We were kinda sorta using a mix of $disabled{"static-engine" and
$disabled{"dynamic-engine"} in Configure. Let's avoid confusion,
choose one of them and stick to it.
Reviewed-by: Rich Salz <rsalz@openssl.org>
They depend on this feature because they use the engine ossltest,
which is only available as a dynamic engine.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Adapted from BoringSSL. Added a test.
The extension parsing code is already attempting to already handle this for
some individual extensions, but it is doing so inconsistently. Duplicate
efforts in individual extension parsing will be cleaned up in a follow-up.
Reviewed-by: Stephen Henson <steve@openssl.org>
All those flags existed because we had all the dependencies versioned
in the repository, and wanted to have it be consistent, no matter what
the local configuration was. Now that the dependencies are gone from
the versioned Makefile.ins, it makes much more sense to use the exact
same flags as when compiling the object files.
Reviewed-by: Rich Salz <rsalz@openssl.org>
On some platforms, the implementation is such that a signed char
triggers a warning when used with is*() functions. On others, the
behavior is outright buggy when presented with a char that happens
to get promoted to a negative integer.
The safest thing is to cast the char that's used to an unsigned char.
Reviewed-by: Andy Polyakov <appro@openssl.org>
In the early stages of creating the new test framework,
00-test_checkexes was a temporary check to ensure we had a recipe for
every test program in test/. By now, this test has fulfilled its
purpose, and we've learned how to make recipes properly. It's time
for this check to go away.
Reviewed-by: Rich Salz <rsalz@openssl.org>
If the environment variable HARNESS_ACTIVE isn't defined or
HARNESS_VERBOSE is defined, it's probable that lots of output is
desired.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The logging that was performed in OpenSSL::Test was initially set up
as a means not to let messages that test programs write to STDERR get
displayed when a test isn't running in verbose mode. However, the way
it was implemented, it meant that those messages were never displayed,
and you had to look in a test log. This also meant that output to
STDERR and output to STDOUT got broken apart, which isn't optimal.
So, we remove the whole test log file implementation, and instead,
we're sending STDERR to the null device unless one of these conditions
apply:
- the test recipe already redirects stderr. Just let it.
- the environment variable HARNESS_ACTIVE is undefined, meaning the
recipe is run directly as a perl script instead of being harnessed
by Test::Harness
- the environment variable HARNESS_VERBOSE is set.
Getting a full log of the tests now becomes as simple as this:
HARNESS_VERBOSE=yes make test 2>&1 | tee tests.log
Reviewed-by: Rich Salz <rsalz@openssl.org>
To enable heartbeats for DTLS, configure with enable-heartbeats.
Heartbeats for TLS have been completely removed.
This addresses RT 3647
Reviewed-by: Richard Levitte <levitte@openssl.org>
Some files in crypto/bn depend on internal/bn_conf.h, and so does
test/bntest. Therefore, we add another inclusion directory.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The functions that have been deprecated by the auto init changes are
now guarded with deprecation checks, so it's fairly easy to see if
they can be used.
In test/dtlsv1listentest, we simply remove all init and cleanup code,
as they are call automatically when needed.
Reviewed-by: Matt Caswell <matt@openssl.org>
The old building scripts get removed, they are hopelessly gone in bit
rot by now.
Also remove the old symbol hacks. They were needed needed to shorten
some names to 31 characters, and to resolve other symbol clashes.
Because we now compile with /NAMES=(AS_IS,SHORTENED), this is no
longer required.
Reviewed-by: Rich Salz <rsalz@openssl.org>
In build.info files, make the include directory in the build directory
absolute, or Configure will think it should be added to the source
directory top. Configure will turn it into a relative path if
possible.
Reviewed-by: Rich Salz <rsalz@openssl.org>
To be able to run tests when we've built in a directory other than
the source tree, the testing framework needs a few adjustments.
test/testlib/OpenSSL/Test.pm needs to know where it can find
shlib_wrap.sh, and a number of other tests need to be told a different
place to find engines than what they may be able to figure out on
their own. Relying to $TOP is not enough, $SRCTOP and $BLDTOP can be
used as an alternative.
As part of this change, top_file and top_dir are removed and
srctop_file, bldtop_file, srctop_dir and bldtop_dir take their place.
Reviewed-by: Ben Laurie <ben@openssl.org>
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails. However, this only happened when verification
failed during chain construction. Errors in verification of the
constructed chain did not have the intended effect on these functions.
This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails. Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail. They must of course first check
and save the real error, and restore the original error as quickly
as possible. Hiding by default seems to be the safer interface.
Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.
This also changes the "-brief" output from s_client to include
verification results and TLSA match information.
Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).
Added a few more test-cases to danetest, that exercise the new
code.
Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().
Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error. [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]
Reviewed-by: Rich Salz <rsalz@openssl.org>
Just like File::Path::make_path, File::Path::remove_tree didn't show
up before File::Path 2.06 / perl v5.10.1, so we prefer the legacy
function here as well.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Some time ago, we had a ex_libs configuration setting that could be
divided into lflags and ex_libs. These got divided in two settings,
lflags and ex_libs, and the former was interpreted to be general
linking flags.
Unfortunately, that conclusion wasn't entirely accurate. Most of
those linking were meant to end up in a very precise position on the
linking command line, just before the spec of libraries the linking
depends on.
Back to the drawing board, we're diving things further, now having
lflags, which are linking flags that aren't depending on command line
position, plib_lflags, which are linking flags that should show up just
before the spec of libraries to depend on, and finally ex_libs, which
is the spec of extra libraries to depend on.
Also, documentation is changed in Configurations/README. This was
previously forgotten.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Clang rightly does not like extern symbols that are not declared
in any header file, as typically these are not intended for global
visibility and are exposed in error. This was indeed the case with
various file-scope objects in dtlsv1listentest.c.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This uilds on the same way of checking for availability as we do in
TLSProxy. We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.
80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.
Reviewed-by: Rich Salz <rsalz@openssl.org>
In HMAC_Init_ex, NULL key signals reuse, but in single-shot HMAC,
we can allow it to signal an empty key for convenience.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.
Reviewed-by: Ben Laurie <ben@openssl.org>
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
This adds a couple of simple tests to see that SSL traffic using the
reimplemented BIO_s_accept() and BIO_s_connect() works as expected,
both on IPv4 and on IPv6.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.
Reviewed-by: Rich Salz <rsalz@openssl.org>