From: Matt Caswell <matt@openssl.org>
Date: Mon, 16 Jun 2025 15:01:52 +0000 (+0100)
Subject: Add a test for SSL_set_verify with QUIC
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fbb2a20732277ebf185ecaadb9e8570f8e9771d7;p=thirdparty%2Fopenssl.git

Add a test for SSL_set_verify with QUIC

Check that we get the correct SSL object passed to the callback.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27838)
---

diff --git a/test/quicapitest.c b/test/quicapitest.c
index a8d803501c6..b98a9405530 100644
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@@ -2807,6 +2807,62 @@ static int test_ssl_accept_connection(void)
     return testresult;
 }
 
+static SSL *quic_verify_ssl = NULL;
+
+static int quic_verify_cb(int ok, X509_STORE_CTX *ctx)
+{
+    SSL *cssl = (SSL *)X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+
+    /* Confirm we got the SSL object we were expecting */
+    return TEST_ptr_eq(cssl, quic_verify_ssl);
+}
+
+static int test_ssl_set_verify(void)
+{
+    SSL_CTX *cctx = NULL, *sctx = NULL;
+    SSL *clientssl = NULL, *serverssl = NULL, *qlistener = NULL;
+    int testresult = 0;
+    int ret, i;
+
+    if (!TEST_ptr(sctx = create_server_ctx())
+        || !TEST_ptr(cctx = create_client_ctx()))
+        goto err;
+
+    if (!create_quic_ssl_objects(sctx, cctx, &qlistener, &clientssl))
+        goto err;
+
+    quic_verify_ssl = clientssl;
+    SSL_set_verify(clientssl, SSL_VERIFY_PEER, quic_verify_cb);
+
+    /* Send ClientHello and server retry */
+    for (i = 0; i < 2; i++) {
+        ret = SSL_connect(clientssl);
+        if (!TEST_int_le(ret, 0)
+            || !TEST_int_eq(SSL_get_error(clientssl, ret), SSL_ERROR_WANT_READ))
+            goto err;
+        SSL_handle_events(qlistener);
+    }
+
+    /* We expect a server SSL object which has not yet completed its handshake */
+    serverssl = SSL_accept_connection(qlistener, 0);
+
+    /* Call SSL_accept() and SSL_connect() until we are connected */
+    if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl,
+                                              SSL_ERROR_NONE, 0, 0)))
+        goto err;
+
+    testresult = 1;
+
+ err:
+    SSL_free(serverssl);
+    SSL_free(clientssl);
+    SSL_free(qlistener);
+    SSL_CTX_free(sctx);
+    SSL_CTX_free(cctx);
+
+    return testresult;
+}
+
 /***********************************************************************************/
 OPT_TEST_DECLARE_USAGE("provider config certsdir datadir\n")
 
@@ -2907,6 +2963,7 @@ int setup_tests(void)
 #endif
     ADD_TEST(test_server_method_with_ssl_new);
     ADD_TEST(test_ssl_accept_connection);
+    ADD_TEST(test_ssl_set_verify);
     return 1;
  err:
     cleanup_tests();