tests: Do not use global openssl.cnf

The global openssl configuration file automatically loads a pkcs11 provider, but it does it before we set up the token, which makes the pkcs11 tests failing. The workaround is to not load the global configuration, which is delaying the loading of the pkcs11 provider to the time of first use. Consequently, this will require separate integration end-to-end test that will verify the libssh works correctly with the pkcs11 provider loaded early. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Sahana Prasad <sahana@redhat.com>
2025-12-06 13:20:57 +03:00 · 2024-10-24 18:26:56 +02:00
parent c73a8a824e
commit 46d7417620
3 changed files with 25 additions and 0 deletions
--- a/tests/client/torture_auth_pkcs11.c
+++ b/tests/client/torture_auth_pkcs11.c
@@ -240,6 +240,14 @@ int torture_run_tests(void) {
                                        session_teardown),
    };

+    /* Do not use system openssl.cnf for the pkcs11 uri tests.
+     * It can load a pkcs11 provider too early before we will set up environment
+     * variables that are needed for the pkcs11 provider to access correct
+     * tokens, causing unexpected failures.
+     * Make sure this comes before ssh_init(), which initializes OpenSSL!
+     */
+    setenv("OPENSSL_CONF", "/dev/null", 1);
+
    ssh_init();
    torture_filter_tests(tests);
    rc = cmocka_run_group_tests(tests, sshd_setup, sshd_teardown);
--- a/tests/unittests/torture_pki_ecdsa_uri.c
+++ b/tests/unittests/torture_pki_ecdsa_uri.c
@@ -563,6 +563,14 @@ int torture_run_tests(void) {
    ssh_session session = ssh_new();
    int verbosity = SSH_LOG_FUNCTIONS;

+    /* Do not use system openssl.cnf for the pkcs11 uri tests.
+     * It can load a pkcs11 provider too early before we will set up environment
+     * variables that are needed for the pkcs11 provider to access correct
+     * tokens, causing unexpected failures.
+     * Make sure this comes before ssh_init(), which initializes OpenSSL!
+     */
+    setenv("OPENSSL_CONF", "/dev/null", 1);
+
    ssh_init();
    ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);

--- a/tests/unittests/torture_pki_rsa_uri.c
+++ b/tests/unittests/torture_pki_rsa_uri.c
@@ -285,7 +285,16 @@ torture_run_tests(void)
    ssh_session session = ssh_new();
    int verbosity = SSH_LOG_FUNCTIONS;

+    /* Do not use system openssl.cnf for the pkcs11 uri tests.
+     * It can load a pkcs11 provider too early before we will set up environment
+     * variables that are needed for the pkcs11 provider to access correct
+     * tokens, causing unexpected failures.
+     * Make sure this comes before ssh_init(), which initializes OpenSSL!
+     */
+    setenv("OPENSSL_CONF", "/dev/null", 1);
+
    ssh_options_set(session, SSH_OPTIONS_LOG_VERBOSITY, &verbosity);
+
    ssh_init();

    torture_filter_tests(tests);