author | Tomas Mraz <tomas@openssl.org> | 2023-10-05 19:48:15 +0200 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2023-10-25 11:14:23 +0100 |
commit | 3860ef2ae69ad9187acc17e0d1c78261dbc63125 (patch) | |
tree | 630f9ae769112a05f5c2369982b5fc8ac69f0546 /test | |
parent | dc1cc3e4836e4135c1bf0b5bdd14ff86ff62acd6 (diff) |
QUIC: Test connection with large client and server cert chains
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22476)
Diffstat (limited to 'test')
-rw-r--r-- | test/helpers/ssltestlib.c | 48 | ||||
-rw-r--r-- | test/helpers/ssltestlib.h | 4 | ||||
-rw-r--r-- | test/quicapitest.c | 8 | ||||
-rw-r--r-- | test/sslapitest.c | 50 |
4 files changed, 61 insertions, 49 deletions
diff --git a/test/helpers/ssltestlib.c b/test/helpers/ssltestlib.c
index ddc6bb7b64..906aed4b47 100644
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@@ -1403,3 +1403,51 @@ SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
 }
 return sess;
 }
+
+#define NUM_EXTRA_CERTS 40
+
+int ssl_ctx_add_large_cert_chain(OSSL_LIB_CTX *libctx, SSL_CTX *sctx,
+ const char *cert_file)
+{
+ BIO *certbio = NULL;
+ X509 *chaincert = NULL;
+ int certlen;
+ int ret = 0;
+ int i;
+
+ if (!TEST_ptr(certbio = BIO_new_file(cert_file, "r")))
+ goto end;
+
+ if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
+ goto end;
+
+ if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
+ goto end;
+ BIO_free(certbio);
+ certbio = NULL;
+
+ /*
+ * We assume the supplied certificate is big enough so that if we add
+ * NUM_EXTRA_CERTS it will make the overall message large enough. The
+ * default buffer size is requested to be 16k, but due to the way BUF_MEM
+ * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
+ * test we need to have a message larger than that.
+ */
+ certlen = i2d_X509(chaincert, NULL);
+ OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
+ (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
+ for (i = 0; i < NUM_EXTRA_CERTS; i++) {
+ if (!X509_up_ref(chaincert))
+ goto end;
+ if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
+ X509_free(chaincert);
+ goto end;
+ }
+ }
+
+ ret = 1;
+ end:
+ BIO_free(certbio);
+ X509_free(chaincert);
+ return ret;
+}
diff --git a/test/helpers/ssltestlib.h b/test/helpers/ssltestlib.h
index eb54b04f2c..871f9bd52e 100644
--- a/test/helpers/ssltestlib.h
+++ b/test/helpers/ssltestlib.h
@@ -77,4 +77,8 @@ DEFINE_STACK_OF(MEMPACKET)
 SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);
+/* Add cert from `cert_file` multiple times to create large extra cert chain */
+int ssl_ctx_add_large_cert_chain(OSSL_LIB_CTX *libctx, SSL_CTX *sctx,
+ const char *cert_file);
+
 #endif /* OSSL_TEST_SSLTESTLIB_H */
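Review bot: The result of `i2d_X509(chaincert, NULL)` is never checked before it is multiplied into the `OPENSSL_assert` condition, so a DER-encoding failure (a negative certlen) aborts the whole test binary instead of failing the test; replacing those two lines with `if (!TEST_int_gt(certlen = i2d_X509(chaincert, NULL), 0)) goto end;` and `if (!TEST_int_gt(certlen * NUM_EXTRA_CERTS, (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3)) goto end;` reports it as an ordinary failure with a location. Now that the helper is shared by sslapitest.c and quicapitest.c, the bare `PEM_read_bio_X509(...) == NULL` and `!SSL_CTX_add_extra_chain_cert(...)` checks would also be easier to diagnose wrapped in `TEST_ptr`/`TEST_true`, since the sslapitest.c callers in the later hunks do not wrap the helper's return value themselves. These checks are carried over from the removed sslapitest.c function rather than introduced here, so this is a follow-up rather than a regression.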
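Review bot: The one-line comment on the new declaration does not say what the helper returns, what `cert_file` must contain, or what `libctx` is used for, which matters now that it is a cross-test public helper; suggest expanding it to a short block stating that `cert_file` is read as a PEM certificate, the certificate is added 40 times (NUM_EXTRA_CERTS in ssltestlib.c) as an extra chain cert on `sctx`, `libctx` is passed to X509_new_ex, and the function returns 1 on success and 0 on failure. The chain size requirement (the combined chain must exceed the default record buffer, per the comment in the .c file) is worth repeating here since callers choose the certificate.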
diff --git a/test/quicapitest.c b/test/quicapitest.c
index 37d7803005..83221885bc 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -1230,6 +1230,12 @@ static int test_client_auth(int idx)
 &clientquic, NULL, NULL)))
 goto err;
+ if (idx > 1) {
+ if (!TEST_true(ssl_ctx_add_large_cert_chain(libctx, cctx, ccert))
+ || !TEST_true(ssl_ctx_add_large_cert_chain(libctx, sctx, cert)))
+ goto err;
+ }
+
 if (idx == 0) {
 if (!TEST_false(qtest_create_quic_connection(qtserv, clientquic)))
 goto err;
@@ -1629,7 +1635,7 @@ int setup_tests(void)
 ADD_TEST(test_multiple_dgrams);
 ADD_ALL_TESTS(test_non_io_retry, 2);
 ADD_TEST(test_quic_psk);
- ADD_ALL_TESTS(test_client_auth, 2);
+ ADD_ALL_TESTS(test_client_auth, 3);
 ADD_ALL_TESTS(test_alpn, 2);
 ADD_ALL_TESTS(test_noisy_dgram, 2);
 ADD_TEST(test_get_shutdown);
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 94eab9981d..88294af16a 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -115,7 +115,6 @@ static int cdummyarg = 1;
 static X509 *ocspcert = NULL;
 #endif
-#define NUM_EXTRA_CERTS 40
 #define CLIENT_VERSION_LEN 2
 /*
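Review bot: The meaning of the new `idx > 1` case in test_client_auth is not documented in the hunk, and the count in setup_tests is bumped to 3 without saying what the third variant exercises; a comment above the block such as `/* idx 2: both client and server send a cert chain larger than the default buffer */` would tie it to the helper. The body of test_client_auth starts and continues outside the hunk, so only idx 0 (connection expected to fail) is visible here; if the function already has a per-idx comment at its top, extending that one is preferable to a new comment.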
@@ -954,51 +953,6 @@ end:
 }
 #endif
-static int add_large_cert_chain(SSL_CTX *sctx)
-{
- BIO *certbio = NULL;
- X509 *chaincert = NULL;
- int certlen;
- int ret = 0;
- int i;
-
- if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
- goto end;
-
- if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
- goto end;
-
- if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
- goto end;
- BIO_free(certbio);
- certbio = NULL;
-
- /*
- * We assume the supplied certificate is big enough so that if we add
- * NUM_EXTRA_CERTS it will make the overall message large enough. The
- * default buffer size is requested to be 16k, but due to the way BUF_MEM
- * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
- * test we need to have a message larger than that.
- */
- certlen = i2d_X509(chaincert, NULL);
- OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
- (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
- for (i = 0; i < NUM_EXTRA_CERTS; i++) {
- if (!X509_up_ref(chaincert))
- goto end;
- if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
- X509_free(chaincert);
- goto end;
- }
- }
-
- ret = 1;
- end:
- BIO_free(certbio);
- X509_free(chaincert);
- return ret;
-}
-
 static int execute_test_large_message(const SSL_METHOD *smeth,
 const SSL_METHOD *cmeth,
 int min_version, int max_version,
@@ -1034,7 +988,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
 SSL_CTX_set_read_ahead(cctx, 1);
 }
- if (!add_large_cert_chain(sctx))
+ if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
 goto end;
 if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
@@ -11087,7 +11041,7 @@ static int test_handshake_retry(int idx)
 * Add a large amount of data to fill the buffering BIO used by the SSL
 * object
 */
- if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
+ if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
 goto end;
 /* |