SSL asynchronous signature: basic test of recovery after error

Add test cases where the server goes through an async operation which fails, then the server makes a successful connection.
2025-11-04 04:32:24 -05:00 · 2018-01-08 11:28:05 +01:00 · 2018-01-08 11:28:05 +01:00 · 60ee4cadce
commit 60ee4cadce
parent f9f15ae5a1
2 changed files with 64 additions and 5 deletions
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -203,7 +203,8 @@ int main( void )
    "    async_private_delay1=%%d  Asynchronous delay for key_file or preloaded key\n" \
    "    async_private_delay2=%%d  Asynchronous delay for key_file2\n" \
    "                              default: -1 (not asynchronous)\n" \
-    "    async_private_error=%%d   Async callback error injection (default=0=none, 1=start, 2=cancel, 3=resume, 4=pk)"
+    "    async_private_error=%%d   Async callback error injection (default=0=none,\n" \
+    "                              1=start, 2=cancel, 3=resume, 4=pk, negative=first time only)"
 #else
 #define USAGE_SSL_ASYNC ""
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
@ -1238,7 +1239,8 @@ int main( int argc, char *argv[] )
        else if( strcmp( p, "async_private_error" ) == 0 )
        {
            int n = atoi( q );
-            if( n < 0 || n > SSL_ASYNC_INJECT_ERROR_MAX )
+            if( n < -SSL_ASYNC_INJECT_ERROR_MAX ||
+                n > SSL_ASYNC_INJECT_ERROR_MAX )
            {
                ret = 2;
                goto usage;
@ -2152,7 +2154,9 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
    if( opt.async_private_delay1 >= 0 || opt.async_private_delay2 >= 0 )
    {
-        ssl_async_keys.inject_error = opt.async_private_error;
+        ssl_async_keys.inject_error = ( opt.async_private_error < 0 ?
+                                        - opt.async_private_error :
+                                        opt.async_private_error );
        ssl_async_keys.f_rng = mbedtls_ctr_drbg_random;
        ssl_async_keys.p_rng = &ctr_drbg;
        mbedtls_ssl_conf_async_private_cb( &conf,
@ -2338,10 +2342,10 @@ handshake:
        ret = mbedtls_ssl_handshake( &ssl );
 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
        if( ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
-            opt.async_private_error == SSL_ASYNC_INJECT_ERROR_CANCEL )
+            ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL )
        {
            mbedtls_printf( " cancelling on injected error\n" );
-            goto reset;
+            break;
        }
 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE_C */
    }
@ -2371,6 +2375,11 @@ handshake:
        }
 #endif

+#if defined(MBEDTLS_SSL_ASYNC_PRIVATE_C)
+        if( opt.async_private_error < 0 )
+            /* Injected error only the first time round, to test reset */
+            ssl_async_keys.inject_error = SSL_ASYNC_INJECT_ERROR_NONE;
+#endif
        goto reset;
    }
    else /* ret == 0 */
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -3737,6 +3737,56 @@ run_test    "SSL async private: error in pk" \
            -s "Async resume callback: done but injected error" \
            -s "! mbedtls_ssl_handshake returned"

+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test    "SSL async private: cancel after start then operate correctly" \
+            "$P_SRV async_private_delay1=1 async_private_delay2=1 async_private_error=-2" \
+            "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+            0 \
+            -s "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async resume" \
+            -s "Successful connection"
+
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test    "SSL async private: error in resume then operate correctly" \
+            "$P_SRV async_private_delay1=1 async_private_delay2=1 async_private_error=-3" \
+            "$P_CLI; [ \$? -eq 1 ] && $P_CLI" \
+            0 \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async resume" \
+            -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test    "SSL async private: cancel after start then fall back to transparent key" \
+            "$P_SRV key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt \
+             async_private_delay1=1 async_private_error=-2" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+             [ \$? -eq 1 ] &&
+             $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -S "Async resume" \
+            -s "Async cancel" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async sign callback: no key matches this certificate." \
+            -s "Successful connection"
+
+# key1: ECDSA, key2: RSA; use key1 through async, then key2 directly
+requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
+run_test    "SSL async private: error in resume then fall back to transparent key" \
+            "$P_SRV key_file=data_files/server5.key crt_file=data_files/server5.crt \
+             key_file2=data_files/server2.key crt_file2=data_files/server2.crt \
+             async_private_delay1=1 async_private_error=-3" \
+            "$P_CLI force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256;
+             [ \$? -eq 1 ] &&
+             $P_CLI force_ciphersuite=TLS-ECDHE-RSA-WITH-AES-128-CBC-SHA256" \
+            0 \
+            -s "Async resume" \
+            -s "! mbedtls_ssl_handshake returned" \
+            -s "Async sign callback: no key matches this certificate." \
+            -s "Successful connection"
+
 requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE_C
 requires_config_enabled MBEDTLS_SSL_RENEGOTIATION
 run_test    "SSL async private: renegotiation: client-initiated" \