commit 3ff0b1fda3faa242ac023c62441c6c578b8024c4
author Jerry Yu <jerry.h.yu@arm.com> Fri Nov 10 11:29:12 2023 +0800
committer Jerry Yu <jerry.h.yu@arm.com> Tue Nov 21 09:58:18 2023 +0800
tree 25e10fd5a76aba4eab6ab7278c0aa05156c2d89b
parent 31b601aa15e4080573ec75df00ab5be5db33a2bc

Cleanup ticket negative tests.

- improve comments
- case 3/4 is for server age check.
- case 5/6 is for client age check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

programs/ssl/ssl_server2.c

diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index a8f4714..aa8afd9 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1416,44 +1416,45 @@
 
     switch (opt.dummy_ticket % 11) {
         case 1:
-            /* Callback function return INVALID_MAC */
             return MBEDTLS_ERR_SSL_INVALID_MAC;
         case 2:
-            /* Callback function return ticket expired */
             return MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
         case 3:
-            /* Built-in check, the start time is in future. */
-            session->ticket_creation = mbedtls_ms_time() + 10 * 1000;
+            /* Creation time in the future. */
+            session->ticket_creation = mbedtls_ms_time() +
+                                       MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE +
+                                       4 * 1000;
             break;
         case 4:
-            /* Built-in check, ticket expired due to too old. */
-            session->ticket_creation = mbedtls_ms_time() - 10 * 1000 - 7 * 24 * 3600 * 1000;
+            /* Ticket reaches the end of lifetime. */
+            session->ticket_creation = mbedtls_ms_time() - session->ticket_lifetime -
+                                       MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE - 4 * 1000;
             break;
         case 5:
-            /* Built-in check, age outside tolerance window, too young. */
-            session->ticket_creation = mbedtls_ms_time() - 10 * 1000;
+            /* Ticket is valid, but client age is beyond the upper bound of tolerance window. */
+
+            session->ticket_age_add += MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + 4 * 1000;
+            /* Make sure the execution time does not affect the result */
+            session->ticket_creation = mbedtls_ms_time();
             break;
 
         case 6:
-            /* Built-in check, age outside tolerance window, too old. */
+            /* Ticket is valid, but client age is beyond the lower bound of tolerance window. */
+            session->ticket_age_add -= MBEDTLS_SSL_TLS1_3_TICKET_AGE_TOLERANCE + 4 * 1000;
+            /* Make sure the execution time does not affect the result */
             session->ticket_creation = mbedtls_ms_time();
-            session->ticket_age_add -= 1000;
             break;
         case 7:
-            /* Built-in check, ticket permission check. */
             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
             break;
         case 8:
-            /* Built-in check, ticket permission check. */
             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
             break;
         case 9:
-            /* Built-in check, ticket permission check. */
             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
             break;
         case 10:
-            /* Built-in check, ticket permission check. */
             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
             break;
 #endif