File 0587-ssl-tls_server_session_ticket-unit-tests-a... of Package erlang

Overview Repositories Revisions Requests Users Attributes Meta

File 0587-ssl-tls_server_session_ticket-unit-tests-added.patch of Package erlang

From d20ca826087bbbdb54c198f4c520385570de312f Mon Sep 17 00:00:00 2001
From: Jakub Witczak <kuba@erlang.org>
Date: Fri, 9 Jul 2021 17:56:24 +0200
Subject: [PATCH] ssl: tls_server_session_ticket unit tests added

- test suite added
- enabled coverage verification
---
 lib/ssl/test/Makefile                         |   3 +-
 .../test/tls_server_session_ticket_SUITE.erl  | 209 ++++++++++++++++++
 2 files changed, 211 insertions(+), 1 deletion(-)
 create mode 100644 lib/ssl/test/tls_server_session_ticket_SUITE.erl

diff --git a/lib/ssl/test/Makefile b/lib/ssl/test/Makefile
index 4e81a761f6..e37fc04dee 100644
--- a/lib/ssl/test/Makefile
+++ b/lib/ssl/test/Makefile
@@ -94,7 +94,8 @@ MODULES = \
 	make_certs \
         x509_test \
 	inet_crypto_dist \
-	openssl_ocsp_SUITE
+	openssl_ocsp_SUITE \
+	tls_server_session_ticket_SUITE
 
 
 ERL_FILES = $(MODULES:%=%.erl)
diff --git a/lib/ssl/test/tls_server_session_ticket_SUITE.erl b/lib/ssl/test/tls_server_session_ticket_SUITE.erl
new file mode 100644
index 0000000000..7f45dee083
--- /dev/null
+++ b/lib/ssl/test/tls_server_session_ticket_SUITE.erl
@@ -0,0 +1,209 @@
+%%
+%% %CopyrightBegin%
+%%
+%% Copyright Ericsson AB 2010-2021. All Rights Reserved.
+%%
+%% Licensed under the Apache License, Version 2.0 (the "License");
+%% you may not use this file except in compliance with the License.
+%% You may obtain a copy of the License at
+%%
+%%     http://www.apache.org/licenses/LICENSE-2.0
+%%
+%% Unless required by applicable law or agreed to in writing, software
+%% distributed under the License is distributed on an "AS IS" BASIS,
+%% WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+%% See the License for the specific language governing permissions and
+%% limitations under the License.
+%%
+%% %CopyrightEnd%
+%%
+-module(tls_server_session_ticket_SUITE).
+-behaviour(ct_suite).
+
+-include_lib("common_test/include/ct.hrl").
+-include_lib("ssl/src/ssl_alert.hrl").
+-include_lib("ssl/src/ssl_cipher.hrl").
+-include_lib("ssl/src/ssl_internal.hrl").
+-include_lib("ssl/src/tls_handshake_1_3.hrl").
+
+%% Callback functions
+-export([all/0, groups/0, init_per_group/2, end_per_group/2,
+         init_per_testcase/2, end_per_testcase/2]).
+%% Testcases
+-export([expired_ticket_test/0,
+         expired_ticket_test/1,
+         invalid_ticket_test/0,
+         invalid_ticket_test/1,
+         main_test/0,
+         main_test/1,
+         misc_test/0,
+         misc_test/1]).
+
+-define(LIFETIME, 1). % tickets expire after 1s
+-define(TICKET_STORE_SIZE, 1).
+-define(MASTER_SECRET, "master_secret").
+-define(PRF, sha).
+-define(VERSION, {3,4}).
+-define(PSK, <<15,168,18,43,216,33,227,142,114,190,70,183,137,57,64,64,66,152,115,94>>).
+
+%%--------------------------------------------------------------------
+%% Common Test interface functions -----------------------------------
+%%--------------------------------------------------------------------
+all() ->
+    [{group, stateful}, {group, stateless}, {group, stateless_antireplay}].
+
+groups() ->
+    [{stateful, [], [main_test, expired_ticket_test, invalid_ticket_test]},
+     {stateless, [], [expired_ticket_test, invalid_ticket_test, main_test]},
+     {stateless_antireplay, [], [main_test, misc_test]}
+    ].
+
+init_per_group(stateless_antireplay, Config) ->
+    check_environment([{server_session_tickets, stateless},
+                       {anti_replay, {10, 20, 30}}]
+                      ++ Config);
+init_per_group(Group = stateless, Config) ->
+    check_environment([{server_session_tickets, Group} | Config]);
+init_per_group(Group = stateful, Config) ->
+    [{server_session_tickets, Group} | Config].
+
+end_per_group(_GroupName, Config) ->
+    Config.
+
+init_per_testcase(_TestCase, Config)  ->
+    {ok, Pid} = tls_server_session_ticket:start_link(
+                  ?config(server_session_tickets, Config), ?LIFETIME,
+                  ?TICKET_STORE_SIZE, _MaxEarlyDataSize = 100,
+                  ?config(anti_replay, Config)),
+    [{server_pid, Pid} | Config].
+
+end_per_testcase(_TestCase, Config) ->
+    Pid = ?config(server_pid, Config),
+    exit(Pid, normal),
+    Config.
+
+%%--------------------------------------------------------------------
+%% Test Cases --------------------------------------------------------
+%%--------------------------------------------------------------------
+main_test() ->
+    [{doc, "Ticket main scenario"}].
+main_test(Config) when is_list(Config) ->
+    Pid = ?config(server_pid, Config),
+    % Fill in GB tree store for stateful setup
+    tls_server_session_ticket:new(Pid, ?PRF, ?MASTER_SECRET),
+    % Reach ticket store size limit - force GB tree pruning
+    SessionTicket = #new_session_ticket{} =
+        tls_server_session_ticket:new(Pid, ?PRF, ?MASTER_SECRET),
+    {HandshakeHist, OferredPsks} = get_handshake_hist(SessionTicket, ?PSK),
+    AcceptResponse = {ok, {0, ?PSK}},
+    AcceptResponse = tls_server_session_ticket:use(Pid, OferredPsks, ?PRF,
+                                      [iolist_to_binary(HandshakeHist)]),
+    % check replay attempt result
+    ExpReplyResult = get_replay_expected_result(Config, AcceptResponse),
+    ExpReplyResult = tls_server_session_ticket:use(Pid, OferredPsks, ?PRF,
+                                      [iolist_to_binary(HandshakeHist)]),
+    true = is_process_alive(Pid).
+
+invalid_ticket_test() ->
+    [{doc, "Verify invalid tickets handling"}].
+invalid_ticket_test(Config) when is_list(Config) ->
+    Pid = ?config(server_pid, Config),
+    #new_session_ticket{ticket=Ticket} =
+        tls_server_session_ticket:new(Pid, ?PRF, ?MASTER_SECRET),
+    Ids = [#psk_identity{identity = <<"wrongidentity">>,
+                         obfuscated_ticket_age = 0},
+           #psk_identity{identity = Ticket,
+                         obfuscated_ticket_age = 0}],
+    OfferedPSKs = #offered_psks{identities = Ids,
+                                binders = [<<"wrongbinder">>, <<"wrongbinder">>]},
+    HandshakeHist = tls_handshake:encode_handshake(
+                      get_client_hello(OfferedPSKs), ?VERSION),
+    ExpectedReason = get_alert_reason(Config),
+    {error, #alert{level = ?FATAL,
+                   description = ?ILLEGAL_PARAMETER,
+                   role = undefined,
+                   reason = ExpectedReason}} =
+        tls_server_session_ticket:use(Pid, OfferedPSKs, ?PRF,
+                                      [iolist_to_binary(HandshakeHist)]),
+    true = is_process_alive(Pid).
+
+expired_ticket_test() ->
+    [{doc, "Expired ticket scenario"}].
+expired_ticket_test(Config) when is_list(Config) ->
+    Pid = ?config(server_pid, Config),
+    SessionTicket = tls_server_session_ticket:new(Pid, ?PRF, ?MASTER_SECRET),
+    {HandshakeHist, OFPSKs} = get_handshake_hist(SessionTicket, ?PSK),
+    ct:sleep({seconds, 2 * ?LIFETIME}),
+    {ok, undefined} = tls_server_session_ticket:use(Pid, OFPSKs, ?PRF,
+                                      [iolist_to_binary(HandshakeHist)]),
+    true = is_process_alive(Pid).
+
+misc_test() ->
+    [{doc, "Miscellaneous functionality"}].
+misc_test(Config) when is_list(Config) ->
+    Pid = ?config(server_pid, Config),
+    ok = gen_server:cast(Pid, some_request),
+    Pid ! rotate_bloom_filters,
+    Pid ! general_handle_info,
+    {ok, state} = tls_server_session_ticket:code_change(old_version, state, extra),
+    Pid = tls_server_session_ticket:format_status(not_relevant, Pid),
+    true = is_process_alive(Pid).
+
+%%--------------------------------------------------------------------
+%% Helpers -----------------------------------------------------------
+%%--------------------------------------------------------------------
+get_handshake_hist(#new_session_ticket{ticket=Ticket} = T, PSK0) ->
+    Ids = [#psk_identity{identity = Ticket, obfuscated_ticket_age = 100}],
+    SomeBinder = <<159, 187, 86, 6, 55, 20, 149, 208, 3, 221, 78, 126, 254, 101,
+                   123, 251, 151, 189, 17, 53>>,
+    OfferedPSKs0 = #offered_psks{identities = Ids, binders = [SomeBinder]},
+    Hello0 = get_client_hello(OfferedPSKs0),
+    M = #{cipher_suite => {nothing, ?PRF},
+          sni => nothing,
+          psk => PSK0,
+          timestamp => erlang:system_time(seconds),
+          ticket => T},
+    TicketData = tls_handshake_1_3:get_ticket_data(self(), manual, [M]),
+    Hello1 = tls_handshake_1_3:maybe_add_binders(Hello0, TicketData, ?VERSION),
+    PSK1 =  maps:get(pre_shared_key, Hello1#client_hello.extensions),
+    OfferedPSKs1 = PSK1#pre_shared_key_client_hello.offered_psks,
+    {tls_handshake:encode_handshake(Hello1, ?VERSION), OfferedPSKs1}.
+
+get_client_hello(OfferedPSKs) ->
+    PreSharedKey = #pre_shared_key_client_hello{offered_psks = OfferedPSKs},
+    Ext0 = ssl_handshake:empty_extensions(?VERSION, client_hello),
+    #client_hello{
+       client_version = ?VERSION,
+       random = <<1:256>>,
+       session_id = <<>>,
+       cipher_suites = [?TLS_AES_256_GCM_SHA384],
+       compression_methods = "",
+       extensions = Ext0#{pre_shared_key => PreSharedKey}}.
+
+get_replay_expected_result(Config, AcceptResponse) ->
+    case get_group(Config) of
+        stateless ->
+            % no protection - replayed ticket is accepted
+            AcceptResponse;
+        _ ->
+            {ok, undefined}
+    end.
+
+get_alert_reason(Config) ->
+    case get_group(Config) of
+        stateful ->
+            stateful;
+        _ ->
+            stateless
+    end.
+
+get_group(Config) ->
+    proplists:get_value(name, ?config(tc_group_properties, Config)).
+
+check_environment(T) ->
+    case ssl_test_lib:sufficient_crypto_support('tlsv1.3') of
+        true ->
+            T;
+        _ ->
+            {skip, insufficient_environment}
+    end.
-- 
2.26.2

Places

File 0587-ssl-tls_server_session_ticket-unit-tests-added.patch of Package erlang

Places