Commit graph

2347 commits

Author SHA1 Message Date
Billy Brumley
30c41bfb15 [test] ECC: make sure negative tests pass for the right reasons
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7028)
2018-09-03 20:25:41 +02:00
wzhang
a7eeefeadc Fix the comment of PEM_read_bio_ex
Add one more unit test case

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
(Merged from https://github.com/openssl/openssl/pull/6892)
2018-09-03 20:35:11 +08:00
Matthias Kraft
ea5def1478 Extend dladdr() for AIX, consequence from changes for openssl#6368.
The shared libraries are now stored as members of archives, as it is usual
on AIX. To correctly address this the custom dladdr()-implementation as
well as the dlfcn_load() routine need to be able to cope with such a
construct: libname.a(libname.so).

Signed-off-by: Matthias Kraft <Matthias.Kraft@softwareag.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6872)
2018-08-22 21:50:33 +02:00
Matt Caswell
2fe3e2b682 Fix BoringSSL external test failures
We recently turned on the TLSv1.3 downgrade sentinels by default.
Unfortunately we are using a very old version of the BoringSSL test
runner which uses an old draft implementation of TLSv1.3 that also
uses the downgrade sentinels by default. The two implementations do
not play well together and were causing spurious test failures. Until
such time as we update the BoringSSL test runner we disable the failing
tests:

SendFallbackSCSV

In this test the client is OpenSSL and the server is the boring test runner.
The client and server fail to negotiate TLSv1.3 because the test runner is
using an old draft TLSv1.3 version. The server does however add the
TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we
recently turned on checking of the downgrade sentinels on the client side
this causes the connection to fail.

VersionNegotiationExtension-TLS11

In this test the test runner is the client and OpenSSL is the server. The
test modifies the supported_versions extension sent by the client to only
include TLSv1.1 (and some other spurious versions), even though the client
does actually support TLSv1.2. The server successfully selects TLSv1.1, but
adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently
switched on by default. The test runner then checks the downgrade sentinel
and aborts the connection because it knows that it really supports TLSv1.2.

VersionNegotiationExtension-TLS1
VersionNegotiationExtension-SSL3

The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3.

ConflictingVersionNegotiation

In this test the client is the test runner, and OpenSSL is the server. The
client offers TLSv1.2 in ClientHello.version, but also adds a
supported_versions extension that only offers TLSv1.1. The
supported_versions extension takes precedence and the server (correctly)
selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade
sentinel. On the client side it knows it actually offered TLSv1.2 and so the
downgrade sentinel check fails.

[extended tests]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)
2018-08-22 15:15:19 +01:00
Matt Caswell
5627f9f217 Don't detect a downgrade where the server has a protocol version hole
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)
2018-08-22 15:15:19 +01:00
Matt Caswell
3e7cb13dff Test that a client protocol "hole" doesn't get detected as a downgrade
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)
2018-08-22 15:15:19 +01:00
Pauli
3b8e97ab61 Zero memory in CRYPTO_secure_malloc.
This commit destroys the free list pointers which would otherwise be
present in the returned memory blocks.  This in turn helps prevent
information leakage from the secure memory area.

Note: CRYPTO_secure_malloc is not guaranteed to return zeroed memory:
before the secure memory system is initialised or if it isn't implemented.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/7011)
2018-08-22 09:20:18 +10:00
Nicola Tuveri
5d92b853f6 Replace GFp ladder implementation with ladd-2002-it-4 from EFD
The EFD database does not state that the "ladd-2002-it-3" algorithm
assumes X1 != 0.
Consequently the current implementation, based on it, fails to compute
correctly if the affine x coordinate of the scalar multiplication input
point is 0.

We replace this implementation using the alternative algorithm based on
Eq. (9) and (10) from the same paper, which being derived from the
additive relation of (6) does not incur in this problem, but costs one
extra field multiplication.

The EFD entry for this algorithm is at
https://hyperelliptic.org/EFD/g1p/auto-shortw-xz.html#ladder-ladd-2002-it-4
and the code to implement it was generated with tooling.

Regression tests add one positive test for each named curve that has
such a point. The `SharedSecret` was generated independently from the
OpenSSL codebase with sage.

This bug was originally reported by Dmitry Belyavsky on the
openssl-users maling list:
https://mta.openssl.org/pipermail/openssl-users/2018-August/008540.html

Co-authored-by: Billy Brumley <bbrumley@gmail.com>

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7000)
2018-08-21 09:51:18 +01:00
Matt Caswell
e97be71804 Add support for SSL_CTX_set_post_handshake_auth()
We already have SSL_set_post_handshake_auth(). This just adds the SSL_CTX
equivalent.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
2018-08-20 15:14:01 +01:00
Matt Caswell
32097b33bd Change Post Handshake auth so that it is opt-in
Having post handshake auth automatically switched on breaks some
applications written for TLSv1.2. This changes things so that an explicit
function call is required for a client to indicate support for
post-handshake auth.

Fixes #6933.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6938)
2018-08-20 15:14:01 +01:00
Pauli
4cceb185b1 Add a helper routine so that evp_test can compare memory without producing
spurious output when checking for error conditions.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6899)
2018-08-20 06:52:11 +10:00
Dr. Matthias St. Pierre
95c91cb3fc test/recipes/30-test_evp_data: fix two typos
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7001)
2018-08-18 06:57:42 +02:00
Matt Caswell
86ed2e1cb0 Fix a bug in test_sslversions
The TLSv1.4 tolerance test wasn't testing what we thought it was.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)
2018-08-15 12:33:30 +01:00
Matt Caswell
9f22c52723 Turn on TLSv1.3 downgrade protection by default
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)
2018-08-15 12:33:30 +01:00
Matt Caswell
35e742ecac Update code for the final RFC version of TLSv1.3 (RFC8446)
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6741)
2018-08-15 12:33:30 +01:00
Pauli
58094ab60f Add SHA3 HMAC test vectors from NIST.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6963)
2018-08-15 11:43:34 +10:00
Matt Caswell
9b287d53db Add a test for TLSv1.3 fallback
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6894)
2018-08-09 10:53:09 +01:00
Matt Caswell
f460e8396f Add a test for unencrypted alert
Test that a server can handle an unecrypted alert when normally the next
message is encrypted.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6887)
2018-08-08 10:16:58 +01:00
Dr. Matthias St. Pierre
080769102a test/asn1_internal_test.c: silence the new check for the ASN1 method table
In 38eca7fed0 a new check for the pem_str member of the entries of the
ASN1 method table was introduced. Because the test condition was split
into two TEST_true(...) conditions, the test outputs error diagnostics
for all entries which have pem_str != NULL. This commit joins the two
test conditions into a single condition.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6888)
2018-08-07 23:35:06 +02:00
Richard Levitte
38eca7fed0 Make EVP_PKEY_asn1_new() stricter with its input
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6880)
2018-08-07 07:53:08 +02:00
Pauli
3ef97bd8cb Relocate memcmp test.
The CRYPTO_memcmp test isn't testing the test framework.
It would seem to better belong in the sanity tests.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6878)
2018-08-07 10:51:01 +10:00
Matt Caswell
43a0f2733a Fix some TLSv1.3 alert issues
Ensure that the certificate required alert actually gets sent (and doesn't
get translated into handshake failure in TLSv1.3).

Ensure that proper reason codes are given for the new TLSv1.3 alerts.

Remove an out of date macro for TLS13_AD_END_OF_EARLY_DATA. This is a left
over from an earlier TLSv1.3 draft that is no longer used.

Fixes #6804

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6809)
2018-07-31 09:31:50 +01:00
Matt Caswell
9cc570d4c4 Use the new non-curve type specific EC functions internally
Fixes #6646

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6815)
2018-07-31 09:08:38 +01:00
Bryan Donlan
cb809437d3 Add test for DSA signatures of raw digests of various sizes
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6749)
2018-07-29 21:27:36 +02:00
Benjamin Kaduk
45a2353056 Fix ossl_shim SNI handling
To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
2018-07-26 15:06:53 -05:00
Matt Caswell
d8434cf856 Validate legacy_version
The spec says that a client MUST set legacy_version to TLSv1.2, and
requires servers to verify that it isn't SSLv3.

Fixes #6600

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6747)
2018-07-20 10:52:02 +01:00
Matt Caswell
d6ce9da49b Update the TLSv1.3 test vectors
Use the latest version of the test vectors available in:
https://tools.ietf.org/html/draft-ietf-tls-tls13-vectors-06

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6746)
2018-07-20 10:45:41 +01:00
Matt Caswell
0efa0ba4e6 Test early_data sent after a second ClientHello causes a failure
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6737)
2018-07-19 12:46:43 +01:00
Matt Caswell
9e6a32025e Add a test for mismatch between key OID and sig alg
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6732)
2018-07-18 09:58:56 +01:00
Matt Caswell
910fff7eb6 Skip the GOST test where appropriate
The GOST ciphers are dynamically loaded via the GOST engine, so we must
be able to support that. The engine also uses DSA and CMS symbols, so we
skip the test on no-dsa or no-cms.

Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6730)
2018-07-17 11:57:46 +01:00
Matt Caswell
fbe9dafddd Fix a memory leak in the ticket test
Also fixes a function name typo.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6729)
2018-07-17 11:19:10 +01:00
Matt Caswell
03cdf55914 Test that a failed resumption issues the correct number of tickets
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)
2018-07-17 10:12:10 +01:00
Matt Caswell
04d7814a80 Improve testing of stateful tickets
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6722)
2018-07-17 10:12:10 +01:00
Billy Brumley
66b0bca887 [test] test some important ladder corner cases
and catch corner cases better and earlier

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6690)
2018-07-16 10:17:40 +01:00
Andy Polyakov
dfd5fb0950 test/.../evppkey.txt: X25519 regression test vectors.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6699)
2018-07-15 19:05:50 +02:00
Matt Caswell
1e83954580 Add a GOST test
Test that we never negotiate TLSv1.3 using GOST

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6650)
2018-07-13 18:14:43 +01:00
Pauli
c9ecb13191 NCONF_get_number refix.
Fix the NULL check lack in a different way that is more compatible with
non-NULL branch.  Refer #6632

Also mark and pop the error stack instead of clearing all errors when something
goes awry in CONF_get_number.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6643)
2018-07-11 09:03:22 +10:00
Rich Salz
f99648638c Add tests for the "req" command, -addext flag
Also fixed a memory leak found by the test.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6681)
2018-07-09 14:55:17 -04:00
Matt Caswell
0d1b778901 Add a test for the recv_max_early_data setting
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6655)
2018-07-06 09:26:39 +01:00
Rich Salz
2ddee136ec Reject duplicate -addext parameters
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6636)
2018-07-05 19:57:22 -04:00
Matt Caswell
a97d19f7ce Fix no-tls1_2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6634)
2018-07-04 10:38:57 +01:00
Pauli
a9f3f1ccbb Tests for MD5-SHA1 combined digest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6642)
2018-07-04 08:07:02 +10:00
Matt Caswell
4cb004573a Remove TLSv1.3 tickets from the client cache as we use them
Tickets are supposed to be single use so we remove them from the cache on
use.

Fixes #6377

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6601)
2018-07-03 09:44:46 +01:00
Pauli
c36b39b5cd Check for NULL conf in NCONF_get_number
The problematic case falls back to a NULL conf which returns the result
of getenv(2).  If this returns NULL, everything was good.  If this returns
a string an attempt to convert it to a number is made using the function
pointers from conf.

This fix uses the strtol(3) function instead, we don't have the
configuration settings and this behaves as the default would.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6632)
2018-07-03 13:14:17 +10:00
Matt Caswell
3bb5e5b09e Add the ability to configure anti-replay via SSL_CONF
This also adds the ability to control this through s_server

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Matt Caswell
5a42141565 Add a test for the new early data callback
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Billy Brumley
249330de02 More EVP ECC testing: positive and negative
1. For every named curve, two "golden" keypair positive tests.
2. Also two "golden" stock ECDH positive tests.
3. For named curves with non-trivial cofactors, additionally two "golden"
   ECC CDH positive tests.
4. For named curves with non-trivial cofactors, additionally two negative
   tests.

There is some overlap with existing EVP tests, especially for the NIST
curves (for example, positive testing ECC CDH KATs for NIST curves).

"Golden" here means all the values are independent from OpenSSL's ECC
code. I used sage to calculate them. What comes from OpenSSL is:

1. The OIDs (parsed by tooling)
2. The curve parameters (parsing ecparam output with tooling)

The values inside the PEMs (private keys, public keys) and shared keys
are from sage. The PEMs themselves are the output of asn1parse, with
input taken from sage.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6608)
2018-06-29 12:29:12 +02:00
Matt Caswell
358ffa05cd Return a fatal error if application data is encountered during shutdown
Currently if you encounter application data while waiting for a
close_notify from the peer, and you have called SSL_shutdown() then
you will get a -1 return (fatal error) and SSL_ERROR_SYSCALL from
SSL_get_error(). This isn't accurate (it should be SSL_ERROR_SSL) and
isn't persistent (you can call SSL_shutdown() again and it might then work).

We change this into a proper fatal error that is persistent.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
2018-06-27 10:03:37 +01:00
Matt Caswell
ba70904949 Return SSL_ERROR_WANT_READ if SSL_shutdown() encounters handshake data
In the case where we are shutdown for writing and awaiting a close_notify
back from a subsequent SSL_shutdown() call we skip over handshake data
that is received. This should not be treated as an error - instead it
should be signalled with SSL_ERROR_WANT_READ.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
2018-06-27 10:03:20 +01:00
Matt Caswell
c748834ff7 Add a bi-directional shutdown test
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
2018-06-27 10:03:20 +01:00
Matt Caswell
6cc0b3c217 Respect SSL_OP_NO_TICKET in TLSv1.3
Implement support for stateful TLSv1.3 tickets, and use them if
SSL_OP_NO_TICKET is set.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
2018-06-26 18:09:46 +01:00
Bernd Edlinger
09fb65d5e4 Fix negative test result in sm2 test
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6548)
2018-06-22 14:55:28 +02:00
Andy Polyakov
bd3d8c1260 recipes/90-test_shlibload.t: disable tests on AIX till further notice.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6487)
2018-06-22 10:58:00 +02:00
Nicola Tuveri
3f5abab941 enable-ec_nistp_64_gcc_128: Fix function prototype warning [-Wstrict-prototypes]
Fix prototype warnings triggered by -Wstrict-prototypes when configuring
with `enable-ec_nistp_64_gcc_128`

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6556)
2018-06-22 08:08:01 +02:00
Dr. Matthias St. Pierre
12bd4e141e testutil/driver.c: Fix function prototype warning [-Wstrict-prototypes]
(introduced by commit 9186016582, which added -Wstrict-prototypes)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6555)
2018-06-22 01:04:34 +02:00
Shane Lontis
7d79d13a56 Fixed range of random produced in BN_is_prime_fasttest_ex() to be 1 < rand < w-1. It was using 1<= rand < w (which is wrong by 1 on both ends)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6547)
2018-06-22 07:07:20 +10:00
Bernd Edlinger
9186016582 Add -Wstrict-prototypes option to --strict-warnings
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6542)
2018-06-21 19:04:19 +02:00
Billy Brumley
a766aab93a [crypto/ec] don't assume points are of order group->order
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6535)
2018-06-21 13:33:42 +02:00
Matt Caswell
fd38836ba8 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6538)
2018-06-20 15:29:23 +01:00
Matt Caswell
c86acc9f83 Fix no-sm2
Fixes #6525

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6531)
2018-06-20 14:29:31 +01:00
Bernd Edlinger
f73164ca1e Fix test sm2 test failure with ec blinding
[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6529)
2018-06-20 14:22:59 +01:00
Jack Lloyd
ddb634fe6f Move SM2 algos to SM2 specific PKEY method
Use EVP_PKEY_set_alias_type to access

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6443)
2018-06-19 11:29:44 +01:00
David von Oheimb
8263e6cb98 add cast in test/x509aux.c preventing compiler warning for VC-WIN64A architecture
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
2018-06-18 10:45:35 +01:00
Matt Caswell
896dcb8065 Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6437)
2018-06-08 16:45:04 +01:00
Matt Caswell
bb5f281ad0 Add a test for the raw private/public key getters
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6394)
2018-06-08 10:04:09 +01:00
Matt Caswell
6cf2dbd9fa Don't store the ticket nonce in the session
We generate the secrets based on the nonce immediately so there is no
need to keep the nonce.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6415)
2018-06-07 10:58:35 +01:00
Matt Caswell
2167239aba Use lowercase for internal SM2 symbols
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
e14d6cf691 Improve use of the test framework in the SM2 internal tests
Also general clean up of those tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
266291aa8d Add test recipes for internal SM2 tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Jack Lloyd
e425f90fff Make SM2 functions private
Address issue #5670

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Richard Levitte
1e8d5ea5df OSSL_STORE: don't test file: URIs on Mingw
Under a mingw shell, the command line path conversion either mangles
file: URIs to something useless (file;C:\...) or not at all (which
can't be opened by the Windows C RTL unless we're really lucky), so we
simply skip testing them in that environment.

Fixes #6369

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6376)
2018-05-30 16:10:42 +02:00
Matt Caswell
adf652436a Test that a ^ 0 mod -1 is always 0
Check all functions that do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
2018-05-29 16:43:18 +01:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
David Benjamin
2de108dfa3 Save and restore the Windows error around TlsGetValue.
TlsGetValue clears the last error even on success, so that callers may
distinguish it successfully returning NULL or failing. This error-mangling
behavior interferes with the caller's use of GetLastError. In particular
SSL_get_error queries the error queue to determine whether the caller should
look at the OS's errors. To avoid destroying state, save and restore the
Windows error.

Fixes #6299.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6316)
2018-05-23 17:34:54 -04:00
David Benjamin
fc6f579a9e Fix explicit EC curve encoding.
Per SEC 1, the curve coefficients must be padded up to size. See C.2's
definition of Curve, C.1's definition of FieldElement, and 2.3.5's definition
of how to encode the field elements in http://www.secg.org/sec1-v2.pdf.

This comes up for P-521, where b needs a leading zero.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6314)
2018-05-23 17:32:41 -04:00
Viktor Dukhovni
d02d80b2e8 Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:13 -04:00
Matt Caswell
0422591573 Fix no-ec, no-tls1_3 and no-tls
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6321)
2018-05-23 10:44:04 +01:00
Kurt Roeckx
693cf80c6f Enable SSL_MODE_AUTO_RETRY by default
Because TLS 1.3 sends more non-application data records some clients run
into problems because they don't expect SSL_read() to return and set
SSL_ERROR_WANT_READ after processing it.

This can cause problems for clients that use blocking I/O and use
select() to see if data is available. It can be cleared using
SSL_CTX_clear_mode().

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #6260
2018-05-22 22:45:28 +02:00
Matt Caswell
1aac20f509 Fix no-ec in combination with no-dh
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6321)
2018-05-22 13:21:24 +01:00
Matt Caswell
ee94ec2ef8 Don't cache stateless tickets in TLSv1.3
In TLSv1.2 and below we always cache new sessions by default on the server
side in the internal cache (even when we're using session tickets). This is
in order to support resumption from a session id.

In TLSv1.3 there is no session id. It is only possible to resume using the
ticket. Therefore, in the default case,  there is no point in caching the
session in the internal store.

There is still a reason to call the external cache new session callback
because applications may be using the callbacks just to know about when
sessions are created (and not necessarily implementing a full cache). If
the application also implements the remove session callback then we are
forced to also store it in the internal cache so that we can create
timeout events. Otherwise the external cache could just fill up
indefinitely.

This mostly addresses the issue described in #5628. That issue also proposes
having an option to not create full stateless tickets when using the
internal cache. That aspect hasn't been addressed yet.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6293)
2018-05-21 10:36:03 +01:00
Dr. Matthias St. Pierre
8a59c08583 DH: add some basic tests (and comments)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6273)
2018-05-18 08:53:48 +02:00
Matt Caswell
c22365b399 Improve testing of tickets with post-handshake auth
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
36ff232cf2 Change the default number of NewSessionTickets we send to 2
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
73cc84a132 Suport TLSv1.3 draft 28
Also retains support for drafts 27 and 26

Fixes #6257

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6258)
2018-05-15 10:02:59 +01:00
Matt Caswell
ba8b48e98d Fix no-tls1_2
Also fixes no-tls1_2-method, no-tls1_3, no-tls, no-ec

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6253)
2018-05-14 17:43:19 +01:00
Matt Caswell
61fb59238d Rework the decrypt ticket callback
Don't call the decrypt ticket callback if we've already encountered a
fatal error. Do call it if we have an empty ticket present.

Change the return code to have 5 distinct returns codes and separate it
from the input status value.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:09 +01:00
Matt Caswell
c20e3b282c Fix mem leak in sslapi test
The recent change in behaviour where you do not get a NewSessionTicket
message sent if you established the connection using a PSK caused a mem
leak to be triggered in sslapitest. It was actually a latent bug and we
were just lucky we never hit it before. The problem is due to complexity
with the way PSK sessions were set up in the early_data tests. PSK session
reference counting was handled differently to normal session reference
counting. This meant there were lots of special cases in the code where
we don't free a session if it is a PSK. It makes things easier if we just
handle PSK reference counts in the same way as other session reference
counts, and then we can remove all of the special case code.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
d0191fe059 Add a test for the ticket callbacks
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
c0638adeec Fix ticket callbacks in TLSv1.3
The return value from the ticket_key callback was not properly handled in
TLSv1.3, so that a ticket was *always* renewed even if the callback
requested that it should not be.

Also the ticket decrypt callback was not being called at all in TLSv1.3.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
e825109236 Add some more SSL_pending() and SSL_has_pending() tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6159)
2018-05-11 14:20:57 +01:00
Matt Caswell
0d8da77908 Test an old style PSK callback with no cert will prefer SHA-256
If using an old style PSK callback and no certificate is configured for
the server, we should prefer ciphersuites based on SHA-256, because that
is the default hash for those callbacks as specified in the TLSv1.3 spec.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6215)
2018-05-11 13:47:13 +01:00
Kurt Roeckx
3cb7c5cfef Use void in all function definitions that do not take any arguments
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6208
2018-05-11 14:37:48 +02:00
Matt Caswell
c3114a7732 Set the ossl_shim to auto retry if not running asynchronously
In certain circumstances in the DTLS code we have to drop a record (e.g. if
it is a stale retransmit). We then have to move on to try and read the next
record. Some applications using blocking sockets (e.g. s_server/s_client
will hang if there isn't actually any data to be read from the socket yet).
Others can tolerate this. Therefore SSL_read()/SSL_write() can sometimes
return SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE even when using blocking
sockets. Applications can use the mode SSL_MODE_AUTO_RETRY, to switch this
behaviour off so that we never return unless we have read the data we
wanted to.

Commit ad96225285 fixed a DTLS problem where we always retried even if
SSL_MODE_AUTO_RETRY was not set. However that fix caused the Boring
ossl_shim to fail in some tests because it was relying on the previous
(buggy) behaviour. The ossl_shim should be set into SSL_MODE_AUTO_RETRY if
it is not operating asynchronously to avoid this problem.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6216)
2018-05-11 10:29:04 +01:00
Matt Caswell
a01b9cd5a7 Fix no-cms
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6205)
2018-05-09 23:22:11 +01:00
Matt Caswell
60155b9ae1 Fix no-tls1_2, no-tls1_2-method, no-chacha and no-poly1305
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6205)
2018-05-09 23:22:11 +01:00
Matt Caswell
61e96557f9 Add a DTLS test for dropped records
Drop a record from a handshake and check that we can still complete the
handshake. Repeat for all records in the handshake.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6170)
2018-05-08 09:40:17 +01:00
Matt Caswell
e15e92dbd5 Add a CMS API test
Previous tests only invoked CMS via the command line app. This test uses
the CMS API directly to do and encrypt and decrypt operation. This test
would have caught the memory leak fixed by the previous commit (when
building with enable-crypto-mdebug).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)
2018-05-08 08:43:39 +01:00
Matt Caswell
e401389a0c Add a test for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
2018-05-02 23:30:47 +01:00
Matt Caswell
6021d8ec5a Fix a bug in create_ssl_ctx_pair()
The max protocol version was only being set on the server side. It should
have been done on both the client and the server.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
2018-05-02 23:30:47 +01:00
FdaSilvaYY
c7e10755fa opensslconf.h inclusion cleanup
No need to buildtest on opensslconf.h

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6149)
2018-05-02 23:42:21 +02:00
Matt Caswell
6ec5fce25e Update copyright year
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6145)
2018-05-01 13:34:30 +01:00
Kurt Roeckx
d1ae34e92d Use the config file from the source not the host for the tests
Fixes: #6046

Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #6125
2018-04-30 12:00:51 +02:00
Billy Brumley
9e5b50b54d fix: BN_swap mishandles flags
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6099)
2018-04-27 09:54:37 +01:00
Richard Levitte
6fb7b08987 15-test_out_option: Refactor and don't test directory write on VMS
To my surprise, it turns out that on OpenVMS, opening './' (which
is translated to '[]') for writing actually creates a file, '[].'.
On OpenVMS, this is a perfectly valid file with no name or extension,
just the delimiter between the two.

Because of the mess the exception would generate in the test recipe,
it gets refactored again, to clearly separate each test inside it,
and use skips to avoid some of them (that makes it clear that they are
skipped and why, when running the recipe).

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6100)
2018-04-26 21:19:49 +02:00
Richard Levitte
39e32be1cc test/recipes/15-test_out_option.t: refine tests
Test writing to the null device.  This should be successful.

Also, refactor so the planned number of tests is calculated.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:25 +02:00
Nicola Tuveri
22f0c72b92 [SM2_sign] add minimal EVP_PKEY functionality testing
The actual functionality of generating signatures through the `EVP_PKEY`
API is completely untested.
Current tests under the `EVP_PKEY` API
(`test/recipes/30-test_evp_data/evppkey.txt`) only cover `Verify` and
`Decrypt`, while encryption and signature generation are tested with
ad-hoc clients (`test/sm2crypttest.c`, `test/sm2signtest.c`) that do not
call the `EVP_PKEY` interface at all but soon-to-be private functions
that bypass it (cf. PR#5895 ).

It is my opinion that an ideal solution for the future would consist on
enhancing the `test/evp_pkey` facility and syntax to allow tests to take
control of the PRNG to inject known nonces and validate the results of
`EVP_PKEY` implementations against deterministic known answer tests, but
it is probably too late to work on this feature in time for next release.

Given that commit b5a85f70d8 highlights some critical bugs in the hook
between the `EVP_PKEY` interface and SM2 signature generation and that
these defects escaped testing and code review, I think that at least for
now it is beneficial to at least add the kind of "bogus" testing
provided by this patch:
this is a "fake" test as it does only verify that the SM2 `EVP_PKEY`
interface is capable of creating a signature without failing, but it
does not say anything about the generated signature being valid, nor
does it test the functional correctness of the cryptosystem.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)
2018-04-25 10:24:43 +01:00
Matt Caswell
6862de63d4 Add a test to verify the ClientHello version is the same in a reneg
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)
2018-04-24 09:54:31 +01:00
Matt Caswell
7500bc337a Allow TLSv1.3 EC certs to use compressed points
The spec does not prohib certs form using compressed points. It only
requires that points in a key share are uncompressed. It says nothing
about point compression for certs, so we should not fail if a cert uses a
compressed point.

Fixes #5743

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6055)
2018-04-24 09:28:17 +01:00
Matt Caswell
4a432af895 Add a test for SSL_pending()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6020)
2018-04-20 11:51:57 +01:00
Matt Caswell
033c181ba6 Test the state of SSL_in_init() from the info_callback
Check that in a handshake done event SSL_in_init() is 0 (see #4574)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)
2018-04-20 11:46:12 +01:00
Matt Caswell
7f6dfa19df Add a test for a NULL X509_STORE in X509_STORE_CTX_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)
2018-04-19 08:53:40 +01:00
Matt Caswell
6e07834ca0 Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5997)
2018-04-19 08:36:45 +01:00
Andy Polyakov
c4220c0f9a recipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.
This fixes only those tests that were failing when network data was
fragmented. Remaining ones might succeed for "wrong reasons". Bunch
of tests have to fail to be considered successful and when data is
fragmented they might fail for reasons other than originally intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
2018-04-18 19:57:54 +02:00
Peter Wu
d4da95a773 test: Remove redundant SSL_CTX_set_max_early_data
Client can only send early data if the PSK allows for it, the
max_early_data_size field can only be configured for the server side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Peter Wu
01a2a65488 Add support for logging early exporter secret
This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Peter Wu
cffe973c45 Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Peter Wu
6329ce8fd8 Add support for logging TLS 1.3 exporter secret
NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Matt Caswell
7d4488bbd7 Extend the SSL_set_bio() tests
The SSL_set_bio() tests only did standalone testing without being in the
context of an actual connection. We extend this to do additional tests
following a successful or failed connection attempt. This would have
caught the issue fixed in the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)
2018-04-17 17:02:33 +01:00
Matt Caswell
5718fe4560 Add a test for the info callback
Make sure the info callback gets called in all the places we expect it to.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
2018-04-17 16:51:03 +01:00
Dr. Matthias St. Pierre
43687d685f DRBG: fix coverity issues
- drbg_lib.c: Silence coverity warning: the comment preceding the
  RAND_DRBG_instantiate() call explicitely states that the error
  is ignored and explains the reason why.

- drbgtest: Add checks for the return values of RAND_bytes() and
  RAND_priv_bytes() to run_multi_thread_test().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5976)
2018-04-17 17:24:50 +02:00
Bernd Edlinger
dbabc86296 Add a config option to disable automatic config loading
./config no-autoload-config

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5959)
2018-04-17 16:33:15 +02:00
Richard Levitte
28428130db Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
2018-04-17 15:18:40 +02:00
Andy Polyakov
de5b3a8645 TLSProxy/Proxy.pm: bind s_server to loopback interface.
Bind even test/ssltest_old.c to loopback interface. This allows to avoid
unnecessary alerts from Windows and Mac OS X firewalls.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
2018-04-14 19:59:02 +02:00
Richard Levitte
1b9f41a0df test/recipes/test_genrsa.t : don't fail because of size limit changes
There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits.  Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.

Partially fixes #5751

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)

(cherry picked from commit ec46830f8a)
2018-04-13 17:45:22 +02:00
Matt Caswell
76fd7a1d61 Add a test for SRP
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
2018-04-13 09:37:39 +01:00
Andy Polyakov
f5e3115361 test/asn1_time_test.c: make it work on 64-bit HP-UX.
HP-UX gmtime fails with ERANGE past 19011213204552Z, so skip some tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)
2018-04-08 11:17:44 +02:00
Matt Caswell
a53b5be6a0 Fix configuration of TLSv1.3 ciphersuites
Configuration of TLSv1.3 ciphersuites wasn't working in some cases.

Fixes #5740

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5855)
2018-04-04 16:17:26 +01:00
Matt Caswell
034cb87b6c Add some tests for configuring the TLSv1.3 ciphersuites
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5855)
2018-04-04 16:17:26 +01:00
David Benjamin
dc55e4f70f Fix a bug in ecp_nistp224.c.
felem_neg does not produce an output within the tight bounds suitable
for felem_contract. This affects build configurations which set
enable-ec_nistp_64_gcc_128.

point_double and point_add, in the non-z*_is_zero cases, tolerate and
fix up the wider bounds, so this only affects point_add calls where the
other point is infinity. Thus it only affects the final addition in
arbitrary-point multiplication, giving the wrong y-coordinate. This is a
no-op for ECDH and ECDSA, which only use the x-coordinate of
arbitrary-point operations.

Note: ecp_nistp521.c has the same issue in that the documented
preconditions are violated by the test case. I have not addressed this
in this PR. ecp_nistp521.c does not immediately produce the wrong
answer; felem_contract there appears to be a bit more tolerant than its
documented preconditions. However, I haven't checked the point_add
property above holds. ecp_nistp521.c should either get this same fix, to
be conservative, or have the bounds analysis and comments reworked for
the wider bounds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5779)
2018-04-03 16:09:20 -04:00
Matt Caswell
c4d3c19b4c Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5851)
2018-04-03 13:57:12 +01:00
Kurt Roeckx
2a70d65b99 Make sure we use a nonce when a nonce is required
If a nonce is required and the get_nonce callback is NULL, request 50%
more entropy following NIST SP800-90Ar1 section 9.1.

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5503
2018-04-01 21:11:26 +02:00
Bernd Edlinger
26db32469f Fix a gcc-8 warning -Wcast-function-type
Casting to the generic function type "void (*)(void)"
prevents the warning.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5816)
2018-03-31 16:58:06 +02:00
Richard Levitte
efe749c840 Refuse to run test_cipherlist unless shared library matches build
test/cipherlist_test.c is an internal consistency check, and therefore
requires that the shared library it runs against matches what it was
built for.  test/recipes/test_cipherlist.t is made to refuse running
unless library version and build version match.

This adds a helper program test/versions.c, that simply displays the
library and the build version.

Partially fixes #5751

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5753)

(cherry picked from commit cde87deafa)
2018-03-31 16:40:07 +02:00
Bernd Edlinger
f91e026e38 Fix a possible crash in BN_from_montgomery_word
Thanks to Darovskikh Andrei for for reporting this issue.

Fixes: #5785

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5793)
2018-03-31 16:31:37 +02:00
Richard Levitte
9d74090959 Faster fuzz test: teach the fuzz test programs to handle directories
Instead of invoking the fuzz test programs once for every corpora
file, we invoke them once for each directory of corpora files.  This
dramatically reduces the number of program invikations, as well as the
time 99-test_fuzz.t takes to complete.

fuzz/test-corpus.c was enhanced to handle directories as well as
regular files.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5776)
2018-03-29 09:24:56 +02:00
Matt Caswell
dcf8b01f44 Tolerate a Certificate using a non-supported group on server side
If a server has been configured to use an ECDSA certificate, we should
allow it regardless of whether the server's own supported groups list
includes the certificate's group.

Fixes #2033

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5601)
2018-03-28 15:08:09 +01:00
Matt Caswell
7814cdf3eb Revert "Temporarily disable some tests that hang"
This reverts commit 37a3859564.

These tests should now be fixed by commit e6e9170d6.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5765)
2018-03-28 14:59:16 +01:00
Matt Caswell
37a3859564 Temporarily disable some tests that hang
The previous commit causes some tests to hang so we temporarily disable them.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5757)
2018-03-27 17:15:24 +01:00
Andy Polyakov
75a8f1eff0 test/test_test.c: add CRYPTO_memcmp regression test.
Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-27 10:22:49 +01:00
Richard Levitte
84e68a1bba test/shlibloadtest.c: make some variables block local
myDSO_dsobyaddr and myDSO_free are only used in a narrow block of
code, and can therefore be made local to that block.  Otherwise, some
compilers may warn that they are unused.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 14:18:16 +01:00
Richard Levitte
cfaad1713e test/shlibloadtest.c: fix various errors
These errors were hidden because compiling this file didn't get the
macros derived from the dso_scheme attribute, and therefore, some code
never got compiled.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 01:05:41 +01:00
Richard Levitte
b71fa7b32d Include "internal/dso_conf.h" where needed and appropriate
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 01:05:23 +01:00
Patrick Steuer
e613b1eff4 aes ctr_drbg: add cavs tests
Signed-off-by: Patrick Steuer <patrick.steuer@de.ibm.com>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #5580
2018-03-21 21:32:47 +01:00
Matthias Kraft
4af14b7b01 Add dladdr() for AIX
Although it deviates from the actual prototype of DSO_dsobyaddr(), this
is now ISO C compliant and gcc -Wpedantic accepts the code.

Added DATA segment checking to catch ptrgl virtual addresses. Avoid
memleaks with every AIX/dladdr() call. Removed debug-fprintf()s.
Added test case for DSO_dsobyaddr(), which will eventually call dladdr().
Removed unecessary AIX ifdefs again.

The implementation can only lookup function symbols, no data symbols.
Added PIC-flag to aix*-cc build targets.

As AIX is missing a dladdr() implementation it is currently uncertain our
exit()-handlers can still be called when the application exits. After
dlclose() the whole library might have been unloaded already.

Signed-off-by: Matthias Kraft <makr@gmx.eu>

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5668)
2018-03-20 21:33:50 -04:00
Matt Caswell
9e0d82f681 Reduce the verbosity of test_store
The travis logs are going above 4Mb causing the builds to fail. One
test creates excessive output. This change reduces that output by approx
180k.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5694)
2018-03-20 16:46:59 +00:00
Matt Caswell
b0edda11cb Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5689)
2018-03-20 13:08:46 +00:00
Dr. Matthias St. Pierre
59f124f90f Fix: drbgtest fails when tests are executed in random order
[extended tests]

The test_rand_reseed assumed that the global DRBGs were not used
previously. This assumption is false when the tests are executed
in random order (OPENSSL_TEST_RAND_ORDER). So we uninstantiate
them first and add a test for the first instantiation.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5680)
2018-03-19 22:55:11 +00:00
Richard Levitte
3830c1943b Don't generate buildtest_*err.c
The error string header files aren't supposed to be included directly,
so there's no point testing that they can.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5678)
2018-03-19 18:54:27 +01:00
Richard Levitte
7d7f6834e5 Enhance ssltestlib's create_ssl_ctx_pair to take min and max proto version
Have all test programs using that function specify those versions.
Additionally, have the remaining test programs that use SSL_CTX_new
directly specify at least the maximum protocol version.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5663)
2018-03-19 18:24:30 +01:00
Matt Caswell
1bf2cc237e Fix no-sm2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5673)
2018-03-19 17:12:19 +00:00