Merge remote-tracking branch 'public/pr/1972' into mbedtls-2.7
diff --git a/ChangeLog b/ChangeLog
index 5861841..866693e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -5,6 +5,8 @@
Bugfix
* Fix failure in hmac_drbg in the benchmark sample application, when
MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
+ * Fix a bug in the update function for SSL ticket keys which previously
+ invalidated keys of a lifetime of less than a 1s. Fixes #1968.
= mbed TLS 2.7.6 branch released 2018-08-31
@@ -41,6 +43,7 @@
Changes
* Improve compatibility with some alternative CCM implementations by using
CCM test vectors from RAM.
+ * Add tests for session resumption in DTLS.
= mbed TLS 2.7.5 branch released 2018-07-25
diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c
index 4d9116d..ad2d526 100644
--- a/library/ssl_ticket.c
+++ b/library/ssl_ticket.c
@@ -101,7 +101,7 @@
uint32_t current_time = (uint32_t) mbedtls_time( NULL );
uint32_t key_time = ctx->keys[ctx->active].generation_time;
- if( current_time > key_time &&
+ if( current_time >= key_time &&
current_time - key_time < ctx->ticket_lifetime )
{
return( 0 );
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index d3d1589..9f2dbc6 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -1364,6 +1364,71 @@
-s "session successfully restored from ticket" \
-s "a session has been resumed"
+# Tests for Session Tickets with DTLS
+
+run_test "Session resume using tickets, DTLS: basic" \
+ "$P_SRV debug_level=3 dtls=1 tickets=1" \
+ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
+ 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -s "server hello, adding session ticket extension" \
+ -c "found session_ticket extension" \
+ -c "parse new session ticket" \
+ -S "session successfully restored from cache" \
+ -s "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using tickets, DTLS: cache disabled" \
+ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0" \
+ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1" \
+ 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -s "server hello, adding session ticket extension" \
+ -c "found session_ticket extension" \
+ -c "parse new session ticket" \
+ -S "session successfully restored from cache" \
+ -s "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using tickets, DTLS: timeout" \
+ "$P_SRV debug_level=3 dtls=1 tickets=1 cache_max=0 ticket_timeout=1" \
+ "$P_CLI debug_level=3 dtls=1 tickets=1 reconnect=1 reco_delay=2" \
+ 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -s "server hello, adding session ticket extension" \
+ -c "found session_ticket extension" \
+ -c "parse new session ticket" \
+ -S "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -S "a session has been resumed" \
+ -C "a session has been resumed"
+
+run_test "Session resume using tickets, DTLS: openssl server" \
+ "$O_SRV -dtls1" \
+ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
+ 0 \
+ -c "client hello, adding session ticket extension" \
+ -c "found session_ticket extension" \
+ -c "parse new session ticket" \
+ -c "a session has been resumed"
+
+run_test "Session resume using tickets, DTLS: openssl client" \
+ "$P_SRV dtls=1 debug_level=3 tickets=1" \
+ "( $O_CLI -dtls1 -sess_out $SESSION; \
+ $O_CLI -dtls1 -sess_in $SESSION; \
+ rm -f $SESSION )" \
+ 0 \
+ -s "found session ticket extension" \
+ -s "server hello, adding session ticket extension" \
+ -S "session successfully restored from cache" \
+ -s "session successfully restored from ticket" \
+ -s "a session has been resumed"
+
# Tests for Session Resume based on session-ID and cache
run_test "Session resume using cache: tickets enabled on client" \
@@ -1459,6 +1524,101 @@
-C "parse new session ticket" \
-c "a session has been resumed"
+# Tests for Session Resume based on session-ID and cache, DTLS
+
+run_test "Session resume using cache, DTLS: tickets enabled on client" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0" \
+ "$P_CLI dtls=1 debug_level=3 tickets=1 reconnect=1" \
+ 0 \
+ -c "client hello, adding session ticket extension" \
+ -s "found session ticket extension" \
+ -S "server hello, adding session ticket extension" \
+ -C "found session_ticket extension" \
+ -C "parse new session ticket" \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: tickets enabled on server" \
+ "$P_SRV dtls=1 debug_level=3 tickets=1" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
+ 0 \
+ -C "client hello, adding session ticket extension" \
+ -S "found session ticket extension" \
+ -S "server hello, adding session ticket extension" \
+ -C "found session_ticket extension" \
+ -C "parse new session ticket" \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: cache_max=0" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=0" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
+ 0 \
+ -S "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -S "a session has been resumed" \
+ -C "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: cache_max=1" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_max=1" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
+ 0 \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: timeout > delay" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=0" \
+ 0 \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: timeout < delay" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=1" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
+ 0 \
+ -S "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -S "a session has been resumed" \
+ -C "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: no timeout" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0 cache_timeout=0" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1 reco_delay=2" \
+ 0 \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed" \
+ -c "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: openssl client" \
+ "$P_SRV dtls=1 debug_level=3 tickets=0" \
+ "( $O_CLI -dtls1 -sess_out $SESSION; \
+ $O_CLI -dtls1 -sess_in $SESSION; \
+ rm -f $SESSION )" \
+ 0 \
+ -s "found session ticket extension" \
+ -S "server hello, adding session ticket extension" \
+ -s "session successfully restored from cache" \
+ -S "session successfully restored from ticket" \
+ -s "a session has been resumed"
+
+run_test "Session resume using cache, DTLS: openssl server" \
+ "$O_SRV -dtls1" \
+ "$P_CLI dtls=1 debug_level=3 tickets=0 reconnect=1" \
+ 0 \
+ -C "found session_ticket extension" \
+ -C "parse new session ticket" \
+ -c "a session has been resumed"
+
# Tests for Max Fragment Length extension
MAX_CONTENT_LEN_EXPECT='16384'