added testing

aws · Feb 4, 2025 · 1e19892 · 1e19892
1 parent 807b100
commit 1e19892
Show file tree

Hide file tree

Showing 2 changed files with 45 additions and 3 deletions.
diff --git a/ssl/ssl_cert.cc b/ssl/ssl_cert.cc
@@ -1002,8 +1002,7 @@ int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
   if (!leaf_buf) {
     return 0;
   }
-
-  leaf_and_chain.push_back(leaf_buf.get());
+  leaf_and_chain.push_back(leaf_buf.release());
 
   // Convert chain certificates to CRYPTO_BUFFER objects
   if (chain != nullptr) {
@@ -1021,7 +1020,7 @@ int SSL_CTX_use_cert_and_key(SSL_CTX *ctx, X509 *x509, EVP_PKEY *privatekey,
         return 0;
       }
 
-      leaf_and_chain.push_back(chain_buf.get());
+      leaf_and_chain.push_back(chain_buf.release());
     }
   }
 

diff --git a/ssl/ssl_test.cc b/ssl/ssl_test.cc
@@ -6226,6 +6226,12 @@ TEST(SSLTest, SetChainAndKeyMismatch) {
   ASSERT_FALSE(SSL_CTX_set_chain_and_key(ctx.get(), &chain[0], chain.size(),
                                          key.get(), nullptr));
   ERR_clear_error();
+
+  // Ensure |SSL_CTX_use_cert_and_key| also fails
+  bssl::UniquePtr<X509> x509_leaf = X509FromBuffer(GetChainTestCertificateBuffer());
+  ASSERT_FALSE(SSL_CTX_use_cert_and_key(ctx.get(), x509_leaf.get(),
+                                        key.get(), NULL, 1));
+  ERR_clear_error();
 }
 
 TEST(SSLTest, SetChainAndKey) {
@@ -6264,6 +6270,43 @@ TEST(SSLTest, SetChainAndKey) {
                                      server_ctx.get()));
 }
 
+TEST(SSLTest, SetLeafChainAndKey) {
+  bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
+  ASSERT_TRUE(client_ctx);
+  bssl::UniquePtr<SSL_CTX> server_ctx(SSL_CTX_new(TLS_with_buffers_method()));
+  ASSERT_TRUE(server_ctx);
+
+  ASSERT_EQ(nullptr, SSL_CTX_get0_chain(server_ctx.get()));
+
+  bssl::UniquePtr<EVP_PKEY> key = GetChainTestKey();
+  ASSERT_TRUE(key);
+  bssl::UniquePtr<X509> leaf = X509FromBuffer(GetChainTestCertificateBuffer());
+  ASSERT_TRUE(leaf);
+  bssl::UniquePtr<X509> intermediate =
+      X509FromBuffer(GetChainTestIntermediateBuffer());
+  bssl::UniquePtr<STACK_OF(X509)> chain(sk_X509_new_null());
+  ASSERT_TRUE(chain);
+  ASSERT_TRUE(PushToStack(chain.get(), std::move(intermediate)));
+
+  ASSERT_TRUE(SSL_CTX_use_cert_and_key(server_ctx.get(), leaf.get(),
+                                        key.get(), chain.get(), 1));
+
+  SSL_CTX_set_custom_verify(
+      client_ctx.get(), SSL_VERIFY_PEER,
+      [](SSL *ssl, uint8_t *out_alert) -> ssl_verify_result_t {
+        return ssl_verify_ok;
+      });
+
+  bssl::UniquePtr<SSL> client, server;
+  ASSERT_TRUE(ConnectClientAndServer(&client, &server, client_ctx.get(),
+                                     server_ctx.get()));
+
+  // Try setting on previously populated fields without an override
+  ASSERT_FALSE(SSL_CTX_use_cert_and_key(server_ctx.get(), leaf.get(),
+                                        key.get(), chain.get(), 0));
+  ERR_clear_error();
+}
+
 TEST(SSLTest, BuffersFailWithoutCustomVerify) {
   bssl::UniquePtr<SSL_CTX> client_ctx(SSL_CTX_new(TLS_with_buffers_method()));
   ASSERT_TRUE(client_ctx);