Also, be less silent when installing, so possible errors are shown.
[extended tests]
Fixes#3005
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3007)
When using run() with capture => 1, there was no way to find out if
the command was successful or not. This change adds a statusvar
option, that must refer to a scalar variable, for example:
my $status = undef;
my @line = run(["whatever"], capture => 1, statusvar => \$status);
$status will be 1 if the command "whatever" was successful, 0
otherwise.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3004)
The code to do this incorrectly assumed that the protocol version
could be used as a valid cipher suite for the 'openssl cipher'
command. While this is true in some cases, that isn't something to be
trusted. Replace that assumption with code that takes the full
'openssl ciphers' command output and parses it to find the ciphers we
look for.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2956)
Fix a strict aliasing issue in ui_dup_method_data.
Add test coverage for CRYPTO_dup_ex_data, use OPENSSL_assert.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2988)
The internals tests for chacha, poly1305 and siphash were erroneously
made conditional on if mdc2 was enabled. Corrected to depend on the
correct algorithms being enabled instead.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2991)
Add a test recipe (test/recipes/15-test_ecparams.t) which uses 'openssl
ecparam' to check the test vectors.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2544)
This involves:
- A directory of valid and invalid PEM-encoded curves.
This is non-exhaustive and can be added to.
- A minor patch to 'openssl ecparam' to make it exit non-zero
when curve validation fails.
- A test recipe is added in a separate commit.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2544)
These were still generated by openssl, but with
the previous commit are corroborated by rustls.
(cherry picked from commit eae1982619e90c6b79a6ebc89603d81c13c81ce8)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2989)
The documentation of this function states that the password parameter
can be NULL. However, the implementation returns an error in this case
due to the inner workings of the HMAC_Init_ex() function.
With this change, NULL password will be treated as an empty string and
PKCS5_PBKDF2_HMAC() no longer fails on this input.
I have also added two new test cases that tests the handling of the
special values NULL and -1 of the password and passlen parameters,
respectively.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1692)
At one point the stack was passing a pointer of the element *before* an
array which is undefined.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2971)
Add ExpectedClientCANames: for client auth this checks to see if the
list of certificate authorities supplied by the server matches the
expected value.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2969)
Check that we handle changes of ciphersuite between HRR and ServerHello
correctly.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
Test that if the server selects a ciphersuite with a different hash from
the PSK in the original ClientHello, the second ClientHello does not
contain the PSK.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
The end of early data is now indicated by a new handshake message rather
than an alert.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
These are self-generated test vectors which gives us very little
confidence that we've got the implementation right. However until
we can get vectors from somewhere else (or ideally official vectors)
this is all we've got. At least it will tell us if we accidentally
break something at some point in the future.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2895)
Add python cryptography testing instructions too
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2885)
Import test data from:
ftp://ftp.rsasecurity.com/pub/pkcs/pkcs-1/pkcs-1v2-1-vec.zip
This is a set of RSA-PSS and RSA-OAEP test vectors including some edge cases
with unusual key sizes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2944)
The previous 2 commits fixed some issues in the Boring tests. This
re-enables those tests.
[extended tests]
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
After a resumption it is documented that SSL_get_peer_cert_chain() will
return NULL. In BoringSSL it still returns the chain. We don't support that
so we should update the shim to call SSL_get_peer_certificate() instead
when checking whether a peer certificate is available.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
OpenSSL requires that we set the session id context. BoringSSL apparently
does not require this, so wasn't setting it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
Using a cert with Cyrillic characters, kindly supplied by Dmitry Belyavsky
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2943)
Found using various (old-ish) versions of gcc.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2940)
On some platforms, setting stdout to binary mode isn't quite enough,
which makes the result unusable. With -out, we have better control.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2939)
The Boring runner attempts to enable the NULL-SHA ciphersuite using the
cipherstring "DEFAULT:NULL-SHA". However in OpenSSL DEFAULT permanently
switches off NULL ciphersuites, so we fix this up to be "ALL:NULL-SHA"
instead. We can't change the runner so we have to change the shim to
detect this.
(Merged from https://github.com/openssl/openssl/pull/2933)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
We already test DTLS protocol versions. For good measure, add some
DTLS tests with client auth to the new test framework, so that we can
remove the old tests without losing coverage.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Update the list of suppressions so that we can run a later BoringSSL set
of tests. This also adds an ErrorMap to greatly reduce the number of
failing tests. The remaining tests that still fail are just disabled for
now.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2930)
The boring tests are currently failing because they send a PSK extension
which isn't in the last place. This is not allowed in the latest TLS1.3
specs. However the Boring tests we have are based on an old commit that
pre-date when that rule first appeared.
The proper solution is to update the tests to a later commit. But for now
to get travis to go green we disable the failing tests.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2928)
This will make the individual external tests more easily selectable /
deselectable through the usual test selection mechanism.
This also moves external tests to group 95.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2902)
This allows a finer granularity when selecting which tests to run, and
makes the tests more vidible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2901)
Examples of possible expressions (adapt to your platform):
make test TESTS=-99
make test TESTS=10
make test TESTS=-9?
make test TESTS=-[89]0
make test TESTS=[89]0
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2887)
process. This means no AEAD ciphers and no XTS mode.
Update the test script that uses this output to test cipher suites to not
filter out the now missing cipher modes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
The value of SSL3_RT_MAX_ENCRYPTED_LENGTH normally includes the compression
overhead (even if no compression is negotiated for a connection). Except in
a build where no-comp is used the value of SSL3_RT_MAX_ENCRYPTED_LENGTH does
not include the compression overhead.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2872)
We just check that if we insert a cookie into an HRR it gets echoed back
in the subsequent ClientHello.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2839)
Change the early data API so that the server must use
SSL_write_early_data() to write to an unauthenticated client.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
This is for consistency with the rest of the API where all the functions
are called *early_data*.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
This is for consistency with the rest of the API where all the functions
are called *early_data*.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
Don't create a custom boolean type for parsing CompressionExpected. Use
the existing one instead.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
- FLAT_INC
- PKCS1_CHECK (the SSL_OP_PKCS1_CHECK options have been
no-oped)
- PKCS_TESTVECT (debugging leftovers)
- SSL_AD_MISSING_SRP_USERNAME (unfinished feature)
- DTLS_AD_MISSING_HANDSHAKE_MESSAGE (unfinished feature)
- USE_OBJ_MAC (note this removes a define from the public header but
very unlikely someone would be depending on it)
- SSL_FORBID_ENULL
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
AGL has a history of pointing out the idiosynchronies/laxness of the
openssl PEM parser in amusing ways. If we want this functionality to
stay present, we should test that it works.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2756)
Generate a fresh certificate and DSA private key in their respective PEM
files. Modify the resulting ASCII in various ways so as to produce input
files that might be generated by non-openssl programs (openssl always
generates "standard" PEM files, with base64 data in 64-character lines
except for a possible shorter last line).
Exercise various combinations of line lengths, leading/trailing
whitespace, non-base64 characters, comments, and padding, for both
unencrypted and encrypted files. (We do not have any other test coverage
that uses encrypted files, as far as I can see, and the parser enforces
different rules for the body of encrypted files.)
Add a recipe to parse these test files and verify that they contain the
expected string or are rejected, according to the expected status.
Some of the current behavior is perhaps suboptimal and could be revisited.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2756)
This removes the fips configure option. This option is broken as the
required FIPS code is not available.
FIPS_mode() and FIPS_mode_set() are retained for compatibility, but
FIPS_mode() always returns 0, and FIPS_mode_set() can only be used to
turn FIPS mode off.
Reviewed-by: Stephen Henson <steve@openssl.org>
The second loop in the remove_space function doesn't check for walking
back off of the start of the string while setting white space to 0.
This fix exits this loop once the pointer is before the (updated) beginning
of the string.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2752)
Avoid a -Wundef warning in refcount.h
Avoid a -Wundef warning in o_str.c
Avoid a -Wundef warning in testutil.h
Include internal/cryptlib.h before openssl/stack.h
to avoid use of undefined symbol OPENSSL_API_COMPAT.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2712)
Make sure that we can stop handshake processing and resume it later.
Also check that the cipher list and compression methods are sane.
Unfortunately, we don't have the client-side APIs needed to force
a specific (known) session ID to be sent in the ClientHello, so
that accessor cannot be tested here.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
Certain callback APIs allow the callback to request async processing
by trickling a particular error value up the stack to the application
as an error return from the handshake function. In those cases,
SSL_want() returns a code specific to the type of async processing
needed.
The create_ssl_connection() helper function for the tests is very
helpful for several things, including creating API tests. However,
it does not currently let us test the async processing functionality
of these callback interfaces, because the special SSL error codes
are treated as generic errors and the helper continues to loop until
it reaches its maximum iteration count.
Add a new parameter, 'want', that indicates an expected/desired
special SSL error code, so that the helper will terminate when
either side reports that error, giving control back to the calling
function and allowing the test to proceed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
create_ssl_connection() prints out the results if SSL_accept() and/or
SSL_connect() fail, but was reusing the client return value when printing
about SSL_accept() failures.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
Plumb things through in the same place as the SNI callback, since
we recommend that the early callback replace (and supplement) the
SNI callback, and add a few test cases.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
TODO(robpercival): Should actually test that the output certificate
contains the poison extension.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
This implementation is written in endian agnostic C code. No attempt
at providing machine specific assembly code has been made. This
implementation expands the evptests by including the test cases from
RFC 5794 and ARIA official site rather than providing an individual
test case. Support for ARIA has been integrated into the command line
applications, but not TLS. Implemented modes are CBC, CFB1, CFB8,
CFB128, CTR, ECB and OFB128.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2337)
On VMS, file names with more than one period get all but the last get
escaped with a ^, so 21-key-update.conf.in becomes 21-key-update^.conf.in
That means that %conf_dependent_tests and %skip become useless unless
we massage the file names that are used as indexes.
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2678)
Since 20-cert-select.conf will vary depending in no-dh and no-dsa,
don't check it against original when those options are selected
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2680)
We use an int instead. That means SSL_key_update() also should use an int.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
In 1.1.0 changing the ciphersuite during a renegotiation can result in
a crash leading to a DoS attack. In master this does not occur with TLS
(instead you get an internal error, which is still wrong but not a security
issue) - but the problem still exists in the DTLS code.
The problem is caused by changing the flag indicating whether to use ETM
or not immediately on negotiation of ETM, rather than at CCS. Therefore,
during a renegotiation, if the ETM state is changing (usually due to a
change of ciphersuite), then an error/crash will occur.
Due to the fact that there are separate CCS messages for read and write
we actually now need two flags to determine whether to use ETM or not.
CVE-2017-3733
Reviewed-by: Richard Levitte <levitte@openssl.org>
In 1.1.0 changing the ciphersuite during a renegotiation can result in
a crash leading to a DoS attack. In master this does not occur with TLS
(instead you get an internal error, which is still wrong but not a security
issue) - but the problem still exists in the DTLS code.
This commit provides a test for the issue.
CVE-2017-3733
Reviewed-by: Richard Levitte <levitte@openssl.org>
Make sure we get an HRR in the right circumstances based on kex mode.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
Previously counting the number of tests in checkhandshake.pm took an
initial guess and then modified it based on various known special
cases. That is becoming increasingly untenable, so this changes it to
properly calculate the number of tests we expect to run.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
This happens when a fd is added and then immediately removed from the
ASYNC_WAIT_CTX before pausing the job.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2581)
test/recipes/40-test_rehash.t uses test files from certs/demo, which
doesn't exist any longer. Have it use PEM files from test/ instead.
Because rehash wants only one certificate or CRL per file, we must
also filter those PEM files to produce test files with a single object
each.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2594)
If s->s3->tmp.new_cipher is NULL then a crash can occur. This can happen
if an alert gets sent after version negotiation (i.e. we have selected
TLSv1.3 and ended up in tls13_enc), but before a ciphersuite has been
selected.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2575)
Idea is to keep it last for all eternity, so that if you find yourself
in time-pressed situation and deem that fuzz test can be temporarily
skipped, you can terminate the test suite with less hesitation about
following tests that you would have originally missed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
For TLS 1.3 we select certificates with signature algorithms extension
only. For ECDSA+SHA384 there is the additional restriction that the
curve must be P-384: since the test uses P-256 this should fail.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
The core SipHash supports either 8 or 16-byte output and a configurable
number of rounds.
The default behavior, as added to EVP, is to use 16-byte output and
2,4 rounds, which matches the behavior of most implementations.
There is an EVP_PKEY_CTRL that can control the output size.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2216)
Now that we support internal tests properly, we can test wpacket even in
shared builds.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
In TLSv1.3 the connection will be created before the session is
established. In OpenSSL we send the NewSessionTicket message immediately
after the client finished has been received. Therefore we change
create_ssl_connection() to attempt a read of application data after the
handshake has completed. We expect this to fail but it will force the
reading of the NewSessionTicket and the session to be set up.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
