From a477b4ec168f04ac0df315d122c436b39dd3c4ca Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 8 Jan 2025 18:31:55 -0500 Subject: [PATCH] Add a test to validate our new SSL_accept connection objects MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Quick test to validate that: a) our new pending SSL accept callback works and b) That our callback passed SSL objects match those that are returned by SSL_accept_connection Reviewed-by: Matt Caswell Reviewed-by: Tomas Mraz Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/26361)
---
 test/radix/quic_ops.c | 59 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 59 insertions(+)
diff --git a/test/radix/quic_ops.c b/test/radix/quic_ops.c
index 3396bcf30fc..0b7647dd018 100644
--- a/test/radix/quic_ops.c
+++ b/test/radix/quic_ops.c
@@ -131,6 +131,45 @@ static int ssl_attach_bio_dgram(SSL *ssl,
 return 1;
 }
+/*
+ * Test to make sure that SSL_accept_connection returns the same ssl object
+ * that is used in the various TLS callbacks
+ *
+ * Unlike TCP, QUIC processes new connections independently from their
+ * acceptance, and so we need to pre-allocate tls objects to return during
+ * connection acceptance via the user_ssl. This is just a quic test to validate
+ * that:
+ * 1) The new callback to inform the user of a new pending ssl acceptance works
+ * properly
+ * 2) That the object returned from SSL_accept_connection matches the one passed
+ * to various callbacks
+ *
+ * It would be better as its own test, but currently the tserver used in the
+ * other quic_tests doesn't actually accept connections (it pre-creates them
+ * and fixes them up in place), so testing there is not feasible at the moment
+ *
+ * For details on this issue see:
+ * https://github.com/openssl/project/issues/918
+ */
+static SSL *pending_ssl_obj = NULL;
+static SSL *client_hello_ssl_obj = NULL;
+static int check_pending_match = 0;
+static int pending_cb_called = 0;
+static int hello_cb_called = 0;
+static int new_pending_cb(SSL_CTX *ctx, SSL *new_ssl, void *arg)
+{
+ pending_ssl_obj = new_ssl;
+ pending_cb_called = 1;
+ return 1;
+}
+
+static int client_hello_cb(SSL *s, int *al, void *arg)
+{
+ client_hello_ssl_obj = s;
+ hello_cb_called = 1;
+ return 1;
+}
+
 DEF_FUNC(hf_new_ssl)
 {
 int ok = 0;
@@ -165,6 +204,9 @@ DEF_FUNC(hf_new_ssl)
 goto err; } else if (is_server) {
+ SSL_CTX_set_new_pending_ssl_cb(ctx, new_pending_cb, NULL);
+ SSL_CTX_set_client_hello_cb(ctx, client_hello_cb, NULL);
+ check_pending_match = 1;
 if (!TEST_ptr(ssl = SSL_new_listener(ctx, 0)))
 goto err;
 } else {
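Review bot: new_pending_cb overwrites pending_ssl_obj unconditionally, so if a second connection becomes pending before hf_accept_conn has consumed the first, the object later compared against `conn` is the wrong one and the check fails spuriously; client_hello_cb has the same property for client_hello_ssl_obj. The five file-scope statics also carry no synchronisation, so if the radix harness can drive several scripts or listeners from different threads (not visible from this hunk) these become plain data races. Suggest recording the assumption above the statics: `/* Scratch state for the pending/accept match check; assumes a single outstanding pending connection between new_pending_cb and hf_accept_conn, driven from one thread. */`.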
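Review bot: check_pending_match is armed here, but the callback scratch state (pending_ssl_obj, client_hello_ssl_obj, pending_cb_called, hello_cb_called) is only cleared in hf_accept_conn, so a server SSL created by an earlier script that never reached hf_accept_conn leaves stale values, possibly the address of an already freed SSL, for the next run's comparison. Reset the scratch state when arming the check by adding `pending_ssl_obj = client_hello_ssl_obj = NULL;` and `pending_cb_called = hello_cb_called = 0;` immediately before `check_pending_match = 1;`. Both setters appear to return void, so there is nothing else to check on these lines. hf_new_ssl begins and ends outside this hunk.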
@@ -298,6 +340,23 @@ DEF_FUNC(hf_accept_conn)
 goto err;
 }
+ if (check_pending_match) {
+ if (!pending_cb_called || !hello_cb_called) {
+ TEST_info("Callbacks not called, skipping user_ssl check\n");
+ } else {
+ if (!TEST_ptr_eq(pending_ssl_obj, client_hello_ssl_obj)) {
+ SSL_free(conn);
+ goto err;
+ }
+ if (!TEST_ptr_eq(pending_ssl_obj, conn)) {
+ SSL_free(conn);
+ goto err;
+ }
+ }
+ pending_ssl_obj = client_hello_ssl_obj = NULL;
+ check_pending_match = 0;
+ pending_cb_called = hello_cb_called = 0;
+ }
 ok = 1;
 err:
 return ok;
--
2.47.2
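Review bot: The `!pending_cb_called || !hello_cb_called` branch only logs and then lets the accept succeed, so a regression in which the new pending-SSL callback never fires passes this test silently, which is the very case the commit sets out to validate; unless there is a path where SSL_accept_connection can return a connection before its ClientHello was processed, this should fail: `TEST_error("Callbacks not called"); SSL_free(conn); goto err;`. Separately, `SSL_free(conn)` on the two mismatch paths is only safe if `conn` has not already been handed to the radix object store by the code above this hunk (hf_accept_conn starts outside it); if it has, the store keeps a dangling pointer that teardown will free again. The `\n` in the TEST_info format looks redundant, since TEST_info is used without a trailing newline elsewhere in the suite and the framework terminates the line itself. The two mismatch blocks could be folded into one condition, `if (!TEST_ptr_eq(pending_ssl_obj, client_hello_ssl_obj) || !TEST_ptr_eq(pending_ssl_obj, conn))`, removing the duplicated SSL_free/goto.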