randombit / botan / 22020292790

coverage: 90.067% (+0.008%) from 90.059%
22020292790

push

github

web-flow 
Merge pull request #5330 from randombit/jack/tests-no-assert

Avoid including assert.h into tests.h

102241 of 113517 relevant lines covered (90.07%)

11570076.55 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

98.97
/src/tests/test_tls_session_manager.cpp
1 
/*
2 
* (C) 2022 Jack Lloyd
3 
* (C) 2022 René Meusel - Rohde & Schwarz Cybersecurity
4 
*
5 
* Botan is released under the Simplified BSD License (see license.txt)
6 
*/
7 









8



#include "tests.h"










9












10



#if defined(BOTAN_HAS_TLS)










11












12



   #include <botan/assert.h>










13



   #include <botan/credentials_manager.h>










14



   #include <botan/hex.h>










15



   #include <botan/rng.h>










16



   #include <botan/tls_callbacks.h>










17



   #include <botan/tls_policy.h>










18



   #include <botan/tls_session_manager_hybrid.h>










19



   #include <botan/tls_session_manager_memory.h>










20



   #include <botan/tls_session_manager_stateless.h>










21



   #include <botan/internal/fmt.h>










22



   #include <array>










23



   #include <chrono>










24












25



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










26



      #include <botan/tls_session_manager_sqlite.h>










27



   #endif










28












29



   #if defined(BOTAN_HAS_TLS_13)










30



      #include <botan/tls_psk_identity_13.h>










31



   #endif










32












33



   #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM)










34



      #include <version>










35



      #if defined(__cpp_lib_filesystem)










36



         #include <filesystem>










37



      #endif










38



   #endif










39












40



// This file contains a number of `Botan::TLS::Version_Code::TLS_V**` protocol










41



// version specifications. This is to work around a compiler bug in GCC 11.3










42



// where `Botan::TLS::Protocol_Version::TLS_V12` would lead to an "Internal










43



// Compiler Error" when used in the affected context.










44



//










45



// TODO: remove the workaround once GCC 11 is not supported anymore.










46












47



namespace Botan_Tests {










48












49



class Test_Credentials_Manager : public Botan::Credentials_Manager {




7





50



   public:










51



      Botan::secure_vector<uint8_t> session_ticket_key() override {




55





52



         return Botan::hex_decode_locked("DEADFACECAFEBAAD");




55





53



      }










54



};










55












56



class Other_Test_Credentials_Manager : public Botan::Credentials_Manager {




1





57



   public:










58



      Botan::secure_vector<uint8_t> session_ticket_key() override {




1





59



         return Botan::hex_decode_locked("CAFEBAADFACEBABE");




1





60



      }










61



};










62












63



class Empty_Credentials_Manager : public Botan::Credentials_Manager {};




4





64












65



class Session_Manager_Callbacks : public Botan::TLS::Callbacks {




3





66



   public:










67



      void tls_emit_data(std::span<const uint8_t> /*data*/) override { BOTAN_ASSERT_NOMSG(false); }




×







68












69



      void tls_record_received(uint64_t /*record*/, std::span<const uint8_t> /*data*/) override {




×







70



         BOTAN_ASSERT_NOMSG(false);




×







71



      }










72












73



      void tls_alert(Botan::TLS::Alert /*alert*/) override { BOTAN_ASSERT_NOMSG(false); }




×







74












75



      void tls_session_established(const Botan::TLS::Session_Summary& /*summary*/) override {




×







76



         BOTAN_ASSERT_NOMSG(false);




×







77



      }










78












79



      std::chrono::system_clock::time_point tls_current_timestamp() override {




225





80



         return std::chrono::system_clock::now() + std::chrono::hours(m_ticks);




225





81



      }










82












83



      void tick() { ++m_ticks; }




13





84












85



   private:










86



      uint64_t m_ticks = 0;










87



};










88












89



class Session_Manager_Policy : public Botan::TLS::Policy {




6





90



   public:










91



      std::chrono::seconds session_ticket_lifetime() const override { return std::chrono::minutes(30); }




198





92












93



      bool reuse_session_tickets() const override { return m_allow_session_reuse; }




27





94












95



      size_t maximum_session_tickets_per_client_hello() const override { return m_session_limit; }




58





96












97



      void set_session_limit(size_t l) { m_session_limit = l; }




6





98












99



      void set_allow_session_reuse(bool b) { m_allow_session_reuse = b; }




4





100












101



   private:










102



      size_t m_session_limit = 1000;  // basically 'no limit'










103



      bool m_allow_session_reuse = true;










104



};










105












106



namespace {










107












108



decltype(auto) random_id(Botan::RandomNumberGenerator& rng) {




60





109



   return rng.random_vec<Botan::TLS::Session_ID>(32);




58





110



}










111












112



decltype(auto) random_ticket(Botan::RandomNumberGenerator& rng) {




29





113



   return rng.random_vec<Botan::TLS::Session_Ticket>(32);




27





114



}










115












116



decltype(auto) random_opaque_handle(Botan::RandomNumberGenerator& rng) {




1





117



   return rng.random_vec<Botan::TLS::Opaque_Session_Handle>(32);




1





118



}










119












120



const Botan::TLS::Server_Information& server_info() {




151





121



   static const Botan::TLS::Server_Information si("botan.randombit.net");




151





122



   return si;




151





123



}










124












125



decltype(auto) default_session(Botan::TLS::Connection_Side side,




118





126



                               Botan::TLS::Callbacks& cbs,










127



                               Botan::TLS::Protocol_Version version = Botan::TLS::Protocol_Version::TLS_V12) {










128



   if(version.is_pre_tls_13()) {




118





129



      return Botan::TLS::Session(




108





130



         {}, version, 0x009C, side, true, true, {}, server_info(), 0, cbs.tls_current_timestamp());




216





131



   } else {










132



   #if defined(BOTAN_HAS_TLS_13)










133



      return Botan::TLS::Session({},




10





134



                                 std::nullopt,










135



                                 0,










136



                                 std::chrono::seconds(1024),




10





137



                                 Botan::TLS::Protocol_Version::TLS_V13,










138



                                 Botan::TLS::Ciphersuite::from_name("AES_128_GCM_SHA256")->ciphersuite_code(),




10





139



                                 side,










140



                                 {},










141



                                 nullptr,










142



                                 server_info(),










143



                                 cbs.tls_current_timestamp());




20





144



   #else










145



      throw Test_Error("TLS 1.3 is not available in this build");










146



   #endif










147



   }










148



}










149












150



using namespace std::literals;










151












152



std::vector<Test::Result> test_session_manager_in_memory() {




1





153



   auto rng = Test::new_shared_rng(__func__);




1





154












155



   const Botan::TLS::Session_ID default_id = random_id(*rng);




1





156












157



   std::optional<Botan::TLS::Session_Manager_In_Memory> mgr;




1





158












159



   Session_Manager_Callbacks cbs;




1





160



   Session_Manager_Policy plcy;




1





161












162



   return {




1





163



      CHECK("creation", [&](auto&) { mgr.emplace(rng, 5); }),




1





164












165



      CHECK("empty cache does not obtain anything",










166



            [&](auto& result) {




1





167



               result.confirm("no session found via server info", mgr->find(server_info(), cbs, plcy).empty());




1





168












169



               const Botan::TLS::Session_ID mock_id = random_id(*rng);




1





170



               auto mock_ticket = rng->random_vec<Botan::TLS::Session_Ticket>(128);




1





171












172



               result.confirm("no session found via ID", !mgr->retrieve(mock_id, cbs, plcy));




3





173



               result.confirm("no session found via ID", !mgr->retrieve(mock_ticket, cbs, plcy));




3





174



            }),




2





175












176



      CHECK("clearing empty cache",










177



            [&](auto& result) { result.test_sz_eq("does not delete anything", mgr->remove_all(), 0); }),




1





178












179



      CHECK("establish new session",










180



            [&](auto& result) {




1





181



               auto handle = mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), default_id);




1





182



               if(result.confirm("establishment was successful", handle.has_value())) {




1





183



                  result.require("session id was set", handle->id().has_value());




1





184



                  result.confirm("session ticket was empty", !handle->ticket().has_value());




1





185



                  result.test_is_eq("session id is correct", handle->id().value(), default_id);




2





186



               }










187



            }),




1





188












189



      CHECK("obtain session from server info",










190



            [&](auto& result) {




1





191



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





192



               if(result.confirm("session was found successfully", sessions.size() == 1)) {




1





193



                  result.test_is_eq("protocol version was echoed",




1





194



                                    sessions[0].session.version(),




1





195



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





196



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





197



                  result.test_is_eq("ID was echoed", sessions[0].handle.id().value(), default_id);




2





198



                  result.confirm("not a ticket", !sessions[0].handle.ticket().has_value());




1





199



               }










200



            }),




1





201












202



      CHECK("obtain session from ID",










203



            [&](auto& result) {




1





204



               auto session = mgr->retrieve(default_id, cbs, plcy);




2





205



               if(result.confirm("session was found successfully", session.has_value())) {




1





206



                  result.test_is_eq("protocol version was echoed",




1





207



                                    session->version(),




1





208



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





209



                  result.test_is_eq("ciphersuite was echoed", session->ciphersuite_code(), uint16_t(0x009C));




1





210



               }










211



            }),




1





212












213



      CHECK("obtain session from ID disguised as opaque handle",










214



            [&](auto& result) {




1





215



               auto session = mgr->retrieve(Botan::TLS::Opaque_Session_Handle(default_id), cbs, plcy);




2





216



               if(result.confirm("session was found successfully", session.has_value())) {




1





217



                  result.test_is_eq("protocol version was echoed",




1





218



                                    session->version(),




1





219



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





220



                  result.test_is_eq("ciphersuite was echoed", session->ciphersuite_code(), uint16_t(0x009C));




1





221



               }










222



            }),




1





223












224



      CHECK("obtain session from ticket == id does not work",










225



            [&](auto& result) {




1





226



               auto session = mgr->retrieve(Botan::TLS::Session_Ticket(default_id), cbs, plcy);




2





227



               result.confirm("session was not found", !session.has_value());




1





228



            }),




1





229












230



      CHECK("invalid ticket causes std::nullopt",










231



            [&](auto& result) {




1





232



               auto no_session = mgr->retrieve(random_ticket(*rng), cbs, plcy);




2





233



               result.confirm("std::nullopt on bogus ticket", !no_session.has_value());




1





234



            }),




1





235












236



      CHECK("invalid ID causes std::nullopt",










237



            [&](auto& result) {




1





238



               auto no_session = mgr->retrieve(random_id(*rng), cbs, plcy);




2





239



               result.confirm("std::nullopt on bogus ID", !no_session.has_value());




1





240



            }),




1





241












242



      CHECK("remove_all",










243



            [&](auto& result) {




1





244



               result.test_sz_eq("removed one element", mgr->remove_all(), 1);




1





245



               result.test_sz_eq("should be empty now", mgr->remove_all(), 0);




1





246



            }),




1





247












248



      CHECK("add session with ID",










249



            [&](auto& result) {




1





250



               const Botan::TLS::Session_ID new_id = random_id(*rng);




1





251












252



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), new_id);




3





253



               result.require("obtain via ID", mgr->retrieve(new_id, cbs, plcy).has_value());




4





254












255



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





256



               if(result.confirm("found via server info", sessions.size() == 1)) {




1





257



                  result.test_is_eq("protocol version was echoed",




1





258



                                    sessions[0].session.version(),




1





259



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





260



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





261



                  result.test_is_eq("ID was echoed", sessions[0].handle.id().value(), new_id);




2





262



                  result.confirm("ticket was not stored", !sessions[0].handle.ticket().has_value());




1





263



               }










264












265



               mgr->remove_all();




1





266



            }),




2





267












268



      CHECK("add session with ticket",










269



            [&](auto& result) {




1





270



               const Botan::TLS::Session_Ticket new_ticket = random_ticket(*rng);




1





271












272



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), new_ticket);




3





273



               // cannot be obtained by (non-existent) ID or randomly generated ticket










274












275



               auto sessions = mgr->find(server_info(), cbs, plcy);




1





276



               if(result.confirm("found via server info", sessions.size() == 1)) {




1





277



                  result.test_is_eq("protocol version was echoed",




1





278



                                    sessions[0].session.version(),




1





279



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





280



                  result.test_is_eq("ciphersuite was echoed", sessions[0].session.ciphersuite_code(), uint16_t(0x009C));




1





281



                  result.confirm("ID was not stored", !sessions[0].handle.id().has_value());




1





282



                  result.test_is_eq("ticket was echoed", sessions[0].handle.ticket().value(), new_ticket);




2





283



               }










284












285



               mgr->remove_all();




1





286



            }),




2





287












288



      CHECK("removing by ID or opaque handle",










289



            [&](auto& result) {




1





290



               Botan::TLS::Session_Manager_In_Memory local_mgr(rng);




1





291












292



               const auto new_session1 =




1





293



                  local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), default_id);










294



               const auto new_session2 = local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





295



               result.require(




1





296



                  "saving worked",










297



                  new_session1.has_value() && new_session1->id().has_value() && !new_session1->ticket().has_value());




4





298



               result.require(




1





299



                  "saving worked",










300



                  new_session2.has_value() && new_session2->id().has_value() && !new_session2->ticket().has_value());




4





301












302



               result.test_sz_eq("can find via server info", local_mgr.find(server_info(), cbs, plcy).size(), 2);




1





303












304



               result.test_sz_eq("one was deleted", local_mgr.remove(default_id), 1);




3





305



               result.confirm("cannot obtain via default ID anymore",




1





306



                              !local_mgr.retrieve(default_id, cbs, plcy).has_value());




4





307



               result.test_sz_eq("can find less via server info", local_mgr.find(server_info(), cbs, plcy).size(), 1);




1





308












309



               result.test_sz_eq("last one was deleted",




2





310



                                 local_mgr.remove(Botan::TLS::Opaque_Session_Handle(new_session2->id().value())),




3





311



                                 1);










312



               result.confirm("cannot obtain via ID anymore",




1





313



                              !local_mgr.retrieve(new_session2->id().value(), cbs, plcy).has_value());




4





314



               result.confirm("cannot find via server info", local_mgr.find(server_info(), cbs, plcy).empty());




1





315



            }),




2





316












317



      CHECK("removing by ticket or opaque handle",










318



            [&](auto& result) {




1





319



               Botan::TLS::Session_Manager_In_Memory local_mgr(rng);




1





320












321



               const Botan::TLS::Session_Ticket ticket1 = random_ticket(*rng);




1





322



               const Botan::TLS::Session_Ticket ticket2 = random_ticket(*rng);




1





323



               Botan::TLS::Session_Ticket ticket3 = random_ticket(*rng);




1





324












325



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket1);




2





326



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket2);




2





327



               local_mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket3);




2





328



               result.test_sz_eq("can find them via server info ", local_mgr.find(server_info(), cbs, plcy).size(), 3);




1





329












330



               result.test_sz_eq("remove one session by ticket", local_mgr.remove(ticket2), 1);




2





331



               result.test_sz_eq("can find two via server info", local_mgr.find(server_info(), cbs, plcy).size(), 2);




1





332












333



               result.test_sz_eq("remove one session by opaque handle",




2





334



                                 local_mgr.remove(Botan::TLS::Opaque_Session_Handle(ticket3.get())),




2





335



                                 1);










336



               result.test_sz_eq(




1





337



                  "can find only one via server info", local_mgr.find(server_info(), cbs, plcy).size(), 1);










338



            }),




3





339












340



      CHECK(










341



         "session purging",










342



         [&](auto& result) {




1





343



            result.require("max sessions is 5", mgr->capacity() == 5);




1





344












345



            // fill the Session_Manager up fully










346



            std::vector<Botan::TLS::Session_Handle> handles;




1





347



            handles.reserve(mgr->capacity());




1





348



            for(size_t i = 0; i < mgr->capacity(); ++i) {




6





349



               handles.push_back(




5





350



                  mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




15





351



            }










352












353



            for(const auto& handle : handles) {




6





354



               result.confirm("session still there", mgr->retrieve(handle, cbs, plcy).has_value());




10





355



            }










356












357



            // add one more session (causing a first purge to happen)










358



            handles.push_back(




1





359



               mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




3





360












361



            result.confirm("oldest session gone", !mgr->retrieve(handles[0], cbs, plcy).has_value());




1





362



            for(size_t i = 1; i < handles.size(); ++i) {




6





363



               result.confirm("session still there", mgr->retrieve(handles[i], cbs, plcy).has_value());




10





364



            }










365












366



            // remove a session to cause a 'gap' in the FIFO










367



            mgr->remove(handles[4]);




1





368



            result.confirm("oldest session gone", !mgr->retrieve(handles[0], cbs, plcy).has_value());




1





369



            result.confirm("deleted session gone", !mgr->retrieve(handles[4], cbs, plcy).has_value());




1





370



            for(size_t i = 1; i < handles.size(); ++i) {




6





371



               result.confirm("session still there", i == 4 || mgr->retrieve(handles[i], cbs, plcy).has_value());




9





372



            }










373












374



            // insert enough new sessions to fully purge the ones currently held










375



            for(size_t i = 0; i < mgr->capacity(); ++i) {




6





376



               handles.push_back(




5





377



                  mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng)).value());




15





378



            }










379












380



            for(size_t i = 0; i < handles.size() - mgr->capacity(); ++i) {




7





381



               result.confirm("session gone", !mgr->retrieve(handles[i], cbs, plcy).has_value());




6





382



            }










383












384



            for(size_t i = handles.size() - mgr->capacity(); i < handles.size(); ++i) {




6





385



               result.confirm("session still there", mgr->retrieve(handles[i], cbs, plcy).has_value());




10





386



            }










387












388



            // clear it all out










389



            result.test_sz_eq("rest of the sessions removed", mgr->remove_all(), size_t(5));




1





390



         }),




1





391



   };




17





392



}




5





393












394



std::vector<Test::Result> test_session_manager_choose_ticket() {




1





395



   #if defined(BOTAN_HAS_TLS_13)










396



   Session_Manager_Callbacks cbs;




1





397



   Session_Manager_Policy plcy;




1





398












399



   auto rng = Test::new_shared_rng(__func__);




1





400












401



   auto default_session = [&](const std::string& suite,




9





402



                              Botan::TLS::Callbacks& mycbs,










403



                              Botan::TLS::Protocol_Version version = Botan::TLS::Protocol_Version::TLS_V13) {










404



      return (version.is_pre_tls_13())




8





405



                ? Botan::TLS::Session({},




8





406



                                      version,










407



                                      Botan::TLS::Ciphersuite::from_name(suite)->ciphersuite_code(),




1





408



                                      Botan::TLS::Connection_Side::Server,










409



                                      true,










410



                                      true,










411



                                      {},










412



                                      server_info(),










413



                                      0,










414



                                      mycbs.tls_current_timestamp())




1





415



                : Botan::TLS::Session({},










416



                                      std::nullopt,










417



                                      0,










418



                                      std::chrono::seconds(1024),




7





419



                                      version,










420



                                      Botan::TLS::Ciphersuite::from_name(suite)->ciphersuite_code(),




7





421



                                      Botan::TLS::Connection_Side::Server,










422



                                      {},










423



                                      nullptr,










424



                                      server_info(),










425



                                      mycbs.tls_current_timestamp());




23





426



   };










427












428



   auto ticket = [&](std::span<const uint8_t> identity) {




16





429



      return Botan::TLS::PskIdentity(std::vector(identity.begin(), identity.end()), 0);




15





430



   };










431












432



   return {




1





433



      CHECK("empty manager has nothing to choose from",










434



            [&](auto& result) {




1





435



               Botan::TLS::Session_Manager_In_Memory mgr(rng);




1





436












437



               Botan::TLS::Session_Ticket random_session_ticket = random_ticket(*rng);




1





438












439



               result.confirm("empty ticket list, no session",




1





440



                              !mgr.choose_from_offered_tickets({}, "SHA-256", cbs, plcy).has_value());




2





441



               result.confirm(




1





442



                  "empty session manager, no session",










443



                  !mgr.choose_from_offered_tickets(std::vector{ticket(random_session_ticket)}, "SHA-256", cbs, plcy)




3





444



                      .has_value());




3





445



            }),




3





446












447



      CHECK("choose ticket by ID",










448



            [&](auto& result) {




1





449



               Botan::TLS::Session_Manager_In_Memory mgr(rng);




1





450



               std::vector<Botan::TLS::Session_Handle> handles;




1





451












452



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





453



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





454












455



               // choose from a list of tickets that contains only handles[0]










456



               auto session1 =




2





457



                  mgr.choose_from_offered_tickets(std::vector{ticket(handles[0].id().value())}, "SHA-256", cbs, plcy);




3





458



               result.require("ticket was chosen and produced a session (1)", session1.has_value());




1





459



               result.test_is_eq("chosen offset", session1->second, uint16_t(0));




1





460












461



               // choose from a list of tickets that contains only handles[1]










462



               auto session2 =




2





463



                  mgr.choose_from_offered_tickets(std::vector{ticket(handles[1].id().value())}, "SHA-256", cbs, plcy);




3





464



               result.require("ticket was chosen and produced a session (2)", session2.has_value());




1





465



               result.test_is_eq("chosen offset", session2->second, uint16_t(0));




1





466












467



               // choose from a list of tickets that contains a random ticket and handles[1]










468



               auto session3 = mgr.choose_from_offered_tickets(




2





469



                  std::vector{ticket(random_ticket(*rng)), ticket(handles[1].id().value())}, "SHA-256", cbs, plcy);




5





470



               result.require("ticket was chosen and produced a session (3)", session3.has_value());




1





471



               result.test_is_eq("chosen second offset", session3->second, uint16_t(1));




1





472



            }),




13





473












474



      CHECK("choose ticket by ticket",










475



            [&](auto& result) {




1





476



               auto creds = std::make_shared<Test_Credentials_Manager>();










477



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





478



               std::vector<Botan::TLS::Session_Handle> handles;




1





479












480



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





481



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





482












483



               // choose from a list of tickets that contains only handles[0]










484



               auto session1 = mgr.choose_from_offered_tickets(




2





485



                  std::vector{ticket(handles[0].ticket().value())}, "SHA-256", cbs, plcy);




4





486



               result.require("ticket was chosen and produced a session (1)", session1.has_value());




1





487



               result.test_is_eq("chosen offset", session1->second, uint16_t(0));




1





488












489



               // choose from a list of tickets that contains only handles[1]










490



               auto session2 = mgr.choose_from_offered_tickets(




2





491



                  std::vector{ticket(handles[1].ticket().value())}, "SHA-256", cbs, plcy);




4





492



               result.require("ticket was chosen and produced a session (2)", session2.has_value());




1





493



               result.test_is_eq("chosen offset", session2->second, uint16_t(0));




1





494












495



               // choose from a list of tickets that contains a random ticket and handles[1]










496



               auto session3 = mgr.choose_from_offered_tickets(




2





497



                  std::vector{ticket(random_ticket(*rng)), ticket(handles[1].ticket().value())}, "SHA-256", cbs, plcy);




5





498



               result.require("ticket was chosen and produced a session (3)", session3.has_value());




1





499



               result.test_is_eq("chosen second offset", session3->second, uint16_t(1));




1





500



            }),




14





501












502



      CHECK("choose ticket based on requested hash function",










503



            [&](auto& result) {




1





504



               auto creds = std::make_shared<Test_Credentials_Manager>();










505



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





506



               std::vector<Botan::TLS::Session_Handle> handles;




1





507












508



               handles.push_back(mgr.establish(default_session("AES_128_GCM_SHA256", cbs)).value());




3





509



               handles.push_back(mgr.establish(default_session("AES_256_GCM_SHA384", cbs)).value());




3





510












511



               auto session = mgr.choose_from_offered_tickets(std::vector{ticket(random_ticket(*rng)),




5





512



                                                                          ticket(handles[0].ticket().value()),




1





513



                                                                          ticket(handles[1].ticket().value())},




1





514



                                                              "SHA-384",










515



                                                              cbs,










516



                                                              plcy);










517



               result.require("ticket was chosen and produced a session", session.has_value());




1





518



               result.test_is_eq("chosen second offset", session->second, uint16_t(2));




1





519



            }),




7





520












521



      CHECK("choose ticket based on protocol version",










522



            [&](auto& result) {




1





523



               auto creds = std::make_shared<Test_Credentials_Manager>();










524



               Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





525



               std::vector<Botan::TLS::Session_Handle> handles;




1





526












527



               handles.push_back(




1





528



                  mgr.establish(default_session("AES_128_GCM_SHA256", cbs, Botan::TLS::Version_Code::TLS_V12)).value());




3





529



               handles.push_back(




1





530



                  mgr.establish(default_session("AES_128_GCM_SHA256", cbs, Botan::TLS::Version_Code::TLS_V13)).value());




3





531












532



               auto session = mgr.choose_from_offered_tickets(std::vector{ticket(random_ticket(*rng)),




5





533



                                                                          ticket(handles[0].ticket().value()),




1





534



                                                                          ticket(handles[1].ticket().value())},




1





535



                                                              "SHA-256",










536



                                                              cbs,










537



                                                              plcy);










538



               result.require("ticket was chosen and produced a session", session.has_value());




1





539



               result.test_is_eq("chosen second offset (TLS 1.3 ticket)", session->second, uint16_t(2));




1





540



            }),




7





541



   };




7





542



   #else










543



   return {};










544



   #endif










545



}




2





546












547



std::vector<Test::Result> test_session_manager_stateless() {




1





548



   auto creds = std::make_shared<Test_Credentials_Manager>();




1





549












550



   auto rng = Test::new_shared_rng(__func__);




1





551












552



   Botan::TLS::Session_Manager_Stateless mgr(creds, rng);




1





553












554



   Session_Manager_Callbacks cbs;




1





555



   Session_Manager_Policy plcy;




1





556












557



   return {




1





558



      CHECK("establish with default parameters",










559



            [&](auto& result) {




1





560



               result.confirm("will emit tickets", mgr.emits_session_tickets());




1





561



               auto ticket = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





562



               result.confirm("returned ticket", ticket.has_value() && ticket->is_ticket());




1





563



            }),




1





564












565



      CHECK("establish with disabled tickets",










566



            [&](auto& result) {




1





567



               result.confirm("will emit tickets", mgr.emits_session_tickets());




1





568



               auto ticket =




1





569



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), std::nullopt, true);




1





570



               result.confirm("returned std::nullopt", !ticket.has_value());




1





571



            }),




1





572












573



      CHECK("establish without ticket key in credentials manager",










574



            [&](auto& result) {




1





575



               Botan::TLS::Session_Manager_Stateless local_mgr(std::make_shared<Empty_Credentials_Manager>(), rng);




2





576












577



               result.confirm("won't emit tickets", !local_mgr.emits_session_tickets());




1





578



               auto ticket = local_mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





579



               result.confirm("returned std::nullopt", !ticket.has_value());




1





580



            }),




1





581












582



      CHECK("retrieve via ticket",










583



            [&](auto& result) {




1





584



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





585



               auto ticket2 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





586



               result.require("tickets created successfully", ticket1.has_value() && ticket2.has_value());




1





587












588



               Botan::TLS::Session_Manager_Stateless local_mgr(creds, rng);




1





589



               result.confirm("can retrieve ticket 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




1





590



               result.confirm("can retrieve ticket 2 from different manager but sam credentials",




1





591



                              local_mgr.retrieve(ticket2.value(), cbs, plcy).has_value());




1





592



            }),




3





593












594



      CHECK("retrieve via ID does not work",










595



            [&](auto& result) {




1





596



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





597



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





598












599



               result.confirm("retrieval by ID does not work", !mgr.retrieve(random_id(*rng), cbs, plcy).has_value());




2





600



            }),




1





601












602



      CHECK("retrieve via opaque handle does work",










603



            [&](auto& result) {




1





604



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





605



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





606












607



               result.confirm("retrieval by opaque handle",




1





608



                              mgr.retrieve(ticket1->opaque_handle(), cbs, plcy).has_value());




3





609



            }),




1





610












611



      CHECK("no retrieve without or with wrong ticket key",










612



            [&](auto& result) {




1





613



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





614



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





615












616



               Botan::TLS::Session_Manager_Stateless local_mgr1(std::make_shared<Empty_Credentials_Manager>(), rng);




2





617












618



               Botan::TLS::Session_Manager_Stateless local_mgr2(std::make_shared<Other_Test_Credentials_Manager>(),




2





619



                                                                rng);










620












621



               result.confirm("no successful retrieval (without key)",




1





622



                              !local_mgr1.retrieve(ticket1.value(), cbs, plcy).has_value());




1





623



               result.confirm("no successful retrieval (with wrong key)",




1





624



                              !local_mgr2.retrieve(ticket1.value(), cbs, plcy).has_value());




1





625



               result.confirm("successful retrieval", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




1





626



            }),




2





627












628



      CHECK("Clients cannot be stateless",










629



            [&](auto& result) {




1





630



               result.test_throws("::store() does not work with ID", [&] {




1





631



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_id(*rng));




3





632



               });










633



               result.test_throws("::store() does not work with ticket", [&] {




1





634



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_ticket(*rng));




3





635



               });










636



               result.test_throws("::store() does not work with opaque handle", [&] {




1





637



                  mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_opaque_handle(*rng));




3





638



               });










639












640



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





641



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





642



               result.confirm("finding tickets does not work", mgr.find(server_info(), cbs, plcy).empty());




1





643



            }),




1





644












645



      CHECK("remove is a NOOP",










646



            [&](auto& result) {




1





647



               auto ticket1 = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





648



               result.require("tickets created successfully", ticket1.has_value() && ticket1.has_value());




1





649












650



               result.test_sz_eq("remove the ticket", mgr.remove(ticket1.value()), 0);




1





651



               result.confirm("successful retrieval 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




1





652












653



               result.test_sz_eq("remove the ticket", mgr.remove_all(), 0);




1





654



               result.confirm("successful retrieval 1", mgr.retrieve(ticket1.value(), cbs, plcy).has_value());




2





655



            }),




1





656












657



      CHECK(










658



         "retrieval via ticket reconstructs the start_time stamp",










659



         [&](auto& result) {




1





660



            auto session_before = default_session(Botan::TLS::Connection_Side::Server, cbs);




1





661



            auto ticket = mgr.establish(session_before);




2





662



            result.require("got a ticket", ticket.has_value() && ticket->is_ticket());




1





663



            auto session_after = mgr.retrieve(ticket.value(), cbs, plcy);




1





664



            result.require("got the session back", session_after.has_value());




1





665












666



            result.test_is_eq(




1





667



               "timestamps match",










668



               std::chrono::duration_cast<std::chrono::seconds>(session_before.start_time().time_since_epoch()).count(),




2





669



               std::chrono::duration_cast<std::chrono::seconds>(session_after->start_time().time_since_epoch())




1





670



                  .count());




1





671



         }),




2





672



   };




11





673



}




4





674












675



std::vector<Test::Result> test_session_manager_hybrid() {




1





676



   auto rng = Test::new_shared_rng(__func__);




1





677












678



   auto creds = std::make_shared<Test_Credentials_Manager>();




1





679



   Session_Manager_Callbacks cbs;




1





680



   Session_Manager_Policy plcy;




1





681












682



   // Runs the passed-in hybrid manager test lambdas for all available stateful










683



   // managers. The `make_manager()` helper is passed into the test code and










684



   // transparently constructs a hybrid manager with the respective internal










685



   // stateful manager.










686



   auto CHECK_all = [&](const std::string& name, auto lambda) -> std::vector<Test::Result> {




4





687



      const std::vector<std::pair<std::string, std::function<std::unique_ptr<Botan::TLS::Session_Manager>()>>>










688



         stateful_manager_factories = {




9





689



            {"In Memory",










690



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




9





691



                return std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10);




6





692



             }},










693



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










694



            {"SQLite",










695



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




9





696



                return std::make_unique<Botan::TLS::Session_Manager_SQLite>(










697



                   "secure_pw", rng, Test::temp_file_name("tls_session_manager_sqlite"), 10);




6





698



             }},










699



   #endif










700



         };










701












702



      std::vector<Test::Result> results;




3





703



      using namespace std::placeholders;










704



      for(const auto& factory_and_name : stateful_manager_factories) {




15





705



         const auto& stateful_manager_name = factory_and_name.first;




6





706



         const auto& stateful_manager_factory = factory_and_name.second;




6





707



         auto make_manager = [stateful_manager_factory, &creds, &rng](bool prefer_tickets) {




42





708



            return Botan::TLS::Session_Manager_Hybrid(stateful_manager_factory(), creds, rng, prefer_tickets);




48





709



         };










710












711



         auto nm = Botan::fmt("{} ({})", name, stateful_manager_name);




6





712



         auto fn = std::bind(lambda, make_manager, _1);  // NOLINT(*-avoid-bind)




6





713



         results.push_back(CHECK(nm.c_str(), fn));




18





714



      }










715



      return results;




3





716



   };




7





717












718



   return Test::flatten_result_lists({




3





719



      CHECK_all("ticket vs ID preference in establishment",




1





720



                [&](const auto& make_manager, auto& result) {




2





721



                   auto mgr_prefers_tickets = make_manager(true);




2





722



                   auto ticket1 =




2





723



                      mgr_prefers_tickets.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





724



                   result.confirm("emits a ticket", ticket1.has_value() && ticket1->is_ticket());




2





725












726



                   auto mgr_prefers_ids = make_manager(false);




2





727



                   auto ticket2 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





728



                   result.confirm("emits an ID", ticket2.has_value() && ticket2->is_id());




2





729












730



                   auto ticket3 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs),




2





731



                                                            std::nullopt,










732



                                                            true /* TLS 1.2 no ticket support */);










733



                   result.confirm("emits an ID", ticket3.has_value() && ticket3->is_id());




2





734












735



                   auto ticket4 = mgr_prefers_ids.establish(default_session(Botan::TLS::Connection_Side::Server, cbs),




2





736



                                                            std::nullopt,










737



                                                            true /* TLS 1.2 no ticket support */);










738



                   result.confirm("emits an ID", ticket4.has_value() && ticket4->is_id());




2





739



                }),




8





740












741



      CHECK_all("ticket vs ID preference in retrieval",




1





742



                [&](const auto& make_manager, auto& result) {




2





743



                   auto mgr_prefers_tickets = make_manager(true);




2





744



                   auto mgr_prefers_ids = make_manager(false);




2





745












746



                   auto id1 = mgr_prefers_tickets.underlying_stateful_manager()->establish(




2





747



                      default_session(Botan::TLS::Connection_Side::Server, cbs));










748



                   auto id2 = mgr_prefers_ids.underlying_stateful_manager()->establish(




2





749



                      default_session(Botan::TLS::Connection_Side::Server, cbs));










750



                   auto ticket =




2





751



                      mgr_prefers_tickets.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




2





752












753



                   result.require("establishments worked", id1.has_value() && id2.has_value() && ticket.has_value());




2





754












755



                   result.confirm("mgr1 + ID1", mgr_prefers_tickets.retrieve(id1.value(), cbs, plcy).has_value());




2





756



                   result.confirm("mgr1 + ID2", !mgr_prefers_tickets.retrieve(id2.value(), cbs, plcy).has_value());




2





757



                   result.confirm("mgr2 + ID1", !mgr_prefers_ids.retrieve(id1.value(), cbs, plcy).has_value());




2





758



                   result.confirm("mgr2 + ID2", mgr_prefers_ids.retrieve(id2.value(), cbs, plcy).has_value());




2





759



                   result.confirm("mgr1 + ticket", mgr_prefers_tickets.retrieve(ticket.value(), cbs, plcy).has_value());




2





760



                   result.confirm("mgr2 + ticket", mgr_prefers_ids.retrieve(ticket.value(), cbs, plcy).has_value());




4





761



                }),




6





762












763



      CHECK_all("no session tickets if hybrid manager cannot create them",




1





764



                [&](const auto& make_manager, auto& result) {




2





765



                   Botan::TLS::Session_Manager_Hybrid empty_mgr(




8





766



                      std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10),




4





767



                      std::make_shared<Empty_Credentials_Manager>(),










768



                      rng);










769



                   auto mgr_prefers_tickets = make_manager(true);




2





770



                   auto mgr_prefers_ids = make_manager(false);




2





771












772



                   result.confirm("does not emit tickets", !empty_mgr.emits_session_tickets());




2





773



                   result.confirm("does emit tickets 1", mgr_prefers_tickets.emits_session_tickets());




2





774



                   result.confirm("does emit tickets 2", mgr_prefers_ids.emits_session_tickets());




2





775



                }),




2





776



   });




4





777



}




4





778












779



namespace {










780












781



class Temporary_Database_File {










782



   private:










783



      std::string m_temp_file;










784












785



   public:










786



      explicit Temporary_Database_File(const std::string& db_file) :




1





787



            m_temp_file(Test::data_file_as_temporary_copy(db_file)) {




1





788



         if(m_temp_file.empty()) {




1





789



            throw Test_Error("Failed to create temporary database file");




×







790



         }










791



      }




1





792












793



      ~Temporary_Database_File() {




1





794



   #if defined(BOTAN_TARGET_OS_HAS_FILESYSTEM) && defined(__cpp_lib_filesystem)










795



         if(!m_temp_file.empty()) {




1





796



            std::filesystem::remove(m_temp_file);




1





797



         }










798



   #endif










799



      }




1





800












801



      const std::string& get() const { return m_temp_file; }










802












803



      Temporary_Database_File(const Temporary_Database_File&) = delete;










804



      Temporary_Database_File& operator=(const Temporary_Database_File&) = delete;










805



      Temporary_Database_File(Temporary_Database_File&&) = delete;










806



      Temporary_Database_File& operator=(Temporary_Database_File&&) = delete;










807



};










808












809



}  // namespace










810












811



std::vector<Test::Result> test_session_manager_sqlite() {




1





812



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










813



   auto rng = Test::new_shared_rng(__func__);




1





814



   Session_Manager_Callbacks cbs;




1





815



   Session_Manager_Policy plcy;




1





816












817



   return {




1





818



      CHECK("migrate session database scheme (purges database)",










819



            [&](auto& result) {




1





820



               const Temporary_Database_File dbfile("tls-sessions/botan-2.19.3.sqlite");




1





821












822



               // legacy database (encrypted with 'thetruthisoutthere') containing:










823



               //    $ sqlite3 src/tests/data/tls-sessions/botan-2.19.3.sqlite  'SELECT * FROM tls_sessions;'










824



               //    63C136FAD49F05A184F910FD6568A3884164216C11E41CEBFDCD149AF66C1714|1673606906|cloudflare.com|443|...










825



               //    63C137030387E4A6CDAD303CCB1F53884944FDE5B4EDD91E6FCF74DCB033DCEB|1673606915|randombit.net|443|...










826



               Botan::TLS::Session_Manager_SQLite legacy_db("thetruthisoutthere", rng, dbfile.get());




1





827












828



               result.confirm("Session_ID for randombit.net is gone",




1





829



                              !legacy_db










830



                                  .retrieve(Botan::TLS::Session_ID(Botan::hex_decode(




2





831



                                               "63C137030387E4A6CDAD303CCB1F53884944FDE5B4EDD91E6FCF74DCB033DCEB")),










832



                                            cbs,










833



                                            plcy)










834



                                  .has_value());




3





835



               result.confirm("Session_ID for cloudflare.com is gone",




1





836



                              !legacy_db










837



                                  .retrieve(Botan::TLS::Session_ID(Botan::hex_decode(




2





838



                                               "63C136FAD49F05A184F910FD6568A3884164216C11E41CEBFDCD149AF66C1714")),










839



                                            cbs,










840



                                            plcy)










841



                                  .has_value());




3





842



               result.confirm("no more session for randombit.net",




2





843



                              legacy_db.find(Botan::TLS::Server_Information("randombit.net", 443), cbs, plcy).empty());




1





844



               result.confirm("no more session for cloudflare.com",




2





845



                              legacy_db.find(Botan::TLS::Server_Information("cloudflare.com", 443), cbs, plcy).empty());




1





846












847



               result.test_sz_eq("empty database won't get more empty", legacy_db.remove_all(), 0);




1





848



            }),




1





849












850



      CHECK("clearing empty database",










851



            [&](auto& result) {




1





852



               Botan::TLS::Session_Manager_SQLite mgr("thetruthisoutthere", rng, Test::temp_file_name("empty.sqlite"));




1





853



               result.test_sz_eq("does not delete anything", mgr.remove_all(), 0);




1





854



            }),




1





855












856



      CHECK("establish new session",










857



            [&](auto& result) {




1





858



               Botan::TLS::Session_Manager_SQLite mgr(




1





859



                  "thetruthisoutthere", rng, Test::temp_file_name("new_session.sqlite"));




1





860



               auto some_random_id = random_id(*rng);




1





861



               auto some_random_handle =




1





862



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), some_random_id);










863



               result.require("establishment was successful", some_random_handle.has_value());




1





864



               result.require("session id was set", some_random_handle->id().has_value());




1





865



               result.test_is_eq("session id is correct", some_random_handle->id().value(), some_random_id);




2





866












867



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





868



               result.require("establishment was successful", some_virtual_handle.has_value());




1





869



               result.require("session id was set", some_virtual_handle->id().has_value());




1





870



            }),




3





871












872



      CHECK("retrieve session by ID",










873



            [&](auto& result) {




1





874



               Botan::TLS::Session_Manager_SQLite mgr(




1





875



                  "thetruthisoutthere", rng, Test::temp_file_name("retrieve_by_id.sqlite"));




1





876



               auto some_random_id = random_id(*rng);




1





877



               auto some_random_handle =




1





878



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), some_random_id);










879



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





880












881



               result.require("establishment was successful",




1





882



                              some_random_handle->is_id() && some_virtual_handle->is_id());




1





883












884



               auto session1 = mgr.retrieve(some_random_handle.value(), cbs, plcy);




1





885



               if(result.confirm("found session by user-provided ID", session1.has_value())) {




1





886



                  result.test_is_eq("protocol version was echoed",




1





887



                                    session1->version(),




1





888



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





889



                  result.test_is_eq("ciphersuite was echoed", session1->ciphersuite_code(), uint16_t(0x009C));




1





890



               }










891












892



               auto session2 = mgr.retrieve(some_virtual_handle.value(), cbs, plcy);




1





893



               if(result.confirm("found session by manager-generated ID", session2.has_value())) {




1





894



                  result.test_is_eq("protocol version was echoed",




1





895



                                    session2->version(),




1





896



                                    Botan::TLS::Protocol_Version(Botan::TLS::Version_Code::TLS_V12));




1





897



                  result.test_is_eq("ciphersuite was echoed", session2->ciphersuite_code(), uint16_t(0x009C));




1





898



               }










899












900



               auto session3 = mgr.retrieve(random_id(*rng), cbs, plcy);




2





901



               result.confirm("random ID creates empty result", !session3.has_value());




1





902



            }),




6





903












904



      CHECK("retrieval via ticket creates empty result",










905



            [&](auto& result) {




1





906



               Botan::TLS::Session_Manager_SQLite mgr(




1





907



                  "thetruthisoutthere", rng, Test::temp_file_name("retrieve_by_ticket.sqlite"));




1





908



               auto some_random_handle =




1





909



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng));




1





910



               auto some_virtual_handle = mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




1





911












912



               result.confirm("std::nullopt on random ticket",




1





913



                              !mgr.retrieve(random_ticket(*rng), cbs, plcy).has_value());




3





914



            }),




2





915












916



      CHECK("storing sessions and finding them by server info",










917



            [&](auto& result) {




1





918



               Botan::TLS::Session_Manager_SQLite mgr(




1





919



                  "thetruthisoutthere", rng, Test::temp_file_name("store_and_find.sqlite"));




1





920



               auto id = random_id(*rng);




1





921



               auto ticket = random_ticket(*rng);




1





922



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), id);




2





923



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




2





924












925



               auto found_sessions = mgr.find(server_info(), cbs, plcy);




1





926



               if(result.test_sz_eq("found both sessions", found_sessions.size(), 2)) {




1





927



                  for(const auto& [session, handle] : found_sessions) {




3





928



                     result.confirm("ID matches", !handle.is_id() || handle.id().value() == id);




3





929



                     result.confirm("ticket matches", !handle.is_ticket() || handle.ticket().value() == ticket);




3





930



                  }










931



               }










932



            }),




3





933












934



      CHECK("removing sessions",










935



            [&](auto& result) {




1





936



               Botan::TLS::Session_Manager_SQLite mgr("thetruthisoutthere", rng, Test::temp_file_name("remove.sqlite"));




1





937



               auto id = random_id(*rng);




1





938



               auto ticket = random_ticket(*rng);




1





939



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), id);




2





940



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




2





941



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_id(*rng));




2





942



               mgr.store(default_session(Botan::TLS::Connection_Side::Client, cbs), random_ticket(*rng));




2





943












944



               result.test_sz_eq("deletes one session by ID", mgr.remove(id), 1);




2





945



               result.test_sz_eq("deletes one session by ticket", mgr.remove(ticket), 1);




2





946












947



               auto found_sessions = mgr.find(server_info(), cbs, plcy);




1





948



               if(result.test_sz_eq("found some other sessions", found_sessions.size(), 2)) {




1





949



                  for(const auto& [session, handle] : found_sessions) {




3





950



                     result.confirm("ID does not match", !handle.is_id() || handle.id().value() != id);




4





951



                     result.confirm("ticket does not match", !handle.is_ticket() || handle.ticket().value() != ticket);




4





952



                  }










953



               }










954












955



               result.test_sz_eq("removing the rest of the sessions", mgr.remove_all(), 2);




1





956



            }),




3





957












958



      CHECK("old sessions are purged when needed",










959



            [&](auto& result) {




1





960



               Botan::TLS::Session_Manager_SQLite mgr(




1





961



                  "thetruthisoutthere", rng, Test::temp_file_name("purging.sqlite"), 1);




1





962












963



               std::vector<Botan::TLS::Session_ID> ids = {random_id(*rng), random_id(*rng), random_id(*rng)};




5





964



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[0]);




2





965



               result.require("new ID exists", mgr.retrieve(ids[0], cbs, plcy).has_value());




4





966












967



               // Session timestamps are saved with second-resolution. If more than










968



               // one session has the same (coarse) timestamp it is undefined which










969



               // will be purged first. The clock tick ensures that session's










970



               // timestamps are unique.










971



               cbs.tick();




1





972



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[1]);




2





973



               result.require("first ID is gone", !mgr.retrieve(ids[0], cbs, plcy).has_value());




3





974



               result.require("new ID exists", mgr.retrieve(ids[1], cbs, plcy).has_value());




4





975












976



               cbs.tick();




1





977



               mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), ids[2]);




2





978



               result.require("second ID is gone", !mgr.retrieve(ids[1], cbs, plcy).has_value());




3





979



               result.require("new ID exists", mgr.retrieve(ids[2], cbs, plcy).has_value());




4





980












981



               result.test_sz_eq("only one entry exists", mgr.remove_all(), 1);




1





982



            }),




2





983












984



      CHECK("session purging can be disabled",










985



            [&](auto& result) {




1





986



               Botan::TLS::Session_Manager_SQLite mgr(




1





987



                  "thetruthisoutthere", rng, Test::temp_file_name("purging.sqlite"), 0 /* no pruning! */);




1





988












989



               for(size_t i = 0; i < 25; ++i) {




26





990



                  mgr.establish(default_session(Botan::TLS::Connection_Side::Server, cbs), random_id(*rng));




50





991



               }










992












993



               result.test_sz_eq("no entries were purged along the way", mgr.remove_all(), 25);




1





994



            }),




1





995



   };




10





996



   #else










997



   return {};










998



   #endif










999



}




3





1000












1001



std::vector<Test::Result> tls_session_manager_expiry() {




1





1002



   auto rng = Test::new_shared_rng(__func__);




1





1003



   Session_Manager_Callbacks cbs;




1





1004



   Session_Manager_Policy plcy;




1





1005












1006



   auto CHECK_all = [&](const std::string& name, auto lambda) -> std::vector<Test::Result> {




6





1007



      const std::vector<std::pair<std::string, std::function<std::unique_ptr<Botan::TLS::Session_Manager>()>>>










1008



         stateful_manager_factories = {




20





1009



            {"In Memory",










1010



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




10





1011



                return std::make_unique<Botan::TLS::Session_Manager_In_Memory>(rng, 10);




5





1012



             }},










1013



            {"Stateless",










1014



             [&]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




7





1015



                return std::make_unique<Botan::TLS::Session_Manager_Stateless>(










1016



                   std::make_shared<Test_Credentials_Manager>(), rng);




2





1017



             }},










1018



   #if defined(BOTAN_HAS_TLS_SQLITE3_SESSION_MANAGER)










1019



            {"SQLite",










1020



             [&rng]() -> std::unique_ptr<Botan::TLS::Session_Manager> {




10





1021



                return std::make_unique<Botan::TLS::Session_Manager_SQLite>(










1022



                   "secure_pw", rng, Test::temp_file_name("tls_session_manager_sqlite"), 10);




5





1023



             }},










1024



   #endif










1025



         };










1026












1027



      std::vector<Test::Result> results;




5





1028



      results.reserve(stateful_manager_factories.size());




5





1029



      using namespace std::placeholders;










1030



      for(const auto& [sub_name, factory] : stateful_manager_factories) {




20





1031



         auto nm = Botan::fmt("{} ({})", name, sub_name);




15





1032



         auto fn = std::bind(lambda, sub_name, factory, _1);  // NOLINT(*-avoid-bind)




15





1033



         results.push_back(CHECK(nm.c_str(), fn));




30





1034



      }










1035



      return results;




5





1036



   };




11





1037












1038



   return Test::flatten_result_lists({




5





1039



      CHECK_all("sessions expire",




1





1040



                [&](const auto&, const auto& factory, auto& result) {




3





1041



                   auto mgr = factory();




3





1042












1043



                   auto handle = mgr->establish(default_session(Botan::TLS::Connection_Side::Server, cbs));




3





1044



                   result.require("saved successfully", handle.has_value());




3





1045



                   result.require("session was found", mgr->retrieve(handle.value(), cbs, plcy).has_value());




3





1046



                   cbs.tick();




3





1047



                   result.confirm("session has expired", !mgr->retrieve(handle.value(), cbs, plcy).has_value());




3





1048



                   result.test_sz_eq("session was deleted when it expired", mgr->remove_all(), 0);




3





1049



                }),




6





1050












1051



         CHECK_all("expired sessions are not found",




1





1052



                   [&](const std::string& type, const auto& factory, auto& result) {




3





1053



                      if(type == "Stateless") {




3





1054



                         return;  // this manager can neither store nor find anything




1





1055



                      }










1056












1057



                      auto mgr = factory();




2





1058












1059



                      auto handle_old = random_id(*rng);




2





1060



                      mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), handle_old);




6





1061



                      result.require("session was found", mgr->retrieve(handle_old, cbs, plcy).has_value());




8





1062












1063



                      cbs.tick();




2





1064



                      auto handle_new = random_id(*rng);




2





1065



                      mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), handle_new);




6





1066



                      result.require("session was found", mgr->retrieve(handle_new, cbs, plcy).has_value());




8





1067












1068



                      auto sessions_and_handles = mgr->find(server_info(), cbs, plcy);




2





1069



                      result.require("sessions are found", !sessions_and_handles.empty());




2





1070



                      result.test_sz_eq("exactly one session is found", sessions_and_handles.size(), 1);




2





1071



                      result.test_is_eq(




2





1072



                         "the new session is found", sessions_and_handles.front().handle.id().value(), handle_new);




6





1073












1074



                      result.test_sz_eq("old session was deleted when it expired", mgr->remove_all(), 1);




2





1075



                   }),




8





1076












1077



         CHECK_all(




1





1078



            "session tickets are not reused",










1079



            [&](const std::string& type, const auto& factory, auto& result) {




3





1080



               if(type == "Stateless") {




3





1081



                  return;  // this manager can neither store nor find anything




1





1082



               }










1083












1084



               auto mgr = factory();




2





1085












1086



               auto handle_1 = random_id(*rng);




2





1087



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V12),




6





1088



                          handle_1);










1089



               auto handle_2 = random_ticket(*rng);




2





1090



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V12),




6





1091



                          handle_2);










1092












1093



   #if defined(BOTAN_HAS_TLS_13)










1094



               auto handle_3 = random_id(*rng);




2





1095



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V13),




6





1096



                          handle_3);










1097



               auto handle_4 = random_ticket(*rng);




2





1098



               mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs, Botan::TLS::Version_Code::TLS_V13),




6





1099



                          handle_4);










1100



   #endif










1101












1102



               plcy.set_allow_session_reuse(false);




2





1103












1104



               auto sessions_and_handles1 = mgr->find(server_info(), cbs, plcy);




2





1105



               result.require("all sessions are found", sessions_and_handles1.size() > 1);




2





1106












1107



               auto sessions_and_handles2 = mgr->find(server_info(), cbs, plcy);




2





1108



               result.test_sz_eq("only one session is found", sessions_and_handles2.size(), 1);




2





1109



               result.confirm("found session is the Session_ID", sessions_and_handles2.front().handle.is_id());




2





1110



               result.test_is_eq(




2





1111



                  "found session is the Session_ID", sessions_and_handles2.front().handle.id().value(), handle_1);




6





1112



               result.confirm("found session is TLS 1.2",




2





1113



                              sessions_and_handles2.front().session.version().is_pre_tls_13());




2





1114



            }),




12





1115












1116



         CHECK_all("number of found tickets is capped",




1





1117



                   [&](const std::string& type, const auto& factory, auto& result) {




3





1118



                      if(type == "Stateless") {




3





1119



                         return;  // this manager can neither store nor find anything




1





1120



                      }










1121












1122



                      auto mgr = factory();




2





1123












1124



                      std::array<Botan::TLS::Session_Ticket, 5> tickets;




2





1125



                      for(auto& ticket : tickets) {




12





1126



                         ticket = random_ticket(*rng);




10





1127



                         mgr->store(default_session(Botan::TLS::Connection_Side::Client, cbs), ticket);




30





1128



                      }










1129












1130



                      plcy.set_allow_session_reuse(true);




2





1131












1132



                      plcy.set_session_limit(1);




2





1133



                      result.test_is_eq("find one",




2





1134



                                        mgr->find(server_info(), cbs, plcy).size(),




2





1135



                                        plcy.maximum_session_tickets_per_client_hello());




2





1136












1137



                      plcy.set_session_limit(3);




2





1138



                      result.test_is_eq("find three",




2





1139



                                        mgr->find(server_info(), cbs, plcy).size(),




2





1140



                                        plcy.maximum_session_tickets_per_client_hello());




2





1141












1142



                      plcy.set_session_limit(10);




2





1143



                      result.test_sz_eq("find all five", mgr->find(server_info(), cbs, plcy).size(), 5);




2





1144



                   }),




4





1145












1146



   #if defined(BOTAN_HAS_TLS_13)










1147



         CHECK_all("expired tickets are not selected for PSK resumption",




1





1148



                   [&](const auto&, const auto& factory, auto& result) {




3





1149



                      auto ticket = [&](const Botan::TLS::Session_Handle& handle) {




12





1150



                         return Botan::TLS::PskIdentity(handle.opaque_handle().get(), 0);




12





1151



                      };










1152












1153



                      auto mgr = factory();




3





1154












1155



                      auto old_handle = mgr->establish(




3





1156



                         default_session(Botan::TLS::Connection_Side::Server, cbs, Botan::TLS::Version_Code::TLS_V13));










1157



                      cbs.tick();




3





1158



                      auto new_handle = mgr->establish(




3





1159



                         default_session(Botan::TLS::Connection_Side::Server, cbs, Botan::TLS::Version_Code::TLS_V13));










1160



                      result.require("both sessions are stored", old_handle.has_value() && new_handle.has_value());




3





1161












1162



                      auto session_and_index = mgr->choose_from_offered_tickets(




12





1163



                         std::vector{ticket(old_handle.value()), ticket(new_handle.value())}, "SHA-256", cbs, plcy);




6





1164



                      result.require("a ticket was chosen", session_and_index.has_value());




3





1165



                      result.test_is_eq("the new ticket was chosen", session_and_index->second, uint16_t(1));




3





1166












1167



                      cbs.tick();




3





1168












1169



                      auto nothing = mgr->choose_from_offered_tickets(




12





1170



                         std::vector{ticket(new_handle.value()), ticket(old_handle.value())}, "SHA-256", cbs, plcy);




6





1171



                      result.require("all tickets are expired", !nothing.has_value());




3





1172



                   }),




33





1173



   #endif










1174



   });




6





1175



}




3





1176












1177



}  // namespace










1178












1179



BOTAN_REGISTER_TEST_FN("tls",










1180



                       "tls_session_manager",










1181



                       test_session_manager_in_memory,










1182



                       test_session_manager_choose_ticket,










1183



                       test_session_manager_stateless,










1184



                       test_session_manager_hybrid,










1185



                       test_session_manager_sqlite,










1186



                       tls_session_manager_expiry);










1187












1188



}  // namespace Botan_Tests










1189












1190



#endif  // BOTAN_HAS_TLS
























    

  • 

    •