Commit graph

49 commits

Author SHA1 Message Date
Dr. Matthias St. Pierre
fbbfd128c9 Fix header file include guard names
Make the include guards consistent by renaming them systematically according
to the naming conventions below

The public header files (in the 'include/openssl' directory) are not changed
in 1.1.1, because it is a stable release.

For the private header files files, the guard names try to match the path
specified in the include directives, with all letters converted to upper case
and '/' and '.' replaced by '_'. An extra 'OSSL_' is added as prefix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9681)
2019-09-27 23:58:12 +02:00
Matt Caswell
2fe3e2b682 Fix BoringSSL external test failures
We recently turned on the TLSv1.3 downgrade sentinels by default.
Unfortunately we are using a very old version of the BoringSSL test
runner which uses an old draft implementation of TLSv1.3 that also
uses the downgrade sentinels by default. The two implementations do
not play well together and were causing spurious test failures. Until
such time as we update the BoringSSL test runner we disable the failing
tests:

SendFallbackSCSV

In this test the client is OpenSSL and the server is the boring test runner.
The client and server fail to negotiate TLSv1.3 because the test runner is
using an old draft TLSv1.3 version. The server does however add the
TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we
recently turned on checking of the downgrade sentinels on the client side
this causes the connection to fail.

VersionNegotiationExtension-TLS11

In this test the test runner is the client and OpenSSL is the server. The
test modifies the supported_versions extension sent by the client to only
include TLSv1.1 (and some other spurious versions), even though the client
does actually support TLSv1.2. The server successfully selects TLSv1.1, but
adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently
switched on by default. The test runner then checks the downgrade sentinel
and aborts the connection because it knows that it really supports TLSv1.2.

VersionNegotiationExtension-TLS1
VersionNegotiationExtension-SSL3

The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3.

ConflictingVersionNegotiation

In this test the client is the test runner, and OpenSSL is the server. The
client offers TLSv1.2 in ClientHello.version, but also adds a
supported_versions extension that only offers TLSv1.1. The
supported_versions extension takes precedence and the server (correctly)
selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade
sentinel. On the client side it knows it actually offered TLSv1.2 and so the
downgrade sentinel check fails.

[extended tests]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)
2018-08-22 15:15:19 +01:00
Benjamin Kaduk
45a2353056 Fix ossl_shim SNI handling
To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
2018-07-26 15:06:53 -05:00
Matt Caswell
c3114a7732 Set the ossl_shim to auto retry if not running asynchronously
In certain circumstances in the DTLS code we have to drop a record (e.g. if
it is a stale retransmit). We then have to move on to try and read the next
record. Some applications using blocking sockets (e.g. s_server/s_client
will hang if there isn't actually any data to be read from the socket yet).
Others can tolerate this. Therefore SSL_read()/SSL_write() can sometimes
return SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE even when using blocking
sockets. Applications can use the mode SSL_MODE_AUTO_RETRY, to switch this
behaviour off so that we never return unless we have read the data we
wanted to.

Commit ad96225285 fixed a DTLS problem where we always retried even if
SSL_MODE_AUTO_RETRY was not set. However that fix caused the Boring
ossl_shim to fail in some tests because it was relying on the previous
(buggy) behaviour. The ossl_shim should be set into SSL_MODE_AUTO_RETRY if
it is not operating asynchronously to avoid this problem.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6216)
2018-05-11 10:29:04 +01:00
Matt Caswell
aaaa6ac11b Don't negotiate TLSv1.3 with the ossl_shim
The ossl_shim doesn't know about TLSv1.3 so we should disable that
protocol version for all tests for now.

This fixes the current Travis failures.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5593)
2018-03-12 15:08:15 +00:00
Ben Kaduk
9ad9794273 Attempt to fix boringssl tests
Commit abe256e795 changed the config target
element from 'cxx' to 'CXX'; catch up accordingly.
Also use a space to offset the template boundary, per convention.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5577)
2018-03-09 17:23:00 -06:00
Matt Caswell
fe93b010e7 Update tests for TLS Ed448
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5470)
2018-03-05 11:39:44 +00:00
Matt Caswell
6738bf1417 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Richard Levitte
0f5a775219 Get rid of a warning about unused results
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5181)
2018-01-28 16:22:40 +01:00
Richard Levitte
bbc92cd129 test/ossl_shim/packeted_bio.h: don't include e_os.h
That inclusion turned out to be completely unnecessary

[extended tests]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5136)
2018-01-22 21:06:50 +01:00
Bernd Edlinger
fce78bd4ed Fix invalid function type casts.
Rename bio_info_cb to BIO_info_cb.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4493)
2017-12-15 19:33:48 +01:00
Matt Caswell
8e02e73d80 Fix the Boring tests following the SSLfatal() changes
An error reason code has changed for one of the boring tests, so
ossl_config.json needed an update to take account of it.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)
2017-12-04 13:31:48 +00:00
Pauli
21c7942140 Fix an include location problem in the extrended tests.
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4327)
2017-09-04 06:38:16 +10:00
Benjamin Kaduk
de0dc006a5 Fixup include path in ossl_shim test after e_os.h work
The include search path was not picking up files in the root of
the tree.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4316)
2017-09-01 11:04:01 -05:00
Pauli
4cff10dcbf struct timeval include guards
Move struct timeval includes into e_os.h (where the Windows ones were).
Enaure that the include is guarded canonically.

Refer #4271

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4312)
2017-09-01 09:55:43 +10:00
Rich Salz
624265c60e Cleanup some copyright stuff
Remove some incorrect copyright references.
Move copyright to standard place
Add OpenSSL copyright where missing.
Remove copyrighted file that we don't use any more
Remove Itanium assembler for RC4 and MD5 (assembler versions of old and
weak algorithms for an old chip)
Standardize apps/rehash copyright comment; approved by Timo
Put dual-copyright notice on mkcert

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3691)
2017-06-30 21:56:44 -04:00
Paul Yang
bd91e3c870 Fix a bundle of trailing spaces in several files
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3622)
2017-06-09 12:04:10 -04:00
Matt Caswell
10a1ec4833 Fix BoringSSL alert related test failures
Commit bd990e2535 changed our handling of alerts. Some of the BoringSSl
tests were expecting specific errors to be created if bad alerts were sent.
Those errors have now changed as a result of that commit, so the BoringSSL
test config needs to be updated to match.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3549)
2017-05-25 15:38:22 +01:00
FdaSilvaYY
69687aa829 More typo fixes
Fix some comments too
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
2017-03-29 07:14:29 +02:00
Matt Caswell
f81f279a73 Re-enable some BoringSSL tests
The previous 2 commits fixed some issues in the Boring tests. This
re-enables those tests.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
2017-03-14 23:15:21 +00:00
Matt Caswell
162e120711 SSL_get_peer_cert_chain() does not work after a resumption
After a resumption it is documented that SSL_get_peer_cert_chain() will
return NULL. In BoringSSL it still returns the chain. We don't support that
so we should update the shim to call SSL_get_peer_certificate() instead
when checking whether a peer certificate is available.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
2017-03-14 23:15:21 +00:00
Matt Caswell
e29d7cea33 Ensure we set the session id context in ossl_shim
OpenSSL requires that we set the session id context. BoringSSL apparently
does not require this, so wasn't setting it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
2017-03-14 23:15:21 +00:00
Matt Caswell
64e2b23ce3 Fix 12 Boring tests involving NULL-SHA ciphersuites
The Boring runner attempts to enable the NULL-SHA ciphersuite using the
cipherstring "DEFAULT:NULL-SHA". However in OpenSSL DEFAULT permanently
switches off NULL ciphersuites, so we fix this up to be "ALL:NULL-SHA"
instead. We can't change the runner so we have to change the shim to
detect this.

(Merged from https://github.com/openssl/openssl/pull/2933)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2017-03-14 14:29:31 +00:00
Matt Caswell
4b5f7e7555 Update ossl_config.json for later BoringSSL commit
Update the list of suppressions so that we can run a later BoringSSL set
of tests. This also adds an ErrorMap to greatly reduce the number of
failing tests. The remaining tests that still fail are just disabled for
now.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2930)
2017-03-14 12:12:13 +00:00
Matt Caswell
2256f456bc Make the Boring tests pass
The boring tests are currently failing because they send a PSK extension
which isn't in the last place. This is not allowed in the latest TLS1.3
specs. However the Boring tests we have are based on an old commit that
pre-date when that rule first appeared.

The proper solution is to update the tests to a later commit. But for now
to get travis to go green we disable the failing tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2928)
2017-03-14 09:59:51 +00:00
Rich Salz
aff8c126fd Move extension data into sub-structs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
2017-01-09 22:26:47 -05:00
Matt Caswell
14d21b690a Suppress some BoringSSL test failures
The external BoringSSL tests had some failures as a result of
the extensions refactor. This was due to a deliberate relaxation
of the duplicate extensions checking code. We now only check
known extensions for duplicates. Unknown extensions are ignored.
This is allowed behaviour, so we suppress those BoringSSL tests.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:20:45 +00:00
Matt Caswell
66889e4399 Fix some defines in ossl_shim
ossl_shim had some TLS1.3 defines that are now in ssl.h so need to be
removed.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-11-23 17:01:33 +00:00
Matt Caswell
a1ca39c02c Remove an unused field in ossl_shim
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
e8585479a1 Add a wildcard exception for TLS13 tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
92ab7db6f8 Swap header copyrights to standard OpenSSL
As per permission from Google (Emilia).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
bc708af4b0 Add missing bn.h include
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
b289bff830 Update the BoringSSL suppressions file based on the latest shim
The updated shim has the ability to skip tests using unimplemented flags.
This should reduce the number of test failures.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
1669b7b587 Rename BoringSSL style OPENSSL_WINDOWS to OPENSSL_SYS_WINDOWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
1c8235c9b3 Fix a code inconsistency
Move from two ifs to a single one with an &&

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
fc237de7ff Remove some #if 0'd out code
It was only a sanity check anyway, so isn't needed

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
0abcaddfcb Removed scoped_types.h
It is no longer used (replaced with bssl:UniquePtr)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
aedf33aed5 Remove some flags that are unused in the shim
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
06e452fbc1 Use the -allow-unimplemented feature of the BoringSSL runner
That way we can remove flags that we don't support

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
8beda2c12d Remove unused BoringSSL specific flags
We will rely on the -allow-unimplemented feature instead.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
5b2d35c344 Remove some unreferenced fields from TestState
They were there for BoringSSL only features which are not relevant to us.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
2fd0dfd9f6 Remove some #if 0'd out code
It was just a sanity check and isn't needed

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
d664ff498c Remove test/ossl_shim/Makefile
This Makefile was temporary. Building ossl_shim has now been integrated into
to the build system.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
4d040e283e Fix some unused variable warnings in ossl_shim
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
ce2596d404 Control building of ossl_shim through Configure
Don't build ossl_shim by default. Switch it on through
enable-external-tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Richard Levitte
cfa7697986 Integrate ossl_shim into the build
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
50b014e4c6 Add a shim config file
This just disables all tests that fail at the moment. Over time we will
want to go over these and figure out why they are failing (and fix them if
appropriate)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
7b73b7beda Rebase shim against latest boringssl code
Numerous conflicts resolved. rebase was against commit 490469f850.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
eef977aa0e Integrate BoringSSL shim
The BoringSSL test suite contains numerous tests which OpenSSL does not.

The BoringSSL test runner uses a shim to launch the library and execute the
tests. This is a version of the BoringSSL shim converted to compile against
OpenSSL instead.

This is primarily based on the work of David Benjamin from the BoringSSL
project who did most of the necessary conversion. It also includes a few
other tweaks for opacity changes etc.

This is based on a *very* old version of BoringSSL from commit f277add6c.
That was the last commit known to work with this patched shim. Later
versions may also work but lots of merge conflicts occur when trying to
bring it up to date.

At the moment this has not been integrated into the build system. There is
a very simple standalone makefile in the ossl_shim directory which should
be executed directly before tyring to use the shim.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00