authorTomas Mraz <tomas@openssl.org>2023-10-05 19:48:15 +0200
committerMatt Caswell <matt@openssl.org>2023-10-25 11:14:23 +0100
commit3860ef2ae69ad9187acc17e0d1c78261dbc63125 (patch)
tree630f9ae769112a05f5c2369982b5fc8ac69f0546 /test
parentdc1cc3e4836e4135c1bf0b5bdd14ff86ff62acd6 (diff)
QUIC: Test connection with large client and server cert chains
Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22476)
Diffstat (limited to 'test')
-rw-r--r--test/helpers/ssltestlib.c48
-rw-r--r--test/helpers/ssltestlib.h4
-rw-r--r--test/quicapitest.c8
-rw-r--r--test/sslapitest.c50
4 files changed, 61 insertions, 49 deletions
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index ddc6bb7b64..906aed4b47 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -1403,3 +1403,51 @@ SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
}
return sess;
}
+
+#define NUM_EXTRA_CERTS 40
+
+int ssl_ctx_add_large_cert_chain(OSSL_LIB_CTX *libctx, SSL_CTX *sctx,
+ const char *cert_file)
+{
+ BIO *certbio = NULL;
+ X509 *chaincert = NULL;
+ int certlen;
+ int ret = 0;
+ int i;
+
+ if (!TEST_ptr(certbio = BIO_new_file(cert_file, "r")))
+ goto end;
+
+ if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
+ goto end;
+
+ if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
+ goto end;
+ BIO_free(certbio);
+ certbio = NULL;
+
+ /*
+ * We assume the supplied certificate is big enough so that if we add
+ * NUM_EXTRA_CERTS it will make the overall message large enough. The
+ * default buffer size is requested to be 16k, but due to the way BUF_MEM
+ * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
+ * test we need to have a message larger than that.
+ */
+ certlen = i2d_X509(chaincert, NULL);
+ OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
+ (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
+ for (i = 0; i < NUM_EXTRA_CERTS; i++) {
+ if (!X509_up_ref(chaincert))
+ goto end;
+ if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
+ X509_free(chaincert);
+ goto end;
+ }
+ }
+
+ ret = 1;
+ end:
+ BIO_free(certbio);
+ X509_free(chaincert);
+ return ret;
+}
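Review bot: The `PEM_read_bio_X509` call in ssl_ctx_add_large_cert_chain is the only failure path in the new helper that is not routed through the test framework, so a certificate file that opens but does not parse makes the caller fail with no diagnostic; wrapping it like the neighbouring checks, `if (!TEST_ptr(PEM_read_bio_X509(certbio, &chaincert, NULL, NULL))) goto end;`, gives the same reporting as the BIO_new_file and X509_new_ex checks. The `OPENSSL_assert(certlen * NUM_EXTRA_CERTS > ...)` that follows aborts the whole test binary instead of failing the test, and a negative certlen from a failed i2d_X509 would trip that abort rather than be reported as a parse error; `if (!TEST_int_gt(certlen, 0) || !TEST_int_gt(certlen * NUM_EXTRA_CERTS, (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3)) goto end;` keeps the helper's return-0-on-failure contract. Both points are inherited from the copy this commit removes from sslapitest.c, so fixing them once in the shared helper now covers the TLS and QUIC callers together.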
diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h
index eb54b04f2c..871f9bd52e 100644
--- a/test/helpers/ssltestlib.h
+++ b/test/helpers/ssltestlib.h
@@ -77,4 +77,8 @@ DEFINE_STACK_OF(MEMPACKET)
SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
+/* Add cert from `cert_file` multiple times to create large extra cert chain */
+int ssl_ctx_add_large_cert_chain(OSSL_LIB_CTX *libctx, SSL_CTX *sctx,
+ const char *cert_file);
+
#endif /* OSSL_TEST_SSLTESTLIB_H */
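Review bot: The comment above the new prototype does not state the return convention or the precondition the implementation enforces, and callers in sslapitest.c and quicapitest.c test the result directly. Suggest replacing it with `/* Add the cert from cert_file to sctx as extra chain certs enough times that the handshake message exceeds the default buffer size. Returns 1 on success, 0 on failure (reported via TEST_*); asserts if the cert is too small to reach that size. */`, so the abort behaviour is not a surprise to the next caller.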
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 37d7803005..83221885bc 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -1230,6 +1230,12 @@ static int test_client_auth(int idx)
&clientquic, NULL, NULL)))
goto err;
+ if (idx > 1) {
+ if (!TEST_true(ssl_ctx_add_large_cert_chain(libctx, cctx, ccert))
+ || !TEST_true(ssl_ctx_add_large_cert_chain(libctx, sctx, cert)))
+ goto err;
+ }
+
if (idx == 0) {
if (!TEST_false(qtest_create_quic_connection(qtserv, clientquic)))
goto err;
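Review bot: The new `if (idx > 1)` branch carries no explanation of what the extra test case exercises, and with setup_tests now registering test_client_auth for 3 iterations only idx == 2 ever reaches it; a comment such as `/* idx 2: give both client and server a chain larger than the default record buffer */` would make the intent and the coupling to the iteration count visible. The body of test_client_auth starts and ends outside the hunk, so I cannot see which of the existing idx branches idx == 2 falls into afterwards; if it shares the idx == 1 path, it may be worth stating in the same comment that the expected handshake outcome is unchanged and only the message size differs.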
@@ -1629,7 +1635,7 @@ int setup_tests(void)
ADD_TEST(test_multiple_dgrams);
ADD_ALL_TESTS(test_non_io_retry, 2);
ADD_TEST(test_quic_psk);
- ADD_ALL_TESTS(test_client_auth, 2);
+ ADD_ALL_TESTS(test_client_auth, 3);
ADD_ALL_TESTS(test_alpn, 2);
ADD_ALL_TESTS(test_noisy_dgram, 2);
ADD_TEST(test_get_shutdown);
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 94eab9981d..88294af16a 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -115,7 +115,6 @@ static int cdummyarg = 1;
static X509 *ocspcert = NULL;
#endif
-#define NUM_EXTRA_CERTS 40
#define CLIENT_VERSION_LEN 2
/*
@@ -954,51 +953,6 @@ end:
}
#endif
-static int add_large_cert_chain(SSL_CTX *sctx)
-{
- BIO *certbio = NULL;
- X509 *chaincert = NULL;
- int certlen;
- int ret = 0;
- int i;
-
- if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
- goto end;
-
- if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
- goto end;
-
- if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
- goto end;
- BIO_free(certbio);
- certbio = NULL;
-
- /*
- * We assume the supplied certificate is big enough so that if we add
- * NUM_EXTRA_CERTS it will make the overall message large enough. The
- * default buffer size is requested to be 16k, but due to the way BUF_MEM
- * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
- * test we need to have a message larger than that.
- */
- certlen = i2d_X509(chaincert, NULL);
- OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
- (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
- for (i = 0; i < NUM_EXTRA_CERTS; i++) {
- if (!X509_up_ref(chaincert))
- goto end;
- if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
- X509_free(chaincert);
- goto end;
- }
- }
-
- ret = 1;
- end:
- BIO_free(certbio);
- X509_free(chaincert);
- return ret;
-}
-
static int execute_test_large_message(const SSL_METHOD *smeth,
const SSL_METHOD *cmeth,
int min_version, int max_version,
@@ -1034,7 +988,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
SSL_CTX_set_read_ahead(cctx, 1);
}
- if (!add_large_cert_chain(sctx))
+ if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
goto end;
if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
@@ -11087,7 +11041,7 @@ static int test_handshake_retry(int idx)
* Add a large amount of data to fill the buffering BIO used by the SSL
* object
*/
- if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
+ if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
goto end;
/*