However, when passing it through the OPENSSL_CONFIG environment
variable, we still need the quotes, just to make sure.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)
Some tests are designed to test UTF-8 on the command line.
We simply disable those on VMS.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)
Occasionally, we get an error code on VMS that doesn't translate
into POSIX, and the error string reflects that
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15823)
The providers have to call up_ref to keep the cbio pointer, just like
the internal bio_prov.c does.
OSSL_STORE_attach passes a cbio pointer to the provider and then calls
ossl_core_bio_free(cbio). If up_ref is not called, the cbio gets
freed way too early.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15163)
Previously, when locks were held while calling a provider init function,
then RAND_bytes_ex() would fail if called from the init function and
used in conjunction with a child lib ctx. We add an explicit test of that.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
These 2 functions have become so close to each other that they may as well
be just one function.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
Update use_fallbacks to zero when we add a provider to the store rather
than when we activate it. Its only at the point that we add it to the store
that it is actually usable and visible to other threads.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15854)
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15874)
Using File::Temp::tempfile() is admirable, but isn't necessary for the
sort of thing we use it for.
Furthermore, since tempfile() returns an opened file handle for
reading for the file in question, it may have effect that the file
becomes unwritable. This is the default on VMS, and since tempfile()
doesn't seem to have any option to affect this, it means that
test/shlibloadtest.c can't write the magic line to that file.
Also, if we consider forensics, to be able to see what a test produced
to determine what went wrong, it's better to use specific and known
file names.
Therefore, this test is modified to use well known file names, and to
open them for reading after the shlibloadtest program has been run
instead of before.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15872)
OpenSSL::Test::cmd() should be used with caution, as it is for special
cases only.
It's preferable to use OpenSSL::Test::app() or OpenSSL::Test::test().
Fixes#15833
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15846)
app_malloc() terminates execution if the allocation fails. The tests implement
their own app_malloc() in an attempt to reduce the amount of code pulled in.
This version also needs to terminate on failed allocation. The alternative
would be adding failed allocation checks pervasively throughout the apps's
commands.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15836)
This is a request from the lab that changes the AES_GCM test back to perform both a encrypt and
decrypt. (This makes no logical sense since this is not an inverse cipher).
I have left the AES_ECB decrypt test in (although it may not be needed)
since it is actually testing the inverse cipher case.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15844)
- Use SSL_set_ciphersuites for TLS 1.3 tests instead of using
SSL_set_cipher_list.
- Don't bother passing a sequence number size to KTLS test functions.
These functions always test TLS (and not DTLS) for which the
sequence size is always the same. In addition, even for DTLS the
check in question (verifying that the sequence number fields in SSL
do not change) should still pass when doing a before/after
comparison of the field.
- Define a helper structure to hold the TLS version and cipher name
for a single KTLS test.
- Define an array of such structures with valid KTLS ciphers and move
#ifdef's for TLS versions and supported ciphers out of test
functions and instead use them to define the valid members of this
array. This also permits using TLS 1.3 cipher suite names for
TLS 1.3 tests.
- Use separate tests per cipher for test_ktls to give more
fine-grained pass/fail results as is already done for
test_ktls_sendfile.
- While here, rename test_ktls_sendfile to execute_test_ktls_sendfile
and test_ktls_sendfile_anytls to test_ktls_sendfile. This is more
consistent with the naming used for test_ktls as well as other tests
in this file.
- Close the file descriptors used for temporary sockets in ktls tests.
- Don't assume that KTLS is supported for all compile-time supported
cipher suites at runtime. If the kernel fails to offload a given
cipher suite, skip the test rather than failing it. FreeBSD kernels
may not offload all of the cipher suites supported by its KTLS if a
suitable driver or KTLS backend is not present.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15814)
Depending on circumstances, something like this:
ok(run(app(['openssl', 'whatever', '-config', '""', ...])))
might end up with a command like this:
./util/wrap.pl apps/openssl whatever -config '""'
Simply use an empty string (i.e. '' instead of '""') and let the
command line fixup functions do their job.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15822)
To kill a subprocess with the KILL signal is pretty brutal. However,
it doesn't seem to be killed completely on some platforms, which makes
this test recipe hang indefinitely when (implicitly) closing the file
handle for this server ($server_fh). A brutal KILL resolves this
problem.
Fixes#15781
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15797)
The external GOST test is sufficient according @beldmit. This avoids having
to manually update and build the GOST engine when something changes.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15795)
The exit code for VMS is a bit tricky, and while perl translates the
VMS status code from a typical C program to posix terms, it doesn't
automatically translate its exit code into the typical C program VMS
status code. Perl scripts are recommended to do so explicitly.
Therefore, we make util/wrap.pl and test/run_tests.pl simulate the
typical C program VMS status code for all non-zero exit codes, except
we give them all the error severity (according to the VMS C library
reference manual, exit codes 2 and above are treated as success...).
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15787)
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15708)
We fetch an Encoder, Decoder and Loader.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15741)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15681)
It renames symbols, so we can a false negative
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15776)
In test/recipes/01-test_symbol_presence.t
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15776)
Assuming ".so" as shared library ending is faulty on MacOS, where the
normal shared library extension is ".dylib".
We use the platform module to get the same extension as the build process.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15771)
If there is an error report, we want to get it printed too.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15604)
Move them from test_renegotiation to renegotiation in ssl_new
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15415)
The only reason(s) the DH private key length should be set are:
(1) The user sets it during key generation via EVP_PKEY_CTX_set_params
using OSSL_PKEY_PARAM_DH_PRIV_LEN.
(2) When loading a PKCS3 (DH) key the optional value
'privateValueLength' is set.
Now that the named groups contain a value for 'q' there is no reason to
automatically overwrite the private key length.
Issue detected by @davidmakepeace
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15695)
Fixes#5430
Added the configuration file option "date_opt" to the openssl applications ca,
crl and x509.
Added ASN1_TIME_print_ex which supports the new datetime format using the
flag ASN1_DTFLGS_ISO8601
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14384)
pkinit tests were disabled in cd0aca5320
Signed-off-by: Robbie Harwood <rharwood@redhat.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15444)
On most platforms the EXIT_FAILURE is 1 but on NonStop platform
the EXIT_FAILURE is -1 truncated to 255.
Fixes#15633
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15694)
Sort SSL_SESSION structures by timeout in the linked list.
Iterate over the linked list for timeout, stopping when no more
session can be flushed.
Do SSL_SESSION_free() outside of SSL_CTX lock
Update timeout upon use
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8687)
An attempt to clear an error with malloced data didn't clear the flags.
Now it clears all flags except the malloced flag.
Fixes#12530
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15667)
This has us switch from the 'structure' "pkcs8" to "PrivateKeyInfo",
which is sensible considering we already have "SubjectPublicKeyInfo".
We also add "EncryptedPrivateKeyInfo", and use it for a special decoder
that detects and decrypts an EncryptedPrivateKeyInfo structured DER
blob into a PrivateKeyInfo structured DER blob and passes that on to
the next decoder implementation.
The result of this change is that PKCS#8 decryption should only happen
once per decoding instead of once for every expected key type.
Furthermore, this new decoder implementation sets the data type to the
OID of the algorithmIdentifier field, thus reducing how many decoder
implementations are tentativaly run further down the call chain.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15498)
If we have an unsupported key type we may get a decode error and
therefore we should detect that.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Two CMP tests were using the fips.cnf config file. However to
ensure that decoders are available the fips-and-base.cnf config
file needs to be used instead.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Now that we actually load public keys from providers we need to mark some
key paris in the evp tests as only available there. Otherwise we get test
failures when only the FIPS Provider is loaded.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
The X509 test was looking for some specific errors when printing an SM2
X509 certificate when SM2 is disabled. In fact these errors appear in the
middle of the certificate printing which is quite odd. There is also a
separate error "Unable to load Public Key" which is more cleanly printed.
With the recent change to using provided keys in certs the old errors are
no longer output. However printing them in the middle of the cert is
probably not right anyway. So we just rely on the "Unable to load Public
Key" message.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Now that we are using provided keys when loading a certificate the pretty
printing formatting is cosmetically different. We need to adjust expected
test output accordingly.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15504)
Allocate at least one byte to distinguish a zero length key
from an unset key.
Fixes#15632
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15643)
Fixes#15531
DES and TDES set this flag which could possibly be used by applications.
The gettable cipher param OSSL_CIPHER_PARAM_HAS_RAND_KEY has been added.
Note that EVP_CIPHER_CTX_rand_key() uses this flag.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15606)
Various EVP_CipherInit sequences including partial inits and initializations
with different "enc" flags caused problems on s390x. Similarly, cipher
reinitialization and especially GCM reinitialization with different tag length
led to wrong results. Add some unit tests to cover these rather exotic use
cases.
Signed-off-by: Juergen Christ <jchrist@linux.ibm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15521)
Fix the generate_ssl_tests.pl script so that it can be run standalone from
the command line according to the instructions in test/README.ssltest.md
Fixes#11430
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15617)
Even if $server_port isn't touched, it's still a number coming from
configuration. It's therefore not trustable as an indicator that the
ACCEPT line delivered a port number or an error indication.
$accept_msg is used instead to capture the port if there is one, and
be a better indicator of error.
Fixes#15557Fixes#15571
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)
test_cmp_http() made some assumptions about what values that exit_checker
could get that aren't quite right.
Furthermore, the expected result isn't about exit codes, but about
true or false. This is better served by getting the value from
OpenSSL::Test::run(), and checking that value against $expected_result
with Test::More::is().
Fixes#15557Fixes#15571
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
(Merged from https://github.com/openssl/openssl/pull/15580)
When we create via d2i or dup an X509_REQ we should ensure that the libctx
is properly propagated. We also ensure we create X509_REQ objects with the
proper libctx assigned in the CMP tests.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
Make sure we pass the libctx/propq around everywhere that we need it to
ensure we get provider keys when needed.
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15591)
We add a verify test with a cert with a SAN and a bad SmtpUTF8Mailbox
entry, with an intermediate certificate with email name constraints.
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15611)
Remove negative test cases which simulate an attempt to write file contents to a directory
using a path ending in '/' as this is not compatible with fopen on all platforms, e.g., AIX.
Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15575)
To be reverted once key generation checks are added everywhere and a way to
disable them implemented.
Fixes#15502
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15560)
Fixes#15552
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15566)
And a few additional fixups to make the no-deprecated configuration
to build.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15466)
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes#15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14587)
The code to handle the cipher operation was already in the provider.
It just needed a OSSL_PARAM in order to set this into the algorithm.
EVP_CIPHER_CTX_set_flags() has been modified to pass the OSSL_PARAM.
Issue reported by Mark Powers from Acumen.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15496)
Revert a change in behavior to BIO_write(). If a NULL BIO
is passed, no error is raised and the return value is 0. There are
many places where the return code from the write was not checked,
resulting in an error stack with no error status being returned.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15493)
