Commit graph

377 commits

Author SHA1 Message Date
Richard Levitte
fb68fba05f Encourage having external tests in multiple test recipes
This will make the individual external tests more easily selectable /
deselectable through the usual test selection mechanism.

This also moves external tests to group 95.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2902)
2017-03-10 22:13:04 +01:00
Richard Levitte
22cef4e1f1 Split test/recipes/03_test_internal.t into individual tests
This allows a finer granularity when selecting which tests to run, and
makes the tests more vidible.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2901)
2017-03-10 20:18:56 +01:00
Matt Caswell
717afd9337 Add a test to check that if a PSK extension is not last then we fail
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2896)
2017-03-10 15:29:24 +00:00
Pauli
777f1708a8 Limit the output of the enc -ciphers command to just the ciphers enc can
process.  This means no AEAD ciphers and no XTS mode.

Update the test script that uses this output to test cipher suites to not
filter out the now missing cipher modes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2876)
2017-03-08 10:01:28 -05:00
Matt Caswell
75e314f2d5 Fix the number of tests to skip if TLSv1.3 is disabled
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2875)
2017-03-07 16:41:25 +00:00
Matt Caswell
774c909bc9 Add a test for records not on the record boundary
Test that we check that key change messages appear on a record boundary.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2875)
2017-03-07 16:41:25 +00:00
Andy Polyakov
ee6d9dfb39 test: add chacha_internal_test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-03-07 10:56:07 +01:00
Matt Caswell
c1074ce096 Add a test to check that we correctly handle record overflows
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2861)
2017-03-06 20:07:40 +00:00
Rich Salz
697958313b Fix an endless loop in rsa_builtin_keygen.
And add a test case.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2757)
2017-03-06 09:54:17 -05:00
Matt Caswell
e498d95454 Fix no-ec
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2858)
2017-03-06 10:40:18 +00:00
Matt Caswell
548d0153cc Fix a test failure with no-tls1_1
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2857)
2017-03-06 10:34:42 +00:00
Matt Caswell
ee7002266c Add a test for TLSv1.3 cookies
We just check that if we insert a cookie into an HRR it gets echoed back
in the subsequent ClientHello.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2839)
2017-03-04 23:39:00 +00:00
Bernd Edlinger
d734582275 Reset executable bits on files where not needed.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2835)
2017-03-03 09:13:40 +01:00
Richard Levitte
51f5930ae6 -precert doesn't work when configured no-ct, don't try to test it then
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2827)
2017-03-02 18:27:17 +01:00
Richard Levitte
a4c5f8593c Fix the skip numbers in 80-test_ca.t
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2827)
2017-03-02 18:26:26 +01:00
Matt Caswell
439db0c97b Add compression tests
Check whether we negotiate compression in various scenarios.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2814)
2017-03-02 16:49:28 +00:00
Benjamin Kaduk
a00b9560f7 Add AGL's "beer mug" PEM file as another test input
AGL has a history of pointing out the idiosynchronies/laxness of the
openssl PEM parser in amusing ways.  If we want this functionality to
stay present, we should test that it works.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2756)
2017-02-28 21:23:26 +01:00
Benjamin Kaduk
e8cee55718 Add test corpus for PEM reading
Generate a fresh certificate and DSA private key in their respective PEM
files.  Modify the resulting ASCII in various ways so as to produce input
files that might be generated by non-openssl programs (openssl always
generates "standard" PEM files, with base64 data in 64-character lines
except for a possible shorter last line).

Exercise various combinations of line lengths, leading/trailing
whitespace, non-base64 characters, comments, and padding, for both
unencrypted and encrypted files.  (We do not have any other test coverage
that uses encrypted files, as far as I can see, and the parser enforces
different rules for the body of encrypted files.)

Add a recipe to parse these test files and verify that they contain the
expected string or are rejected, according to the expected status.
Some of the current behavior is perhaps suboptimal and could be revisited.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2756)
2017-02-28 21:23:26 +01:00
Rich Salz
629192c1b9 Exdata test was never enabled.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2787)
2017-02-28 13:50:40 -05:00
Matt Caswell
4d118fe007 Fix test_ssl_new when compiled with no-tls1_2 or no-dtls1_2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2788)
2017-02-28 16:26:13 +00:00
Dr. Stephen Henson
c5055adf35 Revert rc4test removal, it performs additional tests not in evptests.txt
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2789)
2017-02-28 16:08:42 +00:00
Dr. Stephen Henson
816060d212 Remove more redundant tests: md4, md5, rmd, rc4, p5_crpt2
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2784)
2017-02-28 15:30:12 +00:00
Dr. Stephen Henson
a2121e1425 Remove wp_test.c: exactly the same tests are in evptests.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2783)
2017-02-28 14:52:28 +00:00
Emilia Kasper
80770da39e X509 time: tighten validation per RFC 5280
- Reject fractional seconds
- Reject offsets
- Check that the date/time digits are in valid range.
- Add documentation for X509_cmp_time

GH issue 2620

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-24 17:37:08 +01:00
Benjamin Kaduk
0f82d2f584 Adopt test to changed behavior
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-23 19:40:26 +01:00
Benjamin Kaduk
6e3dac1995 Tests for SSL_bytes_to_cipher_list()
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2279)
2017-02-23 19:40:25 +01:00
Pauli
227a44b1f6 Add a test case that tests more of the cipher modes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2715)
2017-02-23 02:24:51 +01:00
Rob Percival
505fb99964 Change CA.pl flag from --newprecert to --precert
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
2017-02-22 10:40:30 -05:00
Rob Percival
caee75d2c6 Basic test for "openssl req -precert" via apps/CA.pl
TODO(robpercival): Should actually test that the output certificate
contains the poison extension.

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/843)
2017-02-22 10:40:30 -05:00
Richard Levitte
e4a3d0f968 Correct the no-dh and no-dsa fix
The condition wasn't quite right

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2702)
2017-02-22 01:49:50 +01:00
Dr. Stephen Henson
faadddc906 Add no siglags test for ECDSA certificate
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2679)
2017-02-21 17:41:43 +00:00
Todd Short
0837bd869b Internal siphash tests are not run.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2649)
2017-02-19 11:56:20 +01:00
Richard Levitte
d89f66412b VMS fix of test/recipes/80-test_ssl_new.t
On VMS, file names with more than one period get all but the last get
escaped with a ^, so 21-key-update.conf.in becomes 21-key-update^.conf.in
That means that %conf_dependent_tests and %skip become useless unless
we massage the file names that are used as indexes.

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2678)
2017-02-19 10:43:51 +01:00
Richard Levitte
7c98706e61 Fix no-dh and no-dsa
Since 20-cert-select.conf will vary depending in no-dh and no-dsa,
don't check it against original when those options are selected

Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2680)
2017-02-19 07:04:20 +01:00
Richard Levitte
73540f4729 Fix test_x509_store
Don't run this test unless 'openssl rehash' works properly.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2664)
2017-02-17 14:59:44 +01:00
Matt Caswell
9b92f16170 Add some KeyUpdate tests
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-17 10:28:01 +00:00
Richard Levitte
bb0f7eca75 Add a test of the X509_STORE / X509_LOOKUP API
Fortunately, "openssl verify" makes good use of that API

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2652)
2017-02-16 21:09:09 +01:00
Matt Caswell
b0bfd14085 Update the tls13messages test to add some HRR scenarios
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
d542790b07 Update the kex modes tests to check various HRR scenarios
Make sure we get an HRR in the right circumstances based on kex mode.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Matt Caswell
38f5c30b31 Update the key_share tests for HelloRetryRequest
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2341)
2017-02-14 13:14:25 +00:00
Richard Levitte
4bbd8a5daa test_rehash does nothing, have it do something
test/recipes/40-test_rehash.t uses test files from certs/demo, which
doesn't exist any longer.  Have it use PEM files from test/ instead.

Because rehash wants only one certificate or CRL per file, we must
also filter those PEM files to produce test files with a single object
each.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2594)
2017-02-13 05:05:38 +01:00
Richard Levitte
01ede84d56 Add needed module in 25-test_sid.t
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2579)
2017-02-09 11:12:06 +01:00
Richard Levitte
68a55f3b45 Because our test sid file contains EC, don't try it when configured no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2564)
2017-02-08 23:10:28 +01:00
Andy Polyakov
e05a453f6a Rename 90-test_fuzz.t to 99-test_fuzz.t to ensure that it's executed last.
Idea is to keep it last for all eternity, so that if you find yourself
in time-pressed situation and deem that fuzz test can be temporarily
skipped, you can terminate the test suite with less hesitation about
following tests that you would have originally missed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2017-02-06 08:25:09 +01:00
Dr. Stephen Henson
53f0873714 Add TLS 1.3 certificate selection tests.
For TLS 1.3 we select certificates with signature algorithms extension
only. For ECDSA+SHA384 there is the additional restriction that the
curve must be P-384: since the test uses P-256 this should fail.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2339)
2017-02-02 14:45:11 +00:00
Matt Caswell
3ae6b5f800 Add a test for the PSK kex modes extension
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:24 +00:00
Matt Caswell
e463cb39d3 Enable wpacket test on shared builds
Now that we support internal tests properly, we can test wpacket even in
shared builds.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:24 +00:00
Matt Caswell
a23bb15abe Add testing of TLSv1.3 resumption in test_tls13messages
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:23 +00:00
Matt Caswell
b2f7e8c0fe Add support for the psk_key_exchange_modes extension
This is required for the later addition of resumption support.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:17:49 +00:00
Richard Levitte
929860d0e6 Add a couple of test to check CRL fingerprint
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
2017-01-28 20:07:04 +01:00