summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorMatt Caswell <matt@openssl.org>2020-03-18 18:17:37 +0100
committerMatt Caswell <matt@openssl.org>2020-04-19 15:40:55 +0200
commit5e30f2fd58bac0db5c23e33e865fa70bd6eb4349 (patch)
treeacaf649f6e91384529b104d220e6903f96764c3d
parentdhparam: white space cleaning (diff)
downloadopenssl-5e30f2fd58bac0db5c23e33e865fa70bd6eb4349.tar.xz
openssl-5e30f2fd58bac0db5c23e33e865fa70bd6eb4349.zip
Use a non-default libctx in sslapitest
We also don't load the default provider into the default libctx to make sure there is no accidental "leakage". Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11508)
-rw-r--r--test/asynciotest.c3
-rw-r--r--test/dtlstest.c8
-rw-r--r--test/fatalerrtest.c2
-rw-r--r--test/gosttest.c2
-rw-r--r--test/recipes/90-test_sslapi.t26
-rw-r--r--test/recordlentest.c3
-rw-r--r--test/servername_test.c2
-rw-r--r--test/sslapitest.c221
-rw-r--r--test/sslbuffertest.c2
-rw-r--r--test/sslcorrupttest.c3
-rw-r--r--test/sslprovidertest.c12
-rw-r--r--test/ssltestlib.c7
-rw-r--r--test/ssltestlib.h8
-rw-r--r--test/tls13ccstest.c4
14 files changed, 189 insertions, 114 deletions
diff --git a/test/asynciotest.c b/test/asynciotest.c
index dcdee1068d..57f895b655 100644
--- a/test/asynciotest.c
+++ b/test/asynciotest.c
@@ -296,7 +296,8 @@ static int test_asyncio(int test)
const char testdata[] = "Test data";
char buf[sizeof(testdata)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION, 0,
&serverctx, &clientctx, cert, privkey)))
goto end;
diff --git a/test/dtlstest.c b/test/dtlstest.c
index 607768832b..1ab89250d3 100644
--- a/test/dtlstest.c
+++ b/test/dtlstest.c
@@ -61,7 +61,7 @@ static int test_dtls_unprocessed(int testidx)
timer_cb_count = 0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -156,7 +156,7 @@ static int test_dtls_drop_records(int idx)
SSL_SESSION *sess = NULL;
int cli_to_srv_epoch0, cli_to_srv_epoch1, srv_to_cli_epoch0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -267,7 +267,7 @@ static int test_cookie(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -299,7 +299,7 @@ static int test_dtls_duplicate_records(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
diff --git a/test/fatalerrtest.c b/test/fatalerrtest.c
index 184392cff2..c1e95af4b8 100644
--- a/test/fatalerrtest.c
+++ b/test/fatalerrtest.c
@@ -28,7 +28,7 @@ static int test_fatalerr(void)
0x17, 0x03, 0x03, 0x00, 0x05, 'D', 'u', 'm', 'm', 'y'
};
- if (!TEST_true(create_ssl_ctx_pair(TLS_method(), TLS_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_method(), TLS_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto err;
diff --git a/test/gosttest.c b/test/gosttest.c
index f619ebd35d..b61e4efa49 100644
--- a/test/gosttest.c
+++ b/test/gosttest.c
@@ -46,7 +46,7 @@ static int test_tls13(int idx)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
0,
diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t
index f01056c6f6..18ca860e23 100644
--- a/test/recipes/90-test_sslapi.t
+++ b/test/recipes/90-test_sslapi.t
@@ -8,21 +8,41 @@
use OpenSSL::Test::Utils;
-use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir/;
+use OpenSSL::Test qw/:DEFAULT srctop_file srctop_dir bldtop_dir bldtop_file/;
use File::Temp qw(tempfile);
+BEGIN {
setup("test_sslapi");
+}
+
+use lib srctop_dir('Configurations');
+use lib bldtop_dir('.');
+use platform;
+
plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build"
if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls"));
-plan tests => 1;
+plan tests => 2;
(undef, my $tmpfilename) = tempfile();
+
+$ENV{OPENSSL_MODULES} = bldtop_dir("providers");
+$ENV{OPENSSL_CONF_INCLUDE} = bldtop_dir("providers");
+
+ok(run(app(['openssl', 'fipsinstall',
+ '-out', bldtop_file('providers', 'fipsinstall.cnf'),
+ '-module', bldtop_file('providers', platform->dso('fips')),
+ '-provider_name', 'fips', '-mac_name', 'HMAC',
+ '-macopt', 'digest:SHA256', '-macopt', 'hexkey:00',
+ '-section_name', 'fips_sect'])),
+ "fipsinstall");
+
ok(run(test(["sslapitest", srctop_dir("test", "certs"),
srctop_file("test", "recipes", "90-test_sslapi_data",
- "passwd.txt"), $tmpfilename])),
+ "passwd.txt"), $tmpfilename, "default",
+ srctop_file("test", "default.cnf")])),
"running sslapitest");
unlink $tmpfilename;
diff --git a/test/recordlentest.c b/test/recordlentest.c
index 01cc53469b..a9932bfddc 100644
--- a/test/recordlentest.c
+++ b/test/recordlentest.c
@@ -102,7 +102,8 @@ static int test_record_overflow(int idx)
ERR_clear_error();
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
diff --git a/test/servername_test.c b/test/servername_test.c
index 33e62a169b..64e9eeb93b 100644
--- a/test/servername_test.c
+++ b/test/servername_test.c
@@ -190,7 +190,7 @@ static int server_setup_sni(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 7956353f49..ef078ad244 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -28,6 +28,7 @@
#include <openssl/aes.h>
#include <openssl/rand.h>
#include <openssl/core_names.h>
+#include <openssl/provider.h>
#include "ssltestlib.h"
#include "testutil.h"
@@ -36,6 +37,9 @@
#include "internal/ktls.h"
#include "../ssl/ssl_local.h"
+static OPENSSL_CTX *libctx = NULL;
+static OSSL_PROVIDER *defctxnull = NULL;
+
#ifndef OPENSSL_NO_TLS1_3
static SSL_SESSION *clientpsk = NULL;
@@ -339,7 +343,7 @@ static int test_keylog(void)
server_log_buffer_index = 0;
error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -423,8 +427,8 @@ static int test_keylog_no_master_key(void)
server_log_buffer_index = 0;
error_writing_log = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
SSL3_RT_MAX_PLAIN_LENGTH)))
@@ -569,8 +573,8 @@ static int test_client_hello_cb(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testctr = 0, testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
SSL_CTX_set_client_hello_cb(sctx, full_client_hello_callback, &testctr);
@@ -611,7 +615,7 @@ static int test_no_ems(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
TLS1_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey)) {
printf("Unable to create SSL_CTX pair\n");
@@ -671,7 +675,7 @@ static int test_ccs_change_cipher(void)
* Create a conection so we can resume and potentially (but not) use
* a different cipher in the second connection.
*/
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey))
@@ -783,8 +787,9 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
if (!TEST_ptr(chaincert))
goto end;
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
- &sctx, &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
goto end;
if (read_ahead) {
@@ -967,7 +972,7 @@ static int execute_test_ktls(int cis_ktls_tx, int cis_ktls_rx,
return 1;
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_2_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey))
@@ -1081,7 +1086,7 @@ static int test_ktls_sendfile(void)
}
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_2_VERSION, TLS1_2_VERSION,
&sctx, &cctx, cert, privkey))
@@ -1278,7 +1283,7 @@ static int ocsp_server_cb(SSL *s, void *arg)
return SSL_TLSEXT_ERR_ALERT_FATAL;
id = sk_OCSP_RESPID_value(ids, 0);
- if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, NULL, NULL))
+ if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, libctx, NULL))
return SSL_TLSEXT_ERR_ALERT_FATAL;
} else if (*argi != 1) {
return SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -1318,7 +1323,7 @@ static int test_tlsext_status_type(void)
OCSP_RESPID *id = NULL;
BIO *certbio = NULL;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
return 0;
@@ -1406,7 +1411,7 @@ static int test_tlsext_status_type(void)
|| !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
|| !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
NULL, NULL, NULL))
- || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, NULL, NULL))
+ || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, libctx, NULL))
|| !TEST_true(sk_OCSP_RESPID_push(ids, id)))
goto end;
id = NULL;
@@ -1487,8 +1492,8 @@ static int execute_test_session(int maxprot, int use_int_cache,
if (maxprot == TLS1_3_VERSION)
numnewsesstick = 2;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -1835,9 +1840,9 @@ static int setup_ticket_test(int stateful, int idx, SSL_CTX **sctx,
{
int sess_id_ctx = 1;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0, sctx,
- cctx, cert, privkey))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
+ sctx, cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_num_tickets(*sctx, idx))
|| !TEST_true(SSL_CTX_set_session_id_context(*sctx,
(void *)&sess_id_ctx,
@@ -2035,9 +2040,9 @@ static int test_psk_tickets(void)
int testresult = 0;
int sess_id_ctx = 1;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0, &sctx,
- &cctx, NULL, NULL))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
+ &sctx, &cctx, NULL, NULL))
|| !TEST_true(SSL_CTX_set_session_id_context(sctx,
(void *)&sess_id_ctx,
sizeof(sess_id_ctx))))
@@ -2161,8 +2166,8 @@ static int test_ssl_set_bio(int idx)
conntype = idx % 2;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -2265,7 +2270,7 @@ static int execute_test_ssl_bio(int pop_ssl, bio_change_t change_bio)
SSL *ssl = NULL;
int testresult = 0;
- if (!TEST_ptr(ctx = SSL_CTX_new(TLS_method()))
+ if (!TEST_ptr(ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method()))
|| !TEST_ptr(ssl = SSL_new(ctx))
|| !TEST_ptr(sslbio = BIO_new(BIO_f_ssl()))
|| !TEST_ptr(membio1 = BIO_new(BIO_s_mem())))
@@ -2384,8 +2389,8 @@ static int test_set_sigalgs(int idx)
curr = testctx ? &testsigalgs[idx]
: &testsigalgs[idx - OSSL_NELEM(testsigalgs)];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -2623,7 +2628,7 @@ static int setupearly_data_test(SSL_CTX **cctx, SSL_CTX **sctx, SSL **clientssl,
SSL **serverssl, SSL_SESSION **sess, int idx)
{
if (*sctx == NULL
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
sctx, cctx, cert, privkey)))
@@ -2950,9 +2955,9 @@ static int test_early_data_replay_int(int idx, int usecb, int confopt)
allow_ed_cb_called = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0, &sctx,
- &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
+ &sctx, &cctx, cert, privkey)))
return 0;
if (usecb > 0) {
@@ -3670,8 +3675,8 @@ static int test_set_ciphersuite(int idx)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_ciphersuites(sctx,
"TLS_AES_128_GCM_SHA256:TLS_AES_128_CCM_SHA256")))
@@ -3740,8 +3745,8 @@ static int test_ciphersuite_change(void)
const SSL_CIPHER *aes_128_gcm_sha256 = NULL;
/* Create a session based on SHA-256 */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_ciphersuites(cctx,
"TLS_AES_128_GCM_SHA256"))
@@ -3953,9 +3958,10 @@ static int test_key_exchange(int idx)
return 1;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, max_version,
- &sctx, &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
goto end;
if (!TEST_true(SSL_CTX_set_ciphersuites(sctx,
@@ -4071,7 +4077,7 @@ static int test_tls13_ciphersuite(int idx)
# endif
for (i = 0; i < OSSL_NELEM(t13_ciphers); i++) {
t13_cipher = t13_ciphers[i];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, max_ver,
&sctx, &cctx, cert, privkey)))
@@ -4172,8 +4178,8 @@ static int test_tls13_psk(int idx)
};
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, idx == 3 ? NULL : cert,
idx == 3 ? NULL : privkey)))
goto end;
@@ -4425,8 +4431,8 @@ static int test_stateless(void)
SSL *serverssl = NULL, *clientssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -4649,13 +4655,13 @@ static int test_custom_exts(int tst)
clntaddnewcb = clntparsenewcb = srvaddnewcb = srvparsenewcb = 0;
snicb = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
if (tst == 2
- && !TEST_true(create_ssl_ctx_pair(TLS_server_method(), NULL,
+ && !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), NULL,
TLS1_VERSION, 0,
&sctx2, NULL, cert, privkey)))
goto end;
@@ -4847,7 +4853,7 @@ static int test_serverinfo(int tst)
int ret, expected, testresult = 0;
SSL_CTX *ctx;
- ctx = SSL_CTX_new(TLS_method());
+ ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
if (!TEST_ptr(ctx))
goto end;
@@ -4935,8 +4941,8 @@ static int test_export_key_mat(int tst)
if (tst >= 3)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -5132,7 +5138,7 @@ static int test_key_update(void)
char buf[20];
static char *mess = "A test message";
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
0,
@@ -5195,7 +5201,7 @@ static int test_key_update_in_write(int tst)
SSL *peerupdate = NULL, *peerwrite = NULL;
if (!TEST_ptr(bretry)
- || !TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ || !TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_3_VERSION,
0,
@@ -5275,8 +5281,8 @@ static int test_ssl_clear(int idx)
#endif
/* Create an initial connection */
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| (idx == 1
&& !TEST_true(SSL_CTX_set_max_proto_version(cctx,
@@ -5385,7 +5391,7 @@ static int test_max_fragment_len_ext(int idx_tst)
int testresult = 0, MFL_mode = 0;
BIO *rbio, *wbio;
- ctx = SSL_CTX_new(TLS_method());
+ ctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_method());
if (!TEST_ptr(ctx))
goto end;
@@ -5435,8 +5441,8 @@ static int test_pha_key_update(void)
SSL *clientssl = NULL, *serverssl = NULL;
int testresult = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
@@ -5534,7 +5540,7 @@ static int create_new_vfile(char *userid, char *password, const char *filename)
goto end;
gNid = SRP_create_verifier_ex(userid, password, &row[DB_srpsalt],
- &row[DB_srpverifier], NULL, NULL, NULL, NULL);
+ &row[DB_srpverifier], NULL, NULL, libctx, NULL);
if (!TEST_ptr(gNid))
goto end;
@@ -5591,7 +5597,7 @@ static int create_new_vbase(char *userid, char *password)
goto end;
if (!TEST_true(SRP_create_verifier_BN_ex(userid, password, &salt, &verifier,
- lgN->N, lgN->g, NULL, NULL)))
+ lgN->N, lgN->g, libctx, NULL)))
goto end;
user_pwd = OPENSSL_zalloc(sizeof(*user_pwd));
@@ -5658,8 +5664,8 @@ static int test_srp(int tst)
goto end;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
@@ -5919,7 +5925,7 @@ static int test_info_callback(int tst)
}
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
tlsvers, tlsvers, &sctx, &cctx, cert,
privkey)))
@@ -5979,14 +5985,14 @@ static int test_ssl_pending(int tst)
size_t written, readbytes;
if (tst == 0) {
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
goto end;
} else {
#ifndef OPENSSL_NO_DTLS
- if (!TEST_true(create_ssl_ctx_pair(DTLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, DTLS_server_method(),
DTLS_client_method(),
DTLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
@@ -6098,7 +6104,7 @@ static int test_ssl_get_shared_ciphers(int tst)
int testresult = 0;
char buf[1024];
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
shared_ciphers_data[tst].maxprot,
@@ -6205,16 +6211,26 @@ static int tick_key_cb(SSL *s, unsigned char key_name[16],
{
const unsigned char tick_aes_key[16] = "0123456789abcdef";
const unsigned char tick_hmac_key[16] = "0123456789abcdef";
+ EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
+ EVP_MD *sha256 = EVP_MD_fetch(libctx, "SHA-256", NULL);
+ int ret;
tick_key_cb_called = 1;
memset(iv, 0, AES_BLOCK_SIZE);
memset(key_name, 0, 16);
- if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
- || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key),
- EVP_sha256(), NULL))
- return -1;
+ if (aes128cbc == NULL
+ || sha256 == NULL
+ || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
+ || !HMAC_Init_ex(hctx, tick_hmac_key, sizeof(tick_hmac_key), sha256,
+ NULL))
+ ret = -1;
+ else
+ ret = tick_key_renew ? 2 : 1;
- return tick_key_renew ? 2 : 1;
+ EVP_CIPHER_free(aes128cbc);
+ EVP_MD_free(sha256);
+
+ return ret;
}
#endif
@@ -6225,6 +6241,8 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
const unsigned char tick_aes_key[16] = "0123456789abcdef";
unsigned char tick_hmac_key[16] = "0123456789abcdef";
OSSL_PARAM params[3];
+ EVP_CIPHER *aes128cbc = EVP_CIPHER_fetch(libctx, "AES-128-CBC", NULL);
+ int ret;
tick_key_cb_called = 1;
memset(iv, 0, AES_BLOCK_SIZE);
@@ -6235,12 +6253,17 @@ static int tick_key_evp_cb(SSL *s, unsigned char key_name[16],
tick_hmac_key,
sizeof(tick_hmac_key));
params[2] = OSSL_PARAM_construct_end();
- if (!EVP_CipherInit_ex(ctx, EVP_aes_128_cbc(), NULL, tick_aes_key, iv, enc)
+ if (aes128cbc == NULL
+ || !EVP_CipherInit_ex(ctx, aes128cbc, NULL, tick_aes_key, iv, enc)
|| !EVP_MAC_CTX_set_params(hctx, params)
|| !EVP_MAC_init(hctx))
- return -1;
+ ret = -1;
+ else
+ ret = tick_key_renew ? 2 : 1;
+
+ EVP_CIPHER_free(aes128cbc);
- return tick_key_renew ? 2 : 1;
+ return ret;
}
/*
@@ -6316,7 +6339,7 @@ static int test_ticket_callbacks(int tst)
tick_dec_ret = SSL_TICKET_RETURN_ABORT;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
((tst % 2) == 0) ? TLS1_2_VERSION
@@ -6440,7 +6463,7 @@ static int test_shutdown(int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
(tst <= 1) ? TLS1_2_VERSION
@@ -6680,7 +6703,7 @@ static int test_cert_cb_int(int prot, int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
prot,
@@ -6814,7 +6837,7 @@ static int test_client_cert_cb(int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
tst == 0 ? TLS1_2_VERSION
@@ -6878,7 +6901,7 @@ static int test_ca_names_int(int prot, int tst)
goto end;
}
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
prot,
@@ -7036,8 +7059,9 @@ static int test_multiblock_write(int test_index)
/* Set up a buffer with some data that will be sent to the client */
RAND_bytes(msg, sizeof(msg));
- if (!TEST_true(create_ssl_ctx_pair(smeth, cmeth, min_version, max_version,
- &sctx, &cctx, cert, privkey)))
+ if (!TEST_true(create_ssl_ctx_pair(libctx, smeth, cmeth, min_version,
+ max_version, &sctx, &cctx, cert,
+ privkey)))
goto end;
if (!TEST_true(SSL_CTX_set_max_send_fragment(sctx, MULTIBLOCK_FRAGSIZE)))
@@ -7109,7 +7133,7 @@ static int test_servername(int tst)
return 1;
#endif
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(),
+ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(),
TLS_client_method(),
TLS1_VERSION,
(tst <= 4) ? TLS1_2_VERSION
@@ -7234,10 +7258,27 @@ static int test_servername(int tst)
return testresult;
}
-OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile\n")
+OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config\n")
int setup_tests(void)
{
+ char *modulename;
+ char *configfile;
+
+ libctx = OPENSSL_CTX_new();
+ if (!TEST_ptr(libctx))
+ return 0;
+
+ defctxnull = OSSL_PROVIDER_load(NULL, "null");
+
+ /*
+ * Verify that the default and fips providers in the default libctx are not
+ * available
+ */
+ if (!TEST_false(OSSL_PROVIDER_available(NULL, "default"))
+ || !TEST_false(OSSL_PROVIDER_available(NULL, "fips")))
+ return 0;
+
if (!test_skip_common_options()) {
TEST_error("Error parsing test options\n");
return 0;
@@ -7245,7 +7286,21 @@ int setup_tests(void)
if (!TEST_ptr(certsdir = test_get_argument(0))
|| !TEST_ptr(srpvfile = test_get_argument(1))
- || !TEST_ptr(tmpfilename = test_get_argument(2)))
+ || !TEST_ptr(tmpfilename = test_get_argument(2))
+ || !TEST_ptr(modulename = test_get_argument(3))
+ || !TEST_ptr(configfile = test_get_argument(4)))
+ return 0;
+
+ if (!TEST_true(OPENSSL_CTX_load_config(libctx, configfile)))
+ return 0;
+
+ /* Check we have the expected provider available */
+ if (!TEST_true(OSSL_PROVIDER_available(libctx, modulename)))
+ return 0;
+
+ /* Check the default provider is not available */
+ if (strcmp(modulename, "default") != 0
+ && !TEST_false(OSSL_PROVIDER_available(libctx, "default")))
return 0;
if (getenv("OPENSSL_TEST_GETCOUNTS") != NULL) {
@@ -7400,4 +7455,6 @@ void cleanup_tests(void)
OPENSSL_free(privkey);
bio_s_mempacket_test_free();
bio_s_always_retry_free();
+ OSSL_PROVIDER_unload(defctxnull);
+ OPENSSL_CTX_free(libctx);
}
diff --git a/test/sslbuffertest.c b/test/sslbuffertest.c
index 3bce667b46..fa7bb8daeb 100644
--- a/test/sslbuffertest.c
+++ b/test/sslbuffertest.c
@@ -165,7 +165,7 @@ int setup_tests(void)
|| !TEST_ptr(pkey = test_get_argument(1)))
return 0;
- if (!create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!create_ssl_ctx_pair(NULL, TLS_server_method(), TLS_client_method(),
TLS1_VERSION, 0,
&serverctx, &clientctx, cert, pkey)) {
TEST_error("Failed to create SSL_CTX pair\n");
diff --git a/test/sslcorrupttest.c b/test/sslcorrupttest.c
index d201cd2b27..fd958b6510 100644
--- a/test/sslcorrupttest.c
+++ b/test/sslcorrupttest.c
@@ -193,7 +193,8 @@ static int test_ssl_corrupt(int testidx)
TEST_info("Starting #%d, %s", testidx, cipher_list[testidx]);
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey)))
return 0;
diff --git a/test/sslprovidertest.c b/test/sslprovidertest.c
index 5f78554fb9..fd29f797aa 100644
--- a/test/sslprovidertest.c
+++ b/test/sslprovidertest.c
@@ -50,20 +50,14 @@ static int test_different_libctx(void)
goto end;
TEST_note("%s provider loaded", modulename);
- cctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_client_method());
- if (!TEST_ptr(cctx))
- goto end;
- sctx = SSL_CTX_new_with_libctx(libctx, NULL, TLS_server_method());
- if (!TEST_ptr(sctx))
- goto end;
-
/*
* TODO(3.0): Make this work in TLSv1.3. Currently we can only do RSA key
* exchange, because we don't have key gen/param gen for EC yet - which
* implies TLSv1.2 only
*/
- if (!TEST_true(create_ssl_ctx_pair(NULL,
- NULL,
+ if (!TEST_true(create_ssl_ctx_pair(libctx,
+ TLS_server_method(),
+ TLS_client_method(),
TLS1_VERSION,
TLS1_2_VERSION,
&sctx, &cctx, cert, privkey)))
diff --git a/test/ssltestlib.c b/test/ssltestlib.c
index e579ceff92..f61767f8f5 100644
--- a/test/ssltestlib.c
+++ b/test/ssltestlib.c
@@ -684,7 +684,8 @@ static int always_retry_puts(BIO *bio, const char *str)
return -1;
}
-int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
+int create_ssl_ctx_pair(OPENSSL_CTX *libctx, const SSL_METHOD *sm,
+const SSL_METHOD *cm,
int min_proto_version, int max_proto_version,
SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
char *privkeyfile)
@@ -694,13 +695,13 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
if (*sctx != NULL)
serverctx = *sctx;
- else if (!TEST_ptr(serverctx = SSL_CTX_new(sm)))
+ else if (!TEST_ptr(serverctx = SSL_CTX_new_with_libctx(libctx, NULL, sm)))
goto err;
if (cctx != NULL) {
if (*cctx != NULL)
clientctx = *cctx;
- else if (!TEST_ptr(clientctx = SSL_CTX_new(cm)))
+ else if (!TEST_ptr(clientctx = SSL_CTX_new_with_libctx(libctx, NULL, cm)))
goto err;
}
diff --git a/test/ssltestlib.h b/test/ssltestlib.h
index a45aaf81de..ac8bcb12ff 100644
--- a/test/ssltestlib.h
+++ b/test/ssltestlib.h
@@ -12,10 +12,10 @@
# include <openssl/ssl.h>
-int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm,
- int min_proto_version, int max_proto_version,
- SSL_CTX **sctx, SSL_CTX **cctx, char *certfile,
- char *privkeyfile);
+int create_ssl_ctx_pair(OPENSSL_CTX *libctx, const SSL_METHOD *sm,
+ const SSL_METHOD *cm, int min_proto_version,
+ int max_proto_version, SSL_CTX **sctx, SSL_CTX **cctx,
+ char *certfile, char *privkeyfile);
int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl,
SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio);
int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want,
diff --git a/test/tls13ccstest.c b/test/tls13ccstest.c
index 2820a0e8fa..2e1d76b395 100644
--- a/test/tls13ccstest.c
+++ b/test/tls13ccstest.c
@@ -254,8 +254,8 @@ static int test_tls13ccs(int tst)
sappdataseen = cappdataseen = badccs = badvers = badsessid = 0;
chsessidlen = 0;
- if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(),
- TLS1_VERSION, 0,
+ if (!TEST_true(create_ssl_ctx_pair(NULL, TLS_server_method(),
+ TLS_client_method(), TLS1_VERSION, 0,
&sctx, &cctx, cert, privkey))
|| !TEST_true(SSL_CTX_set_max_early_data(sctx,
SSL3_RT_MAX_PLAIN_LENGTH)))