subject alternate names.
Add nameConstraints tests incluing DNS, IP and email tests both in
subject alt name extension and subject name.
Reviewed-by: Richard Levitte <levitte@openssl.org>
If application uses any of Windows-specific interfaces, make it
application developer's respondibility to include <windows.h>.
Rationale is that <windows.h> is quite "toxic" and is sensitive
to inclusion order (most notably in relation to <winsock2.h>).
It's only natural to give complete control to the application developer.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Now that INCLUDE considers both the source and build trees, no need
for the rel2abs perl fragment hacks any more.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1264)
Observe that the old tests were partly ill-defined:
setting sn_server1 but not sn_server2 in ssltest_old.c does not enable
the SNI callback.
Fix this, and also explicitly test both flavours of SNI mismatch (ignore
/ fatal alert). Tests still pass.
Reviewed-by: Rich Salz <rsalz@openssl.org>
The previous commit fixed a problem where fragmented alerts would cause an
infinite loop. This commit adds a test for these fragmented alerts.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The previous fix contained a mistake, where any absolute path in
%directories would be cleared away instead of just being left alone.
Reviewed-by: Rich Salz <rsalz@openssl.org>
We recalculate the location of the directories we keep track of.
However, we did so after having moved to the new directory already, so
the data we did the calculations from were possibly not quite correct.
This change moves the calculations to happen before moving to the new
directory.
This issue is sporadic, and possibly dependent on the platform.
Reviewed-by: Matt Caswell <matt@openssl.org>
This extends 'req' to take more than one DN component, and to take
them as full DN components and not just CN values. All other commands
are changed to pass "CN = $cn" instead of just a CN value.
This adds 'genpc', which differs from the other 'gen*' commands by not
calling 'req', and expect the result from 'req' to come through stdin.
Finally, test/certs/setup.sh gets the commands needed to generate a
few proxy certificates.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
Reorder arguments to follow convention.
Also allow r/s to be NULL in DSA_SIG_get0, similarly to ECDSA_SIG_get0.
This complements GH1193 which adds non-const setters.
Reviewed-by: Rich Salz <rsalz@openssl.org>
On some platforms we can't startup the TLSProxy due to environmental
problems (e.g. network set up on the build machine). These aren't OpenSSL
problems so we shouldn't treat them as test failures. Just visibly
indicate that we are skipping the test.
We only skip the first time we attempt to start up the proxy. If that works
then everything else should do...if not we should probably investigate and
so report as a failure.
This also removes test_networking...there is a danger that this turns into
a test of user's environmental set up rather than OpenSSL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
VMS C doesn't allow symbols longer than 31 characters. We do the
automatic shortening with the library files, but not otherwise (to
make sure to work the VMS C magic).
For consistency, I shortened other similar symbols in the same manner.
Reviewed-by: Rich Salz <rsalz@openssl.org>
This commit adds some session API tests, and in particular tests the
modified behaviour of SSL_set_session() introduced in the last commit. To
do this I have factored out some common code from the asynciotest into a
new ssltestlib.c file. I've also renamed getsettest to sslapitest as this
more closely matches what it now is!
Reviewed-by: Rich Salz <rsalz@openssl.org>
The SNI tests introduced a redundant "server2" section into every test
configuration. Copy this automatically from "server" unless testing SNI,
to reduce noise in the generated confs.
Also remove duplicate SSL_TEST_CTX_create (merge conflict error).
Reviewed-by: Rich Salz <rsalz@openssl.org>
Some Linux platforms have a suitably recent kernel to support AFALG, but
apparently you still can't actually create an afalg socket. This extends
the afalg_chk_platform() function to additionally check whether we can
create an AFALG socket. We also amend the afalgtest to not report a
failure to load the engine as a test failure. A failure to load is almost
certainly due to platform environmental issues, and not an OpenSSL problem.
RT 4434
Reviewed-by: Andy Polyakov <appro@openssl.org>
- Only send SNI in SNI tests. This allows us to test handshakes without
the SNI extension as well.
- Move all handshake-specific machinery to handshake_helper.c
- Use enum types to represent the enum everywhere
(Resorting to plain ints can end in sign mismatch when the enum is
represented by an unsigned type.)
Reviewed-by: Rich Salz <rsalz@openssl.org>
We already test in EC_POINT_oct2point that points are on the curve. To
be on the safe side, move this check to
EC_POINT_set_affine_coordinates_* so as to also check point coordinates
received through some other method.
We do not check projective coordinates, though, as
- it's unlikely that applications would be receiving this primarily
internal representation from untrusted sources, and
- it's possible that the projective setters are used in a setting where
performance matters.
Reviewed-by: Rich Salz <rsalz@openssl.org>
When session tickets are used, it's possible that SNI might swtich the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transistions to writing the ticket, and
the client responds with an error as its not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
Various fixes to get the following to compile:
./config no-asm -ansi -D_DEFAULT_SOURCE
RT4479
RT4480
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
The previous commit changed how we handle out-of-context empty records.
This commit adds some tests for the various scenarios. There are three
tests:
1: Check that if we inject an out-of-context empty record then we fail
2: Check that if we inject an in-context empty record then we succeed
3: Check that if we inject too many in-context empty records then we fail.
Reviewed-by: Andy Polyakov <appro@openssl.org>
The previous commit fixed a bug with BN_mod_word() which would have been
caught if we had a test for it. This commit adds one.
Reviewed-by: Andy Polyakov <appro@openssl.org>
If we're going to redirect STDERR and STDOUT, it's better to do it by
the book. This fix is a straight copy of examples in the perlfunc
manual.
Reviewed-by: Matt Caswell <matt@openssl.org>
The flags RSA_FLAG_NO_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME and
DH_FLAG_NO_EXP_CONSTTIME which previously provided the ability to switch
off the constant time implementation for RSA, DSA and DH have been made
no-ops and deprecated.
Reviewed-by: Richard Levitte <levitte@openssl.org>
In rare cases, the shell we run test programs in may have complaints.
Shut those up unless testing verbosely.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>