| Commit message (Collapse) | Author | Age | Files | Lines |
| |
Add a test to inject a record from the next epoch during the handshake and
make sure it doesn't get processed immediately.
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Reviewed-by: Stephen Henson <steve@openssl.org>
| |
Make maximum fragment length configurable and add various fragmentation
tests, in addition to the existing multi-buffer tests.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Reviewed-by: Tim Hudson <tjh@openssl.org>
| |
Test that we handle a TLS ClientHello in an SSLv2 record correctly.
Reviewed-by: Tim Hudson <tjh@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
In practice, CT isn't really functional without EC anyway, as most logs
use EC keys. So, skip loading the log list with no-ec, and skip CT tests
completely in that conf.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
This commit only ports existing tests, and adds some coverage for
resumption. We don't appear to have any handshake tests that cover SCT
validation success, and this commit doesn't change that.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
In NPN and ALPN, the protocol is renegotiated upon resumption. Test that
resumption picks up changes to the extension.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
OPENSSL_NO_NEXTPROTONEG only disables NPN, not ALPN
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1413)
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
Fix the 80-test_ssl_test_ctx and 80-test_ssl_new tests when used with the
no-nextprotoneg option
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Misc fixes impacting no-tls1_2. Also fixes no-dtls1_2.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Also fixes some other options like no-dgram and no-sock.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Ensure that we don't build/run the ct fuzzing code if no-ct is used.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Systematically test every server-side version downgrade or upgrade.
Client version upgrade or downgrade could be tested analogously but will
be done in a later change.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
The new fuzzing code broke no-cms
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
If configuring for anything other than the default TLS protocols then
test failures were occurring.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
| |
subject alternate names.
Add nameConstraints tests including DNS, IP and email tests both in
subject alt name extension and subject name.
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Replace nptest with sanity test.
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
GH: #1276
| |
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Observe that the old tests were partly ill-defined:
setting sn_server1 but not sn_server2 in ssltest_old.c does not enable
the SNI callback.
Fix this, and also explicitly test both flavours of SNI mismatch (ignore
/ fatal alert). Tests still pass.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
The previous commit fixed a problem where fragmented alerts would cause an
infinite loop. This commit adds a test for these fragmented alerts.
Reviewed-by: Andy Polyakov <appro@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Stephen Henson <steve@openssl.org>
| |
On some platforms we can't start up the TLSProxy due to environmental
problems (e.g. network set up on the build machine). These aren't OpenSSL
problems so we shouldn't treat them as test failures. Just visibly
indicate that we are skipping the test.
We only skip the first time we attempt to start up the proxy. If that works
then everything else should do...if not we should probably investigate and
so report as a failure.
This also removes test_networking...there is a danger that this turns into
a test of user's environmental set up rather than OpenSSL.
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
This commit adds some session API tests, and in particular tests the
modified behaviour of SSL_set_session() introduced in the last commit. To
do this I have factored out some common code from the asynciotest into a
new ssltestlib.c file. I've also renamed getsettest to sslapitest as this
more closely matches what it now is!
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Most of the no-dtls* builds were failing due to one test which had an
incorrect "skip" condition.
Reviewed-by: Andy Polyakov <appro@openssl.org>
| |
When session tickets are used, it's possible that SNI might switch the
SSL_CTX on an SSL. Normally, this is not a problem, because the
initial_ctx/session_ctx are used for all session ticket/id processes.
However, when the SNI callback occurs, it's possible that the callback
may update the options in the SSL from the SSL_CTX, and this could
cause SSL_OP_NO_TICKET to be set. If this occurs, then two bad things
can happen:
1. The session ticket TLSEXT may not be written when the ticket expected
flag is set. The state machine transitions to writing the ticket, and
the client responds with an error as it's not expecting a ticket.
2. When creating the session ticket, if the ticket key cb returns 0
the crypto/hmac contexts are not initialized, and the code crashes when
trying to encrypt the session ticket.
To fix 1, if the ticket TLSEXT is not written out, clear the expected
ticket flag.
To fix 2, consider a return of 0 from the ticket key cb a recoverable
error, and write a 0 length ticket and continue. The client-side code
can explicitly handle this case.
Fix these two cases, and add unit test code to validate ticket behavior.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1098)
| |
GH1098: Add X509_get_pathlen() (and a test)
GH1097: Add SSL_is_dtls() function.
Documented.
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
The previous commit changed how we handle out-of-context empty records.
This commit adds some tests for the various scenarios. There are three
tests:
1: Check that if we inject an out-of-context empty record then we fail
2: Check that if we inject an in-context empty record then we succeed
3: Check that if we inject too many in-context empty records then we fail.
Reviewed-by: Andy Polyakov <appro@openssl.org>
| |
We just do the getters/setter for tlsext_status_type. This could be extended
for others in the future.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
In rare cases, the shell we run test programs in may have complaints.
Shut those up unless testing verbosely.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Since one generates files that the other depends on, there's no
real reason to keep them separate. Since they were both different
aspects of 'openssl req', the merge ends up in 25-test_req.t.
This also makes cleanup easier.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
RT#4557
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
Port client auth tests to the new framework, add coverage. The old tests
were only testing success, and only for some protocol versions; the new
tests add all protocol versions and various failure modes.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| |
The S symbol class wasn't checked.
Notified by Sebastian Andrzej Siewior
Reviewed-by: Tim Hudson <tjh@openssl.org>
| |
Add copyright to missing assembler files.
Add copyrights to missing test/* files.
Add copyrights
Various source and misc files.
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
Trying to use normal perl conditions to conditionally 'use' a perl
module didn't quite work. Using the 'if' module to do so does work.
Reviewed-by: Andy Polyakov <appro@openssl.org>
| |
As it turns out default glob's behaviour for quoted argument varies
from version to version, making it impossible to Configure or run
tests in some cases. The reason for quoting globs was to accommodate
source path with spaces in its name, which was treated by default glob
as multiple paths. File::Glob::glob on the other hand doesn't consider
spaces as delimiters and therefore works with unquoted patterns.
[Unfortunately File::Glob::glob, being too csh-ly, doesn't work
on VMS, hence the "pinning" is conditional.]
Reviewed-by: Richard Levitte <levitte@openssl.org>
| |
RT#4486
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
RT#4486
Reviewed-by: Matt Caswell <matt@openssl.org>
| |
If using the msys console then msys attempts to "fix" command line
arguments to convert them from Unix style to Windows style. One of the
things it does is to look for arguments separated by colons. This it
assumes is a list of file paths, so it replaces the colon with a semi-colon.
This was causing one of our tests to fail when calling the "req" command
line app. We were attempting to create a new DSA key and passing the
argument "dsa:../apps/dsa1024.pem". This is exactly what we intended but
Msys mangles it to "dsa;../apps/dsa1024.pem" and the command fails.
There doesn't seem to be a way to suppress Msys name mangling. Fortunately
we can work around this issue by generating the DSA key in a separate step
by calling "gendsa".
RT#4255
Reviewed-by: Richard Levitte <levitte@openssl.org>