ssl: add load ca tests

Chilledheart · May 23, 2024 · 11f3ca3 · 11f3ca3
1 parent 2122a6c
commit 11f3ca3
Show file tree

Hide file tree

Showing 4 changed files with 77 additions and 10 deletions.
diff --git a/CMakeLists.txt b/CMakeLists.txt
@@ -2862,7 +2862,7 @@ if (USE_BUILTIN_CA_BUNDLE_CRT)
   target_include_directories(asio_ca_bundle_crt PRIVATE third_party/ca-certificates)
 
   list(APPEND YASS_APP_FEATURES "ca-certificates 20240203.3.98")
-  target_link_libraries(asio PRIVATE asio_ca_bundle_crt)
+  target_link_libraries(asio PUBLIC asio_ca_bundle_crt)
 endif()
 
 #
@@ -4673,6 +4673,7 @@ if (BUILD_TESTS)
     src/config/config_test.cpp
     src/core/process_utils_test.cpp
     src/core/utils_test.cpp
+    src/net/asio_ssl_test.cpp
     src/net/cipher_test.cpp
     src/net/c-ares_test.cpp
     src/net/padding_test.cpp

diff --git a/src/net/asio_ssl.cpp b/src/net/asio_ssl.cpp
@@ -1,7 +1,7 @@
 // SPDX-License-Identifier: GPL-2.0
 /* Copyright (c) 2022-2024 Chilledheart  */
 
-#include "net/asio.hpp"
+#include "net/asio_ssl_internal.hpp"
 
 #ifdef _WIN32
 #include "core/windows/dirent.h"
@@ -36,9 +36,6 @@
 
 #ifdef HAVE_BUILTIN_CA_BUNDLE_CRT
 
-extern "C" const char _binary_ca_bundle_crt_start[];
-extern "C" const char _binary_ca_bundle_crt_end[];
-
 // Use internal ca-bundle.crt if necessary
 // we take care of the ca-bundle if windows version is below windows 8.1
 ABSL_FLAG(bool,
@@ -54,9 +51,6 @@ ABSL_FLAG(bool,
 
 #endif  // HAVE_BUILTIN_CA_BUNDLE_CRT
 
-extern "C" const char _binary_supplementary_ca_bundle_crt_start[];
-extern "C" const char _binary_supplementary_ca_bundle_crt_end[];
-
 std::ostream& operator<<(std::ostream& o, asio::error_code ec) {
 #ifdef _WIN32
   return o << ec.message() << " value: " << ec.value();
@@ -329,7 +323,7 @@ static bool load_ca_content_to_x509_trust(X509_STORE* store, std::string_view ca
 }
 
 static constexpr std::string_view kEndCertificateMark = "-----END CERTIFICATE-----\n";
-static int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, std::string_view cadata) {
+int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, std::string_view cadata) {
   X509_STORE* store = nullptr;
   int count = 0;
   store = SSL_CTX_get_cert_store(ssl_ctx);
@@ -508,7 +502,7 @@ static int load_ca_to_ssl_ctx_yass_ca_bundle(SSL_CTX* ssl_ctx) {
   return 0;
 }
 
-static int load_ca_to_ssl_ctx_system(SSL_CTX* ssl_ctx) {
+int load_ca_to_ssl_ctx_system(SSL_CTX* ssl_ctx) {
 #ifdef _WIN32
   HCERTSTORE cert_store = NULL;
   asio::error_code ec;

diff --git a/src/net/asio_ssl_internal.hpp b/src/net/asio_ssl_internal.hpp
@@ -0,0 +1,24 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Chilledheart  */
+
+#ifndef H_NET_ASIO_SSL_INTERNAL
+#define H_NET_ASIO_SSL_INTERNAL
+
+#include "net/asio.hpp"
+
+#include <string_view>
+
+#ifdef HAVE_BUILTIN_CA_BUNDLE_CRT
+
+extern "C" const char _binary_ca_bundle_crt_start[];
+extern "C" const char _binary_ca_bundle_crt_end[];
+
+#endif
+
+extern "C" const char _binary_supplementary_ca_bundle_crt_start[];
+extern "C" const char _binary_supplementary_ca_bundle_crt_end[];
+
+int load_ca_to_ssl_ctx_from_mem(SSL_CTX* ssl_ctx, std::string_view cadata);
+int load_ca_to_ssl_ctx_system(SSL_CTX* ssl_ctx);
+
+#endif  // H_NET_ASIO_SSL_INTERNAL
diff --git a/src/net/asio_ssl_test.cpp b/src/net/asio_ssl_test.cpp
@@ -0,0 +1,48 @@
+// SPDX-License-Identifier: GPL-2.0
+/* Copyright (c) 2024 Chilledheart  */
+
+#include <build/build_config.h>
+#include <gtest/gtest.h>
+
+#include "core/utils.hpp"
+#include "net/asio_ssl_internal.hpp"
+
+#ifdef HAVE_BUILTIN_CA_BUNDLE_CRT
+TEST(SSL_TEST, LoadBuiltinCaBundle) {
+  bssl::UniquePtr<SSL_CTX> ssl_ctx;
+  ssl_ctx.reset(::SSL_CTX_new(::TLS_client_method()));
+  std::string_view ca_bundle_content(_binary_ca_bundle_crt_start,
+                                     _binary_ca_bundle_crt_end - _binary_ca_bundle_crt_start);
+  ASSERT_FALSE(ca_bundle_content.empty());
+  int result = load_ca_to_ssl_ctx_from_mem(ssl_ctx.get(), ca_bundle_content);
+  ASSERT_NE(result, 0);
+}
+#endif
+
+TEST(SSL_TEST, LoadSupplementaryCaBundle) {
+  bssl::UniquePtr<SSL_CTX> ssl_ctx;
+  ssl_ctx.reset(::SSL_CTX_new(::TLS_client_method()));
+  std::string_view ca_content(_binary_supplementary_ca_bundle_crt_start,
+                              _binary_supplementary_ca_bundle_crt_end - _binary_supplementary_ca_bundle_crt_start);
+  ASSERT_FALSE(ca_content.empty());
+  int result = load_ca_to_ssl_ctx_from_mem(ssl_ctx.get(), ca_content);
+  ASSERT_NE(result, 0);
+}
+
+TEST(SSL_TEST, LoadSystemCa) {
+  bssl::UniquePtr<SSL_CTX> ssl_ctx;
+  ssl_ctx.reset(::SSL_CTX_new(::TLS_client_method()));
+  int result = load_ca_to_ssl_ctx_system(ssl_ctx.get());
+#ifdef _WIN32
+  if (IsWindowsVersionBNOrGreater(6, 3, 0)) {
+    ASSERT_NE(result, 0);
+  } else {
+    GTEST_SKIP() << "skipped as system version is too low";
+  }
+#elif BUILDFLAG(IS_MAC) || BUILDFLAG(IS_ANDROID) || BUILDFLAG(IS_OHOS) || !defined(HAVE_BUILTIN_CA_BUNDLE_CRT)
+  ASSERT_NE(result, 0);
+#else
+  // we don't test on openwrt
+  GTEST_SKIP() << "skipped as system is not supported";
+#endif
+}