randombit / botan / 21698354930

coverage: 90.073% (+0.002%) from 90.071%
21698354930

Pull #5285

github

web-flow 
Merge 8ee775e73 into 28378faea
Pull Request #5285: Various header inclusion cleanups

102236 of 113503 relevant lines covered (90.07%)

11458235.6 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

98.98
/src/tests/test_tls_session_manager.cpp
1 
/*
2 
* (C) 2022 Jack Lloyd
3 
* (C) 2022 René Meusel - Rohde & Schwarz Cybersecurity
4 
*
5 
* Botan is released under the Simplified BSD License (see license.txt)
6 
*/
7 









8



#include "tests.h"










9












10



#if defined(BOTAN_HAS_TLS)










11












12



   #include <botan/credentials_manager.h>










13



   #include <botan/rng.h>










14



   #include <botan/tls_callbacks.h>










15



   #include <botan/tls_policy.h>










16



   #include <botan/tls_session_manager_hybrid.h>










17



   #include <botan/tls_session_manager_memory.h>










18



   #include <botan/tls_session_manager_stateless.h>










19



   #include <botan/internal/fmt.h>










20



   #include <array>










21



   #include <chrono>










22












23



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










24



      #include <botan/tls_session_manager_sqlite.h>










25



   #endif










26












27



   #if defined(BOTAN_HAS_TLS_13)










28



      #include <botan/tls_psk_identity_13.h>










29



   #endif










30












31



   #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)










32



      #include <version>










33



      #if defined(__cpp_lib_filesystem)










34



         #include <filesystem>










35



      #endif










36



   #endif










37












38



// This file contains a number of `Botan::TLS::Version_Code::TLS_V**` protocol










39



// version specifications. This is to work around a compiler bug in GCC 11.3










40



// where `Botan::TLS::Protocol_Version::TLS_V12` would lead to an "Internal










41



// Compiler Error" when used in the affected context.










42



//










43



// TODO: remove the workaround once GCC 11 is not supported anymore.










44












45



namespace Botan_Tests {










46












47



class Test_Credentials_Manager : public Botan::Credentials_Manager {




7





48



   public:










49



      Botan::secure_vector<uint8_t> session_ticket_key() override {




55





50



         return Botan::hex_decode_locked("DEADFACECAFEBAAD");




55





51



      }










52



};










53












54



class Other_Test_Credentials_Manager : public Botan::Credentials_Manager {




1





55



   public:










56



      Botan::secure_vector<uint8_t> session_ticket_key() override {




1





57



         return Botan::hex_decode_locked("CAFEBAADFACEBABE");




1





58



      }










59



};










60












61



class Empty_Credentials_Manager : public Botan::Credentials_Manager {};




4





62












63



class Session_Manager_Callbacks : public Botan::TLS::Callbacks {




3





64



   public:










65



      void tls_emit_data(std::span<const uint8_t> /*data*/) override { BOTAN_ASSERT_NOMSG(false); }




×







66












67



      void tls_record_received(uint64_t /*record*/, std::span<const uint8_t> /*data*/) override {




×







68



         BOTAN_ASSERT_NOMSG(false);




×







69



      }










70












71



      void tls_alert(Botan::TLS::Alert /*alert*/) override { BOTAN_ASSERT_NOMSG(false); }




×







72












73



      void tls_session_established(const Botan::TLS::Session_Summary& /*summary*/) override {




×







74



         BOTAN_ASSERT_NOMSG(false);




×







75



      }










76












77



      std::chrono::system_clock::time_point tls_current_timestamp() override {




225





78



         return std::chrono::system_clock::now() + std::chrono::hours(m_ticks);




225





79



      }










80












81



      void tick() { ++m_ticks; }




13





82












83



   private:










84



      uint64_t m_ticks = 0;










85



};










86












87



class Session_Manager_Policy : public Botan::TLS::Policy {




6





88



   public:










89



      std::chrono::seconds session_ticket_lifetime() const override { return std::chrono::minutes(30); }




198





90












91



      bool reuse_session_tickets() const override { return m_allow_session_reuse; }




27





92












93



      size_t maximum_session_tickets_per_client_hello() const override { return m_session_limit; }




58





94












95



      void set_session_limit(size_t l) { m_session_limit = l; }




6





96












97



      void set_allow_session_reuse(bool b) { m_allow_session_reuse = b; }




4





98












99



   private:










100



      size_t m_session_limit = 1000;  // basically 'no limit'










101



      bool m_allow_session_reuse = true;










102



};










103












104



namespace {










105












106



decltype(auto) random_id(Botan::RandomNumberGenerator& rng) {




60





107



   return rng.random_vec<Botan::TLS::Session_ID>(32);




58





108



}










109












110



decltype(auto) random_ticket(Botan::RandomNumberGenerator& rng) {




29





111



   return rng.random_vec<Botan::TLS::Session_Ticket>(32);




27





112



}










113












114



decltype(auto) random_opaque_handle(Botan::RandomNumberGenerator& rng) {




1





115



   return rng.random_vec<Botan::TLS::Opaque_Session_Handle>(32);




1





116



}










117












118



const Botan::TLS::Server_Information& server_info() {




151





119



   static const Botan::TLS::Server_Information si("botan.randombit.net");




151





120



   return si;




151





121



}










122












123



decltype(auto) default_session(Botan::TLS::Connection_Side side,




118





124



                               Botan::TLS::Callbacks& cbs,










125



                               Botan::TLS::Protocol_Version version = Botan::TLS::Protocol_Version::TLS_V12) {










126



   if(version.is_pre_tls_13()) {




118





127



      return Botan::TLS::Session(




108





128



         {}, version, 0x009C, side, true, true, {}, server_info(), 0, cbs.tls_current_timestamp());




216





129



   } else {










130



   #if defined(BOTAN_HAS_TLS_13)










131



      return Botan::TLS::Session({},




10





132



                                 std::nullopt,










133



                                 0,










134



                                 std::chrono::seconds(1024),




10





135



                                 Botan::TLS::Protocol_Version::TLS_V13,










136



                                 Botan::TLS::Ciphersuite::from_name("AES_128_GCM_SHA256")->ciphersuite_code(),




10





137



                                 side,










138



                                 {},










139



                                 nullptr,










140



                                 server_info(),










141



                                 cbs.tls_current_timestamp());




20





142



   #else










143



      throw Test_Error("TLS 1.3 is not available in this build");










144



   #endif










145



   }










146



}










147












148



using namespace std::literals;










149












150



std::vector<Test::Result> test_session_manager_in_memory() {




1





151



   auto rng = Test::new_shared_rng(__func__);




1





152












153



   const Botan::TLS::Session_ID default_id = random_id(*rng);




1





154












155



   std::optional<Botan::TLS::Session_Manager_In_Memory> mgr;




1





156












157



   Session_Manager_Callbacks cbs;




1





158



   Session_Manager_Policy plcy;




1





159












160



   return {




1





161



      CHECK("creation", [&](auto&) { mgr.emplace(rng, 5); }),




1





162












163



      CHECK("empty cache does not obtain anything",










164



            [&](auto& result) {




1





165



               result.confirm("no session found via server info", mgr->find(server_info(), cbs, plcy).empty());




2





166












167



               Botan::TLS::Session_ID const mock_id = random_id(*rng);




1





168



               auto mock_ticket = rng->random_vec<Botan::TLS::Session_Ticket>(128);




1





169












170



               result.confirm("no session found via ID", !mgr->retrieve(mock_id, cbs, plcy));




4





171



               result.confirm("no session found via ID", !mgr->retrieve(mock_ticket, cbs, plcy));




4





172



            }),




2





173












174



      CHECK("clearing empty cache",










175



            [&](auto& result) { result.test_eq("does not delete anything", mgr->remove_all(), 0); }),




2





176












177



      CHECK("establish new session",










178



            [&](auto& result) {




1





179



               auto handle = mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), default_id);




1





180



               if(result.confirm("establishment was successful", handle.has_value())) {




2





181



                  result.require("session id was set", handle->id().has_value());




2





182



                  result.confirm("session ticket was empty", !handle->ticket().has_value());




2





183



                  result.test_is_eq("session id is correct", handle->id().value(), default_id);




3





184



               }










185



            }),




1





186












187



      CHECK("obtain session from server info",










188



            [&](auto& result) {




1





189



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





190



               if(result.confirm("session was found successfully", sessions.size() == 1)) {




2





191



                  result.test_is_eq("protocol version was echoed",




1





192



                                    sessions[0].session.version(),




1





193



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





194



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





195



                  result.test_is_eq("ID was echoed", sessions[0].handle.id().value(), default_id);




3





196



                  result.confirm("not a ticket", !sessions[0].handle.ticket().has_value());




2





197



               }










198



            }),




1





199












200



      CHECK("obtain session from ID",










201



            [&](auto& result) {




1





202



               auto session = mgr->retrieve(default_id, cbs, plcy);




2





203



               if(result.confirm("session was found successfully", session.has_value())) {




2





204



                  result.test_is_eq("protocol version was echoed",




1





205



                                    session->version(),




1





206



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





207



                  result.test_is_eq("ciphersuite was echoed", session->ciphersuite_code(), uint16_t(0x009C));




2





208



               }










209



            }),




1





210












211



      CHECK("obtain session from ID disguised as opaque handle",










212



            [&](auto& result) {




1





213



               auto session = mgr->retrieve(Botan::TLS::Opaque_Session_Handle(default_id), cbs, plcy);




2





214



               if(result.confirm("session was found successfully", session.has_value())) {




2





215



                  result.test_is_eq("protocol version was echoed",




1





216



                                    session->version(),




1





217



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





218



                  result.test_is_eq("ciphersuite was echoed", session->ciphersuite_code(), uint16_t(0x009C));




2





219



               }










220



            }),




1





221












222



      CHECK("obtain session from ticket == id does not work",










223



            [&](auto& result) {




1





224



               auto session = mgr->retrieve(Botan::TLS::Session_Ticket(default_id), cbs, plcy);




2





225



               result.confirm("session was not found", !session.has_value());




2





226



            }),




1





227












228



      CHECK("invalid ticket causes std::nullopt",










229



            [&](auto& result) {




1





230



               auto no_session = mgr->retrieve(random_ticket(*rng), cbs, plcy);




2





231



               result.confirm("std::nullopt on bogus ticket", !no_session.has_value());




2





232



            }),




1





233












234



      CHECK("invalid ID causes std::nullopt",










235



            [&](auto& result) {




1





236



               auto no_session = mgr->retrieve(random_id(*rng), cbs, plcy);




2





237



               result.confirm("std::nullopt on bogus ID", !no_session.has_value());




2





238



            }),




1





239












240



      CHECK("remove_all",










241



            [&](auto& result) {




1





242



               result.test_eq("removed one element", mgr->remove_all(), 1);




1





243



               result.test_eq("should be empty now", mgr->remove_all(), 0);




1





244



            }),




1





245












246



      CHECK("add session with ID",










247



            [&](auto& result) {




1





248



               Botan::TLS::Session_ID const new_id = random_id(*rng);




1





249












250



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), new_id);




3





251



               result.require("obtain via ID", mgr->retrieve(new_id, cbs, plcy).has_value());




5





252












253



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





254



               if(result.confirm("found via server info", sessions.size() == 1)) {




2





255



                  result.test_is_eq("protocol version was echoed",




1





256



                                    sessions[0].session.version(),




1





257



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





258



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




2





259



                  result.test_is_eq("ID was echoed", sessions[0].handle.id().value(), new_id);




3





260



                  result.confirm("ticket was not stored", !sessions[0].handle.ticket().has_value());




2





261



               }










262












263



               mgr->remove_all();




1





264



            }),




2





265












266



      CHECK("add session with ticket",










267



            [&](auto& result) {




1





268



               Botan::TLS::Session_Ticket const new_ticket = random_ticket(*rng);




1





269












270



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), new_ticket);




3





271



               // cannot be obtained by (non-existent) ID or randomly generated ticket










272












273



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





274



               if(result.confirm("found via server info", sessions.size() == 1)) {




2





275



                  result.test_is_eq("protocol version was echoed",




1





276



                                    sessions[0].session.version(),




1





277



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





278



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




2





279



                  result.confirm("ID was not stored", !sessions[0].handle.id().has_value());




2





280



                  result.test_is_eq("ticket was echoed", sessions[0].handle.ticket().value(), new_ticket);




3





281



               }










282












283



               mgr->remove_all();




1





284



            }),




2





285












286



      CHECK("removing by ID or opaque handle",










287



            [&](auto& result) {




1





288



               Botan::TLS::Session_Manager_In_Memory local_mgr(rng);




1





289












290



               const auto new_session1 =




1





291



                  local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), default_id);










292



               const auto new_session2 = local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





293



               result.require(




1





294



                  "saving worked",










295



                  new_session1.has_value() && new_session1->id().has_value() && !new_session1->ticket().has_value());




4





296



               result.require(




1





297



                  "saving worked",










298



                  new_session2.has_value() && new_session2->id().has_value() && !new_session2->ticket().has_value());




4





299












300



               result.test_is_eq(




1





301



                  "can find via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(2));




2





302












303



               result.test_is_eq("one was deleted", local_mgr.remove(default_id), size_t(1));




4





304



               result.confirm("cannot obtain via default ID anymore",




1





305



                              !local_mgr.retrieve(default_id, cbs, plcy).has_value());




4





306



               result.test_is_eq(




1





307



                  "can find less via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(1));




2





308












309



               result.test_is_eq("last one was deleted",




2





310



                                 local_mgr.remove(Botan::TLS::Opaque_Session_Handle(new_session2->id().value())),




3





311



                                 size_t(1));




1





312



               result.confirm("cannot obtain via ID anymore",




1





313



                              !local_mgr.retrieve(new_session2->id().value(), cbs, plcy).has_value());




4





314



               result.confirm("cannot find via server info", local_mgr.find(server_info(), cbs, plcy).empty());




2





315



            }),




2





316












317



      CHECK("removing by ticket or opaque handle",










318



            [&](auto& result) {




1





319



               Botan::TLS::Session_Manager_In_Memory local_mgr(rng);




1





320












321



               Botan::TLS::Session_Ticket const ticket1 = random_ticket(*rng);




1





322



               Botan::TLS::Session_Ticket const ticket2 = random_ticket(*rng);




1





323



               Botan::TLS::Session_Ticket ticket3 = random_ticket(*rng);




1





324












325



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket1);




2





326



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket2);




2





327



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket3);




2





328



               result.test_is_eq(




1





329



                  "can find them via server info ", local_mgr.find(server_info(), cbs, plcy).size(), size_t(3));




2





330












331



               result.test_is_eq("remove one session by ticket", local_mgr.remove(ticket2), size_t(1));




4





332



               result.test_is_eq(




1





333



                  "can find two via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(2));




2





334












335



               result.test_is_eq("remove one session by opaque handle",




2





336



                                 local_mgr.remove(Botan::TLS::Opaque_Session_Handle(ticket3.get())),




2





337



                                 size_t(1));




1





338



               result.test_is_eq(




1





339



                  "can find only one via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(1));




2





340



            }),




3





341












342



      CHECK(










343



         "session purging",










344



         [&](auto& result) {




1





345



            result.require("max sessions is 5", mgr->capacity() == 5);




1





346












347



            // fill the Session_Manager up fully










348



            std::vector<Botan::TLS::Session_Handle> handles;




1





349



            handles.reserve(mgr->capacity());




1





350



            for(size_t i = 0; i < mgr->capacity(); ++i) {




6





351



               handles.push_back(




5





352



                  mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




15





353



            }










354












355



            for(const auto& handle : handles) {




6





356



               result.confirm("session still there", mgr->retrieve(handle, cbs, plcy).has_value());




15





357



            }










358












359



            // add one more session (causing a first purge to happen)










360



            handles.push_back(




1





361



               mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




3





362












363



            result.confirm("oldest session gone", !mgr->retrieve(handles[0], cbs, plcy).has_value());




2





364



            for(size_t i = 1; i < handles.size(); ++i) {




6





365



               result.confirm("session still there", mgr->retrieve(handles[i], cbs, plcy).has_value());




15





366



            }










367












368



            // remove a session to cause a 'gap' in the FIFO










369



            mgr->remove(handles[4]);




1





370



            result.confirm("oldest session gone", !mgr->retrieve(handles[0], cbs, plcy).has_value());




2





371



            result.confirm("deleted session gone", !mgr->retrieve(handles[4], cbs, plcy).has_value());




2





372



            for(size_t i = 1; i < handles.size(); ++i) {




6





373



               result.confirm("session still there", i == 4 || mgr->retrieve(handles[i], cbs, plcy).has_value());




14





374



            }










375












376



            // insert enough new sessions to fully purge the ones currently held










377



            for(size_t i = 0; i < mgr->capacity(); ++i) {




6





378



               handles.push_back(




5





379



                  mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




15





380



            }










381












382



            for(size_t i = 0; i < handles.size() - mgr->capacity(); ++i) {




7





383



               result.confirm("session gone", !mgr->retrieve(handles[i], cbs, plcy).has_value());




12





384



            }










385












386



            for(size_t i = handles.size() - mgr->capacity(); i < handles.size(); ++i) {




6





387



               result.confirm("session still there", mgr->retrieve(handles[i], cbs, plcy).has_value());




15





388



            }










389












390



            // clear it all out










391



            result.test_eq("rest of the sessions removed", mgr->remove_all(), size_t(5));




1





392



         }),




1





393



   };




17





394



}




5





395












396



std::vector<Test::Result> test_session_manager_choose_ticket() {




1





397



   #if defined(BOTAN_HAS_TLS_13)










398



   Session_Manager_Callbacks cbs;




1





399



   Session_Manager_Policy plcy;




1





400












401



   auto rng = Test::new_shared_rng(__func__);




1





402












403



   auto default_session = [&](const std::string& suite,




9





404



                              Botan::TLS::Callbacks& mycbs,










405



                              Botan::TLS::Protocol_Version version = Botan::TLS::Protocol_Version::TLS_V13) {










406



      return (version.is_pre_tls_13())




8





407



                ? Botan::TLS::Session({},




8





408



                                      version,










409



                                      Botan::TLS::Ciphersuite::from_name(suite)->ciphersuite_code(),




1





410



                                      Botan::TLS::Connection_Side::Server,










411



                                      true,










412



                                      true,










413



                                      {},










414



                                      server_info(),










415



                                      0,










416



                                      mycbs.tls_current_timestamp())




1





417



                : Botan::TLS::Session({},










418



                                      std::nullopt,










419



                                      0,










420



                                      std::chrono::seconds(1024),




7





421



                                      version,










422



                                      Botan::TLS::Ciphersuite::from_name(suite)->ciphersuite_code(),




7





423



                                      Botan::TLS::Connection_Side::Server,










424



                                      {},










425



                                      nullptr,










426



                                      server_info(),










427



                                      mycbs.tls_current_timestamp());




23





428



   };










429












430



   auto ticket = [&](std::span<const uint8_t> identity) {




16





431



      return Botan::TLS::PskIdentity(std::vector(identity.begin(), identity.end()), 0);




15





432



   };










433












434



   return {




1





435



      CHECK("empty manager has nothing to choose from",










436



            [&](auto& result) {




1





437



               Botan::TLS::Session_Manager_In_Memory mgr(rng);




1





438












439



               Botan::TLS::Session_Ticket random_session_ticket = random_ticket(*rng);




1





440












441



               result.confirm("empty ticket list, no session",




1





442



                              !mgr.choose_from_offered_tickets({}, "SHA-256", cbs, plcy).has_value());




2





443



               result.confirm(




1





444



                  "empty session manager, no session",










445



                  !mgr.choose_from_offered_tickets(std::vector{ticket(random_session_ticket)}, "SHA-256", cbs, plcy)




3





446



                      .has_value());




3





447



            }),




3





448












449



      CHECK("choose ticket by ID",










450



            [&](auto& result) {




1





451



               Botan::TLS::Session_Manager_In_Memory mgr(rng);




1





452



               std::vector<Botan::TLS::Session_Handle> handles;




1





453












454



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





455



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





456












457



               // choose from a list of tickets that contains only handles[0]










458



               auto session1 =




2





459



                  mgr.choose_from_offered_tickets(std::vector{ticket(handles[0].id().value())}, "SHA-256", cbs, plcy);




3





460



               result.require("ticket was chosen and produced a session (1)", session1.has_value());




1





461



               result.test_is_eq("chosen offset", session1->second, uint16_t(0));




1





462












463



               // choose from a list of tickets that contains only handles[1]










464



               auto session2 =




2





465



                  mgr.choose_from_offered_tickets(std::vector{ticket(handles[1].id().value())}, "SHA-256", cbs, plcy);




3





466



               result.require("ticket was chosen and produced a session (2)", session2.has_value());




1





467



               result.test_is_eq("chosen offset", session2->second, uint16_t(0));




1





468












469



               // choose from a list of tickets that contains a random ticket and handles[1]










470



               auto session3 = mgr.choose_from_offered_tickets(




2





471



                  std::vector{ticket(random_ticket(*rng)), ticket(handles[1].id().value())}, "SHA-256", cbs, plcy);




5





472



               result.require("ticket was chosen and produced a session (3)", session3.has_value());




1





473



               result.test_is_eq("chosen second offset", session3->second, uint16_t(1));




2





474



            }),




13





475












476



      CHECK("choose ticket by ticket",










477



            [&](auto& result) {




1





478



               auto creds = std::make_shared<Test_Credentials_Manager>();










479



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





480



               std::vector<Botan::TLS::Session_Handle> handles;




1





481












482



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





483



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





484












485



               // choose from a list of tickets that contains only handles[0]










486



               auto session1 = mgr.choose_from_offered_tickets(




2





487



                  std::vector{ticket(handles[0].ticket().value())}, "SHA-256", cbs, plcy);




4





488



               result.require("ticket was chosen and produced a session (1)", session1.has_value());




1





489



               result.test_is_eq("chosen offset", session1->second, uint16_t(0));




1





490












491



               // choose from a list of tickets that contains only handles[1]










492



               auto session2 = mgr.choose_from_offered_tickets(




2





493



                  std::vector{ticket(handles[1].ticket().value())}, "SHA-256", cbs, plcy);




4





494



               result.require("ticket was chosen and produced a session (2)", session2.has_value());




1





495



               result.test_is_eq("chosen offset", session2->second, uint16_t(0));




1





496












497



               // choose from a list of tickets that contains a random ticket and handles[1]










498



               auto session3 = mgr.choose_from_offered_tickets(




2





499



                  std::vector{ticket(random_ticket(*rng)), ticket(handles[1].ticket().value())}, "SHA-256", cbs, plcy);




5





500



               result.require("ticket was chosen and produced a session (3)", session3.has_value());




1





501



               result.test_is_eq("chosen second offset", session3->second, uint16_t(1));




2





502



            }),




14





503












504



      CHECK("choose ticket based on requested hash function",










505



            [&](auto& result) {




1





506



               auto creds = std::make_shared<Test_Credentials_Manager>();










507



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





508



               std::vector<Botan::TLS::Session_Handle> handles;




1





509












510



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





511



               handles.push_back(mgr.establish(default_session("AES_256_GCM_SHA384", cbs)).value());




3





512












513



               auto session = mgr.choose_from_offered_tickets(std::vector{ticket(random_ticket(*rng)),




5





514



                                                                          ticket(handles[0].ticket().value()),




1





515



                                                                          ticket(handles[1].ticket().value())},




1





516



                                                              "SHA-384",










517



                                                              cbs,










518



                                                              plcy);










519



               result.require("ticket was chosen and produced a session", session.has_value());




1





520



               result.test_is_eq("chosen second offset", session->second, uint16_t(2));




2





521



            }),




7





522












523



      CHECK("choose ticket based on protocol version",










524



            [&](auto& result) {




1





525



               auto creds = std::make_shared<Test_Credentials_Manager>();










526



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





527



               std::vector<Botan::TLS::Session_Handle> handles;




1





528












529



               handles.push_back(




1





530



                  mgr.establish(default_session("AES_128_GCM_SHA256", cbs, Botan::TLS::Version_Code::TLS_V12)).value());




3





531



               handles.push_back(




1





532



                  mgr.establish(default_session("AES_128_GCM_SHA256", cbs, Botan::TLS::Version_Code::TLS_V13)).value());




3





533












534



               auto session = mgr.choose_from_offered_tickets(std::vector{ticket(random_ticket(*rng)),




5





535



                                                                          ticket(handles[0].ticket().value()),




1





536



                                                                          ticket(handles[1].ticket().value())},




1





537



                                                              "SHA-256",










538



                                                              cbs,










539



                                                              plcy);










540



               result.require("ticket was chosen and produced a session", session.has_value());




1





541



               result.test_is_eq("chosen second offset (TLS 1.3 ticket)", session->second, uint16_t(2));




2





542



            }),




7





543



   };




7





544



   #else










545



   return {};










546



   #endif










547



}




2





548












549



std::vector<Test::Result> test_session_manager_stateless() {




1





550



   auto creds = std::make_shared<Test_Credentials_Manager>();




1





551












552



   auto rng = Test::new_shared_rng(__func__);




1





553












554



   Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





555












556



   Session_Manager_Callbacks cbs;




1





557



   Session_Manager_Policy plcy;




1





558












559



   return {




1





560



      CHECK("establish with default parameters",










561



            [&](auto& result) {




1





562



               result.confirm("will emit tickets", mgr.emits_session_tickets());




2





563



               auto ticket = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





564



               result.confirm("returned ticket", ticket.has_value() && ticket->is_ticket());




2





565



            }),




1





566












567



      CHECK("establish with disabled tickets",










568



            [&](auto& result) {




1





569



               result.confirm("will emit tickets", mgr.emits_session_tickets());




2





570



               auto ticket =




1





571



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), std::nullopt, true);




1





572



               result.confirm("returned std::nullopt", !ticket.has_value());




2





573



            }),




1





574












575



      CHECK("establish without ticket key in credentials manager",










576



            [&](auto& result) {




1





577



               Botan::TLS::Session_Manager_Stateless local_mgr(std::make_shared<Empty_Credentials_Manager>(), rng);




2





578












579



               result.confirm("won't emit tickets", !local_mgr.emits_session_tickets());




2





580



               auto ticket = local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





581



               result.confirm("returned std::nullopt", !ticket.has_value());




2





582



            }),




1





583












584



      CHECK("retrieve via ticket",










585



            [&](auto& result) {




1





586



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





587



               auto ticket2 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





588



               result.require("tickets created successfully", ticket1.has_value() && ticket2.has_value());




1





589












590



               Botan::TLS::Session_Manager_Stateless local_mgr(creds, rng);




1





591



               result.confirm("can retrieve ticket 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




2





592



               result.confirm("can retrieve ticket 2 from different manager but sam credentials",




1





593



                              local_mgr.retrieve(ticket2.value(), cbs, plcy).has_value());




1





594



            }),




3





595












596



      CHECK("retrieve via ID does not work",










597



            [&](auto& result) {




1





598



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





599



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





600












601



               result.confirm("retrieval by ID does not work", !mgr.retrieve(random_id(*rng), cbs, plcy).has_value());




3





602



            }),




1





603












604



      CHECK("retrieve via opaque handle does work",










605



            [&](auto& result) {




1





606



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





607



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





608












609



               result.confirm("retrieval by opaque handle",




1





610



                              mgr.retrieve(ticket1->opaque_handle(), cbs, plcy).has_value());




3





611



            }),




1





612












613



      CHECK("no retrieve without or with wrong ticket key",










614



            [&](auto& result) {




1





615



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





616



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





617












618



               Botan::TLS::Session_Manager_Stateless local_mgr1(std::make_shared<Empty_Credentials_Manager>(), rng);




2





619












620



               Botan::TLS::Session_Manager_Stateless local_mgr2(std::make_shared<Other_Test_Credentials_Manager>(),




2





621



                                                                rng);










622












623



               result.confirm("no successful retrieval (without key)",




1





624



                              !local_mgr1.retrieve(ticket1.value(), cbs, plcy).has_value());




1





625



               result.confirm("no successful retrieval (with wrong key)",




1





626



                              !local_mgr2.retrieve(ticket1.value(), cbs, plcy).has_value());




1





627



               result.confirm("successful retrieval", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




2





628



            }),




2





629












630



      CHECK("Clients cannot be stateless",










631



            [&](auto& result) {




1





632



               result.test_throws("::store() does not work with ID", [&] {




2





633



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_id(*rng));




3





634



               });










635



               result.test_throws("::store() does not work with ticket", [&] {




2





636



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_ticket(*rng));




3





637



               });










638



               result.test_throws("::store() does not work with opaque handle", [&] {




2





639



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_opaque_handle(*rng));




3





640



               });










641












642



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





643



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





644



               result.confirm("finding tickets does not work", mgr.find(server_info(), cbs, plcy).empty());




2





645



            }),




1





646












647



      CHECK("remove is a NOOP",










648



            [&](auto& result) {




1





649



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





650



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





651












652



               result.test_is_eq("remove the ticket", mgr.remove(ticket1.value()), size_t(0));




1





653



               result.confirm("successful retrieval 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




2





654












655



               result.test_is_eq("remove the ticket", mgr.remove_all(), size_t(0));




1





656



               result.confirm("successful retrieval 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




3





657



            }),




1





658












659



      CHECK(










660



         "retrieval via ticket reconstructs the start_time stamp",










661



         [&](auto& result) {




1





662



            auto session_before = default_session(Botan::TLS::Connection_Side::Server, cbs);




1





663



            auto ticket = mgr.establish(session_before);




2





664



            result.require("got a ticket", ticket.has_value() && ticket->is_ticket());




1





665



            auto session_after = mgr.retrieve(ticket.value(), cbs, plcy);




1





666



            result.require("got the session back", session_after.has_value());




2





667












668



            result.test_is_eq(




1





669



               "timestamps match",










670



               std::chrono::duration_cast<std::chrono::seconds>(session_before.start_time().time_since_epoch()).count(),




2





671



               std::chrono::duration_cast<std::chrono::seconds>(session_after->start_time().time_since_epoch())




1





672



                  .count());




2





673



         }),




2





674



   };




11





675



}




4





676












677



std::vector<Test::Result> test_session_manager_hybrid() {




1





678



   auto rng = Test::new_shared_rng(__func__);




1





679












680



   auto creds = std::make_shared<Test_Credentials_Manager>();




1





681



   Session_Manager_Callbacks cbs;




1





682



   Session_Manager_Policy plcy;




1





683












684



   // Runs the passed-in hybrid manager test lambdas for all available stateful










685



   // managers. The `make_manager()` helper is passed into the test code and










686



   // transparently constructs a hybrid manager with the respective internal










687



   // stateful manager.










688



   auto CHECK_all = [&](const std::string& name, auto lambda) -> std::vector<Test::Result> {




4





689



      std::vector<std::pair<std::string, std::function<std::unique_ptr<Botan::TLS::Session_Manager>()>>> const










690



         stateful_manager_factories = {




9





691



            {"In Memory",










692



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




9





693



                return std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10);




6





694



             }},










695



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










696



            {"SQLite",










697



             [&rng]() -> std::




9





698



                         unique_ptr<Botan::TLS::Session_Manager> {










699



                            return std::make_unique<Botan::TLS::Session_Manager_SQLite>(










700



                               "secure_pw", rng, Test::temp_file_name("tls_session_manager_sqlite"), 10);




6





701



                         }},










702



   #endif










703



         };










704












705



      std::vector<Test::Result> results;




3





706



      using namespace std::placeholders;










707



      for(const auto& factory_and_name : stateful_manager_factories) {




15





708



         const auto& stateful_manager_name = factory_and_name.first;




6





709



         const auto& stateful_manager_factory = factory_and_name.second;




6





710



         auto make_manager = [stateful_manager_factory, &creds, &rng](bool prefer_tickets) {




42





711



            return Botan::TLS::Session_Manager_Hybrid(stateful_manager_factory(), creds, rng, prefer_tickets);




48





712



         };










713












714



         auto nm = Botan::fmt("{} ({})", name, stateful_manager_name);




6





715



         auto fn = std::bind(lambda, make_manager, _1);  // NOLINT(*-avoid-bind)




6





716



         results.push_back(CHECK(nm.c_str(), fn));




18





717



      }










718



      return results;




3





719



   };




7





720












721



   return Test::flatten_result_lists({




3





722



      CHECK_all("ticket vs ID preference in establishment",




1





723



                [&](const auto& make_manager, auto& result) {




2





724



                   auto mgr_prefers_tickets = make_manager(true);




2





725



                   auto ticket1 =




2





726



                      mgr_prefers_tickets.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





727



                   result.confirm("emits a ticket", ticket1.has_value() && ticket1->is_ticket());




4





728












729



                   auto mgr_prefers_ids = make_manager(false);




2





730



                   auto ticket2 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





731



                   result.confirm("emits an ID", ticket2.has_value() && ticket2->is_id());




4





732












733



                   auto ticket3 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs),




2





734



                                                            std::nullopt,










735



                                                            true /* TLS 1.2 no ticket support */);










736



                   result.confirm("emits an ID", ticket3.has_value() && ticket3->is_id());




4





737












738



                   auto ticket4 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs),




2





739



                                                            std::nullopt,










740



                                                            true /* TLS 1.2 no ticket support */);










741



                   result.confirm("emits an ID", ticket4.has_value() && ticket4->is_id());




4





742



                }),




8





743












744



      CHECK_all("ticket vs ID preference in retrieval",




1





745



                [&](const auto& make_manager, auto& result) {




2





746



                   auto mgr_prefers_tickets = make_manager(true);




2





747



                   auto mgr_prefers_ids = make_manager(false);




2





748












749



                   auto id1 = mgr_prefers_tickets.underlying_stateful_manager()->establish(




2





750



                      default_session(Botan::TLS::Connection_Side::Server, cbs));










751



                   auto id2 = mgr_prefers_ids.underlying_stateful_manager()->establish(




2





752



                      default_session(Botan::TLS::Connection_Side::Server, cbs));










753



                   auto ticket =




2





754



                      mgr_prefers_tickets.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





755












756



                   result.require("establishments worked", id1.has_value() && id2.has_value() && ticket.has_value());




2





757












758



                   result.confirm("mgr1 + ID1", mgr_prefers_tickets.retrieve(id1.value(), cbs, plcy).has_value());




4





759



                   result.confirm("mgr1 + ID2", !mgr_prefers_tickets.retrieve(id2.value(), cbs, plcy).has_value());




4





760



                   result.confirm("mgr2 + ID1", !mgr_prefers_ids.retrieve(id1.value(), cbs, plcy).has_value());




4





761



                   result.confirm("mgr2 + ID2", mgr_prefers_ids.retrieve(id2.value(), cbs, plcy).has_value());




4





762



                   result.confirm("mgr1 + ticket", mgr_prefers_tickets.retrieve(ticket.value(), cbs, plcy).has_value());




4





763



                   result.confirm("mgr2 + ticket", mgr_prefers_ids.retrieve(ticket.value(), cbs, plcy).has_value());




6





764



                }),




6





765












766



      CHECK_all("no session tickets if hybrid manager cannot create them",




1





767



                [&](const auto& make_manager, auto& result) {




2





768



                   Botan::TLS::Session_Manager_Hybrid empty_mgr(




8





769



                      std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10),




4





770



                      std::make_shared<Empty_Credentials_Manager>(),










771



                      rng);










772



                   auto mgr_prefers_tickets = make_manager(true);




2





773



                   auto mgr_prefers_ids = make_manager(false);




2





774












775



                   result.confirm("does not emit tickets", !empty_mgr.emits_session_tickets());




4





776



                   result.confirm("does emit tickets 1", mgr_prefers_tickets.emits_session_tickets());




4





777



                   result.confirm("does emit tickets 2", mgr_prefers_ids.emits_session_tickets());




4





778



                }),




2





779



   });




4





780



}




4





781












782



namespace {










783












784



class Temporary_Database_File {










785



   private:










786



      std::string m_temp_file;










787












788



   public:










789



      explicit Temporary_Database_File(const std::string& db_file) :




1





790



            m_temp_file(Test::data_file_as_temporary_copy(db_file)) {




1





791



         if(m_temp_file.empty()) {




1





792



            throw Test_Error("Failed to create temporary database file");




×







793



         }










794



      }




1





795












796



      ~Temporary_Database_File() {




1





797



   #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM) && defined(__cpp_lib_filesystem)










798



         if(!m_temp_file.empty()) {




1





799



            std::filesystem::remove(m_temp_file);




1





800



         }










801



   #endif










802



      }




1





803












804



      const std::string& get() const { return m_temp_file; }










805












806



      Temporary_Database_File(const Temporary_Database_File&) = delete;










807



      Temporary_Database_File& operator=(const Temporary_Database_File&) = delete;










808



      Temporary_Database_File(Temporary_Database_File&&) = delete;










809



      Temporary_Database_File& operator=(Temporary_Database_File&&) = delete;










810



};










811












812



}  // namespace










813












814



std::vector<Test::Result> test_session_manager_sqlite() {




1





815



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










816



   auto rng = Test::new_shared_rng(__func__);




1





817



   Session_Manager_Callbacks cbs;




1





818



   Session_Manager_Policy plcy;




1





819












820



   return {




1





821



      CHECK("migrate session database scheme (purges database)",










822



            [&](auto& result) {




1





823



               Temporary_Database_File const dbfile("tls-sessions/botan-2.19.3.sqlite");




1





824












825



               // legacy database (encrypted with 'thetruthisoutthere') containing:










826



               //    $ sqlite3 src/tests/data/tls-sessions/botan-2.19.3.sqlite  'SELECT * FROM tls_sessions;'










827



               //    63C136FAD49F05A184F910FD6568A3884164216C11E41CEBFDCD149AF66C1714|1673606906|cloudflare.com|443|...










828



               //    63C137030387E4A6CDAD303CCB1F53884944FDE5B4EDD91E6FCF74DCB033DCEB|1673606915|randombit.net|443|...










829



               Botan::TLS::Session_Manager_SQLite legacy_db("thetruthisoutthere", rng, dbfile.get());




1





830












831



               result.confirm("Session_ID for randombit.net is gone",




1





832



                              !legacy_db










833



                                  .retrieve(Botan::TLS::Session_ID(Botan::hex_decode(




2





834



                                               "63C137030387E4A6CDAD303CCB1F53884944FDE5B4EDD91E6FCF74DCB033DCEB")),










835



                                            cbs,










836



                                            plcy)










837



                                  .has_value());




3





838



               result.confirm("Session_ID for cloudflare.com is gone",




1





839



                              !legacy_db










840



                                  .retrieve(Botan::TLS::Session_ID(Botan::hex_decode(




2





841



                                               "63C136FAD49F05A184F910FD6568A3884164216C11E41CEBFDCD149AF66C1714")),










842



                                            cbs,










843



                                            plcy)










844



                                  .has_value());




3





845



               result.confirm("no more session for randombit.net",




1





846



                              legacy_db.find(Botan::TLS::Server_Information("randombit.net", 443), cbs, plcy).empty());




2





847



               result.confirm("no more session for cloudflare.com",




1





848



                              legacy_db.find(Botan::TLS::Server_Information("cloudflare.com", 443), cbs, plcy).empty());




2





849












850



               result.test_is_eq("empty database won't get more empty", legacy_db.remove_all(), size_t(0));




2





851



            }),




1





852












853



      CHECK("clearing empty database",










854



            [&](auto& result) {




1





855



               Botan::TLS::Session_Manager_SQLite mgr("thetruthisoutthere", rng, Test::temp_file_name("empty.sqlite"));




1





856



               result.test_eq("does not delete anything", mgr.remove_all(), 0);




2





857



            }),




1





858












859



      CHECK("establish new session",










860



            [&](auto& result) {




1





861



               Botan::TLS::Session_Manager_SQLite mgr(




1





862



                  "thetruthisoutthere", rng, Test::temp_file_name("new_session.sqlite"));




1





863



               auto some_random_id = random_id(*rng);




1





864



               auto some_random_handle =




1





865



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), some_random_id);










866



               result.require("establishment was successful", some_random_handle.has_value());




2





867



               result.require("session id was set", some_random_handle->id().has_value());




2





868



               result.test_is_eq("session id is correct", some_random_handle->id().value(), some_random_id);




3





869












870



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





871



               result.require("establishment was successful", some_virtual_handle.has_value());




2





872



               result.require("session id was set", some_virtual_handle->id().has_value());




2





873



            }),




3





874












875



      CHECK("retrieve session by ID",










876



            [&](auto& result) {




1





877



               Botan::TLS::Session_Manager_SQLite mgr(




1





878



                  "thetruthisoutthere", rng, Test::temp_file_name("retrieve_by_id.sqlite"));




1





879



               auto some_random_id = random_id(*rng);




1





880



               auto some_random_handle =




1





881



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), some_random_id);










882



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





883












884



               result.require("establishment was successful",




1





885



                              some_random_handle->is_id() && some_virtual_handle->is_id());




1





886












887



               auto session1 = mgr.retrieve(some_random_handle.value(), cbs, plcy);




1





888



               if(result.confirm("found session by user-provided ID", session1.has_value())) {




2





889



                  result.test_is_eq("protocol version was echoed",




1





890



                                    session1->version(),




1





891



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





892



                  result.test_is_eq("ciphersuite was echoed", session1->ciphersuite_code(), uint16_t(0x009C));




2





893



               }










894












895



               auto session2 = mgr.retrieve(some_virtual_handle.value(), cbs, plcy);




1





896



               if(result.confirm("found session by manager-generated ID", session2.has_value())) {




2





897



                  result.test_is_eq("protocol version was echoed",




1





898



                                    session2->version(),




1





899



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





900



                  result.test_is_eq("ciphersuite was echoed", session2->ciphersuite_code(), uint16_t(0x009C));




2





901



               }










902












903



               auto session3 = mgr.retrieve(random_id(*rng), cbs, plcy);




2





904



               result.confirm("random ID creates empty result", !session3.has_value());




2





905



            }),




6





906












907



      CHECK("retrieval via ticket creates empty result",










908



            [&](auto& result) {




1





909



               Botan::TLS::Session_Manager_SQLite mgr(




1





910



                  "thetruthisoutthere", rng, Test::temp_file_name("retrieve_by_ticket.sqlite"));




1





911



               auto some_random_handle =




1





912



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng));




1





913



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





914












915



               result.confirm("std::nullopt on random ticket",




1





916



                              !mgr.retrieve(random_ticket(*rng), cbs, plcy).has_value());




3





917



            }),




2





918












919



      CHECK("storing sessions and finding them by server info",










920



            [&](auto& result) {




1





921



               Botan::TLS::Session_Manager_SQLite mgr(




1





922



                  "thetruthisoutthere", rng, Test::temp_file_name("store_and_find.sqlite"));




1





923



               auto id = random_id(*rng);




1





924



               auto ticket = random_ticket(*rng);




1





925



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), id);




2





926



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




2





927












928



               auto found_sessions = mgr.find(server_info(), cbs, plcy);




1





929



               if(result.test_is_eq("found both sessions", found_sessions.size(), size_t(2))) {




1





930



                  for(const auto& [session, handle] : found_sessions) {




3





931



                     result.confirm("ID matches", !handle.is_id() || handle.id().value() == id);




5





932



                     result.confirm("ticket matches", !handle.is_ticket() || handle.ticket().value() == ticket);




5





933



                  }










934



               }










935



            }),




3





936












937



      CHECK("removing sessions",










938



            [&](auto& result) {




1





939



               Botan::TLS::Session_Manager_SQLite mgr("thetruthisoutthere", rng, Test::temp_file_name("remove.sqlite"));




1





940



               auto id = random_id(*rng);




1





941



               auto ticket = random_ticket(*rng);




1





942



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), id);




2





943



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




2





944



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_id(*rng));




2





945



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_ticket(*rng));




2





946












947



               result.test_is_eq("deletes one session by ID", mgr.remove(id), size_t(1));




4





948



               result.test_is_eq("deletes one session by ticket", mgr.remove(ticket), size_t(1));




4





949












950



               auto found_sessions = mgr.find(server_info(), cbs, plcy);




1





951



               if(result.test_is_eq("found some other sessions", found_sessions.size(), size_t(2))) {




1





952



                  for(const auto& [session, handle] : found_sessions) {




3





953



                     result.confirm("ID does not match", !handle.is_id() || handle.id().value() != id);




6





954



                     result.confirm("ticket does not match", !handle.is_ticket() || handle.ticket().value() != ticket);




6





955



                  }










956



               }










957












958



               result.test_is_eq("removing the rest of the sessions", mgr.remove_all(), size_t(2));




1





959



            }),




3





960












961



      CHECK("old sessions are purged when needed",










962



            [&](auto& result) {




1





963



               Botan::TLS::Session_Manager_SQLite mgr(




1





964



                  "thetruthisoutthere", rng, Test::temp_file_name("purging.sqlite"), 1);




1





965












966



               std::vector<Botan::TLS::Session_ID> ids = {random_id(*rng), random_id(*rng), random_id(*rng)};




5





967



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[0]);




2





968



               result.require("new ID exists", mgr.retrieve(ids[0], cbs, plcy).has_value());




5





969












970



               // Session timestamps are saved with second-resolution. If more than










971



               // one session has the same (coarse) timestamp it is undefined which










972



               // will be purged first. The clock tick ensures that session's










973



               // timestamps are unique.










974



               cbs.tick();




1





975



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[1]);




2





976



               result.require("first ID is gone", !mgr.retrieve(ids[0], cbs, plcy).has_value());




4





977



               result.require("new ID exists", mgr.retrieve(ids[1], cbs, plcy).has_value());




5





978












979



               cbs.tick();




1





980



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[2]);




2





981



               result.require("second ID is gone", !mgr.retrieve(ids[1], cbs, plcy).has_value());




4





982



               result.require("new ID exists", mgr.retrieve(ids[2], cbs, plcy).has_value());




5





983












984



               result.test_is_eq("only one entry exists", mgr.remove_all(), size_t(1));




1





985



            }),




2





986












987



      CHECK("session purging can be disabled",










988



            [&](auto& result) {




1





989



               Botan::TLS::Session_Manager_SQLite mgr(




1





990



                  "thetruthisoutthere", rng, Test::temp_file_name("purging.sqlite"), 0 /* no pruning! */);




1





991












992



               for(size_t i = 0; i < 25; ++i) {




26





993



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng));




50





994



               }










995












996



               result.test_is_eq("no entries were purged along the way", mgr.remove_all(), size_t(25));




2





997



            }),




1





998



   };




10





999



   #else










1000



   return {};










1001



   #endif










1002



}




3





1003












1004



std::vector<Test::Result> tls_session_manager_expiry() {




1





1005



   auto rng = Test::new_shared_rng(__func__);




1





1006



   Session_Manager_Callbacks cbs;




1





1007



   Session_Manager_Policy plcy;




1





1008












1009



   auto CHECK_all = [&](const std::string& name, auto lambda) -> std::vector<Test::Result> {




6





1010



      const std::vector<std::pair<std::string, std::function<std::unique_ptr<Botan::TLS::Session_Manager>()>>>










1011



         stateful_manager_factories = {




20





1012



            {"In Memory",










1013



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




10





1014



                return std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10);




5





1015



             }},










1016



            {"Stateless",










1017



             [&]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




7





1018



                return std::make_unique<Botan::TLS::Session_Manager_Stateless>(










1019



                   std::make_shared<Test_Credentials_Manager>(), rng);




2





1020



             }},










1021



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










1022



            {"SQLite",










1023



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




10





1024



                return std::make_unique<Botan::TLS::Session_Manager_SQLite>(










1025



                   "secure_pw", rng, Test::temp_file_name("tls_session_manager_sqlite"), 10);




5





1026



             }},










1027



   #endif










1028



         };










1029












1030



      std::vector<Test::Result> results;




5





1031



      results.reserve(stateful_manager_factories.size());




5





1032



      using namespace std::placeholders;










1033



      for(const auto& [sub_name, factory] : stateful_manager_factories) {




20





1034



         auto nm = Botan::fmt("{} ({})", name, sub_name);




15





1035



         auto fn = std::bind(lambda, sub_name, factory, _1);  // NOLINT(*-avoid-bind)




15





1036



         results.push_back(CHECK(nm.c_str(), fn));




30





1037



      }










1038



      return results;




5





1039



   };




11





1040












1041



   return Test::flatten_result_lists({




5





1042



      CHECK_all("sessions expire",




1





1043



                [&](const auto&, const auto& factory, auto& result) {




3





1044



                   auto mgr = factory();




3





1045












1046



                   auto handle = mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




3





1047



                   result.require("saved successfully", handle.has_value());




6





1048



                   result.require("session was found", mgr->retrieve(handle.value(), cbs, plcy).has_value());




6





1049



                   cbs.tick();




3





1050



                   result.confirm("session has expired", !mgr->retrieve(handle.value(), cbs, plcy).has_value());




6





1051



                   result.test_is_eq("session was deleted when it expired", mgr->remove_all(), size_t(0));




6





1052



                }),




6





1053












1054



         CHECK_all("expired sessions are not found",




1





1055



                   [&](const std::string& type, const auto& factory, auto& result) {




3





1056



                      if(type == "Stateless") {




3





1057



                         return;  // this manager can neither store nor find anything




1





1058



                      }










1059












1060



                      auto mgr = factory();




2





1061












1062



                      auto handle_old = random_id(*rng);




2





1063



                      mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), handle_old);




6





1064



                      result.require("session was found", mgr->retrieve(handle_old, cbs, plcy).has_value());




10





1065












1066



                      cbs.tick();




2





1067



                      auto handle_new = random_id(*rng);




2





1068



                      mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), handle_new);




6





1069



                      result.require("session was found", mgr->retrieve(handle_new, cbs, plcy).has_value());




10





1070












1071



                      auto sessions_and_handles = mgr->find(server_info(), cbs, plcy);




2





1072



                      result.require("sessions are found", !sessions_and_handles.empty());




2





1073



                      result.test_is_eq("exactly one session is found", sessions_and_handles.size(), size_t(1));




4





1074



                      result.test_is_eq(




4





1075



                         "the new session is found", sessions_and_handles.front().handle.id().value(), handle_new);




4





1076












1077



                      result.test_is_eq("old session was deleted when it expired", mgr->remove_all(), size_t(1));




2





1078



                   }),




8





1079












1080



         CHECK_all(




1





1081



            "session tickets are not reused",










1082



            [&](const std::string& type, const auto& factory, auto& result) {




3





1083



               if(type == "Stateless") {




3





1084



                  return;  // this manager can neither store nor find anything




1





1085



               }










1086












1087



               auto mgr = factory();




2





1088












1089



               auto handle_1 = random_id(*rng);




2





1090



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V12),




6





1091



                          handle_1);










1092



               auto handle_2 = random_ticket(*rng);




2





1093



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V12),




6





1094



                          handle_2);










1095












1096



   #if defined(BOTAN_HAS_TLS_13)










1097



               auto handle_3 = random_id(*rng);




2





1098



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V13),




6





1099



                          handle_3);










1100



               auto handle_4 = random_ticket(*rng);




2





1101



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V13),




6





1102



                          handle_4);










1103



   #endif










1104












1105



               plcy.set_allow_session_reuse(false);




2





1106












1107



               auto sessions_and_handles1 = mgr->find(server_info(), cbs, plcy);




2





1108



               result.require("all sessions are found", sessions_and_handles1.size() > 1);




4





1109












1110



               auto sessions_and_handles2 = mgr->find(server_info(), cbs, plcy);




2





1111



               result.test_is_eq("only one session is found", sessions_and_handles2.size(), size_t(1));




4





1112



               result.confirm("found session is the Session_ID", sessions_and_handles2.front().handle.is_id());




4





1113



               result.test_is_eq(




4





1114



                  "found session is the Session_ID", sessions_and_handles2.front().handle.id().value(), handle_1);




6





1115



               result.confirm("found session is TLS 1.2",




4





1116



                              sessions_and_handles2.front().session.version().is_pre_tls_13());




2





1117



            }),




12





1118












1119



         CHECK_all("number of found tickets is capped",




1





1120



                   [&](const std::string& type, const auto& factory, auto& result) {




3





1121



                      if(type == "Stateless") {




3





1122



                         return;  // this manager can neither store nor find anything




1





1123



                      }










1124












1125



                      auto mgr = factory();




2





1126












1127



                      std::array<Botan::TLS::Session_Ticket, 5> tickets;




2





1128



                      for(auto& ticket : tickets) {




12





1129



                         ticket = random_ticket(*rng);




10





1130



                         mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




30





1131



                      }










1132












1133



                      plcy.set_allow_session_reuse(true);




2





1134












1135



                      plcy.set_session_limit(1);




2





1136



                      result.test_is_eq("find one",




2





1137



                                        mgr->find(server_info(), cbs, plcy).size(),




4





1138



                                        plcy.maximum_session_tickets_per_client_hello());




2





1139












1140



                      plcy.set_session_limit(3);




2





1141



                      result.test_is_eq("find three",




2





1142



                                        mgr->find(server_info(), cbs, plcy).size(),




4





1143



                                        plcy.maximum_session_tickets_per_client_hello());




2





1144












1145



                      plcy.set_session_limit(10);




2





1146



                      result.test_is_eq("find all five", mgr->find(server_info(), cbs, plcy).size(), size_t(5));




4





1147



                   }),




4





1148












1149



   #if defined(BOTAN_HAS_TLS_13)










1150



         CHECK_all("expired tickets are not selected for PSK resumption",




1





1151



                   [&](const auto&, const auto& factory, auto& result) {




3





1152



                      auto ticket = [&](const Botan::TLS::Session_Handle& handle) {




12





1153



                         return Botan::TLS::PskIdentity(handle.opaque_handle().get(), 0);




12





1154



                      };










1155












1156



                      auto mgr = factory();




3





1157












1158



                      auto old_handle = mgr->establish(




3





1159



                         default_session(Botan::TLS::Connection_Side::Server, cbs, Botan::TLS::Version_Code::TLS_V13));










1160



                      cbs.tick();




3





1161



                      auto new_handle = mgr->establish(




3





1162



                         default_session(Botan::TLS::Connection_Side::Server, cbs, Botan::TLS::Version_Code::TLS_V13));










1163



                      result.require("both sessions are stored", old_handle.has_value() && new_handle.has_value());




6





1164












1165



                      auto session_and_index = mgr->choose_from_offered_tickets(




12





1166



                         std::vector{ticket(old_handle.value()), ticket(new_handle.value())}, "SHA-256", cbs, plcy);




6





1167



                      result.require("a ticket was chosen", session_and_index.has_value());




3





1168



                      result.test_is_eq("the new ticket was chosen", session_and_index->second, uint16_t(1));




3





1169












1170



                      cbs.tick();




3





1171












1172



                      auto nothing = mgr->choose_from_offered_tickets(




12





1173



                         std::vector{ticket(new_handle.value()), ticket(old_handle.value())}, "SHA-256", cbs, plcy);




6





1174



                      result.require("all tickets are expired", !nothing.has_value());




6





1175



                   }),




33





1176



   #endif










1177



   });




6





1178



}




3





1179












1180



}  // namespace










1181












1182



BOTAN_REGISTER_TEST_FN("tls",










1183



                       "tls_session_manager",










1184



                       test_session_manager_in_memory,










1185



                       test_session_manager_choose_ticket,










1186



                       test_session_manager_stateless,










1187



                       test_session_manager_hybrid,










1188



                       test_session_manager_sqlite,










1189



                       tls_session_manager_expiry);










1190












1191



}  // namespace Botan_Tests










1192












1193



#endif  // BOTAN_HAS_TLS
























    

  • 

    •