TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d903a86e52f21a65b45fa27699aabfe2d9a8cd81^! / . / tests
commitd903a86e52f21a65b45fa27699aabfe2d9a8cd81[log] [tgz]
authorRonald Cron <ronald.cron@arm.com>Mon Jan 15 15:57:17 2024 +0100
committerRonald Cron <ronald.cron@arm.com>Mon Jan 22 09:37:45 2024 +0100
tree45fde20ac7d96126302ef3be7a6318c45495fd80
parent77abfe67db1ff1bdae3ff1c93e7878e8ee0826f8 [diff]
tests: tls13: Add session resume with ticket unit test

This aims to provide a basis for negative testing
around TLS 1.3 ticket, replacing eventually the
negative tests done in ssl-opt.sh using the
dummy_ticket option.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>

diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index de998e3..37895f0 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data

@@ -3270,3 +3270,6 @@
 
 Test Elliptic curves' info parsing
 elliptic_curve_get_properties
+
+TLS 1.3 resume session with ticket
+tls13_resume_session_with_ticket

diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 8a03d1b..9ca2058 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function

@@ -3519,3 +3519,96 @@
     MD_OR_USE_PSA_DONE();
 }
 /* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_SSL_PROTO_TLS1_3:MBEDTLS_SSL_CLI_C:MBEDTLS_SSL_SRV_C:MBEDTLS_TEST_AT_LEAST_ONE_TLS1_3_CIPHERSUITE:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED:MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED:MBEDTLS_MD_CAN_SHA256:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_SSL_SESSION_TICKETS */
+void tls13_resume_session_with_ticket()
+{
+    int ret = -1;
+    unsigned char buf[64];
+    mbedtls_test_ssl_endpoint client_ep, server_ep;
+    mbedtls_test_handshake_test_options client_options;
+    mbedtls_test_handshake_test_options server_options;
+    mbedtls_ssl_session saved_session;
+
+    /*
+     * Test set-up
+     */
+    mbedtls_platform_zeroize(&client_ep, sizeof(client_ep));
+    mbedtls_platform_zeroize(&server_ep, sizeof(server_ep));
+    mbedtls_test_init_handshake_options(&client_options);
+    mbedtls_test_init_handshake_options(&server_options);
+    mbedtls_ssl_session_init(&saved_session);
+
+    MD_OR_USE_PSA_INIT();
+
+    client_options.pk_alg = MBEDTLS_PK_ECDSA;
+    ret = mbedtls_test_ssl_endpoint_init(&client_ep, MBEDTLS_SSL_IS_CLIENT,
+                                         &client_options, NULL, NULL, NULL,
+                                         NULL);
+    TEST_EQUAL(ret, 0);
+
+    server_options.pk_alg = MBEDTLS_PK_ECDSA;
+    ret = mbedtls_test_ssl_endpoint_init(&server_ep, MBEDTLS_SSL_IS_SERVER,
+                                         &server_options, NULL, NULL, NULL,
+                                         NULL);
+    mbedtls_ssl_conf_session_tickets_cb(&server_ep.conf,
+                                        mbedtls_test_ticket_write,
+                                        mbedtls_test_ticket_parse,
+                                        NULL);
+    TEST_EQUAL(ret, 0);
+
+    ret = mbedtls_test_mock_socket_connect(&(client_ep.socket),
+                                           &(server_ep.socket), 1024);
+    TEST_EQUAL(ret, 0);
+
+    /*
+     * Run initial handshake: ephemeral key exchange mode, certificate with
+     * RSA key, signed with PKCS15, verified with PKCS21. Then, get the ticket
+     * sent by the server at the end of its handshake sequence.
+     */
+    TEST_ASSERT(mbedtls_test_move_handshake_to_state(
+                    &(server_ep.ssl), &(client_ep.ssl),
+                    MBEDTLS_SSL_HANDSHAKE_OVER) == 0);
+
+    do {
+        ret = mbedtls_ssl_read(&(client_ep.ssl), buf, sizeof(buf));
+    } while (ret != MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET);
+
+    /*
+     * Save client session and reset the SSL context of the two endpoints.
+     */
+    ret = mbedtls_ssl_get_session(&(client_ep.ssl), &saved_session);
+    TEST_EQUAL(ret, 0);
+
+    ret = mbedtls_ssl_session_reset(&(client_ep.ssl));
+    TEST_EQUAL(ret, 0);
+
+    ret = mbedtls_ssl_session_reset(&(server_ep.ssl));
+    TEST_EQUAL(ret, 0);
+
+    /*
+     * Set saved session on client side and handshake using the ticket
+     * included in that session.
+     */
+
+    ret = mbedtls_ssl_set_session(&(client_ep.ssl), &saved_session);
+    TEST_EQUAL(ret, 0);
+
+    TEST_ASSERT(mbedtls_test_move_handshake_to_state(
+                    &(server_ep.ssl), &(client_ep.ssl),
+                    MBEDTLS_SSL_HANDSHAKE_WRAPUP) == 0);
+
+    TEST_EQUAL(server_ep.ssl.handshake->resume, 1);
+    TEST_EQUAL(server_ep.ssl.handshake->new_session_tickets_count, 1);
+    TEST_EQUAL(server_ep.ssl.handshake->key_exchange_mode,
+               MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL);
+
+exit:
+    mbedtls_test_ssl_endpoint_free(&client_ep, NULL);
+    mbedtls_test_ssl_endpoint_free(&server_ep, NULL);
+    mbedtls_test_free_handshake_options(&client_options);
+    mbedtls_test_free_handshake_options(&server_options);
+    mbedtls_ssl_session_free(&saved_session);
+    MD_OR_USE_PSA_DONE();
+}
+/* END_CASE */