From: Matt Caswell Date: Fri, 11 May 2018 16:47:27 +0000 (+0100) Subject: Improve testing of tickets with post-handshake auth X-Git-Tag: OpenSSL_1_1_1-pre7~39 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=c22365b399f62af4a81e9202500cd2cbd9c23a9d;p=oweals%2Fopenssl.git Improve testing of tickets with post-handshake auth Reviewed-by: Viktor Dukhovni Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/5227) --- diff --git a/test/sslapitest.c b/test/sslapitest.c index 626e26f52b..fe355f2f4c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1184,11 +1184,35 @@ static int test_session_with_both_cache(void) #endif } -SSL_SESSION *sesscache[9]; +static SSL_SESSION *sesscache[6]; +static int do_cache; static int new_cachesession_cb(SSL *ssl, SSL_SESSION *sess) { - sesscache[new_called++] = sess; + if (do_cache) { + sesscache[new_called] = sess; + } else { + /* We don't need the reference to the session, so free it */ + SSL_SESSION_free(sess); + } + new_called++; + + return 1; +} + +static int post_handshake_verify(SSL *sssl, SSL *cssl) +{ + SSL_set_verify(sssl, SSL_VERIFY_PEER, NULL); + if (!TEST_true(SSL_verify_client_post_handshake(sssl))) + return 0; + + /* Start handshake on the server and client */ + if (!TEST_int_eq(SSL_do_handshake(sssl), 1) + || !TEST_int_le(SSL_read(cssl, NULL, 0), 0) + || !TEST_int_le(SSL_read(sssl, NULL, 0), 0) + || !TEST_true(create_ssl_connection(sssl, cssl, + SSL_ERROR_NONE))) + return 0; return 1; } @@ -1203,6 +1227,7 @@ static int test_tickets(int idx) /* idx is the test number, but also the number of tickets we want */ new_called = 0; + do_cache = 1; if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), TLS1_VERSION, TLS_MAX_VERSION, &sctx, @@ -1227,34 +1252,40 @@ static int test_tickets(int idx) goto end; /* After a post-handshake authentication we should get new tickets issued */ - SSL_set_verify(serverssl, SSL_VERIFY_PEER, NULL); - if (!TEST_true(SSL_verify_client_post_handshake(serverssl))) - goto end; - - /* Start handshake on the server and client */ - if (!TEST_int_eq(SSL_do_handshake(serverssl), 1) - || !TEST_int_le(SSL_read(clientssl, NULL, 0), 0) - || !TEST_int_le(SSL_read(serverssl, NULL, 0), 0) - || !TEST_true(create_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE)) + if (!post_handshake_verify(serverssl, clientssl) || !TEST_int_eq(idx * 2, new_called)) goto end; - SSL_CTX_sess_set_new_cb(cctx, NULL); SSL_shutdown(clientssl); SSL_shutdown(serverssl); SSL_free(serverssl); SSL_free(clientssl); serverssl = clientssl = NULL; + /* Stop caching sessions - just count them */ + do_cache = 0; + /* Test that we can resume with all the tickets we got given */ - for (i = 0; i < new_called; i++) { + for (i = 0; i < idx * 2; i++) { + new_called = 0; if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, NULL)) - || !TEST_true(SSL_set_session(clientssl, sesscache[i])) - || !TEST_true(create_ssl_connection(serverssl, clientssl, + || !TEST_true(SSL_set_session(clientssl, sesscache[i]))) + goto end; + + SSL_force_post_handshake_auth(clientssl); + + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) - || !TEST_true(SSL_session_reused(clientssl))) + || !TEST_true(SSL_session_reused(clientssl)) + /* Following a resumption we only get 1 ticket */ + || !TEST_int_eq(new_called, 1)) + goto end; + + new_called = 0; + /* After a post-handshake authentication we should get 1 new ticket */ + if (!post_handshake_verify(serverssl, clientssl) + || !TEST_int_eq(new_called, 1)) goto end; SSL_shutdown(clientssl); @@ -1271,8 +1302,10 @@ static int test_tickets(int idx) end: SSL_free(serverssl); SSL_free(clientssl); - for (j = 0; j < OSSL_NELEM(sesscache); j++) + for (j = 0; j < OSSL_NELEM(sesscache); j++) { SSL_SESSION_free(sesscache[j]); + sesscache[j] = NULL; + } SSL_CTX_free(sctx); SSL_CTX_free(cctx);