From: Norbert Pocs <norbertp@openssl.org>
Date: Wed, 28 May 2025 20:12:06 +0000 (+0200)
Subject: sslapitest: Add failing test for quic double free
X-Git-Tag: openssl-3.5.1~69
X-Git-Url: http://git.ipfire.org/gitweb/gitweb.cgi?a=commitdiff_plain;h=f551f9da8756a4c9ac5902adacc25adf39a96958;p=thirdparty%2Fopenssl.git

sslapitest: Add failing test for quic double free

The double free happened on the EVP_MD object, when we used external
quic implementation. This test makes the yield secret callback fail, to
make the kdfdigest free path happen.

Signed-off-by: Norbert Pocs <norbertp@openssl.org>

Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Neil Horman <nhorman@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/27713)

(cherry picked from commit 9ed90fd44cc1b8039d82610d90f56275d519c204)
---

diff --git a/test/sslapitest.c b/test/sslapitest.c
index 7143bd01a7b..551b28f851b 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -12714,6 +12714,22 @@ static int yield_secret_cb(SSL *s, uint32_t prot_level, int direction,
     return 0;
 }
 
+static int yield_secret_cb_fail(SSL *s, uint32_t prot_level, int direction,
+                                const unsigned char *secret, size_t secret_len,
+                                void *arg)
+{
+    (void)s;
+    (void)prot_level;
+    (void)direction;
+    (void)secret;
+    (void)secret_len;
+    (void)arg;
+    /*
+     * This callback is to test double free in quic tls
+     */
+    return 0;
+}
+
 static int got_transport_params_cb(SSL *s, const unsigned char *params,
                                    size_t params_len,
                                    void *arg)
@@ -12754,13 +12770,14 @@ static int alert_cb(SSL *s, unsigned char alert_code, void *arg)
  * Test 0: Normal run
  * Test 1: Force a failure
  * Test 3: Use a CCM based ciphersuite
+ * Test 4: fail yield_secret_cb to see double free
  */
 static int test_quic_tls(int idx)
 {
     SSL_CTX *sctx = NULL, *cctx = NULL;
     SSL *serverssl = NULL, *clientssl = NULL;
     int testresult = 0;
-    const OSSL_DISPATCH qtdis[] = {
+    OSSL_DISPATCH qtdis[] = {
         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_SEND, (void (*)(void))crypto_send_cb},
         {OSSL_FUNC_SSL_QUIC_TLS_CRYPTO_RECV_RCD,
          (void (*)(void))crypto_recv_rcd_cb},
@@ -12782,6 +12799,9 @@ static int test_quic_tls(int idx)
     };
     int i;
 
+    if (idx == 4)
+        qtdis[3].function = (void (*)(void))yield_secret_cb_fail;
+
     memset(&sdata, 0, sizeof(sdata));
     memset(&cdata, 0, sizeof(cdata));
     sdata.peer = &cdata;
@@ -12820,7 +12840,7 @@ static int test_quic_tls(int idx)
                                                             sizeof(sparams))))
         goto end;
 
-    if (idx != 1) {
+    if (idx != 1 && idx != 4) {
         if (!TEST_true(create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)))
             goto end;
     } else {
@@ -13357,7 +13377,7 @@ int setup_tests(void)
 #endif
     ADD_ALL_TESTS(test_alpn, 4);
 #if !defined(OSSL_NO_USABLE_TLS1_3)
-    ADD_ALL_TESTS(test_quic_tls, 3);
+    ADD_ALL_TESTS(test_quic_tls, 5);
     ADD_TEST(test_quic_tls_early_data);
 #endif
     return 1;