openssl/test
Dr. David von Oheimb 0e7b1383e1 Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()
Move check that cert signing is allowed from x509v3_cache_extensions() to
where it belongs: internal_verify(), generalize it for proxy cert signing.
Correct and simplify check_issued(), now checking self-issued (not: self-signed).
Add test case to 25-test_verify.t that demonstrates successful fix

Fixes #1418

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10587)
2020-07-01 11:14:54 +02:00
..
certs Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued() 2020-07-01 11:14:54 +02:00
ct Use .cnf for config files, not .conf 2020-03-06 18:25:13 +01:00
d2i-tests
ocsp-tests
ossl_shim Fix two additional instances of the old EVP_MAC_CTX_ functions being used. 2020-06-13 09:18:17 +10:00
recipes Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued() 2020-07-01 11:14:54 +02:00
smime-certs Remove RANDFILE settings from configuration files 2019-11-24 08:35:14 +01:00
ssl-tests Reduce the security bits for MD5 and SHA1 based signatures in TLS 2020-06-27 08:41:40 +02:00
testutil Update copyright year 2020-06-25 14:13:12 +01:00
aborttest.c
acvp_test.c Make EVP_PKEY_CTX_[get|set]_group_name work for DH too 2020-06-19 10:19:31 +01:00
acvp_test.inc Add ACVP fips module tests 2020-06-17 11:33:16 +10:00
aesgcmtest.c Update copyright year 2020-05-15 14:09:49 +01:00
afalgtest.c
asn1_decode_test.c Update source files for deprecation at 3.0 2019-11-07 11:37:25 +01:00
asn1_dsa_internal_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
asn1_encode_test.c Update source files for deprecation at 3.0 2019-11-07 11:37:25 +01:00
asn1_internal_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
asn1_string_table_test.c
asn1_time_test.c Update copyright year 2020-04-23 13:55:52 +01:00
asynciotest.c Update copyright year 2020-04-23 13:55:52 +01:00
asynctest.c Add a test to make sure ASYNC aware code gets the right default libctx 2020-06-28 10:55:52 +02:00
bad_dtls_test.c The EVP_MAC functions have been renamed for consistency. The EVP_MAC_CTX_* 2020-06-11 11:16:37 +10:00
bftest.c Update copyright year 2020-04-23 13:55:52 +01:00
bio_callback_test.c
bio_enc_test.c
bio_memleak_test.c Update copyright year 2020-05-15 14:09:49 +01:00
bio_prefix_text.c TEST: Add test recipe and help program to test BIO_f_prefix() 2019-12-18 19:42:44 +01:00
bioprinttest.c TEST: Adjust test/bioprinttest.c to behave like the testutil routines 2020-06-06 19:18:30 +02:00
bn_internal_test.c Update copyright year 2020-05-15 14:09:49 +01:00
bn_rand_range.h Test of uniformity of BN_rand_range output. 2019-05-29 09:54:29 +10:00
bntest.c Fix some typos 2019-12-11 19:04:01 +01:00
bntests.pl
build.info Add a test for d2i_AutoPrivateKey_ex with a non-default libctx 2020-06-19 10:34:58 +01:00
ca-and-certs.cnf Cleanup cert config files for tests 2020-06-03 09:56:56 +02:00
casttest.c Update copyright year 2020-04-23 13:55:52 +01:00
CAtsa.cnf Remove RANDFILE settings from configuration files 2019-11-24 08:35:14 +01:00
chacha_internal_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
cipher_overhead_test.c Reorganize local header files 2019-09-28 20:26:35 +02:00
cipherbytes_test.c Update copyright year 2020-05-15 14:09:49 +01:00
cipherlist_test.c Update copyright year 2020-05-15 14:09:49 +01:00
ciphername_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
clienthellotest.c Update copyright year 2020-04-23 13:55:52 +01:00
cmactest.c Add a CMAC test 2020-06-10 12:58:26 +01:00
cmp_asn_test.c chunk 6 of CMP contribution to OpenSSL 2019-12-12 10:57:25 +00:00
cmp_client_test.c Improve ossl_cmp_msg_check_received() and rename to ossl_cmp_msg_check_update() 2020-06-13 15:13:21 +02:00
cmp_ctx_test.c Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert() 2020-05-13 19:42:00 +02:00
cmp_hdr_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
cmp_msg_test.c Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert() 2020-05-13 19:42:00 +02:00
cmp_protect_test.c Rename OSSL_CMP_CTX_set1_clCert() to OSSL_CMP_CTX_set1_cert() 2020-05-13 19:42:00 +02:00
cmp_server_test.c Chunk 8 of CMP contribution to OpenSSL: CMP server and cmp_mock_srv.c for testing 2020-03-10 16:09:44 +01:00
cmp_status_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
cmp_testlib.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
cmp_testlib.h Update copyright year 2020-04-23 13:55:52 +01:00
cmp_vfy_test.c Disable tests in cmp_vfy_test.c that make no sense if FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION 2020-06-22 16:41:24 +02:00
cms-examples.pl
cmsapitest.c Amend references to "OpenSSL license" 2020-04-29 15:27:22 +02:00
conf_include_test.c Remove RANDFILE settings from configuration files 2019-11-24 08:35:14 +01:00
confdump.c Update copyright year 2020-05-15 14:09:49 +01:00
constant_time_test.c Reorganize local header files 2019-09-28 20:26:35 +02:00
context_internal_test.c Instead of global data store it in an OPENSSL_CTX 2019-05-02 22:42:09 +01:00
crltest.c Update copyright year 2020-05-15 14:09:49 +01:00
ct_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ctype_internal_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
curve448_internal_test.c Update copyright year 2020-04-23 13:55:52 +01:00
d2i_test.c Update copyright year 2020-04-23 13:55:52 +01:00
danetest.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
danetest.in
danetest.pem
default-and-fips.cnf Update some nits around the FIPS module 2020-04-24 13:19:16 +02:00
default-and-legacy.cnf test/recipes/30-test_evp.t: Modify to test with different providers 2019-07-26 18:14:41 +02:00
default.cnf test/recipes/30-test_evp.t: Modify to test with different providers 2019-07-26 18:14:41 +02:00
destest.c Update copyright year 2020-04-23 13:55:52 +01:00
dhtest.c Update copyright year 2020-04-23 13:55:52 +01:00
drbg_cavs_data_ctr.c
drbg_cavs_data_hash.c
drbg_cavs_data_hmac.c
drbg_cavs_data.h Fix header file include guard names 2019-09-28 20:26:36 +02:00
drbg_cavs_test.c Update copyright year 2020-05-15 14:09:49 +01:00
drbg_extra_test.c coverity 1462562 Dereference before null check 2020-04-30 20:21:32 +10:00
drbg_extra_test.h Amend references to "OpenSSL license" 2020-04-29 15:27:22 +02:00
drbgtest.c update drbgtest to the provider model 2020-06-24 20:05:42 +10:00
drbgtest.h
dsa_no_digest_size_test.c Update copyright year 2020-04-23 13:55:52 +01:00
dsatest.c Make EVP_PKEY_CTX_[get|set]_group_name work for DH too 2020-06-19 10:19:31 +01:00
dtls_mtu_test.c Update copyright year 2020-05-15 14:09:49 +01:00
dtlstest.c Update copyright year 2020-04-23 13:55:52 +01:00
dtlsv1listentest.c
ec_internal_test.c Update copyright year 2020-04-23 13:55:52 +01:00
ecdsatest.c Rename FIPS_MODE to FIPS_MODULE 2020-04-28 15:37:37 +02:00
ecdsatest.h Fix header file include guard names 2019-09-28 20:26:36 +02:00
ecstresstest.c Remove tab characters from C source files. 2019-07-16 20:24:10 +10:00
ectest.c Move EC_METHOD to internal-only 2020-06-02 11:17:24 +03:00
enginetest.c test/enginetest.c: Make sure no config file is loaded 2019-07-19 20:18:34 +02:00
errtest.c Update copyright year 2020-06-04 14:33:57 +01:00
evp_extra_test2.c TEST: Add test to exercise OPENSSL_CTX_set0_default() 2020-06-28 10:55:51 +02:00
evp_extra_test.c test: add test for generation of random data in chunks. 2020-06-24 20:07:46 +10:00
evp_fetch_prov_test.c Update copyright year 2020-04-23 13:55:52 +01:00
evp_kdf_test.c Update copyright year 2020-06-25 14:13:12 +01:00
evp_pkey_dparams_test.c EC only uses approved curves in FIPS mode. 2019-06-25 12:00:25 +10:00
evp_pkey_provided_test.c Make EVP_PKEY_CTX_[get|set]_group_name work for DH too 2020-06-19 10:19:31 +01:00
evp_test.c test: update EVP tests to include DRBG testing 2020-06-24 20:07:46 +10:00
evp_test.h
exdatatest.c Update copyright year 2020-06-04 14:33:57 +01:00
exptest.c
fatalerrtest.c Update copyright year 2020-04-23 13:55:52 +01:00
ffc_internal_test.c Add ACVP fips module tests 2020-06-17 11:33:16 +10:00
filterprov.c Make the naming scheme for dispatched functions more consistent 2020-06-24 22:01:22 +02:00
fips.cnf Update some nits around the FIPS module 2020-04-24 13:19:16 +02:00
generate_buildtest.pl
generate_ssl_tests.pl Update copyright year 2020-04-23 13:55:52 +01:00
gmdifftest.c
gosttest.c Use a non-default libctx in sslapitest 2020-04-19 14:40:55 +01:00
handshake_helper.c Silence gcc false positive warning on alpn_protos_len in test/handshake_helper.c 2020-06-10 10:43:48 +02:00
handshake_helper.h Fix header file include guard names 2019-09-28 20:26:36 +02:00
hexstr_test.c Fix ERR_print_errors so that it matches the documented format in doc/man3/ERR_error_string.pod 2020-05-26 12:44:36 +10:00
hmactest.c Update copyright year 2020-04-23 13:55:52 +01:00
http_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ideatest.c Update copyright year 2020-04-23 13:55:52 +01:00
igetest.c Deprecate the AES_ige_*() functions 2019-12-04 17:46:38 +00:00
insta_ca.cert.pem Chunk 11 of CMP contribution to OpenSSL: CMP command-line interface 2020-05-13 19:42:00 +02:00
insta.priv.pem Chunk 11 of CMP contribution to OpenSSL: CMP command-line interface 2020-05-13 19:42:00 +02:00
keymgmt_internal_test.c Update copyright year 2020-04-23 13:55:52 +01:00
legacy.cnf test/recipes/30-test_evp.t: Modify to test with different providers 2019-07-26 18:14:41 +02:00
lhash_test.c
mdc2_internal_test.c Update copyright year 2020-04-23 13:55:52 +01:00
mdc2test.c Update copyright year 2020-04-23 13:55:52 +01:00
memleaktest.c test/memleaktest.c: Modify for use with address/leak sanitizer 2019-12-10 14:16:12 +01:00
modes_internal_test.c Update copyright year 2020-04-23 13:55:52 +01:00
namemap_internal_test.c namemap: change ossl_namemap_empty() to do what the documentation says. 2020-06-21 16:49:51 +10:00
ocspapitest.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ossl_test_endian.h Fix header file include guard names 2019-09-28 20:26:36 +02:00
p_test.c Make the naming scheme for dispatched functions more consistent 2020-06-24 22:01:22 +02:00
packettest.c Make the PACKET/WPACKET code available to both libcrypto and libssl 2019-07-12 06:26:46 +10:00
param_build_test.c params: add OSSL_PARAM helpers for time_t. 2020-06-24 20:05:41 +10:00
params_api_test.c params: add OSSL_PARAM helpers for time_t. 2020-06-24 20:05:41 +10:00
params_conversion_test.c Update copyright year 2020-04-23 13:55:52 +01:00
params_test.c Update copyright year 2020-04-23 13:55:52 +01:00
pbelutest.c
pemtest.c
pkcs7-1.pem
pkcs7.pem
pkey_meth_kdf_test.c
pkey_meth_test.c
pkits-test.pl
poly1305_internal_test.c Add ChaCha related ciphers to default provider 2019-10-16 16:18:42 +10:00
property_test.c Update copyright year 2020-05-15 14:09:49 +01:00
provider_fallback_test.c TEST: Add provider_fallback_test, to test aspects of fallback providers 2020-06-04 16:42:45 +02:00
provider_internal_test.c Load the config file by default 2019-08-01 09:59:20 +01:00
provider_internal_test.cnf.in Use .cnf for config files, not .conf 2020-03-06 18:25:13 +01:00
provider_test.c Change OSSL_PARAM return size to not be a pointer. 2019-06-24 14:43:55 +10:00
proxy.cnf Cleanup cert config files for tests 2020-06-03 09:56:56 +02:00
rc2test.c Update copyright year 2020-04-23 13:55:52 +01:00
rc4test.c Update copyright year 2020-04-23 13:55:52 +01:00
rc5test.c Update copyright year 2020-04-23 13:55:52 +01:00
rdrand_sanitytest.c Remove extern declarations of OPENSSL_ia32cap_P 2019-09-01 15:41:58 +02:00
README Centralise Environment Variables for the tests 2020-05-06 11:40:53 +01:00
README.external GOST external tests 2020-05-23 22:04:21 +03:00
README.md Move test-related info from INSTALL.md to new test/README.md, updating references 2020-06-28 20:55:39 +02:00
README.ssltest.md Fix issues reported by markdownlint 2020-05-08 16:22:02 +02:00
recordlentest.c Update copyright year 2020-04-23 13:55:52 +01:00
rsa_complex.c
rsa_mp_test.c Update copyright year 2020-04-23 13:55:52 +01:00
rsa_sp800_56b_test.c Add ACVP fips module tests 2020-06-17 11:33:16 +10:00
rsa_test.c Update copyright year 2020-04-23 13:55:52 +01:00
run_tests.pl test/run_tests.pl: Improve indentation parsing workaround for VFO and VFP mode 2020-06-22 16:41:24 +02:00
sanitytest.c
secmemtest.c Update copyright year 2020-04-23 13:55:52 +01:00
serverinfo2.pem
serverinfo.pem
servername_test.c Update copyright year 2020-04-23 13:55:52 +01:00
session.pem
shibboleth.pfx
shlibloadtest.c Reorganize public header files (part 1) 2019-09-28 20:26:36 +02:00
siphash_internal_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
sm2_internal_test.c Update copyright year 2020-04-23 13:55:52 +01:00
sm4_internal_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
smcont.txt
sparse_array_test.c Reorganize private crypto header files 2019-09-28 20:26:34 +02:00
srptest.c
ssl_cert_table_internal_test.c Reorganize local header files 2019-09-28 20:26:35 +02:00
ssl_ctx_test.c Update copyright year 2020-05-15 14:09:49 +01:00
ssl_test_ctx_test.c Update copyright year 2020-04-23 13:55:52 +01:00
ssl_test_ctx_test.cnf Use .cnf for config files, not .conf 2020-03-06 18:25:13 +01:00
ssl_test_ctx.c Add a test for renegotiation with EXTMS dropped 2020-06-09 14:11:20 +02:00
ssl_test_ctx.h Update copyright year 2020-06-25 14:13:12 +01:00
ssl_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ssl_test.tmpl
sslapitest.c Reduce the security bits for MD5 and SHA1 based signatures in TLS 2020-06-27 08:41:40 +02:00
sslbuffertest.c Update copyright year 2020-04-23 13:55:52 +01:00
sslcorrupttest.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ssltest_old.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
ssltestlib.c Fix error path in int create_ssl_ctx_pair() 2020-06-05 10:31:58 +01:00
ssltestlib.h Update copyright year 2020-04-23 13:55:52 +01:00
stack_test.c
sysdefault.cnf
sysdefaulttest.c
test_test.c Fix --strict-warnings build 2019-08-18 21:45:16 +02:00
test.cnf Add -section option to 'req' command 2020-03-07 12:58:02 +03:00
testcrl.pem
testdsa.pem
testdsapub.pem
testec-p256.pem
testecpub-p256.pem
tested448.pem More testing for CLI usage of Ed25519 and Ed448 keys 2019-12-11 18:37:53 +01:00
tested448pub.pem More testing for CLI usage of Ed25519 and Ed448 keys 2019-12-11 18:37:53 +01:00
tested25519.pem More testing for CLI usage of Ed25519 and Ed448 keys 2019-12-11 18:37:53 +01:00
tested25519pub.pem More testing for CLI usage of Ed25519 and Ed448 keys 2019-12-11 18:37:53 +01:00
testp7.pem
testreq2.pem
testrsa.pem
testrsapub.pem
testsid.pem
testutil.h test: update EVP tests to include DRBG testing 2020-06-24 20:07:46 +10:00
testx509.pem
threadstest.c
time_offset_test.c
tls13ccstest.c Update copyright year 2020-04-23 13:55:52 +01:00
tls13encryptiontest.c Update copyright year 2020-06-25 14:13:12 +01:00
tls13secretstest.c Update copyright year 2020-04-23 13:55:52 +01:00
tls-provider.c Make the naming scheme for dispatched functions more consistent 2020-06-24 22:01:22 +02:00
uitest.c
v3_ca_exts.cnf Make x509 -force_pubkey test case with self-issued cert more realistic 2020-07-01 11:14:54 +02:00
v3-cert1.pem
v3-cert2.pem
v3ext.c Update copyright year 2020-04-23 13:55:52 +01:00
v3nametest.c Update copyright year 2020-05-15 14:09:49 +01:00
verify_extra_test.c In OpenSSL builds, declare STACK for datatypes ... 2020-04-24 16:42:46 +02:00
versions.c
wpackettest.c WPACKET: don't write DER length when we don't want to 2020-05-04 05:50:06 +02:00
x509_check_cert_pkey_test.c Update copyright year 2020-04-23 13:55:52 +01:00
x509_dup_cert_test.c Update copyright year 2020-04-23 13:55:52 +01:00
x509_internal_test.c Join the x509 and x509v3 directories 2019-05-29 09:32:50 +02:00
x509_time_test.c Update copyright year 2020-04-23 13:55:52 +01:00
x509aux.c Update copyright year 2020-04-23 13:55:52 +01:00

Test OpenSSL

After a successful build, and before installing, the libraries should be tested. Run:

$ make test                                      # Unix
$ mms test                                       ! OpenVMS
$ nmake test                                     # Windows

Warning: you MUST run the tests from an unprivileged account (or disable your privileges temporarily if your platform allows it).

If some tests fail, take a look at the section Test Failures below.

Test Failures

If some tests fail, look at the output. There may be reasons for the failure that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue). You may want increased verbosity, that can be accomplished like this:

Full verbosity, showing full output of all successful and failed test cases (make macro VERBOSE or V):

$ make V=1 test                                  # Unix
$ mms /macro=(V=1) test                          ! OpenVMS
$ nmake V=1 test                                 # Windows

Verbosity on test failure (VERBOSE_FAILURE or VF, Unix example shown):

$ make test VF=1

Verbosity on failed (sub-)tests only (VERBOSE_FAILURES_ONLY or VFO):

$ make test VFO=1

Verbosity on failed (sub-)tests, in addition progress on succeeded (sub-)tests (VERBOSE_FAILURES_PROGRESS or VFP):

$ make test VFP=1

If you want to run just one or a few specific tests, you can use the make variable TESTS to specify them, like this:

$ make TESTS='test_rsa test_dsa' test            # Unix
$ mms/macro="TESTS=test_rsa test_dsa" test       ! OpenVMS
$ nmake TESTS='test_rsa test_dsa' test           # Windows

And of course, you can combine (Unix examples shown):

$ make test TESTS='test_rsa test_dsa' VF=1
$ make test TESTS="test_cmp_*" VFO=1

You can find the list of available tests like this:

$ make list-tests                                # Unix
$ mms list-tests                                 ! OpenVMS
$ nmake list-tests                               # Windows

Have a look at the manual for the perl module Test::Harness to see what other HARNESS_* variables there are.

To report a bug please open an issue on GitHub, at https://github.com/openssl/openssl/issues.

For more details on how the make variables TESTS can be used, see section Running Selected Tests below.

Running Selected Tests

The make variable TESTS supports a versatile set of space separated tokens with which you can specify a set of tests to be performed. With a "current set of tests" in mind, initially being empty, here are the possible tokens:

 alltests      The current set of tests becomes the whole set of available
               tests (as listed when you do 'make list-tests' or similar).

 xxx           Adds the test 'xxx' to the current set of tests.

-xxx           Removes 'xxx' from the current set of tests.  If this is the
               first token in the list, the current set of tests is first
               assigned the whole set of available tests, effectively making
               this token equivalent to TESTS="alltests -xxx".

 nn            Adds the test group 'nn' (which is a number) to the current
               set of tests.

-nn            Removes the test group 'nn' from the current set of tests.
               If this is the first token in the list, the current set of
               tests is first assigned the whole set of available tests,
               effectively making this token equivalent to
               TESTS="alltests -xxx".

Also, all tokens except for "alltests" may have wildcards, such as *. (on Unix and Windows, BSD style wildcards are supported, while on VMS, it's VMS style wildcards)

Examples

Run all tests except for the fuzz tests:

$ make TESTS=-test_fuzz test

or, if you want to be explicit:

$ make TESTS='alltests -test_fuzz' test

Run all tests that have a name starting with "test_ssl" but not those starting with "test_ssl_":

$ make TESTS='test_ssl* -test_ssl_*' test

Run only test group 10:

$ make TESTS='10'

Run all tests except the slow group (group 99):

$ make TESTS='-99'

Run all tests in test groups 80 to 99 except for tests in group 90:

$ make TESTS='[89]? -90'

To stochastically verify that the algorithm that produces uniformly distributed random numbers is operating correctly (with a false positive rate of 0.01%):

$ ./util/wrap.sh test/bntest -stochastic