0e7b1383e1
Move check that cert signing is allowed from x509v3_cache_extensions() to where it belongs: internal_verify(), generalize it for proxy cert signing. Correct and simplify check_issued(), now checking self-issued (not: self-signed). Add test case to 25-test_verify.t that demonstrates successful fix Fixes #1418 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587) |
||
---|---|---|
.. | ||
certs | ||
ct | ||
d2i-tests | ||
ocsp-tests | ||
ossl_shim | ||
recipes | ||
smime-certs | ||
ssl-tests | ||
testutil | ||
aborttest.c | ||
acvp_test.c | ||
acvp_test.inc | ||
aesgcmtest.c | ||
afalgtest.c | ||
asn1_decode_test.c | ||
asn1_dsa_internal_test.c | ||
asn1_encode_test.c | ||
asn1_internal_test.c | ||
asn1_string_table_test.c | ||
asn1_time_test.c | ||
asynciotest.c | ||
asynctest.c | ||
bad_dtls_test.c | ||
bftest.c | ||
bio_callback_test.c | ||
bio_enc_test.c | ||
bio_memleak_test.c | ||
bio_prefix_text.c | ||
bioprinttest.c | ||
bn_internal_test.c | ||
bn_rand_range.h | ||
bntest.c | ||
bntests.pl | ||
build.info | ||
ca-and-certs.cnf | ||
casttest.c | ||
CAtsa.cnf | ||
chacha_internal_test.c | ||
cipher_overhead_test.c | ||
cipherbytes_test.c | ||
cipherlist_test.c | ||
ciphername_test.c | ||
clienthellotest.c | ||
cmactest.c | ||
cmp_asn_test.c | ||
cmp_client_test.c | ||
cmp_ctx_test.c | ||
cmp_hdr_test.c | ||
cmp_msg_test.c | ||
cmp_protect_test.c | ||
cmp_server_test.c | ||
cmp_status_test.c | ||
cmp_testlib.c | ||
cmp_testlib.h | ||
cmp_vfy_test.c | ||
cms-examples.pl | ||
cmsapitest.c | ||
conf_include_test.c | ||
confdump.c | ||
constant_time_test.c | ||
context_internal_test.c | ||
crltest.c | ||
ct_test.c | ||
ctype_internal_test.c | ||
curve448_internal_test.c | ||
d2i_test.c | ||
danetest.c | ||
danetest.in | ||
danetest.pem | ||
default-and-fips.cnf | ||
default-and-legacy.cnf | ||
default.cnf | ||
destest.c | ||
dhtest.c | ||
drbg_cavs_data_ctr.c | ||
drbg_cavs_data_hash.c | ||
drbg_cavs_data_hmac.c | ||
drbg_cavs_data.h | ||
drbg_cavs_test.c | ||
drbg_extra_test.c | ||
drbg_extra_test.h | ||
drbgtest.c | ||
drbgtest.h | ||
dsa_no_digest_size_test.c | ||
dsatest.c | ||
dtls_mtu_test.c | ||
dtlstest.c | ||
dtlsv1listentest.c | ||
ec_internal_test.c | ||
ecdsatest.c | ||
ecdsatest.h | ||
ecstresstest.c | ||
ectest.c | ||
enginetest.c | ||
errtest.c | ||
evp_extra_test2.c | ||
evp_extra_test.c | ||
evp_fetch_prov_test.c | ||
evp_kdf_test.c | ||
evp_pkey_dparams_test.c | ||
evp_pkey_provided_test.c | ||
evp_test.c | ||
evp_test.h | ||
exdatatest.c | ||
exptest.c | ||
fatalerrtest.c | ||
ffc_internal_test.c | ||
filterprov.c | ||
fips.cnf | ||
generate_buildtest.pl | ||
generate_ssl_tests.pl | ||
gmdifftest.c | ||
gosttest.c | ||
handshake_helper.c | ||
handshake_helper.h | ||
hexstr_test.c | ||
hmactest.c | ||
http_test.c | ||
ideatest.c | ||
igetest.c | ||
insta_ca.cert.pem | ||
insta.priv.pem | ||
keymgmt_internal_test.c | ||
legacy.cnf | ||
lhash_test.c | ||
mdc2_internal_test.c | ||
mdc2test.c | ||
memleaktest.c | ||
modes_internal_test.c | ||
namemap_internal_test.c | ||
ocspapitest.c | ||
ossl_test_endian.h | ||
p_test.c | ||
packettest.c | ||
param_build_test.c | ||
params_api_test.c | ||
params_conversion_test.c | ||
params_test.c | ||
pbelutest.c | ||
pemtest.c | ||
pkcs7-1.pem | ||
pkcs7.pem | ||
pkey_meth_kdf_test.c | ||
pkey_meth_test.c | ||
pkits-test.pl | ||
poly1305_internal_test.c | ||
property_test.c | ||
provider_fallback_test.c | ||
provider_internal_test.c | ||
provider_internal_test.cnf.in | ||
provider_test.c | ||
proxy.cnf | ||
rc2test.c | ||
rc4test.c | ||
rc5test.c | ||
rdrand_sanitytest.c | ||
README | ||
README.external | ||
README.md | ||
README.ssltest.md | ||
recordlentest.c | ||
rsa_complex.c | ||
rsa_mp_test.c | ||
rsa_sp800_56b_test.c | ||
rsa_test.c | ||
run_tests.pl | ||
sanitytest.c | ||
secmemtest.c | ||
serverinfo2.pem | ||
serverinfo.pem | ||
servername_test.c | ||
session.pem | ||
shibboleth.pfx | ||
shlibloadtest.c | ||
siphash_internal_test.c | ||
sm2_internal_test.c | ||
sm4_internal_test.c | ||
smcont.txt | ||
sparse_array_test.c | ||
srptest.c | ||
ssl_cert_table_internal_test.c | ||
ssl_ctx_test.c | ||
ssl_test_ctx_test.c | ||
ssl_test_ctx_test.cnf | ||
ssl_test_ctx.c | ||
ssl_test_ctx.h | ||
ssl_test.c | ||
ssl_test.tmpl | ||
sslapitest.c | ||
sslbuffertest.c | ||
sslcorrupttest.c | ||
ssltest_old.c | ||
ssltestlib.c | ||
ssltestlib.h | ||
stack_test.c | ||
sysdefault.cnf | ||
sysdefaulttest.c | ||
test_test.c | ||
test.cnf | ||
testcrl.pem | ||
testdsa.pem | ||
testdsapub.pem | ||
testec-p256.pem | ||
testecpub-p256.pem | ||
tested448.pem | ||
tested448pub.pem | ||
tested25519.pem | ||
tested25519pub.pem | ||
testp7.pem | ||
testreq2.pem | ||
testrsa.pem | ||
testrsapub.pem | ||
testsid.pem | ||
testutil.h | ||
testx509.pem | ||
threadstest.c | ||
time_offset_test.c | ||
tls13ccstest.c | ||
tls13encryptiontest.c | ||
tls13secretstest.c | ||
tls-provider.c | ||
uitest.c | ||
v3_ca_exts.cnf | ||
v3-cert1.pem | ||
v3-cert2.pem | ||
v3ext.c | ||
v3nametest.c | ||
verify_extra_test.c | ||
versions.c | ||
wpackettest.c | ||
x509_check_cert_pkey_test.c | ||
x509_dup_cert_test.c | ||
x509_internal_test.c | ||
x509_time_test.c | ||
x509aux.c |
Test OpenSSL
After a successful build, and before installing, the libraries should be tested. Run:
$ make test # Unix
$ mms test ! OpenVMS
$ nmake test # Windows
Warning: you MUST run the tests from an unprivileged account (or disable your privileges temporarily if your platform allows it).
If some tests fail, take a look at the section Test Failures below.
Test Failures
If some tests fail, look at the output. There may be reasons for the failure that isn't a problem in OpenSSL itself (like an OS malfunction or a Perl issue). You may want increased verbosity, that can be accomplished like this:
Full verbosity, showing full output of all successful and failed test cases
(make
macro VERBOSE
or V
):
$ make V=1 test # Unix
$ mms /macro=(V=1) test ! OpenVMS
$ nmake V=1 test # Windows
Verbosity on test failure (VERBOSE_FAILURE
or VF
, Unix example shown):
$ make test VF=1
Verbosity on failed (sub-)tests only (VERBOSE_FAILURES_ONLY
or VFO
):
$ make test VFO=1
Verbosity on failed (sub-)tests, in addition progress on succeeded (sub-)tests
(VERBOSE_FAILURES_PROGRESS
or VFP
):
$ make test VFP=1
If you want to run just one or a few specific tests, you can use
the make
variable TESTS
to specify them, like this:
$ make TESTS='test_rsa test_dsa' test # Unix
$ mms/macro="TESTS=test_rsa test_dsa" test ! OpenVMS
$ nmake TESTS='test_rsa test_dsa' test # Windows
And of course, you can combine (Unix examples shown):
$ make test TESTS='test_rsa test_dsa' VF=1
$ make test TESTS="test_cmp_*" VFO=1
You can find the list of available tests like this:
$ make list-tests # Unix
$ mms list-tests ! OpenVMS
$ nmake list-tests # Windows
Have a look at the manual for the perl module Test::Harness to see what other HARNESS_* variables there are.
To report a bug please open an issue on GitHub, at https://github.com/openssl/openssl/issues.
For more details on how the make
variables TESTS
can be used,
see section Running Selected Tests below.
Running Selected Tests
The make
variable TESTS
supports a versatile set of space separated tokens
with which you can specify a set of tests to be performed. With a "current
set of tests" in mind, initially being empty, here are the possible tokens:
alltests The current set of tests becomes the whole set of available
tests (as listed when you do 'make list-tests' or similar).
xxx Adds the test 'xxx' to the current set of tests.
-xxx Removes 'xxx' from the current set of tests. If this is the
first token in the list, the current set of tests is first
assigned the whole set of available tests, effectively making
this token equivalent to TESTS="alltests -xxx".
nn Adds the test group 'nn' (which is a number) to the current
set of tests.
-nn Removes the test group 'nn' from the current set of tests.
If this is the first token in the list, the current set of
tests is first assigned the whole set of available tests,
effectively making this token equivalent to
TESTS="alltests -xxx".
Also, all tokens except for "alltests" may have wildcards, such as *. (on Unix and Windows, BSD style wildcards are supported, while on VMS, it's VMS style wildcards)
Examples
Run all tests except for the fuzz tests:
$ make TESTS=-test_fuzz test
or, if you want to be explicit:
$ make TESTS='alltests -test_fuzz' test
Run all tests that have a name starting with "test_ssl" but not those starting with "test_ssl_":
$ make TESTS='test_ssl* -test_ssl_*' test
Run only test group 10:
$ make TESTS='10'
Run all tests except the slow group (group 99):
$ make TESTS='-99'
Run all tests in test groups 80 to 99 except for tests in group 90:
$ make TESTS='[89]? -90'
To stochastically verify that the algorithm that produces uniformly distributed random numbers is operating correctly (with a false positive rate of 0.01%):
$ ./util/wrap.sh test/bntest -stochastic