Commit graph

615 commits

Author SHA1 Message Date
Kurt Roeckx
b1b22b0b77 Test the support curves in tls
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1472
2016-08-22 22:13:04 +02:00
Matt Caswell
1c55e372b9 Fix no-des
The PKCS12 command line utility is not available if no-des is used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-22 16:39:28 +01:00
Rich Salz
464d59a5bb RT2676: Reject RSA eponent if even or 1
Also, re-organize RSA check to use goto err.
Add a test case.
Try all checks, not just stopping at first (via Richard Levitte)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-22 11:25:12 -04:00
Andy Polyakov
1194ea8dc3 crypto/pkcs12: facilitate accessing data with non-interoperable password.
Originally PKCS#12 subroutines treated password strings as ASCII.
It worked as long as they were pure ASCII, but if there were some
none-ASCII characters result was non-interoperable. But fixing it
poses problem accessing data protected with broken password. In
order to make asscess to old data possible add retry with old-style
password.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 13:52:59 +02:00
Andy Polyakov
70bf33d182 Add PKCS#12 UTF-8 interoperability test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 13:52:51 +02:00
Andy Polyakov
e6ed2b9108 Add test/bio_enc_test.c.
RT#4628

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-21 23:34:26 +02:00
Matt Caswell
6fc1748ec6 Add a DTLS unprocesed records test
Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Emilia Kasper
15269e5654 Add more details on how to add a new SSL test
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-19 14:50:25 +02:00
Emilia Kasper
6dc9974547 Port multi-buffer tests
Make maximum fragment length configurable and add various fragmentation
tests, in addition to the existing multi-buffer tests.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 12:46:00 +02:00
Matt Caswell
bb982ce753 Remove a stray unneeded line in 70-test_sslrecords.t
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Matt Caswell
a2a0c86bb0 Add some SSLv2 ClientHello tests
Test that we handle a TLS ClientHello in an SSLv2 record correctly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Richard Levitte
a0ef6bb687 Skip the SRP tests in 80-test_ssl_old.t if no TLS versions is enabled
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15 17:16:47 +02:00
Emilia Kasper
be82f7b320 Don't attempt to load the CT log list with no-ec
In practice, CT isn't really functional without EC anyway, as most logs
use EC keys. So, skip loading the log list with no-ec, and skip CT tests
completely in that conf.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 18:46:06 +02:00
Emilia Kasper
da085d273c SSL tests: port CT tests, add a few more
This commit only ports existing tests, and adds some coverage for
resumption. We don't appear to have any handshake tests that cover SCT
validation success, and this commit doesn't change that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 14:41:21 +02:00
Emilia Kasper
2ac6bdc029 NPN and ALPN: test resumption
In NPN and ALPN, the protocol is renegotiated upon resumption. Test that
resumption picks up changes to the extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-08 15:14:52 +02:00
Emilia Kasper
7b7cea6d71 Fix ALPN tests when NPN is off
OPENSSL_NO_NEXTPROTONEG only disables NPN, not ALPN

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-08 12:19:31 +02:00
klemens
6025001707 spelling fixes, just comments and readme.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
2016-08-05 19:07:30 -04:00
David Woodhouse
16938284cf Add basic test for Cisco DTLS1_BAD_VER and record replay handling
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:24 +01:00
Richard Levitte
f37c159aed 80-test_ssl_new.t: only skip on $no_tls if no other skip conditions defined
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-02 13:27:39 +02:00
Richard Levitte
f4947bf10e In 80-test_ssl_new, more "plan tests" to a more useful position
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-02 11:37:38 +02:00
Matt Caswell
ee94aeee7d Fix tests for no-nextprotoneg
Fix the 80-test_ssl_test_ctx and 80-test_ssl_new tests when used with the
no-nextprotoneg option

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-02 10:19:56 +01:00
Matt Caswell
80f397e2c6 Fix no-tls1_2
Misc fixes impacting no-tls1_2. Also fixes no-dtls1_2.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:24:32 +01:00
Matt Caswell
3e82ae573a Fix no-dtls*
Also fixes some other options like no-dgram and no-sock.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:24:32 +01:00
Matt Caswell
49dadc1cb7 Fix no-ct
Ensure that we don't build/run the ct fuzzing code if no-ct is used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-25 08:18:14 +01:00
Emilia Kasper
590ed3d7ea SSL test framework: port resumption tests
Systematically test every server-side version downgrade or upgrade.

Client version upgrade or downgrade could be tested analogously but will
be done in a later change.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-20 13:55:53 +02:00
Matt Caswell
df0aa7770e Fix building with no-cms
The new fuzzing code broke no-cms

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-19 14:01:33 +01:00
Emilia Kasper
ce2cdac278 SSL test framework: port NPN and ALPN tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 14:17:48 +02:00
Matt Caswell
1b5c44b810 Fix client auth test_ssl_new failures when enabling/disabling protocols
If configuring for anything other than the default TLS protocols then
test failures were occuring.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-07-18 14:30:14 +01:00
Dr. Stephen Henson
d83b7e1a58 Extend mkcert.sh to support nameConstraints generation and more complex
subject alternate names.

Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-11 23:30:04 +01:00
Rich Salz
cc75cbc4ed Platform sanity test
Replace nptest with sanity test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-08 15:56:55 -04:00
Kurt Roeckx
a05b0bcf87 Re-add x509 and crl fuzzer
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1276
2016-07-01 17:02:33 +02:00
Ben Laurie
90d28f0519 Run the fuzzing corpora as tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-01 13:45:45 +01:00
Emilia Kasper
d2b23cd2b0 SSL test framework: port SNI tests
Observe that the old tests were partly ill-defined:
setting sn_server1 but not sn_server2 in ssltest_old.c does not enable
the SNI callback.

Fix this, and also explicitly test both flavours of SNI mismatch (ignore
/ fatal alert). Tests still pass.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-28 17:26:24 +02:00
Matt Caswell
c3fd55d4a6 Add a test for fragmented alerts
The previous commit fixed a problem where fragmented alerts would cause an
infinite loop. This commit adds a test for these fragmented alerts.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-27 14:51:03 +01:00
Richard Levitte
aa951ef3d7 Add verification of proxy certs to 25-test_verify.t
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-06-20 21:34:37 +02:00
Matt Caswell
b02b574317 Skip the TLSProxy tests if environmental problems are an issue
On some platforms we can't startup the TLSProxy due to environmental
problems (e.g. network set up on the build machine). These aren't OpenSSL
problems so we shouldn't treat them as test failures. Just visibly
indicate that we are skipping the test.

We only skip the first time we attempt to start up the proxy. If that works
then everything else should do...if not we should probably investigate and
so report as a failure.

This also removes test_networking...there is a danger that this turns into
a test of user's environmental set up rather than OpenSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-16 16:32:14 +01:00
Matt Caswell
2cb4b5f63a Add some session API tests
This commit adds some session API tests, and in particular tests the
modified behaviour of SSL_set_session() introduced in the last commit. To
do this I have factored out some common code from the asynciotest into a
new ssltestlib.c file. I've also renamed getsettest to sslapitest as this
more closely matches what it now is!

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-13 17:35:18 +01:00
Emilia Kasper
74726750ef Port DTLS version negotiation tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-13 16:13:13 +02:00
Matt Caswell
73159f403e Fix no-dtls* builds
Most of the no-dtls* builds were failing due to one test which had an
incorrect "skip" condition.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-10 15:53:21 +01:00
Todd Short
5c753de668 Fix session ticket and SNI
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.

However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:

1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.

To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.

Fix these two cases, and add unit test code to validate ticket behavior.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
2016-06-09 13:07:51 -04:00
Rich Salz
e417070c9f Add some accessor API's
GH1098: Add X509_get_pathlen() (and a test)
GH1097:  Add SSL_is_dtls() function.

Documented.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-08 11:37:06 -04:00
Matt Caswell
4f0c475719 Add empty record tests
The previous commit changed how we handle out-of-context empty records.
This commit adds some tests for the various scenarios. There are three
tests:
1: Check that if we inject an out-of-context empty record then we fail
2: Check that if we inject an in-context empty record then we succeed
3: Check that if we inject too many in-context empty records then we fail.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-07 22:07:36 +01:00
Matt Caswell
8f09ba471c Add an SSL get/set test
We just do the getters/setter for tlsext_status_type. This could be extended
for others in the future.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-07 17:05:52 +01:00
Richard Levitte
78e91586fb tests: Shut the shell up unless verbose
In rare cases, the shell we run test programs in may have complaints.
Shut those up unless testing verbosely.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-06-06 10:03:01 +02:00
Viktor Dukhovni
501d53c600 Silence misleading test_abort stderr output
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-05 12:06:02 -04:00
Richard Levitte
e2ec7332c4 Make 25-test_gen.t and 25-test_req.t into one
Since one generates files that the other depends on, there's no
real reason to keep them separate.  Since they were both different
aspects of 'openssl req', the merge ends up in 25-test_req.t.

This also makes cleanup easier.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-04 09:43:26 +02:00
Richard Levitte
c9d2437385 Have some more test recipes clean up after themselves
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-04 09:43:26 +02:00
Richard Levitte
b38c43f7bc tests: clean up temporary SSL session files.
RT#4557

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 15:31:16 +02:00
Emilia Kasper
63936115e8 Update client authentication tests
Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-06-03 11:59:46 +02:00
Richard Levitte
a182e546c7 Testing symbol presence: also take note of small objects
The S symbol class wasn't checked.

Notified by Sebastian Andrzej Siewior

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-06-02 03:12:04 +02:00
Rich Salz
44c8a5e2b9 Add final(?) set of copyrights.
Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-06-01 11:27:25 -04:00
Richard Levitte
23049aa52e perl: use the 'if' module to conditionally load File::Glob
Trying to use normal perl conditions to conditionally 'use' a perl
module didn't quite work.  Using the 'if' module to do so does work.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-30 11:55:46 +02:00
Andy Polyakov
9785555616 Configure,test/recipes: "pin" glob to File::Glob::glob.
As it turns out default glob's behaviour for quoted argument varies
from version to version, making it impossible to Configure or run
tests in some cases. The reason for quoting globs was to accommodate
source path with spaces in its name, which was treated by default glob
as multiple paths. File::Glob::glob on the other hand doesn't consider
spaces as delimiters and therefore works with unquoted patterns.

[Unfortunaltely File::Glob::glob, being too csh-ly, doesn't work
on VMS, hence the "pinning" is conditional.]

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-29 14:12:35 +02:00
Richard Levitte
ac1a998d04 make sure to put quotes around -config argument, in case of spaces
RT#4486

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-27 17:41:32 +02:00
Richard Levitte
04b7805a86 perl glob: make sure to put quotes around the pattern, in case of spaces
RT#4486

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-27 17:41:32 +02:00
Matt Caswell
46ac07f545 Avoid msys name mangling
If using the msys console then msys attempts to "fix" command line
arguments to convert them from Unix style to Windows style. One of the
things it does is to look for arguments seperated by colons. This it
assumes is a list of file paths, so it replaces the colon with a semi-colon.
This was causing one of our tests to fail when calling the "req" command
line app. We were attempting to create a new DSA key and passing the
argument "dsa:../apps/dsa1024.pem". This is exactly what we intended but
Msys mangles it to "dsa;../apps/dsa1024.pem" and the command fails.
There doesn't seem to be a way to suppress Msys name mangling. Fortunately
we can work around this issue by generating the DSA key in a separate step
by calling "gendsa".

RT#4255

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 15:19:03 +01:00
Matt Caswell
f8f686ec1c Add a test for printing floating point format specifiers
Previous commits fixed the implementation of the %e and %g format
specifiers as well as other issues. This commit adds a test.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 10:25:31 +01:00
Matt Caswell
d7295cd6d2 Add an async io test
This adds an async IO test. There are two test runs. The first one does
a normal handshake with lots of async IO events. The second one does the
same but this time breaks up all the written records into multiple records
of one byte in length. We do this all the way up until the CCS.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-05-20 14:39:45 +01:00
Richard Levitte
1563102bbd VMS perl: Fix glob output
In some cases, perl's glob() thinks it needs to return file names with
generation numbers, such as when a file name pattern includes two
periods.  Constructing other file names by simple appending to file
names with generation numbers isn't a good idea, so for the VMS case,
just peal the generation numbers if they are there.
Fortunately, this is easy, as the returned generation number delimiter
will always be a semi-colon.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-13 14:33:41 +02:00
Matt Caswell
5f7267598d Add some additional NewSessionTicket tests
If the server does not send a session ticket extension, it should not then
send the NewSessionTicket message.

If the server sends the session ticket extension, it MUST then send the
NewSessionTicket message.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-13 13:04:46 +01:00
Emilia Kasper
a263f320eb Remove proxy tests. Add verify callback tests.
The old proxy tests test the implementation of an application proxy
policy callback defined in the test itself, which is not particularly
useful.

It is, however, useful to test cert verify overrides in
general. Therefore, replace these tests with tests for cert verify
callback behaviour.

Also glob the ssl test inputs on the .in files to catch missing
generated files.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-12 19:02:42 +02:00
Emilia Kasper
5a22cf96a0 Replace cipherlist test
The old cipherlist test in ssltest.c only tests the internal order of
the cipher table, which is pretty useless.

Replace this test with a test that catches inadvertent changes to the
default cipherlist.

Fix run_tests.pl to correctly filter tests that have "list" in their name.

(Also includes a small drive-by fix in .gitignore.)

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-05-11 18:59:46 +02:00
Viktor Dukhovni
fde2257f05 Fix i2d_X509_AUX, update docs and add tests
When *pp is NULL, don't write garbage, return an unexpected pointer
or leak memory on error.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-05-11 01:46:06 -04:00
Matt Caswell
b273fcc565 Fix the no-tls option
The TLSProxy based tests don't work when TLS is disabled so we shouldn't
run them.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-04 10:20:02 +01:00
Dr. Stephen Henson
2c7fe4dc9a Add ASN.1 INTEGER tests.
Add tests for ASN.1 INTEGER: invalid tag, valid 0, 1, -1 and 0, -1 with
illegal padding.

Also add ASN1_ANY tests for 0, 1 and -1.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-03 13:06:15 +01:00
Dr. Stephen Henson
106cb95057 Add test for CVE-2016-2018
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-05-03 13:06:15 +01:00
Dr. Stephen Henson
9f13d4dd5e add test for CVE-2016-2109
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-23 00:29:04 +01:00
Dr. Stephen Henson
48c1e15ceb Extensions to d2i_test.
Using ASN1_ITEM tables in d2i_test: this then uses consistent names and
makes it easier to extend.

Add bio, reencode and compare tests.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-04-22 15:00:36 +01:00
Rich Salz
596d6b7e1c Unified copyright for test recipes
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-22 07:58:47 -04:00
Richard Levitte
3f8f728278 Add a best effort test to check shared library consistency
Our main development platforms are of the Unix family, which doesn't
have the same strictness regarding a shared library being consistent
with the contents of the ld script (.map file, on Linux and Solaris)
as Windows is with the contents of the .def file or VMS is with the
linker symb_vector option.

To eliminate surprises, we therefore need to make sure to check that
the contents of the .map file is matched with the shared library, at
least to check that the shared library isn't missing any symbols that
should be present.

This test isn't absolutely perfect, as it will only check the symbols
that would be present on Linux / Solaris and will therefore miss those
that would only appear on Windows or VMS.  On the other hand, those
platform specific are few and far apart in time, so it's not likely
they will pose a problem.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-04-22 12:55:48 +02:00
Rich Salz
e0a651945c Copyright consolidation: perl files
Add copyright to most .pl files
This does NOT cover any .pl file that has other copyright in it.
Most of those are Andy's but some are public domain.
Fix typo's in some existing files.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-20 09:45:40 -04:00
Matt Caswell
36d70ed519 Fix no-tls1_1 and no-tls1_2
The above config options were failing in test_ssl_old.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-13 09:03:56 +01:00
Matt Caswell
2af22b7dd5 Fix the no-tls option
The no-tls option was failing in the tests. This fixes it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-11 14:29:02 +01:00
Matt Caswell
1595ca029c Fix the no-nextprotoneg option
Misc fixes to get no-nextprotoneg config option working again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-11 14:22:43 +01:00
Richard Levitte
578a00048d Don't check the generated ssl-tests configs on VMS
The simple reason is that the pre-generated files are mainly for Unix.
The VMS variants look slightly different, so comparing will always fail.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-09 21:44:35 +02:00
Viktor Dukhovni
43341433a8 Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates.  Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl.  We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.

Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information.  When printing SCTs, print the
validation status if set and not valid.

Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07 14:41:34 -04:00
Emilia Kasper
1d352bb192 Allow generate_ssl_tests.pl to find testlib
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-07 14:48:50 +02:00
Matt Caswell
3e41ac3528 Fix no-ocsp
Misc fixes for no-ocsp

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-06 14:57:45 +01:00
Emilia Kasper
69853045e1 Rename ssltest -> ssltest_old
ssltest_old.c is deprecated. New tests should use ssl_test.c, and the
recipes in 80-test_ssl_new.t

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-05 17:07:09 +02:00
Emilia Kasper
453dfd8d5e New SSL test framework
Currently, SSL tests are configured via command-line switches to
ssltest.c. This results in a lot of duplication between ssltest.c and
apps, and a complex setup. ssltest.c is also simply old and needs
maintenance.

Instead, we already have a way to configure SSL servers and clients, so
we leverage that. SSL tests can now be configured from a configuration
file. Test servers and clients are configured using the standard
ssl_conf module. Additional test settings are configured via a test
configuration.

Moreover, since the CONF language involves unnecessary boilerplate, the
test conf itself is generated from a shorter Perl syntax.

The generated testcase files are checked in to the repo to make
it easier to verify that the intended test cases are in fact run; and to
simplify debugging failures.

To demonstrate the approach, min/max protocol tests are converted to the
new format. This change also fixes MinProtocol and MaxProtocol
handling. It was previously requested that an SSL_CTX have both the
server and client flags set for these commands; this clearly can never work.

Guide to this PR:
 - test/ssl_test.c - test framework
 - test/ssl_test_ctx.* - test configuration structure
 - test/handshake_helper.* - new SSL test handshaking code
 - test/ssl-tests/ - test configurations
 - test/generate_ssl_tests.pl - script for generating CONF-style test
   configurations from perl inputs

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-05 13:44:46 +02:00
Emilia Kasper
1400f013e1 Fix memory leaks in ASN.1
These leaks affect 1.1.0 dev branch only; introduced around commit
f93ad22f6a

Found with LibFuzzer

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-04-04 13:26:06 +02:00
Viktor Dukhovni
fbb82a60dc Move peer chain security checks into x509_vfy.c
A new X509_VERIFY_PARAM_set_auth_level() function sets the
authentication security level.  For verification of SSL peers, this
is automatically set from the SSL security level.  Otherwise, for
now, the authentication security level remains at (effectively) 0
by default.

The new "-auth_level" verify(1) option is available in all the
command-line tools that support the standard verify(1) options.

New verify(1) tests added to check enforcement of chain signature
and public key security levels.  Also added new tests of enforcement
of the verify_depth limit.

Updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-04-03 11:35:35 -04:00
Richard Levitte
25c78440d2 Adapt some test recipes to the newer cmdstr()
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-02 23:13:42 +02:00
Richard Levitte
7d9b2d53a2 Since OpenSSL::Test redirects stderr to /dev/null, don't do so in 80-test_ca.t
Since OpenSSL::Test only redirects stderr to /dev/null when being run
through non-verbose test harness, this change allows the stderr output
to be displayed when verbosity is requested.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-30 18:44:18 +02:00
Viktor Dukhovni
4d9e33acb2 Require intermediate CAs to have basicConstraints CA:true.
Previously, it was sufficient to have certSign in keyUsage when the
basicConstraints extension was missing.  That is still accepted in
a trust anchor, but is no longer accepted in an intermediate CA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-29 20:54:34 -04:00
Kurt Roeckx
b7dffce017 Add session reuse tests.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #2452
2016-03-27 23:59:04 +02:00
Richard Levitte
ce84456ddf Math::BigInt does floored divs, BN_div does truncated div, compensate
According to documentation, perl's Math::BigInt does floored division,
i.e. the bdiv function does 1 / -4 = -1.  OpenSSL's BN_div, as well as
bc, do truncated division, i.e. 1 / -4 = 0.

We need to compensate for that difference in test/recipes/bc.pl to
make sure to verify the bntest results under its own conditions, by
dividing the absolute values of the given numbers and fixup the
result's negativity afterwards.

Closes RT#4485

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-27 21:39:23 +02:00
Matt Caswell
f9e5503412 Fix no-sock
Misc fixes for no-sock

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-21 16:33:59 +00:00
Matt Caswell
18cb0221b9 Skip the CMS tests if CMS is disabled
This fixes the no-cms compile time option.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-21 14:33:40 +00:00
Matt Caswell
83ae8124de Fix no-dsa
Misc fixes for no-dsa.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-21 14:28:56 +00:00
Todd Short
0351baae36 Fix ALPN - more fixes
* Clear proposed, along with selected, before looking at ClientHello
* Add test case for above
* Clear NPN seen after selecting ALPN on server
* Minor documentation updates

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-20 21:09:32 -04:00
Richard Levitte
bec5e4ae0d Don't perform tsa tests if configured "no-ts"
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-19 01:25:37 +01:00
Matt Caswell
96bea0002b Fix no-des
Numerous fixes for no-des.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-18 17:07:11 +00:00
Richard Levitte
ef33d13185 Add a test to see that signals are caught as failures
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-18 15:25:23 +01:00
Matt Caswell
bb4cc75b1e Fix no-rc2 in the CMS test
The CMS test uses some RC2 keys which should be skipped if the RC2 is
disabled.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-18 12:09:27 +00:00
Richard Levitte
a717738b45 Don't define OPENSSL_ENGINES in test recipes, do it in Makefiles instead
In most builds, we can assume that engines live in the build tree
subdirectory "engines".  This was hard coded into the tests that use
the engine ossltest.

However, that hard coding is tedious, it would need to be done in
every test recipe, and it's an incorrect assumption in some cases.

This change has us play it safe and let the build files tell the
testing framework where the engines are.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-03-17 10:10:59 +01:00
Matt Caswell
5427976d9e Fix a TLSProxy race condition
TLSProxy starts s_server and specifies the number of client connects
it should expect. After that s_server is supposed to close down
automatically. However, if another test is then run then TLSProxy
will start a new instance of s_server. If the previous instance
hasn't closed down yet then the new instance can fail to bind to
the socket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-15 23:46:50 +00:00
fbroda
08538fc0a5 General verify options to openssl ts
This commit adds the general verify options of ocsp, verify,
cms, etc. to the openssl timestamping app as suggested by
Stephen N. Henson in [openssl.org #4287]. The conflicting
"-policy" option of "openssl ts" has been renamed to
"-tspolicy". Documentation and tests have been updated.

CAVE: This will break code, which currently uses the "-policy"
option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-15 18:42:53 +01:00
Emilia Kasper
c91a0a8343 Disable afalg when engine is disabled.
Also make it possible to disable afalg separately.

we still need to update config again

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-14 17:03:53 +01:00
Richard Levitte
0a705cef0c When creating directory specs, use srctop_dir rather than srctop_file.
While insignificant on Unix like systems, this is significant on
systems like VMS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-12 02:09:05 +01:00
Matt Caswell
ad87a3dc2c Suppress CT warnings in test_ssl
Running test_ssl with HARNESS_VERBOSE results in lots of spurious warnings
about an inability to load the CT config file. This fixes it.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-11 13:52:26 +00:00
Richard Levitte
1bee9d6b6c Fix ct_test to not assume it's in the source directory
ct_test assumed it's run in the source directory and failed when built
elsewhere.  It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.

Test recipe updated to match.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:35:18 -05:00
Richard Levitte
467bbe090b CT test can't run without EC, so skip it on that algo as well
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:23 +01:00
Richard Levitte
c469a9a81e Fix ct_test to not assume it's in the source directory
ct_test assumed it's run in the source directory and failed when built
elsewhere.  It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.

Test recipe updated to match.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-09 17:13:23 +01:00
Richard Levitte
2d32d3be15 Don't run the TLSProxy based tests in native Windows
There are issues binding listening ports.  This may be analyzed more
thoroughly later on.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:22:07 +01:00
Todd Short
817cd0d52f GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-08 09:03:05 -05:00
Matt Caswell
e2524943ce Fix minor errors in the afalg test
The new afalg test should have a copyright date of 2016. Also an
incorrect buffer was being sent to EVP_CipherFinal_ex when
decrypting.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-07 13:36:17 +00:00
clucey
d245844010 Adding afalg test
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-03-07 13:36:17 +00:00
Richard Levitte
6928b6171a Change names of ordinals and libs, libeay => libcrypto and ssleay => libssl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-05 09:02:33 +01:00
Rob Percival
dd696a55a2 Extends s_client to allow a basic CT policy to be enabled
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Emilia Kasper
062178678f Refactor ClientHello extension parsing
1) Simplify code with better PACKET methods.

2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.

3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.

4) Send an alert on ALPN protocol mismatch.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-03-03 13:53:26 +01:00
Rob Percival
7d054e5ab2 CT policy validation
Specifies a callback that will, in the future, be used by the SSL code to
decide whether to abort a connection on Certificate Transparency grounds.

Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-01 20:03:25 +00:00
FdaSilvaYY
b6453a68bb GH753: More spelling fix
Signed-off-by: Rich Salz <rsalz@akamai.com>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-27 10:58:16 -05:00
Alessandro Ghedini
71a04cfca0 Implement new multi-threading API
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-26 10:00:36 +00:00
Rob Percival
5dc312215f Tests for parsing and printing certificates containing SCTs
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-25 13:59:11 -05:00
Andy Polyakov
e9fd82f624 test/recipes/80-test_ca.t: remove_tree->rmtree to make it work with Perl 5.10.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-23 21:16:30 +01:00
Richard Levitte
19ab579060 Use $disabled{"dynamic-engine"} internally
We were kinda sorta using a mix of $disabled{"static-engine" and
$disabled{"dynamic-engine"} in Configure.  Let's avoid confusion,
choose one of them and stick to it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-22 14:38:31 +01:00
Richard Levitte
2dd400bd43 Run the TLSProxy based tests as long as dynamic engines are built.
They depend on this feature because they use the engine ossltest,
which is only available as a dynamic engine.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-20 16:51:31 +01:00
Emilia Kasper
aa474d1fb1 TLS: reject duplicate extensions
Adapted from BoringSSL. Added a test.

The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-02-19 17:24:44 +01:00
Rich Salz
dba3177745 Remove JPAKE
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-17 09:46:10 -05:00
Richard Levitte
0340edcf67 Remove 00-test_checkexes.t, as it has lost its relevance
In the early stages of creating the new test framework,
00-test_checkexes was a temporary check to ensure we had a recipe for
every test program in test/.  By now, this test has fulfilled its
purpose, and we've learned how to make recipes properly.  It's time
for this check to go away.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-13 14:00:22 +01:00
Richard Levitte
b44b935e39 Let all TLSProxy based tests display debug text conditionally
If the environment variable HARNESS_ACTIVE isn't defined or
HARNESS_VERBOSE is defined, it's probable that lots of output is
desired.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-12 20:56:46 +01:00
Rich Salz
22e3dcb780 Remove TLS heartbeat, disable DTLS heartbeat
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.

This addresses RT 3647

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-11 12:57:26 -05:00
Richard Levitte
bc66265da8 Fix 90-test_networking.t
The previous fix wasn't complete, it was missing a 'use OpenSSL::Test::Utils'

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-09 15:11:01 +01:00
Richard Levitte
920def7401 Update 90-test-networking.t to do the same checks as other TLSProxy tests
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-09 12:18:12 +01:00
Richard Levitte
42e0ccdfe8 unified build scheme: adjust test framework for out of source build tree
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.

test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own.  Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.

As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-09 11:43:20 +01:00
Matt Caswell
ce0865d8dc Add tests for DTLSv1_listen
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 20:47:36 +00:00
Richard Levitte
b7be6d2290 Add checks for IPv4 and IPv6 in OpenSSL::Test::Utils and use them
This uilds on the same way of checking for availability as we do in
TLSProxy.  We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.

80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 23:45:03 +01:00
Richard Levitte
c02bcb6678 Have 70-test_clienthello.t be selective on when it can be run
The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Richard Levitte
72b65aa4cb Refactoring BIO: add a simple networking test of s_client and s_server
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 20:36:59 +01:00
Richard Levitte
75d5bd4e7d Refactoring BIO: add a test, using test/ssltest
This adds a couple of simple tests to see that SSL traffic using the
reimplemented BIO_s_accept() and BIO_s_connect() works as expected,
both on IPv4 and on IPv6.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:40:32 +01:00
Viktor Dukhovni
1d85277235 Add tests for non-ca trusted roots and intermediates
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:16 -05:00
Viktor Dukhovni
33cc5dde47 Compat self-signed trust with reject-only aux data
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.

This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).

Added new supported certs and doubled test count from 38 to 76.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:12 -05:00
Viktor Dukhovni
0daccd4dc1 Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:23:23 -05:00
Richard Levitte
9c626317a6 Fix test/recipes/25-test_verify.t
top_dir() are used to create directory names, top_file() should be
used for files.  In a Unixly environment, that doesn't matter, but...

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-30 17:10:38 +01:00
Richard Levitte
49dc5404df Skip all explicitely if the number of tests is 0
It seems that Test::More doesn't like 0 tests, a line like this raises
an error and stops the recipe entirely:

    plan tests => 0;

So we need to check for 0 tests beforehand and skip the subtest
explicitely in that case.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-27 18:41:34 +01:00
Viktor Dukhovni
f006217bb6 Fix Custom Extension tests skip count
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-26 21:19:57 -05:00
Todd Short
835894d138 RT4272: Unit tests fail when DTLS disabled
Missing SKIP: block in SSL unit tests for DTLS and TLS version tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-26 16:10:32 +01:00
Richard Levitte
aa50e2a39d 80-test_ca.t is made to use the new perlapp()
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-26 15:58:22 +01:00
Richard Levitte
90d48e5ea0 Use the new OpenSSL::Test::Utils routines.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 09:53:36 +01:00
Richard Levitte
3ea75c6328 For every test in 80-test_ssl.t, check that the protocol(s) used is enabled
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-25 18:34:06 +01:00
Richard Levitte
83365051f5 Make tests use configdata.pm rather than parsing Makefile
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-25 17:53:55 +01:00
Viktor Dukhovni
feb2f53edc Multiple -trusted/-untrusted/-CRLfile options in verify
It is sometimes useful (especially in automated tests) to supply
multiple trusted or untrusted certificates via separate files rather
than have to prepare a single file containing them all.

To that end, change verify(1) to accept these options zero or more
times.  Also automatically set -no-CAfile and -no-CApath when
-trusted is specified.

Improve verify(1) documentation, which could still use some work.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 19:04:33 -05:00
Viktor Dukhovni
6e8beabcd4 More X509_verify_cert() tests via verify(1).
Still need tests for trusted-first and tests that probe construction
of alternate chains.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 19:04:11 -05:00
Matt Caswell
a8eda4312d Remove the GOST engine
The GOST engine is now out of date and is removed by this commit. An up
to date GOST engine is now being maintained in an external repository.

See:
https://wiki.openssl.org/index.php/Binaries

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 22:29:32 +00:00
Viktor Dukhovni
6b01bed206 Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2.  In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...

This commit makes it possible to disable any or all of the TLS or
DTLS protocols.  It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 09:57:15 -05:00
Richard Levitte
3f22ed2fcf The TLSProxy tests can't run if no-engine has been configured
Make sure they detect that.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-17 00:25:44 +01:00
Richard Levitte
9b56815d5f Do not use redirection on binary files
On some platforms, the shell will determine what attributes a file
will have, so while the program might think it's safely outputting
binary data, it's not always true.

For the sake of the tests, it's therefore safer to use -out than to
use redirection.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-14 13:15:45 +01:00
Viktor Dukhovni
d9e309a675 Fix verify(1) to report failure when verification fails
Regenerated expired test certificates, good for the next 100 years.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-13 17:55:17 -05:00
Matt Caswell
6b95a37833 Fix test_ordinals
This used to work but somewhere along the line it broke and was failing to
detect duplicate ordinals - which was the whole point of the test!

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-13 20:52:12 +00:00
Richard Levitte
60f9f1e1c8 VMS perl doesn't implement fork(), so don't run the TLSProxy tests there
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-13 19:00:14 +01:00
Richard Levitte
412a963c58 Pipes on VMS do not work well with binary data, use an intermediary file
VMS being a record oriented operating system, it's uncertain how the
'pipe' passes binary data from one process to another.  Experience
shows that we get in trouble, and it's probably due to the pipe in
itself being opened in text mode (variable length records).

It's safer to pass data via an intermediary file instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-13 17:27:06 +01:00
Richard Levitte
4034c38b25 Fix test/recipes/80-test_ca.t to work on VMS
VMS uses a variant of openssl.cnf named openssl-vms.cnf.

There's a Perl on VMS mystery where a open pipe will not SIGPIPE when
the child process exits, which means that a loop sending "y\n" to it
will never stop.  Adding a counter helps fix this (set to 10, we know
that none of the CA.pl commands will require more).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-13 15:23:44 +01:00
Richard Levitte
74b31db68a Only run DANE tests when EC is supported
Since danetest is to test DANE rather than specific algorithms, it's
acceptable to require EC when testing it.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-11 17:32:17 +01:00
Viktor Dukhovni
c2e27310c7 Enable/disable crypto-mdebug just like other features
Also always abort() on leak failure.

Reviewed-by: Stephen Henson <steve@openssl.org>
2016-01-11 02:41:16 +00:00
Rich Salz
bbd86bf542 mem functions cleanup
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
        (Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 15:14:18 -05:00
Viktor Dukhovni
170b735820 DANE support for X509_verify_cert()
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 13:48:59 -05:00
Kurt Roeckx
7946ab33ce Add support for minimum and maximum protocol version
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-02 10:47:52 -05:00
Matt Caswell
ef96e4a28f Add test for missing CertificateStatus message
If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-27 21:59:04 +00:00
Matt Caswell
e863d92010 Don't export internal symbols
On Linux when creating the .so file we were exporting all symbols. We should
only be exporting public symbols. This commit fixes the issue. It is only
applicable to linux currently although the same technique may work for other
platforms (e.g. Solaris should work the same way).

This also adds symbol version information to our exported symbols.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-15 16:46:48 +00:00
Richard Levitte
ea09088e17 Better splitting regexp for test_ordinals
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-15 17:02:34 +01:00
Ben Laurie
94d6151236 Make no-dh work, plus other no-dh problems found by Richard.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-12-11 18:38:38 +00:00
Dr. Stephen Henson
42a8b3f90a Extended master secret test script.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-12-08 16:33:04 +00:00
Rich Salz
0aca86b313 Run test_ordinals after update
Catch a common 'make update' failure: conflicting ordinals.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-02 12:40:38 -05:00
Matt Caswell
5705e05037 Add ASYNC tests
Add a suite of tests for the ASYNC_* functions

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:35 +00:00
Rich Salz
b0700d2c8d Replace "SSLeay" in API with OpenSSL
All instances of SSLeay (any combination of case) were replaced with
the case-equivalent OpenSSL.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-30 17:21:42 -04:00
Andy Polyakov
85833408b4 Test suite: chomp->s/\R// to harmonize with mingw 'make test'.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-13 19:48:03 +02:00
Andy Polyakov
4ada8be2a6 Test suite: minimal required to get mingw 'make test' work under Linux.
(part by Alessandro Ghedini)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-13 19:46:50 +02:00
Dr. Stephen Henson
71a64af331 Skip PSK tests for no-psk
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-10-11 13:38:01 +01:00
Matt Caswell
5530d5187c Add a test for duplicated ordinals
Occaisionally we have had problems where there are duplicated ordinals in
libeay.num or ssleay.num. This adds a test for this issue.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-30 15:36:41 +01:00
Emilia Kasper
cf7f85927c Empty NewSessionTicket: test session resumption
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 16:00:58 +02:00
Emilia Kasper
7f6d90ac75 Empty session ticket: add a test
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-28 16:00:47 +02:00
Matt Caswell
349b310742 Fix the OCSP test on Windows
The windows test uses the pseudo file "nul" to indicate no file for the
-CApath option. This does not work on all versions of Windows. Instead use
the new -no-CApath option.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:50:00 +01:00
Matt Caswell
1556d21850 Fix the rehash test on Windows
The openssl rehash command is not available on some platforms including
Windows. This change skips the associated tests if rehash is not available.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-22 23:27:33 +01:00
Dr. Stephen Henson
37f3a3b327 make no-dh work
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-20 12:50:55 +01:00
Richard Levitte
c9f6be4ead Correct srp test
There actually is a "srp" feature to check the availability on

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 02:06:51 +02:00
Richard Levitte
17979f5526 Correct jpake test
There actually is a "jpake" feature to check the availability on

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 02:06:51 +02:00
Richard Levitte
6ff4211781 Correct sha tests
These tests were checking for specific sha variants, when they should
just check if "sha" is disabled.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 02:06:51 +02:00
Richard Levitte
7f990b0ee3 Correct whirlpool test
It depended on 'openssl no-wp', which always exited with code 0, so
this test would never be performed, and this, I never discovered that
the program it's supposed to run was misspellt.  Furthermore, the
feature to check is 'whirlpool', not 'wp'.

All corrected.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-09-20 02:06:51 +02:00
Dr. Stephen Henson
340166a9da Change test recipes to use disabled()
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-20 00:04:16 +01:00
Richard Levitte
cc0b19a7fc Make sure to actually use @smime_cms_comp_test when testing it...
Obvious typo, and it took configuring with 'zlib' to discover it,
otherwise there was a previous skip that bypassed this section
entirely.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-19 22:55:55 +02:00
Richard Levitte
e008d1b267 Check if test_rehash is run as root
If test/recipes/40-test_rehash.t is executed as root, the last test
will fail, since the created directory will remain writable no matter
what.  Make sure it complains loudly about being run as root.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-18 21:32:29 +02:00
Richard Levitte
84d90cf335 Add a simple test for the new rehash command
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-09 19:12:09 +02:00
Richard Levitte
55b2258859 Fix a few tests that depended on the wrong algorithm check
test_ecdh and test_ecdsa are made to depend on no-ec being false.
test_hmac is made not to depend on algorithm at all.

Based on a contribution by Alessandro Ghedini <alessandro@ghedini.me>

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-08 02:47:30 +02:00
Richard Levitte
6b33d10686 Adjust the verify_extra test recipe to its executable
The verify_extra_test was recently changed to take its parameters as
arguments instead of having them hardcoded.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-08 00:54:49 +02:00
Richard Levitte
a351805733 Make sure that 80-test_ca.t finds all the config files
This recipe counted too much on being called with test/ as its current
working directory.  That's a mistake on, for example, Windows.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:59 +02:00
Richard Levitte
eb8cd5dec2 Add a recipe for the new null pointer test
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:59 +02:00
Richard Levitte
1c73c3bcf0 Change the 80-test_tsa recipe as per changes in testtsa
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
ca5d7dff72 Add a recipe for the new pbelu test
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
49b147f85b Remake the testsslproxy tests
The testsslproxy tests turned out to be useless as they were.  They
were really just for show and the results were ignore.  Now they are
changed into a more veerifiable test

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
5beb63c41e Incorporate recent changes that were originally made in test/testssl
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
24d794de25 Add a recipe for the new gmdiff test
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
50f0a9b3dd Correct test name
Some tests were copied from test_jpake, but the title wasn't changed
accordingly.  This might seem like a small thing, but it does affect
the log file name...

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
c27a404947 Remake test/sslsessionticktest.pl into a recipe
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
25be5f44b8 Adapt the libssl test harness testing scripts to new testing framework
This involves adding $TOP/util as perl library in test/run_tests.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
53520ebe87 Check the validity of MINFO
MINFO may be an old file lying around, which might have
00-check_testexes.t produce incorrect results.  To make sure this
doesn't happen, check the variable VERSION in it against the same
variable in the top Makefile.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
2511c12bf2 Better method of skipping all the tests in 00-check_testexes.t
Before trying to read MINFO, we have no idea how many to test for, and
because skip expects to get an exact number somehow, it's better to
use 'plan skip_all'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
8de4f3d3a6 Remove special x509 test conversions
Following the commit from July 2 that removed netscape formated certs,
it is no longer necessary to have conversion tests for it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
2a74b62e3a Add a few missing tests
test_clienthello
test_packet
test_verify_extra
test_secmem

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
8368d46bca Rework 00-test_checkexes.t for VMS
Unfortunately, a file spec with character range globs interfere with
paths on VMS, and are therefore disabled.  Rework this test to collect
a list of expected tests and a list of all recipes and compare the two
using grep.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
fd99c6b599 Change OpenSSL::Test to be an extension of Test::More
It became tedious as well as error prone to have all recipes use
Test::More as well as OpenSSL::Test.  The easier way is to make
OpenSSL::Test an extension of Test::More, thereby having all version
checks as well as future checks firmly there.  Additionally, that
allows us to extend existing Test::More functions if the need would
arise.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
fb921436f3 Add version numbers on some modules we use.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
204e41ed50 Tone down the requirements of a test that will go away.
00-check_testexes.t was a way for me to check that I didn't forget a
compiled test app.  The way it worked was to require MINFO to be present.
Considering the need for this test has diminished considerably at this
point, I might as well tone down the requirement, and have it skip the
test (and not fail it) if MINFO isn't present.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
93de4f58ef Simplify very simple test recipes further.
Very simple test recipes easily become tedious, so they might benefit
from being made as simple as possible.  Therefore, OpenSSL::Test::Simple
is born.  It currently provides but one function, simple_test(), which
takes a minimum of two parameters (test name and program to run), with
the optional third, being the algorithm to be checked for before
running the test itself.

All recipes with that simple thing to do have been rewritten to be as
minimal as possible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
d11b43fdd3 Remove test targets from Makefile, have it use run_tests.pl
Also remove recipes/00-check_testalltests.t, since it will lack the
information from the now gone alltests target.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:58 +02:00
Richard Levitte
127d25903f Add recipes for misc other things we want to test
Note that this required a change in constant_time_test.c, as it says
"ok", which interferes with what Test::Harness expects to see.  I had
constant_time_test.c say "success" instead.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
88b8a5279f Add recipes for the larger protocols
This covers the certificate authority commands, the cms and smime
commands, OCSP, SSL and TSA.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
4fb35f8fcb Add engine and evp test recipes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
4650de3e43 Add recipes for tests related to certificates
Some of them make use of recipes/tconversion.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
0c85cc5069 Add asymetric cipher test recipes
Some of them make use of recipes/tconversion.pl.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
904ae33426 Add a helper script for key file format conversion tests
As tests are done until now, there are a few scripts that look almost,
but not quite the same.  tkey, tx509, tcrl, tpkcs7, treq, tsid and
probably a few more.

recipes/tconversions.pl is a helper script that generalises the
function of each of those, and can then be used in a general manner
from test recipes.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
13350a0c0e Add the encryption test recipe
This tests all available openssl cipher commands.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
894025c642 Add recipes for individual block ciphers, stream ciphers and digests
These recipes all correspond to a compiled test program.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
f3356b7f49 Add math tests recipes
The math recipes are among the heavier, but also quite important.
For the BN test, we have previously relied on bc to verify the numbers.
Unfortunately, bc doesn't exist everywhere, making tests on some platforms
rather painful.  With the new recipe (recipes/10-test_bn.t), we rely
on perl's Math::BigInt and a homegrown simple calculator (recipes/bc.pl)
that can do enough to cover for bc.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00
Richard Levitte
aec27d4d52 Groundwork for a perl based testing framework
The idea with this perl based testing framework is to make use of
what's delivered with perl and exists on all sorts of platforms.

The choice came to using Test::More and Test::Harness, as that seems
to be the most widely spread foundation, even if perl is aged.

The main runner of the show is run_tests.pl.  As it currently stands,
it's designed to run from inside Makefile, but it's absolutely
possible to run it from the command line as well, like so:

	cd test
	OPENSSL_SRCDIR=.. perl run_tests.pl

The tester scripts themselves are stored in the subdirectory recipes/,
and initially, we have two such scripts, recipes/00-check_testalltests.t
and recipes/00-check_testexes.t.  recipes/00-check_testalltests.t will
pick out the dependencies of "alltests" in test/Makefile, and check if
it can find recipes with corresponding names.  recipes/00-check_testexes.t
does something similar, but bases it on existing compiled test binaries.
They make it easy to figure out what's to be added, and will be
removed when this effort is finished.

Individual recipes can be run as well, of course, as they are perl
scripts in themselves.  For example, you can run only
recipes/00-check_testexes.t like so:

	cd test
	OPENSSL_SRCDIR=.. perl recipes/00-check_testexes.t

To make coding easier, there's a routine library OpenSSL::Test, which
is reachable in a perl script like so:

	use lib 'testlib';
	use OpenSSL::Test;

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-07 16:10:57 +02:00