QUIC: Test connection with large client and server cert chains

Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/22476)
2025-04-06 20:20:50 +08:00 · 2023-10-05 19:48:15 +02:00 · 2023-10-05 19:48:15 +02:00 · 3860ef2ae6
commit 3860ef2ae6
parent dc1cc3e483
4 changed files with 61 additions and 49 deletions
--- a/test/helpers/ssltestlib.c
+++ b/test/helpers/ssltestlib.c
@ -1403,3 +1403,51 @@ SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize)
    }
    return sess;
 }
+
+#define NUM_EXTRA_CERTS 40
+
+int ssl_ctx_add_large_cert_chain(OSSL_LIB_CTX *libctx, SSL_CTX *sctx,
+                                 const char *cert_file)
+{
+    BIO *certbio = NULL;
+    X509 *chaincert = NULL;
+    int certlen;
+    int ret = 0;
+    int i;
+
+    if (!TEST_ptr(certbio = BIO_new_file(cert_file, "r")))
+        goto end;
+
+    if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
+        goto end;
+
+    if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
+        goto end;
+    BIO_free(certbio);
+    certbio = NULL;
+
+    /*
+     * We assume the supplied certificate is big enough so that if we add
+     * NUM_EXTRA_CERTS it will make the overall message large enough. The
+     * default buffer size is requested to be 16k, but due to the way BUF_MEM
+     * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
+     * test we need to have a message larger than that.
+     */
+    certlen = i2d_X509(chaincert, NULL);
+    OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
+                   (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
+    for (i = 0; i < NUM_EXTRA_CERTS; i++) {
+        if (!X509_up_ref(chaincert))
+            goto end;
+        if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
+            X509_free(chaincert);
+            goto end;
+        }
+    }
+
+    ret = 1;
+ end:
+    BIO_free(certbio);
+    X509_free(chaincert);
+    return ret;
+}
--- a/test/helpers/ssltestlib.h
+++ b/test/helpers/ssltestlib.h
@ -77,4 +77,8 @@ DEFINE_STACK_OF(MEMPACKET)

 SSL_SESSION *create_a_psk(SSL *ssl, size_t mdsize);

+/* Add cert from `cert_file` multiple times to create large extra cert chain */
+int ssl_ctx_add_large_cert_chain(OSSL_LIB_CTX *libctx, SSL_CTX *sctx,
+                                 const char *cert_file);
+
 #endif /* OSSL_TEST_SSLTESTLIB_H */
--- a/test/quicapitest.c
+++ b/test/quicapitest.c
@ -1230,6 +1230,12 @@ static int test_client_auth(int idx)
                                             &clientquic, NULL, NULL)))
        goto err;

+    if (idx > 1) {
+        if (!TEST_true(ssl_ctx_add_large_cert_chain(libctx, cctx, ccert))
+            || !TEST_true(ssl_ctx_add_large_cert_chain(libctx, sctx, cert)))
+            goto err;
+    }
+
    if (idx == 0) {
        if (!TEST_false(qtest_create_quic_connection(qtserv, clientquic)))
            goto err;
@ -1629,7 +1635,7 @@ int setup_tests(void)
    ADD_TEST(test_multiple_dgrams);
    ADD_ALL_TESTS(test_non_io_retry, 2);
    ADD_TEST(test_quic_psk);
-    ADD_ALL_TESTS(test_client_auth, 2);
+    ADD_ALL_TESTS(test_client_auth, 3);
    ADD_ALL_TESTS(test_alpn, 2);
    ADD_ALL_TESTS(test_noisy_dgram, 2);
    ADD_TEST(test_get_shutdown);
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@ -115,7 +115,6 @@ static int cdummyarg = 1;
 static X509 *ocspcert = NULL;
 #endif

-#define NUM_EXTRA_CERTS 40
 #define CLIENT_VERSION_LEN      2

 /*
@ -954,51 +953,6 @@ end:
 }
 #endif

-static int add_large_cert_chain(SSL_CTX *sctx)
-{
-    BIO *certbio = NULL;
-    X509 *chaincert = NULL;
-    int certlen;
-    int ret = 0;
-    int i;
-
-    if (!TEST_ptr(certbio = BIO_new_file(cert, "r")))
-        goto end;
-
-    if (!TEST_ptr(chaincert = X509_new_ex(libctx, NULL)))
-        goto end;
-
-    if (PEM_read_bio_X509(certbio, &chaincert, NULL, NULL) == NULL)
-        goto end;
-    BIO_free(certbio);
-    certbio = NULL;
-
-    /*
-     * We assume the supplied certificate is big enough so that if we add
-     * NUM_EXTRA_CERTS it will make the overall message large enough. The
-     * default buffer size is requested to be 16k, but due to the way BUF_MEM
-     * works, it ends up allocating a little over 21k (16 * 4/3). So, in this
-     * test we need to have a message larger than that.
-     */
-    certlen = i2d_X509(chaincert, NULL);
-    OPENSSL_assert(certlen * NUM_EXTRA_CERTS >
-                   (SSL3_RT_MAX_PLAIN_LENGTH * 4) / 3);
-    for (i = 0; i < NUM_EXTRA_CERTS; i++) {
-        if (!X509_up_ref(chaincert))
-            goto end;
-        if (!SSL_CTX_add_extra_chain_cert(sctx, chaincert)) {
-            X509_free(chaincert);
-            goto end;
-        }
-    }
-
-    ret = 1;
- end:
-    BIO_free(certbio);
-    X509_free(chaincert);
-    return ret;
-}
-
 static int execute_test_large_message(const SSL_METHOD *smeth,
                                      const SSL_METHOD *cmeth,
                                      int min_version, int max_version,
@ -1034,7 +988,7 @@ static int execute_test_large_message(const SSL_METHOD *smeth,
        SSL_CTX_set_read_ahead(cctx, 1);
    }

-    if (!add_large_cert_chain(sctx))
+    if (!ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl,
@ -11087,7 +11041,7 @@ static int test_handshake_retry(int idx)
     * Add a large amount of data to fill the buffering BIO used by the SSL
     * object
     */
-    if ((idx & 1) == 1 && !add_large_cert_chain(sctx))
+    if ((idx & 1) == 1 && !ssl_ctx_add_large_cert_chain(libctx, sctx, cert))
        goto end;

    /*