1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include "s2n_test.h"
17
18 #include "testlib/s2n_testlib.h"
19
20 #include <fcntl.h>
21 #include <errno.h>
22
23 #include <s2n.h>
24
25 #include "crypto/s2n_fips.h"
26 #include "utils/s2n_safety.h"
27 #include "utils/s2n_bitmap.h"
28
29 #define S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS (S2N_TICKET_ENCRYPT_DECRYPT_KEY_LIFETIME_IN_NANOS + S2N_TICKET_DECRYPT_KEY_LIFETIME_IN_NANOS) / ONE_SEC_IN_NANOS
30 #define S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES S2N_STATE_FORMAT_LEN + S2N_SESSION_TICKET_SIZE_LEN
31
32 #define S2N_CLOCK_SYS CLOCK_REALTIME
33
mock_nanoseconds_since_epoch(void * data,uint64_t * nanoseconds)34 int mock_nanoseconds_since_epoch(void *data, uint64_t *nanoseconds)
35 {
36 struct timespec current_time;
37
38 clock_gettime(S2N_CLOCK_SYS, ¤t_time);
39
40 *nanoseconds = current_time.tv_sec * 1000000000;
41 *nanoseconds += current_time.tv_nsec;
42 *nanoseconds += *(uint64_t *) data;
43
44 return 0;
45 }
46
mock_time(void * data,uint64_t * nanoseconds)47 static int mock_time(void *data, uint64_t *nanoseconds)
48 {
49 *nanoseconds = 1000000000;
50 return S2N_SUCCESS;
51 }
52
53 uint8_t cb_session_data[S2N_TLS12_SESSION_SIZE * 2] = { 0 };
54 size_t cb_session_data_len = 0;
55 uint32_t cb_session_lifetime = 0;
s2n_test_session_ticket_callback(struct s2n_connection * conn,void * ctx,struct s2n_session_ticket * ticket)56 static int s2n_test_session_ticket_callback(struct s2n_connection *conn, void *ctx, struct s2n_session_ticket *ticket)
57 {
58 EXPECT_NOT_NULL(conn);
59 EXPECT_NOT_NULL(ticket);
60
61 /* Store the callback data for comparison at the end of the connection. */
62 EXPECT_SUCCESS(s2n_session_ticket_get_data_len(ticket, &cb_session_data_len));
63 EXPECT_SUCCESS(s2n_session_ticket_get_data(ticket, sizeof(cb_session_data), cb_session_data));
64 EXPECT_SUCCESS(s2n_session_ticket_get_lifetime(ticket, &cb_session_lifetime));
65
66 return S2N_SUCCESS;
67 }
68
main(int argc,char ** argv)69 int main(int argc, char **argv)
70 {
71 char *cert_chain;
72 char *private_key;
73 struct s2n_cert_chain_and_key *chain_and_key;
74 struct s2n_connection *client_conn;
75 struct s2n_connection *server_conn;
76 struct s2n_config *client_config;
77 struct s2n_config *server_config;
78 uint64_t now;
79 struct s2n_ticket_key *ticket_key;
80 uint32_t ticket_keys_len = 0;
81
82 size_t serialized_session_state_length = 0;
83 uint8_t s2n_state_with_session_id = S2N_STATE_WITH_SESSION_ID;
84 uint8_t serialized_session_state[S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES + S2N_TLS12_STATE_SIZE_IN_BYTES] = { 0 };
85
86 /* Session ticket keys. Taken from test vectors in https://tools.ietf.org/html/rfc5869 */
87 uint8_t ticket_key_name1[16] = "2016.07.26.15\0";
88 uint8_t ticket_key_name2[16] = "2017.07.26.15\0";
89 uint8_t ticket_key_name3[16] = "2018.07.26.15\0";
90 uint8_t ticket_key1[32] = {0x07, 0x77, 0x09, 0x36, 0x2c, 0x2e, 0x32, 0xdf, 0x0d, 0xdc,
91 0x3f, 0x0d, 0xc4, 0x7b, 0xba, 0x63, 0x90, 0xb6, 0xc7, 0x3b,
92 0xb5, 0x0f, 0x9c, 0x31, 0x22, 0xec, 0x84, 0x4a, 0xd7, 0xc2,
93 0xb3, 0xe5 };
94 uint8_t ticket_key2[32] = {0x06, 0xa6, 0xb8, 0x8c, 0x58, 0x53, 0x36, 0x1a, 0x06, 0x10,
95 0x4c, 0x9c, 0xeb, 0x35, 0xb4, 0x5c, 0xef, 0x76, 0x00, 0x14,
96 0x90, 0x46, 0x71, 0x01, 0x4a, 0x19, 0x3f, 0x40, 0xc1, 0x5f,
97 0xc2, 0x44 };
98 uint8_t ticket_key3[32] = {0x19, 0xef, 0x24, 0xa3, 0x2c, 0x71, 0x7b, 0x16, 0x7f, 0x33,
99 0xa9, 0x1d, 0x6f, 0x64, 0x8b, 0xdf, 0x96, 0x59, 0x67, 0x76,
100 0xaf, 0xdb, 0x63, 0x77, 0xac, 0x43, 0x4c, 0x1c, 0x29, 0x3c,
101 0xcb, 0x04};
102
103 /* Testcases:
104 * 1) Client sends empty ST extension. Server issues NST.
105 * 2) Client sends empty ST extension. Server does a full handshake, but is unable to issue NST due to absence of an encrypt-decrypt key.
106 * 3) Client sends non-empty ST extension. Server does an abbreviated handshake without issuing NST.
107 * 4) Client sends non-empty ST extension. Server does an abbreviated handshake and issues a NST because the key is in decrypt-only state.
108 * 5) Client sends non-empty ST extension. Server does an abbreviated handshake, but does not issue a NST even though the key is in
109 * decrypt-only state due to absence of encrypt-decrypt key.
110 * 6) Client sends non-empty ST extension. Server does a full handshake and issues a NST because the key is not found.
111 * 7) Client sends non-empty ST extension. Server does a full handshake and issues a NST because the key has expired.
112 * 8) Client sends non-empty ST extension. Server does a full handshake and issues a NST because the ticket has non-standard size.
113 * 9) Client sends non-empty ST extension, but server cannot or does not want to honor the ticket.
114 * 10) Client sets corrupted ST extension.
115 * 11) User tries adding a duplicate key to the server.
116 * 12) Testing expired keys are removed from the server config while adding new keys.
117 * 13) Scenario 1: Client sends empty ST and server has multiple encrypt-decrypt keys to choose from for encrypting NST.
118 * 14) Scenario 2: Client sends empty ST and server has multiple encrypt-decrypt keys to choose from for encrypting NST.
119 * 15) Testing s2n_config_set_ticket_encrypt_decrypt_key_lifetime and s2n_config_set_ticket_decrypt_key_lifetime calls.
120 * 16) Add keys out of order and pre-emptively add a key.
121 * 17) Handshake with client auth and session ticket enabled.
122 * 18) Session resumption APIs and session_ticket_cb return the same values when receiving a new ticket in TLS1.2
123 * 19) Session resumption APIs and session_ticket_cb return sane values when receiving a new ticket in TLS1.3
124 * 20) Client has TLS1.3 ticket but negotiates TLS1.2, so does full handshake
125 */
126
127 BEGIN_TEST();
128 EXPECT_SUCCESS(s2n_disable_tls13());
129
130 DEFER_CLEANUP(struct s2n_stuffer tls13_serialized_session_state = { 0 }, s2n_stuffer_free);
131 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&tls13_serialized_session_state, 0));
132
133 struct s2n_test_io_pair io_pair;
134 EXPECT_SUCCESS(s2n_io_pair_init_non_blocking(&io_pair));
135
136 EXPECT_NOT_NULL(cert_chain = malloc(S2N_MAX_TEST_PEM_SIZE));
137 EXPECT_NOT_NULL(private_key = malloc(S2N_MAX_TEST_PEM_SIZE));
138 EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_CERT_CHAIN, cert_chain, S2N_MAX_TEST_PEM_SIZE));
139 EXPECT_SUCCESS(s2n_read_test_pem(S2N_DEFAULT_TEST_PRIVATE_KEY, private_key, S2N_MAX_TEST_PEM_SIZE));
140 EXPECT_NOT_NULL(chain_and_key = s2n_cert_chain_and_key_new());
141 EXPECT_SUCCESS(s2n_cert_chain_and_key_load_pem(chain_and_key, cert_chain, private_key));
142
143 struct s2n_cert_chain_and_key *ecdsa_chain_and_key = NULL;
144 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&ecdsa_chain_and_key,
145 S2N_DEFAULT_ECDSA_TEST_CERT_CHAIN, S2N_DEFAULT_ECDSA_TEST_PRIVATE_KEY));
146
147 EXPECT_SUCCESS(setenv("S2N_DONT_MLOCK", "1", 0));
148
149 /* Client sends empty ST extension. Server issues NST. */
150 {
151 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
152
153 EXPECT_NOT_NULL(client_config = s2n_config_new());
154 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
155 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
156 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
157
158 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
159 EXPECT_NOT_NULL(server_config = s2n_config_new());
160 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
161 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
162
163 /* Create nonblocking pipes */
164 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
165
166 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
167 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
168
169 /* Add one ST key */
170 POSIX_GUARD(server_config->wall_clock(server_config->sys_clock_ctx, &now));
171 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), now/ONE_SEC_IN_NANOS));
172
173 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
174
175 /* A newly created connection should not be considered resumed */
176 EXPECT_FALSE(s2n_connection_is_session_resumed(server_conn));
177 EXPECT_FALSE(s2n_connection_is_session_resumed(client_conn));
178 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
179
180 /* Verify that the server did a full handshake and issued NST */
181 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
182 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
183
184 /* Verify that the client received NST */
185 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
186 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
187 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, strlen((char *)ticket_key_name1));
188
189 /* Verify the lifetime hint from the server */
190 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
191
192 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
193
194 EXPECT_SUCCESS(s2n_connection_free(server_conn));
195 EXPECT_SUCCESS(s2n_connection_free(client_conn));
196
197 EXPECT_SUCCESS(s2n_config_free(server_config));
198 EXPECT_SUCCESS(s2n_config_free(client_config));
199 }
200
201 /* Client sends empty ST extension. Server does a full handshake, but is unable
202 * to issue NST due to absence of an encrypt-decrypt key. */
203 {
204 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
205 EXPECT_NOT_NULL(client_config = s2n_config_new());
206 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
207 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
208 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
209
210 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
211 EXPECT_NOT_NULL(server_config = s2n_config_new());
212 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
213 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
214
215 /* Create nonblocking pipes */
216 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
217
218 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
219 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
220
221 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
222
223 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
224
225 /* Verify that the server did a full handshake and did not issue NST */
226 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
227 EXPECT_FALSE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
228
229 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
230
231 EXPECT_SUCCESS(s2n_connection_free(server_conn));
232 EXPECT_SUCCESS(s2n_connection_free(client_conn));
233
234 EXPECT_SUCCESS(s2n_config_free(server_config));
235 EXPECT_SUCCESS(s2n_config_free(client_config));
236 }
237
238 /* Client sends non-empty ST extension. Server does an abbreviated handshake without issuing NST. */
239 {
240 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
241
242 /* Set client ST and session state */
243 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
244
245 EXPECT_NOT_NULL(client_config = s2n_config_new());
246 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
247 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
248
249 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
250 EXPECT_NOT_NULL(server_config = s2n_config_new());
251 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
252 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
253
254 /* Create nonblocking pipes */
255 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
256
257 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
258 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
259
260 /* Add one ST key */
261 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
262
263 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
264
265 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
266
267 /* Verify that the server did an abbreviated handshake and not issue NST */
268 EXPECT_TRUE(IS_RESUMPTION_HANDSHAKE(server_conn));
269 EXPECT_TRUE(s2n_connection_is_session_resumed(server_conn));
270 EXPECT_FALSE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
271
272 /* Verify that client_ticket is same as before because server didn't issue a NST */
273 uint8_t old_session_ticket[S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES];
274 EXPECT_MEMCPY_SUCCESS(old_session_ticket, serialized_session_state, S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES);
275 EXPECT_TRUE(s2n_connection_is_session_resumed(client_conn));
276 s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length);
277 EXPECT_BYTEARRAY_EQUAL(old_session_ticket, serialized_session_state, S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES);
278
279 /* Verify that the server lifetime hint is 0 because server didn't issue a NST */
280 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), 0);
281
282 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
283
284 EXPECT_SUCCESS(s2n_connection_free(server_conn));
285 EXPECT_SUCCESS(s2n_connection_free(client_conn));
286
287 EXPECT_SUCCESS(s2n_config_free(server_config));
288 EXPECT_SUCCESS(s2n_config_free(client_config));
289 }
290
291 /* Client sends non-empty ST extension. Server does an abbreviated handshake and issues a NST
292 * because the key is in decrypt-only state.
293 */
294 {
295 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
296
297 /* Set client ST and session state */
298 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
299
300 EXPECT_NOT_NULL(client_config = s2n_config_new());
301 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
302 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
303
304 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
305
306 EXPECT_NOT_NULL(server_config = s2n_config_new());
307 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
308 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
309
310 /* Create nonblocking pipes */
311 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
312
313 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
314 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
315
316 /* Add one ST key */
317 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
318
319 /* Add a mock delay such that key 1 moves to decrypt-only state */
320 uint64_t mock_delay = server_config->encrypt_decrypt_key_lifetime_in_nanos;
321 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
322
323 /* Add a second ST key */
324 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, strlen((char *)ticket_key2), 0));
325
326 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
327
328 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
329
330 /* Verify that the server did an abbreviated handshake and issued NST */
331 EXPECT_TRUE(IS_RESUMPTION_HANDSHAKE(server_conn));
332 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
333
334 /* Verify that client_ticket is not same as before because server issued a NST */
335 uint8_t old_session_ticket[S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES];
336 EXPECT_MEMCPY_SUCCESS(old_session_ticket, serialized_session_state, S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES);
337
338 s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length);
339 EXPECT_TRUE(memcmp(old_session_ticket, serialized_session_state, S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES));
340
341 /* Verify the lifetime hint from the server */
342 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
343
344 /* Verify that the new NST is encrypted using second ST */
345 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, strlen((char *)ticket_key_name2));
346
347 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
348
349 EXPECT_SUCCESS(s2n_connection_free(server_conn));
350 EXPECT_SUCCESS(s2n_connection_free(client_conn));
351
352 EXPECT_SUCCESS(s2n_config_free(server_config));
353 EXPECT_SUCCESS(s2n_config_free(client_config));
354 }
355
356 /* Client sends non-empty ST extension. Server does an abbreviated handshake,
357 * but does not issue a NST even though the key is in decrypt-only state due to
358 * the absence of encrypt-decrypt key.
359 */
360 {
361 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
362
363 /* Set client ST and session state */
364 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
365
366 EXPECT_NOT_NULL(client_config = s2n_config_new());
367 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
368 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
369
370 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
371
372 EXPECT_NOT_NULL(server_config = s2n_config_new());
373 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
374 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
375
376 /* Create nonblocking pipes */
377 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
378
379 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
380 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
381
382 /* Add one ST key */
383 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, strlen((char *)ticket_key2), 0));
384
385 /* Add a mock delay such that key 1 moves to decrypt-only state */
386 uint64_t mock_delay = server_config->encrypt_decrypt_key_lifetime_in_nanos;
387 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
388
389 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
390
391 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
392
393 /* Verify that the server did an abbreviated handshake and did not issue a NST */
394 EXPECT_TRUE(IS_RESUMPTION_HANDSHAKE(server_conn));
395 EXPECT_FALSE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
396
397 /* Verify that client_ticket is same as before because server did not issue a NST */
398 uint8_t old_session_ticket[S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES];
399 EXPECT_MEMCPY_SUCCESS(old_session_ticket, serialized_session_state, S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES);
400
401 s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length);
402 EXPECT_FALSE(memcmp(old_session_ticket, serialized_session_state, S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES + S2N_TLS12_TICKET_SIZE_IN_BYTES));
403
404 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
405
406 EXPECT_SUCCESS(s2n_connection_free(server_conn));
407 EXPECT_SUCCESS(s2n_connection_free(client_conn));
408
409 EXPECT_SUCCESS(s2n_config_free(server_config));
410 EXPECT_SUCCESS(s2n_config_free(client_config));
411 }
412
413 /* Client sends non-empty ST extension. Server does a
414 * full handshake and issues a NST because the key is not found.
415 */
416 {
417 EXPECT_NOT_NULL(client_config = s2n_config_new());
418 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
419 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
420 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
421
422 /* Set client ST and session state */
423 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
424
425 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
426
427 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
428
429 EXPECT_NOT_NULL(server_config = s2n_config_new());
430 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
431 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
432
433 /* Create nonblocking pipes */
434 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
435
436 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
437 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
438
439 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
440
441 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
442
443 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
444
445 /* Verify that the server did a full handshake and issued NST */
446 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
447 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
448
449 /* Verify that the client received NST */
450 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
451 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
452 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, strlen((char *)ticket_key_name1));
453
454 /* Verify the lifetime hint from the server */
455 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
456
457 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
458
459 EXPECT_SUCCESS(s2n_connection_free(server_conn));
460 EXPECT_SUCCESS(s2n_connection_free(client_conn));
461
462 EXPECT_SUCCESS(s2n_config_free(server_config));
463 EXPECT_SUCCESS(s2n_config_free(client_config));
464 }
465
466 /* Client sends non-empty ST extension. Server does a full handshake and issues a NST
467 * because the key has expired.
468 */
469 {
470 EXPECT_NOT_NULL(client_config = s2n_config_new());
471 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
472 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
473 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
474
475 /* Set client ST and session state */
476 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
477
478 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
479
480 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
481
482 EXPECT_NOT_NULL(server_config = s2n_config_new());
483 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
484 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
485
486 /* Create nonblocking pipes */
487 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
488
489 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
490 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
491
492 /* Add one ST key */
493 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
494
495 /* Add a mock delay such that the key used to encrypt ST expires */
496 uint64_t mock_delay = server_config->decrypt_key_lifetime_in_nanos + server_config->encrypt_decrypt_key_lifetime_in_nanos;
497 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
498
499 /* Add a second ST key */
500 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, strlen((char *)ticket_key2), 0));
501
502 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
503
504 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
505
506 /* Verify that the server did a full handshake and issued NST */
507 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
508 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
509
510 /* Verify that the server has only the unexpired key */
511 EXPECT_OK(s2n_set_get(server_config->ticket_keys, 0, (void **)&ticket_key));
512 EXPECT_BYTEARRAY_EQUAL(ticket_key->key_name, ticket_key_name2, strlen((char *)ticket_key_name2));
513 EXPECT_OK(s2n_set_len(server_config->ticket_keys, &ticket_keys_len));
514 EXPECT_EQUAL(ticket_keys_len, 1);
515
516 /* Verify that the client received NST */
517 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
518 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
519 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, strlen((char *)ticket_key_name2));
520
521 /* Verify the lifetime hint from the server */
522 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
523
524 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
525
526 EXPECT_SUCCESS(s2n_connection_free(server_conn));
527 EXPECT_SUCCESS(s2n_connection_free(client_conn));
528
529 EXPECT_SUCCESS(s2n_config_free(server_config));
530 EXPECT_SUCCESS(s2n_config_free(client_config));
531 }
532
533 /* Client sends non-empty ST extension. Server does a full handshake and issues a NST because the ticket has non-standard size. */
534 {
535 EXPECT_NOT_NULL(client_config = s2n_config_new());
536 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
537 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
538 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
539
540 /* Tamper session state to make session ticket size smaller than what we expect */
541 /* Verify that client_ticket is same as before because server did not issue a NST */
542 uint8_t tampered_session_state[sizeof(serialized_session_state) - 1];
543 /* Copy session format */
544 tampered_session_state[0] = serialized_session_state[0];
545 /* Copy and reduce by 1 the session ticket length */
546 tampered_session_state[1] = serialized_session_state[1];
547 tampered_session_state[2] = serialized_session_state[2] - 1;
548 /* Skip 1 byte of the session ticket and copy the rest */
549 EXPECT_MEMCPY_SUCCESS(tampered_session_state + 3, serialized_session_state + 4, sizeof(tampered_session_state) - 4);
550
551 /* Set client tampered ST and session state */
552 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, tampered_session_state, serialized_session_state_length - 1));
553
554 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
555
556 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
557
558 EXPECT_NOT_NULL(server_config = s2n_config_new());
559 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
560 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
561
562 /* Create nonblocking pipes */
563 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
564
565 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
566 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
567
568 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
569
570 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
571
572 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
573
574 /* Verify that the server did a full handshake and issued NST */
575 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
576 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
577
578 /* Verify that the client received NST */
579 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
580 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
581 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, strlen((char *)ticket_key_name1));
582
583 /* Verify the lifetime hint from the server */
584 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
585
586 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
587
588 EXPECT_SUCCESS(s2n_connection_free(server_conn));
589 EXPECT_SUCCESS(s2n_connection_free(client_conn));
590
591 EXPECT_SUCCESS(s2n_config_free(server_config));
592 EXPECT_SUCCESS(s2n_config_free(client_config));
593 }
594
595 /* Client sends non-empty ST extension, but server cannot or does not want to honor the ticket. */
596 {
597 EXPECT_NOT_NULL(client_config = s2n_config_new());
598 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
599 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
600 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
601
602 /* Set client ST and session state */
603 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
604
605 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
606
607 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
608
609 EXPECT_NOT_NULL(server_config = s2n_config_new());
610 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
611
612 /* Create nonblocking pipes */
613 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
614
615 /* Not enabling resumption using ST */
616
617 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
618
619 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
620
621 /* Verify that the server did a full handshake and did not issue NST */
622 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
623 EXPECT_FALSE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
624
625 /* Verify that client_ticket is empty */
626 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), 1 + 1 + client_conn->session_id_len + S2N_TLS12_STATE_SIZE_IN_BYTES);
627 EXPECT_EQUAL(memcmp(serialized_session_state, &s2n_state_with_session_id, 1), 0);
628 EXPECT_NOT_EQUAL(memcmp(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, strlen((char *)ticket_key_name2)), 0);
629
630 /* Verify the lifetime hint from the server */
631 EXPECT_FAILURE_WITH_ERRNO(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_ERR_SESSION_TICKET_NOT_SUPPORTED);
632
633 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
634
635 EXPECT_SUCCESS(s2n_connection_free(server_conn));
636 EXPECT_SUCCESS(s2n_connection_free(client_conn));
637
638 EXPECT_SUCCESS(s2n_config_free(server_config));
639 EXPECT_SUCCESS(s2n_config_free(client_config));
640 }
641
642 /* Client sets corrupted ST extension. */
643 {
644 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
645
646 memset(serialized_session_state, 0, serialized_session_state_length);
647
648 /* Set client ST and session state */
649 EXPECT_FAILURE(s2n_connection_set_session(client_conn, serialized_session_state, serialized_session_state_length));
650
651 EXPECT_SUCCESS(s2n_connection_free(client_conn));
652 }
653
654 /* User tries adding a duplicate key to the server */
655 {
656 EXPECT_NOT_NULL(server_config = s2n_config_new());
657 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
658
659 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
660
661 /* Try adding the same key, but with a different name */
662 EXPECT_EQUAL(-1, s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key1, sizeof(ticket_key1), 0));
663
664 /* Try adding a different key, but with the same name */
665 EXPECT_EQUAL(-1, s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key2, sizeof(ticket_key2), 0));
666 EXPECT_EQUAL(s2n_errno, S2N_ERR_INVALID_TICKET_KEY_NAME_OR_NAME_LENGTH);
667
668 /* Try adding a key with invalid key length */
669 EXPECT_EQUAL(-1, s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, 0, 0));
670 EXPECT_EQUAL(s2n_errno, S2N_ERR_INVALID_TICKET_KEY_LENGTH);
671
672 EXPECT_SUCCESS(s2n_config_free(server_config));
673 }
674
675 /* Testing expired keys are removed from the server config while adding new keys. */
676 {
677 EXPECT_NOT_NULL(server_config = s2n_config_new());
678 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
679
680 /* Add 2 ST keys */
681 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
682 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, sizeof(ticket_key2), 0));
683
684 /* Add a mock delay such that the first two keys expire */
685 uint64_t mock_delay = server_config->decrypt_key_lifetime_in_nanos + server_config->encrypt_decrypt_key_lifetime_in_nanos;
686 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
687
688 /* Add a third ST key */
689 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name3, strlen((char *)ticket_key_name3), ticket_key3, sizeof(ticket_key3), 0));
690
691 /* Try adding the expired keys */
692 EXPECT_EQUAL(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, sizeof(ticket_key2), 0), -1);
693 EXPECT_EQUAL(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0), -1);
694
695 /* Verify that the config has only one unexpired key */
696 EXPECT_OK(s2n_set_get(server_config->ticket_keys, 0, (void **)&ticket_key));
697 EXPECT_BYTEARRAY_EQUAL(ticket_key->key_name, ticket_key_name3, strlen((char *)ticket_key_name3));
698 EXPECT_OK(s2n_set_len(server_config->ticket_keys, &ticket_keys_len));
699 EXPECT_EQUAL(ticket_keys_len, 1);
700
701 /* Verify that the total number of key hashes is three */
702 EXPECT_OK(s2n_set_len(server_config->ticket_key_hashes, &ticket_keys_len));
703 EXPECT_EQUAL(ticket_keys_len, 3);
704
705 EXPECT_SUCCESS(s2n_config_free(server_config));
706 }
707
708 /* Scenario 1: Client sends empty ST and server has multiple encrypt-decrypt keys to choose from for encrypting NST. */
709 {
710 EXPECT_NOT_NULL(client_config = s2n_config_new());
711 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
712 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
713 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
714
715 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
716
717 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
718
719 EXPECT_NOT_NULL(server_config = s2n_config_new());
720 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
721 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
722
723 /* Create nonblocking pipes */
724 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
725
726 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
727 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
728
729 /* Add one ST key */
730 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
731
732 /* Add a mock delay such that the first key is close to it's encryption peak */
733 uint64_t mock_delay = (server_config->encrypt_decrypt_key_lifetime_in_nanos / 2) - ONE_SEC_IN_NANOS;
734 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
735
736 /* Add two more ST keys */
737 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, sizeof(ticket_key2), 0));
738 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name3, strlen((char *)ticket_key_name3), ticket_key3, sizeof(ticket_key3), 0));
739
740 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
741
742 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
743
744 /* Verify that the server did a full handshake and issued NST */
745 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
746 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
747
748 /* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
749 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
750 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
751 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name1, strlen((char *)ticket_key_name1));
752
753 /* Verify the lifetime hint from the server */
754 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
755
756 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
757
758 EXPECT_SUCCESS(s2n_connection_free(server_conn));
759 EXPECT_SUCCESS(s2n_connection_free(client_conn));
760
761 EXPECT_SUCCESS(s2n_config_free(server_config));
762 EXPECT_SUCCESS(s2n_config_free(client_config));
763 }
764
765 /* Scenario 2: Client sends empty ST and server has multiple encrypt-decrypt keys to choose from for encrypting NST */
766 {
767 EXPECT_NOT_NULL(client_config = s2n_config_new());
768 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
769 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
770 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
771
772 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
773
774 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
775
776 EXPECT_NOT_NULL(server_config = s2n_config_new());
777 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
778 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
779
780 /* Create nonblocking pipes */
781 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
782
783 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
784 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
785
786 /* Add one ST key */
787 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
788
789 /* Add second key when the first key is very close to it's encryption peak */
790 uint64_t mock_delay = (server_config->encrypt_decrypt_key_lifetime_in_nanos / 2) - ONE_SEC_IN_NANOS;
791 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
792 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, sizeof(ticket_key2), 0));
793
794 /* Add third key when the second key is very close to it's encryption peak and
795 * the first key is about to transition from encrypt-decrypt state to decrypt-only state
796 */
797 mock_delay = server_config->encrypt_decrypt_key_lifetime_in_nanos - ONE_SEC_IN_NANOS;
798 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
799 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name3, strlen((char *)ticket_key_name3), ticket_key3, sizeof(ticket_key3), 0));
800
801 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
802
803 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
804
805 /* Verify that the server did a full handshake and issued NST */
806 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
807 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
808
809 /* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
810 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
811 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
812 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, strlen((char *)ticket_key_name2));
813
814 /* Verify the lifetime hint from the server */
815 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS);
816
817 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
818
819 EXPECT_SUCCESS(s2n_connection_free(server_conn));
820 EXPECT_SUCCESS(s2n_connection_free(client_conn));
821
822 EXPECT_SUCCESS(s2n_config_free(server_config));
823 EXPECT_SUCCESS(s2n_config_free(client_config));
824 }
825
826 /* Testing s2n_config_set_ticket_encrypt_decrypt_key_lifetime and
827 * s2n_config_set_ticket_decrypt_key_lifetime calls */
828 {
829 EXPECT_NOT_NULL(client_config = s2n_config_new());
830 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
831 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
832 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
833
834 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
835
836 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
837
838 EXPECT_NOT_NULL(server_config = s2n_config_new());
839 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
840 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
841
842 /* Create nonblocking pipes */
843 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
844
845 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
846 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
847
848 /* Set encrypt-decrypt key expire time to 24 hours */
849 EXPECT_SUCCESS(s2n_config_set_ticket_encrypt_decrypt_key_lifetime(server_config, 86400));
850
851 /* Set decrypt-only key expire time to 5 hours */
852 EXPECT_SUCCESS(s2n_config_set_ticket_decrypt_key_lifetime(server_config, 18000));
853
854 /* Add one ST key */
855 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
856
857 /* Add second key when the first key is very close to it's encryption peak */
858 uint64_t mock_delay = (server_config->encrypt_decrypt_key_lifetime_in_nanos / 2) - ONE_SEC_IN_NANOS;
859 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
860 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, sizeof(ticket_key2), 0));
861
862 /* Add third key when the second key is very close to it's encryption peak and
863 * the first key is about to transition from encrypt-decrypt state to decrypt-only state
864 */
865 mock_delay = server_config->encrypt_decrypt_key_lifetime_in_nanos - ONE_SEC_IN_NANOS;
866 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
867 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name3, strlen((char *)ticket_key_name3), ticket_key3, sizeof(ticket_key3), 0));
868
869 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
870
871 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
872
873 /* Verify that the server did a full handshake and issued NST */
874 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
875 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
876
877 /* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
878 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
879 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
880 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, strlen((char *)ticket_key_name2));
881
882 /* Verify the lifetime hint from the server */
883 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), 86400 + 18000);
884
885 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
886
887 EXPECT_SUCCESS(s2n_connection_free(server_conn));
888 EXPECT_SUCCESS(s2n_connection_free(client_conn));
889
890 EXPECT_SUCCESS(s2n_config_free(server_config));
891 EXPECT_SUCCESS(s2n_config_free(client_config));
892 }
893
894 /* Add keys out of order and pre-emptively add a key */
895 {
896 EXPECT_NOT_NULL(client_config = s2n_config_new());
897 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
898 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
899 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
900
901 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
902
903 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
904
905 EXPECT_NOT_NULL(server_config = s2n_config_new());
906 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
907 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
908
909 /* Create nonblocking pipes */
910 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
911
912 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
913 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
914
915 /* Add a key. After 1 hour it will be considered an encrypt-decrypt key. */
916 POSIX_GUARD(server_config->wall_clock(server_config->sys_clock_ctx, &now));
917 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), (now/ONE_SEC_IN_NANOS) + 3600));
918
919 /* Add a key. After 1 hour it will reach it's peak */
920 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name2, strlen((char *)ticket_key_name2), ticket_key2, sizeof(ticket_key2), now/ONE_SEC_IN_NANOS ));
921
922 /* Add a key pre-emptively. It can be used only after 10 hours */
923 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name3, strlen((char *)ticket_key_name3), ticket_key3, sizeof(ticket_key3), now/ONE_SEC_IN_NANOS + 36000));
924
925 /* Add a mock delay such that negotiation happens after 1 hour */
926 uint64_t mock_delay = (server_config->encrypt_decrypt_key_lifetime_in_nanos / 2) - ONE_SEC_IN_NANOS;
927 EXPECT_SUCCESS(s2n_config_set_wall_clock(server_config, mock_nanoseconds_since_epoch, &mock_delay));
928
929 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
930
931 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
932
933 /* Verify that the server did a full handshake and issued NST */
934 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
935 EXPECT_TRUE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
936
937 /* Verify that the client received NST which is encrypted using a key which is at it's peak encryption */
938 serialized_session_state_length = s2n_connection_get_session_length(client_conn);
939 EXPECT_EQUAL(s2n_connection_get_session(client_conn, serialized_session_state, serialized_session_state_length), serialized_session_state_length);
940 EXPECT_BYTEARRAY_EQUAL(serialized_session_state + S2N_PARTIAL_SESSION_STATE_INFO_IN_BYTES, ticket_key_name2, strlen((char *)ticket_key_name2));
941
942 /* Verify that the keys are stored from oldest to newest */
943 EXPECT_OK(s2n_set_get(server_config->ticket_keys, 0, (void **)&ticket_key));
944 EXPECT_BYTEARRAY_EQUAL(ticket_key->key_name, ticket_key_name2, strlen((char *)ticket_key_name2));
945 EXPECT_OK(s2n_set_get(server_config->ticket_keys, 1, (void **)&ticket_key));
946 EXPECT_BYTEARRAY_EQUAL(ticket_key->key_name, ticket_key_name1, strlen((char *)ticket_key_name1));
947 EXPECT_OK(s2n_set_get(server_config->ticket_keys, 2, (void **)&ticket_key));
948 EXPECT_BYTEARRAY_EQUAL(ticket_key->key_name, ticket_key_name3, strlen((char *)ticket_key_name3));
949
950 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
951
952 EXPECT_SUCCESS(s2n_connection_free(server_conn));
953 EXPECT_SUCCESS(s2n_connection_free(client_conn));
954
955 EXPECT_SUCCESS(s2n_config_free(server_config));
956 EXPECT_SUCCESS(s2n_config_free(client_config));
957 }
958
959 /* Handshake with client auth and session ticket enabled */
960 {
961 EXPECT_NOT_NULL(client_config = s2n_config_new());
962 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
963
964 /* Client has session ticket and mutual auth enabled */
965 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
966 EXPECT_SUCCESS(s2n_config_set_client_auth_type(client_config, S2N_CERT_AUTH_OPTIONAL));
967
968 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
969 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
970
971 EXPECT_NOT_NULL(server_config = s2n_config_new());
972 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
973
974 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
975
976 /* Server has session ticket and mutual auth enabled */
977 EXPECT_SUCCESS(s2n_connection_set_client_auth_type(server_conn, S2N_CERT_AUTH_OPTIONAL));
978 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
979 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
980
981 /* Create nonblocking pipes */
982 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
983
984 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
985
986 /* Verify that the server did a full handshake and did not issue NST since client
987 * auth is enabled in server mode */
988 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
989 EXPECT_FALSE(IS_ISSUING_NEW_SESSION_TICKET(server_conn));
990
991 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
992
993 EXPECT_SUCCESS(s2n_connection_free(server_conn));
994 EXPECT_SUCCESS(s2n_connection_free(client_conn));
995
996 EXPECT_SUCCESS(s2n_config_free(server_config));
997 EXPECT_SUCCESS(s2n_config_free(client_config));
998 }
999
1000 /* s2n_decrypt_session_ticket fails to decrypt when presented with a valid ticket_key, valid iv and invalid encrypted blob */
1001 {
1002 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
1003 EXPECT_NOT_NULL(server_config = s2n_config_new());
1004
1005 /* Add Session Ticket key on the server config */
1006 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
1007 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
1008 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
1009
1010 /* Setup stuffers value containing the valid key name, valid iv and invalid encrypted blob */
1011 POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, ticket_key_name1, sizeof(ticket_key_name1)));
1012
1013 uint8_t valid_iv[S2N_TLS_GCM_IV_LEN] = {0};
1014 POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, valid_iv, sizeof(valid_iv)));
1015
1016 uint8_t invalid_en_data[S2N_TLS12_STATE_SIZE_IN_BYTES + S2N_TLS_GCM_TAG_LEN] = {0};
1017 POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, invalid_en_data, sizeof(invalid_en_data)));
1018
1019 server_conn->session_ticket_status = S2N_DECRYPT_TICKET;
1020 EXPECT_FAILURE_WITH_ERRNO(s2n_decrypt_session_ticket(server_conn, &server_conn->client_ticket_to_decrypt), S2N_ERR_DECRYPT);
1021
1022 EXPECT_SUCCESS(s2n_connection_free(server_conn));
1023 EXPECT_SUCCESS(s2n_config_free(server_config));
1024 }
1025
1026 /* s2n_decrypt_session_ticket fails with a key not found error when presented with an invalid ticket_key, valid iv and invalid encrypted blob */
1027 {
1028 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
1029 EXPECT_NOT_NULL(server_config = s2n_config_new());
1030
1031 /* Add Session Ticket key on the server config */
1032 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
1033 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), 0));
1034 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
1035
1036 /* Setup stuffers value containing the invalid key name, valid iv and invalid encrypted blob */
1037 POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, ticket_key_name2, sizeof(ticket_key_name2)));
1038
1039 uint8_t valid_iv[S2N_TLS_GCM_IV_LEN] = {0};
1040 POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, valid_iv, sizeof(valid_iv)));
1041
1042 uint8_t invalid_en_data[S2N_TLS12_STATE_SIZE_IN_BYTES + S2N_TLS_GCM_TAG_LEN] = {0};
1043 POSIX_GUARD(s2n_stuffer_write_bytes(&server_conn->client_ticket_to_decrypt, invalid_en_data, sizeof(invalid_en_data)));
1044
1045 server_conn->session_ticket_status = S2N_DECRYPT_TICKET;
1046 EXPECT_FAILURE_WITH_ERRNO(s2n_decrypt_session_ticket(server_conn, &server_conn->client_ticket_to_decrypt), S2N_ERR_KEY_USED_IN_SESSION_TICKET_NOT_FOUND);
1047
1048 EXPECT_SUCCESS(s2n_connection_free(server_conn));
1049 EXPECT_SUCCESS(s2n_config_free(server_config));
1050 }
1051
1052 /* Test s2n_connection_is_session_resumed */
1053 {
1054 /* TLS1.2 */
1055 {
1056 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
1057 EXPECT_NOT_NULL(conn);
1058 conn->actual_protocol_version = S2N_TLS12;
1059
1060 conn->handshake.handshake_type = INITIAL;
1061 EXPECT_FALSE(s2n_connection_is_session_resumed(conn));
1062
1063 conn->handshake.handshake_type = NEGOTIATED | WITH_SESSION_TICKET;
1064 EXPECT_TRUE(s2n_connection_is_session_resumed(conn));
1065
1066 /* Ignores PSK mode */
1067 conn->psk_params.type = S2N_PSK_TYPE_EXTERNAL;
1068 EXPECT_TRUE(s2n_connection_is_session_resumed(conn));
1069
1070 EXPECT_SUCCESS(s2n_connection_free(conn));
1071 }
1072
1073 /* TLS1.3 */
1074 {
1075 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
1076 EXPECT_NOT_NULL(conn);
1077 conn->actual_protocol_version = S2N_TLS13;
1078
1079 conn->handshake.handshake_type = INITIAL;
1080 conn->psk_params.type = S2N_PSK_TYPE_EXTERNAL;
1081 EXPECT_FALSE(s2n_connection_is_session_resumed(conn));
1082
1083 conn->handshake.handshake_type = NEGOTIATED;
1084 conn->psk_params.type = S2N_PSK_TYPE_EXTERNAL;
1085 EXPECT_FALSE(s2n_connection_is_session_resumed(conn));
1086
1087 conn->handshake.handshake_type = NEGOTIATED;
1088 conn->psk_params.type = S2N_PSK_TYPE_RESUMPTION;
1089 EXPECT_TRUE(s2n_connection_is_session_resumed(conn));
1090
1091 EXPECT_SUCCESS(s2n_connection_free(conn));
1092 }
1093 }
1094
1095 /* Session resumption APIs and session_ticket_cb return the same values
1096 * when receiving a new ticket in TLS1.2
1097 */
1098 {
1099 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
1100
1101 EXPECT_NOT_NULL(client_config = s2n_config_new());
1102 EXPECT_SUCCESS(s2n_config_set_wall_clock(client_config, mock_time, NULL));
1103 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(client_config, 1));
1104 EXPECT_SUCCESS(s2n_config_disable_x509_verification(client_config));
1105
1106 /* Client will use callback when server nst is received */
1107 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(client_config, s2n_test_session_ticket_callback, NULL));
1108 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, client_config));
1109
1110 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
1111 EXPECT_NOT_NULL(server_config = s2n_config_new());
1112 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(server_config, 1));
1113 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(server_config, chain_and_key));
1114
1115 /* Create nonblocking pipes */
1116 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
1117
1118 /* Set session state lifetime for 15 hours which is equal to the default lifetime of a ticket key */
1119 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(server_config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
1120
1121 /* Add one ST key */
1122 POSIX_GUARD(server_config->wall_clock(server_config->sys_clock_ctx, &now));
1123 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(server_config, ticket_key_name1, strlen((char *)ticket_key_name1), ticket_key1, sizeof(ticket_key1), now/ONE_SEC_IN_NANOS));
1124
1125 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, server_config));
1126
1127 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
1128
1129 /* Expect values from the session_ticket_cb are equivalent to values from the APIs */
1130 EXPECT_EQUAL(cb_session_data_len, s2n_connection_get_session_length(client_conn));
1131 uint8_t session_data[S2N_TLS12_SESSION_SIZE] = { 0 };
1132 EXPECT_SUCCESS(s2n_connection_get_session(client_conn, session_data, cb_session_data_len));
1133 EXPECT_BYTEARRAY_EQUAL(cb_session_data, session_data, cb_session_data_len);
1134
1135 EXPECT_EQUAL(cb_session_lifetime, s2n_connection_get_session_ticket_lifetime_hint(client_conn));
1136
1137 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
1138
1139 EXPECT_SUCCESS(s2n_connection_free(server_conn));
1140 EXPECT_SUCCESS(s2n_connection_free(client_conn));
1141
1142 EXPECT_SUCCESS(s2n_config_free(server_config));
1143 EXPECT_SUCCESS(s2n_config_free(client_config));
1144 }
1145
1146 EXPECT_SUCCESS(s2n_reset_tls13());
1147
1148 /* Session resumption APIs and session_ticket_cb return the same values
1149 * when receiving a new ticket in TLS1.3
1150 */
1151 if (s2n_is_tls13_fully_supported()) {
1152 struct s2n_config *config = s2n_config_new();
1153 EXPECT_NOT_NULL(config);
1154 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, ecdsa_chain_and_key));
1155 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
1156 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
1157 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name1, strlen((char *)ticket_key_name1),
1158 ticket_key1, sizeof(ticket_key1), 0));
1159 EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
1160
1161 /* Freeze time */
1162 POSIX_GUARD(config->wall_clock(config->sys_clock_ctx, &now));
1163 EXPECT_OK(s2n_config_mock_wall_clock(config, &now));
1164
1165 /* Send one NewSessionTicket */
1166 cb_session_data_len = 0;
1167 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_callback, NULL));
1168 EXPECT_SUCCESS(s2n_config_set_initial_ticket_count(config, 1));
1169
1170 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
1171 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
1172
1173 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
1174 EXPECT_SUCCESS(s2n_connection_set_blinding(server_conn, S2N_SELF_SERVICE_BLINDING));
1175 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
1176
1177 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
1178 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
1179
1180 /* Verify that TLS1.3 was negotiated */
1181 EXPECT_EQUAL(client_conn->actual_protocol_version, S2N_TLS13);
1182 EXPECT_EQUAL(server_conn->actual_protocol_version, S2N_TLS13);
1183
1184 /* Old TLS1.2 customer code will likely attempt to read the ticket here -- ensure we indicate no ticket yet */
1185 EXPECT_EQUAL(s2n_connection_get_session_length(client_conn), 0);
1186
1187 /* Receive and save the issued session ticket for the next test */
1188 s2n_blocked_status blocked = S2N_NOT_BLOCKED;
1189 uint8_t out = 0;
1190 EXPECT_FAILURE_WITH_ERRNO(s2n_recv(client_conn, &out, 1, &blocked), S2N_ERR_IO_BLOCKED);
1191 EXPECT_NOT_EQUAL(cb_session_data_len, 0);
1192 EXPECT_SUCCESS(s2n_stuffer_write_bytes(&tls13_serialized_session_state, cb_session_data, cb_session_data_len));
1193
1194 /* Verify correct session ticket lifetime "hint" */
1195 EXPECT_EQUAL(s2n_connection_get_session_ticket_lifetime_hint(client_conn), cb_session_lifetime);
1196
1197 /* Verify the session ticket APIs produce the same results as the callback */
1198 DEFER_CLEANUP(struct s2n_blob legacy_api_ticket = { 0 }, s2n_free);
1199 EXPECT_SUCCESS(s2n_realloc(&legacy_api_ticket, cb_session_data_len));
1200 EXPECT_EQUAL(s2n_connection_get_session_length(client_conn), cb_session_data_len);
1201 EXPECT_SUCCESS(s2n_connection_get_session(client_conn, legacy_api_ticket.data, legacy_api_ticket.size));
1202 EXPECT_BYTEARRAY_EQUAL(cb_session_data, legacy_api_ticket.data, legacy_api_ticket.size);
1203
1204 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
1205 EXPECT_SUCCESS(s2n_connection_free(server_conn));
1206 EXPECT_SUCCESS(s2n_connection_free(client_conn));
1207 EXPECT_SUCCESS(s2n_config_free(config));
1208 }
1209
1210 /* Client has TLS1.3 ticket but negotiates TLS1.2 */
1211 if (s2n_is_tls13_fully_supported()) {
1212 s2n_extension_type_id client_session_ticket_ext_id = 0, psk_ext_id = 0;
1213 EXPECT_SUCCESS(s2n_extension_supported_iana_value_to_id(TLS_EXTENSION_PRE_SHARED_KEY, &psk_ext_id));
1214 EXPECT_SUCCESS(s2n_extension_supported_iana_value_to_id(TLS_EXTENSION_SESSION_TICKET, &client_session_ticket_ext_id));
1215
1216 struct s2n_config *config = s2n_config_new();
1217 EXPECT_NOT_NULL(config);
1218 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
1219 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
1220 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
1221 EXPECT_SUCCESS(s2n_config_set_session_state_lifetime(config, S2N_SESSION_STATE_CONFIGURABLE_LIFETIME_IN_SECS));
1222 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name1, strlen((char *)ticket_key_name1),
1223 ticket_key1, sizeof(ticket_key1), 0));
1224
1225 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
1226 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
1227 EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(client_conn, "test_all"));
1228 EXPECT_SUCCESS(s2n_connection_set_session(client_conn, tls13_serialized_session_state.blob.data,
1229 s2n_stuffer_data_available(&tls13_serialized_session_state)));
1230
1231 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
1232 EXPECT_SUCCESS(s2n_connection_set_blinding(server_conn, S2N_SELF_SERVICE_BLINDING));
1233 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
1234 EXPECT_SUCCESS(s2n_connection_set_cipher_preferences(server_conn, "default"));
1235
1236 EXPECT_SUCCESS(s2n_connections_set_io_pair(client_conn, server_conn, &io_pair));
1237 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
1238
1239 /* Verify that TLS1.2 was negotiated */
1240 EXPECT_EQUAL(client_conn->actual_protocol_version, S2N_TLS12);
1241 EXPECT_EQUAL(server_conn->actual_protocol_version, S2N_TLS12);
1242
1243 /* Verify that the client did NOT try to use TLS1.2 tickets */
1244 EXPECT_FALSE(S2N_CBIT_TEST(client_conn->extension_requests_sent, client_session_ticket_ext_id));
1245 EXPECT_FALSE(S2N_CBIT_TEST(client_conn->extension_requests_sent, client_session_ticket_ext_id));
1246
1247 /* Verify that the client tried to use TLS1.3 tickets, but the server ignored them */
1248 EXPECT_TRUE(S2N_CBIT_TEST(client_conn->extension_requests_sent, psk_ext_id));
1249 EXPECT_FALSE(S2N_CBIT_TEST(server_conn->extension_requests_sent, psk_ext_id));
1250
1251 /* Verify that a full handshake occurred instead */
1252 EXPECT_TRUE(IS_FULL_HANDSHAKE(client_conn));
1253 EXPECT_TRUE(IS_FULL_HANDSHAKE(server_conn));
1254
1255 EXPECT_SUCCESS(s2n_shutdown_test_server_and_client(server_conn, client_conn));
1256 EXPECT_SUCCESS(s2n_connection_free(server_conn));
1257 EXPECT_SUCCESS(s2n_connection_free(client_conn));
1258 EXPECT_SUCCESS(s2n_config_free(config));
1259 }
1260
1261 EXPECT_SUCCESS(s2n_io_pair_close(&io_pair));
1262 EXPECT_SUCCESS(s2n_cert_chain_and_key_free(chain_and_key));
1263 EXPECT_SUCCESS(s2n_cert_chain_and_key_free(ecdsa_chain_and_key));
1264 free(cert_chain);
1265 free(private_key);
1266 END_TEST();
1267 return 0;
1268 }
1269