tests: tls13: Add session resume with ticket unit test

This aims to provide a basis for negative testing
around TLS 1.3 ticket, replacing eventually the
negative tests done in ssl-opt.sh using the
dummy_ticket option.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2024-01-15 15:57:17 +01:00
parent 77abfe67db
commit d903a86e52
2 changed files with 96 additions and 0 deletions

@ -3270,3 +3270,6 @@ ssl_ecjpake_set_password:1
Test Elliptic curves' info parsing
elliptic_curve_get_properties
TLS 1.3 resume session with ticket
tls13_resume_session_with_ticket

@ -3519,3 +3519,96 @@ exit:
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
void tls13_resume_session_with_ticket()
{
int ret = -1;
unsigned char buf[64];
mbedtls_test_ssl_endpoint client_ep, server_ep;
mbedtls_test_handshake_test_options client_options;
mbedtls_test_handshake_test_options server_options;
mbedtls_ssl_session saved_session;
/*
* Test set-up
*/
mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
mbedtls_test_init_handshake_options(&client_options);
mbedtls_test_init_handshake_options(&server_options);
mbedtls_ssl_session_init(&saved_session);
MD_OR_USE_PSA_INIT();
client_options.pk_alg = MBEDTLS_PK_ECDSA;
ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
&client_options, NULL, NULL, NULL,
NULL);
TEST_EQUAL(ret, 0);
server_options.pk_alg = MBEDTLS_PK_ECDSA;
ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
&server_options, NULL, NULL, NULL,
NULL);
mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
mbedtls_test_ticket_write,
mbedtls_test_ticket_parse,
NULL);
TEST_EQUAL(ret, 0);
ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
&(server_ep.socket), 1024);
TEST_EQUAL(ret, 0);
/*
* Run initial handshake: ephemeral key exchange mode, certificate with
* RSA key, signed with PKCS15, verified with PKCS21. Then, get the ticket
* sent by the server at the end of its handshake sequence.
*/
TEST_ASSERT(mbedtls_test_move_handshake_to_state(
&(server_ep.ssl), &(client_ep.ssl),
MBEDTLS_SSL_HANDSHAKE_OVER) == 0);
do {
ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
} while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
/*
* Save client session and reset the SSL context of the two endpoints.
*/
ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session);
TEST_EQUAL(ret, 0);
ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
TEST_EQUAL(ret, 0);
ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
TEST_EQUAL(ret, 0);
/*
* Set saved session on client side and handshake using the ticket
* included in that session.
*/
ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
TEST_EQUAL(ret, 0);
TEST_ASSERT(mbedtls_test_move_handshake_to_state(
&(server_ep.ssl), &(client_ep.ssl),
MBEDTLS_SSL_HANDSHAKE_WRAPUP) == 0);
TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
exit:
mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
mbedtls_test_free_handshake_options(&client_options);
mbedtls_test_free_handshake_options(&server_options);
mbedtls_ssl_session_free(&saved_session);
MD_OR_USE_PSA_DONE();
}
/* END_CASE */