diff options
author | Matt Caswell <matt@openssl.org> | 2020-03-18 18:17:37 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2020-04-19 15:40:55 +0200 |
commit | 5e30f2fd58bac0db5c23e33e865fa70bd6eb4349 (patch) | |
tree | acaf649f6e91384529b104d220e6903f96764c3d | |
parent | dhparam: white space cleaning (diff) | |
download | openssl-5e30f2fd58bac0db5c23e33e865fa70bd6eb4349.tar.xz openssl-5e30f2fd58bac0db5c23e33e865fa70bd6eb4349.zip |
Use a non-default libctx in sslapitest
We also don't load the default provider into the default libctx to make
sure there is no accidental "leakage".
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11508)
-rw-r--r-- | test/asynciotest.c | 3 | ||||
-rw-r--r-- | test/dtlstest.c | 8 | ||||
-rw-r--r-- | test/fatalerrtest.c | 2 | ||||
-rw-r--r-- | test/gosttest.c | 2 | ||||
-rw-r--r-- | test/recipes/90-test_sslapi.t | 26 | ||||
-rw-r--r-- | test/recordlentest.c | 3 | ||||
-rw-r--r-- | test/servername_test.c | 2 | ||||
-rw-r--r-- | test/sslapitest.c | 221 | ||||
-rw-r--r-- | test/sslbuffertest.c | 2 | ||||
-rw-r--r-- | test/sslcorrupttest.c | 3 | ||||
-rw-r--r-- | test/sslprovidertest.c | 12 | ||||
-rw-r--r-- | test/ssltestlib.c | 7 | ||||
-rw-r--r-- | test/ssltestlib.h | 8 | ||||
-rw-r--r-- | test/tls13ccstest.c | 4 |
14 files changed, 189 insertions, 114 deletions
diff --git a/test/asynciotest.c b/test/asynciotest.c index dcdee1068d..57f895b655 100644 --- a/test/asynciotest.c +++ b/test/asynciotest.c @@ -296,7 +296,8 @@ static int test_asyncio(int test) const char testdata[] = "Test data"; char buf[sizeof(testdata)]; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &serverctx, &clientctx, cert, privkey))) goto end; diff --git a/test/dtlstest.c b/test/dtlstest.c index 607768832b..1ab89250d3 100644 --- a/test/dtlstest.c +++ b/test/dtlstest.c @@ -61,7 +61,7 @@ static int test_dtls_unprocessed(int testidx) timer_cb_count = 0; - if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) @@ -156,7 +156,7 @@ static int test_dtls_drop_records(int idx) SSL_SESSION *sess = NULL; int cli_to_srv_epoch0, cli_to_srv_epoch1, srv_to_cli_epoch0; - if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) @@ -267,7 +267,7 @@ static int test_cookie(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) @@ -299,7 +299,7 @@ static int test_dtls_duplicate_records(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) diff --git a/test/fatalerrtest.c b/test/fatalerrtest.c index 184392cff2..c1e95af4b8 100644 --- a/test/fatalerrtest.c +++ b/test/fatalerrtest.c @@ -28,7 +28,7 @@ static int test_fatalerr(void) 0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y' }; - if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_method(), TLS_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto err; diff --git a/test/gosttest.c b/test/gosttest.c index f619ebd35d..b61e4efa49 100644 --- a/test/gosttest.c +++ b/test/gosttest.c @@ -46,7 +46,7 @@ static int test_tls13(int idx) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t index f01056c6f6..18ca860e23 100644 --- a/test/recipes/90-test_sslapi.t +++ b/test/recipes/90-test_sslapi.t @@ -8,21 +8,41 @@ use OpenSSL::Test::Utils; -use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir/; +use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/; use File::Temp qw(tempfile); +BEGIN { setup("test_sslapi"); +} + +use lib srctop_dir('Configurations'); +use lib bldtop_dir('.'); +use platform; + plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); -plan tests => 1; +plan tests => 2; (undef, my $tmpfilename) = tempfile(); + +$ENV{OPENSSL_MODULES} = bldtop_dir("providers"); +$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers"); + +ok(run(app(['openssl', 'fipsinstall', + '-out', bldtop_file('providers', 'fipsinstall.cnf'), + '-module', bldtop_file('providers', platform->dso('fips')), + '-provider_name', 'fips', '-mac_name', 'HMAC', + '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00', + '-section_name', 'fips_sect'])), + "fipsinstall"); + ok(run(test(["sslapitest", srctop_dir("test", "certs"), srctop_file("test", "recipes", "90-test_sslapi_data", - "passwd.txt"), $tmpfilename])), + "passwd.txt"), $tmpfilename, "default", + srctop_file("test", "default.cnf")])), "running sslapitest"); unlink $tmpfilename; diff --git a/test/recordlentest.c b/test/recordlentest.c index 01cc53469b..a9932bfddc 100644 --- a/test/recordlentest.c +++ b/test/recordlentest.c @@ -102,7 +102,8 @@ static int test_record_overflow(int idx) ERR_clear_error(); - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; diff --git a/test/servername_test.c b/test/servername_test.c index 33e62a169b..64e9eeb93b 100644 --- a/test/servername_test.c +++ b/test/servername_test.c @@ -190,7 +190,7 @@ static int server_setup_sni(void) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) diff --git a/test/sslapitest.c b/test/sslapitest.c index 7956353f49..ef078ad244 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -28,6 +28,7 @@ #include <openssl/aes.h> #include <openssl/rand.h> #include <openssl/core_names.h> +#include <openssl/provider.h> #include "ssltestlib.h" #include "testutil.h" @@ -36,6 +37,9 @@ #include "internal/ktls.h" #include "../ssl/ssl_local.h" +static OPENSSL_CTX *libctx = NULL; +static OSSL_PROVIDER *defctxnull = NULL; + #ifndef OPENSSL_NO_TLS1_3 static SSL_SESSION *clientpsk = NULL; @@ -339,7 +343,7 @@ static int test_keylog(void) server_log_buffer_index = 0; error_writing_log = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) @@ -423,8 +427,8 @@ static int test_keylog_no_master_key(void) server_log_buffer_index = 0; error_writing_log = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_max_early_data(sctx, SSL3_RT_MAX_PLAIN_LENGTH))) @@ -569,8 +573,8 @@ static int test_client_hello_cb(void) SSL *clientssl = NULL, *serverssl = NULL; int testctr = 0, testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr); @@ -611,7 +615,7 @@ static int test_no_ems(void) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; - if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, TLS1_2_VERSION, &sctx, &cctx, cert, privkey)) { printf("Unable to create SSL_CTX pair\n"); @@ -671,7 +675,7 @@ static int test_ccs_change_cipher(void) * Create a conection so we can resume and potentially (but not) use * a different cipher in the second connection. */ - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, TLS1_2_VERSION, &sctx, &cctx, cert, privkey)) @@ -783,8 +787,9 @@ static int execute_test_large_message(const SSL_METHOD *smeth, if (!TEST_ptr(chaincert)) goto end; - if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, - &sctx, &cctx, cert, privkey))) + if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version, + max_version, &sctx, &cctx, cert, + privkey))) goto end; if (read_ahead) { @@ -967,7 +972,7 @@ static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx, return 1; /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_2_VERSION, TLS1_2_VERSION, &sctx, &cctx, cert, privkey)) @@ -1081,7 +1086,7 @@ static int test_ktls_sendfile(void) } /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_2_VERSION, TLS1_2_VERSION, &sctx, &cctx, cert, privkey)) @@ -1278,7 +1283,7 @@ static int ocsp_server_cb(SSL *s, void *arg) return SSL_TLSEXT_ERR_ALERT_FATAL; id = sk_OCSP_RESPID_value(ids, 0); - if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, NULL, NULL)) + if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL)) return SSL_TLSEXT_ERR_ALERT_FATAL; } else if (*argi != 1) { return SSL_TLSEXT_ERR_ALERT_FATAL; @@ -1318,7 +1323,7 @@ static int test_tlsext_status_type(void) OCSP_RESPID *id = NULL; BIO *certbio = NULL; - if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) return 0; @@ -1406,7 +1411,7 @@ static int test_tlsext_status_type(void) || !TEST_ptr(ids = sk_OCSP_RESPID_new_null()) || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL)) - || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, NULL, NULL)) + || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL)) || !TEST_true(sk_OCSP_RESPID_push(ids, id))) goto end; id = NULL; @@ -1487,8 +1492,8 @@ static int execute_test_session(int maxprot, int use_int_cache, if (maxprot == TLS1_3_VERSION) numnewsesstick = 2; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -1835,9 +1840,9 @@ static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx, { int sess_id_ctx = 1; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, sctx, - cctx, cert, privkey)) + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, + sctx, cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx)) || !TEST_true(SSL_CTX_set_session_id_context(*sctx, (void *)&sess_id_ctx, @@ -2035,9 +2040,9 @@ static int test_psk_tickets(void) int testresult = 0; int sess_id_ctx = 1; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, &sctx, - &cctx, NULL, NULL)) + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, + &sctx, &cctx, NULL, NULL)) || !TEST_true(SSL_CTX_set_session_id_context(sctx, (void *)&sess_id_ctx, sizeof(sess_id_ctx)))) @@ -2161,8 +2166,8 @@ static int test_ssl_set_bio(int idx) conntype = idx % 2; } - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -2265,7 +2270,7 @@ static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio) SSL *ssl = NULL; int testresult = 0; - if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method())) + if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method())) || !TEST_ptr(ssl = SSL_new(ctx)) || !TEST_ptr(sslbio = BIO_new(BIO_f_ssl())) || !TEST_ptr(membio1 = BIO_new(BIO_s_mem()))) @@ -2384,8 +2389,8 @@ static int test_set_sigalgs(int idx) curr = testctx ? &testsigalgs[idx] : &testsigalgs[idx - OSSL_NELEM(testsigalgs)]; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -2623,7 +2628,7 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl, SSL **serverssl, SSL_SESSION **sess, int idx) { if (*sctx == NULL - && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), + && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, sctx, cctx, cert, privkey))) @@ -2950,9 +2955,9 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt) allow_ed_cb_called = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, &sctx, - &cctx, cert, privkey))) + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, + &sctx, &cctx, cert, privkey))) return 0; if (usecb > 0) { @@ -3670,8 +3675,8 @@ static int test_set_ciphersuite(int idx) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_ciphersuites(sctx, "TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256"))) @@ -3740,8 +3745,8 @@ static int test_ciphersuite_change(void) const SSL_CIPHER *aes_128_gcm_sha256 = NULL; /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_ciphersuites(cctx, "TLS_AES_128_GCM_SHA256")) @@ -3953,9 +3958,10 @@ static int test_key_exchange(int idx) return 1; } - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, max_version, - &sctx, &cctx, cert, privkey))) + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, + max_version, &sctx, &cctx, cert, + privkey))) goto end; if (!TEST_true(SSL_CTX_set_ciphersuites(sctx, @@ -4071,7 +4077,7 @@ static int test_tls13_ciphersuite(int idx) # endif for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) { t13_cipher = t13_ciphers[i]; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, max_ver, &sctx, &cctx, cert, privkey))) @@ -4172,8 +4178,8 @@ static int test_tls13_psk(int idx) }; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, idx == 3 ? NULL : cert, idx == 3 ? NULL : privkey))) goto end; @@ -4425,8 +4431,8 @@ static int test_stateless(void) SSL *serverssl = NULL, *clientssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -4649,13 +4655,13 @@ static int test_custom_exts(int tst) clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0; snicb = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; if (tst == 2 - && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL, + && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL, TLS1_VERSION, 0, &sctx2, NULL, cert, privkey))) goto end; @@ -4847,7 +4853,7 @@ static int test_serverinfo(int tst) int ret, expected, testresult = 0; SSL_CTX *ctx; - ctx = SSL_CTX_new(TLS_method()); + ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()); if (!TEST_ptr(ctx)) goto end; @@ -4935,8 +4941,8 @@ static int test_export_key_mat(int tst) if (tst >= 3) return 1; #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -5132,7 +5138,7 @@ static int test_key_update(void) char buf[20]; static char *mess = "A test message"; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_3_VERSION, 0, @@ -5195,7 +5201,7 @@ static int test_key_update_in_write(int tst) SSL *peerupdate = NULL, *peerwrite = NULL; if (!TEST_ptr(bretry) - || !TEST_true(create_ssl_ctx_pair(TLS_server_method(), + || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_3_VERSION, 0, @@ -5275,8 +5281,8 @@ static int test_ssl_clear(int idx) #endif /* Create an initial connection */ - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || (idx == 1 && !TEST_true(SSL_CTX_set_max_proto_version(cctx, @@ -5385,7 +5391,7 @@ static int test_max_fragment_len_ext(int idx_tst) int testresult = 0, MFL_mode = 0; BIO *rbio, *wbio; - ctx = SSL_CTX_new(TLS_method()); + ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()); if (!TEST_ptr(ctx)) goto end; @@ -5435,8 +5441,8 @@ static int test_pha_key_update(void) SSL *clientssl = NULL, *serverssl = NULL; int testresult = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; @@ -5534,7 +5540,7 @@ static int create_new_vfile(char *userid, char *password, const char *filename) goto end; gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt], - &row[DB_srpverifier], NULL, NULL, NULL, NULL); + &row[DB_srpverifier], NULL, NULL, libctx, NULL); if (!TEST_ptr(gNid)) goto end; @@ -5591,7 +5597,7 @@ static int create_new_vbase(char *userid, char *password) goto end; if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier, - lgN->N, lgN->g, NULL, NULL))) + lgN->N, lgN->g, libctx, NULL))) goto end; user_pwd = OPENSSL_zalloc(sizeof(*user_pwd)); @@ -5658,8 +5664,8 @@ static int test_srp(int tst) goto end; } - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; @@ -5919,7 +5925,7 @@ static int test_info_callback(int tst) } #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), tlsvers, tlsvers, &sctx, &cctx, cert, privkey))) @@ -5979,14 +5985,14 @@ static int test_ssl_pending(int tst) size_t written, readbytes; if (tst == 0) { - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) goto end; } else { #ifndef OPENSSL_NO_DTLS - if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(), DTLS_client_method(), DTLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) @@ -6098,7 +6104,7 @@ static int test_ssl_get_shared_ciphers(int tst) int testresult = 0; char buf[1024]; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, shared_ciphers_data[tst].maxprot, @@ -6205,16 +6211,26 @@ static int tick_key_cb(SSL *s, unsigned char key_name[16], { const unsigned char tick_aes_key[16] = "0123456789abcdef"; const unsigned char tick_hmac_key[16] = "0123456789abcdef"; + EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); + EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL); + int ret; tick_key_cb_called = 1; memset(iv, 0, AES_BLOCK_SIZE); memset(key_name, 0, 16); - if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc) - || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), - EVP_sha256(), NULL)) - return -1; + if (aes128cbc == NULL + || sha256 == NULL + || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) + || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256, + NULL)) + ret = -1; + else + ret = tick_key_renew ? 2 : 1; - return tick_key_renew ? 2 : 1; + EVP_CIPHER_free(aes128cbc); + EVP_MD_free(sha256); + + return ret; } #endif @@ -6225,6 +6241,8 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16], const unsigned char tick_aes_key[16] = "0123456789abcdef"; unsigned char tick_hmac_key[16] = "0123456789abcdef"; OSSL_PARAM params[3]; + EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL); + int ret; tick_key_cb_called = 1; memset(iv, 0, AES_BLOCK_SIZE); @@ -6235,12 +6253,17 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16], tick_hmac_key, sizeof(tick_hmac_key)); params[2] = OSSL_PARAM_construct_end(); - if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc) + if (aes128cbc == NULL + || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc) || !EVP_MAC_CTX_set_params(hctx, params) || !EVP_MAC_init(hctx)) - return -1; + ret = -1; + else + ret = tick_key_renew ? 2 : 1; + + EVP_CIPHER_free(aes128cbc); - return tick_key_renew ? 2 : 1; + return ret; } /* @@ -6316,7 +6339,7 @@ static int test_ticket_callbacks(int tst) tick_dec_ret = SSL_TICKET_RETURN_ABORT; } - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, ((tst % 2) == 0) ? TLS1_2_VERSION @@ -6440,7 +6463,7 @@ static int test_shutdown(int tst) return 1; #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, (tst <= 1) ? TLS1_2_VERSION @@ -6680,7 +6703,7 @@ static int test_cert_cb_int(int prot, int tst) return 1; #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, prot, @@ -6814,7 +6837,7 @@ static int test_client_cert_cb(int tst) return 1; #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, tst == 0 ? TLS1_2_VERSION @@ -6878,7 +6901,7 @@ static int test_ca_names_int(int prot, int tst) goto end; } - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, prot, @@ -7036,8 +7059,9 @@ static int test_multiblock_write(int test_index) /* Set up a buffer with some data that will be sent to the client */ RAND_bytes(msg, sizeof(msg)); - if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version, - &sctx, &cctx, cert, privkey))) + if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version, + max_version, &sctx, &cctx, cert, + privkey))) goto end; if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE))) @@ -7109,7 +7133,7 @@ static int test_servername(int tst) return 1; #endif - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), TLS1_VERSION, (tst <= 4) ? TLS1_2_VERSION @@ -7234,10 +7258,27 @@ static int test_servername(int tst) return testresult; } -OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n") +OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n") int setup_tests(void) { + char *modulename; + char *configfile; + + libctx = OPENSSL_CTX_new(); + if (!TEST_ptr(libctx)) + return 0; + + defctxnull = OSSL_PROVIDER_load(NULL, "null"); + + /* + * Verify that the default and fips providers in the default libctx are not + * available + */ + if (!TEST_false(OSSL_PROVIDER_available(NULL, "default")) + || !TEST_false(OSSL_PROVIDER_available(NULL, "fips"))) + return 0; + if (!test_skip_common_options()) { TEST_error("Error parsing test options\n"); return 0; @@ -7245,7 +7286,21 @@ int setup_tests(void) if (!TEST_ptr(certsdir = test_get_argument(0)) || !TEST_ptr(srpvfile = test_get_argument(1)) - || !TEST_ptr(tmpfilename = test_get_argument(2))) + || !TEST_ptr(tmpfilename = test_get_argument(2)) + || !TEST_ptr(modulename = test_get_argument(3)) + || !TEST_ptr(configfile = test_get_argument(4))) + return 0; + + if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile))) + return 0; + + /* Check we have the expected provider available */ + if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename))) + return 0; + + /* Check the default provider is not available */ + if (strcmp(modulename, "default") != 0 + && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) return 0; if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) { @@ -7400,4 +7455,6 @@ void cleanup_tests(void) OPENSSL_free(privkey); bio_s_mempacket_test_free(); bio_s_always_retry_free(); + OSSL_PROVIDER_unload(defctxnull); + OPENSSL_CTX_free(libctx); } diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c index 3bce667b46..fa7bb8daeb 100644 --- a/test/sslbuffertest.c +++ b/test/sslbuffertest.c @@ -165,7 +165,7 @@ int setup_tests(void) || !TEST_ptr(pkey = test_get_argument(1))) return 0; - if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + if (!create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(), TLS1_VERSION, 0, &serverctx, &clientctx, cert, pkey)) { TEST_error("Failed to create SSL_CTX pair\n"); diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c index d201cd2b27..fd958b6510 100644 --- a/test/sslcorrupttest.c +++ b/test/sslcorrupttest.c @@ -193,7 +193,8 @@ static int test_ssl_corrupt(int testidx) TEST_info("Starting #%d, %s", testidx, cipher_list[testidx]); - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey))) return 0; diff --git a/test/sslprovidertest.c b/test/sslprovidertest.c index 5f78554fb9..fd29f797aa 100644 --- a/test/sslprovidertest.c +++ b/test/sslprovidertest.c @@ -50,20 +50,14 @@ static int test_different_libctx(void) goto end; TEST_note("%s provider loaded", modulename); - cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method()); - if (!TEST_ptr(cctx)) - goto end; - sctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_server_method()); - if (!TEST_ptr(sctx)) - goto end; - /* * TODO(3.0): Make this work in TLSv1.3. Currently we can only do RSA key * exchange, because we don't have key gen/param gen for EC yet - which * implies TLSv1.2 only */ - if (!TEST_true(create_ssl_ctx_pair(NULL, - NULL, + if (!TEST_true(create_ssl_ctx_pair(libctx, + TLS_server_method(), + TLS_client_method(), TLS1_VERSION, TLS1_2_VERSION, &sctx, &cctx, cert, privkey))) diff --git a/test/ssltestlib.c b/test/ssltestlib.c index e579ceff92..f61767f8f5 100644 --- a/test/ssltestlib.c +++ b/test/ssltestlib.c @@ -684,7 +684,8 @@ static int always_retry_puts(BIO *bio, const char *str) return -1; } -int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, +int create_ssl_ctx_pair(OPENSSL_CTX *libctx, const SSL_METHOD *sm, +const SSL_METHOD *cm, int min_proto_version, int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, char *privkeyfile) @@ -694,13 +695,13 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, if (*sctx != NULL) serverctx = *sctx; - else if (!TEST_ptr(serverctx = SSL_CTX_new(sm))) + else if (!TEST_ptr(serverctx = SSL_CTX_new_with_libctx(libctx, NULL, sm))) goto err; if (cctx != NULL) { if (*cctx != NULL) clientctx = *cctx; - else if (!TEST_ptr(clientctx = SSL_CTX_new(cm))) + else if (!TEST_ptr(clientctx = SSL_CTX_new_with_libctx(libctx, NULL, cm))) goto err; } diff --git a/test/ssltestlib.h b/test/ssltestlib.h index a45aaf81de..ac8bcb12ff 100644 --- a/test/ssltestlib.h +++ b/test/ssltestlib.h @@ -12,10 +12,10 @@ # include <openssl/ssl.h> -int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, - int min_proto_version, int max_proto_version, - SSL_CTX **sctx, SSL_CTX **cctx, char *certfile, - char *privkeyfile); +int create_ssl_ctx_pair(OPENSSL_CTX *libctx, const SSL_METHOD *sm, + const SSL_METHOD *cm, int min_proto_version, + int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx, + char *certfile, char *privkeyfile); int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio); int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want, diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c index 2820a0e8fa..2e1d76b395 100644 --- a/test/tls13ccstest.c +++ b/test/tls13ccstest.c @@ -254,8 +254,8 @@ static int test_tls13ccs(int tst) sappdataseen = cappdataseen = badccs = badvers = badsessid = 0; chsessidlen = 0; - if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), - TLS1_VERSION, 0, + if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, &sctx, &cctx, cert, privkey)) || !TEST_true(SSL_CTX_set_max_early_data(sctx, SSL3_RT_MAX_PLAIN_LENGTH))) |