mirror of
https://github.com/openssl/openssl.git
synced 2024-12-15 06:01:37 +08:00
5c753de668
When session tickets are used, it's possible that SNI might swtich the SSL_CTX on an SSL. Normally, this is not a problem, because the initial_ctx/session_ctx are used for all session ticket/id processes. However, when the SNI callback occurs, it's possible that the callback may update the options in the SSL from the SSL_CTX, and this could cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things can happen: 1. The session ticket TLSEXT may not be written when the ticket expected flag is set. The state machine transistions to writing the ticket, and the client responds with an error as its not expecting a ticket. 2. When creating the session ticket, if the ticket key cb returns 0 the crypto/hmac contexts are not initialized, and the code crashes when trying to encrypt the session ticket. To fix 1, if the ticket TLSEXT is not written out, clear the expected ticket flag. To fix 2, consider a return of 0 from the ticket key cb a recoverable error, and write a 0 length ticket and continue. The client-side code can explicitly handle this case. Fix these two cases, and add unit test code to validate ticket behavior. Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/1098) |
||
---|---|---|
.. | ||
certs | ||
ct | ||
d2i-tests | ||
ocsp-tests | ||
recipes | ||
smime-certs | ||
ssl-tests | ||
testlib/OpenSSL | ||
aborttest.c | ||
afalgtest.c | ||
asynciotest.c | ||
asynctest.c | ||
bftest.c | ||
bioprinttest.c | ||
bntest.c | ||
build.info | ||
CAss.cnf | ||
CAssdh.cnf | ||
CAssdsa.cnf | ||
CAssrsa.cnf | ||
casttest.c | ||
CAtsa.cnf | ||
cipherlist_test.c | ||
clienthellotest.c | ||
cms-examples.pl | ||
constant_time_test.c | ||
ct_test.c | ||
d2i_test.c | ||
danetest.c | ||
danetest.in | ||
danetest.pem | ||
destest.c | ||
dhtest.c | ||
dsatest.c | ||
dtlsv1listentest.c | ||
ecdhtest_cavs.h | ||
ecdhtest.c | ||
ecdsatest.c | ||
ectest.c | ||
enginetest.c | ||
evp_extra_test.c | ||
evp_test.c | ||
evptests.txt | ||
exdatatest.c | ||
exptest.c | ||
generate_buildtest.pl | ||
generate_ssl_tests.pl | ||
getsettest.c | ||
gmdifftest.c | ||
handshake_helper.c | ||
handshake_helper.h | ||
heartbeat_test.c | ||
hmactest.c | ||
ideatest.c | ||
igetest.c | ||
md2test.c | ||
md4test.c | ||
md5test.c | ||
mdc2test.c | ||
memleaktest.c | ||
methtest.c | ||
nptest.c | ||
p5_crpt2_test.c | ||
P1ss.cnf | ||
P2ss.cnf | ||
packettest.c | ||
pbelutest.c | ||
pkcs7-1.pem | ||
pkcs7.pem | ||
pkits-test.pl | ||
r160test.c | ||
randtest.c | ||
rc2test.c | ||
rc4test.c | ||
rc5test.c | ||
README | ||
README.ssltest.md | ||
rmdtest.c | ||
rsa_test.c | ||
run_tests.pl | ||
secmemtest.c | ||
serverinfo.pem | ||
sha1test.c | ||
sha256t.c | ||
sha512t.c | ||
smcont.txt | ||
srptest.c | ||
ssl_test_ctx_test.c | ||
ssl_test_ctx_test.conf | ||
ssl_test_ctx.c | ||
ssl_test_ctx.h | ||
ssl_test.c | ||
ssl_test.tmpl | ||
ssltest_old.c | ||
Sssdsa.cnf | ||
Sssrsa.cnf | ||
test.cnf | ||
testcrl.pem | ||
testdsa.pem | ||
testdsapub.pem | ||
testec-p256.pem | ||
testecpub-p256.pem | ||
testp7.pem | ||
testreq2.pem | ||
testrsa.pem | ||
testrsapub.pem | ||
testsid.pem | ||
testutil.c | ||
testutil.h | ||
testx509.pem | ||
threadstest.c | ||
Uss.cnf | ||
v3-cert1.pem | ||
v3-cert2.pem | ||
v3ext.c | ||
v3nametest.c | ||
verify_extra_test.c | ||
wp_test.c | ||
x509aux.c |
How to add recipes ================== For any test that you want to perform, you write a script located in test/recipes/, named {nn}-test_{name}.t, where {nn} is a two digit number and {name} is a unique name of your choice. Please note that if a test involves a new testing executable, you will need to do some additions in test/Makefile. More on this later. Naming convetions ================= A test executable is named test/{name}test.c A test recipe is named test/recipes/{nn}-test_{name}.t, where {nn} is a two digit number and {name} is a unique name of your choice. The number {nn} is (somewhat loosely) grouped as follows: 05 individual symmetric cipher algorithms 10 math (bignum) 15 individual asymmetric cipher algorithms 20 openssl enc 25 certificate forms, generation and verification 30 engine and evp 70 PACKET layer 80 "larger" protocols (CA, CMS, OCSP, SSL, TSA) 90 misc A recipe that just runs a test executable ========================================= A script that just runs a program looks like this: #! /usr/bin/perl use OpenSSL::Test::Simple; simple_test("test_{name}", "{name}test", "{name}"); {name} is the unique name you have chosen for your test. The second argument to `simple_test' is the test executable, and `simple_test' expects it to be located in test/ For documentation on OpenSSL::Test::Simple, do `perldoc test/testlib/OpenSSL/Test/Simple.pm'. A recipe that runs a more complex test ====================================== For more complex tests, you will need to read up on Test::More and OpenSSL::Test. Test::More is normally preinstalled, do `man Test::More' for documentation. For OpenSSL::Test, do `perldoc test/testlib/OpenSSL/Test.pm'. A script to start from could be this: #! /usr/bin/perl use strict; use warnings; use OpenSSL::Test; setup("test_{name}"); plan tests => 2; # The number of tests being performed ok(test1, "test1"); ok(test2, "test1"); sub test1 { # test feature 1 } sub test2 { # test feature 2 } Changes to test/Makefile ======================== Whenever a new test involves a new test executable you need to do the following (at all times, replace {NAME} and {name} with the name of your test): * among the variables for test executables at the beginning, add a line like this: {NAME}TEST= {name}test * add `$({NAME}TEST)$(EXE_EXT)' to the assignment of EXE: * add `$({NAME}TEST).o' to the assignment of OBJ: * add `$({NAME}TEST).c' to the assignment of SRC: * add the following lines for building the executable: $({NAME}TEST)$(EXE_EXT): $({NAME}TEST).o $(DLIBCRYPTO) @target=$({NAME}TEST); $(BUILD_CMD)