openssl/test
Todd Short 5c753de668 Fix session ticket and SNI
When session tickets are used, it's possible that SNI might switch the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transitions to writing the ticket, and
the client responds with an error as it's not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-06-09 13:07:51 -04:00
certs Add some accessor API's 2016-06-08 11:37:06 -04:00
ct
d2i-tests
ocsp-tests
recipes Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
smime-certs Add final(?) set of copyrights. 2016-06-01 11:27:25 -04:00
ssl-tests Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
testlib/OpenSSL tests: fix the shutting up of the shell 2016-06-06 15:51:35 +02:00
aborttest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
afalgtest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
asynciotest.c Add an async io test 2016-05-20 14:39:45 +01:00
asynctest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
bftest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
bioprinttest.c Silence some "may be uninitialized when used" warning 2016-05-27 14:59:47 +01:00
bntest.c Add a BN_mod_word test() 2016-06-07 21:55:31 +01:00
build.info Add some accessor API's 2016-06-08 11:37:06 -04:00
CAss.cnf
CAssdh.cnf
CAssdsa.cnf
CAssrsa.cnf
casttest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
CAtsa.cnf
cipherlist_test.c Replace cipherlist test 2016-05-11 18:59:46 +02:00
clienthellotest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
cms-examples.pl
constant_time_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ct_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
d2i_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
danetest.c Add checks on CRYPTO_set_ex_data return value 2016-05-23 13:43:31 +01:00
danetest.in Add final(?) set of copyrights. 2016-06-01 11:27:25 -04:00
danetest.pem
destest.c RT4337: Crash in DES 2016-06-01 09:28:53 -04:00
dhtest.c Deprecate the flags that switch off constant time 2016-06-06 11:09:06 +01:00
dsatest.c Deprecate the flags that switch off constant time 2016-06-06 11:09:06 +01:00
dtlsv1listentest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ecdhtest_cavs.h Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ecdhtest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ecdsatest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ectest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
enginetest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
evp_extra_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
evp_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
evptests.txt Add final(?) set of copyrights. 2016-06-01 11:27:25 -04:00
exdatatest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
exptest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
generate_buildtest.pl Generate simple build test files 2016-06-04 01:22:08 +02:00
generate_ssl_tests.pl Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
getsettest.c Add an SSL get/set test 2016-06-07 17:05:52 +01:00
gmdifftest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
handshake_helper.c Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
handshake_helper.h Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
heartbeat_test.c Simplify SSL BIO buffering logic 2016-05-20 14:11:11 +01:00
hmactest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ideatest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
igetest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
md2test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
md4test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
md5test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
mdc2test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
memleaktest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
methtest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
nptest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
p5_crpt2_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
P1ss.cnf
P2ss.cnf
packettest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
pbelutest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
pkcs7-1.pem
pkcs7.pem
pkits-test.pl
r160test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
randtest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
rc2test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
rc4test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
rc5test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
README
README.ssltest.md Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
rmdtest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
rsa_test.c Deprecate the flags that switch off constant time 2016-06-06 11:09:06 +01:00
run_tests.pl perl: use the 'if' module to conditionally load File::Glob 2016-05-30 11:55:46 +02:00
secmemtest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
serverinfo.pem
sha1test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
sha256t.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
sha512t.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
smcont.txt
srptest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
ssl_test_ctx_test.c Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
ssl_test_ctx_test.conf Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
ssl_test_ctx.c Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
ssl_test_ctx.h Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
ssl_test.c Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
ssl_test.tmpl Fix session ticket and SNI 2016-06-09 13:07:51 -04:00
ssltest_old.c Fixes to get -ansi working 2016-06-08 20:18:04 +01:00
Sssdsa.cnf
Sssrsa.cnf
test.cnf
testcrl.pem
testdsa.pem
testdsapub.pem
testec-p256.pem
testecpub-p256.pem
testp7.pem
testreq2.pem
testrsa.pem
testrsapub.pem
testsid.pem
testutil.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
testutil.h Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
testx509.pem
threadstest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
Uss.cnf
v3-cert1.pem
v3-cert2.pem
v3ext.c Add some accessor API's 2016-06-08 11:37:06 -04:00
v3nametest.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
verify_extra_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
wp_test.c Copyright consolidation 02/10 2016-05-17 14:20:27 -04:00
x509aux.c

How to add recipes
==================

For any test that you want to perform, you write a script located in
test/recipes/, named {nn}-test_{name}.t, where {nn} is a two digit number and
{name} is a unique name of your choice.

Please note that if a test involves a new testing executable, you will need to
do some additions in test/Makefile.  More on this later.


Naming conventions
==================

A test executable is named test/{name}test.c

A test recipe is named test/recipes/{nn}-test_{name}.t, where {nn} is a two
digit number and {name} is a unique name of your choice.

The number {nn} is (somewhat loosely) grouped as follows:

05  individual symmetric cipher algorithms
10  math (bignum)
15  individual asymmetric cipher algorithms
20  openssl enc
25  certificate forms, generation and verification
30  engine and evp
70  PACKET layer
80  "larger" protocols (CA, CMS, OCSP, SSL, TSA)
90  misc


A recipe that just runs a test executable
=========================================

A script that just runs a program looks like this:

    #! /usr/bin/perl
    
    use OpenSSL::Test::Simple;
    
    simple_test("test_{name}", "{name}test", "{name}");

{name} is the unique name you have chosen for your test.

The second argument to `simple_test' is the test executable, and `simple_test'
expects it to be located in test/

For documentation on OpenSSL::Test::Simple, do
`perldoc test/testlib/OpenSSL/Test/Simple.pm'.


A recipe that runs a more complex test
======================================

For more complex tests, you will need to read up on Test::More and
OpenSSL::Test.  Test::More is normally preinstalled, do `man Test::More' for
documentation.  For OpenSSL::Test, do `perldoc test/testlib/OpenSSL/Test.pm'.

A script to start from could be this:

    #! /usr/bin/perl
    
    use strict;
    use warnings;
    use OpenSSL::Test;
    
    setup("test_{name}");
    
    plan tests => 2;                # The number of tests being performed
    
    ok(test1(), "test1");           # call with () so strict accepts the forward reference
    ok(test2(), "test2");
    
    sub test1
    {
        # test feature 1
    }
    
    sub test2
    {
        # test feature 2
    }
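
The skeleton above, filled in as an added example (not a recipe from the OpenSSL tree). It uses `run`, `app`, `test` and `srctop_file` from OpenSSL::Test; the names `example`, `exampletest` and the two input files are hypothetical placeholders.

```perl
#! /usr/bin/perl
# Added example recipe.  "example", "exampletest" and the input file
# names are hypothetical; substitute your own test's names.

use strict;
use warnings;
use OpenSSL::Test qw/:DEFAULT srctop_file/;

setup("test_example");

# Hypothetical input files located in test/, one sub-test per file.
my @inputs = qw(example-good.cnf example-empty.cnf);

# One sanity check plus one check per input file.
plan tests => 1 + scalar @inputs;

# app() wraps a program from apps/; run() executes the command and
# returns true when it exits with status 0.
ok(run(app(["openssl", "version"])), "openssl app runs");

# test() wraps a program from test/; srctop_file() builds a path
# relative to the top of the source tree.
foreach my $input (@inputs) {
    ok(run(test(["exampletest", srctop_file("test", $input)])),
       "exampletest accepts $input");
}
```

Keeping `plan tests` computed from the input list means a file added to `@inputs` cannot be silently skipped by a stale test count.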
    

Changes to test/Makefile
========================

Whenever a new test involves a new test executable you need to do the
following (at all times, replace {NAME} and {name} with the name of your
test):

* among the variables for test executables at the beginning, add a line like
  this:

    {NAME}TEST= {name}test

* add `$({NAME}TEST)$(EXE_EXT)' to the assignment of EXE:

* add `$({NAME}TEST).o' to the assignment of OBJ:

* add `$({NAME}TEST).c' to the assignment of SRC:

* add the following lines for building the executable:

    $({NAME}TEST)$(EXE_EXT): $({NAME}TEST).o $(DLIBCRYPTO)
           @target=$({NAME}TEST); $(BUILD_CMD)