summaryrefslogtreecommitdiff
path: root/test/ssl_test.c
Commit message (Collapse)AuthorAgeFilesLines
* test: update ssl_new tests in line with pedantic FIPS policyPauli2023-04-211-0/+7
| | | | | | | | | | | | | | | | Add a new option to the `test' section of SSL test data structure. This contains a space separated list of version checks, all of which must pass. Note that the version checks are as they as because: - 3.1.0 doesn't have mandatory EMS support, so it can run the old tests. - 3.1.1 (& later) will have mandatory EMS support, so they can't run them. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20762)
* Add a test_ssl_new testcaseTomas Mraz2022-06-031-0/+25
| | | | | | | | | This requires some code being pulled into the empty protocol implementation so the state machinery works. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18307)
* Add SSL_OP_ALLOW_CLIENT_RENEGOTIATIONRich Salz2021-05-171-6/+18
| | | | | | | | | | | | | | | | | | | Add -client_renegotiation flag support. The -client_renegotiation flag is equivalent to SSL_OP_ALLOW_CLIENT_RENEGOTIATION. Add support to the app, the config code, and the documentation. Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION to the SSL tests. We don't need to always enable it, but there are so many tests so this is the easiest thing to do. Add a test where client tries to renegotiate and it fails as expected. Add a test where server tries to renegotiate and it succeeds. The second test is supported by a new flag, -immediate_renegotiation, which is ignored on the client. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15184)
* Update copyright yearMatt Caswell2021-02-181-1/+1
| | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14235)
* Stop disabling TLSv1.3 if ec and dh are disabledMatt Caswell2021-02-051-5/+17
| | | | | | | | | | Even if EC and DH are disabled then we may still be able to use TLSv1.3 if we have groups that have been plugged in by an external provider. Fixes #13767 Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13916)
* Use adapted test_get_libctx() for simpler test setup and better error reportingDr. David von Oheimb2020-12-101-1/+1
| | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/13001)
* test cleanup: move helper .c and .h files to test/helpers/Dr. David von Oheimb2020-12-011-2/+2
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/13568)
* Rename OPENSSL_CTX prefix to OSSL_LIB_CTXDr. Matthias St. Pierre2020-10-151-2/+2
| | | | | | | | | | | | Many of the new types introduced by OpenSSL 3.0 have an OSSL_ prefix, e.g., OSSL_CALLBACK, OSSL_PARAM, OSSL_ALGORITHM, OSSL_SERIALIZER. The OPENSSL_CTX type stands out a little by using a different prefix. For consistency reasons, this type is renamed to OSSL_LIB_CTX. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12621)
* Run the withlibctx.pl scriptMatt Caswell2020-10-011-16/+14
| | | | | | | | Automatically rename all instances of _with_libctx() to _ex() as per our coding style. Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12970)
* Fix safestack issues in x509.hMatt Caswell2020-09-131-2/+0
| | | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/12781)
* testutil: Add provider.c with test_get_libctx(), to use at least for SSL and CMPDr. David von Oheimb2020-08-211-21/+6
| | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11808)
* Add X509 related libctx changes.Shane Lontis2020-07-241-1/+1
| | | | | | | | | | | | | - In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's. - Removed the extra parameters in check_purpose.. - X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
* In OpenSSL builds, declare STACK for datatypes ...Rich Salz2020-04-241-0/+2
| | | | | | | | | | | | | | | | | | | | | | ... and only *define* them in the source files that need them. Use DEFINE_OR_DECLARE which is set appropriately for internal builds and not non-deprecated builds. Deprecate stack-of-block Better documentation Move some ASN1 struct typedefs to types.h Update ParseC to handle this. Most of all, ParseC needed to be more consistent. The handlers are "recursive", in so far that they are called again and again until they terminate, which depends entirely on what the "massager" returns. There's a comment at the beginning of ParseC that explains how that works. {Richard Levtte} Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/10669)
* Update copyright yearMatt Caswell2020-04-231-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11616)
* Teach ssl_test_new how to test the FIPS moduleMatt Caswell2020-04-201-1/+7
| | | | | | | | We load the FIPS module and make sure it is configured before running the ssl_test_new tests. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
* Teach ssl_test_new to have different tests for different loaded providersMatt Caswell2020-04-201-7/+9
| | | | | | | | | | | | We now run the tests twice: Once with no specific providers loaded and just using the default libctx, and a second time with a non-default libctx and the default provider. In the second run we disable tests which use a PSS cert/key because we don't yet have support for that. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
* Run ssl_test_new with a non-default library contextMatt Caswell2020-04-201-10/+37
| | | | | | | | We also prepare the way for a future commit to run ssl_test_new with just the FIPS provider loaded. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11511)
* Fix common test framework optionsMatt Caswell2020-02-031-0/+5
| | | | | | | | | | | | | | | | | | | | | PR#6975 added the ability to our test framework to have common options to all tests. For example providing the option "-test 5" to one of our test programs will just run test number 5. This can be useful when debugging tests. Unforuntately this does not work well for a number of tests. In particular those tests that call test_get_argument() without first skipping over these common test options will not get the expected value. Some tests did this correctly but a large number did not. A helper function is introduced, test_skip_common_options(), to make this easier for those tests which do not have their own specialised test option handling, but yet still need to call test_get_argument(). This function call is then added to all those tests that need it. Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/10975)
* Updated test command line parsing to support commmon commandsShane Lontis2019-02-111-0/+2
| | | | | | Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/6975)
* Use (D)TLS_MAX_VERSION_INTERNAL internallyKurt Roeckx2018-12-151-18/+9
| | | | | | | Use 0 if we don't want to set a minimum or maximum version Reviewed-by: Matt Caswell <matt@openssl.org> GH: #7260
* Following the license change, modify the boilerplates in test/Richard Levitte2018-12-061-1/+1
| | | | | Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7767)
* Add a config option to disable automatic config loadingBernd Edlinger2018-04-171-0/+5
| | | | | | | ./config no-autoload-config Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5959)
* Update copyright yearMatt Caswell2018-03-201-1/+1
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5689)
* Enhance ssltestlib's create_ssl_ctx_pair to take min and max proto versionRichard Levitte2018-03-191-0/+27
| | | | | | | | | Have all test programs using that function specify those versions. Additionally, have the remaining test programs that use SSL_CTX_new directly specify at least the maximum protocol version. Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5663)
* Session Ticket app dataTodd Short2018-03-121-0/+22
| | | | | | | | Adds application data into the encrypted session ticket Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3802)
* Use ChaCha only if prioritized by clntTodd Short2017-11-301-0/+13
| | | | | | | | | | | | | IFF the client has ChaCha first, and server cipher priority is used, and the new SSL_OP_PRIORITIZE_CHACHA_FOR_MOBILE option is used, then reprioritize ChaCha above everything else. This way, A matching ChaCha cipher will be selected if there is a match. If no ChaCha ciphers match, then the other ciphers are used. Reviewed-by: Paul Dale <paul.dale@oracle.com> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/4436)
* Session resume broken switching contextsTodd Short2017-10-041-0/+14
| | | | | | | | | | | | | | | | | | | | | | | | | | | | When an SSL's context is swtiched from a ticket-enabled context to a ticket-disabled context in the servername callback, no session-id is generated, so the session can't be resumed. If a servername callback changes the SSL_OP_NO_TICKET option, check to see if it's changed to disable, and whether a session ticket is expected (i.e. the client indicated ticket support and the SSL had tickets enabled at the time), and whether we already have a previous session (i.e. s->hit is set). In this case, clear the ticket-expected flag, remove any ticket data and generate a session-id in the session. If the SSL hit (resumed) and switched to a ticket-disabled context, assume that the resumption was via session-id, and don't bother to update the session. Before this fix, the updated unit-tests in 06-sni-ticket.conf would fail test #4 (server1 = SNI, server2 = no SNI). Reviewed-by: Rich Salz <rsalz@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <paul.dale@oracle.com> (Merged from https://github.com/openssl/openssl/pull/1529)
* Update the test framework so that the need for test_main is removed. EverythingPauli2017-07-271-10/+9
| | | | | | | | | | | | | | | | | | | | that needed test_main now works using the same infrastructure as tests that used register_tests. This meant: * renaming register_tests to setup_tests and giving it a success/failure return. * renaming the init_test function to setup_test_framework. * renaming the finish_test function to pulldown_test_framework. * adding a user provided global_init function that runs before the test frame work is initialised. It returns a failure indication that stops the stest. * adding helper functions that permit tests to access their command line args. * spliting the BIO initialisation and finalisation out from the test setup and teardown. * hiding some of the now test internal functions. * fix the comments in testutil.h Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3953)
* Remove the TEST_check macro.Pauli2017-07-051-1/+2
| | | | | | | This macro aborted the process which stopped any later tests from running. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3838)
* Remove uses of the TEST_check macro.Pauli2017-06-231-23/+23
| | | | | | | | This macro aborts the test which prevents later tests from executing. It also bypasses the test framework output functionality. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3750)
* Update tests to avoid printf to stdout/stderr when running as test cases.Pauli2017-06-191-13/+12
| | | | | Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3710)
* Adapt all test programsRichard Levitte2017-04-241-1/+0
| | | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3243)
* Add ExpectedServerCANamesDr. Stephen Henson2017-04-031-48/+57
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3015)
* Test infrastructure additions.Pauli2017-03-291-71/+59
| | | | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Emilia Käsper <emilia@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3011)
* Add ExpectedClientCANamesDr. Stephen Henson2017-03-161-0/+57
| | | | | | | | Add ExpectedClientCANames: for client auth this checks to see if the list of certificate authorities supplied by the server matches the expected value. Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2969)
* Use the built in boolean type for CompressionExpectedMatt Caswell2017-03-021-3/+3
| | | | | | | Don't create a custom boolean type for parsing CompressionExpected. Use the existing one instead. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2814)
* Add compression testsMatt Caswell2017-03-021-0/+11
| | | | | | Check whether we negotiate compression in various scenarios. Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2814)
* Add test support for TLS signature types.Dr. Stephen Henson2017-01-301-0/+16
| | | | | Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2301)
* Add options to check TLS signing hashesDr. Stephen Henson2017-01-201-12/+26
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2235)
* add ECDSA test server certificateDr. Stephen Henson2017-01-151-1/+1
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2224)
* Add options to check certificate types.Dr. Stephen Henson2017-01-151-6/+29
| | | | Reviewed-by: Emilia Käsper <emilia@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2224)
* Add new ssl_test option.Dr. Stephen Henson2017-01-081-0/+12
| | | | | | | | Add option ExpectedTmpKeyType to test the temporary key the server sends is of the correct type. Reviewed-by: Kurt Roeckx <kurt@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2191)
* Add main() test methods to reduce test boilerplate.Emilia Kasper2016-11-091-1/+3
| | | | | | | | | | | | | | | | | | Simple tests only need to implement register_tests(). Tests that need a custom main() should implement test_main(). This will be wrapped in a main() that performs common setup/teardown (currently crypto-mdebug). Note that for normal development, enable-asan is usually sufficient for detecting leaks, and more versatile. enable-crypto-mdebug is stricter as it will also insist that all static variables be freed. This is useful for debugging library init/deinit; however, it also means that test_main() must free everything it allocates. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org>
* Simplify tests part 2Emilia Kasper2016-11-071-32/+6
| | | | | | | | | | | | | | | 1) Remove some unnecessary fixtures 2) Add EXECUTE_TEST_NO_TEARDOWN shorthand when a fixture exists but has no teardown. 3) Fix return values in ct_test.c (introduced by an earlier refactoring, oops) Note that for parameterized tests, the index (test vector) usually holds all the customization, and there should be no need for a separate test fixture. The CTS test is an exception: it demonstrates how to combine customization with parameterization. Reviewed-by: Richard Levitte <levitte@openssl.org>
* testutil: always print errors on failureEmilia Kasper2016-11-041-2/+0
| | | | Reviewed-by: Richard Levitte <levitte@openssl.org>
* Test that the peers send at most one fatal alertEmilia Kasper2016-08-181-0/+10
| | | | | | | Duplicate alerts have happened, see 70c22888c1648fe8652e77107f3c74bf2212de36 Reviewed-by: Rich Salz <rsalz@openssl.org>
* Add TEST_checkEmilia Kasper2016-08-101-12/+12
| | | | | | Like OPENSSL_assert, but also prints the error stack before exiting. Reviewed-by: Rich Salz <rsalz@openssl.org>
* Fix ALPN tests when NPN is offEmilia Kasper2016-08-081-2/+2
| | | | | | OPENSSL_NO_NEXTPROTONEG only disables NPN, not ALPN Reviewed-by: Richard Levitte <levitte@openssl.org>
* Reorganize SSL test structuresEmilia Kasper2016-08-081-14/+14
| | | | | | | | | | | | | | | | | | | | | Move custom server and client options from the test dictionary to an "extra" section of each server/client. Rename test expectations to say "Expected". This is a big but straightforward change. Primarily, this allows us to specify multiple server and client contexts without redefining the custom options for each of them. For example, instead of "ServerNPNProtocols", "Server2NPNProtocols", "ResumeServerNPNProtocols", we now have, "NPNProtocols". This simplifies writing resumption and SNI tests. The first application will be resumption tests for NPN and ALPN. Regrouping the options also makes it clearer which options apply to the server, which apply to the client, which configure the test, and which are test expectations. Reviewed-by: Richard Levitte <levitte@openssl.org>
* Fix various no-*s.Ben Laurie2016-08-011-0/+4
| | | | Reviewed-by: Rich Salz <rsalz@openssl.org>