VMS C doesn't allow symbols longer than 31 characters. We do the
automatic shortening with the library files, but not otherwise (to
make sure to work the VMS C magic).
For consistency, I shortened other similar symbols in the same manner.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit adds some session API tests, and in particular tests the
modified behaviour of SSL_set_session() introduced in the last commit. To
do this I have factored out some common code from the asynciotest into a
new ssltestlib.c file. I've also renamed getsettest to sslapitest as this
more closely matches what it now is!
Reviewed-by: Rich Salz <rsalz@openssl.org>
The SNI tests introduced a redundant "server2" section into every test
configuration. Copy this automatically from "server" unless testing SNI,
to reduce noise in the generated confs.
Also remove duplicate SSL_TEST_CTX_create (merge conflict error).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Some Linux platforms have a suitably recent kernel to support AFALG, but
apparently you still can't actually create an afalg socket. This extends
the afalg_chk_platform() function to additionally check whether we can
create an AFALG socket. We also amend the afalgtest to not report a
failure to load the engine as a test failure. A failure to load is almost
certainly due to platform environmental issues, and not an OpenSSL problem.
RT 4434
Reviewed-by: Andy Polyakov <appro@openssl.org>
- Only send SNI in SNI tests. This allows us to test handshakes without
the SNI extension as well.
- Move all handshake-specific machinery to handshake_helper.c
- Use enum types to represent the enum everywhere
(Resorting to plain ints can end in sign mismatch when the enum is
represented by an unsigned type.)
Reviewed-by: Rich Salz <rsalz@openssl.org>
We already test in EC_POINT_oct2point that points are on the curve. To
be on the safe side, move this check to
EC_POINT_set_affine_coordinates_* so as to also check point coordinates
received through some other method.
We do not check projective coordinates, though, as
- it's unlikely that applications would be receiving this primarily
internal representation from untrusted sources, and
- it's possible that the projective setters are used in a setting where
performance matters.
Reviewed-by: Rich Salz <rsalz@openssl.org>
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
Various fixes to get the following to compile:
./config no-asm -ansi -D_DEFAULT_SOURCE
RT4479
RT4480
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
The previous commit changed how we handle out-of-context empty records.
This commit adds some tests for the various scenarios. There are three
tests:
1: Check that if we inject an out-of-context empty record then we fail
2: Check that if we inject an in-context empty record then we succeed
3: Check that if we inject too many in-context empty records then we fail.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The previous commit fixed a bug with BN_mod_word() which would have been
caught if we had a test for it. This commit adds one.
Reviewed-by: Andy Polyakov <appro@openssl.org>
If we're going to redirect STDERR and STDOUT, it's better to do it by
the book. This fix is a straight copy of examples in the perlfunc
manual.
Reviewed-by: Matt Caswell <matt@openssl.org>
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
In rare cases, the shell we run test programs in may have complaints.
Shut those up unless testing verbosely.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Since one generates files that the other depends on, there's no
real reason to keep them separate. Since they were both different
aspects of 'openssl req', the merge ends up in 25-test_req.t.
This also makes cleanup easier.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Generate small test programs to check that external programs can be
built with our stuff at a very basic level.
For now, they check that each of our header files can be included
individually without compile failure.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Trying to use normal perl conditions to conditionally 'use' a perl
module didn't quite work. Using the 'if' module to do so does work.
Reviewed-by: Andy Polyakov <appro@openssl.org>
As it turns out default glob's behaviour for quoted argument varies
from version to version, making it impossible to Configure or run
tests in some cases. The reason for quoting globs was to accommodate
source path with spaces in its name, which was treated by default glob
as multiple paths. File::Glob::glob on the other hand doesn't consider
spaces as delimiters and therefore works with unquoted patterns.
[Unfortunaltely File::Glob::glob, being too csh-ly, doesn't work
on VMS, hence the "pinning" is conditional.]
Reviewed-by: Richard Levitte <levitte@openssl.org>
If using the msys console then msys attempts to "fix" command line
arguments to convert them from Unix style to Windows style. One of the
things it does is to look for arguments seperated by colons. This it
assumes is a list of file paths, so it replaces the colon with a semi-colon.
This was causing one of our tests to fail when calling the "req" command
line app. We were attempting to create a new DSA key and passing the
argument "dsa:../apps/dsa1024.pem". This is exactly what we intended but
Msys mangles it to "dsa;../apps/dsa1024.pem" and the command fails.
There doesn't seem to be a way to suppress Msys name mangling. Fortunately
we can work around this issue by generating the DSA key in a separate step
by calling "gendsa".
RT#4255
Reviewed-by: Richard Levitte <levitte@openssl.org>
Clang was complaining about some variables possibly being uninitialized
when used. The warnings are bogus, but clang can't figure that out. This
silences the warnings.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Previous commits fixed the implementation of the %e and %g format
specifiers as well as other issues. This commit adds a test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This adds an async IO test. There are two test runs. The first one does
a normal handshake with lots of async IO events. The second one does the
same but this time breaks up all the written records into multiple records
of one byte in length. We do this all the way up until the CCS.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The write BIO for handshake messages is bufferred so that we only write
out to the network when we have a complete flight. There was some
complexity in the buffering logic so that we switched buffering on and
off at various points through out the handshake. The only real reason to
do this was historically it complicated the state machine when you wanted
to flush because you had to traverse through the "flush" state (in order
to cope with NBIO). Where we knew up front that there was only going to
be one message in the flight we switched off buffering to avoid that.
In the new state machine there is no longer a need for a flush state so
it is simpler just to have buffering on for the whole handshake. This
also gives us the added benefit that we can simply call flush after every
flight even if it only has one message in it. This means that BIO authors
can implement their own buffering strategies and not have to be aware of
the state of the SSL object (previously they would have to switch off
their own buffering during the handshake because they could not rely on
a flush being received when they really needed to write data out). This
last point addresses GitHub Issue #322.
Reviewed-by: Andy Polyakov <appro@openssl.org>
In some cases, perl's glob() thinks it needs to return file names with
generation numbers, such as when a file name pattern includes two
periods. Constructing other file names by simple appending to file
names with generation numbers isn't a good idea, so for the VMS case,
just peal the generation numbers if they are there.
Fortunately, this is easy, as the returned generation number delimiter
will always be a semi-colon.
Reviewed-by: Rich Salz <rsalz@openssl.org>
If the server does not send a session ticket extension, it should not then
send the NewSessionTicket message.
If the server sends the session ticket extension, it MUST then send the
NewSessionTicket message.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
The old proxy tests test the implementation of an application proxy
policy callback defined in the test itself, which is not particularly
useful.
It is, however, useful to test cert verify overrides in
general. Therefore, replace these tests with tests for cert verify
callback behaviour.
Also glob the ssl test inputs on the .in files to catch missing
generated files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The old cipherlist test in ssltest.c only tests the internal order of
the cipher table, which is pretty useless.
Replace this test with a test that catches inadvertent changes to the
default cipherlist.
Fix run_tests.pl to correctly filter tests that have "list" in their name.
(Also includes a small drive-by fix in .gitignore.)
Reviewed-by: Rich Salz <rsalz@openssl.org>
