Add a test that does a session resumption with session ID with downgrade

Author: julek-wolfssl

tests/api/test_tls.c

@@ -768,3 +768,75 @@ int test_tls_set_curves_list_ecc_fallback(void)
     return EXPECT_RESULT();
 }
 
+int test_tls_session_id_resume_downgrade(void)
+{
+    EXPECT_DECLS;
+#if defined(HAVE_MANUAL_MEMIO_TESTS_DEPENDENCIES) && \
+    !defined(WOLFSSL_NO_TLS12) && !defined(NO_SESSION_CACHE)
+    struct {
+        method_provider client_meth_v12;
+        method_provider server_meth;
+        method_provider client_meth;
+        int expected_version;
+    } params[] = {
+#ifdef WOLFSSL_TLS13
+        /* TLS 1.2 client → server, then client resumes at 1.2 */
+        { wolfTLSv1_2_client_method, wolfTLS_server_method,
+          wolfTLS_client_method, TLS1_2_VERSION },
+#endif
+#if defined(WOLFSSL_DTLS) && defined(WOLFSSL_DTLS13)
+        /* DTLS 1.2 client → server, then client resumes at 1.2 */
+        { wolfDTLSv1_2_client_method, wolfDTLS_server_method,
+          wolfDTLS_client_method, DTLS1_2_VERSION },
+#endif
+    };
+    size_t i;
+
+    for (i = 0; i < sizeof(params)/sizeof(*params) && !EXPECT_FAIL(); i++) {
+        struct test_memio_ctx test_ctx;
+        WOLFSSL_CTX *ctx_c = NULL, *ctx_s = NULL;
+        WOLFSSL *ssl_c = NULL, *ssl_s = NULL;
+        WOLFSSL_SESSION *sess = NULL;
+
+        /* --- first connection: v1.2-only client to server --- */
+        XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
+                        &ssl_s, params[i].client_meth_v12,
+                        params[i].server_meth), 0);
+        /* Disable tickets so resumption must use session IDs */
+        if (EXPECT_SUCCESS())
+            wolfSSL_CTX_set_options(ctx_s, WOLFSSL_OP_NO_TICKET);
+        ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+        ExpectIntEQ(wolfSSL_version(ssl_c), params[i].expected_version);
+
+        ExpectNotNull(sess = wolfSSL_get1_session(ssl_c));
+#ifdef HAVE_SESSION_TICKET
+        ExpectIntEQ(sess->ticketLen, 0);
+#endif
+
+        wolfSSL_free(ssl_c);  ssl_c = NULL;
+        wolfSSL_free(ssl_s);  ssl_s = NULL;
+        wolfSSL_CTX_free(ctx_c); ctx_c = NULL;
+        /* keep ctx_s so the server session cache is available */
+
+        /* --- second connection: client resumes the v1.2 session --- */
+        XMEMSET(&test_ctx, 0, sizeof(test_ctx));
+        ExpectIntEQ(test_memio_setup(&test_ctx, &ctx_c, &ctx_s, &ssl_c,
+                        &ssl_s, params[i].client_meth,
+                        params[i].server_meth), 0);
+        ExpectIntEQ(wolfSSL_set_session(ssl_c, sess), WOLFSSL_SUCCESS);
+        ExpectIntEQ(test_memio_do_handshake(ssl_c, ssl_s, 10, NULL), 0);
+
+        ExpectTrue(wolfSSL_session_reused(ssl_c));
+        ExpectIntEQ(wolfSSL_version(ssl_c), params[i].expected_version);
+
+        wolfSSL_SESSION_free(sess);
+        wolfSSL_free(ssl_c);
+        wolfSSL_free(ssl_s);
+        wolfSSL_CTX_free(ctx_c);
+        wolfSSL_CTX_free(ctx_s);
+    }
+#endif
+    return EXPECT_RESULT();
+}
+

tests/api/test_tls.h

@@ -31,6 +31,7 @@ int test_tls_certreq_order(void);
 int test_tls12_bad_cv_sig_alg(void);
 int test_tls12_no_null_compression(void);
 int test_tls_set_curves_list_ecc_fallback(void);
+int test_tls_session_id_resume_downgrade(void);
 
 #define TEST_TLS_DECLS                                                         \
         TEST_DECL_GROUP("tls", test_utils_memio_move_message),                 \
@@ -41,6 +42,7 @@ int test_tls_set_curves_list_ecc_fallback(void);
         TEST_DECL_GROUP("tls", test_tls_certreq_order),                        \
         TEST_DECL_GROUP("tls", test_tls12_bad_cv_sig_alg),                     \
         TEST_DECL_GROUP("tls", test_tls12_no_null_compression),                \
-        TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback)
+        TEST_DECL_GROUP("tls", test_tls_set_curves_list_ecc_fallback),         \
+        TEST_DECL_GROUP("tls", test_tls_session_id_resume_downgrade)
 
 #endif /* TESTS_API_TEST_TLS_H */