From 19c62f90e4608fc57f382cdbe8799ffdb98c9dda Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Thu, 16 Aug 2018 10:50:39 +0200
Subject: [PATCH] Add test for session resumption
---
 library/ssl_tls.c | 11 ++++++-----
 tests/ssl-opt.sh | 26 ++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 5 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index b25d9bfe7..530f283b4 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -2861,10 +2861,7 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )

 if( ssl->handshake->retransmit_state != MBEDTLS_SSL_RETRANS_SENDING )
 {
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise fligh transmission" ) );
-
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "max handshake fragment length: %u",
- max_hs_fragment_len ) );
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "initialise flight transmission" ) );

 ssl->handshake->cur_msg = ssl->handshake->flight;
 ssl->handshake->cur_msg_p = ssl->handshake->flight->p + 12;
@@ -2906,7 +2903,11 @@ int mbedtls_ssl_flight_transmit( mbedtls_ssl_context *ssl )
 ? max_hs_fragment_len : rem_len;

 if( frag_off == 0 && frag_len != hs_len )
- MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message" ) );
+ {
+ MBEDTLS_SSL_DEBUG_MSG( 2, ( "fragmenting handshake message (%u > %u)",
+ (unsigned) hs_len,
+ (unsigned) max_hs_fragment_len ) );
+ }

 /* Messages are stored with handshake headers as if not fragmented,
 * copy beginning of headers then fill fragmentation fields.
diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh
index 833b5e37f..7028a0738 100755
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@@ -5068,6 +5068,32 @@ run_test "DTLS fragmenting: proxy MTU, simple handshake" \
 -c "found fragmented DTLS handshake message" \
 -C "error"

+# This ensures things still work after session_reset(),
+# for example it would have caught #1941.
+# It also exercises the "resumed hanshake" flow.
+# Since we don't support reading fragmented ClientHello yet,
+# up the MTU to 1450 (larger than ClientHello with session ticket,
+# but still smaller than client's Certificate to ensure fragmentation).
+requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
+requires_config_enabled MBEDTLS_RSA_C
+requires_config_enabled MBEDTLS_ECDSA_C
+run_test "DTLS fragmenting: proxy MTU, resumed handshake" \
+ -p "$P_PXY mtu=1450" \
+ "$P_SRV dtls=1 debug_level=2 auth_mode=required \
+ crt_file=data_files/server7_int-ca.crt \
+ key_file=data_files/server7.key \
+ mtu=1450" \
+ "$P_CLI dtls=1 debug_level=2 \
+ crt_file=data_files/server8_int-ca2.crt \
+ key_file=data_files/server8.key \
+ mtu=1450 reconnect=1" \
+ 0 \
+ -S "resend" \
+ -C "resend" \
+ -s "found fragmented DTLS handshake message" \
+ -c "found fragmented DTLS handshake message" \
+ -C "error"
+
 requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_ECDSA_C
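Review bot: Nothing in the new `run_test` call asserts that the second connection was actually resumed, so the test still passes if `reconnect=1` silently falls back to a full handshake. The `-s`/`-c "found fragmented DTLS handshake message"` checks can be satisfied by the first handshake alone, since both connections presumably write to the same log. I would add an explicit resumption check, for example `-s "a session has been resumed"` and `-c "a session has been resumed"` as the other resumption tests in this file appear to do; that message may only be printed above `debug_level=2`, so the level may need raising. The comment also has a typo, `"resumed hanshake"` should read `"resumed handshake"`.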