summaryrefslogtreecommitdiff
path: root/test
Commit message (Collapse)AuthorAgeFilesLines
* SSL object refactoring using SSL_CONNECTION objectTomas Mraz2022-07-285-42/+71
| | | | | | | | | | | | | | Make the SSL object polymorphic based on whether this is a traditional SSL connection, QUIC connection, or later to be implemented a QUIC stream. It requires adding if after every SSL_CONNECTION_FROM_SSL() call which itself has to be added to almost every public SSL_ API call. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18612)
* Add a test for BIO_s_mem() when using datagramsMatt Caswell2022-07-283-1/+140
| | | | | | | | | The previous commit added support to BIO_s_mem() for using datagrams. We now add tests for that functionality. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18596)
* 80-test_cmp_http.t: fix adaption of plan on 'certstatus' aspect of Mock serverDr. David von Oheimb2022-07-261-1/+1
| | | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18858)
* Fix no-dtls1_2Matt Caswell2022-07-251-0/+6
| | | | | | | | | | | dtlstest.c needs some adjusting to handle no-dtls1_2 since commit 7bf2e4d7f0c banned DTLSv1 at the default security level - causing the test to fail. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18848)
* Add test from "Fix re-signing certificates with different key sizes"Todd Short2022-07-221-1/+56
| | | | | | | | Tests for #16080 and #18836 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18841)
* Fix a crash in v2i_IPAddrBlocks()Matt Caswell2022-07-221-0/+99
| | | | | | | | | | | | If an IP address prefix value is supplied that is too large then a crash can result. v2i_IPAddrBlocks() should sanity check the prefix value, as should X509v3_addr_add_prefix(). Reported by Theo Buehler (@botovq) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18523)
* Add OSSL_CMP_CTX_get0_validatedSrvCert(), correcting OSSL_CMP_validate_msg()Dr. David von Oheimb2022-07-202-6/+18
| | | | | | | | | | Also change ossl_cmp_ctx_set0_validatedSrvCert() to ossl_cmp_ctx_set1_validatedSrvCert(), and add respective tests as well as the -srvcertout CLI option using the new function. Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18656)
* Coverity 1507372: explicit null dereferencePauli2022-07-201-3/+2
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18822)
* libcrypto and test: rename asn1_string_to_time_t to ossl_asn1_string_to_time_tDr. David von Oheimb2022-07-192-3/+3
| | | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18668)
* ossl_ffc_params_copy: Copy the keylength tooTomas Mraz2022-07-181-0/+34
| | | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
* Test that we generate a short private key for known DH primeTomas Mraz2022-07-181-0/+10
| | | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
* dhparam_test: Test that we add private key length on generation and print itTomas Mraz2022-07-181-8/+16
| | | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
* dh_to_text: Print the dh->length if setTomas Mraz2022-07-182-0/+2
| | | | | | | Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
* Use as small dh key size as possible to support the securityTomas Mraz2022-07-181-3/+8
| | | | | | | | | | | | | | | | | | | | | | Longer private key sizes unnecessarily raise the cycles needed to compute the shared secret without any increase of the real security. We use minimum key sizes as defined in RFC7919. For arbitrary parameters we cannot know whether they are safe primes (we could test but that would be too inefficient) we have to keep generating large keys. However we now set a small dh->length when we are generating safe prime parameters because we know it is safe to use small keys with them. That means users need to regenerate the parameters if they want to take the performance advantage of small private key. Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Hugo Landau <hlandau@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18480)
* cmsapitest.c: add test case for CMS_EnvelopedData_decrypt()Dr. David von Oheimb2022-07-161-1/+9
| | | | | | | | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18667)
* CMS: add CMS_SignedData_verify(), a variant of CMS_verify() with extensionsDr. David von Oheimb2022-07-161-4/+9
| | | | | | | | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18667)
* ocspapitest: use TEST_true to report the exact failurexkernel2022-07-141-4/+5
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18774)
* ocspapitest: properly check the return of memory-allocating functionsxkernel2022-07-141-1/+4
| | | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18774)
* test/certs/setup.sh: add missing comment on CA cert variant without basic ↵Dr. David von Oheimb2022-07-121-2/+2
| | | | | | | | | | constraints Reviewed-by: Viktor Dukhovni <viktor@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> (Merged from https://github.com/openssl/openssl/pull/18758)
* feat: add hmac-sm3 test cases from GM/T 0042-2015 Appendix D.3Mingjun.Yang2022-07-113-1/+39
| | | | | | Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18714)
* Make evp_test skip mac tests if digest or ciphers are disabled.slontis2022-07-111-6/+20
| | | | | | | | | Fixes test error in #18714 This only happens currently during minimal builds. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18737)
* Add missing header for memcmpGregor Jasny2022-07-061-0/+1
| | | | | | | | | | CLA: trivial Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18719)
* Add unit test for event queuePauli2022-07-062-2/+107
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18345)
* AES OCB test vectorsAlex Chernyakhovsky2022-07-051-0/+50
| | | | | | | | | | Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue. Co-authored-by: Alejandro Sedeño <asedeno@google.com> Co-authored-by: David Benjamin <davidben@google.com> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org>
* APPS: dsaparam, gendsa: Support setting propertiesClemens Lang2022-07-011-1/+45
| | | | | | | | | | | | | | | | | The -provider and -propquery options did not work on dsaparam and gendsa. Fix this and add tests that check that operations that are not supported by the FIPS provider work when run with | -provider default -propquery '?fips!=yes' See also https://bugzilla.redhat.com/show_bug.cgi?id=2094956, where this was initially reported. Signed-off-by: Clemens Lang <cllang@redhat.com> Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18576)
* fix Coverity 1506709: error handlingPauli2022-07-011-1/+2
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18679)
* Add test for try_key_ref() fallback handlingTomas Mraz2022-06-282-0/+194
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17554)
* Fix range_should_be_prefix() to actually return the correct resultMatt Caswell2022-06-281-0/+111
| | | | | | | | | | | | | | | | | | range_should_be_prefix() was misidentifying whether an IP address range should in fact be represented as a prefix. This was due to a bug introduced in commit 42d7d7dd which made this incorrect change: - OPENSSL_assert(memcmp(min, max, length) <= 0); + if (memcmp(min, max, length) <= 0) + return -1; This error leads to incorrect DER being encoded/accepted. Reported by Theo Buehler (@botovq) Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18524)
* Add a DTLS next epoch testMatt Caswell2022-06-283-0/+159
| | | | | | | | | Test that if we receive a packet from the next epoch, we can buffer it and still use it. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18601)
* Add a test for an all 0 RSA keyMatt Caswell2022-06-281-0/+12
| | | | | | | | | Testing a key with all values set to 0. Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18651)
* Add checks for saltlen and trailerfield to rsa key writer.Daniel Fiala2022-06-272-2/+35
| | | | | | | | Fixes openssl#18168. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18615)
* test: placate Clang's --Wbitwise-instead-of-logicalSam James2022-06-271-198/+198
| | | | | | | | | | | | | | ``` test/test_test.c:58:9: note: cast one or both operands to int to silence this warning test/test_test.c:58:9: error: use of bitwise '|' with boolean operands [-Werror,-Wbitwise-instead-of-logical] if (!TEST(1, TEST_uint_eq(3u, 3u)) ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ test/test_test.c:58:9: note: cast one or both operands to int to silence this warning ``` Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18639)
* Fix compile issues in test/v3ext.c with no-rfc3779Bernd Edlinger2022-06-231-0/+4
| | | | | | | | | | There are no ASIdentifiers if OPENSSL_NO_RFC3779 is defined, therefore the test cannot be compiled. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18634)
* Test whether decoded-from-explicit survives import/exportTomas Mraz2022-06-231-2/+25
| | | | | | Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> (Merged from https://github.com/openssl/openssl/pull/18609)
* Add deprecation macro for 3.1 and deprecate OPENSSL_LH_statsHugo Landau2022-06-221-11/+1
| | | | | | Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/17937)
* test/v3nametest.c: Add check for OPENSSL_mallocJiasheng Jiang2022-06-221-0/+2
| | | | | | | | | | | | As the potential failure of the OPENSSL_malloc(), it should be better to add the check and return error if fails. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18573)
* test/evp_test.c: Add check for OPENSSL_strdupJiasheng Jiang2022-06-221-4/+8
| | | | | | | | | | | | As the potential failure of the OPENSSL_strdup(), it should be better to check the return value and return error if fails. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18592)
* Add test cases for verification of time stamping certificatesLutz Jaenicke2022-06-2211-1/+203
| | | | | | | | | | | | Test makes sure, that both time stamping certificate according to rfc3161 (no requirements for keyUsage extension) and according to CAB forum (keyUsage extension must be digitalSignature and be set critical) are accepted. Misuse cases as stated in CAB forum are rejected, only exeption is a missing "critial" flag on keyUsage. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18597)
* test: add priority queue unit testPauli2022-06-223-0/+200
| | | | | | Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18274)
* Have set_dateopt() return 1 on success to make -dateopt workHartmut Holzgraefe2022-06-161-1/+12
| | | | | | | | | | Fixes #18553 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18554) (cherry picked from commit 67e1b558e67a3bee1f20f8a9e067211b440404f8)
* test/recipes/*.t: setup() doesn't play well with spaces in the argumentRichard Levitte2022-06-161-1/+1
| | | | | | | | | | The argument translates into a directory name, and there are platforms that don't allow spaces (at least not easily), which makes the test fail. This modifies it to conform a bit better to the usual form for that arg. Reviewed-by: Todd Short <todd.short@me.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18531)
* Add an extra reduction step to RSAZ mod_exp implementationsTomas Mraz2022-06-161-6/+4
| | | | | | | | Inspired by BoringSSL fix by David Benjamin. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18510)
* Always end BN_mod_exp_mont_consttime with normal Montgomery reduction.Tomas Mraz2022-06-161-0/+67
| | | | | | | | | | | | | | | | | | | | | | | | | This partially fixes a bug where, on x86_64, BN_mod_exp_mont_consttime would sometimes return m, the modulus, when it should have returned zero. Thanks to Guido Vranken for reporting it. It is only a partial fix because the same bug also exists in the "rsaz" codepath. The bug only affects zero outputs (with non-zero inputs), so we believe it has no security impact on our cryptographic functions. The fx is to delete lowercase bn_from_montgomery altogether, and have the mont5 path use the same BN_from_montgomery ending as the non-mont5 path. This only impacts the final step of the whole exponentiation and has no measurable perf impact. See the original BoringSSL commit https://boringssl.googlesource.com/boringssl/+/13c9d5c69d04485a7a8840c12185c832026c8315 for further analysis. Original-author: David Benjamin <davidben@google.com> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18510)
* test/ssl_old_test.c: Add check for OPENSSL_mallocJiasheng Jiang2022-06-161-0/+5
| | | | | | | | | | | | As the potential failure of the OPENSSL_malloc(), it should be better to add the check and return error if fails. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18555)
* test/ssl_old_test.c: Add check for OPENSSL_zallocJiasheng Jiang2022-06-151-0/+2
| | | | | | | | | | | | | As the potential failure of the OPENSSL_zalloc(), it should be better to add the check and return error if fails. Signed-off-by: Jiasheng Jiang <jiasheng@iscas.ac.cn> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/18552)
* Fix a mem leak in evp_pkey_export_to_providerK12022-06-152-3/+72
| | | | | | | | | If keymgmt is NULL, tmp_keymgmt is allocated and will not be freed. Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/18499)
* Fix a crash in X509v3_asid_subset()Matt Caswell2022-06-151-0/+78
| | | | | | | | | | | | | If the asnum or rdi fields are NULL and the ASIdentifiers are otherwise subsets then this will result in a crash. Of note is that rdi will usually be NULL. Reported by Theo Buehler (@botovq) Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Paul Yang <kaishen.yy@antfin.com> Reviewed-by: Todd Short <todd.short@me.com> (Merged from https://github.com/openssl/openssl/pull/18514)
* test/evp_test.c: Check too big output buffer sizes in PKEYKDF testsRichard Levitte2022-06-151-1/+17
| | | | | | | | | | | | | | | | | | EVP_PKEY_derive() should be able to cope with a too big buffer for fixed size outputs. However, we don't test that. This change modifies the PKEYKDF tests to ask EVP_PKEY_derive() what the desired output buffer size is, and as long as the returned value isn't absurd (indicating that anything goes), the output buffer is made to be twice as big as what is expected. Tests #18517 Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18533) (cherry picked from commit a0587aaeff7391b8cf4ee4c6a233d0f4dca7d62f)
* test_pkey_check: Positive testcase for private key with unknown parametersTomas Mraz2022-06-152-11/+44
| | | | | | Reviewed-by: Shane Lontis <shane.lontis@oracle.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18099)
* Testcase for regression by PPC64 fixed length montgomery multiplicationTomas Mraz2022-06-151-0/+12
| | | | | | Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/18512)
View Lorry Controller Status