aboutsummaryrefslogtreecommitdiffstats
path: root/test/recipes
Commit message (Collapse)AuthorAgeFilesLines
* Make -provider_name and -section_name optionalRich Salz2020-07-156-18/+10
| | | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12311)
* Add AES_CBC_CTS ciphers to providersShane Lontis2020-07-152-1/+364
| | | | | | | | | | | | | | Added Algorithm names AES-128-CBC-CTS, AES-192-CBC-CTS and AES-256-CBC-CTS. CS1, CS2 and CS3 variants are supported. Only single shot updates are supported. The cipher returns the mode EVP_CIPH_CBC_MODE (Internally it shares the aes_cbc cipher code). This would allow existing code that uses AES_CBC to switch to the CTS variant without breaking code that tests for this mode. Because it shares the aes_cbc code the cts128.c functions could not be used directly. The cipher returns the flag EVP_CIPH_FLAG_CTS. EVP_CIPH_FLAG_FIPS & EVP_CIPH_FLAG_NON_FIPS_ALLOW have been deprecated. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12094)
* Fix wrong fipsinstall key used in testShane Lontis2020-07-091-1/+0
| | | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12402)
* Add multiple fixes for ffc key generation using invalid p,q,g parameters.Shane Lontis2020-07-091-0/+46
| | | | | | | | | | | | | | | Fixes #11864 - The dsa keygen assumed valid p, q, g values were being passed. If this is not correct then it is possible that dsa keygen can either hang or segfault. The fix was to do a partial validation of p, q, and g inside the keygen. - Fixed a potential double free in the dsa keypair test in the case when in failed (It should never fail!). It freed internal object members without setting them to NULL. - Changed the FFC key validation to accept 1024 bit keys in non fips mode. - Added tests that use both the default provider & fips provider to test these cases. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12176)
* [test][15-test_genec] Improve EC tests with genpkeyNicola Tuveri2020-07-061-14/+119
| | | | | | | | | | | | | | Test separately EC parameters and EC key generation. Some curves only support explicit params encoding. For some curves we have had cases in which generating the parameters under certain conditions failed, while generating and serializing a key under the same conditions did not. See <https://github.com/openssl/openssl/issues/12306> for more details. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12307)
* TEST: update 02-test_errstr.t to have better testsRichard Levitte2020-07-051-78/+79
| | | | | | | | | | | | We now check that if libcrypto hasn't loaded the string for some particular system error, it gives us "reason(nnn)" instead, where 'nnn' is the system error number in decimal. We go through all possible error macros that perl serves us, not only the POSIX ones. Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/12343)
* Rename NOTES*, README*, VERSION, HACKING, LICENSE to .md or .txtDr. David von Oheimb2020-07-054-5/+5
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12109)
* Don't run the cmp_cli tests if using FUZZING_BUILD_MODEMatt Caswell2020-07-031-3/+8
| | | | | | | | [extended tests] Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12275)
* 81-test_cmp_cli.t: Correct subroutine quote_spc_empty and its useDr. David von Oheimb2020-07-031-2/+2
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12280)
* 81-test_cmp_cli.t: Streamline {start,stop}_mock_server and improve port settingDr. David von Oheimb2020-07-031-12/+13
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12280)
* Add X509_self_signed(), extending and improving documenation and testsDr. David von Oheimb2020-07-011-0/+1
| | | | | Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
* Fix issue 1418 by moving check of KU_KEY_CERT_SIGN and weakening check_issued()Dr. David von Oheimb2020-07-011-1/+4
| | | | | | | | | | | | Move check that cert signing is allowed from x509v3_cache_extensions() to where it belongs: internal_verify(), generalize it for proxy cert signing. Correct and simplify check_issued(), now checking self-issued (not: self-signed). Add test case to 25-test_verify.t that demonstrates successful fix Fixes #1418 Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
* Add four more verify test cases on the self-signed Ed25519 and self-issed ↵Dr. David von Oheimb2020-07-011-2/+14
| | | | | | | X25519 certs Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
* Make x509 -force_pubkey test case with self-issued cert more realisticDr. David von Oheimb2020-07-011-2/+6
| | | | | | | | by adding CA basic constraints, CA key usage, and key IDs to the cert and by add -partial_chain to the verify call that trusts this cert Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
* Improve documentation, layout, and code comments regarding self-issued certs ↵Dr. David von Oheimb2020-07-011-1/+1
| | | | | | | etc. Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10587)
* Add --fips-key configuration parameter to fipsinstall application.Rich Salz2020-06-297-24/+19
| | | | | | | | | | | | | | Change default FIPS HMAC KEY from all-zero's Use default FIPSKEY if not given on command line. Make all -macopt in fipsinstall optional Make all tests, except fipsinstall, use the default -macopt and -mac_name flags. Define and use FIPSDIR variable on VMS/MMS. Also use SRCDIR/BLDDIR in SRCTOP/BLDTOP. Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12235)
* Reduce the security bits for MD5 and SHA1 based signatures in TLSKurt Roeckx2020-06-276-21/+39
| | | | | | | | | | This has as effect that SHA1 and MD5+SHA1 are no longer supported at security level 1, and that TLS < 1.2 is no longer supported at the default security level of 1, and that you need to set the security level to 0 to use TLS < 1.2. Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #10787
* Fix syntax of cipher stringKurt Roeckx2020-06-271-6/+6
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> GH: #10787
* TEST: Add TODO segments in test/recipes/15-test_genec.tRichard Levitte2020-06-261-17/+47
| | | | | | | | | | | | | There currently do not support 'ec_param_enc:explicit' with provider side key generation. Reflect that by encoding the expected failure with a Test::More TODO section for those particular tests. Because the tests in this recipe are data driven, we implement this mechanism with two functions, one for stuff that's supported and one for stuff that isn't. Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12080)
* Test genpkey app for EC keygen with various argsNicola Tuveri2020-06-261-0/+179
| | | | | | | | | | | | | | | | This commit adds a new recipe to test EC key generation with the `genpkey` CLI app. For each built-in curve, it tests key generation with text output, in PEM and in DER format, using `explicit` and `named_curve` for parameters encoding. The list of built-in curves is static at the moment, as this allows to differentiate between prime curves and binary curves to avoid failing when ec2m is disabled. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12080)
* Update copyright yearMatt Caswell2020-06-255-5/+5
| | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/12273)
* test: update EVP tests to include DRBG testingPauli2020-06-241-1/+2
| | | | | | | [extended tests] Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/11682)
* NIST DRBG set dataPauli2020-06-241-0/+79522
| | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> (Merged from https://github.com/openssl/openssl/pull/11682)
* TEST: Pass -no-CAstore in 80-test_ocsp.tSebastian Andrzej Siewior2020-06-231-1/+1
| | | | | | | | | | | | | | Without passing -no-CAstore the default CAstore will be used and the testsuite will fail the system has certificates installed. Fixes: #11645 Signed-off-by: Sebastian Andrzej Siewior <sebastian@breakpoint.cc> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12171)
* Speed-up for tests in 81-test_cmp_cli_data/test_connection.csvDr. David von Oheimb2020-06-221-7/+4
| | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12175)
* 81-test_cmp_cli.t: Disable CLI-based tests in case fuzzing is enabledDr. David von Oheimb2020-06-221-2/+4
| | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12175)
* 81-test_cmp_cli.t: Do connections to 127.0.0.1 (e.g., Mock server) without proxyDr. David von Oheimb2020-06-221-4/+14
| | | | | | | Fixes #12156 Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12175)
* Fix CMP -days option range checking and test failing with enable-ubsanDr. David von Oheimb2020-06-221-1/+1
| | | | | Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> (Merged from https://github.com/openssl/openssl/pull/12175)
* Add a test for d2i_AutoPrivateKey_ex with a non-default libctxMatt Caswell2020-06-191-1/+2
| | | | | | | | | Really this test should go in evp_extra_test. However that doesn't currently support a non-default libctx (with the "null" provider in the default libctx). So (for now) we create evp_extra_test2.c Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12159)
* Fix segfault in openssl app called with no args.Shane Lontis2020-06-181-0/+25
| | | | | | | | This is a result of removal of interactive mode. Redirected it to now use 'openssl help'. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12164)
* Add ACVP fips module testsShane Lontis2020-06-171-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | For FIPS validation purposes - Automated Cryptographic Validation Protocol (ACVP) tests need to be performed. (See https://github.com/usnistgov/ACVP). These tests are very similiar to the old CAVS tests. This PR uses a hardwired subset of these test vectors to perform similiar operations, to show the usage and prove that the API's are able to perform the required operations. It may also help with communication with the lab (i.e- The lab could add a test here to show a unworking use case - which we can then address). The EVP layer performs these tests instead of calling lower level API's as was done in the old FOM. Some of these tests require access to internals that are not normally allowed/required. The config option 'acvp_tests' (enabled by default) has been added so that this access may be removed. The mechanism has been implemented as additional OSSL_PARAM values that can be set and get. A callback mechanism did not seem to add any additional benefit. These params will not be added to the gettables lists. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11572)
* Chunk 12 of CMP contribution to OpenSSL: CLI-based high-level testsDr. David von Oheimb2020-06-1328-0/+7359
| | | | | | | | | | Certificate Management Protocol (CMP, RFC 4210) extension to OpenSSL Also includes CRMF (RFC 4211) and HTTP transfer (RFC 6712). Adds the CMP and CRMF API to libcrypto and the "cmp" app to the CLI. Adds extensive documentation and tests. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11998)
* Add a CMAC testMatt Caswell2020-06-101-0/+12
| | | | | | | | We did not have a test of the low level CMAC APIs so we add one. This is heavily based on the HMAC test. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11972)
* Update RSA keygen to use sp800-56b by defaultShane Lontis2020-06-101-4/+19
| | | | | | | | | | | | | Fixes #11742 Fixes #11764 The newer RSA sp800-56b algorithm is being used for the normal case of a non multiprime key of at least length 2048. Insecure key lengths and mutltiprime RSA will use the old method. Bad public exponents are no longer allowed (i.e values less than 65537 or even). Values such as 2 that would cause a infinite loop now result in an error. The value of 3 has been marked as deprecated but is still allowed for legacy purposes. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11765)
* Fix 90-test_store.t for latest config, limits, providers, and disabled algosDr. David von Oheimb2020-06-085-104/+99
| | | | | | | | | Also make sure that the test do not 'pass' if their initialization fails. Leave out the expensive parts of DSA key gen and RSA keygen for efficiency. Fix use of the new CA configuration file test/ca-and-certs.cnf. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11733)
* Add chain to PKCS#12 test file generation in 90-test_store.tDr. David von Oheimb2020-06-081-0/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11733)
* fips: add additional algorithms to the FIPS provider.Pauli2020-06-051-11/+0
| | | | | | | | Discussions are ongoing but the OMC has approved the in-principle addition of these algorithms to the upcoming FIPS validation. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12020)
* TEST: Add provider_fallback_test, to test aspects of fallback providersRichard Levitte2020-06-041-0/+18
| | | | | | | | | | | | | | | | | | There are cases where the fallback providers aren't treated right. For example, the following calls, in that order, will end up with a failed EVP_KEYMGMT_fetch(), even thought the default provider does supply an implementation of the "RSA" keytype. EVP_KEYMGMT *rsameth = NULL; OSSL_PROVIDER_available(NULL, "default"); rsameth = EVP_KEYMGMT_fetch(NULL, "RSA", NULL); For good measure, this also tests that explicit loading of the default provider won't fail. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11926)
* Update copyright yearMatt Caswell2020-06-043-3/+3
| | | | | Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/12043)
* Update manpage to fix examples, other minor tweaksRich Salz2020-06-033-4/+4
| | | | | | Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347)
* Cleanup cert config files for testsRich Salz2020-06-034-50/+45
| | | | | | | | | | Merge test/P[12]ss.cnf into one config file Merge CAss.cnf and Uss.cnf into ca-and-certs.cnf Remove Netscape cert extensions, add keyUsage comment from some cnf files Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11347)
* fips: add AES OFB mode ciphers to FIPS provider.Pauli2020-05-281-24/+0
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11908)
* fips: add AES CFB mode ciphers to FIPS provider.Pauli2020-05-281-24/+0
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11908)
* crypto/cms: add CAdES-BES signed attributes validationFdaSilvaYY2020-05-271-23/+114
| | | | | | | | | | | | | | | | for signing certificate V2 and signing certificate extensions. CAdES: lowercase name for now internal methods. crypto/cms: generated file changes. Add some CHANGES entries. [extended tests] Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/8098)
* Fix ERR_print_errors so that it matches the documented format in ↵Shane Lontis2020-05-261-0/+15
| | | | | | | | | | | | | | | | | | | doc/man3/ERR_error_string.pod Fixes #11743 The ouput format had 2 issues that caused it not to match the expected documented format: (1) At some point the thread id printing was changed to use the OPENSSL_hex2str method which puts ':' between hex bytes. An internal function that skips the seperator has been added. (2) The error code no longer exists. So this was completely removed from the string. It is now replaced by :: As an example: 00:77:6E:52:14:7F:00:00:error:asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1135: Is now: 00776E52147F0000:error::asn1 encoding routines:asn1_check_tlen:wrong tag:crypto/asn1/tasn_dec.c:1135: Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11789)
* GOST external testsDmitry Belyavskiy2020-05-232-0/+71
| | | | | | | | [extended tests] Reviewed-by: Nicola Tuveri <nic.tuv@gmail.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11792)
* Delete the sslprovider testMatt Caswell2020-05-181-50/+0
| | | | | | | | | | | | This was added before the changes to the sslap/ssl_new/ssl_old tests which run those tests with a non-default library context. It no longer adds anything that those tests don't already do, so it can be deleted. This also fixes a number of run-checker build failures which were failing in this test if TLSv1.2 was disabled. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11832)
* Update copyright yearMatt Caswell2020-05-158-8/+8
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11839)
* test/recipes/15-test_rsapss.t: Add test with unrestricted signatureRichard Levitte2020-05-141-8/+26
| | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11710)
* Fix PEM certificate loading that sometimes failsMaximilian Blenk2020-05-084-0/+17
| | | | | | | | | | | | | | | | | As described in https://github.com/openssl/openssl/issues/9187, the loading of PEM certificates sometimes fails if a line of base64 content has the length of a multiple of 254. The problem is in get_header_and_data(). When such a line with a length of 254 (or a multiple) has been read, the next read will only read a newline. Due to this get_header_and_data() expects to be in the header not in the data area. This commit fixes that by checking if lines have been read completely or only partially. In case of a previous partial read, a newline will be ignored. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> Reviewed-by: Ben Kaduk <kaduk@mit.edu> (Merged from https://github.com/openssl/openssl/pull/11741)
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-16 19:57:35 +0000