Commit graph

2256 commits

Author SHA1 Message Date
Pauli
a9f3f1ccbb Tests for MD5-SHA1 combined digest.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6642)
2018-07-04 08:07:02 +10:00
Matt Caswell
4cb004573a Remove TLSv1.3 tickets from the client cache as we use them
Tickets are supposed to be single use so we remove them from the cache on
use.

Fixes #6377

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6601)
2018-07-03 09:44:46 +01:00
Pauli
c36b39b5cd Check for NULL conf in NCONF_get_number
The problematic case falls back to a NULL conf which returns the result
of getenv(2).  If this returns NULL, everything was good.  If this returns
a string an attempt to convert it to a number is made using the function
pointers from conf.

This fix uses the strtol(3) function instead, we don't have the
configuration settings and this behaves as the default would.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6632)
2018-07-03 13:14:17 +10:00
Matt Caswell
3bb5e5b09e Add the ability to configure anti-replay via SSL_CONF
This also adds the ability to control this through s_server

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Matt Caswell
5a42141565 Add a test for the new early data callback
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6469)
2018-07-02 15:06:12 +01:00
Billy Brumley
249330de02 More EVP ECC testing: positive and negative
1. For every named curve, two "golden" keypair positive tests.
2. Also two "golden" stock ECDH positive tests.
3. For named curves with non-trivial cofactors, additionally two "golden"
   ECC CDH positive tests.
4. For named curves with non-trivial cofactors, additionally two negative
   tests.

There is some overlap with existing EVP tests, especially for the NIST
curves (for example, positive testing ECC CDH KATs for NIST curves).

"Golden" here means all the values are independent from OpenSSL's ECC
code. I used sage to calculate them. What comes from OpenSSL is:

1. The OIDs (parsed by tooling)
2. The curve parameters (parsing ecparam output with tooling)

The values inside the PEMs (private keys, public keys) and shared keys
are from sage. The PEMs themselves are the output of asn1parse, with
input taken from sage.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6608)
2018-06-29 12:29:12 +02:00
Matt Caswell
358ffa05cd Return a fatal error if application data is encountered during shutdown
Currently if you encounter application data while waiting for a
close_notify from the peer, and you have called SSL_shutdown() then
you will get a -1 return (fatal error) and SSL_ERROR_SYSCALL from
SSL_get_error(). This isn't accurate (it should be SSL_ERROR_SSL) and
isn't persistent (you can call SSL_shutdown() again and it might then work).

We change this into a proper fatal error that is persistent.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
2018-06-27 10:03:37 +01:00
Matt Caswell
ba70904949 Return SSL_ERROR_WANT_READ if SSL_shutdown() encounters handshake data
In the case where we are shutdown for writing and awaiting a close_notify
back from a subsequent SSL_shutdown() call we skip over handshake data
that is received. This should not be treated as an error - instead it
should be signalled with SSL_ERROR_WANT_READ.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
2018-06-27 10:03:20 +01:00
Matt Caswell
c748834ff7 Add a bi-directional shutdown test
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
2018-06-27 10:03:20 +01:00
Matt Caswell
6cc0b3c217 Respect SSL_OP_NO_TICKET in TLSv1.3
Implement support for stateful TLSv1.3 tickets, and use them if
SSL_OP_NO_TICKET is set.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6563)
2018-06-26 18:09:46 +01:00
Bernd Edlinger
09fb65d5e4 Fix negative test result in sm2 test
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/6548)
2018-06-22 14:55:28 +02:00
Andy Polyakov
bd3d8c1260 recipes/90-test_shlibload.t: disable tests on AIX till further notice.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6487)
2018-06-22 10:58:00 +02:00
Nicola Tuveri
3f5abab941 enable-ec_nistp_64_gcc_128: Fix function prototype warning [-Wstrict-prototypes]
Fix prototype warnings triggered by -Wstrict-prototypes when configuring
with `enable-ec_nistp_64_gcc_128`

Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
(Merged from https://github.com/openssl/openssl/pull/6556)
2018-06-22 08:08:01 +02:00
Dr. Matthias St. Pierre
12bd4e141e testutil/driver.c: Fix function prototype warning [-Wstrict-prototypes]
(introduced by commit 9186016582, which added -Wstrict-prototypes)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6555)
2018-06-22 01:04:34 +02:00
Shane Lontis
7d79d13a56 Fixed range of random produced in BN_is_prime_fasttest_ex() to be 1 < rand < w-1. It was using 1<= rand < w (which is wrong by 1 on both ends)
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6547)
2018-06-22 07:07:20 +10:00
Bernd Edlinger
9186016582 Add -Wstrict-prototypes option to --strict-warnings
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6542)
2018-06-21 19:04:19 +02:00
Billy Brumley
a766aab93a [crypto/ec] don't assume points are of order group->order
Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6535)
2018-06-21 13:33:42 +02:00
Matt Caswell
fd38836ba8 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6538)
2018-06-20 15:29:23 +01:00
Matt Caswell
c86acc9f83 Fix no-sm2
Fixes #6525

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6531)
2018-06-20 14:29:31 +01:00
Bernd Edlinger
f73164ca1e Fix test sm2 test failure with ec blinding
[extended tests]

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6529)
2018-06-20 14:22:59 +01:00
Jack Lloyd
ddb634fe6f Move SM2 algos to SM2 specific PKEY method
Use EVP_PKEY_set_alias_type to access

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6443)
2018-06-19 11:29:44 +01:00
David von Oheimb
8263e6cb98 add cast in test/x509aux.c preventing compiler warning for VC-WIN64A architecture
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6217)
2018-06-18 10:45:35 +01:00
Matt Caswell
896dcb8065 Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6437)
2018-06-08 16:45:04 +01:00
Matt Caswell
bb5f281ad0 Add a test for the raw private/public key getters
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6394)
2018-06-08 10:04:09 +01:00
Matt Caswell
6cf2dbd9fa Don't store the ticket nonce in the session
We generate the secrets based on the nonce immediately so there is no
need to keep the nonce.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6415)
2018-06-07 10:58:35 +01:00
Matt Caswell
2167239aba Use lowercase for internal SM2 symbols
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
e14d6cf691 Improve use of the test framework in the SM2 internal tests
Also general clean up of those tests

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:56 +01:00
Matt Caswell
266291aa8d Add test recipes for internal SM2 tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Jack Lloyd
e425f90fff Make SM2 functions private
Address issue #5670

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6386)
2018-06-04 11:59:40 +01:00
Richard Levitte
1e8d5ea5df OSSL_STORE: don't test file: URIs on Mingw
Under a mingw shell, the command line path conversion either mangles
file: URIs to something useless (file;C:\...) or not at all (which
can't be opened by the Windows C RTL unless we're really lucky), so we
simply skip testing them in that environment.

Fixes #6369

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6376)
2018-05-30 16:10:42 +02:00
Matt Caswell
adf652436a Test that a ^ 0 mod -1 is always 0
Check all functions that do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6355)
2018-05-29 16:43:18 +01:00
Matt Caswell
83cf7abf8e Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6371)
2018-05-29 13:16:04 +01:00
David Benjamin
2de108dfa3 Save and restore the Windows error around TlsGetValue.
TlsGetValue clears the last error even on success, so that callers may
distinguish it successfully returning NULL or failing. This error-mangling
behavior interferes with the caller's use of GetLastError. In particular
SSL_get_error queries the error queue to determine whether the caller should
look at the OS's errors. To avoid destroying state, save and restore the
Windows error.

Fixes #6299.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6316)
2018-05-23 17:34:54 -04:00
David Benjamin
fc6f579a9e Fix explicit EC curve encoding.
Per SEC 1, the curve coefficients must be padded up to size. See C.2's
definition of Curve, C.1's definition of FieldElement, and 2.3.5's definition
of how to encode the field elements in http://www.secg.org/sec1-v2.pdf.

This comes up for P-521, where b needs a leading zero.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6314)
2018-05-23 17:32:41 -04:00
Viktor Dukhovni
d02d80b2e8 Limit scope of CN name constraints
Don't apply DNS name constraints to the subject CN when there's a
least one DNS-ID subjectAlternativeName.

Don't apply DNS name constraints to subject CN's that are sufficiently
unlike DNS names.  Checked name must have at least two labels, with
all labels non-empty, no trailing '.' and all hyphens must be
internal in each label.  In addition to the usual LDH characters,
we also allow "_", since some sites use these for hostnames despite
all the standards.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2018-05-23 11:12:13 -04:00
Matt Caswell
0422591573 Fix no-ec, no-tls1_3 and no-tls
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6321)
2018-05-23 10:44:04 +01:00
Kurt Roeckx
693cf80c6f Enable SSL_MODE_AUTO_RETRY by default
Because TLS 1.3 sends more non-application data records some clients run
into problems because they don't expect SSL_read() to return and set
SSL_ERROR_WANT_READ after processing it.

This can cause problems for clients that use blocking I/O and use
select() to see if data is available. It can be cleared using
SSL_CTX_clear_mode().

Reviewed-by: Matt Caswell <matt@openssl.org>
GH: #6260
2018-05-22 22:45:28 +02:00
Matt Caswell
1aac20f509 Fix no-ec in combination with no-dh
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6321)
2018-05-22 13:21:24 +01:00
Matt Caswell
ee94ec2ef8 Don't cache stateless tickets in TLSv1.3
In TLSv1.2 and below we always cache new sessions by default on the server
side in the internal cache (even when we're using session tickets). This is
in order to support resumption from a session id.

In TLSv1.3 there is no session id. It is only possible to resume using the
ticket. Therefore, in the default case,  there is no point in caching the
session in the internal store.

There is still a reason to call the external cache new session callback
because applications may be using the callbacks just to know about when
sessions are created (and not necessarily implementing a full cache). If
the application also implements the remove session callback then we are
forced to also store it in the internal cache so that we can create
timeout events. Otherwise the external cache could just fill up
indefinitely.

This mostly addresses the issue described in #5628. That issue also proposes
having an option to not create full stateless tickets when using the
internal cache. That aspect hasn't been addressed yet.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/6293)
2018-05-21 10:36:03 +01:00
Dr. Matthias St. Pierre
8a59c08583 DH: add some basic tests (and comments)
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6273)
2018-05-18 08:53:48 +02:00
Matt Caswell
c22365b399 Improve testing of tickets with post-handshake auth
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
36ff232cf2 Change the default number of NewSessionTickets we send to 2
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5227)
2018-05-17 16:48:25 +01:00
Matt Caswell
73cc84a132 Suport TLSv1.3 draft 28
Also retains support for drafts 27 and 26

Fixes #6257

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6258)
2018-05-15 10:02:59 +01:00
Matt Caswell
ba8b48e98d Fix no-tls1_2
Also fixes no-tls1_2-method, no-tls1_3, no-tls, no-ec

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6253)
2018-05-14 17:43:19 +01:00
Matt Caswell
61fb59238d Rework the decrypt ticket callback
Don't call the decrypt ticket callback if we've already encountered a
fatal error. Do call it if we have an empty ticket present.

Change the return code to have 5 distinct returns codes and separate it
from the input status value.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:09 +01:00
Matt Caswell
c20e3b282c Fix mem leak in sslapi test
The recent change in behaviour where you do not get a NewSessionTicket
message sent if you established the connection using a PSK caused a mem
leak to be triggered in sslapitest. It was actually a latent bug and we
were just lucky we never hit it before. The problem is due to complexity
with the way PSK sessions were set up in the early_data tests. PSK session
reference counting was handled differently to normal session reference
counting. This meant there were lots of special cases in the code where
we don't free a session if it is a PSK. It makes things easier if we just
handle PSK reference counts in the same way as other session reference
counts, and then we can remove all of the special case code.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
d0191fe059 Add a test for the ticket callbacks
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
c0638adeec Fix ticket callbacks in TLSv1.3
The return value from the ticket_key callback was not properly handled in
TLSv1.3, so that a ticket was *always* renewed even if the callback
requested that it should not be.

Also the ticket decrypt callback was not being called at all in TLSv1.3.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6198)
2018-05-11 14:51:08 +01:00
Matt Caswell
e825109236 Add some more SSL_pending() and SSL_has_pending() tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6159)
2018-05-11 14:20:57 +01:00
Matt Caswell
0d8da77908 Test an old style PSK callback with no cert will prefer SHA-256
If using an old style PSK callback and no certificate is configured for
the server, we should prefer ciphersuites based on SHA-256, because that
is the default hash for those callbacks as specified in the TLSv1.3 spec.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6215)
2018-05-11 13:47:13 +01:00
Kurt Roeckx
3cb7c5cfef Use void in all function definitions that do not take any arguments
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #6208
2018-05-11 14:37:48 +02:00
Matt Caswell
c3114a7732 Set the ossl_shim to auto retry if not running asynchronously
In certain circumstances in the DTLS code we have to drop a record (e.g. if
it is a stale retransmit). We then have to move on to try and read the next
record. Some applications using blocking sockets (e.g. s_server/s_client
will hang if there isn't actually any data to be read from the socket yet).
Others can tolerate this. Therefore SSL_read()/SSL_write() can sometimes
return SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE even when using blocking
sockets. Applications can use the mode SSL_MODE_AUTO_RETRY, to switch this
behaviour off so that we never return unless we have read the data we
wanted to.

Commit ad96225285 fixed a DTLS problem where we always retried even if
SSL_MODE_AUTO_RETRY was not set. However that fix caused the Boring
ossl_shim to fail in some tests because it was relying on the previous
(buggy) behaviour. The ossl_shim should be set into SSL_MODE_AUTO_RETRY if
it is not operating asynchronously to avoid this problem.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6216)
2018-05-11 10:29:04 +01:00
Matt Caswell
a01b9cd5a7 Fix no-cms
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6205)
2018-05-09 23:22:11 +01:00
Matt Caswell
60155b9ae1 Fix no-tls1_2, no-tls1_2-method, no-chacha and no-poly1305
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6205)
2018-05-09 23:22:11 +01:00
Matt Caswell
61e96557f9 Add a DTLS test for dropped records
Drop a record from a handshake and check that we can still complete the
handshake. Repeat for all records in the handshake.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6170)
2018-05-08 09:40:17 +01:00
Matt Caswell
e15e92dbd5 Add a CMS API test
Previous tests only invoked CMS via the command line app. This test uses
the CMS API directly to do and encrypt and decrypt operation. This test
would have caught the memory leak fixed by the previous commit (when
building with enable-crypto-mdebug).

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6142)
2018-05-08 08:43:39 +01:00
Matt Caswell
e401389a0c Add a test for SSL_get_shared_ciphers()
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
2018-05-02 23:30:47 +01:00
Matt Caswell
6021d8ec5a Fix a bug in create_ssl_ctx_pair()
The max protocol version was only being set on the server side. It should
have been done on both the client and the server.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6113)
2018-05-02 23:30:47 +01:00
FdaSilvaYY
c7e10755fa opensslconf.h inclusion cleanup
No need to buildtest on opensslconf.h

Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6149)
2018-05-02 23:42:21 +02:00
Matt Caswell
6ec5fce25e Update copyright year
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6145)
2018-05-01 13:34:30 +01:00
Kurt Roeckx
d1ae34e92d Use the config file from the source not the host for the tests
Fixes: #6046

Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #6125
2018-04-30 12:00:51 +02:00
Billy Brumley
9e5b50b54d fix: BN_swap mishandles flags
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6099)
2018-04-27 09:54:37 +01:00
Richard Levitte
6fb7b08987 15-test_out_option: Refactor and don't test directory write on VMS
To my surprise, it turns out that on OpenVMS, opening './' (which
is translated to '[]') for writing actually creates a file, '[].'.
On OpenVMS, this is a perfectly valid file with no name or extension,
just the delimiter between the two.

Because of the mess the exception would generate in the test recipe,
it gets refactored again, to clearly separate each test inside it,
and use skips to avoid some of them (that makes it clear that they are
skipped and why, when running the recipe).

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6100)
2018-04-26 21:19:49 +02:00
Richard Levitte
39e32be1cc test/recipes/15-test_out_option.t: refine tests
Test writing to the null device.  This should be successful.

Also, refactor so the planned number of tests is calculated.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6033)
2018-04-25 11:44:25 +02:00
Nicola Tuveri
22f0c72b92 [SM2_sign] add minimal EVP_PKEY functionality testing
The actual functionality of generating signatures through the `EVP_PKEY`
API is completely untested.
Current tests under the `EVP_PKEY` API
(`test/recipes/30-test_evp_data/evppkey.txt`) only cover `Verify` and
`Decrypt`, while encryption and signature generation are tested with
ad-hoc clients (`test/sm2crypttest.c`, `test/sm2signtest.c`) that do not
call the `EVP_PKEY` interface at all but soon-to-be private functions
that bypass it (cf. PR#5895 ).

It is my opinion that an ideal solution for the future would consist on
enhancing the `test/evp_pkey` facility and syntax to allow tests to take
control of the PRNG to inject known nonces and validate the results of
`EVP_PKEY` implementations against deterministic known answer tests, but
it is probably too late to work on this feature in time for next release.

Given that commit b5a85f70d8 highlights some critical bugs in the hook
between the `EVP_PKEY` interface and SM2 signature generation and that
these defects escaped testing and code review, I think that at least for
now it is beneficial to at least add the kind of "bogus" testing
provided by this patch:
this is a "fake" test as it does only verify that the SM2 `EVP_PKEY`
interface is capable of creating a signature without failing, but it
does not say anything about the generated signature being valid, nor
does it test the functional correctness of the cryptosystem.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6066)
2018-04-25 10:24:43 +01:00
Matt Caswell
6862de63d4 Add a test to verify the ClientHello version is the same in a reneg
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6059)
2018-04-24 09:54:31 +01:00
Matt Caswell
7500bc337a Allow TLSv1.3 EC certs to use compressed points
The spec does not prohib certs form using compressed points. It only
requires that points in a key share are uncompressed. It says nothing
about point compression for certs, so we should not fail if a cert uses a
compressed point.

Fixes #5743

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/6055)
2018-04-24 09:28:17 +01:00
Matt Caswell
4a432af895 Add a test for SSL_pending()
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6020)
2018-04-20 11:51:57 +01:00
Matt Caswell
033c181ba6 Test the state of SSL_in_init() from the info_callback
Check that in a handshake done event SSL_in_init() is 0 (see #4574)

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6019)
2018-04-20 11:46:12 +01:00
Matt Caswell
7f6dfa19df Add a test for a NULL X509_STORE in X509_STORE_CTX_init
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)
2018-04-19 08:53:40 +01:00
Matt Caswell
6e07834ca0 Fix no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5997)
2018-04-19 08:36:45 +01:00
Andy Polyakov
c4220c0f9a recipes/70-test_ssl{cbcpadding,extension,records}: make it work w/fragmentation.
This fixes only those tests that were failing when network data was
fragmented. Remaining ones might succeed for "wrong reasons". Bunch
of tests have to fail to be considered successful and when data is
fragmented they might fail for reasons other than originally intended.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5975)
2018-04-18 19:57:54 +02:00
Peter Wu
d4da95a773 test: Remove redundant SSL_CTX_set_max_early_data
Client can only send early data if the PSK allows for it, the
max_early_data_size field can only be configured for the server side.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Peter Wu
01a2a65488 Add support for logging early exporter secret
This will be necessary to enable Wireshark to decrypt QUIC 0-RTT data.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Peter Wu
cffe973c45 Add test for CLIENT_EARLY_TRAFFIC_SECRET key logging
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Peter Wu
6329ce8fd8 Add support for logging TLS 1.3 exporter secret
NSS 3.34 and boringssl have support for "EXPORTER_SECRET"
(https://bugzilla.mozilla.org/show_bug.cgi?id=1287711) which is needed
for QUIC 1-RTT decryption support in Wireshark.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5702)
2018-04-18 08:15:00 +01:00
Matt Caswell
7d4488bbd7 Extend the SSL_set_bio() tests
The SSL_set_bio() tests only did standalone testing without being in the
context of an actual connection. We extend this to do additional tests
following a successful or failed connection attempt. This would have
caught the issue fixed in the previous commit.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5966)
2018-04-17 17:02:33 +01:00
Matt Caswell
5718fe4560 Add a test for the info callback
Make sure the info callback gets called in all the places we expect it to.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5874)
2018-04-17 16:51:03 +01:00
Dr. Matthias St. Pierre
43687d685f DRBG: fix coverity issues
- drbg_lib.c: Silence coverity warning: the comment preceding the
  RAND_DRBG_instantiate() call explicitely states that the error
  is ignored and explains the reason why.

- drbgtest: Add checks for the return values of RAND_bytes() and
  RAND_priv_bytes() to run_multi_thread_test().

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5976)
2018-04-17 17:24:50 +02:00
Bernd Edlinger
dbabc86296 Add a config option to disable automatic config loading
./config no-autoload-config

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5959)
2018-04-17 16:33:15 +02:00
Richard Levitte
28428130db Update copyright year
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5990)
2018-04-17 15:18:40 +02:00
Andy Polyakov
de5b3a8645 TLSProxy/Proxy.pm: bind s_server to loopback interface.
Bind even test/ssltest_old.c to loopback interface. This allows to avoid
unnecessary alerts from Windows and Mac OS X firewalls.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5933)
2018-04-14 19:59:02 +02:00
Richard Levitte
1b9f41a0df test/recipes/test_genrsa.t : don't fail because of size limit changes
There is a test to check that 'genrsa' doesn't accept absurdly low
number of bits.  Apart from that, this test is designed to check the
working functionality of 'openssl genrsa', so instead of having a hard
coded lower limit on the size key, let's figure out what it is.

Partially fixes #5751

Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/5754)

(cherry picked from commit ec46830f8a)
2018-04-13 17:45:22 +02:00
Matt Caswell
76fd7a1d61 Add a test for SRP
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5925)
2018-04-13 09:37:39 +01:00
Andy Polyakov
f5e3115361 test/asn1_time_test.c: make it work on 64-bit HP-UX.
HP-UX gmtime fails with ERANGE past 19011213204552Z, so skip some tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5742)
2018-04-08 11:17:44 +02:00
Matt Caswell
a53b5be6a0 Fix configuration of TLSv1.3 ciphersuites
Configuration of TLSv1.3 ciphersuites wasn't working in some cases.

Fixes #5740

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5855)
2018-04-04 16:17:26 +01:00
Matt Caswell
034cb87b6c Add some tests for configuring the TLSv1.3 ciphersuites
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5855)
2018-04-04 16:17:26 +01:00
David Benjamin
dc55e4f70f Fix a bug in ecp_nistp224.c.
felem_neg does not produce an output within the tight bounds suitable
for felem_contract. This affects build configurations which set
enable-ec_nistp_64_gcc_128.

point_double and point_add, in the non-z*_is_zero cases, tolerate and
fix up the wider bounds, so this only affects point_add calls where the
other point is infinity. Thus it only affects the final addition in
arbitrary-point multiplication, giving the wrong y-coordinate. This is a
no-op for ECDH and ECDSA, which only use the x-coordinate of
arbitrary-point operations.

Note: ecp_nistp521.c has the same issue in that the documented
preconditions are violated by the test case. I have not addressed this
in this PR. ecp_nistp521.c does not immediately produce the wrong
answer; felem_contract there appears to be a bit more tolerant than its
documented preconditions. However, I haven't checked the point_add
property above holds. ecp_nistp521.c should either get this same fix, to
be conservative, or have the bounds analysis and comments reworked for
the wider bounds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5779)
2018-04-03 16:09:20 -04:00
Matt Caswell
c4d3c19b4c Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5851)
2018-04-03 13:57:12 +01:00
Kurt Roeckx
2a70d65b99 Make sure we use a nonce when a nonce is required
If a nonce is required and the get_nonce callback is NULL, request 50%
more entropy following NIST SP800-90Ar1 section 9.1.

Reviewed-by: Dr. Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
GH: #5503
2018-04-01 21:11:26 +02:00
Bernd Edlinger
26db32469f Fix a gcc-8 warning -Wcast-function-type
Casting to the generic function type "void (*)(void)"
prevents the warning.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5816)
2018-03-31 16:58:06 +02:00
Richard Levitte
efe749c840 Refuse to run test_cipherlist unless shared library matches build
test/cipherlist_test.c is an internal consistency check, and therefore
requires that the shared library it runs against matches what it was
built for.  test/recipes/test_cipherlist.t is made to refuse running
unless library version and build version match.

This adds a helper program test/versions.c, that simply displays the
library and the build version.

Partially fixes #5751

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5753)

(cherry picked from commit cde87deafa)
2018-03-31 16:40:07 +02:00
Bernd Edlinger
f91e026e38 Fix a possible crash in BN_from_montgomery_word
Thanks to Darovskikh Andrei for for reporting this issue.

Fixes: #5785

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5793)
2018-03-31 16:31:37 +02:00
Richard Levitte
9d74090959 Faster fuzz test: teach the fuzz test programs to handle directories
Instead of invoking the fuzz test programs once for every corpora
file, we invoke them once for each directory of corpora files.  This
dramatically reduces the number of program invikations, as well as the
time 99-test_fuzz.t takes to complete.

fuzz/test-corpus.c was enhanced to handle directories as well as
regular files.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5776)
2018-03-29 09:24:56 +02:00
Matt Caswell
dcf8b01f44 Tolerate a Certificate using a non-supported group on server side
If a server has been configured to use an ECDSA certificate, we should
allow it regardless of whether the server's own supported groups list
includes the certificate's group.

Fixes #2033

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5601)
2018-03-28 15:08:09 +01:00
Matt Caswell
7814cdf3eb Revert "Temporarily disable some tests that hang"
This reverts commit 37a3859564.

These tests should now be fixed by commit e6e9170d6.

Reviewed-by: Ben Kaduk <kaduk@mit.edu>
(Merged from https://github.com/openssl/openssl/pull/5765)
2018-03-28 14:59:16 +01:00
Matt Caswell
37a3859564 Temporarily disable some tests that hang
The previous commit causes some tests to hang so we temporarily disable them.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5757)
2018-03-27 17:15:24 +01:00
Andy Polyakov
75a8f1eff0 test/test_test.c: add CRYPTO_memcmp regression test.
Reviewed-by: Matt Caswell <matt@openssl.org>
2018-03-27 10:22:49 +01:00
Richard Levitte
84e68a1bba test/shlibloadtest.c: make some variables block local
myDSO_dsobyaddr and myDSO_free are only used in a narrow block of
code, and can therefore be made local to that block.  Otherwise, some
compilers may warn that they are unused.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 14:18:16 +01:00
Richard Levitte
cfaad1713e test/shlibloadtest.c: fix various errors
These errors were hidden because compiling this file didn't get the
macros derived from the dso_scheme attribute, and therefore, some code
never got compiled.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5733)
2018-03-23 01:05:41 +01:00