提交 c0537ebd 编写于 作者: M Matt Caswell

Add a test to check we get a new session even if s->hit is true in TLSv1.3

In TLSv1.3 we can resume, but still get a new session. This adds a test to
make sure that is happening.
Reviewed-by: NRich Salz <rsalz@openssl.org>
Reviewed-by: NBen Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4068)
上级 5d61491c
...@@ -786,6 +786,11 @@ static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture) ...@@ -786,6 +786,11 @@ static void ssl_session_tear_down(SSL_SESSION_TEST_FIXTURE fixture)
static int new_session_cb(SSL *ssl, SSL_SESSION *sess) static int new_session_cb(SSL *ssl, SSL_SESSION *sess)
{ {
new_called++; new_called++;
/*
* sess has been up-refed for us, but we don't actually need it so free it
* immediately.
*/
SSL_SESSION_free(sess);
return 1; return 1;
} }
...@@ -842,6 +847,32 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) ...@@ -842,6 +847,32 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
if (fix.use_ext_cache && (new_called != 1 || remove_called != 0)) if (fix.use_ext_cache && (new_called != 1 || remove_called != 0))
goto end; goto end;
#if !defined(OPENSSL_NO_TLS1_3)
new_called = remove_called = 0;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
&clientssl2, NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl2, sess1))
|| !TEST_true(create_ssl_connection(serverssl2, clientssl2,
SSL_ERROR_NONE))
|| !TEST_true(SSL_session_reused(clientssl2)))
goto end;
/*
* In TLSv1.3 we should have created a new session even though we have
* resumed. The original session should also have been removed.
*/
if (fix.use_ext_cache && !TEST_true((new_called == 1
&& remove_called == 1)))
goto end;
SSL_SESSION_free(sess1);
if (!TEST_ptr(sess1 = SSL_get1_session(clientssl2)))
goto end;
shutdown_ssl_connection(serverssl2, clientssl2);
serverssl2 = clientssl2 = NULL;
#endif
new_called = remove_called = 0;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2, if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl2,
&clientssl2, NULL, NULL)) &clientssl2, NULL, NULL))
|| !TEST_true(create_ssl_connection(serverssl2, clientssl2, || !TEST_true(create_ssl_connection(serverssl2, clientssl2,
...@@ -851,16 +882,17 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) ...@@ -851,16 +882,17 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2))) if (!TEST_ptr(sess2 = SSL_get1_session(clientssl2)))
goto end; goto end;
if (fix.use_ext_cache && (new_called != 2 || remove_called != 0)) if (fix.use_ext_cache && !TEST_true(new_called == 1 && remove_called == 0))
goto end; goto end;
new_called = remove_called = 0;
/* /*
* This should clear sess2 from the cache because it is a "bad" session. * This should clear sess2 from the cache because it is a "bad" session.
* See SSL_set_session() documentation. * See SSL_set_session() documentation.
*/ */
if (!TEST_true(SSL_set_session(clientssl2, sess1))) if (!TEST_true(SSL_set_session(clientssl2, sess1)))
goto end; goto end;
if (fix.use_ext_cache && (new_called != 2 || remove_called != 1)) if (fix.use_ext_cache && !TEST_true(new_called == 0 && remove_called == 1))
goto end; goto end;
if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1)) if (!TEST_ptr_eq(SSL_get_session(clientssl2), sess1))
goto end; goto end;
...@@ -870,35 +902,30 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) ...@@ -870,35 +902,30 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
if (!TEST_true(SSL_CTX_add_session(cctx, sess2)) if (!TEST_true(SSL_CTX_add_session(cctx, sess2))
|| !TEST_true(SSL_CTX_remove_session(cctx, sess2))) || !TEST_true(SSL_CTX_remove_session(cctx, sess2)))
goto end; goto end;
/*
* This is for the purposes of internal cache testing...ignore the
* counter for external cache
*/
if (fix.use_ext_cache)
remove_called--;
} }
new_called = remove_called = 0;
/* This shouldn't be in the cache so should fail */ /* This shouldn't be in the cache so should fail */
if (!TEST_false(SSL_CTX_remove_session(cctx, sess2))) if (!TEST_false(SSL_CTX_remove_session(cctx, sess2)))
goto end; goto end;
if (fix.use_ext_cache && (new_called != 2 || remove_called != 2)) if (fix.use_ext_cache && !TEST_true(new_called == 0 && remove_called == 1))
goto end; goto end;
#if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2) #if !defined(OPENSSL_NO_TLS1_1) && !defined(OPENSSL_NO_TLS1_2)
new_called = remove_called = 0;
/* Force a connection failure */ /* Force a connection failure */
SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION); SSL_CTX_set_max_proto_version(sctx, TLS1_1_VERSION);
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3, if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl3,
&clientssl3, NULL, NULL)) &clientssl3, NULL, NULL))
|| !TEST_true(SSL_set_session(clientssl3, sess1)) || !TEST_true(SSL_set_session(clientssl3, sess1))
/* This should fail because of the mismatched protocol versions */ /* This should fail because of the mismatched protocol versions */
|| !TEST_false(create_ssl_connection(serverssl3, clientssl3, || !TEST_false(create_ssl_connection(serverssl3, clientssl3,
SSL_ERROR_NONE))) SSL_ERROR_NONE)))
goto end; goto end;
/* We should have automatically removed the session from the cache */ /* We should have automatically removed the session from the cache */
if (fix.use_ext_cache && (new_called != 2 || remove_called != 3)) if (fix.use_ext_cache && !TEST_true(new_called == 0 && remove_called == 1))
goto end; goto end;
/* Should succeed because it should not already be in the cache */ /* Should succeed because it should not already be in the cache */
...@@ -919,14 +946,6 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix) ...@@ -919,14 +946,6 @@ static int execute_test_session(SSL_SESSION_TEST_FIXTURE fix)
#endif #endif
SSL_SESSION_free(sess1); SSL_SESSION_free(sess1);
SSL_SESSION_free(sess2); SSL_SESSION_free(sess2);
/*
* Check if we need to remove any sessions up-refed for the external cache
*/
if (new_called >= 1)
SSL_SESSION_free(sess1);
if (new_called >= 2)
SSL_SESSION_free(sess2);
SSL_CTX_free(sctx); SSL_CTX_free(sctx);
SSL_CTX_free(cctx); SSL_CTX_free(cctx);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册