author | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-11-10 08:33:46 +0000 |
---|---|---|
committer | Alexander Bluhm <bluhm@cvs.openbsd.org> | 2018-11-10 08:33:46 +0000 |
commit | 3d7aa9080ccd6d58a70b43d504564e1e67008d38 (patch) | |
tree | ccfac4d9fb274f4c297cd6bfcc4e4beaee0c8fc1 /regress/lib/libssl | |
parent | 2de54af3352f1dea08ed328f5c7725888d1ca666 (diff) |
The regress client and server can now do TLS session reuse. Test this with
all combinations of LibreSSL, OpenSSL 1.0.2, and OpenSSL 1.1. It is
currently disabled for TLS 1.3, as that needs more setup.
Diffstat (limited to 'regress/lib/libssl')
-rw-r--r-- | regress/lib/libssl/interop/Makefile | 7 | ||||
-rw-r--r-- | regress/lib/libssl/interop/client.c | 146 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl/Makefile | 4 | ||||
-rw-r--r-- | regress/lib/libssl/interop/openssl11/Makefile | 4 | ||||
-rw-r--r-- | regress/lib/libssl/interop/server.c | 151 | ||||
-rw-r--r-- | regress/lib/libssl/interop/session/Makefile | 37 |
6 files changed, 220 insertions, 129 deletions
diff --git a/regress/lib/libssl/interop/Makefile b/regress/lib/libssl/interop/Makefile index 0226cae4abe..f538f873666 100644 --- a/regress/lib/libssl/interop/Makefile +++ b/regress/lib/libssl/interop/Makefile @@ -1,5 +1,8 @@ -# $OpenBSD: Makefile,v 1.3 2018/11/09 06:30:41 bluhm Exp $ +# $OpenBSD: Makefile,v 1.4 2018/11/10 08:33:45 bluhm Exp $ -SUBDIR = libressl openssl openssl11 cert +SUBDIR = libressl openssl openssl11 +# the above binaries must have been built before we can continue +SUBDIR += session +SUBDIR += cert .include <bsd.subdir.mk> diff --git a/regress/lib/libssl/interop/client.c b/regress/lib/libssl/interop/client.c index c312d7ae8ad..0b5827c4476 100644 --- a/regress/lib/libssl/interop/client.c +++ b/regress/lib/libssl/interop/client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: client.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $ */ +/* $OpenBSD: client.c,v 1.5 2018/11/10 08:33:45 bluhm Exp $ */ /* * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org> * @@ -35,7 +35,7 @@ void __dead usage(void) { fprintf(stderr, - "usage: client [-c] [-C CA] [-c crt -k key] host port"); + "usage: client [-sv] [-C CA] [-c crt -k key] host port"); exit(2); } @@ -46,13 +46,13 @@ main(int argc, char *argv[]) SSL_CTX *ctx; SSL *ssl; BIO *bio; - SSL_SESSION *session; - int error, verify = 0; + SSL_SESSION *session = NULL; + int error, sessionreuse = 0, verify = 0; char buf[256], ch; char *ca = NULL, *crt = NULL, *key = NULL; char *host_port, *host, *port; - while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) { + while ((ch = getopt(argc, argv, "C:c:k:sv")) != -1) { switch (ch) { case 'C': ca = optarg; @@ -63,6 +63,10 @@ main(int argc, char *argv[]) case 'k': key = optarg; break; + case 's': + /* multiple reueses are possible */ + sessionreuse++; + break; case 'v': verify = 1; break; 
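Review bot: The new `-s` case in client.c's getopt switch documents its effect only as `/* multiple reueses are possible */`, which is misspelled and does not say what one `-s` buys; since the counter decides how many connections the client makes, I would write `/* each -s adds one more connection that tries to resume the previous session */`. Stating that the count must line up with the server's `-s` count would save the next reader a trip to the session Makefile. main() starts before and continues after this hunk.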
@@ -122,63 +126,85 @@ main(int argc, char *argv[]) SSL_CTX_set_verify(ctx, verify ? SSL_VERIFY_PEER : SSL_VERIFY_NONE, verify_callback); - /* setup ssl and bio for socket operations */ - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - bio = BIO_new_connect(host_port); - if (bio == NULL) - err_ssl(1, "BIO_new_connect"); - print_ciphers(SSL_get_ciphers(ssl)); - - /* connect */ - if (BIO_do_connect(bio) <= 0) - err_ssl(1, "BIO_do_connect"); - printf("connect "); - print_sockname(bio); - printf("connect "); - print_peername(bio); - - /* do ssl client handshake */ - SSL_set_bio(ssl, bio, bio); - if ((error = SSL_connect(ssl)) <= 0) - err_ssl(1, "SSL_connect %d", error); - - /* print session statistics */ - session = SSL_get_session(ssl); - if (session == NULL) - err_ssl(1, "SSL_get_session"); - if (SSL_SESSION_print_fp(stdout, session) <= 0) - err_ssl(1, "SSL_SESSION_print_fp"); - - /* read server greeting and write client hello over TLS connection */ - if ((error = SSL_read(ssl, buf, 9)) <= 0) - err_ssl(1, "SSL_read %d", error); - if (error != 9) - errx(1, "read not 9 bytes greeting: %d", error); - buf[9] = '\0'; - printf("<<< %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - strlcpy(buf, "hello\n", sizeof(buf)); - printf(">>> %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - if ((error = SSL_write(ssl, buf, 6)) <= 0) - err_ssl(1, "SSL_write %d", error); - if (error != 6) - errx(1, "write not 6 bytes hello: %d", error); - - /* shutdown connection */ - if ((error = SSL_shutdown(ssl)) < 0) - err_ssl(1, "SSL_shutdown unidirectional %d", error); - if (error <= 0) { - if ((error = SSL_shutdown(ssl)) <= 0) - err_ssl(1, "SSL_shutdown bidirectional %d", error); + if (sessionreuse) { + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT); } - /* cleanup and free resources */ - SSL_free(ssl); + do { + /* setup bio for socket operations */ + bio = BIO_new_connect(host_port); + if (bio == NULL) + err_ssl(1, 
"BIO_new_connect"); + + /* connect */ + if (BIO_do_connect(bio) <= 0) + err_ssl(1, "BIO_do_connect"); + printf("connect "); + print_sockname(bio); + printf("connect "); + print_peername(bio); + + /* do ssl client handshake */ + ssl = SSL_new(ctx); + if (ssl == NULL) + err_ssl(1, "SSL_new"); + print_ciphers(SSL_get_ciphers(ssl)); + SSL_set_bio(ssl, bio, bio); + /* resuse session if possible */ + if (session != NULL) { + if (SSL_set_session(ssl, session) <= 0) + err_ssl(1, "SSL_set_session"); + } + if ((error = SSL_connect(ssl)) <= 0) + err_ssl(1, "SSL_connect %d", error); + printf("session %d: %s\n", sessionreuse, + SSL_session_reused(ssl) ? "reuse" : "new"); + if (fflush(stdout) != 0) + err(1, "fflush stdout"); + + /* print session statistics */ + if (sessionreuse) { + session = SSL_get1_session(ssl); + if (session == NULL) + err_ssl(1, "SSL1_get_session"); + } else { + session = SSL_get_session(ssl); + if (session == NULL) + err_ssl(1, "SSL_get_session"); + } + if (SSL_SESSION_print_fp(stdout, session) <= 0) + err_ssl(1, "SSL_SESSION_print_fp"); + + /* read server greeting and write client hello over TLS */ + if ((error = SSL_read(ssl, buf, 9)) <= 0) + err_ssl(1, "SSL_read %d", error); + if (error != 9) + errx(1, "read not 9 bytes greeting: %d", error); + buf[9] = '\0'; + printf("<<< %s", buf); + if (fflush(stdout) != 0) + err(1, "fflush stdout"); + strlcpy(buf, "hello\n", sizeof(buf)); + printf(">>> %s", buf); + if (fflush(stdout) != 0) + err(1, "fflush stdout"); + if ((error = SSL_write(ssl, buf, 6)) <= 0) + err_ssl(1, "SSL_write %d", error); + if (error != 6) + errx(1, "write not 6 bytes hello: %d", error); + + /* shutdown connection */ + if ((error = SSL_shutdown(ssl)) < 0) + err_ssl(1, "SSL_shutdown unidirectional %d", error); + if (error <= 0) { + if ((error = SSL_shutdown(ssl)) <= 0) + err_ssl(1, "SSL_shutdown bidirectional %d", + error); + } + + SSL_free(ssl); + } while (sessionreuse--); + SSL_CTX_free(ctx); printf("success\n"); 
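Review bot: In the reuse branch `session = SSL_get1_session(ssl);` takes a new reference on every round, but the reference held from the previous round is never released, so each extra connection leaks one SSL_SESSION and the last one is still live at `SSL_CTX_free`; the failure label on the next line also reads `"SSL1_get_session"` rather than the function's name. Taking a counted reference in both modes, dropping the previous one first, and freeing the last one after the loop removes the leak together with the if/else (SSL_SESSION_free accepts NULL, so the first round needs no special case). Harmless for a short-lived regress binary, but it is exactly what a leak checker on the regress run would report. The comment `/* resuse session if possible */` has a typo as well. main() continues outside the hunk.
```c
		/* print session statistics; release last round's reference first */
		SSL_SESSION_free(session);
		session = SSL_get1_session(ssl);
		if (session == NULL)
			err_ssl(1, "SSL_get1_session");
		if (SSL_SESSION_print_fp(stdout, session) <= 0)
			err_ssl(1, "SSL_SESSION_print_fp");

		/* … unchanged: greeting/hello exchange, shutdown, SSL_free … */
	} while (sessionreuse--);
	SSL_SESSION_free(session);
	SSL_CTX_free(ctx);
```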
diff --git a/regress/lib/libssl/interop/openssl/Makefile b/regress/lib/libssl/interop/openssl/Makefile index 5c51c029cea..80f313da3e5 100644 --- a/regress/lib/libssl/interop/openssl/Makefile +++ b/regress/lib/libssl/interop/openssl/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.4 2018/11/09 06:30:41 bluhm Exp $ +# $OpenBSD: Makefile,v 1.5 2018/11/10 08:33:45 bluhm Exp $ .if ! exists(/usr/local/bin/eopenssl) regress: - # install openssl-1.0.2p from ports for interop tests + # install openssl-1.0.2 from ports for interop tests @echo SKIPPED .endif diff --git a/regress/lib/libssl/interop/openssl11/Makefile b/regress/lib/libssl/interop/openssl11/Makefile index ec6f6db7ec6..ef625dffb8c 100644 --- a/regress/lib/libssl/interop/openssl11/Makefile +++ b/regress/lib/libssl/interop/openssl11/Makefile @@ -1,8 +1,8 @@ -# $OpenBSD: Makefile,v 1.3 2018/11/09 06:30:41 bluhm Exp $ +# $OpenBSD: Makefile,v 1.4 2018/11/10 08:33:45 bluhm Exp $ .if ! exists(/usr/local/bin/eopenssl11) regress: - # install openssl-1.1.1 from ports for interop tests + # install openssl-1.1 from ports for interop tests @echo SKIPPED .endif diff --git a/regress/lib/libssl/interop/server.c b/regress/lib/libssl/interop/server.c index 6c0c720dfec..f50f368bb19 100644 --- a/regress/lib/libssl/interop/server.c +++ b/regress/lib/libssl/interop/server.c @@ -1,4 +1,4 @@ -/* $OpenBSD: server.c,v 1.4 2018/11/09 06:30:41 bluhm Exp $ */ +/* $OpenBSD: server.c,v 1.5 2018/11/10 08:33:45 bluhm Exp $ */ /* * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org> * @@ -21,6 +21,7 @@ #include <err.h> #include <netdb.h> #include <stdio.h> +#include <stdlib.h> #include <string.h> #include <unistd.h> @@ -35,7 +36,7 @@ void __dead usage(void) { fprintf(stderr, - "usage: server [-vv] [-C CA] [-c crt -k key] [host port]"); + "usage: server [-svv] [-C CA] [-c crt -k key] [host port]"); exit(2); } 
@@ -45,14 +46,14 @@ main(int argc, char *argv[]) const SSL_METHOD *method; SSL_CTX *ctx; SSL *ssl; - BIO *bio; + BIO *abio, *cbio; SSL_SESSION *session; - int error, verify = 0; + int error, sessionreuse = 0, verify = 0; char buf[256], ch; char *ca = NULL, *crt = NULL, *key = NULL; char *host_port, *host = "127.0.0.1", *port = "0"; - while ((ch = getopt(argc, argv, "C:c:k:v")) != -1) { + while ((ch = getopt(argc, argv, "C:c:k:sv")) != -1) { switch (ch) { case 'C': ca = optarg; @@ -63,6 +64,10 @@ main(int argc, char *argv[]) case 'k': key = optarg; break; + case 's': + /* multiple reueses are possible */ + sessionreuse++; + break; case 'v': /* use twice to force client cert */ verify++; 
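Review bot: The server's new `-s` case carries the same misspelled `/* multiple reueses are possible */` comment and does not explain that the count fixes how many connections the server accepts on the listening socket before it prints success and exits, which is what a caller has to match against the client's `-s` count. I would write `/* each -s accepts one more connection on the listening socket */`. Renaming `bio` to `abio`/`cbio` is a good call since both now live at once; a one-word comment at the declaration (`/* accept socket, per-connection socket */`) would make that obvious. main() starts before and continues after this hunk.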
@@ -136,74 +141,94 @@ main(int argc, char *argv[]) SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); - /* setup ssl and bio for socket operations */ - ssl = SSL_new(ctx); - if (ssl == NULL) - err_ssl(1, "SSL_new"); - bio = BIO_new_accept(host_port); - if (bio == NULL) + if (sessionreuse) { + uint32_t context; + + SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_SERVER); + context = arc4random(); + if (SSL_CTX_set_session_id_context(ctx, + (unsigned char *)&context, sizeof(context)) <= 0) + err_ssl(1, "SSL_CTX_set_session_id_context"); + } + + /* setup bio for socket operations */ + abio = BIO_new_accept(host_port); + if (abio == NULL) err_ssl(1, "BIO_new_accept"); - print_ciphers(SSL_get_ciphers(ssl)); /* bind, listen */ - if (BIO_do_accept(bio) <= 0) + if (BIO_do_accept(abio) <= 0) err_ssl(1, "BIO_do_accept setup"); printf("listen "); - print_sockname(bio); + print_sockname(abio); - /* fork to background, set timeout, and accept */ + /* fork to background and set timeout */ if (daemon(1, 1) == -1) err(1, "daemon"); - if ((int)alarm(60) == -1) + if ((int)alarm(10) == -1) err(1, "alarm"); - if (BIO_do_accept(bio) <= 0) - err_ssl(1, "BIO_do_accept wait"); - bio = BIO_pop(bio); - printf("accept "); - print_sockname(bio); - printf("accept "); - print_peername(bio); - - /* do ssl server handshake */ - SSL_set_bio(ssl, bio, bio); - if ((error = SSL_accept(ssl)) <= 0) - err_ssl(1, "SSL_accept %d", error); - - /* print session statistics */ - session = SSL_get_session(ssl); - if (session == NULL) - err_ssl(1, "SSL_get_session"); - if (SSL_SESSION_print_fp(stdout, session) <= 0) - err_ssl(1, "SSL_SESSION_print_fp"); - - /* write server greeting and read client hello over TLS connection */ - strlcpy(buf, "greeting\n", sizeof(buf)); - printf(">>> %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - if ((error = SSL_write(ssl, buf, 9)) <= 0) - err_ssl(1, "SSL_write %d", error); - if (error != 9) - errx(1, "write not 9 bytes greeting: %d", 
error); - if ((error = SSL_read(ssl, buf, 6)) <= 0) - err_ssl(1, "SSL_read %d", error); - if (error != 6) - errx(1, "read not 6 bytes hello: %d", error); - buf[6] = '\0'; - printf("<<< %s", buf); - if (fflush(stdout) != 0) - err(1, "fflush stdout"); - - /* shutdown connection */ - if ((error = SSL_shutdown(ssl)) < 0) - err_ssl(1, "SSL_shutdown unidirectional %d", error); - if (error <= 0) { - if ((error = SSL_shutdown(ssl)) <= 0) - err_ssl(1, "SSL_shutdown bidirectional %d", error); - } - /* cleanup and free resources */ - SSL_free(ssl); + do { + /* accept connection */ + if (BIO_do_accept(abio) <= 0) + err_ssl(1, "BIO_do_accept wait"); + cbio = BIO_pop(abio); + printf("accept "); + print_sockname(cbio); + printf("accept "); + print_peername(cbio); + + /* do ssl server handshake */ + ssl = SSL_new(ctx); + if (ssl == NULL) + err_ssl(1, "SSL_new"); + print_ciphers(SSL_get_ciphers(ssl)); + SSL_set_bio(ssl, cbio, cbio); + if ((error = SSL_accept(ssl)) <= 0) + err_ssl(1, "SSL_accept %d", error); + printf("session %d: %s\n", sessionreuse, + SSL_session_reused(ssl) ? 
"reuse" : "new"); + if (fflush(stdout) != 0) + err(1, "fflush stdout"); + + + /* print session statistics */ + session = SSL_get_session(ssl); + if (session == NULL) + err_ssl(1, "SSL_get_session"); + if (SSL_SESSION_print_fp(stdout, session) <= 0) + err_ssl(1, "SSL_SESSION_print_fp"); + + /* write server greeting and read client hello over TLS */ + strlcpy(buf, "greeting\n", sizeof(buf)); + printf(">>> %s", buf); + if (fflush(stdout) != 0) + err(1, "fflush stdout"); + if ((error = SSL_write(ssl, buf, 9)) <= 0) + err_ssl(1, "SSL_write %d", error); + if (error != 9) + errx(1, "write not 9 bytes greeting: %d", error); + if ((error = SSL_read(ssl, buf, 6)) <= 0) + err_ssl(1, "SSL_read %d", error); + if (error != 6) + errx(1, "read not 6 bytes hello: %d", error); + buf[6] = '\0'; + printf("<<< %s", buf); + if (fflush(stdout) != 0) + err(1, "fflush stdout"); + + /* shutdown connection */ + if ((error = SSL_shutdown(ssl)) < 0) + err_ssl(1, "SSL_shutdown unidirectional %d", error); + if (error <= 0) { + if ((error = SSL_shutdown(ssl)) <= 0) + err_ssl(1, "SSL_shutdown bidirectional %d", + error); + } + + SSL_free(ssl); + } while (sessionreuse--); + SSL_CTX_free(ctx); printf("success\n"); diff --git a/regress/lib/libssl/interop/session/Makefile b/regress/lib/libssl/interop/session/Makefile new file mode 100644 index 00000000000..a555f133fb1 --- /dev/null +++ b/regress/lib/libssl/interop/session/Makefile 
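Review bot: The `context = arc4random();` / `SSL_CTX_set_session_id_context` block is the security-relevant part of this hunk and has no comment saying why it is there; a fresh random context per run means sessions from another server invocation (or one with different verify settings) cannot be resumed against this cache, and OpenSSL documents that resumption with client verification fails when the context is unset, so I would add `/* random per-run context: isolates this server's session cache; required for resumption with client verification */`. The accept BIO `abio` is never released after the loop; `BIO_free(abio);` next to `SSL_CTX_free(ctx);` closes that (the old code leaked it too, but it had no name to free). The double blank line before `/* print session statistics */` is a style nit. main() continues outside the hunk.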
@@ -0,0 +1,37 @@ +# $OpenBSD: Makefile,v 1.1 2018/11/10 08:33:45 bluhm Exp $ + +run-client-openssl11-reuse-server-openssl11-reuse: + @echo '\n======== $@ ========' + # TLS 1.3 needs some extra setup for session reuse + @echo DISABLED + +CLEANFILES += *.out + +.for clib in libressl openssl openssl11 +.for slib in libressl openssl openssl11 + +REGRESS_TARGETS += run-client-${clib}-reuse-server-${slib}-reuse + +run-client-${clib}-reuse-server-${slib}-reuse: 127.0.0.1.crt + @echo '\n======== $@ ========' + LD_LIBRARY_PATH=/usr/local/lib/e${slib} \ + ../${slib}/server >server-${slib}-reuse.out \ + -ss \ + 127.0.0.1 0 + LD_LIBRARY_PATH=/usr/local/lib/e${clib} \ + ../${clib}/client >client-${clib}-reuse.out \ + -ss \ + `sed -n 's/listen sock: //p' server-${slib}-reuse.out` + grep '^success$$' server-${slib}-reuse.out + grep '^success$$' client-${clib}-reuse.out + grep '^session 2: new$$' server-${slib}-reuse.out + grep '^session 2: new$$' client-${clib}-reuse.out + grep '^session 1: reuse$$' server-${slib}-reuse.out + grep '^session 1: reuse$$' client-${clib}-reuse.out + grep '^session 0: reuse$$' server-${slib}-reuse.out + grep '^session 0: reuse$$' client-${clib}-reuse.out + +.endfor +.endfor + +.include <bsd.regress.mk> |
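Review bot: The `.for` loop also generates `run-client-openssl11-reuse-server-openssl11-reuse` with a full script, so the hand-written DISABLED target above it is a second definition of the same target; I believe OpenBSD make keeps the first script and warns "duplicate script for target ... ignored", and the intent is only recoverable from the comment. Wrapping the loop body in `.if "${clib}-${slib}" != "openssl11-openssl11"` ... `.endif` (or filtering REGRESS_TARGETS) would make the exclusion explicit and silence the warning. Separately, every target runs with `-ss` only, so resumption is exercised without `-v`, `-C`, or `-c`; the case where a resumed session must still carry a verified client identity is the one that matters for security and is not covered here. A comment on the DISABLED target naming what "extra setup" TLS 1.3 needs (presumably waiting for the post-handshake ticket) would help whoever enables it.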