From: Matt Caswell Date: Wed, 15 Jan 2020 14:48:57 +0000 (+0000) Subject: Add a test for SSL_CTX_new_with_libctx() X-Git-Tag: openssl-3.0.0-alpha1~542 X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=9aa78c36ec3bdcf09742f6dea403fc09d40d420f;p=oweals%2Fopenssl.git Add a test for SSL_CTX_new_with_libctx() We test that SSL_CTX_new_with_libctx() can be used to control the libctx that is in use for SSL operations. Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/10854) --- diff --git a/test/build.info b/test/build.info index 680660a3bb..9129d0651d 100644 --- a/test/build.info +++ b/test/build.info @@ -45,8 +45,8 @@ IF[{- !$disabled{tests} -}] dtlsv1listentest ct_test threadstest afalgtest d2i_test \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ bio_callback_test bio_memleak_test param_build_test \ - bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ - pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \ + bioprinttest sslapitest sslprovidertest dtlstest sslcorrupttest \ + bio_enc_test pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \ cipherbytes_test \ asn1_encode_test asn1_decode_test asn1_string_table_test \ x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \ @@ -321,6 +321,10 @@ IF[{- !$disabled{tests} -}] INCLUDE[sslapitest]=../include ../apps/include .. DEPEND[sslapitest]=../libcrypto ../libssl libtestutil.a + SOURCE[sslprovidertest]=sslprovidertest.c ssltestlib.c + INCLUDE[sslprovidertest]=../include ../apps/include .. + DEPEND[sslprovidertest]=../libcrypto ../libssl libtestutil.a + SOURCE[ocspapitest]=ocspapitest.c INCLUDE[ocspapitest]=../include ../apps/include DEPEND[ocspapitest]=../libcrypto libtestutil.a diff --git a/test/recipes/90-test_sslprovider.t b/test/recipes/90-test_sslprovider.t new file mode 100644 index 0000000000..9781091bba --- /dev/null +++ b/test/recipes/90-test_sslprovider.t @@ -0,0 +1,21 @@ +#! /usr/bin/env perl +# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Utils; +use OpenSSL::Test qw/:DEFAULT srctop_dir/; + +setup("test_sslprovider"); + +plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" + if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); + +plan tests => 1; + +ok(run(test(["sslprovidertest", srctop_dir("test", "certs")])), + "running sslprovidertest"); diff --git a/test/sslprovidertest.c b/test/sslprovidertest.c new file mode 100644 index 0000000000..9a27d009ce --- /dev/null +++ b/test/sslprovidertest.c @@ -0,0 +1,128 @@ +/* + * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include + +#include "ssltestlib.h" +#include "testutil.h" + +static char *cert = NULL; +static char *privkey = NULL; + +/* TODO(3.0): Re-enable this code. See comment in setup_tests() */ +#if 0 +OSSL_PROVIDER *defctxlegacy = NULL; +#endif + +static int test_different_libctx(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0; + OPENSSL_CTX *libctx = OPENSSL_CTX_new(); + +/* TODO(3.0): Re-enable this code. See comment in setup_tests() */ +#if 0 + /* Verify that the default provider in the default libctx is not available */ + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))) + goto end; +#endif + + cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method()); + if (!TEST_ptr(cctx)) + goto end; + sctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_server_method()); + if (!TEST_ptr(sctx)) + goto end; + + if (!TEST_true(create_ssl_ctx_pair(NULL, + NULL, + TLS1_VERSION, + 0, + &sctx, NULL, cert, privkey))) + goto end; + + if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL))) + goto end; + + /* This time we expect success */ + if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE))) + goto end; + +/* TODO(3.0): Re-enable this code. See comment in setup_tests() */ +#if 0 + /* + * Verify that the default provider in the default libctx is still not + * available + */ + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))) + goto end; +#endif + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + OPENSSL_CTX_free(libctx); + + return testresult; +} + +int setup_tests(void) +{ + char *certsdir = NULL; + /* + * TODO(3.0): Re-enable this code when key generation is provider aware. At + * the moment the below causes the tests to fail because libssl attempts to + * generate a key for the key_share, which ultimately invokes RAND_bytes(). + * However, because key generation is not yet provider aware it just uses + * the default library context - and hence fails. + */ +#if 0 + /* + * For tests in this file we want to ensure the default ctx does not have + * the default provider loaded into the default ctx. So we load "legacy" to + * prevent default from being auto-loaded. This tests that there is no + * "leakage", i.e. when using SSL_CTX_new_with_libctx() we expect only the + * specific libctx to be used - nothing should fall back to the default + * libctx + */ + defctxlegacy = OSSL_PROVIDER_load(NULL, "legacy"); +#endif + + if (!TEST_ptr(certsdir = test_get_argument(0))) + return 0; + + cert = test_mk_file_path(certsdir, "servercert.pem"); + if (cert == NULL) + return 0; + + privkey = test_mk_file_path(certsdir, "serverkey.pem"); + if (privkey == NULL) { + OPENSSL_free(cert); + return 0; + } + + ADD_TEST(test_different_libctx); + + return 1; +} + +void cleanup_tests(void) +{ + /* TODO(3.0): Re-enable this code. See comment in setup_tests() */ +#if 0 + OSSL_PROVIDER_unload(defctxlegacy); +#endif +} diff --git a/test/ssltestlib.c b/test/ssltestlib.c index 67d8cd0284..3f63cf9c20 100644 --- a/test/ssltestlib.c +++ b/test/ssltestlib.c @@ -724,10 +724,18 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, SSL_CTX *serverctx = NULL; SSL_CTX *clientctx = NULL; - if (!TEST_ptr(serverctx = SSL_CTX_new(sm)) - || (cctx != NULL && !TEST_ptr(clientctx = SSL_CTX_new(cm)))) + if (*sctx != NULL) + serverctx = *sctx; + else if (!TEST_ptr(serverctx = SSL_CTX_new(sm))) goto err; + if (cctx != NULL) { + if (*cctx != NULL) + clientctx = *cctx; + else if (!TEST_ptr(clientctx = SSL_CTX_new(cm))) + goto err; + } + if ((min_proto_version > 0 && !TEST_true(SSL_CTX_set_min_proto_version(serverctx, min_proto_version)))