* Clear proposed, along with selected, before looking at ClientHello
* Add test case for above
* Clear NPN seen after selecting ALPN on server
* Minor documentation updates
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
In most builds, we can assume that engines live in the build tree
subdirectory "engines". This was hard coded into the tests that use
the engine ossltest.
However, that hard coding is tedious, it would need to be done in
every test recipe, and it's an incorrect assumption in some cases.
This change has us play it safe and let the build files tell the
testing framework where the engines are.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
TLSProxy starts s_server and specifies the number of client connects
it should expect. After that s_server is supposed to close down
automatically. However, if another test is then run then TLSProxy
will start a new instance of s_server. If the previous instance
hasn't closed down yet then the new instance can fail to bind to
the socket.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit adds the general verify options of ocsp, verify,
cms, etc. to the openssl timestamping app as suggested by
Stephen N. Henson in [openssl.org #4287]. The conflicting
"-policy" option of "openssl ts" has been renamed to
"-tspolicy". Documentation and tests have been updated.
CAVE: This will break code, which currently uses the "-policy"
option.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
While insignificant on Unix-like systems, this is significant on
systems like VMS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Running test_ssl with HARNESS_VERBOSE results in lots of spurious warnings
about an inability to load the CT config file. This fixes it.
Reviewed-by: Richard Levitte <levitte@openssl.org>
ct_test assumed it's run in the source directory and failed when built
elsewhere. It still defaults to that, but can be told another story
with the environment variables CT_DIR and CERTS_DIR.
Test recipe updated to match.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
that processing
* Add flags to indicate that we actually sent ALPN, to properly error
out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
The new afalg test should have a copyright date of 2016. Also an
incorrect buffer was being sent to EVP_CipherFinal_ex when
decrypting.
Reviewed-by: Richard Levitte <levitte@openssl.org>
1) Simplify code with better PACKET methods.
2) Make broken SNI parsing explicit. SNI was intended to be extensible
to new name types but RFC 4366 defined the syntax inextensibly, and
OpenSSL has never parsed SNI in a way that would allow adding a new name
type. RFC 6066 fixed the definition but due to broken implementations
being widespread, it appears impossible to ever extend SNI.
3) Annotate resumption behaviour. OpenSSL doesn't currently handle all
extensions correctly upon resumption. Annotate for further clean-up.
4) Send an alert on ALPN protocol mismatch.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Specifies a callback that will, in the future, be used by the SSL code to
decide whether to abort a connection on Certificate Transparency grounds.
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
We were kinda sorta using a mix of $disabled{"static-engine"} and
$disabled{"dynamic-engine"} in Configure. Let's avoid confusion,
choose one of them and stick to it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
They depend on this feature because they use the engine ossltest,
which is only available as a dynamic engine.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Adapted from BoringSSL. Added a test.
The extension parsing code is already attempting to handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.
Reviewed-by: Stephen Henson <steve@openssl.org>
In the early stages of creating the new test framework,
00-test_checkexes was a temporary check to ensure we had a recipe for
every test program in test/. By now, this test has fulfilled its
purpose, and we've learned how to make recipes properly. It's time
for this check to go away.
Reviewed-by: Rich Salz <rsalz@openssl.org>
If the environment variable HARNESS_ACTIVE isn't defined or
HARNESS_VERBOSE is defined, it's probable that lots of output is
desired.
Reviewed-by: Rich Salz <rsalz@openssl.org>
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.
This addresses RT 3647
Reviewed-by: Richard Levitte <levitte@openssl.org>
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.
test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own. Relying on $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.
As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.
Reviewed-by: Ben Laurie <ben@openssl.org>
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This builds on the same way of checking for availability as we do in
TLSProxy. We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
availability of each IP domain.
80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.
Reviewed-by: Ben Laurie <ben@openssl.org>
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead of IO::Socket::INET if one of them is installed.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This adds a couple of simple tests to see that SSL traffic using the
reimplemented BIO_s_accept() and BIO_s_connect() works as expected,
both on IPv4 and on IPv6.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.
This makes it possible to reject specific uses without changing
what's accepted (and thus overriding the underlying EKU).
Added new supported certs and doubled test count from 38 to 76.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).
Added tests and updated documentation.
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
top_dir() is used to create directory names, top_file() should be
used for files. In a Unixly environment, that doesn't matter, but...
Reviewed-by: Rich Salz <rsalz@openssl.org>
It seems that Test::More doesn't like 0 tests, a line like this raises
an error and stops the recipe entirely:
    plan tests => 0;
So we need to check for 0 tests beforehand and skip the subtest
explicitly in that case.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Missing SKIP: block in SSL unit tests for DTLS and TLS version tests.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>