Commit Graph

1123 Commits

Author SHA1 Message Date
Matt Caswell
61884b8140 Fix bio_enc_test
There was a block of code at the start that used the Camellia cipher. The
original idea behind this was to fill the buffer with non-zero data so that
oversteps can be detected. However this block failed when using no-camellia.
This has been replaced with a RAND_bytes() call.

I also updated the the CTR test section, since it seems to be using a CBC
cipher instead of a CTR cipher.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-08-23 09:24:29 +01:00
Kurt Roeckx
b1b22b0b77 Test the support curves in tls
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1472
2016-08-22 22:13:04 +02:00
Matt Caswell
1c55e372b9 Fix no-des
The PKCS12 command line utility is not available if no-des is used.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-22 16:39:28 +01:00
Rich Salz
464d59a5bb RT2676: Reject RSA eponent if even or 1
Also, re-organize RSA check to use goto err.
Add a test case.
Try all checks, not just stopping at first (via Richard Levitte)

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-22 11:25:12 -04:00
Kazuki Yamaguchi
0110a47036 Fix a memory leak in EC_GROUP_get_ecparameters()
The variable 'buffer', allocated by EC_POINT_point2buf(), isn't
free'd on the success path.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-22 15:10:03 +01:00
Matt Caswell
fe34735c19 Choose a ciphersuite for testing that won't be affected by "no-*" options
The previous ciphersuite broke in no-ec builds.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 13:52:02 +01:00
Richard Levitte
1c288878af ssltestlib: Tell compiler we don't care about the value when we don't
In mempacket_test_read(), we've already fetched the top value of the
stack, so when we shift the stack, we don't care for the value.  The
compiler needs to be told, or it will complain harshly when we tell it
to be picky.

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-22 14:02:31 +02:00
Andy Polyakov
1194ea8dc3 crypto/pkcs12: facilitate accessing data with non-interoperable password.
Originally PKCS#12 subroutines treated password strings as ASCII.
It worked as long as they were pure ASCII, but if there were some
none-ASCII characters result was non-interoperable. But fixing it
poses problem accessing data protected with broken password. In
order to make asscess to old data possible add retry with old-style
password.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 13:52:59 +02:00
Andy Polyakov
70bf33d182 Add PKCS#12 UTF-8 interoperability test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-22 13:52:51 +02:00
Andy Polyakov
e6ed2b9108 Add test/bio_enc_test.c.
RT#4628

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-21 23:34:26 +02:00
Richard Levitte
0556f2aa43 MEMPACKET is typedef'd in ssltestlib.h, don't do so again in ssltestlib.c
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 17:17:20 +02:00
Matt Caswell
52a03d2a5e Fix some clang warnings
Clang was complaining about some unused functions. Moving the stack
declaration to the header seems to sort it. Also the certstatus variable
in dtlstest needed to be declared static.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Matt Caswell
ac9fc67a48 Add DTLS replay protection test
Injects a record from epoch 1 during epoch 0 handshake, with a record
sequence number in the future, to test that the record replay protection
feature works as expected. This is described more fully in the next commit.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Matt Caswell
6fc1748ec6 Add a DTLS unprocesed records test
Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Matt Caswell
b4982125e6 Split create_ssl_connection()
Split the create_ssl_connection() helper function into two steps: one to
create the SSL objects, and one to actually create the connection. This
provides the ability to make changes to the SSL object before the
connection is actually made.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Matt Caswell
d82dec40ba Add a DTLS packet mem BIO
This adds a BIO similar to a normal mem BIO but with datagram awareness.
It also has the capability to inject additional packets at arbitrary
locations into the BIO, for testing purposes.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Matt Caswell
d9a2e90bce Add a (D)TLS dumper BIO
Dump out the records passed over the BIO. Only works for DTLS at the
moment but could easily be extended to TLS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-19 13:52:40 +01:00
Emilia Kasper
15269e5654 Add more details on how to add a new SSL test
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-19 14:50:25 +02:00
Emilia Kasper
dd8e5a5732 Test that the peers send at most one fatal alert
Duplicate alerts have happened, see
70c22888c1

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 12:49:32 +02:00
Emilia Kasper
6dc9974547 Port multi-buffer tests
Make maximum fragment length configurable and add various fragmentation
tests, in addition to the existing multi-buffer tests.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 12:46:00 +02:00
FdaSilvaYY
cc69629626 Constify char* input parameters in apps code
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 17:09:19 +01:00
Matt Caswell
48593cb12a Convert SSL_SESSION* functions to use const getters
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
2016-08-16 23:36:28 +01:00
FdaSilvaYY
69b86d4b98 two typo fixes
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1461)
2016-08-16 15:51:58 -04:00
Andy Polyakov
f4941736a9 test/ssl_test.tmpl: make it work with elderly perl.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 12:43:44 +02:00
Emilia Kasper
e0421bd8b2 SSL tests: send some application data
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-16 11:00:15 +02:00
Matt Caswell
bb982ce753 Remove a stray unneeded line in 70-test_sslrecords.t
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Matt Caswell
a2a0c86bb0 Add some SSLv2 ClientHello tests
Test that we handle a TLS ClientHello in an SSLv2 record correctly.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-15 23:14:30 +01:00
Rob Percival
a1bb7708ce Improves CTLOG_STORE setters
Changes them to have clearer ownership semantics, as suggested in
https://github.com/openssl/openssl/pull/1372#discussion_r73232196.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1408)
2016-08-15 12:56:47 -04:00
Richard Levitte
a0ef6bb687 Skip the SRP tests in 80-test_ssl_old.t if no TLS versions is enabled
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-15 17:16:47 +02:00
Dr. Stephen Henson
10f8d0eaa5 Update X25519 key format in evptests.txt
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-13 14:11:05 +01:00
Rich Salz
ce7a2232f8 Check for bad filename in evp_test
Thanks to Brian Carpter for reporting this.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2016-08-12 14:04:53 -04:00
Emilia Kasper
be82f7b320 Don't attempt to load the CT log list with no-ec
In practice, CT isn't really functional without EC anyway, as most logs
use EC keys. So, skip loading the log list with no-ec, and skip CT tests
completely in that conf.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 18:46:06 +02:00
Rich Salz
2301d91dd5 Change callers to use the new constants.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1429)
2016-08-10 10:07:37 -04:00
Emilia Kasper
2f35e6a3eb Gracefully free a NULL HANDSHAKE_RESULT
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 14:41:21 +02:00
Emilia Kasper
d61f00780a Add TEST_check
Like OPENSSL_assert, but also prints the error stack before exiting.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 14:41:21 +02:00
Emilia Kasper
da085d273c SSL tests: port CT tests, add a few more
This commit only ports existing tests, and adds some coverage for
resumption. We don't appear to have any handshake tests that cover SCT
validation success, and this commit doesn't change that.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 14:41:21 +02:00
Emilia Kasper
6bd3379a58 SSL test ctx: fix tests
Some failure tests were failing for the wrong reason after the CTX
refactoring. Update those tests.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-10 14:41:21 +02:00
David Woodhouse
eb633d03fe Kill PACKET_starts() from bad_dtls_test
As discussed in PR#1409 it can be done differently.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-10 12:50:51 +01:00
David Woodhouse
c14e790d6c Fix clienthellotest to use PACKET functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-10 12:50:51 +01:00
Emilia Kasper
2ac6bdc029 NPN and ALPN: test resumption
In NPN and ALPN, the protocol is renegotiated upon resumption. Test that
resumption picks up changes to the extension.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-08 15:14:52 +02:00
Emilia Kasper
7b7cea6d71 Fix ALPN tests when NPN is off
OPENSSL_NO_NEXTPROTONEG only disables NPN, not ALPN

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-08 12:19:31 +02:00
Emilia Kasper
9f48bbacd8 Reorganize SSL test structures
Move custom server and client options from the test dictionary to an
"extra" section of each server/client. Rename test expectations to say
"Expected".

This is a big but straightforward change. Primarily, this allows us to
specify multiple server and client contexts without redefining the
custom options for each of them. For example, instead of
"ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols",
we now have, "NPNProtocols".

This simplifies writing resumption and SNI tests. The first application
will be resumption tests for NPN and ALPN.

Regrouping the options also makes it clearer which options apply to the
server, which apply to the client, which configure the test, and which
are test expectations.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-08 12:06:26 +02:00
klemens
6025001707 spelling fixes, just comments and readme.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
2016-08-05 19:07:30 -04:00
Richard Levitte
5cdad22f3e Move the building of test/buildtest_*. to be done unconditionally
These were guarded by $disabled{tests}.  However, 'tests' is disabled
if we configure 'no-stdio', which means that we don't detect the lack
of OPENSSL_NO_STDIO guards in our public header files.  So we move the
generation and build of test/buildtest_*.c to be unconditional.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-05 21:17:05 +02:00
Richard Levitte
9cc76cc40a VMS: Fix building of bad_dtls_test
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-08-05 10:14:56 +02:00
David Woodhouse
16938284cf Add basic test for Cisco DTLS1_BAD_VER and record replay handling
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-04 20:56:24 +01:00
Richard Levitte
f37c159aed 80-test_ssl_new.t: only skip on $no_tls if no other skip conditions defined
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-02 13:27:39 +02:00
Richard Levitte
f4947bf10e In 80-test_ssl_new, more "plan tests" to a more useful position
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-02 11:37:38 +02:00
Matt Caswell
ee94aeee7d Fix tests for no-nextprotoneg
Fix the 80-test_ssl_test_ctx and 80-test_ssl_new tests when used with the
no-nextprotoneg option

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-02 10:19:56 +01:00
Ben Laurie
620c6ad312 Fix various no-*s.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-01 11:30:33 +01:00