Commit Graph

790 Commits

Author SHA1 Message Date
Billy Brumley
b438f0ed8f GH587: Extend ECDH tests to more curves. Add more ECDH KATs.
squelch sign-compare warning

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-06 10:59:26 -05:00
Richard Levitte
04949088bd Add build.info lines for dtlsv1listentest
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-06 13:11:27 +01:00
Kurt Roeckx
7ee0ccec37 Don't include sys/socket.h
It's not available on all OSs, e_os.h already does the right thing

Reviewed-by: Richard Levitte <levitte@openssl.org>

MR: #1870
2016-02-06 12:28:13 +01:00
Viktor Dukhovni
8143aa6f34 Add missing static declarations in dtlsv1listentest.c
Clang rightly does not like extern symbols that are not declared
in any header file, as typically these are not intended for global
visibility and are exposed in error.  This was indeed the case with
various file-scope objects in dtlsv1listentest.c.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-05 23:22:02 -05:00
Matt Caswell
ce0865d8dc Add tests for DTLSv1_listen
Adds a set of tests for the newly rewritten DTLSv1_listen function.
The test pokes various packets at the function and then checks
the return value and the data written out to ensure it is what we
would have expected.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-05 20:47:36 +00:00
Dr. Stephen Henson
e51511ce49 enable leak checking for danetest
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-05 16:02:21 +00:00
Dr. Stephen Henson
541e9565bb If memory debugging enabled return error on leaks.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-05 16:02:21 +00:00
Richard Levitte
c4cbf9b344 Initialise with -1 rather than 1
A small typo crept in.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-05 00:03:53 +01:00
Richard Levitte
b7be6d2290 Add checks for IPv4 and IPv6 in OpenSSL::Test::Utils and use them
This uilds on the same way of checking for availability as we do in
TLSProxy.  We use all IP factories we know of, starting with those who
know both IPv6 and IPv4 and ending with the one that only knows IPv4
and cache their possible success as foundation for checking the
available of each IP domain.

80-test_ssl.t has bigger chances of working on platforms that do not
run both IP domains.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-04 23:45:03 +01:00
Emilia Kasper
b1413d9bd9 RT3095: allow NULL key for single-shot HMAC
In HMAC_Init_ex, NULL key signals reuse, but in single-shot HMAC,
we can allow it to signal an empty key for convenience.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-04 13:01:32 +01:00
Richard Levitte
47c1a0e06e Only use TLS1.2 when it's available
Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Richard Levitte
c02bcb6678 Have 70-test_clienthello.t be selective on when it can be run
The test program clienthello checks TLS extensions, so there's no
point running it when no TLS protocol is available.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Richard Levitte
1fff160bc0 Have OpenSSL::Test::Utils::available_protocols load configdata as well
Otherwise, it could typically always return an empty list, since it's
often called first if at all.

Reviewed-by: Ben Laurie <ben@openssl.org>
2016-02-04 10:55:38 +01:00
Richard Levitte
6339ece1d8 Use BIO_snprintf() rather than snprintf()
Some platforms do not have the latter.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-02-03 22:41:14 +01:00
Richard Levitte
72b65aa4cb Refactoring BIO: add a simple networking test of s_client and s_server
This makes use of TLSProxy, which was expanded to use IO::Socket::IP
(which is a core perl module) or IO::Socket::INET6 (which is said to
be more popular) instead IO::Socket::INET if one of them is installed.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-03 20:36:59 +01:00
Richard Levitte
75d5bd4e7d Refactoring BIO: add a test, using test/ssltest
This adds a couple of simple tests to see that SSL traffic using the
reimplemented BIO_s_accept() and BIO_s_connect() works as expected,
both on IPv4 and on IPv6.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 19:40:32 +01:00
Emilia Kasper
b698174493 constify PACKET
PACKET contents should be read-only. To achieve this, also
- constify two user callbacks
- constify BUF_reverse.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 16:21:57 +01:00
Dr. Stephen Henson
995197ab84 Use PKCS#8 format EC key so test is skipped with no-ec
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 13:18:19 +00:00
Richard Levitte
777a288270 unified build scheme: add build.info files
Now that we have the foundation for the "unified" build scheme in
place, we add build.info files.  They have been generated from the
Makefiles in the same directories.  Things that are platform specific
will appear in later commits.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-01 12:46:58 +01:00
Viktor Dukhovni
1d85277235 Add tests for non-ca trusted roots and intermediates
Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:16 -05:00
Viktor Dukhovni
33cc5dde47 Compat self-signed trust with reject-only aux data
When auxiliary data contains only reject entries, continue to trust
self-signed objects just as when no auxiliary data is present.

This makes it possible to reject specific uses without changing
what's accepted (and thus overring the underlying EKU).

Added new supported certs and doubled test count from 38 to 76.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:24:12 -05:00
Viktor Dukhovni
0daccd4dc1 Check chain extensions also for trusted certificates
This includes basic constraints, key usages, issuer EKUs and auxiliary
trust OIDs (given a trust suitably related to the intended purpose).

Added tests and updated documentation.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-01-31 21:23:23 -05:00
Rich Salz
94af0cd7f3 Move more BN internals to bn_lcl.h
There was an unused macro in ssl_locl.h that used an internal
type, so I removed it.
Move bio_st from bio.h to ossl_type.h

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-01-30 16:54:35 -05:00
Richard Levitte
c10d1bc81c When checking if there's a VMS directory spec, don't forget the possible device
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-30 17:11:48 +01:00
Richard Levitte
9c626317a6 Fix test/recipes/25-test_verify.t
top_dir() are used to create directory names, top_file() should be
used for files.  In a Unixly environment, that doesn't matter, but...

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-30 17:10:38 +01:00
Dr. Stephen Henson
4ddd5acecc handle "Ctrl" in separate function
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-30 16:02:48 +00:00
Dr. Stephen Henson
404cc933b7 Add test data for ECDH
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-30 16:02:48 +00:00
Dr. Stephen Henson
d4ad48d7bd Add support for EVP_PKEY_derive in evp_test
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-30 16:02:48 +00:00
Dr. Stephen Henson
bc9d9ce27a fix warning
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-30 16:02:48 +00:00
Rich Salz
ced2c2c598 Templatize util/domd
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-29 16:56:07 -05:00
Richard Levitte
1740c16265 Configure et al: split up the lflags configuration item into two
The lflags configuration had a weird syntax with a % as separator.  If
it was present, whatever came before ended up as PEX_LIBS in Makefile
(usually, this is LDFLAGS), while whatever came after ended up as
EX_LIBS.

This change splits that item into lflags and ex_libs, making their use
more explicit.

Also, PEX_LIBS in all the Makefiles are renamed to LDFLAGS.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-29 18:36:57 +01:00
Matt Caswell
8ce4e7e605 Add have_precompute_mult tests
Add tests for have_precompute_mult for the optimised curves (nistp224,
nistp256 and nistp521) if present

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-29 12:56:58 +00:00
Matt Caswell
e729aac19d Add a test for small subgroup attacks on DH/DHE
Following on from the previous commit, add a test to ensure that
DH_compute_key correctly fails if passed a bad y such that:

y^q (mod p) != 1

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-28 14:41:19 +00:00
Billy Brumley
920ed8c81d Test all built-in curves and let the library choose the EC_METHOD
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-27 18:49:09 +01:00
Richard Levitte
49dc5404df Skip all explicitely if the number of tests is 0
It seems that Test::More doesn't like 0 tests, a line like this raises
an error and stops the recipe entirely:

    plan tests => 0;

So we need to check for 0 tests beforehand and skip the subtest
explicitely in that case.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-27 18:41:34 +01:00
Richard Levitte
ec307bcc36 Be careful when applying EXE_SHELL
$EXE_SHELL should only be used with out own programs, not with
surrounding programs such as the perl interpreter.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-27 12:11:52 +01:00
Viktor Dukhovni
f006217bb6 Fix Custom Extension tests skip count
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-26 21:19:57 -05:00
Rich Salz
349807608f Remove /* foo.c */ comments
This was done by the following
        find . -name '*.[ch]' | /tmp/pl
where /tmp/pl is the following three-line script:
        print unless $. == 1 && m@/\* .*\.[ch] \*/@;
        close ARGV if eof; # Close file to reset $.

And then some hand-editing of other files.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 16:40:43 -05:00
Todd Short
835894d138 RT4272: Unit tests fail when DTLS disabled
Missing SKIP: block in SSL unit tests for DTLS and TLS version tests.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-26 16:10:32 +01:00
Richard Levitte
aa50e2a39d 80-test_ca.t is made to use the new perlapp()
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-26 15:58:22 +01:00
Richard Levitte
a00c84f6c6 Have OpenSSL::Test handle perl scripts like any program
Since we're building some of our perl scripts and the result might not
end up in apps/ (*), we may need to treat them like the compile
programs we use for testing.

This introduces perlapp() and perltest(), which behave like app() and
test(), but will add the perl executable in the command line.

-----

(*) For example, with a mk1mf build, the result will end up in $(BIN_D)

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-26 15:58:22 +01:00
Richard Levitte
90d48e5ea0 Use the new OpenSSL::Test::Utils routines.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 09:53:36 +01:00
Richard Levitte
96d2d7bc71 Use Configure's @disablables and %disabled through configdata.pm
Enhances the routines in OpenSSL::Test::Utils for checking disabled
stuff to get their information directly from Configure instead of
'openssl list -disabled'.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-26 09:53:36 +01:00
Richard Levitte
3ea75c6328 For every test in 80-test_ssl.t, check that the protocol(s) used is enabled
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-25 18:34:06 +01:00
Richard Levitte
83365051f5 Make tests use configdata.pm rather than parsing Makefile
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-01-25 17:53:55 +01:00
Richard Levitte
2dc4be513b Fix OpenSSL::Test::Simple to take more than one algorithm
Some test programs may depend on more than just one TLS version, for
example.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-25 01:55:11 +01:00
Marcus Meissner
70c9f1c878 dsatest: use the correct BIO to print the test error
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-22 11:48:51 -05:00
FdaSilvaYY
df7421ccb4 few typo fixes
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-01-22 11:47:24 -05:00
Rich Salz
a76f302c42 Remove outdated conftest.c
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-01-22 11:33:16 -05:00
Viktor Dukhovni
feb2f53edc Multiple -trusted/-untrusted/-CRLfile options in verify
It is sometimes useful (especially in automated tests) to supply
multiple trusted or untrusted certificates via separate files rather
than have to prepare a single file containing them all.

To that end, change verify(1) to accept these options zero or more
times.  Also automatically set -no-CAfile and -no-CApath when
-trusted is specified.

Improve verify(1) documentation, which could still use some work.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 19:04:33 -05:00