diff options
author | Todd Short <todd.short@me.com> | 2022-03-23 18:55:10 -0400 |
---|---|---|
committer | Todd Short <todd.short@me.com> | 2022-03-25 12:46:15 -0400 |
commit | 0089cc7f9d42f6e39872161199fb8b6a99da2492 (patch) | |
tree | 7bb4e2d785cf687ca07ed65796750543549e7268 /test/sslapitest.c | |
parent | 37816ef5757e458be9648481e56bf698ee3bfbb1 (diff) | |
download | openssl-0089cc7f9d42f6e39872161199fb8b6a99da2492.tar.gz |
ticket_lifetime_hint may exceed 1 week in TLSv1.3
For TLSv1.3, limit ticket lifetime hint to 1 week per RFC8446
Fixes #17948
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/17952)
Diffstat (limited to 'test/sslapitest.c')
-rw-r--r-- | test/sslapitest.c | 59 |
1 files changed, 59 insertions, 0 deletions
diff --git a/test/sslapitest.c b/test/sslapitest.c index 437a9c8f25..c7d52817e5 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -9410,6 +9410,64 @@ end: SSL_CTX_free(cctx); return testresult; } + +/* + * Test that the lifetime hint of a TLSv1.3 ticket is no more than 1 week + * 0 = TLSv1.2 + * 1 = TLSv1.3 + */ +static int test_ticket_lifetime(int idx) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + int version = TLS1_3_VERSION; + +#define ONE_WEEK_SEC (7 * 24 * 60 * 60) +#define TWO_WEEK_SEC (2 * ONE_WEEK_SEC) + + if (idx == 0) { + version = TLS1_2_VERSION; + } + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), version, version, + &sctx, &cctx, cert, privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, + &clientssl, NULL, NULL))) + goto end; + + /* + * Set the timeout to be more than 1 week + * make sure the returned value is the default + */ + if (!TEST_long_eq(SSL_CTX_set_timeout(sctx, TWO_WEEK_SEC), + SSL_get_default_timeout(serverssl))) + goto end; + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + + if (idx == 0) { + /* TLSv1.2 uses the set value */ + if (!TEST_ulong_eq(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), TWO_WEEK_SEC)) + goto end; + } else { + /* TLSv1.3 uses the limited value */ + if (!TEST_ulong_le(SSL_SESSION_get_ticket_lifetime_hint(SSL_get_session(clientssl)), ONE_WEEK_SEC)) + goto end; + } + testresult = 1; + +end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + return testresult; +} #endif /* * Test that setting an ALPN does not violate RFC @@ -9780,6 +9838,7 @@ int setup_tests(void) #endif #ifndef OSSL_NO_USABLE_TLS1_3 ADD_TEST(test_sni_tls13); + ADD_ALL_TESTS(test_ticket_lifetime, 2); #endif ADD_TEST(test_inherit_verify_param); ADD_TEST(test_set_alpn); |