Commit Graph

61 Commits

Author SHA1 Message Date
Benjamin Kaduk
e7a8fecd0b Add more diagnostics to ossl_shim
We had several cases where the connection failed but we did not
have an error message to differentiate which failure condition had
been triggered.  Add some more messages to help clarify what is
going wrong.

[extended tests]

Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/13251)
2020-11-02 11:28:24 -08:00
Shane Lontis
823a113574 Fix API rename issue in shim layer that calls EVP_MAC_CTX_set_params
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12483)
2020-07-21 08:51:18 +10:00
Todd Short
8c2bfd2512 Add SSL_get[01]_peer_certificate()
Deprecate SSL_get_peer_certificte() and replace with
SSL_get1_peer_certificate().
Add SSL_get0_peer_certificate.

Reviewed-by: Paul Dale <paul.dale@oracle.com>
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/8730)
2020-07-16 09:08:21 +02:00
Pauli
5ea8afd368 Fix two additional instances of the old EVP_MAC_CTX_ functions being used.
[extended tests]

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/12121)
2020-06-13 09:18:17 +10:00
Matt Caswell
00c405b365 Update copyright year
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/12043)
2020-06-04 14:33:57 +01:00
Pauli
19d15f97b3 ossl_shim: const cast the param arguments to avoid errors
[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12022)
2020-06-03 21:17:18 +10:00
Pauli
5c01a133ec ossl_shim: include core_names.h to resolve undeclared symbols
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/12018)
2020-06-03 10:41:02 +10:00
Pauli
bac8d066a5 ossl_shim: use the correct ticket key call back.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11966)
2020-05-28 13:54:33 +10:00
Pauli
1bdd86fb1c ossl_shim: add deprecation guards around the -use-ticket-callback option.
The ticket callback is deprecated in 3.0 and can't be used in a no-deprecated
build.

[extended tests]

Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com>
Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/11944)
2020-05-26 09:01:44 +10:00
Rich Salz
3d48457478 Replace BUF_ string function calls with OPENSSL_ ones
Deprecate the BUF_ string macros

Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10207)
2019-10-17 23:19:59 +02:00
Dr. Matthias St. Pierre
ae4186b004 Fix header file include guard names
Make the include guards consistent by renaming them systematically according
to the naming conventions below

For the public header files (in the 'include/openssl' directory), the guard
names try to match the path specified in the include directives, with
all letters converted to upper case and '/' and '.' replaced by '_'. For the
private header files files, an extra 'OSSL_' is added as prefix.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/9333)
2019-09-28 20:26:36 +02:00
Richard Levitte
ac6bba6f6e Build: Change all _NO_INST to use attributes instead.
This means that all PROGRAMS_NO_INST, LIBS_NO_INST, ENGINES_NO_INST
and SCRIPTS_NO_INST are changed to be PROGRAM, LIBS, ENGINES and
SCRIPTS with the associated attribute 'noinst'.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7581)
2019-01-22 12:35:39 +01:00
Richard Levitte
909f1a2e51 Following the license change, modify the boilerplates in test/
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7767)
2018-12-06 14:19:22 +01:00
Matt Caswell
2fe3e2b682 Fix BoringSSL external test failures
We recently turned on the TLSv1.3 downgrade sentinels by default.
Unfortunately we are using a very old version of the BoringSSL test
runner which uses an old draft implementation of TLSv1.3 that also
uses the downgrade sentinels by default. The two implementations do
not play well together and were causing spurious test failures. Until
such time as we update the BoringSSL test runner we disable the failing
tests:

SendFallbackSCSV

In this test the client is OpenSSL and the server is the boring test runner.
The client and server fail to negotiate TLSv1.3 because the test runner is
using an old draft TLSv1.3 version. The server does however add the
TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we
recently turned on checking of the downgrade sentinels on the client side
this causes the connection to fail.

VersionNegotiationExtension-TLS11

In this test the test runner is the client and OpenSSL is the server. The
test modifies the supported_versions extension sent by the client to only
include TLSv1.1 (and some other spurious versions), even though the client
does actually support TLSv1.2. The server successfully selects TLSv1.1, but
adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently
switched on by default. The test runner then checks the downgrade sentinel
and aborts the connection because it knows that it really supports TLSv1.2.

VersionNegotiationExtension-TLS1
VersionNegotiationExtension-SSL3

The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3.

ConflictingVersionNegotiation

In this test the client is the test runner, and OpenSSL is the server. The
client offers TLSv1.2 in ClientHello.version, but also adds a
supported_versions extension that only offers TLSv1.1. The
supported_versions extension takes precedence and the server (correctly)
selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade
sentinel. On the client side it knows it actually offered TLSv1.2 and so the
downgrade sentinel check fails.

[extended tests]

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/7013)
2018-08-22 15:15:19 +01:00
Benjamin Kaduk
45a2353056 Fix ossl_shim SNI handling
To start with, actually set an SNI callback (copied from bssl_shim); we
weren't actually testing much otherwise (and just happened to have been
passing due to buggy libssl behavior prior to
commit 1c4aa31d79).

Also use proper C++ code for handling C strings -- when a C API
(SSL_get_servername()) returns NULL instead of a string, special-case
that instead of blindly trying to compare NULL against a std::string,
and perform the comparsion using the std::string operators instead of
falling back to pointer comparison.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6792)
2018-07-26 15:06:53 -05:00
Matt Caswell
c3114a7732 Set the ossl_shim to auto retry if not running asynchronously
In certain circumstances in the DTLS code we have to drop a record (e.g. if
it is a stale retransmit). We then have to move on to try and read the next
record. Some applications using blocking sockets (e.g. s_server/s_client
will hang if there isn't actually any data to be read from the socket yet).
Others can tolerate this. Therefore SSL_read()/SSL_write() can sometimes
return SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE even when using blocking
sockets. Applications can use the mode SSL_MODE_AUTO_RETRY, to switch this
behaviour off so that we never return unless we have read the data we
wanted to.

Commit ad96225285 fixed a DTLS problem where we always retried even if
SSL_MODE_AUTO_RETRY was not set. However that fix caused the Boring
ossl_shim to fail in some tests because it was relying on the previous
(buggy) behaviour. The ossl_shim should be set into SSL_MODE_AUTO_RETRY if
it is not operating asynchronously to avoid this problem.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6216)
2018-05-11 10:29:04 +01:00
Matt Caswell
aaaa6ac11b Don't negotiate TLSv1.3 with the ossl_shim
The ossl_shim doesn't know about TLSv1.3 so we should disable that
protocol version for all tests for now.

This fixes the current Travis failures.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5593)
2018-03-12 15:08:15 +00:00
Ben Kaduk
9ad9794273 Attempt to fix boringssl tests
Commit abe256e795 changed the config target
element from 'cxx' to 'CXX'; catch up accordingly.
Also use a space to offset the template boundary, per convention.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5577)
2018-03-09 17:23:00 -06:00
Matt Caswell
fe93b010e7 Update tests for TLS Ed448
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/5470)
2018-03-05 11:39:44 +00:00
Matt Caswell
6738bf1417 Update copyright year
Reviewed-by: Richard Levitte <levitte@openssl.org>
2018-02-13 13:59:25 +00:00
Richard Levitte
0f5a775219 Get rid of a warning about unused results
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5181)
2018-01-28 16:22:40 +01:00
Richard Levitte
bbc92cd129 test/ossl_shim/packeted_bio.h: don't include e_os.h
That inclusion turned out to be completely unnecessary

[extended tests]

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
(Merged from https://github.com/openssl/openssl/pull/5136)
2018-01-22 21:06:50 +01:00
Bernd Edlinger
fce78bd4ed Fix invalid function type casts.
Rename bio_info_cb to BIO_info_cb.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4493)
2017-12-15 19:33:48 +01:00
Matt Caswell
8e02e73d80 Fix the Boring tests following the SSLfatal() changes
An error reason code has changed for one of the boring tests, so
ossl_config.json needed an update to take account of it.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4778)
2017-12-04 13:31:48 +00:00
Pauli
21c7942140 Fix an include location problem in the extrended tests.
[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4327)
2017-09-04 06:38:16 +10:00
Benjamin Kaduk
de0dc006a5 Fixup include path in ossl_shim test after e_os.h work
The include search path was not picking up files in the root of
the tree.

[extended tests]

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4316)
2017-09-01 11:04:01 -05:00
Pauli
4cff10dcbf struct timeval include guards
Move struct timeval includes into e_os.h (where the Windows ones were).
Enaure that the include is guarded canonically.

Refer #4271

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4312)
2017-09-01 09:55:43 +10:00
Rich Salz
624265c60e Cleanup some copyright stuff
Remove some incorrect copyright references.
Move copyright to standard place
Add OpenSSL copyright where missing.
Remove copyrighted file that we don't use any more
Remove Itanium assembler for RC4 and MD5 (assembler versions of old and
weak algorithms for an old chip)
Standardize apps/rehash copyright comment; approved by Timo
Put dual-copyright notice on mkcert

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3691)
2017-06-30 21:56:44 -04:00
Paul Yang
bd91e3c870 Fix a bundle of trailing spaces in several files
Signed-off-by: Paul Yang <paulyang.inf@gmail.com>

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3622)
2017-06-09 12:04:10 -04:00
Matt Caswell
10a1ec4833 Fix BoringSSL alert related test failures
Commit bd990e2535 changed our handling of alerts. Some of the BoringSSl
tests were expecting specific errors to be created if bad alerts were sent.
Those errors have now changed as a result of that commit, so the BoringSSL
test config needs to be updated to match.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3549)
2017-05-25 15:38:22 +01:00
FdaSilvaYY
69687aa829 More typo fixes
Fix some comments too
[skip ci]

Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3069)
2017-03-29 07:14:29 +02:00
Matt Caswell
f81f279a73 Re-enable some BoringSSL tests
The previous 2 commits fixed some issues in the Boring tests. This
re-enables those tests.

[extended tests]

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
2017-03-14 23:15:21 +00:00
Matt Caswell
162e120711 SSL_get_peer_cert_chain() does not work after a resumption
After a resumption it is documented that SSL_get_peer_cert_chain() will
return NULL. In BoringSSL it still returns the chain. We don't support that
so we should update the shim to call SSL_get_peer_certificate() instead
when checking whether a peer certificate is available.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
2017-03-14 23:15:21 +00:00
Matt Caswell
e29d7cea33 Ensure we set the session id context in ossl_shim
OpenSSL requires that we set the session id context. BoringSSL apparently
does not require this, so wasn't setting it.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2942)
2017-03-14 23:15:21 +00:00
Matt Caswell
64e2b23ce3 Fix 12 Boring tests involving NULL-SHA ciphersuites
The Boring runner attempts to enable the NULL-SHA ciphersuite using the
cipherstring "DEFAULT:NULL-SHA". However in OpenSSL DEFAULT permanently
switches off NULL ciphersuites, so we fix this up to be "ALL:NULL-SHA"
instead. We can't change the runner so we have to change the shim to
detect this.

(Merged from https://github.com/openssl/openssl/pull/2933)
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2017-03-14 14:29:31 +00:00
Matt Caswell
4b5f7e7555 Update ossl_config.json for later BoringSSL commit
Update the list of suppressions so that we can run a later BoringSSL set
of tests. This also adds an ErrorMap to greatly reduce the number of
failing tests. The remaining tests that still fail are just disabled for
now.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2930)
2017-03-14 12:12:13 +00:00
Matt Caswell
2256f456bc Make the Boring tests pass
The boring tests are currently failing because they send a PSK extension
which isn't in the last place. This is not allowed in the latest TLS1.3
specs. However the Boring tests we have are based on an old commit that
pre-date when that rule first appeared.

The proper solution is to update the tests to a later commit. But for now
to get travis to go green we disable the failing tests.

Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2928)
2017-03-14 09:59:51 +00:00
Rich Salz
aff8c126fd Move extension data into sub-structs
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2052)
2017-01-09 22:26:47 -05:00
Matt Caswell
14d21b690a Suppress some BoringSSL test failures
The external BoringSSL tests had some failures as a result of
the extensions refactor. This was due to a deliberate relaxation
of the duplicate extensions checking code. We now only check
known extensions for duplicates. Unknown extensions are ignored.
This is allowed behaviour, so we suppress those BoringSSL tests.

Perl changes reviewed by Richard Levitte. Non-perl changes reviewed by Rich
Salz

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-12-08 17:20:45 +00:00
Matt Caswell
66889e4399 Fix some defines in ossl_shim
ossl_shim had some TLS1.3 defines that are now in ssl.h so need to be
removed.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-11-23 17:01:33 +00:00
Matt Caswell
a1ca39c02c Remove an unused field in ossl_shim
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
e8585479a1 Add a wildcard exception for TLS13 tests
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
92ab7db6f8 Swap header copyrights to standard OpenSSL
As per permission from Google (Emilia).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
bc708af4b0 Add missing bn.h include
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
b289bff830 Update the BoringSSL suppressions file based on the latest shim
The updated shim has the ability to skip tests using unimplemented flags.
This should reduce the number of test failures.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
1669b7b587 Rename BoringSSL style OPENSSL_WINDOWS to OPENSSL_SYS_WINDOWS
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
1c8235c9b3 Fix a code inconsistency
Move from two ifs to a single one with an &&

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
fc237de7ff Remove some #if 0'd out code
It was only a sanity check anyway, so isn't needed

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
0abcaddfcb Removed scoped_types.h
It is no longer used (replaced with bssl:UniquePtr)

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00
Matt Caswell
aedf33aed5 Remove some flags that are unused in the shim
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-11-04 10:38:54 +00:00