randombit / botan / 22018375255

coverage: 90.069% (+0.007%) from 90.062%
22018375255

Pull #5330

github

web-flow 
Merge d3b2de7c6 into fa5638d32
Pull Request #5330: Avoid including assert.h into tests.h

102246 of 113520 relevant lines covered (90.07%)

11438982.24 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

98.98
/src/tests/test_tls_session_manager.cpp
1 
/*
2 
* (C) 2022 Jack Lloyd
3 
* (C) 2022 René Meusel - Rohde & Schwarz Cybersecurity
4 
*
5 
* Botan is released under the Simplified BSD License (see license.txt)
6 
*/
7 









8



#include "tests.h"










9












10



#if defined(BOTAN_HAS_TLS)










11












12



   #include <botan/assert.h>










13



   #include <botan/credentials_manager.h>










14



   #include <botan/hex.h>










15



   #include <botan/rng.h>










16



   #include <botan/tls_callbacks.h>










17



   #include <botan/tls_policy.h>










18



   #include <botan/tls_session_manager_hybrid.h>










19



   #include <botan/tls_session_manager_memory.h>










20



   #include <botan/tls_session_manager_stateless.h>










21



   #include <botan/internal/fmt.h>










22



   #include <array>










23



   #include <chrono>










24












25



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










26



      #include <botan/tls_session_manager_sqlite.h>










27



   #endif










28












29



   #if defined(BOTAN_HAS_TLS_13)










30



      #include <botan/tls_psk_identity_13.h>










31



   #endif










32












33



   #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)










34



      #include <version>










35



      #if defined(__cpp_lib_filesystem)










36



         #include <filesystem>










37



      #endif










38



   #endif










39












40



// This file contains a number of `Botan::TLS::Version_Code::TLS_V**` protocol










41



// version specifications. This is to work around a compiler bug in GCC 11.3










42



// where `Botan::TLS::Protocol_Version::TLS_V12` would lead to an "Internal










43



// Compiler Error" when used in the affected context.










44



//










45



// TODO: remove the workaround once GCC 11 is not supported anymore.










46












47



namespace Botan_Tests {










48












49



class Test_Credentials_Manager : public Botan::Credentials_Manager {




7





50



   public:










51



      Botan::secure_vector<uint8_t> session_ticket_key() override {




55





52



         return Botan::hex_decode_locked("DEADFACECAFEBAAD");




55





53



      }










54



};










55












56



class Other_Test_Credentials_Manager : public Botan::Credentials_Manager {




1





57



   public:










58



      Botan::secure_vector<uint8_t> session_ticket_key() override {




1





59



         return Botan::hex_decode_locked("CAFEBAADFACEBABE");




1





60



      }










61



};










62












63



class Empty_Credentials_Manager : public Botan::Credentials_Manager {};




4





64












65



class Session_Manager_Callbacks : public Botan::TLS::Callbacks {




3





66



   public:










67



      void tls_emit_data(std::span<const uint8_t> /*data*/) override { BOTAN_ASSERT_NOMSG(false); }




×







68












69



      void tls_record_received(uint64_t /*record*/, std::span<const uint8_t> /*data*/) override {




×







70



         BOTAN_ASSERT_NOMSG(false);




×







71



      }










72












73



      void tls_alert(Botan::TLS::Alert /*alert*/) override { BOTAN_ASSERT_NOMSG(false); }




×







74












75



      void tls_session_established(const Botan::TLS::Session_Summary& /*summary*/) override {




×







76



         BOTAN_ASSERT_NOMSG(false);




×







77



      }










78












79



      std::chrono::system_clock::time_point tls_current_timestamp() override {




225





80



         return std::chrono::system_clock::now() + std::chrono::hours(m_ticks);




225





81



      }










82












83



      void tick() { ++m_ticks; }




13





84












85



   private:










86



      uint64_t m_ticks = 0;










87



};










88












89



class Session_Manager_Policy : public Botan::TLS::Policy {




6





90



   public:










91



      std::chrono::seconds session_ticket_lifetime() const override { return std::chrono::minutes(30); }




198





92












93



      bool reuse_session_tickets() const override { return m_allow_session_reuse; }




27





94












95



      size_t maximum_session_tickets_per_client_hello() const override { return m_session_limit; }




58





96












97



      void set_session_limit(size_t l) { m_session_limit = l; }




6





98












99



      void set_allow_session_reuse(bool b) { m_allow_session_reuse = b; }




4





100












101



   private:










102



      size_t m_session_limit = 1000;  // basically 'no limit'










103



      bool m_allow_session_reuse = true;










104



};










105












106



namespace {










107












108



decltype(auto) random_id(Botan::RandomNumberGenerator& rng) {




60





109



   return rng.random_vec<Botan::TLS::Session_ID>(32);




58





110



}










111












112



decltype(auto) random_ticket(Botan::RandomNumberGenerator& rng) {




29





113



   return rng.random_vec<Botan::TLS::Session_Ticket>(32);




27





114



}










115












116



decltype(auto) random_opaque_handle(Botan::RandomNumberGenerator& rng) {




1





117



   return rng.random_vec<Botan::TLS::Opaque_Session_Handle>(32);




1





118



}










119












120



const Botan::TLS::Server_Information& server_info() {




151





121



   static const Botan::TLS::Server_Information si("botan.randombit.net");




151





122



   return si;




151





123



}










124












125



decltype(auto) default_session(Botan::TLS::Connection_Side side,




118





126



                               Botan::TLS::Callbacks& cbs,










127



                               Botan::TLS::Protocol_Version version = Botan::TLS::Protocol_Version::TLS_V12) {










128



   if(version.is_pre_tls_13()) {




118





129



      return Botan::TLS::Session(




108





130



         {}, version, 0x009C, side, true, true, {}, server_info(), 0, cbs.tls_current_timestamp());




216





131



   } else {










132



   #if defined(BOTAN_HAS_TLS_13)










133



      return Botan::TLS::Session({},




10





134



                                 std::nullopt,










135



                                 0,










136



                                 std::chrono::seconds(1024),




10





137



                                 Botan::TLS::Protocol_Version::TLS_V13,










138



                                 Botan::TLS::Ciphersuite::from_name("AES_128_GCM_SHA256")->ciphersuite_code(),




10





139



                                 side,










140



                                 {},










141



                                 nullptr,










142



                                 server_info(),










143



                                 cbs.tls_current_timestamp());




20





144



   #else










145



      throw Test_Error("TLS 1.3 is not available in this build");










146



   #endif










147



   }










148



}










149












150



using namespace std::literals;










151












152



std::vector<Test::Result> test_session_manager_in_memory() {




1





153



   auto rng = Test::new_shared_rng(__func__);




1





154












155



   const Botan::TLS::Session_ID default_id = random_id(*rng);




1





156












157



   std::optional<Botan::TLS::Session_Manager_In_Memory> mgr;




1





158












159



   Session_Manager_Callbacks cbs;




1





160



   Session_Manager_Policy plcy;




1





161












162



   return {




1





163



      CHECK("creation", [&](auto&) { mgr.emplace(rng, 5); }),




1





164












165



      CHECK("empty cache does not obtain anything",










166



            [&](auto& result) {




1





167



               result.confirm("no session found via server info", mgr->find(server_info(), cbs, plcy).empty());




1





168












169



               Botan::TLS::Session_ID const mock_id = random_id(*rng);




1





170



               auto mock_ticket = rng->random_vec<Botan::TLS::Session_Ticket>(128);




1





171












172



               result.confirm("no session found via ID", !mgr->retrieve(mock_id, cbs, plcy));




3





173



               result.confirm("no session found via ID", !mgr->retrieve(mock_ticket, cbs, plcy));




3





174



            }),




2





175












176



      CHECK("clearing empty cache",










177



            [&](auto& result) { result.test_eq("does not delete anything", mgr->remove_all(), 0); }),




1





178












179



      CHECK("establish new session",










180



            [&](auto& result) {




1





181



               auto handle = mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), default_id);




1





182



               if(result.confirm("establishment was successful", handle.has_value())) {




1





183



                  result.require("session id was set", handle->id().has_value());




1





184



                  result.confirm("session ticket was empty", !handle->ticket().has_value());




1





185



                  result.test_is_eq("session id is correct", handle->id().value(), default_id);




2





186



               }










187



            }),




1





188












189



      CHECK("obtain session from server info",










190



            [&](auto& result) {




1





191



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





192



               if(result.confirm("session was found successfully", sessions.size() == 1)) {




1





193



                  result.test_is_eq("protocol version was echoed",




1





194



                                    sessions[0].session.version(),




1





195



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





196



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





197



                  result.test_is_eq("ID was echoed", sessions[0].handle.id().value(), default_id);




2





198



                  result.confirm("not a ticket", !sessions[0].handle.ticket().has_value());




1





199



               }










200



            }),




1





201












202



      CHECK("obtain session from ID",










203



            [&](auto& result) {




1





204



               auto session = mgr->retrieve(default_id, cbs, plcy);




2





205



               if(result.confirm("session was found successfully", session.has_value())) {




1





206



                  result.test_is_eq("protocol version was echoed",




1





207



                                    session->version(),




1





208



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





209



                  result.test_is_eq("ciphersuite was echoed", session->ciphersuite_code(), uint16_t(0x009C));




1





210



               }










211



            }),




1





212












213



      CHECK("obtain session from ID disguised as opaque handle",










214



            [&](auto& result) {




1





215



               auto session = mgr->retrieve(Botan::TLS::Opaque_Session_Handle(default_id), cbs, plcy);




2





216



               if(result.confirm("session was found successfully", session.has_value())) {




1





217



                  result.test_is_eq("protocol version was echoed",




1





218



                                    session->version(),




1





219



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





220



                  result.test_is_eq("ciphersuite was echoed", session->ciphersuite_code(), uint16_t(0x009C));




1





221



               }










222



            }),




1





223












224



      CHECK("obtain session from ticket == id does not work",










225



            [&](auto& result) {




1





226



               auto session = mgr->retrieve(Botan::TLS::Session_Ticket(default_id), cbs, plcy);




2





227



               result.confirm("session was not found", !session.has_value());




1





228



            }),




1





229












230



      CHECK("invalid ticket causes std::nullopt",










231



            [&](auto& result) {




1





232



               auto no_session = mgr->retrieve(random_ticket(*rng), cbs, plcy);




2





233



               result.confirm("std::nullopt on bogus ticket", !no_session.has_value());




1





234



            }),




1





235












236



      CHECK("invalid ID causes std::nullopt",










237



            [&](auto& result) {




1





238



               auto no_session = mgr->retrieve(random_id(*rng), cbs, plcy);




2





239



               result.confirm("std::nullopt on bogus ID", !no_session.has_value());




1





240



            }),




1





241












242



      CHECK("remove_all",










243



            [&](auto& result) {




1





244



               result.test_eq("removed one element", mgr->remove_all(), 1);




1





245



               result.test_eq("should be empty now", mgr->remove_all(), 0);




1





246



            }),




1





247












248



      CHECK("add session with ID",










249



            [&](auto& result) {




1





250



               Botan::TLS::Session_ID const new_id = random_id(*rng);




1





251












252



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), new_id);




3





253



               result.require("obtain via ID", mgr->retrieve(new_id, cbs, plcy).has_value());




4





254












255



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





256



               if(result.confirm("found via server info", sessions.size() == 1)) {




1





257



                  result.test_is_eq("protocol version was echoed",




1





258



                                    sessions[0].session.version(),




1





259



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





260



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





261



                  result.test_is_eq("ID was echoed", sessions[0].handle.id().value(), new_id);




2





262



                  result.confirm("ticket was not stored", !sessions[0].handle.ticket().has_value());




1





263



               }










264












265



               mgr->remove_all();




1





266



            }),




2





267












268



      CHECK("add session with ticket",










269



            [&](auto& result) {




1





270



               Botan::TLS::Session_Ticket const new_ticket = random_ticket(*rng);




1





271












272



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), new_ticket);




3





273



               // cannot be obtained by (non-existent) ID or randomly generated ticket










274












275



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





276



               if(result.confirm("found via server info", sessions.size() == 1)) {




1





277



                  result.test_is_eq("protocol version was echoed",




1





278



                                    sessions[0].session.version(),




1





279



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





280



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





281



                  result.confirm("ID was not stored", !sessions[0].handle.id().has_value());




1





282



                  result.test_is_eq("ticket was echoed", sessions[0].handle.ticket().value(), new_ticket);




2





283



               }










284












285



               mgr->remove_all();




1





286



            }),




2





287












288



      CHECK("removing by ID or opaque handle",










289



            [&](auto& result) {




1





290



               Botan::TLS::Session_Manager_In_Memory local_mgr(rng);




1





291












292



               const auto new_session1 =




1





293



                  local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), default_id);










294



               const auto new_session2 = local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





295



               result.require(




1





296



                  "saving worked",










297



                  new_session1.has_value() && new_session1->id().has_value() && !new_session1->ticket().has_value());




4





298



               result.require(




1





299



                  "saving worked",










300



                  new_session2.has_value() && new_session2->id().has_value() && !new_session2->ticket().has_value());




4





301












302



               result.test_is_eq(




1





303



                  "can find via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(2));




1





304












305



               result.test_is_eq("one was deleted", local_mgr.remove(default_id), size_t(1));




3





306



               result.confirm("cannot obtain via default ID anymore",




1





307



                              !local_mgr.retrieve(default_id, cbs, plcy).has_value());




4





308



               result.test_is_eq(




1





309



                  "can find less via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(1));




1





310












311



               result.test_is_eq("last one was deleted",




1





312



                                 local_mgr.remove(Botan::TLS::Opaque_Session_Handle(new_session2->id().value())),




3





313



                                 size_t(1));




1





314



               result.confirm("cannot obtain via ID anymore",




1





315



                              !local_mgr.retrieve(new_session2->id().value(), cbs, plcy).has_value());




4





316



               result.confirm("cannot find via server info", local_mgr.find(server_info(), cbs, plcy).empty());




1





317



            }),




2





318












319



      CHECK("removing by ticket or opaque handle",










320



            [&](auto& result) {




1





321



               Botan::TLS::Session_Manager_In_Memory local_mgr(rng);




1





322












323



               Botan::TLS::Session_Ticket const ticket1 = random_ticket(*rng);




1





324



               Botan::TLS::Session_Ticket const ticket2 = random_ticket(*rng);




1





325



               Botan::TLS::Session_Ticket ticket3 = random_ticket(*rng);




1





326












327



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket1);




2





328



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket2);




2





329



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket3);




2





330



               result.test_is_eq(




1





331



                  "can find them via server info ", local_mgr.find(server_info(), cbs, plcy).size(), size_t(3));




1





332












333



               result.test_is_eq("remove one session by ticket", local_mgr.remove(ticket2), size_t(1));




3





334



               result.test_is_eq(




1





335



                  "can find two via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(2));




1





336












337



               result.test_is_eq("remove one session by opaque handle",




1





338



                                 local_mgr.remove(Botan::TLS::Opaque_Session_Handle(ticket3.get())),




2





339



                                 size_t(1));




1





340



               result.test_is_eq(




1





341



                  "can find only one via server info", local_mgr.find(server_info(), cbs, plcy).size(), size_t(1));




1





342



            }),




3





343












344



      CHECK(










345



         "session purging",










346



         [&](auto& result) {




1





347



            result.require("max sessions is 5", mgr->capacity() == 5);




1





348












349



            // fill the Session_Manager up fully










350



            std::vector<Botan::TLS::Session_Handle> handles;




1





351



            handles.reserve(mgr->capacity());




1





352



            for(size_t i = 0; i < mgr->capacity(); ++i) {




6





353



               handles.push_back(




5





354



                  mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




15





355



            }










356












357



            for(const auto& handle : handles) {




6





358



               result.confirm("session still there", mgr->retrieve(handle, cbs, plcy).has_value());




10





359



            }










360












361



            // add one more session (causing a first purge to happen)










362



            handles.push_back(




1





363



               mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




3





364












365



            result.confirm("oldest session gone", !mgr->retrieve(handles[0], cbs, plcy).has_value());




1





366



            for(size_t i = 1; i < handles.size(); ++i) {




6





367



               result.confirm("session still there", mgr->retrieve(handles[i], cbs, plcy).has_value());




10





368



            }










369












370



            // remove a session to cause a 'gap' in the FIFO










371



            mgr->remove(handles[4]);




1





372



            result.confirm("oldest session gone", !mgr->retrieve(handles[0], cbs, plcy).has_value());




1





373



            result.confirm("deleted session gone", !mgr->retrieve(handles[4], cbs, plcy).has_value());




1





374



            for(size_t i = 1; i < handles.size(); ++i) {




6





375



               result.confirm("session still there", i == 4 || mgr->retrieve(handles[i], cbs, plcy).has_value());




9





376



            }










377












378



            // insert enough new sessions to fully purge the ones currently held










379



            for(size_t i = 0; i < mgr->capacity(); ++i) {




6





380



               handles.push_back(




5





381



                  mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




15





382



            }










383












384



            for(size_t i = 0; i < handles.size() - mgr->capacity(); ++i) {




7





385



               result.confirm("session gone", !mgr->retrieve(handles[i], cbs, plcy).has_value());




6





386



            }










387












388



            for(size_t i = handles.size() - mgr->capacity(); i < handles.size(); ++i) {




6





389



               result.confirm("session still there", mgr->retrieve(handles[i], cbs, plcy).has_value());




10





390



            }










391












392



            // clear it all out










393



            result.test_eq("rest of the sessions removed", mgr->remove_all(), size_t(5));




1





394



         }),




1





395



   };




17





396



}




5





397












398



std::vector<Test::Result> test_session_manager_choose_ticket() {




1





399



   #if defined(BOTAN_HAS_TLS_13)










400



   Session_Manager_Callbacks cbs;




1





401



   Session_Manager_Policy plcy;




1





402












403



   auto rng = Test::new_shared_rng(__func__);




1





404












405



   auto default_session = [&](const std::string& suite,




9





406



                              Botan::TLS::Callbacks& mycbs,










407



                              Botan::TLS::Protocol_Version version = Botan::TLS::Protocol_Version::TLS_V13) {










408



      return (version.is_pre_tls_13())




8





409



                ? Botan::TLS::Session({},




8





410



                                      version,










411



                                      Botan::TLS::Ciphersuite::from_name(suite)->ciphersuite_code(),




1





412



                                      Botan::TLS::Connection_Side::Server,










413



                                      true,










414



                                      true,










415



                                      {},










416



                                      server_info(),










417



                                      0,










418



                                      mycbs.tls_current_timestamp())




1





419



                : Botan::TLS::Session({},










420



                                      std::nullopt,










421



                                      0,










422



                                      std::chrono::seconds(1024),




7





423



                                      version,










424



                                      Botan::TLS::Ciphersuite::from_name(suite)->ciphersuite_code(),




7





425



                                      Botan::TLS::Connection_Side::Server,










426



                                      {},










427



                                      nullptr,










428



                                      server_info(),










429



                                      mycbs.tls_current_timestamp());




23





430



   };










431












432



   auto ticket = [&](std::span<const uint8_t> identity) {




16





433



      return Botan::TLS::PskIdentity(std::vector(identity.begin(), identity.end()), 0);




15





434



   };










435












436



   return {




1





437



      CHECK("empty manager has nothing to choose from",










438



            [&](auto& result) {




1





439



               Botan::TLS::Session_Manager_In_Memory mgr(rng);




1





440












441



               Botan::TLS::Session_Ticket random_session_ticket = random_ticket(*rng);




1





442












443



               result.confirm("empty ticket list, no session",




1





444



                              !mgr.choose_from_offered_tickets({}, "SHA-256", cbs, plcy).has_value());




2





445



               result.confirm(




1





446



                  "empty session manager, no session",










447



                  !mgr.choose_from_offered_tickets(std::vector{ticket(random_session_ticket)}, "SHA-256", cbs, plcy)




3





448



                      .has_value());




3





449



            }),




3





450












451



      CHECK("choose ticket by ID",










452



            [&](auto& result) {




1





453



               Botan::TLS::Session_Manager_In_Memory mgr(rng);




1





454



               std::vector<Botan::TLS::Session_Handle> handles;




1





455












456



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





457



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





458












459



               // choose from a list of tickets that contains only handles[0]










460



               auto session1 =




2





461



                  mgr.choose_from_offered_tickets(std::vector{ticket(handles[0].id().value())}, "SHA-256", cbs, plcy);




3





462



               result.require("ticket was chosen and produced a session (1)", session1.has_value());




1





463



               result.test_is_eq("chosen offset", session1->second, uint16_t(0));




1





464












465



               // choose from a list of tickets that contains only handles[1]










466



               auto session2 =




2





467



                  mgr.choose_from_offered_tickets(std::vector{ticket(handles[1].id().value())}, "SHA-256", cbs, plcy);




3





468



               result.require("ticket was chosen and produced a session (2)", session2.has_value());




1





469



               result.test_is_eq("chosen offset", session2->second, uint16_t(0));




1





470












471



               // choose from a list of tickets that contains a random ticket and handles[1]










472



               auto session3 = mgr.choose_from_offered_tickets(




2





473



                  std::vector{ticket(random_ticket(*rng)), ticket(handles[1].id().value())}, "SHA-256", cbs, plcy);




5





474



               result.require("ticket was chosen and produced a session (3)", session3.has_value());




1





475



               result.test_is_eq("chosen second offset", session3->second, uint16_t(1));




1





476



            }),




13





477












478



      CHECK("choose ticket by ticket",










479



            [&](auto& result) {




1





480



               auto creds = std::make_shared<Test_Credentials_Manager>();










481



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





482



               std::vector<Botan::TLS::Session_Handle> handles;




1





483












484



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





485



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





486












487



               // choose from a list of tickets that contains only handles[0]










488



               auto session1 = mgr.choose_from_offered_tickets(




2





489



                  std::vector{ticket(handles[0].ticket().value())}, "SHA-256", cbs, plcy);




4





490



               result.require("ticket was chosen and produced a session (1)", session1.has_value());




1





491



               result.test_is_eq("chosen offset", session1->second, uint16_t(0));




1





492












493



               // choose from a list of tickets that contains only handles[1]










494



               auto session2 = mgr.choose_from_offered_tickets(




2





495



                  std::vector{ticket(handles[1].ticket().value())}, "SHA-256", cbs, plcy);




4





496



               result.require("ticket was chosen and produced a session (2)", session2.has_value());




1





497



               result.test_is_eq("chosen offset", session2->second, uint16_t(0));




1





498












499



               // choose from a list of tickets that contains a random ticket and handles[1]










500



               auto session3 = mgr.choose_from_offered_tickets(




2





501



                  std::vector{ticket(random_ticket(*rng)), ticket(handles[1].ticket().value())}, "SHA-256", cbs, plcy);




5





502



               result.require("ticket was chosen and produced a session (3)", session3.has_value());




1





503



               result.test_is_eq("chosen second offset", session3->second, uint16_t(1));




1





504



            }),




14





505












506



      CHECK("choose ticket based on requested hash function",










507



            [&](auto& result) {




1





508



               auto creds = std::make_shared<Test_Credentials_Manager>();










509



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





510



               std::vector<Botan::TLS::Session_Handle> handles;




1





511












512



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





513



               handles.push_back(mgr.establish(default_session("AES_256_GCM_SHA384", cbs)).value());




3





514












515



               auto session = mgr.choose_from_offered_tickets(std::vector{ticket(random_ticket(*rng)),




5





516



                                                                          ticket(handles[0].ticket().value()),




1





517



                                                                          ticket(handles[1].ticket().value())},




1





518



                                                              "SHA-384",










519



                                                              cbs,










520



                                                              plcy);










521



               result.require("ticket was chosen and produced a session", session.has_value());




1





522



               result.test_is_eq("chosen second offset", session->second, uint16_t(2));




1





523



            }),




7





524












525



      CHECK("choose ticket based on protocol version",










526



            [&](auto& result) {




1





527



               auto creds = std::make_shared<Test_Credentials_Manager>();










528



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





529



               std::vector<Botan::TLS::Session_Handle> handles;




1





530












531



               handles.push_back(




1





532



                  mgr.establish(default_session("AES_128_GCM_SHA256", cbs, Botan::TLS::Version_Code::TLS_V12)).value());




3





533



               handles.push_back(




1





534



                  mgr.establish(default_session("AES_128_GCM_SHA256", cbs, Botan::TLS::Version_Code::TLS_V13)).value());




3





535












536



               auto session = mgr.choose_from_offered_tickets(std::vector{ticket(random_ticket(*rng)),




5





537



                                                                          ticket(handles[0].ticket().value()),




1





538



                                                                          ticket(handles[1].ticket().value())},




1





539



                                                              "SHA-256",










540



                                                              cbs,










541



                                                              plcy);










542



               result.require("ticket was chosen and produced a session", session.has_value());




1





543



               result.test_is_eq("chosen second offset (TLS 1.3 ticket)", session->second, uint16_t(2));




1





544



            }),




7





545



   };




7





546



   #else










547



   return {};










548



   #endif










549



}




2





550












551



std::vector<Test::Result> test_session_manager_stateless() {




1





552



   auto creds = std::make_shared<Test_Credentials_Manager>();




1





553












554



   auto rng = Test::new_shared_rng(__func__);




1





555












556



   Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





557












558



   Session_Manager_Callbacks cbs;




1





559



   Session_Manager_Policy plcy;




1





560












561



   return {




1





562



      CHECK("establish with default parameters",










563



            [&](auto& result) {




1





564



               result.confirm("will emit tickets", mgr.emits_session_tickets());




1





565



               auto ticket = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





566



               result.confirm("returned ticket", ticket.has_value() && ticket->is_ticket());




1





567



            }),




1





568












569



      CHECK("establish with disabled tickets",










570



            [&](auto& result) {




1





571



               result.confirm("will emit tickets", mgr.emits_session_tickets());




1





572



               auto ticket =




1





573



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), std::nullopt, true);




1





574



               result.confirm("returned std::nullopt", !ticket.has_value());




1





575



            }),




1





576












577



      CHECK("establish without ticket key in credentials manager",










578



            [&](auto& result) {




1





579



               Botan::TLS::Session_Manager_Stateless local_mgr(std::make_shared<Empty_Credentials_Manager>(), rng);




2





580












581



               result.confirm("won't emit tickets", !local_mgr.emits_session_tickets());




1





582



               auto ticket = local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





583



               result.confirm("returned std::nullopt", !ticket.has_value());




1





584



            }),




1





585












586



      CHECK("retrieve via ticket",










587



            [&](auto& result) {




1





588



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





589



               auto ticket2 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





590



               result.require("tickets created successfully", ticket1.has_value() && ticket2.has_value());




1





591












592



               Botan::TLS::Session_Manager_Stateless local_mgr(creds, rng);




1





593



               result.confirm("can retrieve ticket 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




1





594



               result.confirm("can retrieve ticket 2 from different manager but sam credentials",




1





595



                              local_mgr.retrieve(ticket2.value(), cbs, plcy).has_value());




1





596



            }),




3





597












598



      CHECK("retrieve via ID does not work",










599



            [&](auto& result) {




1





600



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





601



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





602












603



               result.confirm("retrieval by ID does not work", !mgr.retrieve(random_id(*rng), cbs, plcy).has_value());




2





604



            }),




1





605












606



      CHECK("retrieve via opaque handle does work",










607



            [&](auto& result) {




1





608



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





609



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





610












611



               result.confirm("retrieval by opaque handle",




1





612



                              mgr.retrieve(ticket1->opaque_handle(), cbs, plcy).has_value());




3





613



            }),




1





614












615



      CHECK("no retrieve without or with wrong ticket key",










616



            [&](auto& result) {




1





617



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





618



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





619












620



               Botan::TLS::Session_Manager_Stateless local_mgr1(std::make_shared<Empty_Credentials_Manager>(), rng);




2





621












622



               Botan::TLS::Session_Manager_Stateless local_mgr2(std::make_shared<Other_Test_Credentials_Manager>(),




2





623



                                                                rng);










624












625



               result.confirm("no successful retrieval (without key)",




1





626



                              !local_mgr1.retrieve(ticket1.value(), cbs, plcy).has_value());




1





627



               result.confirm("no successful retrieval (with wrong key)",




1





628



                              !local_mgr2.retrieve(ticket1.value(), cbs, plcy).has_value());




1





629



               result.confirm("successful retrieval", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




1





630



            }),




2





631












632



      CHECK("Clients cannot be stateless",










633



            [&](auto& result) {




1





634



               result.test_throws("::store() does not work with ID", [&] {




1





635



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_id(*rng));




3





636



               });










637



               result.test_throws("::store() does not work with ticket", [&] {




1





638



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_ticket(*rng));




3





639



               });










640



               result.test_throws("::store() does not work with opaque handle", [&] {




1





641



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_opaque_handle(*rng));




3





642



               });










643












644



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





645



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





646



               result.confirm("finding tickets does not work", mgr.find(server_info(), cbs, plcy).empty());




1





647



            }),




1





648












649



      CHECK("remove is a NOOP",










650



            [&](auto& result) {




1





651



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





652



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





653












654



               result.test_is_eq("remove the ticket", mgr.remove(ticket1.value()), size_t(0));




1





655



               result.confirm("successful retrieval 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




1





656












657



               result.test_is_eq("remove the ticket", mgr.remove_all(), size_t(0));




1





658



               result.confirm("successful retrieval 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




2





659



            }),




1





660












661



      CHECK(










662



         "retrieval via ticket reconstructs the start_time stamp",










663



         [&](auto& result) {




1





664



            auto session_before = default_session(Botan::TLS::Connection_Side::Server, cbs);




1





665



            auto ticket = mgr.establish(session_before);




2





666



            result.require("got a ticket", ticket.has_value() && ticket->is_ticket());




1





667



            auto session_after = mgr.retrieve(ticket.value(), cbs, plcy);




1





668



            result.require("got the session back", session_after.has_value());




1





669












670



            result.test_is_eq(




1





671



               "timestamps match",










672



               std::chrono::duration_cast<std::chrono::seconds>(session_before.start_time().time_since_epoch()).count(),




2





673



               std::chrono::duration_cast<std::chrono::seconds>(session_after->start_time().time_since_epoch())




1





674



                  .count());




1





675



         }),




2





676



   };




11





677



}




4





678












679



std::vector<Test::Result> test_session_manager_hybrid() {




1





680



   auto rng = Test::new_shared_rng(__func__);




1





681












682



   auto creds = std::make_shared<Test_Credentials_Manager>();




1





683



   Session_Manager_Callbacks cbs;




1





684



   Session_Manager_Policy plcy;




1





685












686



   // Runs the passed-in hybrid manager test lambdas for all available stateful










687



   // managers. The `make_manager()` helper is passed into the test code and










688



   // transparently constructs a hybrid manager with the respective internal










689



   // stateful manager.










690



   auto CHECK_all = [&](const std::string& name, auto lambda) -> std::vector<Test::Result> {




4





691



      std::vector<std::pair<std::string, std::function<std::unique_ptr<Botan::TLS::Session_Manager>()>>> const










692



         stateful_manager_factories = {




9





693



            {"In Memory",










694



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




9





695



                return std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10);




6





696



             }},










697



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










698



            {"SQLite",










699



             [&rng]() -> std::




9





700



                         unique_ptr<Botan::TLS::Session_Manager> {










701



                            return std::make_unique<Botan::TLS::Session_Manager_SQLite>(










702



                               "secure_pw", rng, Test::temp_file_name("tls_session_manager_sqlite"), 10);




6





703



                         }},










704



   #endif










705



         };










706












707



      std::vector<Test::Result> results;




3





708



      using namespace std::placeholders;










709



      for(const auto& factory_and_name : stateful_manager_factories) {




15





710



         const auto& stateful_manager_name = factory_and_name.first;




6





711



         const auto& stateful_manager_factory = factory_and_name.second;




6





712



         auto make_manager = [stateful_manager_factory, &creds, &rng](bool prefer_tickets) {




42





713



            return Botan::TLS::Session_Manager_Hybrid(stateful_manager_factory(), creds, rng, prefer_tickets);




48





714



         };










715












716



         auto nm = Botan::fmt("{} ({})", name, stateful_manager_name);




6





717



         auto fn = std::bind(lambda, make_manager, _1);  // NOLINT(*-avoid-bind)




6





718



         results.push_back(CHECK(nm.c_str(), fn));




18





719



      }










720



      return results;




3





721



   };




7





722












723



   return Test::flatten_result_lists({




3





724



      CHECK_all("ticket vs ID preference in establishment",




1





725



                [&](const auto& make_manager, auto& result) {




2





726



                   auto mgr_prefers_tickets = make_manager(true);




2





727



                   auto ticket1 =




2





728



                      mgr_prefers_tickets.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





729



                   result.confirm("emits a ticket", ticket1.has_value() && ticket1->is_ticket());




2





730












731



                   auto mgr_prefers_ids = make_manager(false);




2





732



                   auto ticket2 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





733



                   result.confirm("emits an ID", ticket2.has_value() && ticket2->is_id());




2





734












735



                   auto ticket3 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs),




2





736



                                                            std::nullopt,










737



                                                            true /* TLS 1.2 no ticket support */);










738



                   result.confirm("emits an ID", ticket3.has_value() && ticket3->is_id());




2





739












740



                   auto ticket4 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs),




2





741



                                                            std::nullopt,










742



                                                            true /* TLS 1.2 no ticket support */);










743



                   result.confirm("emits an ID", ticket4.has_value() && ticket4->is_id());




2





744



                }),




8





745












746



      CHECK_all("ticket vs ID preference in retrieval",




1





747



                [&](const auto& make_manager, auto& result) {




2





748



                   auto mgr_prefers_tickets = make_manager(true);




2





749



                   auto mgr_prefers_ids = make_manager(false);




2





750












751



                   auto id1 = mgr_prefers_tickets.underlying_stateful_manager()->establish(




2





752



                      default_session(Botan::TLS::Connection_Side::Server, cbs));










753



                   auto id2 = mgr_prefers_ids.underlying_stateful_manager()->establish(




2





754



                      default_session(Botan::TLS::Connection_Side::Server, cbs));










755



                   auto ticket =




2





756



                      mgr_prefers_tickets.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





757












758



                   result.require("establishments worked", id1.has_value() && id2.has_value() && ticket.has_value());




2





759












760



                   result.confirm("mgr1 + ID1", mgr_prefers_tickets.retrieve(id1.value(), cbs, plcy).has_value());




2





761



                   result.confirm("mgr1 + ID2", !mgr_prefers_tickets.retrieve(id2.value(), cbs, plcy).has_value());




2





762



                   result.confirm("mgr2 + ID1", !mgr_prefers_ids.retrieve(id1.value(), cbs, plcy).has_value());




2





763



                   result.confirm("mgr2 + ID2", mgr_prefers_ids.retrieve(id2.value(), cbs, plcy).has_value());




2





764



                   result.confirm("mgr1 + ticket", mgr_prefers_tickets.retrieve(ticket.value(), cbs, plcy).has_value());




2





765



                   result.confirm("mgr2 + ticket", mgr_prefers_ids.retrieve(ticket.value(), cbs, plcy).has_value());




4





766



                }),




6





767












768



      CHECK_all("no session tickets if hybrid manager cannot create them",




1





769



                [&](const auto& make_manager, auto& result) {




2





770



                   Botan::TLS::Session_Manager_Hybrid empty_mgr(




8





771



                      std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10),




4





772



                      std::make_shared<Empty_Credentials_Manager>(),










773



                      rng);










774



                   auto mgr_prefers_tickets = make_manager(true);




2





775



                   auto mgr_prefers_ids = make_manager(false);




2





776












777



                   result.confirm("does not emit tickets", !empty_mgr.emits_session_tickets());




2





778



                   result.confirm("does emit tickets 1", mgr_prefers_tickets.emits_session_tickets());




2





779



                   result.confirm("does emit tickets 2", mgr_prefers_ids.emits_session_tickets());




2





780



                }),




2





781



   });




4





782



}




4





783












784



namespace {










785












786



class Temporary_Database_File {










787



   private:










788



      std::string m_temp_file;










789












790



   public:










791



      explicit Temporary_Database_File(const std::string& db_file) :




1





792



            m_temp_file(Test::data_file_as_temporary_copy(db_file)) {




1





793



         if(m_temp_file.empty()) {




1





794



            throw Test_Error("Failed to create temporary database file");




×







795



         }










796



      }




1





797












798



      ~Temporary_Database_File() {




1





799



   #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM) && defined(__cpp_lib_filesystem)










800



         if(!m_temp_file.empty()) {




1





801



            std::filesystem::remove(m_temp_file);




1





802



         }










803



   #endif










804



      }




1





805












806



      const std::string& get() const { return m_temp_file; }










807












808



      Temporary_Database_File(const Temporary_Database_File&) = delete;










809



      Temporary_Database_File& operator=(const Temporary_Database_File&) = delete;










810



      Temporary_Database_File(Temporary_Database_File&&) = delete;










811



      Temporary_Database_File& operator=(Temporary_Database_File&&) = delete;










812



};










813












814



}  // namespace










815












816



std::vector<Test::Result> test_session_manager_sqlite() {




1





817



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










818



   auto rng = Test::new_shared_rng(__func__);




1





819



   Session_Manager_Callbacks cbs;




1





820



   Session_Manager_Policy plcy;




1





821












822



   return {




1





823



      CHECK("migrate session database scheme (purges database)",










824



            [&](auto& result) {




1





825



               Temporary_Database_File const dbfile("tls-sessions/botan-2.19.3.sqlite");




1





826












827



               // legacy database (encrypted with 'thetruthisoutthere') containing:










828



               //    $ sqlite3 src/tests/data/tls-sessions/botan-2.19.3.sqlite  'SELECT * FROM tls_sessions;'










829



               //    63C136FAD49F05A184F910FD6568A3884164216C11E41CEBFDCD149AF66C1714|1673606906|cloudflare.com|443|...










830



               //    63C137030387E4A6CDAD303CCB1F53884944FDE5B4EDD91E6FCF74DCB033DCEB|1673606915|randombit.net|443|...










831



               Botan::TLS::Session_Manager_SQLite legacy_db("thetruthisoutthere", rng, dbfile.get());




1





832












833



               result.confirm("Session_ID for randombit.net is gone",




1





834



                              !legacy_db










835



                                  .retrieve(Botan::TLS::Session_ID(Botan::hex_decode(




2





836



                                               "63C137030387E4A6CDAD303CCB1F53884944FDE5B4EDD91E6FCF74DCB033DCEB")),










837



                                            cbs,










838



                                            plcy)










839



                                  .has_value());




3





840



               result.confirm("Session_ID for cloudflare.com is gone",




1





841



                              !legacy_db










842



                                  .retrieve(Botan::TLS::Session_ID(Botan::hex_decode(




2





843



                                               "63C136FAD49F05A184F910FD6568A3884164216C11E41CEBFDCD149AF66C1714")),










844



                                            cbs,










845



                                            plcy)










846



                                  .has_value());




3





847



               result.confirm("no more session for randombit.net",




2





848



                              legacy_db.find(Botan::TLS::Server_Information("randombit.net", 443), cbs, plcy).empty());




1





849



               result.confirm("no more session for cloudflare.com",




2





850



                              legacy_db.find(Botan::TLS::Server_Information("cloudflare.com", 443), cbs, plcy).empty());




1





851












852



               result.test_is_eq("empty database won't get more empty", legacy_db.remove_all(), size_t(0));




1





853



            }),




1





854












855



      CHECK("clearing empty database",










856



            [&](auto& result) {




1





857



               Botan::TLS::Session_Manager_SQLite mgr("thetruthisoutthere", rng, Test::temp_file_name("empty.sqlite"));




1





858



               result.test_eq("does not delete anything", mgr.remove_all(), 0);




1





859



            }),




1





860












861



      CHECK("establish new session",










862



            [&](auto& result) {




1





863



               Botan::TLS::Session_Manager_SQLite mgr(




1





864



                  "thetruthisoutthere", rng, Test::temp_file_name("new_session.sqlite"));




1





865



               auto some_random_id = random_id(*rng);




1





866



               auto some_random_handle =




1





867



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), some_random_id);










868



               result.require("establishment was successful", some_random_handle.has_value());




1





869



               result.require("session id was set", some_random_handle->id().has_value());




1





870



               result.test_is_eq("session id is correct", some_random_handle->id().value(), some_random_id);




2





871












872



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





873



               result.require("establishment was successful", some_virtual_handle.has_value());




1





874



               result.require("session id was set", some_virtual_handle->id().has_value());




1





875



            }),




3





876












877



      CHECK("retrieve session by ID",










878



            [&](auto& result) {




1





879



               Botan::TLS::Session_Manager_SQLite mgr(




1





880



                  "thetruthisoutthere", rng, Test::temp_file_name("retrieve_by_id.sqlite"));




1





881



               auto some_random_id = random_id(*rng);




1





882



               auto some_random_handle =




1





883



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), some_random_id);










884



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





885












886



               result.require("establishment was successful",




1





887



                              some_random_handle->is_id() && some_virtual_handle->is_id());




1





888












889



               auto session1 = mgr.retrieve(some_random_handle.value(), cbs, plcy);




1





890



               if(result.confirm("found session by user-provided ID", session1.has_value())) {




1





891



                  result.test_is_eq("protocol version was echoed",




1





892



                                    session1->version(),




1





893



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





894



                  result.test_is_eq("ciphersuite was echoed", session1->ciphersuite_code(), uint16_t(0x009C));




1





895



               }










896












897



               auto session2 = mgr.retrieve(some_virtual_handle.value(), cbs, plcy);




1





898



               if(result.confirm("found session by manager-generated ID", session2.has_value())) {




1





899



                  result.test_is_eq("protocol version was echoed",




1





900



                                    session2->version(),




1





901



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





902



                  result.test_is_eq("ciphersuite was echoed", session2->ciphersuite_code(), uint16_t(0x009C));




1





903



               }










904












905



               auto session3 = mgr.retrieve(random_id(*rng), cbs, plcy);




2





906



               result.confirm("random ID creates empty result", !session3.has_value());




1





907



            }),




6





908












909



      CHECK("retrieval via ticket creates empty result",










910



            [&](auto& result) {




1





911



               Botan::TLS::Session_Manager_SQLite mgr(




1





912



                  "thetruthisoutthere", rng, Test::temp_file_name("retrieve_by_ticket.sqlite"));




1





913



               auto some_random_handle =




1





914



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng));




1





915



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





916












917



               result.confirm("std::nullopt on random ticket",




1





918



                              !mgr.retrieve(random_ticket(*rng), cbs, plcy).has_value());




3





919



            }),




2





920












921



      CHECK("storing sessions and finding them by server info",










922



            [&](auto& result) {




1





923



               Botan::TLS::Session_Manager_SQLite mgr(




1





924



                  "thetruthisoutthere", rng, Test::temp_file_name("store_and_find.sqlite"));




1





925



               auto id = random_id(*rng);




1





926



               auto ticket = random_ticket(*rng);




1





927



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), id);




2





928



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




2





929












930



               auto found_sessions = mgr.find(server_info(), cbs, plcy);




1





931



               if(result.test_is_eq("found both sessions", found_sessions.size(), size_t(2))) {




1





932



                  for(const auto& [session, handle] : found_sessions) {




3





933



                     result.confirm("ID matches", !handle.is_id() || handle.id().value() == id);




3





934



                     result.confirm("ticket matches", !handle.is_ticket() || handle.ticket().value() == ticket);




3





935



                  }










936



               }










937



            }),




3





938












939



      CHECK("removing sessions",










940



            [&](auto& result) {




1





941



               Botan::TLS::Session_Manager_SQLite mgr("thetruthisoutthere", rng, Test::temp_file_name("remove.sqlite"));




1





942



               auto id = random_id(*rng);




1





943



               auto ticket = random_ticket(*rng);




1





944



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), id);




2





945



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




2





946



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_id(*rng));




2





947



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_ticket(*rng));




2





948












949



               result.test_is_eq("deletes one session by ID", mgr.remove(id), size_t(1));




3





950



               result.test_is_eq("deletes one session by ticket", mgr.remove(ticket), size_t(1));




3





951












952



               auto found_sessions = mgr.find(server_info(), cbs, plcy);




1





953



               if(result.test_is_eq("found some other sessions", found_sessions.size(), size_t(2))) {




1





954



                  for(const auto& [session, handle] : found_sessions) {




3





955



                     result.confirm("ID does not match", !handle.is_id() || handle.id().value() != id);




4





956



                     result.confirm("ticket does not match", !handle.is_ticket() || handle.ticket().value() != ticket);




4





957



                  }










958



               }










959












960



               result.test_is_eq("removing the rest of the sessions", mgr.remove_all(), size_t(2));




1





961



            }),




3





962












963



      CHECK("old sessions are purged when needed",










964



            [&](auto& result) {




1





965



               Botan::TLS::Session_Manager_SQLite mgr(




1





966



                  "thetruthisoutthere", rng, Test::temp_file_name("purging.sqlite"), 1);




1





967












968



               std::vector<Botan::TLS::Session_ID> ids = {random_id(*rng), random_id(*rng), random_id(*rng)};




5





969



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[0]);




2





970



               result.require("new ID exists", mgr.retrieve(ids[0], cbs, plcy).has_value());




4





971












972



               // Session timestamps are saved with second-resolution. If more than










973



               // one session has the same (coarse) timestamp it is undefined which










974



               // will be purged first. The clock tick ensures that session's










975



               // timestamps are unique.










976



               cbs.tick();




1





977



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[1]);




2





978



               result.require("first ID is gone", !mgr.retrieve(ids[0], cbs, plcy).has_value());




3





979



               result.require("new ID exists", mgr.retrieve(ids[1], cbs, plcy).has_value());




4





980












981



               cbs.tick();




1





982



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[2]);




2





983



               result.require("second ID is gone", !mgr.retrieve(ids[1], cbs, plcy).has_value());




3





984



               result.require("new ID exists", mgr.retrieve(ids[2], cbs, plcy).has_value());




4





985












986



               result.test_is_eq("only one entry exists", mgr.remove_all(), size_t(1));




1





987



            }),




2





988












989



      CHECK("session purging can be disabled",










990



            [&](auto& result) {




1





991



               Botan::TLS::Session_Manager_SQLite mgr(




1





992



                  "thetruthisoutthere", rng, Test::temp_file_name("purging.sqlite"), 0 /* no pruning! */);




1





993












994



               for(size_t i = 0; i < 25; ++i) {




26





995



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng));




50





996



               }










997












998



               result.test_is_eq("no entries were purged along the way", mgr.remove_all(), size_t(25));




1





999



            }),




1





1000



   };




10





1001



   #else










1002



   return {};










1003



   #endif










1004



}




3





1005












1006



std::vector<Test::Result> tls_session_manager_expiry() {




1





1007



   auto rng = Test::new_shared_rng(__func__);




1





1008



   Session_Manager_Callbacks cbs;




1





1009



   Session_Manager_Policy plcy;




1





1010












1011



   auto CHECK_all = [&](const std::string& name, auto lambda) -> std::vector<Test::Result> {




6





1012



      const std::vector<std::pair<std::string, std::function<std::unique_ptr<Botan::TLS::Session_Manager>()>>>










1013



         stateful_manager_factories = {




20





1014



            {"In Memory",










1015



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




10





1016



                return std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10);




5





1017



             }},










1018



            {"Stateless",










1019



             [&]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




7





1020



                return std::make_unique<Botan::TLS::Session_Manager_Stateless>(










1021



                   std::make_shared<Test_Credentials_Manager>(), rng);




2





1022



             }},










1023



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










1024



            {"SQLite",










1025



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




10





1026



                return std::make_unique<Botan::TLS::Session_Manager_SQLite>(










1027



                   "secure_pw", rng, Test::temp_file_name("tls_session_manager_sqlite"), 10);




5





1028



             }},










1029



   #endif










1030



         };










1031












1032



      std::vector<Test::Result> results;




5





1033



      results.reserve(stateful_manager_factories.size());




5





1034



      using namespace std::placeholders;










1035



      for(const auto& [sub_name, factory] : stateful_manager_factories) {




20





1036



         auto nm = Botan::fmt("{} ({})", name, sub_name);




15





1037



         auto fn = std::bind(lambda, sub_name, factory, _1);  // NOLINT(*-avoid-bind)




15





1038



         results.push_back(CHECK(nm.c_str(), fn));




30





1039



      }










1040



      return results;




5





1041



   };




11





1042












1043



   return Test::flatten_result_lists({




5





1044



      CHECK_all("sessions expire",




1





1045



                [&](const auto&, const auto& factory, auto& result) {




3





1046



                   auto mgr = factory();




3





1047












1048



                   auto handle = mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




3





1049



                   result.require("saved successfully", handle.has_value());




3





1050



                   result.require("session was found", mgr->retrieve(handle.value(), cbs, plcy).has_value());




3





1051



                   cbs.tick();




3





1052



                   result.confirm("session has expired", !mgr->retrieve(handle.value(), cbs, plcy).has_value());




3





1053



                   result.test_is_eq("session was deleted when it expired", mgr->remove_all(), size_t(0));




3





1054



                }),




6





1055












1056



         CHECK_all("expired sessions are not found",




1





1057



                   [&](const std::string& type, const auto& factory, auto& result) {




3





1058



                      if(type == "Stateless") {




3





1059



                         return;  // this manager can neither store nor find anything




1





1060



                      }










1061












1062



                      auto mgr = factory();




2





1063












1064



                      auto handle_old = random_id(*rng);




2





1065



                      mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), handle_old);




6





1066



                      result.require("session was found", mgr->retrieve(handle_old, cbs, plcy).has_value());




8





1067












1068



                      cbs.tick();




2





1069



                      auto handle_new = random_id(*rng);




2





1070



                      mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), handle_new);




6





1071



                      result.require("session was found", mgr->retrieve(handle_new, cbs, plcy).has_value());




8





1072












1073



                      auto sessions_and_handles = mgr->find(server_info(), cbs, plcy);




2





1074



                      result.require("sessions are found", !sessions_and_handles.empty());




2





1075



                      result.test_is_eq("exactly one session is found", sessions_and_handles.size(), size_t(1));




2





1076



                      result.test_is_eq(




2





1077



                         "the new session is found", sessions_and_handles.front().handle.id().value(), handle_new);




4





1078












1079



                      result.test_is_eq("old session was deleted when it expired", mgr->remove_all(), size_t(1));




2





1080



                   }),




8





1081












1082



         CHECK_all(




1





1083



            "session tickets are not reused",










1084



            [&](const std::string& type, const auto& factory, auto& result) {




3





1085



               if(type == "Stateless") {




3





1086



                  return;  // this manager can neither store nor find anything




1





1087



               }










1088












1089



               auto mgr = factory();




2





1090












1091



               auto handle_1 = random_id(*rng);




2





1092



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V12),




6





1093



                          handle_1);










1094



               auto handle_2 = random_ticket(*rng);




2





1095



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V12),




6





1096



                          handle_2);










1097












1098



   #if defined(BOTAN_HAS_TLS_13)










1099



               auto handle_3 = random_id(*rng);




2





1100



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V13),




6





1101



                          handle_3);










1102



               auto handle_4 = random_ticket(*rng);




2





1103



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V13),




6





1104



                          handle_4);










1105



   #endif










1106












1107



               plcy.set_allow_session_reuse(false);




2





1108












1109



               auto sessions_and_handles1 = mgr->find(server_info(), cbs, plcy);




2





1110



               result.require("all sessions are found", sessions_and_handles1.size() > 1);




2





1111












1112



               auto sessions_and_handles2 = mgr->find(server_info(), cbs, plcy);




2





1113



               result.test_is_eq("only one session is found", sessions_and_handles2.size(), size_t(1));




2





1114



               result.confirm("found session is the Session_ID", sessions_and_handles2.front().handle.is_id());




2





1115



               result.test_is_eq(




2





1116



                  "found session is the Session_ID", sessions_and_handles2.front().handle.id().value(), handle_1);




6





1117



               result.confirm("found session is TLS 1.2",




2





1118



                              sessions_and_handles2.front().session.version().is_pre_tls_13());




2





1119



            }),




12





1120












1121



         CHECK_all("number of found tickets is capped",




1





1122



                   [&](const std::string& type, const auto& factory, auto& result) {




3





1123



                      if(type == "Stateless") {




3





1124



                         return;  // this manager can neither store nor find anything




1





1125



                      }










1126












1127



                      auto mgr = factory();




2





1128












1129



                      std::array<Botan::TLS::Session_Ticket, 5> tickets;




2





1130



                      for(auto& ticket : tickets) {




12





1131



                         ticket = random_ticket(*rng);




10





1132



                         mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




30





1133



                      }










1134












1135



                      plcy.set_allow_session_reuse(true);




2





1136












1137



                      plcy.set_session_limit(1);




2





1138



                      result.test_is_eq("find one",




2





1139



                                        mgr->find(server_info(), cbs, plcy).size(),




2





1140



                                        plcy.maximum_session_tickets_per_client_hello());




2





1141












1142



                      plcy.set_session_limit(3);




2





1143



                      result.test_is_eq("find three",




2





1144



                                        mgr->find(server_info(), cbs, plcy).size(),




2





1145



                                        plcy.maximum_session_tickets_per_client_hello());




2





1146












1147



                      plcy.set_session_limit(10);




2





1148



                      result.test_is_eq("find all five", mgr->find(server_info(), cbs, plcy).size(), size_t(5));




2





1149



                   }),




4





1150












1151



   #if defined(BOTAN_HAS_TLS_13)










1152



         CHECK_all("expired tickets are not selected for PSK resumption",




1





1153



                   [&](const auto&, const auto& factory, auto& result) {




3





1154



                      auto ticket = [&](const Botan::TLS::Session_Handle& handle) {




12





1155



                         return Botan::TLS::PskIdentity(handle.opaque_handle().get(), 0);




12





1156



                      };










1157












1158



                      auto mgr = factory();




3





1159












1160



                      auto old_handle = mgr->establish(




3





1161



                         default_session(Botan::TLS::Connection_Side::Server, cbs, Botan::TLS::Version_Code::TLS_V13));










1162



                      cbs.tick();




3





1163



                      auto new_handle = mgr->establish(




3





1164



                         default_session(Botan::TLS::Connection_Side::Server, cbs, Botan::TLS::Version_Code::TLS_V13));










1165



                      result.require("both sessions are stored", old_handle.has_value() && new_handle.has_value());




3





1166












1167



                      auto session_and_index = mgr->choose_from_offered_tickets(




12





1168



                         std::vector{ticket(old_handle.value()), ticket(new_handle.value())}, "SHA-256", cbs, plcy);




6





1169



                      result.require("a ticket was chosen", session_and_index.has_value());




3





1170



                      result.test_is_eq("the new ticket was chosen", session_and_index->second, uint16_t(1));




3





1171












1172



                      cbs.tick();




3





1173












1174



                      auto nothing = mgr->choose_from_offered_tickets(




12





1175



                         std::vector{ticket(new_handle.value()), ticket(old_handle.value())}, "SHA-256", cbs, plcy);




6





1176



                      result.require("all tickets are expired", !nothing.has_value());




3





1177



                   }),




33





1178



   #endif










1179



   });




6





1180



}




3





1181












1182



}  // namespace










1183












1184



BOTAN_REGISTER_TEST_FN("tls",










1185



                       "tls_session_manager",










1186



                       test_session_manager_in_memory,










1187



                       test_session_manager_choose_ticket,










1188



                       test_session_manager_stateless,










1189



                       test_session_manager_hybrid,










1190



                       test_session_manager_sqlite,










1191



                       tls_session_manager_expiry);










1192












1193



}  // namespace Botan_Tests










1194












1195



#endif  // BOTAN_HAS_TLS
























    

  • 

    •