Commit graph

1862 commits

Author SHA1 Message Date
Benjamin Kaduk
3cb6a4d6d6 Fix memory leak in session cache test
When we are using the internal cache we have to make a copy of the
session before removing it from the parent context's cache, since
we want our copy to still be resumable.  However, SSL_CTX_remove_session()
just detaches the session from the SSL_CTX; it does not free the session.
So, we must call SSL_SESSION_free() ourselves before overwriting the
variable that we dup'd from.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4126)
2017-08-09 13:50:02 -05:00
Matt Caswell
7a301f08bc Test server side session caching
In particular this covers the scenario mentioned in #4014

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4072)
2017-08-09 13:37:06 +10:00
Johannes Bauer
402f26e6ee Fix building without scrypt
Building without the scrypt KDF is now possible, the OPENSSL_NO_SCRYPT
define is honored in code. Previous this lead to undefined references.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4116)
2017-08-08 20:50:44 +01:00
Dr. Stephen Henson
5d09b003c0 Add test for ECDH CMS key only
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4115)
2017-08-08 18:55:56 +01:00
Johannes Bauer
6aa907a6bf Add PKEY_METHOD macro tests
Added the pkey_meth_kdf_test tests which test the PKEY_METHOD macros (at
the moment, of HKDF and scrypt).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
2017-08-08 15:44:49 +01:00
Johannes Bauer
cefa762ee5 Add interface to the scrypt KDF by means of PKEY_METHOD
Add an interface that allows accessing the scrypt KDF as a PKEY_METHOD.
This fixes #4021 (at least for the scrypt portion of the issue).

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Stephen Henson <steve@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4026)
2017-08-08 15:44:49 +01:00
Pauli
99801878c0 Change SETUP_TEST_FIXTURE so that the fixture structure is passed by
reference not by value.  This allows an error return from the setup function.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4083)
2017-08-07 08:57:05 +10:00
Todd Short
cf37aaa335 Consolidate to a single asn1_time_from_tm() function
Add missing ASN1_TIME functions

Do some cleanup of the ASN1_TIME code.
Add ASN1_TIME_normalize() to normalize ASN1_TIME structures.
Add ASN1_TIME_compare() to compare two ASN1_TIME structures.
Add ASN1_TIME_cmp_time_t() to compare an ASN1_TIME to time_t
(generic version of ASN1_UTCTIME_cmp_time_t()).

Replace '0' .. '9' compares with isdigit()

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2753)
2017-08-04 11:24:03 +10:00
Pauli
2326bba0e5 Test fixtures changed to pointers.
Change the fixture types to pointers to structures that are heap allocated in the tests that use SETUP_TEST_FIXTURE.  This will permit error returns from the setup function and allow for future running tests in parallel.

Also removed a call of `exit(2)` which allows the remaining tests to run if one fails to initialise.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4071)
2017-08-04 07:37:21 +10:00
Andy Polyakov
fbf9d108df recipes/80-test_ca.t: make it work with spaces in pathnames.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-08-03 21:28:26 +02:00
Rich Salz
75e2c87765 Switch from ossl_rand to DRBG rand
If RAND_add wraps around, XOR with existing. Add test to drbgtest that
does the wrap-around.

Re-order seeding and stop after first success.

Add RAND_poll_ex()

Use the DF and therefore lower RANDOMNESS_NEEDED.  Also, for child DRBG's,
mix in the address as the personalization bits.

Centralize the entropy callbacks, from drbg_lib to rand_lib.
(Conceptually, entropy is part of the enclosing application.)
Thanks to Dr. Matthias St Pierre for the suggestion.

Various code cleanups:
    -Make state an enum; inline RANDerr calls.
    -Add RAND_POLL_RETRIES (thanks Pauli for the idea)
    -Remove most RAND_seed calls from rest of library
    -Rename DRBG_CTX to RAND_DRBG, etc.
    -Move some code from drbg_lib to drbg_rand; drbg_lib is now only the
     implementation of NIST DRBG.
    -Remove blocklength

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4019)
2017-08-03 09:23:28 -04:00
Dr. Stephen Henson
b15d5ab617 Allow use of long name for KDFs
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/4079)
2017-08-03 02:18:44 +01:00
Pauli
7e885b7bdf Simplify some of the sslapitest code.
Removing the use of SETUP_TEST_FIXTURE reduces complxity in those tests that
used it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4066)
2017-08-02 11:59:51 +10:00
Pauli
fa9ad41476 Remove EXECUTE_TEST_NO_TEARDOWN.
Simplify the only test that uses this macro so it doesn't need it anymore.
Clean up the formatting a little.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4034)
2017-08-02 08:29:28 +10:00
Paul Yang
a9dee23037 Add test case for ASN1_TIME_print
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4061)
2017-08-01 22:35:10 +02:00
Matt Caswell
c0537ebdf1 Add a test to check we get a new session even if s->hit is true in TLSv1.3
In TLSv1.3 we can resume, but still get a new session. This adds a test to
make sure that is happening.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/4068)
2017-08-01 13:09:52 +01:00
David Benjamin
ee1ed1d380 Fix the names of older ciphers.
The names of these ciphers have an "SSL_" prefix, but the RFC names use
"TLS_":
https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-4

This dates back to these ciphers being originally defined in SSLv3. As
SSLv3 is on its way out anyway and this is a new set of APIs,
consistently use the TLS names.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4007)
2017-07-31 09:11:18 -04:00
Dr. Stephen Henson
48ed9c23b0 Add public key method enumeration function.
Add functions to enumerate public key methods. Add test to ensure table
is in the correct order.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4015)
2017-07-29 23:04:09 +01:00
Bernd Edlinger
8bf2d93057 Add some test coverage for OPENSSL_secure_clear_free
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4044)
2017-07-29 19:31:12 +02:00
Bernd Edlinger
0443b1171d Add some test coverage for PEM_read_bio_PrivateKey
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4047)
2017-07-29 14:55:30 +02:00
Paul Yang
190b9a03b7 Make SSL_set_tlsext_host_name no effect from server side
Documentation and test cases are also updated

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3783)
2017-07-28 11:51:59 -04:00
Richard Levitte
102c9e1296 Perl: Use File::Glob::bsd_glob rather than File::Glob::glob
File::Glob::glob is deprecated, it's use generates this kind of
message:

    File::Glob::glob() will disappear in perl 5.30. Use File::Glob::bsd_glob() instead. at ../master/Configure line 277.

So instead, use a construction that makes the caller glob() use
File::Glob::bsd_glob().

Note that we're still excluding VMS, as it's directory specs use '['
and ']', which have a different meaning with bsd_glob and would need
some extra quoting.  This might change, but later.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4040)
2017-07-28 14:45:17 +02:00
Pauli
735e350555 Formatting & declaration cleanse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4032)
2017-07-28 09:26:40 +10:00
Pauli
e89f5fb370 OPENSSL_NO_ENGINE defined causes build failures
TEST_note as an undefined link symbol is the symptom.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4032)
2017-07-28 09:25:59 +10:00
Pauli
43405889f4 Fix the two new tests since approval.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3953)
2017-07-27 08:08:36 +10:00
Pauli
ad887416f1 Update the test framework so that the need for test_main is removed. Everything
that needed test_main now works using the same infrastructure as tests that used
register_tests.

This meant:
* renaming register_tests to setup_tests and giving it a success/failure return.
* renaming the init_test function to setup_test_framework.
* renaming the finish_test function to pulldown_test_framework.
* adding a user provided global_init function that runs before the test frame
    work is initialised.  It returns a failure indication that stops the stest.
* adding helper functions that permit tests to access their command line args.
* spliting the BIO initialisation and finalisation out from the test setup and
    teardown.
* hiding some of the now test internal functions.
* fix the comments in testutil.h

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3953)
2017-07-27 07:53:08 +10:00
Paul Yang
7b608d0828 Add test cases and docs for ASN1_STRING_TABLE_* functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3998)
2017-07-26 20:06:51 +02:00
Todd Short
a58eb06d52 Add support to free/allocate SSL buffers
OpenSSL already has the feature of SSL_MODE_RELEASE_BUFFERS that can
be set to release the read or write buffers when data has finished
reading or writing. OpenSSL will automatically re-allocate the buffers
as needed. This can be quite aggressive in terms of memory allocation.

This provides a manual mechanism. SSL_free_buffers() will free
the data buffers if there's no pending data. SSL_alloc_buffers()
will realloc them; but this function is not strictly necessary, as it's
still done automatically in the state machine.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2240)
2017-07-26 11:42:17 -04:00
Andy Polyakov
e4adad92b3 Wire SHA3 EVPs and add tests.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3943)
2017-07-25 21:40:30 +02:00
Richard Levitte
83e0d090b1 test/recipes/80-test_tsa.t: Don't trust 'OPENSSL_CONF'
There's a case when the environment variable OPENSSL_CONF is
useless...  when cross compiling for mingw and your wine environment
has an environment variable OPENSSL_CONF.  The latter will override
anything that's given when starting wine and there make the use of
that environment variable useless in our tests.

Therefore, we should not trust it, and use explicit '-config' options
instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3994)
2017-07-24 11:50:46 +02:00
Pauli
1a68e5b0d9 Improve struct tm population
Using Zeller's congruence to fill the day of week field,
Also populate the day of year field.

Add unit test to cover a number of cases.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3999)
2017-07-24 11:24:27 +10:00
Paul Yang
3d0f1cb9fd Add asn1_time_to_tm function and check days in month
Based on discussion in PR #3566. Reduce duplicated code in original
asn1_utctime_to_tm and asn1_generalizedtime_to_tm, and introduce a new
internal function asn1_time_to_tm. This function also checks if the days
in the input time string is valid or not for the corresponding month.

Test cases are also added.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3905)
2017-07-24 08:27:27 +10:00
Paul Yang
bbb4ceb86e Support converting cipher name to RFC name and vice versa
Fixes: issue #3747

make SSL_CIPHER_standard_name globally available and introduce a new
function OPENSSL_cipher_name.

A new option '-convert' is also added to 'openssl ciphers' app.

Documentation and test cases are added.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3859)
2017-07-21 07:20:14 +10:00
Benjamin Kaduk
4468b6ed59 Remove trailing whitespace from drbgtest.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3971)
2017-07-20 12:12:36 -05:00
Dr. Stephen Henson
d76f646ade Add keygen test data
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3920)
2017-07-19 14:02:20 +01:00
Dr. Stephen Henson
1f0fc03b8a Add keygen test to evp_test
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3920)
2017-07-19 14:02:20 +01:00
Rich Salz
12fb8c3d2d Add DRBG random method
Ported from the last FIPS release, with DUAL_EC and SHA1 and the
self-tests removed.  Since only AES-CTR is supported, other code
simplifications were done.  Removed the "entropy blocklen" concept.

Moved internal functions to new include/internal/rand.h.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/3789)
2017-07-19 03:25:16 -04:00
Matt Caswell
e11b6aa4c9 Add a test for SSL_clear()
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/3954)
2017-07-18 17:35:47 +01:00
Matt Caswell
6b84e6bf19 Add a test for early_data when an HRR occurs
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/3933)
2017-07-18 16:51:58 +01:00
Pauli
20e237c025 Address Coverity issues.
This patch addresses the use of uninitialised data raised in Coverity
issues 1414881 and 1414882.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3929)
2017-07-17 06:59:45 +10:00
Richard Levitte
74df8c4ce3 testutil: stanza files are text files, open them as such
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3939)
2017-07-15 19:11:31 +02:00
Richard Levitte
4c0669dc6f test/recipes/90-test_store.t: Add a few cases with files starting with 'file:'
These cases are performed on Linux only.  They check that files with
names starting with 'file:' can be processed as well.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3907)
2017-07-15 18:53:07 +02:00
Richard Levitte
346bf1a238 test/recipes/90-test_store.t: Test absolute files
We haven't tested plain absolute paths without making them URIs...

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3907)
2017-07-15 18:53:07 +02:00
Richard Levitte
94437cebc4 test/recipes/90-test_store.t: Rename some functions
to_rel_file_uri really treated all files appropriately, absolute and
relative alike, and really just constructs a URI, so gets renamed to
to_file_uri

to_file_uri, on the other hand, forces the path into an absolute one,
so gets renamed to to_abs_file_uri

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3907)
2017-07-15 18:53:07 +02:00
Pauli
9ee27200c9 Remove trailing blanks.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3918)
2017-07-14 07:36:26 +10:00
Pauli
c2500f658b Test cleaning and modernisation
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3917)
2017-07-14 07:35:17 +10:00
Pauli
9e206ce5f8 Fix some issues raise by coverity in the tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3846)
2017-07-14 07:31:29 +10:00
Dr. Stephen Henson
d72a00416a Add sanity test for certificate table
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
2017-07-13 12:38:42 +01:00
Dr. Stephen Henson
50a3a1f04b Add additional ECDSA/Ed25519 selection tests.
Add two tests with ECDSA+SHA256 preferred over Ed25519, the second also
excludes P-256 from the supported curves extension which will force the
use of Ed25519 in TLS 1.2, but not TLS 1.3: this would fail before the
certificate table updates.

Add TLS 1.3 test also with P-256 exclude from the groups extension: this
should have no effect as the groups extension is not used for signature
selection in TLS 1.3

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3858)
2017-07-13 12:38:42 +01:00
Matt Caswell
e3c0d76bc7 Do not allow non-dhe kex_modes by default
Allow that mode to be configured if desired.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3833)
2017-07-07 16:08:05 +01:00