X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=test%2Fsslapitest.c;h=10bfc8ac14d6ce3ef8238b6ee0959c047ae66967;hp=626e26f52b4ae22c5eee991eb64401670c6fcf3b;hb=693cf80c6ff54ae276a44d305d4ad07168ec6895;hpb=36ff232cf2bf5dfcaf9e60a8c492439428a243bb
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 626e26f52b..10bfc8ac14 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1072,9 +1072,22 @@ static int execute_test_session(int maxprot, int use_int_cache,
 || !TEST_ptr(sess2 = SSL_get1_session(serverssl1)))
 goto end;
- /* Should fail because it should already be in the cache */
- if (use_int_cache && !TEST_false(SSL_CTX_add_session(sctx, sess2)))
- goto end;
+ if (use_int_cache) {
+ if (maxprot == TLS1_3_VERSION && !use_ext_cache) {
+ /*
+ * In TLSv1.3 it should not have been added to the internal cache,
+ * except in the case where we also have an external cache (in that
+ * case it gets added to the cache in order to generate remove
+ * events after timeout).
+ */
+ if (!TEST_false(SSL_CTX_remove_session(sctx, sess2)))
+ goto end;
+ } else {
+ /* Should fail because it should already be in the cache */
+ if (!TEST_false(SSL_CTX_add_session(sctx, sess2)))
+ goto end;
+ }
+ }
 if (use_ext_cache) {
 SSL_SESSION *tmp = sess2;
@@ -1088,7 +1101,7 @@ static int execute_test_session(int maxprot, int use_int_cache,
 * the external cache. We take a copy first because
 * SSL_CTX_remove_session() also marks the session as non-resumable.
 */
- if (use_int_cache) {
+ if (use_int_cache && maxprot != TLS1_3_VERSION) {
 if (!TEST_ptr(tmp = SSL_SESSION_dup(sess2))
 || !TEST_true(SSL_CTX_remove_session(sctx, sess2)))
 goto end;
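Review bot: The guard `if (use_int_cache && maxprot != TLS1_3_VERSION)` in the `@@ -1088` hunk skips the SSL_SESSION_dup/SSL_CTX_remove_session step for every TLSv1.3 run, while the comment added in the `@@ -1072` hunk says that with an external cache a TLSv1.3 session is placed in the internal cache to generate remove events, and the else branch there asserts it is present. The two hunks therefore disagree about the TLSv1.3-with-external-cache case: the session is verified to be in the internal cache but this path never removes it. If the removal is meant to cover every case where the session sits in the internal cache, the condition should be `if (use_int_cache && (maxprot != TLS1_3_VERSION || use_ext_cache)) {`; if skipping it is deliberate, a comment saying why would stop the next reader from drawing the same conclusion. execute_test_session continues outside the hunk, so the later checks on the remove callback are not visible here.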
@@ -1184,11 +1197,35 @@ static int test_session_with_both_cache(void)
 #endif
 }
-SSL_SESSION *sesscache[9];
+static SSL_SESSION *sesscache[6];
+static int do_cache;
 static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess)
 {
- sesscache[new_called++] = sess;
+ if (do_cache) {
+ sesscache[new_called] = sess;
+ } else {
+ /* We don't need the reference to the session, so free it */
+ SSL_SESSION_free(sess);
+ }
+ new_called++;
+
+ return 1;
+}
+
+static int post_handshake_verify(SSL *sssl, SSL *cssl)
+{
+ SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL);
+ if (!TEST_true(SSL_verify_client_post_handshake(sssl)))
+ return 0;
+
+ /* Start handshake on the server and client */
+ if (!TEST_int_eq(SSL_do_handshake(sssl), 1)
+ || !TEST_int_le(SSL_read(cssl, NULL, 0), 0)
+ || !TEST_int_le(SSL_read(sssl, NULL, 0), 0)
+ || !TEST_true(create_ssl_connection(sssl, cssl,
+ SSL_ERROR_NONE)))
+ return 0;
 return 1;
 }
@@ -1203,6 +1240,7 @@ static int test_tickets(int idx)
 /* idx is the test number, but also the number of tickets we want */
 new_called = 0;
+ do_cache = 1;
 if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
 TLS_client_method(), TLS1_VERSION,
 TLS_MAX_VERSION, &sctx,
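Review bot: `sesscache[new_called] = sess;` in new_cachesession_cb stores into a fixed array with no bounds check, and this commit shrinks the array from 9 to 6 entries, so a test that receives more than six tickets while do_cache is set writes past the end of the array; the resumption loop in the test_tickets hunk below (`for (i = 0; i < idx * 2; i++)`) reads the same array under the same unchecked assumption that idx * 2 never exceeds six. Making the limit explicit is cheap: `if (do_cache && TEST_int_lt(new_called, (int)OSSL_NELEM(sesscache))) {` in the callback, so an overflow is reported and the session falls through to the existing free branch instead of being written out of bounds, and `if (!TEST_int_le(idx * 2, (int)OSSL_NELEM(sesscache))) goto end;` ahead of the loop. A short comment on sesscache stating that it must hold 2 * max(idx) entries would document the coupling between the array size and the test parameter.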
@@ -1227,34 +1265,40 @@ static int test_tickets(int idx)
 goto end;
 /* After a post-handshake authentication we should get new tickets issued */
- SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL);
- if (!TEST_true(SSL_verify_client_post_handshake(serverssl)))
- goto end;
-
- /* Start handshake on the server and client */
- if (!TEST_int_eq(SSL_do_handshake(serverssl), 1)
- || !TEST_int_le(SSL_read(clientssl, NULL, 0), 0)
- || !TEST_int_le(SSL_read(serverssl, NULL, 0), 0)
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
- SSL_ERROR_NONE))
+ if (!post_handshake_verify(serverssl, clientssl)
 || !TEST_int_eq(idx * 2, new_called))
 goto end;
- SSL_CTX_sess_set_new_cb(cctx, NULL);
 SSL_shutdown(clientssl);
 SSL_shutdown(serverssl);
 SSL_free(serverssl);
 SSL_free(clientssl);
 serverssl = clientssl = NULL;
+ /* Stop caching sessions - just count them */
+ do_cache = 0;
+
 /* Test that we can resume with all the tickets we got given */
- for (i = 0; i < new_called; i++) {
+ for (i = 0; i < idx * 2; i++) {
+ new_called = 0;
 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
 NULL, NULL))
- || !TEST_true(SSL_set_session(clientssl, sesscache[i]))
- || !TEST_true(create_ssl_connection(serverssl, clientssl,
+ || !TEST_true(SSL_set_session(clientssl, sesscache[i])))
+ goto end;
+
+ SSL_force_post_handshake_auth(clientssl);
+
+ if (!TEST_true(create_ssl_connection(serverssl, clientssl,
 SSL_ERROR_NONE))
- || !TEST_true(SSL_session_reused(clientssl)))
+ || !TEST_true(SSL_session_reused(clientssl))
+ /* Following a resumption we only get 1 ticket */
+ || !TEST_int_eq(new_called, 1))
+ goto end;
+
+ new_called = 0;
+ /* After a post-handshake authentication we should get 1 new ticket */
+ if (!post_handshake_verify(serverssl, clientssl)
+ || !TEST_int_eq(new_called, 1))
 goto end;
 SSL_shutdown(clientssl);
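Review bot: `SSL_force_post_handshake_auth(clientssl);` is inserted between SSL_set_session and create_ssl_connection with no explanation, and the surrounding assertions do not make its role obvious; presumably it is what makes the resumed client offer post-handshake authentication so the post_handshake_verify call later in the same iteration can succeed, and that is worth stating in place, e.g. `/* Make the resumed client offer post-handshake auth so the server can request it below */`. The loop also depends on the global new_called being reset twice per iteration while do_cache is clear; a note on the first `new_called = 0;` that the callback now only counts (and frees) tickets would make the two `TEST_int_eq(new_called, 1)` checks self-explanatory. test_tickets continues outside the hunk.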
@@ -1271,8 +1315,10 @@ static int test_tickets(int idx)
 end:
 SSL_free(serverssl);
 SSL_free(clientssl);
- for (j = 0; j < OSSL_NELEM(sesscache); j++)
+ for (j = 0; j < OSSL_NELEM(sesscache); j++) {
 SSL_SESSION_free(sesscache[j]);
+ sesscache[j] = NULL;
+ }
 SSL_CTX_free(sctx);
 SSL_CTX_free(cctx);
@@ -2305,15 +2351,6 @@ static int test_early_data_not_sent(int idx)
 || !TEST_size_t_eq(written, strlen(MSG2)))
 goto end;
- /*
- * Should block due to the NewSessionTicket arrival unless we're using
- * read_ahead, or PSKs
- */
- if (idx != 1 && idx != 2) {
- if (!TEST_false(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes)))
- goto end;
- }
-
 if (!TEST_true(SSL_read_ex(clientssl, buf, sizeof(buf), &readbytes))
 || !TEST_mem_eq(buf, readbytes, MSG2, strlen(MSG2)))
 goto end;
@@ -4427,7 +4464,9 @@ static int test_info_callback(int tst)
 int tlsvers;
 if (tst < 2) {
-#ifndef OPENSSL_NO_TLS1_2
+/* We need either ECDHE or DHE for the TLSv1.2 test to work */
+#if !defined(OPENSSL_NO_TLS1_2) && (!defined(OPENSSL_NO_EC) \ || !defined(OPENSSL_NO_DH))
 tlsvers = TLS1_2_VERSION;
 #else
 return 1;