* Perform ALPN after the SNI callback; the SSL_CTX may change due to
that processing
* Add flags to indicate that we actually sent ALPN, to properly error
out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
The new afalg test should have a copyright date of 2016. Also an
incorrect buffer was being sent to EVP_CipherFinal_ex when
decrypting.
Reviewed-by: Richard Levitte <levitte@openssl.org>
1) Simplify code with better PACKET methods.
2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.
3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.
4) Send an alert on ALPN protocol mismatch.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Specifies a callback that will, in the future, be used by the SSL code to
decide whether to abort a connection on Certificate Transparency grounds.
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
We were kinda sorta using a mix of $disabled{"static-engine" and
$disabled{"dynamic-engine"} in Configure. Let's avoid confusion,
choose one of them and stick to it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
They depend on this feature because they use the engine ossltest,
which is only available as a dynamic engine.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Adapted from BoringSSL. Added a test.
The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.
Reviewed-by: Stephen Henson <steve@openssl.org>
In the early stages of creating the new test framework,
00-test_checkexes was a temporary check to ensure we had a recipe for
every test program in test/. By now, this test has fulfilled its
purpose, and we've learned how to make recipes properly. It's time
for this check to go away.
Reviewed-by: Rich Salz <rsalz@openssl.org>
If the environment variable HARNESS_ACTIVE isn't defined or
HARNESS_VERBOSE is defined, it's probable that lots of output is
desired.
Reviewed-by: Rich Salz <rsalz@openssl.org>
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.
This addresses RT 3647
Reviewed-by: Richard Levitte <levitte@openssl.org>
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.
test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own. Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.
As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.
Reviewed-by: Ben Laurie <ben@openssl.org>
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This uilds on the same way of checking for availability as we do in
TLSProxy. We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.
80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.
Reviewed-by: Ben Laurie <ben@openssl.org>
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This adds a couple of simple tests to see that SSL traffic using the
reimplemented BIO_s_accept() and BIO_s_connect() works as expected,
both on IPv4 and on IPv6.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.
This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).
Added new supported certs and doubled test count from 38 to 76.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
top_dir() are used to create directory names, top_file() should be
used for files. In a Unixly environment, that doesn't matter, but...
Reviewed-by: Rich Salz <rsalz@openssl.org>
It seems that Test::More doesn't like 0 tests, a line like this raises
an error and stops the recipe entirely:
plan tests => 0;
So we need to check for 0 tests beforehand and skip the subtest
explicitely in that case.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Missing SKIP: block in SSL unit tests for DTLS and TLS version tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
It is sometimes useful (especially in automated tests) to supply
multiple trusted or untrusted certificates via separate files rather
than have to prepare a single file containing them all.
To that end, change verify(1) to accept these options zero or more
times. Also automatically set -no-CAfile and -no-CApath when
-trusted is specified.
Improve verify(1) documentation, which could still use some work.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The GOST engine is now out of date and is removed by this commit. An up
to date GOST engine is now being maintained in an external repository.
See:
https://wiki.openssl.org/index.php/Binaries
Reviewed-by: Richard Levitte <levitte@openssl.org>
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2. In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...
This commit makes it possible to disable any or all of the TLS or
DTLS protocols. It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).
Reviewed-by: Richard Levitte <levitte@openssl.org>
On some platforms, the shell will determine what attributes a file
will have, so while the program might think it's safely outputting
binary data, it's not always true.
For the sake of the tests, it's therefore safer to use -out than to
use redirection.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This used to work but somewhere along the line it broke and was failing to
detect duplicate ordinals - which was the whole point of the test!
Reviewed-by: Rich Salz <rsalz@openssl.org>
VMS being a record oriented operating system, it's uncertain how the
'pipe' passes binary data from one process to another. Experience
shows that we get in trouble, and it's probably due to the pipe in
itself being opened in text mode (variable length records).
It's safer to pass data via an intermediary file instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
VMS uses a variant of openssl.cnf named openssl-vms.cnf.
There's a Perl on VMS mystery where a open pipe will not SIGPIPE when
the child process exits, which means that a loop sending "y\n" to it
will never stop. Adding a counter helps fix this (set to 10, we know
that none of the CA.pl commands will require more).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Since danetest is to test DANE rather than specific algorithms, it's
acceptable to require EC when testing it.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Only two macros CRYPTO_MDEBUG and CRYPTO_MDEBUG_ABORT to control this.
If CRYPTO_MDEBUG is not set, #ifdef out the whole debug machinery.
(Thanks to Jakob Bohm for the suggestion!)
Make the "change wrapper functions" be the only paradigm.
Wrote documentation!
Format the 'set func' functions so their paramlists are legible.
Format some multi-line comments.
Remove ability to get/set the "memory debug" functions at runtme.
Remove MemCheck_* and CRYPTO_malloc_debug_init macros.
Add CRYPTO_mem_debug(int flag) function.
Add test/memleaktest.
Rename CRYPTO_malloc_init to OPENSSL_malloc_init; remove needless calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
If the client sends a status_request extension in the ClientHello
and the server responds with a status_request extension in the
ServerHello then normally the server will also later send a
CertificateStatus message. However this message is *optional* even
if the extensions were sent. This adds a test to ensure that if
the extensions are sent then we can still omit the message.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
On Linux when creating the .so file we were exporting all symbols. We should
only be exporting public symbols. This commit fixes the issue. It is only
applicable to linux currently although the same technique may work for other
platforms (e.g. Solaris should work the same way).
This also adds symbol version information to our exported symbols.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Occaisionally we have had problems where there are duplicated ordinals in
libeay.num or ssleay.num. This adds a test for this issue.
Reviewed-by: Richard Levitte <levitte@openssl.org>
The windows test uses the pseudo file "nul" to indicate no file for the
-CApath option. This does not work on all versions of Windows. Instead use
the new -no-CApath option.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The openssl rehash command is not available on some platforms including
Windows. This change skips the associated tests if rehash is not available.
Reviewed-by: Richard Levitte <levitte@openssl.org>
It depended on 'openssl no-wp', which always exited with code 0, so
this test would never be performed, and this, I never discovered that
the program it's supposed to run was misspellt. Furthermore, the
feature to check is 'whirlpool', not 'wp'.
All corrected.
Reviewed-by: Stephen Henson <steve@openssl.org>
Obvious typo, and it took configuring with 'zlib' to discover it,
otherwise there was a previous skip that bypassed this section
entirely.
Reviewed-by: Tim Hudson <tjh@openssl.org>
If test/recipes/40-test_rehash.t is executed as root, the last test
will fail, since the created directory will remain writable no matter
what. Make sure it complains loudly about being run as root.
Reviewed-by: Rich Salz <rsalz@openssl.org>
test_ecdh and test_ecdsa are made to depend on no-ec being false.
test_hmac is made not to depend on algorithm at all.
Based on a contribution by Alessandro Ghedini <alessandro@ghedini.me>
Reviewed-by: Rich Salz <rsalz@openssl.org>
The verify_extra_test was recently changed to take its parameters as
arguments instead of having them hardcoded.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This recipe counted too much on being called with test/ as its current
working directory. That's a mistake on, for example, Windows.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The testsslproxy tests turned out to be useless as they were. They
were really just for show and the results were ignore. Now they are
changed into a more veerifiable test
Reviewed-by: Rich Salz <rsalz@openssl.org>
Some tests were copied from test_jpake, but the title wasn't changed
accordingly. This might seem like a small thing, but it does affect
the log file name...
Reviewed-by: Rich Salz <rsalz@openssl.org>
MINFO may be an old file lying around, which might have
00-check_testexes.t produce incorrect results. To make sure this
doesn't happen, check the variable VERSION in it against the same
variable in the top Makefile.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Before trying to read MINFO, we have no idea how many to test for, and
because skip expects to get an exact number somehow, it's better to
use 'plan skip_all'.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Following the commit from July 2 that removed netscape formated certs,
it is no longer necessary to have conversion tests for it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Unfortunately, a file spec with character range globs interfere with
paths on VMS, and are therefore disabled. Rework this test to collect
a list of expected tests and a list of all recipes and compare the two
using grep.
Reviewed-by: Rich Salz <rsalz@openssl.org>
It became tedious as well as error prone to have all recipes use
Test::More as well as OpenSSL::Test. The easier way is to make
OpenSSL::Test an extension of Test::More, thereby having all version
checks as well as future checks firmly there. Additionally, that
allows us to extend existing Test::More functions if the need would
arise.
Reviewed-by: Rich Salz <rsalz@openssl.org>
00-check_testexes.t was a way for me to check that I didn't forget a
compiled test app. The way it worked was to require MINFO to be present.
Considering the need for this test has diminished considerably at this
point, I might as well tone down the requirement, and have it skip the
test (and not fail it) if MINFO isn't present.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Very simple test recipes easily become tedious, so they might benefit
from being made as simple as possible. Therefore, OpenSSL::Test::Simple
is born. It currently provides but one function, simple_test(), which
takes a minimum of two parameters (test name and program to run), with
the optional third, being the algorithm to be checked for before
running the test itself.
All recipes with that simple thing to do have been rewritten to be as
minimal as possible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Also remove recipes/00-check_testalltests.t, since it will lack the
information from the now gone alltests target.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Note that this required a change in constant_time_test.c, as it says
"ok", which interferes with what Test::Harness expects to see. I had
constant_time_test.c say "success" instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
As tests are done until now, there are a few scripts that look almost,
but not quite the same. tkey, tx509, tcrl, tpkcs7, treq, tsid and
probably a few more.
recipes/tconversions.pl is a helper script that generalises the
function of each of those, and can then be used in a general manner
from test recipes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The math recipes are among the heavier, but also quite important.
For the BN test, we have previously relied on bc to verify the numbers.
Unfortunately, bc doesn't exist everywhere, making tests on some platforms
rather painful. With the new recipe (recipes/10-test_bn.t), we rely
on perl's Math::BigInt and a homegrown simple calculator (recipes/bc.pl)
that can do enough to cover for bc.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The idea with this perl based testing framework is to make use of
what's delivered with perl and exists on all sorts of platforms.
The choice came to using Test::More and Test::Harness, as that seems
to be the most widely spread foundation, even if perl is aged.
The main runner of the show is run_tests.pl. As it currently stands,
it's designed to run from inside Makefile, but it's absolutely
possible to run it from the command line as well, like so:
cd test
OPENSSL_SRCDIR=.. perl run_tests.pl
The tester scripts themselves are stored in the subdirectory recipes/,
and initially, we have two such scripts, recipes/00-check_testalltests.t
and recipes/00-check_testexes.t. recipes/00-check_testalltests.t will
pick out the dependencies of "alltests" in test/Makefile, and check if
it can find recipes with corresponding names. recipes/00-check_testexes.t
does something similar, but bases it on existing compiled test binaries.
They make it easy to figure out what's to be added, and will be
removed when this effort is finished.
Individual recipes can be run as well, of course, as they are perl
scripts in themselves. For example, you can run only
recipes/00-check_testexes.t like so:
cd test
OPENSSL_SRCDIR=.. perl recipes/00-check_testexes.t
To make coding easier, there's a routine library OpenSSL::Test, which
is reachable in a perl script like so:
use lib 'testlib';
use OpenSSL::Test;
Reviewed-by: Rich Salz <rsalz@openssl.org>