This should demonstrate that the atexit() handling is working properly (or
at least not crashing) on process exit.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Also we disable TLS1.3 by default (use enable-tls1_3 to re-enable). This is
because this is a WIP and will not be interoperable with any other TLS1.3
implementation.
Finally, we fix some tests that started failing when TLS1.3 was disabled by
default.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.
This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).
Reviewed-by: Rich Salz <rsalz@openssl.org>
A BIO_read() 0 return indicates that a failure occurred that may be
retryable. An SSL_read() 0 return indicates a non-retryable failure. Check
that if BIO_read() returns 0, SSL_read() returns <0. Same for SSL_write().
The asyncio test filter BIO already returns 0 on a retryable failure so we
build on that.
Reviewed-by: Richard Levitte <levitte@openssl.org>
So far, apps and test programs, were a bit rigidely accessible as
executables or perl scripts. But what about scripts in some other
language? Or what about running entirely external programs? The
answer is certainly not to add new functions to access scripts for
each language or wrapping all the external program calls in our magic!
Instead, this adds a new functions, cmd(), which is useful to access
executables and scripts in a more generalised manner. app(), test(),
fuzz(), perlapp() and perltest() are rewritten in terms of cmd(), and
serve as examples how to do something similar for other scripting
languages, or constrain the programs to certain directories.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1686)
The prevailing style seems to not have trailing whitespace, but a few
lines do. This is mostly in the perlasm files, but a few C files got
them after the reformat. This is the result of:
find . -name '*.pl' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
find . -name '*.c' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
find . -name '*.h' | xargs sed -E -i '' -e 's/( |'$'\t'')*$//'
Then bn_prime.h was excluded since this is a generated file.
Note mkerr.pl has some changes in a heredoc for some help output, but
other lines there lack trailing whitespace too.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Add update for testing renegotiation. Also change info on CTLOG_FILE
environment variable - which always seems to be required.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The TLSProxy::Record->new call hard-codes a version, like
70-test_sslrecords.t.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
This is a regression test for
https://github.com/openssl/openssl/pull/1431. It tests a
maximally-padded record with each possible invalid offset.
This required fixing a bug in Message.pm where the client sending a
fatal alert followed by close_notify was still treated as success.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
A mem leak could occur on an error path. Also the mempacket BIO_METHOD
needs to be cleaned up, because of the newly added DTLS test.
Also fixed a double semi-colon in ssltestlib.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
There are cases when argc is more trustable than proper argv termination.
Since we trust argc in all other test programs, we might as well treat it
the same way in this program.
Reviewed-by: Matt Caswell <matt@openssl.org>
All the other functions that take an argument for the number of bytes
use convenience macros for this purpose. We should do the same with
WPACKET_put_bytes().
Reviewed-by: Rich Salz <rsalz@openssl.org>
Updated the construction code to use the new function. Also added some
convenience macros for WPACKET_sub_memcpy().
Reviewed-by: Rich Salz <rsalz@openssl.org>
A few style tweaks here and there. The main change is that curr and
packet_len are now offsets into the buffer to account for the fact that
the pointers can change if the buffer grows. Also dropped support for the
WPACKET_set_packet_len() function. I thought that was going to be needed
but so far it hasn't been. It doesn't really work any more due to the
offsets change.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The tests will only work in no-shared builds because WPACKET is an
internal only API that does not get exported by the shared library.
Reviewed-by: Rich Salz <rsalz@openssl.org>
So far, the test runner (test/run_tests.pl) could get a list of tests
to run, and if non were given, it assumes all available tests should
be performed.
However, that makes skipping just one or two tests a bit of a pain.
This change makes the possibilities more versatile, run_checker.pl
takes these arguments and will process them in the given order,
starting with an empty set of tests to perform:
alltests The current set becomes the whole set of
available tests.
test_xxx Adds 'test_xxx' to the current set.
-test_xxx Removes 'test_xxx' from the current set. If
nothing has been added to the set before this
argument, the current set is first initialised
to the whole set of available tests, then
'test_xxx' is removed from the current set.
list Display all available tests, then stop.
If no arguments are given, 'alltests' is assumed.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
These tests take a very long time on some platforms, and arent't
always strictly necessary. This makes it possible to turn them
off. The necessary binaries are still built, though, in case
someone still wants to do a manual run.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The previous commit revealed a long standing problem where CertStatus
processing was broken in DTLS. This would have been revealed by better
testing - so add some!
Reviewed-by: Rich Salz <rsalz@openssl.org>
User can make Windows openssl.exe to treat command-line arguments
and console input as UTF-8 By setting OPENSSL_WIN32_UTF8 environment
variable (to any value). This is likely to be required for data
interchangeability with other OSes and PKCS#12 containers generated
with Windows CryptoAPI.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Test doesn't work on Windows with non-Greek locale, because of
Win32 perl[!] limitation, not OpenSSL. For example it passes on
Cygwin and MSYS...
Reviewed-by: Matt Caswell <matt@openssl.org>
There was a block of code at the start that used the Camellia cipher. The
original idea behind this was to fill the buffer with non-zero data so that
oversteps can be detected. However this block failed when using no-camellia.
This has been replaced with a RAND_bytes() call.
I also updated the the CTR test section, since it seems to be using a CBC
cipher instead of a CTR cipher.
Reviewed-by: Andy Polyakov <appro@openssl.org>
Also, re-organize RSA check to use goto err.
Add a test case.
Try all checks, not just stopping at first (via Richard Levitte)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
The variable 'buffer', allocated by EC_POINT_point2buf(), isn't
free'd on the success path.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
In mempacket_test_read(), we've already fetched the top value of the
stack, so when we shift the stack, we don't care for the value. The
compiler needs to be told, or it will complain harshly when we tell it
to be picky.
Reviewed-by: Matt Caswell <matt@openssl.org>
Originally PKCS#12 subroutines treated password strings as ASCII.
It worked as long as they were pure ASCII, but if there were some
none-ASCII characters result was non-interoperable. But fixing it
poses problem accessing data protected with broken password. In
order to make asscess to old data possible add retry with old-style
password.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Clang was complaining about some unused functions. Moving the stack
declaration to the header seems to sort it. Also the certstatus variable
in dtlstest needed to be declared static.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Injects a record from epoch 1 during epoch 0 handshake, with a record
sequence number in the future, to test that the record replay protection
feature works as expected. This is described more fully in the next commit.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Split the create_ssl_connection() helper function into two steps: one to
create the SSL objects, and one to actually create the connection. This
provides the ability to make changes to the SSL object before the
connection is actually made.
Reviewed-by: Richard Levitte <levitte@openssl.org>
This adds a BIO similar to a normal mem BIO but with datagram awareness.
It also has the capability to inject additional packets at arbitrary
locations into the BIO, for testing purposes.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Dump out the records passed over the BIO. Only works for DTLS at the
moment but could easily be extended to TLS.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Make maximum fragment length configurable and add various fragmentation
tests, in addition to the existing multi-buffer tests.
Reviewed-by: Rich Salz <rsalz@openssl.org>
In practice, CT isn't really functional without EC anyway, as most logs
use EC keys. So, skip loading the log list with no-ec, and skip CT tests
completely in that conf.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit only ports existing tests, and adds some coverage for
resumption. We don't appear to have any handshake tests that cover SCT
validation success, and this commit doesn't change that.
Reviewed-by: Rich Salz <rsalz@openssl.org>
In NPN and ALPN, the protocol is renegotiated upon resumption. Test that
resumption picks up changes to the extension.
Reviewed-by: Rich Salz <rsalz@openssl.org>
