From: Matt Caswell
Date: Fri, 7 Feb 2025 11:53:59 +0000 (+0000)
Subject: Add a test for configuring provider certs via config
X-Git-Tag: openssl-3.3.4~175
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=873a99ab6aa4f1618454fac23f8127d3b08ef95d;p=thirdparty%2Fopenssl.git

Add a test for configuring provider certs via config

A bug existed where provider added cert algorithms caused a crash when they were configured via a config file. We add a test for this scenario.

Reviewed-by: Viktor Dukhovni
Reviewed-by: Dmitry Belyavskiy
Reviewed-by: Tomas Mraz
Reviewed-by: Tim Hudson
(Merged from https://github.com/openssl/openssl/pull/26663)
(cherry picked from commit e2bfb61f617fa0f3acf88263a9afc702320660db)
---
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 15da5683aa5..ad9108c6f38 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -9992,8 +9992,10 @@ static int create_cert_key(int idx, char *certfilename, char *privkeyfilename)
  * correctly establish a TLS (1.3) connection.
  * Test 0: Signature algorithm with built-in hashing functionality: "xorhmacsig"
  * Test 1: Signature algorithm using external SHA2 hashing: "xorhmacsha2sig"
- * Test 2: Test 0 using RPK
- * Test 3: Test 1 using RPK
+ * Test 2: Signature algorithm with built-in hashing configured via SSL_CONF_cmd
+ * Test 3: Test 0 using RPK
+ * Test 4: Test 1 using RPK
+ * Test 5: Test 2 using RPK
  */
 static int test_pluggable_signature(int idx)
 {
@@ -10005,8 +10007,14 @@ static int test_pluggable_signature(int idx)
  OSSL_PROVIDER *defaultprov = OSSL_PROVIDER_load(libctx, "default");
  char *certfilename = "tls-prov-cert.pem";
  char *privkeyfilename = "tls-prov-key.pem";
- int sigidx = idx % 2;
- int rpkidx = idx / 2;
+ int sigidx = idx % 3;
+ int rpkidx = idx / 3;
+ int do_conf_cmd = 0;
+
+ if (sigidx == 2) {
+ sigidx = 0;
+ do_conf_cmd = 1;
+ }
 
  /* create key and certificate for the different algorithm types */
  if (!TEST_ptr(tlsprov)
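Review bot: The remap `if (sigidx == 2) { sigidx = 0; do_conf_cmd = 1; }` leaves the idx layout implicit, so a reader has to reconstruct it from the header comment and the `ADD_ALL_TESTS(test_pluggable_signature, 6)` count. A one-line comment above `int sigidx = idx % 3;` would state it directly, e.g. `/* idx = rpkidx * 3 + variant; variant 2 is variant 0 ("xorhmacsig") loaded via SSL_CONF_cmd */`. The body of test_pluggable_signature continues outside the hunk.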
@@ -10017,9 +10025,40 @@ static int test_pluggable_signature(int idx)
  TLS_client_method(),
  TLS1_3_VERSION,
  TLS1_3_VERSION,
- &sctx, &cctx, certfilename, privkeyfilename))
- || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
- NULL, NULL)))
+ &sctx, &cctx, NULL, NULL)))
+ goto end;
+
+ if (do_conf_cmd) {
+ SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
+
+ if (!TEST_ptr(confctx))
+ goto end;
+ SSL_CONF_CTX_set_flags(confctx, SSL_CONF_FLAG_FILE
+ | SSL_CONF_FLAG_SERVER
+ | SSL_CONF_FLAG_CERTIFICATE
+ | SSL_CONF_FLAG_REQUIRE_PRIVATE
+ | SSL_CONF_FLAG_SHOW_ERRORS);
+ SSL_CONF_CTX_set_ssl_ctx(confctx, sctx);
+ if (!TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
+ || !TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
+ || !TEST_true(SSL_CONF_CTX_finish(confctx))) {
+ SSL_CONF_CTX_free(confctx);
+ goto end;
+ }
+ SSL_CONF_CTX_free(confctx);
+ } else {
+ if (!TEST_int_eq(SSL_CTX_use_certificate_file(sctx, certfilename,
+ SSL_FILETYPE_PEM), 1)
+ || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(sctx,
+ privkeyfilename,
+ SSL_FILETYPE_PEM), 1))
+ goto end;
+ }
+ if (!TEST_int_eq(SSL_CTX_check_private_key(sctx), 1))
+ goto end;
+
+ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
+ NULL, NULL)))
  goto end;
 
  /* Enable RPK for server cert */
@@ -12576,7 +12615,7 @@ int setup_tests(void)
 #endif
 #ifndef OPENSSL_NO_TLS1_3
  ADD_ALL_TESTS(test_pluggable_group, 2);
- ADD_ALL_TESTS(test_pluggable_signature, 4);
+ ADD_ALL_TESTS(test_pluggable_signature, 6);
 #endif
 #ifndef OPENSSL_NO_TLS1_2
  ADD_TEST(test_ssl_dup);
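Review bot: `SSL_CONF_CTX_free(confctx)` is written twice inside `if (do_conf_cmd)`, once on the failure path of the three-way check and once after it, so any check inserted later between `SSL_CONF_CTX_set_ssl_ctx` and the free has to remember to free again; folding the three checks into one result and freeing once removes the duplication. A short comment on the flags would also help, since `SSL_CONF_FLAG_FILE` is what enables the config-file command names "Certificate" and "PrivateKey", i.e. the path the commit message says used to crash with provider-added cert algorithms. Only the sigidx 0 algorithm is driven through SSL_CONF_cmd here; the external-SHA2 variant (sigidx 1) is still covered only via the direct SSL_CTX_use_* path, which may be intended but is worth stating in the header comment. The body of test_pluggable_signature continues outside the hunk.
```c
    if (do_conf_cmd) {
        SSL_CONF_CTX *confctx = SSL_CONF_CTX_new();
        int conf_ok;

        if (!TEST_ptr(confctx))
            goto end;
        /*
         * SSL_CONF_FLAG_FILE enables the config-file command names
         * ("Certificate", "PrivateKey"), so this exercises the same path a
         * config file takes when loading a provider-backed cert and key.
         */
        /* … unchanged: SSL_CONF_CTX_set_flags / SSL_CONF_CTX_set_ssl_ctx … */
        conf_ok = TEST_int_gt(SSL_CONF_cmd(confctx, "Certificate", certfilename), 0)
                  && TEST_int_gt(SSL_CONF_cmd(confctx, "PrivateKey", privkeyfilename), 0)
                  && TEST_true(SSL_CONF_CTX_finish(confctx));
        SSL_CONF_CTX_free(confctx);
        if (!conf_ok)
            goto end;
    } else {
        /* … unchanged: SSL_CTX_use_certificate_file / SSL_CTX_use_PrivateKey_file … */
    }
```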