
|
if( ( ret = rng_get( &rng, name, sizeof( name ) ) ) != 0 ||
|
||||||
|
( ret = rng_get( &rng, kbuf, sizeof( kbuf ) ) ) != 0 ||
|
||||||
|
( ret = mbedtls_ssl_ticket_rotate( &ticket_ctx,
|
||||||
|
name, sizeof(name), kbuf, sizeof(kbuf),
|
||||||
|
opt.ticket_timeout ) ) != 0 )
|
||||||
|
{
|
||||||
|
mbedtls_printf( " failed\n ! mbedtls_ssl_ticket_rotate returned %d\n\n", ret );
|
||||||
|
goto exit;
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -2707,6 +2707,21 @@ run_test "Session resume using tickets: basic" \
|
||||||
-s "a session has been resumed" \
|
-s "a session has been resumed" \
|
||||||
-c "a session has been resumed"
|
-c "a session has been resumed"
|
||||||
|
|
||||||
|
requires_config_disabled MBEDTLS_USE_PSA_CRYPTO
|
||||||
|
run_test "Session resume using tickets: manual rotation" \
|
||||||
|
"$P_SRV debug_level=3 tickets=1 ticket_rotate=1" \
|
||||||
|
"$P_CLI debug_level=3 tickets=1 reconnect=1" \
|
||||||
|
0 \
|
||||||
|
-c "client hello, adding session ticket extension" \
|
||||||
|
-s "found session ticket extension" \
|
||||||
|
-s "server hello, adding session ticket extension" \
|
||||||
|
-c "found session_ticket extension" \
|
||||||
|
-c "parse new session ticket" \
|
||||||
|
-S "session successfully restored from cache" \
|
||||||
|
-s "session successfully restored from ticket" \
|
||||||
|
-s "a session has been resumed" \
|
||||||
|
-c "a session has been resumed"
|
||||||
|
|
||||||
run_test "Session resume using tickets: cache disabled" \
|
run_test "Session resume using tickets: cache disabled" \
|
||||||
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
|
"$P_SRV debug_level=3 tickets=1 cache_max=0" \
|
||||||
"$P_CLI debug_level=3 tickets=1 reconnect=1" \
|
"$P_CLI debug_level=3 tickets=1 reconnect=1" \
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue