1 /*
2 * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
3 *
4 * Licensed under the Apache License, Version 2.0 (the "License").
5 * You may not use this file except in compliance with the License.
6 * A copy of the License is located at
7 *
8 * http://aws.amazon.com/apache2.0
9 *
10 * or in the "license" file accompanying this file. This file is distributed
11 * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
12 * express or implied. See the License for the specific language governing
13 * permissions and limitations under the License.
14 */
15
16 #include "s2n_test.h"
17
18 #include "testlib/s2n_testlib.h"
19
20 #include "tls/s2n_tls.h"
21 /* To test static functions */
22 #include "tls/s2n_server_new_session_ticket.c"
23
24 #define TEST_TICKET_AGE_ADD 0x01, 0x02, 0x03, 0x04
25 #define TEST_LIFETIME 0x00, 0x01, 0x01, 0x01
26 #define TEST_TICKET 0x01, 0xFF, 0x23
27
28 #define ONE_HOUR_IN_NANOS 3600000000000
29
30 #define TICKET_AGE_ADD_MARKER sizeof(uint8_t) + /* message id */ \
31 SIZEOF_UINT24 + /* message len */ \
32 sizeof(uint32_t) /* ticket lifetime */
33 #define RECORD_LEN_MARKER sizeof(uint8_t) + /* message type */ \
34 sizeof(uint16_t) /* protocol version */
35
36 #define MAX_TEST_SESSION_SIZE 300
37
38 #define EXPECT_TICKETS_SENT(conn, count) EXPECT_OK(s2n_assert_tickets_sent(conn, count))
39
s2n_assert_tickets_sent(struct s2n_connection * conn,uint16_t expected_tickets_sent)40 static S2N_RESULT s2n_assert_tickets_sent(struct s2n_connection *conn, uint16_t expected_tickets_sent)
41 {
42 uint16_t tickets_sent = 0;
43 RESULT_GUARD_POSIX(s2n_connection_get_tickets_sent(conn, &tickets_sent));
44 RESULT_ENSURE_EQ(tickets_sent, expected_tickets_sent);
45 return S2N_RESULT_OK;
46 }
47
48 size_t cb_session_data_len = 0;
49 uint8_t cb_session_data[MAX_TEST_SESSION_SIZE] = { 0 };
50 uint32_t cb_session_lifetime = 0;
s2n_test_session_ticket_cb(struct s2n_connection * conn,void * ctx,struct s2n_session_ticket * ticket)51 static int s2n_test_session_ticket_cb(struct s2n_connection *conn, void *ctx, struct s2n_session_ticket *ticket)
52 {
53 POSIX_ENSURE_REF(conn);
54 POSIX_ENSURE_REF(ticket);
55
56 EXPECT_SUCCESS(s2n_session_ticket_get_data_len(ticket, &cb_session_data_len));
57 EXPECT_SUCCESS(s2n_session_ticket_get_data(ticket, cb_session_data_len, cb_session_data));
58 EXPECT_SUCCESS(s2n_session_ticket_get_lifetime(ticket, &cb_session_lifetime));
59
60 return S2N_SUCCESS;
61 }
62
s2n_setup_test_ticket_key(struct s2n_config * config)63 static int s2n_setup_test_ticket_key(struct s2n_config *config)
64 {
65 POSIX_ENSURE_REF(config);
66
67 /**
68 *= https://tools.ietf.org/rfc/rfc5869#appendix-A.1
69 *# PRK = 0x077709362c2e32df0ddc3f0dc47bba63
70 *# 90b6c73bb50f9c3122ec844ad7c2b3e5 (32 octets)
71 **/
72 S2N_BLOB_FROM_HEX(ticket_key,
73 "077709362c2e32df0ddc3f0dc47bba63"
74 "90b6c73bb50f9c3122ec844ad7c2b3e5");
75
76 /* Set up encryption key */
77 uint64_t current_time;
78 uint8_t ticket_key_name[16] = "2016.07.26.15\0";
79 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
80 EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, ¤t_time));
81 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, ticket_key_name, strlen((char *)ticket_key_name),
82 ticket_key.data, ticket_key.size, current_time/ONE_SEC_IN_NANOS));
83
84 return S2N_SUCCESS;
85 }
86
s2n_setup_test_resumption_secret(struct s2n_connection * conn)87 static int s2n_setup_test_resumption_secret(struct s2n_connection *conn)
88 {
89 POSIX_ENSURE_REF(conn);
90 /**
91 *= https://tools.ietf.org/rfc/rfc8448#section-3
92 *# PRK (32 octets): 7d f2 35 f2 03 1d 2a 05 12 87 d0 2b 02 41 b0 bf
93 *# da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c
94 **/
95 S2N_BLOB_FROM_HEX(test_resumption_secret,
96 "7d f2 35 f2 03 1d 2a 05 12 87 d0 2b 02 41 b0 bf \
97 da f8 6c c8 56 23 1f 2d 5a ba 46 c4 34 ec 19 6c");
98
99 /* Set up resumption secret */
100 struct s2n_blob secret = { 0 };
101 struct s2n_stuffer secret_stuffer = { 0 };
102 EXPECT_SUCCESS(s2n_blob_init(&secret, conn->resumption_master_secret, S2N_TLS_SECRET_LEN));
103 EXPECT_SUCCESS(s2n_stuffer_init(&secret_stuffer, &secret));
104 EXPECT_SUCCESS(s2n_stuffer_write_bytes(&secret_stuffer, test_resumption_secret.data, test_resumption_secret.size));
105
106 return S2N_SUCCESS;
107 }
108
main(int argc,char ** argv)109 int main(int argc, char **argv)
110 {
111 BEGIN_TEST();
112
113 /* s2n_tls13_server_nst_write */
114 {
115 /* Check session ticket message is correctly written. */
116 {
117 struct s2n_config *config;
118 struct s2n_connection *conn;
119 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
120 EXPECT_NOT_NULL(config = s2n_config_new());
121
122 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
123 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
124
125 conn->actual_protocol_version = S2N_TLS13;
126 conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
127 uint16_t test_tickets_sent = 10;
128 conn->tickets_sent = test_tickets_sent;
129
130 /* Set up output stuffer */
131 struct s2n_stuffer output = { 0 };
132 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&output, 0));
133
134 EXPECT_OK(s2n_tls13_server_nst_write(conn, &output));
135
136 uint8_t message_type = 0;
137 EXPECT_SUCCESS(s2n_stuffer_read_uint8(&output, &message_type));
138 EXPECT_EQUAL(TLS_SERVER_NEW_SESSION_TICKET, message_type);
139
140 uint32_t message_size = 0;
141 EXPECT_SUCCESS(s2n_stuffer_read_uint24(&output, &message_size));
142 EXPECT_EQUAL(message_size, s2n_stuffer_data_available(&output));
143
144 uint32_t ticket_lifetime = 0;
145 EXPECT_SUCCESS(s2n_stuffer_read_uint32(&output, &ticket_lifetime));
146 uint32_t key_lifetime_in_secs =
147 (S2N_TICKET_ENCRYPT_DECRYPT_KEY_LIFETIME_IN_NANOS + S2N_TICKET_DECRYPT_KEY_LIFETIME_IN_NANOS) / ONE_SEC_IN_NANOS;
148 EXPECT_EQUAL(key_lifetime_in_secs, ticket_lifetime);
149
150 /* Skipping random data */
151 EXPECT_SUCCESS(s2n_stuffer_skip_read(&output, sizeof(uint32_t)));
152
153 uint8_t ticket_nonce_len = 0;
154 EXPECT_SUCCESS(s2n_stuffer_read_uint8(&output, &ticket_nonce_len));
155 EXPECT_EQUAL(sizeof(uint16_t), ticket_nonce_len);
156
157 uint8_t ticket_nonce[sizeof(uint16_t)] = { 0 };
158 EXPECT_SUCCESS(s2n_stuffer_read_bytes(&output, ticket_nonce, ticket_nonce_len));
159
160 uint8_t tickets_sent_array[sizeof(uint16_t)] = { 0 };
161 struct s2n_blob blob = { 0 };
162 EXPECT_SUCCESS(s2n_blob_init(&blob, tickets_sent_array, sizeof(uint16_t)));
163 EXPECT_OK(s2n_generate_ticket_nonce(test_tickets_sent, &blob));
164 EXPECT_BYTEARRAY_EQUAL(ticket_nonce, blob.data, ticket_nonce_len);
165
166 uint16_t session_ticket_len = 0;
167 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&output, &session_ticket_len));
168 uint8_t size_of_extensions_size = sizeof(uint16_t);
169 EXPECT_EQUAL(session_ticket_len, (s2n_stuffer_data_available(&output) - size_of_extensions_size));
170
171 /* Skipping encrypted ticket data */
172 EXPECT_SUCCESS(s2n_stuffer_skip_read(&output, session_ticket_len));
173
174 uint16_t extensions_len = 0;
175 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&output, &extensions_len));
176 EXPECT_EQUAL(extensions_len, 0);
177
178 EXPECT_EQUAL(s2n_stuffer_data_available(&output), 0);
179
180 EXPECT_TRUE(conn->tickets_sent == test_tickets_sent + 1);
181
182 EXPECT_SUCCESS(s2n_connection_free(conn));
183 EXPECT_SUCCESS(s2n_stuffer_free(&output));
184 EXPECT_SUCCESS(s2n_config_free(config));
185 }
186
187 /* tickets_sent overflow */
188 {
189 struct s2n_config *config;
190 struct s2n_connection *conn;
191 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
192 EXPECT_NOT_NULL(config = s2n_config_new());
193
194 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
195 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
196
197 conn->actual_protocol_version = S2N_TLS13;
198 conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
199 conn->tickets_sent = UINT16_MAX;
200
201 /* Set up output stuffer */
202 struct s2n_stuffer output = { 0 };
203 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&output, 0));
204
205 EXPECT_ERROR_WITH_ERRNO(s2n_tls13_server_nst_write(conn, &output), S2N_ERR_INTEGER_OVERFLOW);
206
207 EXPECT_SUCCESS(s2n_connection_free(conn));
208 EXPECT_SUCCESS(s2n_stuffer_free(&output));
209 EXPECT_SUCCESS(s2n_config_free(config));
210 }
211
212 /** ticket_age_add values do not repeat after sending multiple new session tickets
213 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
214 *= type=test
215 *# The server MUST generate a fresh value
216 *# for each ticket it sends.
217 **/
218 {
219 struct s2n_config *config;
220 struct s2n_connection *conn;
221 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
222 EXPECT_NOT_NULL(config = s2n_config_new());
223
224 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
225 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
226
227 conn->actual_protocol_version = S2N_TLS13;
228 conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
229
230 /* Set up output stuffer */
231 struct s2n_stuffer output = { 0 };
232 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&output, 0));
233
234 EXPECT_OK(s2n_tls13_server_nst_write(conn, &output));
235
236 uint32_t original_ticket_age_add = 0;
237 EXPECT_SUCCESS(s2n_stuffer_skip_read(&output, TICKET_AGE_ADD_MARKER));
238 EXPECT_SUCCESS(s2n_stuffer_read_uint32(&output, &original_ticket_age_add));
239
240 EXPECT_SUCCESS(s2n_stuffer_wipe(&output));
241 EXPECT_OK(s2n_tls13_server_nst_write(conn, &output));
242
243 uint32_t new_ticket_age_add = 0;
244 EXPECT_SUCCESS(s2n_stuffer_skip_read(&output, TICKET_AGE_ADD_MARKER));
245 EXPECT_SUCCESS(s2n_stuffer_read_uint32(&output, &new_ticket_age_add));
246
247 EXPECT_NOT_EQUAL(original_ticket_age_add, new_ticket_age_add);
248
249 EXPECT_SUCCESS(s2n_connection_free(conn));
250 EXPECT_SUCCESS(s2n_stuffer_free(&output));
251 EXPECT_SUCCESS(s2n_config_free(config));
252 }
253
254 /* Test that the message written by the server includes extensions.
255 * Specifically, check for the early_data_indication extension. */
256 {
257 const uint32_t expected_max_early_data_size = 10;
258
259 /* Calculate extension list offset. Extension list should be last. */
260 const uint32_t extension_list_offset = sizeof(uint32_t) /* max_early_data_size */
261 + sizeof(uint16_t) /* size of extension */
262 + sizeof(uint16_t) /* type of extension */;
263
264 struct s2n_config *config = s2n_config_new();
265 EXPECT_NOT_NULL(config);
266 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
267
268 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
269 EXPECT_NOT_NULL(conn);
270 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
271 EXPECT_SUCCESS(s2n_connection_set_server_max_early_data_size(conn, expected_max_early_data_size));
272 conn->actual_protocol_version = S2N_TLS13;
273 conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
274
275 struct s2n_stuffer output = { 0 };
276 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&output, 0));
277
278 EXPECT_OK(s2n_tls13_server_nst_write(conn, &output));
279 EXPECT_SUCCESS(s2n_stuffer_skip_read(&output,
280 s2n_stuffer_data_available(&output) - extension_list_offset));
281
282 uint16_t extension_type = 0;
283 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&output, &extension_type));
284 EXPECT_EQUAL(extension_type, TLS_EXTENSION_EARLY_DATA);
285
286 uint16_t extension_size = 0;
287 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&output, &extension_size));
288 EXPECT_EQUAL(extension_size, sizeof(uint32_t));
289
290 uint32_t actual_max_early_data_size = 0;
291 EXPECT_SUCCESS(s2n_stuffer_read_uint32(&output, &actual_max_early_data_size));
292 EXPECT_EQUAL(actual_max_early_data_size, expected_max_early_data_size);
293
294 EXPECT_SUCCESS(s2n_connection_free(conn));
295 EXPECT_SUCCESS(s2n_stuffer_free(&output));
296 EXPECT_SUCCESS(s2n_config_free(config));
297 }
298
299 /* Can't write ticket larger than allowed size of a PSK identity */
300 {
301 struct s2n_config *config = s2n_config_new();
302 EXPECT_NOT_NULL(config);
303 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
304 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
305 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
306
307 struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER);
308 EXPECT_NOT_NULL(server_conn);
309 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
310 server_conn->actual_protocol_version = S2N_TLS13;
311 server_conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
312 EXPECT_SUCCESS(s2n_connection_set_server_max_early_data_size(server_conn, 10));
313
314 /* Set context to be UINT16_MAX */
315 uint8_t early_data_context[UINT16_MAX] = { 0 };
316 EXPECT_SUCCESS(s2n_connection_set_server_early_data_context(server_conn,
317 early_data_context, sizeof(early_data_context)));
318
319 DEFER_CLEANUP(struct s2n_stuffer stuffer = { 0 }, s2n_stuffer_free);
320 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
321
322 EXPECT_ERROR_WITH_ERRNO(s2n_tls13_server_nst_write(server_conn, &stuffer), S2N_ERR_SIZE_MISMATCH);
323
324 EXPECT_SUCCESS(s2n_connection_free(server_conn));
325 EXPECT_SUCCESS(s2n_config_free(config));
326 }
327 }
328
329 /* s2n_generate_ticket_lifetime */
330 {
331 uint32_t min_lifetime = 0;
332 struct s2n_connection *conn;
333 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
334
335 /* Test: encrypt + decrypt key has shortest lifetime */
336 conn->config->encrypt_decrypt_key_lifetime_in_nanos = ONE_HOUR_IN_NANOS;
337 conn->config->decrypt_key_lifetime_in_nanos = ONE_HOUR_IN_NANOS;
338 conn->config->session_state_lifetime_in_nanos = ONE_HOUR_IN_NANOS * 3;
339
340 EXPECT_OK(s2n_generate_ticket_lifetime(conn, &min_lifetime));
341 EXPECT_EQUAL(min_lifetime, (ONE_HOUR_IN_NANOS * 2) / ONE_SEC_IN_NANOS);
342
343 /* Test: Session state has shortest lifetime */
344 conn->config->encrypt_decrypt_key_lifetime_in_nanos = ONE_HOUR_IN_NANOS;
345 conn->config->decrypt_key_lifetime_in_nanos = ONE_HOUR_IN_NANOS;
346 conn->config->session_state_lifetime_in_nanos = ONE_HOUR_IN_NANOS;
347
348 EXPECT_OK(s2n_generate_ticket_lifetime(conn, &min_lifetime));
349 EXPECT_EQUAL(min_lifetime, ONE_HOUR_IN_NANOS / ONE_SEC_IN_NANOS);
350
351 /** Test: Both session state and decrypt key have longer lifetimes than a week
352 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
353 *= type=test
354 *# Servers MUST NOT use any value greater than
355 *# 604800 seconds (7 days).
356 **/
357 /* Note: We turn these integer literals into uint64_t values because otherwise
358 * they will be interpreted as uint32_t values and an faulty integer overflow error
359 * will be thrown. */
360 uint64_t one_week_in_sec = ONE_WEEK_IN_SEC;
361 uint64_t one_sec_in_nanos = ONE_SEC_IN_NANOS;
362 uint64_t one_week_in_nanos = one_week_in_sec * one_sec_in_nanos;
363 conn->config->encrypt_decrypt_key_lifetime_in_nanos = one_week_in_nanos;
364 conn->config->decrypt_key_lifetime_in_nanos = one_week_in_nanos;
365 conn->config->session_state_lifetime_in_nanos = one_week_in_nanos + 1;
366
367 EXPECT_OK(s2n_generate_ticket_lifetime(conn, &min_lifetime));
368 EXPECT_EQUAL(min_lifetime, ONE_WEEK_IN_SEC);
369
370 EXPECT_SUCCESS(s2n_connection_free(conn));
371 }
372
373 /* s2n_generate_ticket_nonce */
374 {
375 struct {
376 uint16_t value;
377 uint8_t expected_output[2];
378 } test_cases[] = {
379 { .value = 0, .expected_output = { 0 , 0 } },
380 { .value = 1, .expected_output = { 0 , 1 } },
381 { .value = 20, .expected_output = { 0 , 20 } },
382 { .value = UINT8_MAX, .expected_output = { 0 , UINT8_MAX } },
383 { .value = UINT8_MAX + 1, .expected_output = { 1 , 0 } },
384 { .value = UINT16_MAX, .expected_output = { UINT8_MAX, UINT8_MAX } },
385 { .value = UINT16_MAX - 1, .expected_output = { UINT8_MAX, UINT8_MAX - 1 } },
386 };
387
388 for (size_t i = 0; i < s2n_array_len(test_cases); i++) {
389 uint8_t data[sizeof(uint16_t)] = { 0 };
390 struct s2n_blob blob = { 0 };
391 EXPECT_SUCCESS(s2n_blob_init(&blob, data, sizeof(data)));
392
393 EXPECT_OK(s2n_generate_ticket_nonce(test_cases[i].value, &blob));
394
395 EXPECT_EQUAL(test_cases[i].expected_output[0], data[0]);
396 EXPECT_EQUAL(test_cases[i].expected_output[1], data[1]);
397 }
398 }
399
400 /* s2n_generate_ticket_age_add */
401 {
402 struct {
403 uint8_t value[4];
404 uint32_t expected_output;
405 } test_cases[] = {
406 { .value = { 0, 0, 0, 0 }, .expected_output = 0 },
407 { .value = { 0, 0, 0, 1 }, .expected_output = 1 },
408 { .value = { 0, 0, 0, 20 }, .expected_output = 20 },
409 { .value = { 0, 0, 1, 0 }, .expected_output = UINT8_MAX + 1 },
410 { .value = { 0, 1, 0, 0 }, .expected_output = UINT16_MAX + 1 },
411 { .value = { 0, 0, UINT8_MAX, UINT8_MAX }, .expected_output = UINT16_MAX },
412 { .value = { UINT8_MAX, UINT8_MAX, UINT8_MAX, UINT8_MAX }, .expected_output = UINT32_MAX },
413 { .value = { UINT8_MAX, UINT8_MAX, UINT8_MAX, UINT8_MAX - 1}, .expected_output = UINT32_MAX - 1 },
414 };
415
416 for (size_t i = 0; i < s2n_array_len(test_cases); i++) {
417 uint32_t output = 0;
418 struct s2n_blob blob = { 0 };
419 EXPECT_SUCCESS(s2n_blob_init(&blob, test_cases[i].value, sizeof(test_cases[i].value)));
420 EXPECT_OK(s2n_generate_ticket_age_add(&blob, &output));
421
422 EXPECT_EQUAL(output, test_cases[i].expected_output);
423 }
424 }
425
426 /* s2n_generate_session_secret */
427 {
428 /**
429 *= https://tools.ietf.org/rfc/rfc8448#section-3
430 *# expanded (32 octets): 4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c
431 *# a4 c5 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3
432 **/
433 S2N_BLOB_FROM_HEX(expected_session_secret,
434 "4e cd 0e b6 ec 3b 4d 87 f5 d6 02 8f 92 2c \
435 a4 c5 85 1a 27 7f d4 13 11 c9 e6 2d 2c 94 92 e1 c4 f3");
436
437 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
438 EXPECT_NOT_NULL(conn);
439
440 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
441 EXPECT_SUCCESS(s2n_setup_test_resumption_secret(conn));
442
443 uint8_t nonce_data[sizeof(uint16_t)] = { 0 };
444 struct s2n_blob nonce = { 0 };
445 EXPECT_SUCCESS(s2n_blob_init(&nonce, nonce_data, sizeof(nonce_data)));
446
447 struct s2n_blob *output = &conn->tls13_ticket_fields.session_secret;
448 EXPECT_SUCCESS(s2n_generate_session_secret(conn, &nonce, output));
449 EXPECT_EQUAL(output->size, expected_session_secret.size);
450 EXPECT_BYTEARRAY_EQUAL(output->data, expected_session_secret.data, expected_session_secret.size);
451
452 EXPECT_SUCCESS(s2n_connection_free(conn));
453 }
454
455 /* s2n_tls13_server_nst_recv */
456 {
457 uint8_t test_ticket[] = { TEST_TICKET };
458 uint8_t nst_data[] = {
459 TEST_LIFETIME, /* ticket lifetime */
460 TEST_TICKET_AGE_ADD, /* ticket age add */
461 0x02, /* nonce len */
462 0x00, 0x00, /* nonce */
463 0x00, 0x03, /* ticket len */
464 TEST_TICKET, /* ticket */
465 0x00, 0x00, /* extensions len */
466 };
467
468 /* Does not read ticket message if config->use_tickets is not set */
469 {
470 struct s2n_config *config = s2n_config_new();
471 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
472 EXPECT_NOT_NULL(conn);
473 EXPECT_NOT_NULL(config);
474
475 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
476
477 /* Set up input stuffer */
478 DEFER_CLEANUP(struct s2n_stuffer input = { 0 }, s2n_stuffer_free);
479 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));
480
481 struct s2n_blob nst_message = { 0 };
482 EXPECT_SUCCESS(s2n_blob_init(&nst_message, nst_data, sizeof(nst_data)));
483 EXPECT_SUCCESS(s2n_stuffer_write(&input, &nst_message));
484
485 EXPECT_OK(s2n_tls13_server_nst_recv(conn, &input));
486
487 EXPECT_EQUAL(conn->client_ticket.size, 0);
488 EXPECT_TRUE(s2n_stuffer_data_available(&input) > 0);
489
490 EXPECT_SUCCESS(s2n_connection_free(conn));
491 EXPECT_SUCCESS(s2n_config_free(config));
492 }
493
494 /* Not allowed in TLS1.2 */
495 {
496 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
497 EXPECT_NOT_NULL(conn);
498 conn->actual_protocol_version = S2N_TLS12;
499
500 /* Set up input stuffer */
501 DEFER_CLEANUP(struct s2n_stuffer input = { 0 }, s2n_stuffer_free);
502 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));
503
504 struct s2n_blob nst_message = { 0 };
505 EXPECT_SUCCESS(s2n_blob_init(&nst_message, nst_data, sizeof(nst_data)));
506 EXPECT_SUCCESS(s2n_stuffer_write(&input, &nst_message));
507
508 EXPECT_ERROR_WITH_ERRNO(s2n_tls13_server_nst_recv(conn, &input), S2N_ERR_BAD_MESSAGE);
509
510 EXPECT_EQUAL(conn->client_ticket.size, 0);
511 EXPECT_TRUE(s2n_stuffer_data_available(&input) > 0);
512
513 EXPECT_SUCCESS(s2n_connection_free(conn));
514 }
515
516 /* Tests session_ticket_cb correctly serializes session data from an arbitrary new session ticket message */
517 {
518 struct s2n_config *config = s2n_config_new();
519 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
520 EXPECT_NOT_NULL(conn);
521 EXPECT_NOT_NULL(config);
522
523 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
524 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
525 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
526
527 conn->actual_protocol_version = S2N_TLS13;
528 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
529
530 /* Set up input stuffer */
531 struct s2n_stuffer input = { 0 };
532 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));
533
534 struct s2n_blob nst_message = { 0 };
535 EXPECT_SUCCESS(s2n_blob_init(&nst_message, nst_data, sizeof(nst_data)));
536 EXPECT_SUCCESS(s2n_stuffer_write(&input, &nst_message));
537
538 EXPECT_OK(s2n_tls13_server_nst_recv(conn, &input));
539 EXPECT_BYTEARRAY_EQUAL(conn->client_ticket.data, test_ticket, sizeof(test_ticket));
540 EXPECT_EQUAL(s2n_stuffer_data_available(&input), 0);
541
542 /* Initialize a stuffer to examine the serialized data returned in the session ticket callback */
543 struct s2n_blob session_blob = { 0 };
544 struct s2n_stuffer session_stuffer = { 0 };
545 EXPECT_SUCCESS(s2n_blob_init(&session_blob, cb_session_data, cb_session_data_len));
546 EXPECT_SUCCESS(s2n_stuffer_init(&session_stuffer, &session_blob));
547 EXPECT_SUCCESS(s2n_stuffer_skip_write(&session_stuffer, cb_session_data_len));
548
549 /* Check the serialized ticket is what was in the arbitrary nst message */
550 {
551 /* Skip to encrypted ticket size */
552 EXPECT_SUCCESS((s2n_stuffer_skip_read(&session_stuffer, sizeof(uint8_t))));
553
554 uint16_t ticket_size = 0;
555 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&session_stuffer, &ticket_size));
556 EXPECT_EQUAL(ticket_size, sizeof(test_ticket));
557
558 uint8_t *ticket = s2n_stuffer_raw_read(&session_stuffer, ticket_size);
559 EXPECT_NOT_NULL(ticket);
560 EXPECT_BYTEARRAY_EQUAL(ticket, test_ticket, ticket_size);
561 }
562
563 /* Check the serialized ticket_age_add is what was in the arbitrary nst message*/
564 {
565 uint8_t test_ticket_age_add[] = { TEST_TICKET_AGE_ADD };
566 uint8_t ticket_age_add_marker = sizeof(uint8_t) + /* client state format */ \
567 sizeof(uint8_t) + /* protocol version */ \
568 sizeof(uint16_t) + /* cipher suite */ \
569 sizeof(uint64_t); /* time */
570 /* Skip to ticket_age_add */
571 EXPECT_SUCCESS((s2n_stuffer_skip_read(&session_stuffer, ticket_age_add_marker)));
572
573 uint8_t ticket_age_add[sizeof(uint32_t)] = { 0 };
574 EXPECT_SUCCESS(s2n_stuffer_read_bytes(&session_stuffer, ticket_age_add, sizeof(uint32_t)));
575 EXPECT_BYTEARRAY_EQUAL(ticket_age_add, test_ticket_age_add, sizeof(uint32_t));
576 }
577
578 /* Check ticket lifetime is what was in the arbitrary nst message */
579 {
580 uint8_t test_lifetime[] = { TEST_LIFETIME };
581 uint32_t expected_lifetime = test_lifetime[3] | (test_lifetime[2] << 8) | \
582 (test_lifetime[1] << 16) | (test_lifetime[0] << 24);
583 EXPECT_EQUAL(expected_lifetime, cb_session_lifetime);
584 }
585 EXPECT_SUCCESS(s2n_connection_free(conn));
586 EXPECT_SUCCESS(s2n_stuffer_free(&input));
587 EXPECT_SUCCESS(s2n_config_free(config));
588 }
589
590 /* Known values test */
591 {
592 /**
593 * NewSessionTicket handshake message
594 *
595 *= https://tools.ietf.org/rfc/rfc8448#section-3
596 *# NewSessionTicket (205 octets): 04 00 00 c9 00 00 00 1e fa d6 aa
597 *# c5 02 00 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00
598 *# 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c
599 *# 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11
600 *# 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28
601 *# 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25
602 *# a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c
603 *# 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6
604 *# 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50
605 *# 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 00 08 00 2a 00
606 *# 04 00 00 04 00
607 **/
608 S2N_BLOB_FROM_HEX(nst_message,
609 "04 00 00 c9 00 00 00 1e fa d6 aa \
610 c5 02 00 00 00 b2 2c 03 5d 82 93 59 ee 5f f7 af 4e c9 00 00 00 \
611 00 26 2a 64 94 dc 48 6d 2c 8a 34 cb 33 fa 90 bf 1b 00 70 ad 3c \
612 49 88 83 c9 36 7c 09 a2 be 78 5a bc 55 cd 22 60 97 a3 a9 82 11 \
613 72 83 f8 2a 03 a1 43 ef d3 ff 5d d3 6d 64 e8 61 be 7f d6 1d 28 \
614 27 db 27 9c ce 14 50 77 d4 54 a3 66 4d 4e 6d a4 d2 9e e0 37 25 \
615 a6 a4 da fc d0 fc 67 d2 ae a7 05 29 51 3e 3d a2 67 7f a5 90 6c \
616 5b 3f 7d 8f 92 f2 28 bd a4 0d da 72 14 70 f9 fb f2 97 b5 ae a6 \
617 17 64 6f ac 5c 03 27 2e 97 07 27 c6 21 a7 91 41 ef 5f 7d e6 50 \
618 5e 5b fb c3 88 e9 33 43 69 40 93 93 4a e4 d3 57 00 08 00 2a 00 \
619 04 00 00 04 00");
620
621 struct s2n_config *config = s2n_config_new();
622 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
623 EXPECT_NOT_NULL(conn);
624 EXPECT_NOT_NULL(config);
625
626 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
627 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
628 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
629
630 conn->actual_protocol_version = S2N_TLS13;
631 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
632
633 /* Set up input stuffer */
634 struct s2n_stuffer input = { 0 };
635 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, 0));
636
637 EXPECT_SUCCESS(s2n_stuffer_write(&input, &nst_message));
638 EXPECT_SUCCESS(s2n_stuffer_skip_read(&input, sizeof(uint8_t) + SIZEOF_UINT24));
639 EXPECT_OK(s2n_tls13_server_nst_recv(conn, &input));
640
641 EXPECT_SUCCESS(s2n_connection_free(conn));
642 EXPECT_SUCCESS(s2n_stuffer_free(&input));
643 EXPECT_SUCCESS(s2n_config_free(config));
644 }
645
646 /* Self-talk test */
647 {
648 struct s2n_config *config = s2n_config_new();
649 struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
650 EXPECT_NOT_NULL(client_conn);
651 EXPECT_NOT_NULL(config);
652
653 struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER);
654 EXPECT_NOT_NULL(server_conn);
655
656 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
657 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
658 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
659
660 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
661 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
662
663 client_conn->actual_protocol_version = S2N_TLS13;
664 server_conn->actual_protocol_version = S2N_TLS13;
665 client_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
666 server_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
667
668 struct s2n_stuffer stuffer = { 0 };
669 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
670
671 EXPECT_OK(s2n_tls13_server_nst_write(server_conn, &stuffer));
672 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, sizeof(uint8_t) + SIZEOF_UINT24));
673 EXPECT_OK(s2n_tls13_server_nst_recv(client_conn, &stuffer));
674
675 EXPECT_SUCCESS(s2n_connection_free(client_conn));
676 EXPECT_SUCCESS(s2n_connection_free(server_conn));
677 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
678 EXPECT_SUCCESS(s2n_config_free(config));
679 }
680
681 /* Test that the client processes extensions.
682 * Specifically, check for the early_data_indication extension. */
683 {
684 const uint32_t expected_max_early_data_size = 17;
685
686 struct s2n_config *config = s2n_config_new();
687 EXPECT_NOT_NULL(config);
688 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
689 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
690 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
691
692 struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
693 EXPECT_NOT_NULL(client_conn);
694 client_conn->actual_protocol_version = S2N_TLS13;
695 client_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
696 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
697
698 struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER);
699 EXPECT_NOT_NULL(server_conn);
700 server_conn->actual_protocol_version = S2N_TLS13;
701 server_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
702 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
703 EXPECT_SUCCESS(s2n_connection_set_server_max_early_data_size(server_conn, expected_max_early_data_size));
704
705 struct s2n_stuffer stuffer = { 0 };
706 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
707
708 EXPECT_EQUAL(client_conn->server_max_early_data_size, 0);
709 EXPECT_OK(s2n_tls13_server_nst_write(server_conn, &stuffer));
710 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, sizeof(uint8_t) + SIZEOF_UINT24));
711 EXPECT_OK(s2n_tls13_server_nst_recv(client_conn, &stuffer));
712 EXPECT_EQUAL(client_conn->server_max_early_data_size, expected_max_early_data_size);
713
714 EXPECT_SUCCESS(s2n_connection_free(client_conn));
715 EXPECT_SUCCESS(s2n_connection_free(server_conn));
716 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
717 EXPECT_SUCCESS(s2n_config_free(config));
718 }
719
720 /* Test that the client can handle different max_early_data_size values. */
721 {
722 const uint32_t expected_max_early_data_sizes[] = { 17, 0, UINT16_MAX, 0, 20, UINT32_MAX, 5, 0 };
723
724 struct s2n_config *config = s2n_config_new();
725 EXPECT_NOT_NULL(config);
726 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
727 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
728 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
729
730 struct s2n_connection *client_conn = s2n_connection_new(S2N_CLIENT);
731 EXPECT_NOT_NULL(client_conn);
732 client_conn->actual_protocol_version = S2N_TLS13;
733 client_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
734 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
735
736 struct s2n_connection *server_conn = s2n_connection_new(S2N_SERVER);
737 EXPECT_NOT_NULL(server_conn);
738 server_conn->actual_protocol_version = S2N_TLS13;
739 server_conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
740 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
741
742 struct s2n_stuffer stuffer = { 0 };
743 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
744
745 for (size_t i = 0; i < s2n_array_len(expected_max_early_data_sizes); i++) {
746 EXPECT_SUCCESS(s2n_connection_set_server_max_early_data_size(server_conn, expected_max_early_data_sizes[i]));
747 EXPECT_OK(s2n_tls13_server_nst_write(server_conn, &stuffer));
748 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, sizeof(uint8_t) + SIZEOF_UINT24));
749 EXPECT_OK(s2n_tls13_server_nst_recv(client_conn, &stuffer));
750 EXPECT_EQUAL(client_conn->server_max_early_data_size, expected_max_early_data_sizes[i]);
751 EXPECT_SUCCESS(s2n_stuffer_wipe(&stuffer));
752 }
753
754 EXPECT_SUCCESS(s2n_connection_free(client_conn));
755 EXPECT_SUCCESS(s2n_connection_free(server_conn));
756 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
757 EXPECT_SUCCESS(s2n_config_free(config));
758 }
759
760 /* Test that the client rejects tickets with invalid ticket_lifetime */
761 {
762 const size_t lifetime_size = sizeof(uint32_t);
763 const uint8_t *nst_data_without_lifetime = nst_data + lifetime_size;
764 const size_t nst_data_without_lifetime_size = sizeof(nst_data) - lifetime_size;
765
766 struct s2n_config *config = s2n_config_new();
767 EXPECT_NOT_NULL(config);
768 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
769 EXPECT_SUCCESS(s2n_config_set_session_ticket_cb(config, s2n_test_session_ticket_cb, NULL));
770
771 /**
772 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
773 *= type=test
774 *# The value of zero indicates that the
775 *# ticket should be discarded immediately.
776 */
777 {
778 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
779 EXPECT_NOT_NULL(conn);
780 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
781 conn->actual_protocol_version = S2N_TLS13;
782
783 DEFER_CLEANUP(struct s2n_stuffer input = { 0 }, s2n_stuffer_free);
784 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, sizeof(nst_data)));
785 EXPECT_SUCCESS(s2n_stuffer_write_uint32(&input, 0));
786 EXPECT_SUCCESS(s2n_stuffer_write_bytes(&input, nst_data_without_lifetime, nst_data_without_lifetime_size));
787
788 EXPECT_OK(s2n_tls13_server_nst_recv(conn, &input));
789 /* Verify that the client only got as far as the ticket_lifetime when parsing */
790 EXPECT_EQUAL(s2n_stuffer_data_available(&input), nst_data_without_lifetime_size);
791 /* Verify that the client did not accept + store the ticket */
792 EXPECT_EQUAL(s2n_connection_get_session_length(conn), 0);
793
794 EXPECT_SUCCESS(s2n_connection_free(conn));
795 }
796
797 /**
798 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
799 *= type=test
800 *# Servers MUST NOT use any value greater than
801 *# 604800 seconds (7 days).
802 */
803 {
804 struct s2n_connection *conn = s2n_connection_new(S2N_CLIENT);
805 EXPECT_NOT_NULL(conn);
806 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
807 conn->actual_protocol_version = S2N_TLS13;
808
809 DEFER_CLEANUP(struct s2n_stuffer input = { 0 }, s2n_stuffer_free);
810 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&input, sizeof(nst_data)));
811 EXPECT_SUCCESS(s2n_stuffer_write_uint32(&input, UINT32_MAX));
812 EXPECT_SUCCESS(s2n_stuffer_write_bytes(&input, nst_data_without_lifetime, nst_data_without_lifetime_size));
813
814 EXPECT_ERROR_WITH_ERRNO(s2n_tls13_server_nst_recv(conn, &input), S2N_ERR_BAD_MESSAGE);
815 /* Verify that the client only got as far as the ticket_lifetime when parsing */
816 EXPECT_EQUAL(s2n_stuffer_data_available(&input), nst_data_without_lifetime_size);
817 /* Verify that the client did not accept + store the ticket */
818 EXPECT_EQUAL(s2n_connection_get_session_length(conn), 0);
819
820 EXPECT_SUCCESS(s2n_connection_free(conn));
821 }
822
823 EXPECT_SUCCESS(s2n_config_free(config));
824 }
825 }
826
827 /* s2n_tls13_server_nst_send */
828 {
829 /* Mode is not server */
830 {
831 struct s2n_connection *conn;
832 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_CLIENT));
833 conn->actual_protocol_version = S2N_TLS13;
834 conn->tickets_to_send = 1;
835
836 /* Setup io */
837 struct s2n_stuffer stuffer;
838 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
839 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
840
841 s2n_blocked_status blocked = 0;
842 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
843
844 EXPECT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
845 EXPECT_ERROR_WITH_ERRNO(s2n_assert_tickets_sent(conn, 0), S2N_ERR_CLIENT_MODE);
846
847 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
848 EXPECT_SUCCESS(s2n_connection_free(conn));
849 }
850
851 /* Protocol is less than TLS13 */
852 {
853 struct s2n_connection *conn;
854 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
855 conn->actual_protocol_version = S2N_TLS12;
856 conn->tickets_to_send = 1;
857
858 /* Setup io */
859 struct s2n_stuffer stuffer;
860 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
861 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
862
863 s2n_blocked_status blocked = 0;
864 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
865
866 EXPECT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
867 EXPECT_TICKETS_SENT(conn, 0);
868
869 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
870 EXPECT_SUCCESS(s2n_connection_free(conn));
871 }
872
873 /* 0 tickets are requested */
874 {
875 struct s2n_config *config = s2n_config_new();
876 EXPECT_NOT_NULL(config);
877 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
878
879 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
880 EXPECT_NOT_NULL(conn);
881 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
882 conn->actual_protocol_version = S2N_TLS13;
883 conn->tickets_to_send = 0;
884 EXPECT_NOT_EQUAL(0, s2n_stuffer_space_remaining(&conn->handshake.io));
885
886 /* Setup io */
887 struct s2n_stuffer stuffer;
888 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
889 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
890
891 s2n_blocked_status blocked = 0;
892 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
893
894 /* Check no tickets are written */
895 EXPECT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
896 EXPECT_TICKETS_SENT(conn, 0);
897
898 /* Check handshake.io is cleaned up */
899 EXPECT_EQUAL(0, s2n_stuffer_space_remaining(&conn->handshake.io));
900
901 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
902 EXPECT_SUCCESS(s2n_connection_free(conn));
903 EXPECT_SUCCESS(s2n_config_free(config));
904 }
905
906 /* Sends one new session ticket */
907 {
908 struct s2n_config *config;
909 struct s2n_connection *conn;
910 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
911 EXPECT_NOT_NULL(config = s2n_config_new());
912 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
913 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
914
915 conn->actual_protocol_version = S2N_TLS13;
916 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
917 conn->tickets_to_send = 1;
918 EXPECT_NOT_EQUAL(s2n_stuffer_space_remaining(&conn->handshake.io), 0);
919
920 /* Setup io */
921 struct s2n_stuffer stuffer;
922 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
923 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
924
925 s2n_blocked_status blocked = 0;
926 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
927 EXPECT_TICKETS_SENT(conn, 1);
928
929 /* Check only one record was written */
930 uint16_t record_len = 0;
931 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, RECORD_LEN_MARKER));
932 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&stuffer, &record_len));
933 EXPECT_TRUE(record_len > 0);
934 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, record_len));
935 EXPECT_EQUAL(s2n_stuffer_data_available(&stuffer), 0);
936
937 /* Check handshake.io is cleaned up */
938 EXPECT_EQUAL(s2n_stuffer_space_remaining(&conn->handshake.io), 0);
939
940 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
941 EXPECT_SUCCESS(s2n_connection_free(conn));
942 EXPECT_SUCCESS(s2n_config_free(config));
943 }
944
945 /* Send no more tickets if keying material is expired
946 *
947 *= https://tools.ietf.org/rfc/rfc8446#section-4.6.1
948 *= type=test
949 *# Note that in principle it is possible to continue issuing new tickets
950 *# which indefinitely extend the lifetime of the keying material
951 *# originally derived from an initial non-PSK handshake (which was most
952 *# likely tied to the peer's certificate). It is RECOMMENDED that
953 *# implementations place limits on the total lifetime of such keying
954 *# material; these limits should take into account the lifetime of the
955 *# peer's certificate, the likelihood of intervening revocation, and the
956 *# time since the peer's online CertificateVerify signature.
957 */
958 {
959 const uint8_t current_tickets = 10;
960 const uint8_t new_tickets = 5;
961
962 struct s2n_config *config = s2n_config_new();
963 EXPECT_NOT_NULL(config);
964 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
965
966 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
967 EXPECT_NOT_NULL(conn);
968 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
969 conn->actual_protocol_version = S2N_TLS13;
970 conn->tickets_sent = current_tickets;
971 conn->tickets_to_send = current_tickets;
972 EXPECT_TICKETS_SENT(conn, current_tickets);
973
974 struct s2n_stuffer stuffer;
975 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
976 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
977
978 /* Can request new tickets */
979 EXPECT_SUCCESS(s2n_connection_add_new_tickets_to_send(conn, new_tickets));
980 EXPECT_EQUAL(conn->tickets_sent, current_tickets);
981 EXPECT_EQUAL(conn->tickets_to_send, current_tickets + new_tickets);
982 EXPECT_TICKETS_SENT(conn, current_tickets);
983
984 /* Add expired keying material */
985 DEFER_CLEANUP(struct s2n_psk *chosen_psk = s2n_test_psk_new(conn), s2n_psk_free);
986 EXPECT_NOT_NULL(chosen_psk);
987 chosen_psk->type = S2N_PSK_TYPE_RESUMPTION;
988 chosen_psk->keying_material_expiration = 0;
989 conn->psk_params.chosen_psk = chosen_psk;
990
991 /* Despite tickets requested, no tickets sent */
992 s2n_blocked_status blocked = 0;
993 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
994 EXPECT_EQUAL(s2n_stuffer_data_available(&stuffer), 0);
995 EXPECT_EQUAL(conn->tickets_sent, current_tickets);
996 EXPECT_EQUAL(conn->tickets_to_send, current_tickets);
997 EXPECT_TICKETS_SENT(conn, current_tickets);
998
999 /* Can't request more tickets */
1000 EXPECT_FAILURE_WITH_ERRNO(s2n_connection_add_new_tickets_to_send(conn, new_tickets),
1001 S2N_ERR_KEYING_MATERIAL_EXPIRED);
1002 EXPECT_EQUAL(conn->tickets_sent, current_tickets);
1003 EXPECT_EQUAL(conn->tickets_to_send, current_tickets);
1004 EXPECT_TICKETS_SENT(conn, current_tickets);
1005
1006 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
1007 EXPECT_SUCCESS(s2n_connection_free(conn));
1008 EXPECT_SUCCESS(s2n_config_free(config));
1009 }
1010
1011 /* s2n_config_set_session_tickets_onoff used to enable tickets */
1012 {
1013 uint8_t test_data[S2N_TICKET_KEY_NAME_LEN] = "data";
1014 uint64_t current_time = 0;
1015
1016 struct s2n_config *config = s2n_config_new();
1017 EXPECT_NOT_NULL(config);
1018 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, true));
1019 EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, ¤t_time));
1020 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, test_data, sizeof(test_data),
1021 test_data, sizeof(test_data), current_time / ONE_SEC_IN_NANOS));
1022
1023 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
1024 EXPECT_NOT_NULL(conn);
1025 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
1026 conn->actual_protocol_version = S2N_TLS13;
1027 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
1028
1029 /* Setup io */
1030 struct s2n_stuffer stuffer;
1031 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
1032 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
1033
1034 s2n_blocked_status blocked = 0;
1035 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1036 EXPECT_TICKETS_SENT(conn, 1);
1037 EXPECT_NOT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
1038 EXPECT_SUCCESS(s2n_stuffer_wipe(&stuffer));
1039
1040 /* Request more tickets */
1041 EXPECT_SUCCESS(s2n_connection_add_new_tickets_to_send(conn, 1));
1042 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1043 EXPECT_TICKETS_SENT(conn, 2);
1044 EXPECT_NOT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
1045 EXPECT_SUCCESS(s2n_stuffer_wipe(&stuffer));
1046
1047 /* Turn tickets off */
1048 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, false));
1049
1050 /* Request more tickets */
1051 EXPECT_SUCCESS(s2n_connection_add_new_tickets_to_send(conn, 1));
1052 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1053 EXPECT_TICKETS_SENT(conn, 2);
1054 EXPECT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
1055
1056 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
1057 EXPECT_SUCCESS(s2n_connection_free(conn));
1058 EXPECT_SUCCESS(s2n_config_free(config));
1059 }
1060
1061 /* s2n_config_set_initial_ticket_count used to enable tickets */
1062 {
1063 uint8_t test_data[S2N_TICKET_KEY_NAME_LEN] = "data";
1064 uint64_t current_time = 0;
1065
1066 struct s2n_config *config = s2n_config_new();
1067 EXPECT_NOT_NULL(config);
1068 EXPECT_SUCCESS(s2n_config_set_initial_ticket_count(config, 1));
1069 EXPECT_SUCCESS(config->wall_clock(config->sys_clock_ctx, ¤t_time));
1070 EXPECT_SUCCESS(s2n_config_add_ticket_crypto_key(config, test_data, sizeof(test_data),
1071 test_data, sizeof(test_data), current_time / ONE_SEC_IN_NANOS));
1072
1073 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
1074 EXPECT_NOT_NULL(conn);
1075 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
1076 conn->actual_protocol_version = S2N_TLS13;
1077 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
1078
1079 /* Setup io */
1080 struct s2n_stuffer stuffer;
1081 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
1082 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
1083
1084 s2n_blocked_status blocked = 0;
1085 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1086 EXPECT_TICKETS_SENT(conn, 1);
1087 EXPECT_NOT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
1088
1089 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
1090 EXPECT_SUCCESS(s2n_connection_free(conn));
1091 EXPECT_SUCCESS(s2n_config_free(config));
1092 }
1093
1094 /* Sends multiple new session tickets */
1095 {
1096 struct s2n_config *config;
1097 struct s2n_connection *conn;
1098 EXPECT_NOT_NULL(conn = s2n_connection_new(S2N_SERVER));
1099 EXPECT_NOT_NULL(config = s2n_config_new());
1100
1101 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
1102 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
1103
1104 conn->actual_protocol_version = S2N_TLS13;
1105 conn->secure.cipher_suite = &s2n_tls13_aes_128_gcm_sha256;
1106 uint16_t tickets_to_send = 5;
1107 conn->tickets_to_send = tickets_to_send;
1108
1109 /* Setup io */
1110 struct s2n_stuffer stuffer;
1111 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&stuffer, 0));
1112 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&stuffer, &stuffer, conn));
1113
1114 s2n_blocked_status blocked = 0;
1115 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1116 EXPECT_TICKETS_SENT(conn, tickets_to_send);
1117
1118 /* Check five records were written */
1119 uint16_t record_len = 0;
1120 for (size_t i = 0; i < tickets_to_send; i++) {
1121 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, RECORD_LEN_MARKER));
1122 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&stuffer, &record_len));
1123 EXPECT_TRUE(record_len > 0);
1124 EXPECT_SUCCESS(s2n_stuffer_skip_read(&stuffer, record_len));
1125 }
1126 EXPECT_TRUE(s2n_stuffer_data_available(&stuffer) == 0);
1127
1128 /* No more tickets to send */
1129 EXPECT_SUCCESS(s2n_stuffer_rewrite(&stuffer));
1130 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1131 EXPECT_EQUAL(0, s2n_stuffer_data_available(&stuffer));
1132
1133 EXPECT_SUCCESS(s2n_stuffer_free(&stuffer));
1134 EXPECT_SUCCESS(s2n_connection_free(conn));
1135 EXPECT_SUCCESS(s2n_config_free(config));
1136 }
1137
1138 /* Test S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE */
1139 {
1140 struct s2n_config *config = s2n_config_new();
1141 EXPECT_NOT_NULL(config);
1142 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
1143
1144 struct s2n_connection *conn = s2n_connection_new(S2N_SERVER);
1145 EXPECT_NOT_NULL(conn);
1146 EXPECT_SUCCESS(s2n_connection_set_config(conn, config));
1147
1148 /* TLS1.3 tickets contain extra fields */
1149 conn->actual_protocol_version = S2N_TLS13;
1150 /* Largest possible TLS1.3 secret size */
1151 conn->secure.cipher_suite = &s2n_tls13_aes_256_gcm_sha384;
1152 /* Necessary for extensions, which contribute to size */
1153 EXPECT_SUCCESS(s2n_connection_set_server_max_early_data_size(conn, 10));
1154
1155 /* Setup io */
1156 struct s2n_stuffer output = { 0 };
1157 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&output, 0));
1158 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&output, &output, conn));
1159
1160 /* Test with no variable fields */
1161 {
1162 size_t session_state_size = 0;
1163 EXPECT_OK(s2n_connection_get_session_state_size(conn, &session_state_size));
1164 EXPECT_NOT_EQUAL(session_state_size, 0);
1165
1166 s2n_blocked_status blocked = 0;
1167 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1168 EXPECT_NOT_EQUAL(s2n_stuffer_data_available(&output), 0);
1169
1170 uint32_t expected_max_size = s2n_stuffer_data_available(&output) - S2N_TLS_RECORD_HEADER_LENGTH;
1171 uint32_t expected_max_fixed_size = expected_max_size - session_state_size;
1172 if (S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE != expected_max_fixed_size) {
1173 fprintf(stdout, "\nS2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE (%i) should be %i\n",
1174 (int) S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE, expected_max_fixed_size);
1175 }
1176 EXPECT_EQUAL(S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE, expected_max_fixed_size);
1177 }
1178
1179 EXPECT_SUCCESS(s2n_stuffer_wipe(&output));
1180 conn->tickets_to_send++;
1181
1182 /* Test with some variable fields */
1183 {
1184 const uint8_t early_data_context[] = "early data context";
1185 EXPECT_SUCCESS(s2n_connection_set_server_early_data_context(conn,
1186 early_data_context, sizeof(early_data_context)));
1187
1188 size_t session_state_size = 0;
1189 EXPECT_OK(s2n_connection_get_session_state_size(conn, &session_state_size));
1190 EXPECT_NOT_EQUAL(session_state_size, 0);
1191
1192 s2n_blocked_status blocked = 0;
1193 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1194 EXPECT_NOT_EQUAL(s2n_stuffer_data_available(&output), 0);
1195
1196 uint32_t expected_max_size = s2n_stuffer_data_available(&output) - S2N_TLS_RECORD_HEADER_LENGTH;
1197 uint32_t expected_max_fixed_size = expected_max_size - session_state_size;
1198 EXPECT_EQUAL(S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE, expected_max_fixed_size);
1199 }
1200
1201 EXPECT_SUCCESS(s2n_stuffer_wipe(&output));
1202 conn->tickets_to_send++;
1203
1204 /* Test with all variable fields */
1205 {
1206 const uint8_t early_data_context[] = "different early data context";
1207 EXPECT_SUCCESS(s2n_connection_set_server_early_data_context(conn,
1208 early_data_context, sizeof(early_data_context)));
1209
1210 const uint8_t app_protocol[] = "https";
1211 EXPECT_MEMCPY_SUCCESS(conn->application_protocol, app_protocol, sizeof(app_protocol));
1212
1213 size_t session_state_size = 0;
1214 EXPECT_OK(s2n_connection_get_session_state_size(conn, &session_state_size));
1215 EXPECT_NOT_EQUAL(session_state_size, 0);
1216
1217 s2n_blocked_status blocked = 0;
1218 EXPECT_OK(s2n_tls13_server_nst_send(conn, &blocked));
1219 EXPECT_NOT_EQUAL(s2n_stuffer_data_available(&output), 0);
1220
1221 uint32_t expected_max_size = s2n_stuffer_data_available(&output) - S2N_TLS_RECORD_HEADER_LENGTH;
1222 uint32_t expected_max_fixed_size = expected_max_size - session_state_size;
1223 EXPECT_EQUAL(S2N_TLS13_MAX_FIXED_NEW_SESSION_TICKET_SIZE, expected_max_fixed_size);
1224 }
1225
1226 EXPECT_SUCCESS(s2n_stuffer_free(&output));
1227 EXPECT_SUCCESS(s2n_connection_free(conn));
1228 EXPECT_SUCCESS(s2n_config_free(config));
1229 }
1230 }
1231
1232 /* Functional test: s2n_negotiate sends new session tickets after the handshake is complete */
1233 if (s2n_is_tls13_fully_supported()) {
1234 /* Setup connections */
1235 struct s2n_connection *client_conn, *server_conn;
1236 EXPECT_NOT_NULL(client_conn = s2n_connection_new(S2N_CLIENT));
1237 EXPECT_NOT_NULL(server_conn = s2n_connection_new(S2N_SERVER));
1238
1239 /* Setup config */
1240 struct s2n_cert_chain_and_key *chain_and_key;
1241 EXPECT_SUCCESS(s2n_test_cert_chain_and_key_new(&chain_and_key,
1242 S2N_DEFAULT_ECDSA_TEST_CERT_CHAIN, S2N_DEFAULT_ECDSA_TEST_PRIVATE_KEY));
1243 struct s2n_config *config;
1244 EXPECT_NOT_NULL(config = s2n_config_new());
1245 EXPECT_SUCCESS(s2n_config_set_cipher_preferences(config, "default_tls13"));
1246 EXPECT_SUCCESS(s2n_config_set_unsafe_for_testing(config));
1247 EXPECT_SUCCESS(s2n_config_add_cert_chain_and_key_to_store(config, chain_and_key));
1248 EXPECT_SUCCESS(s2n_config_set_session_tickets_onoff(config, 1));
1249 EXPECT_SUCCESS(s2n_connection_set_config(client_conn, config));
1250
1251 EXPECT_SUCCESS(s2n_setup_test_ticket_key(config));
1252 EXPECT_SUCCESS(s2n_connection_set_config(server_conn, config));
1253
1254 uint16_t tickets_to_send = 5;
1255 server_conn->tickets_to_send = tickets_to_send;
1256
1257 struct s2n_stuffer client_to_server;
1258 struct s2n_stuffer server_to_client;
1259
1260 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&client_to_server, 0));
1261 EXPECT_SUCCESS(s2n_stuffer_growable_alloc(&server_to_client, 0));
1262
1263 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&server_to_client, &client_to_server, client_conn));
1264 EXPECT_SUCCESS(s2n_connection_set_io_stuffers(&client_to_server, &server_to_client, server_conn));
1265
1266 /* Do handshake */
1267 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
1268 EXPECT_TICKETS_SENT(server_conn, tickets_to_send);
1269
1270 /* Check handshake.io was cleaned up.
1271 * If a ticket was written, this happens afterwards. */
1272 EXPECT_EQUAL(s2n_stuffer_space_remaining(&server_conn->handshake.io), 0);
1273 EXPECT_EQUAL(s2n_stuffer_space_remaining(&client_conn->handshake.io), 0);
1274
1275 /* Check there are five records corresponding to five new session tickets
1276 * not read as part of the handshake */
1277 uint16_t record_len = 0;
1278 for (size_t i = 0; i < tickets_to_send; i++) {
1279 EXPECT_SUCCESS(s2n_stuffer_skip_read(&server_to_client, RECORD_LEN_MARKER));
1280 EXPECT_SUCCESS(s2n_stuffer_read_uint16(&server_to_client, &record_len));
1281 EXPECT_TRUE(record_len > 0);
1282 EXPECT_SUCCESS(s2n_stuffer_skip_read(&server_to_client, record_len));
1283 }
1284 EXPECT_TRUE(s2n_stuffer_data_available(&server_to_client) == 0);
1285
1286 /* Call s2n_negotiate again to ensure no more tickets are sent */
1287 EXPECT_SUCCESS(s2n_negotiate_test_server_and_client(server_conn, client_conn));
1288 EXPECT_EQUAL(0, s2n_stuffer_data_available(&server_to_client));
1289 EXPECT_TICKETS_SENT(server_conn, tickets_to_send);
1290
1291 EXPECT_SUCCESS(s2n_stuffer_free(&client_to_server));
1292 EXPECT_SUCCESS(s2n_stuffer_free(&server_to_client));
1293 EXPECT_SUCCESS(s2n_connection_free(server_conn));
1294 EXPECT_SUCCESS(s2n_connection_free(client_conn));
1295 EXPECT_SUCCESS(s2n_cert_chain_and_key_free(chain_and_key));
1296 EXPECT_SUCCESS(s2n_config_free(config));
1297 }
1298
1299 END_TEST();
1300 }
1301