path: root/src/regress/lib/libcrypto/x509

Commit log. Each entry gives the subject line followed by (author, date, files changed, -lines/+lines), then the commit message body.
...
* Add regress test for invalidation of DER cache in select X509 setter functions  (job, 2023-04-25, 2 files, -2/+200)

* Exercise d2i_IPAddrBlocks() and X509v3_addr_subset() a little bit  (tb, 2023-04-20, 1 file, -9/+34)

* Clean up the x509 regress make file a little  (tb, 2023-03-02, 1 file, -27/+10)

* Switch regress to using x509_verify.h from libcrypto instead of the one in /usr/include/openssl.  (tb, 2023-01-28, 4 files, -8/+12)

* Clean up makefile  (tb, 2022-12-03, 1 file, -8/+6)

* Tweak x509_constraints_uri_host() regress to test for the NULL deref fixed in x509_constraints.c r1.29.  (tb, 2022-11-28, 1 file, -1/+3)

* Fix sparc64 build/run  (kn, 2022-11-23, 1 file, -3/+2)

  constraints.c:269: warning: ISO C90 forbids mixed declarations and code

  from tb

* Start CBS-ifying the name constraints code.  (beck, 2022-11-11, 2 files, -34/+52)

  ok jsing@ tb@

* The previous commit message ought to say this:  (kn, 2022-10-30, 1 file, -1/+1)

  ---
  Fix sparc64 build

  cc1: warnings being treated as errors
  .../constraints.c: In function 'test_constraints1':
  .../constraints.c:451: warning: ISO C90 forbids mixed declarations and code

  Fix RCS ID while here.
* /* $OpenBSD: $ */  (kn, 2022-10-30, 1 file, -2/+2)

/*
 * Copyright (c) 2020 Bob Beck <beck@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <err.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <openssl/safestack.h>
#include <openssl/x509.h>
#include <openssl/x509v3.h>

#include "x509_internal.h"

#define FAIL(msg, ...)							\
do {									\
	fprintf(stderr, "[%s:%d] FAIL: ", __FILE__, __LINE__);		\
	fprintf(stderr, msg, ##__VA_ARGS__);				\
} while(0)

unsigned char *valid_hostnames[] = {
	"openbsd.org",
	"op3nbsd.org",
	"org",
	"3openbsd.com",
	"3-0penb-d.c-m",
	"a",
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
	"open_bsd.org", /* because this is liberal */
	NULL,
};

unsigned char *valid_sandns_names[] = {
	"*.ca",
	"*.op3nbsd.org",
	"c*.openbsd.org",
	"foo.*.d*.c*.openbsd.org",
	NULL,
};

unsigned char *valid_domain_constraints[] = {
	"",
	".ca",
	".op3nbsd.org",
	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
	"www.openbsd.org",
	NULL,
};

unsigned char *valid_mbox_names[] = {
	"\"!#$%&\\\"*+-/=?\002^_`{|}~.\"@openbsd.org",
	"beck@openbsd.org",
	"beck@openbsd.org",
	"beck@op3nbsd.org",
	"beck@org",
	"beck@3openbsd.com",
	"beck@3-0penb-d.c-m",
	"bec@a",
	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
	"beck@open_bsd.org", /* because this is liberal */
	NULL,
};

unsigned char *invalid_hostnames[] = {
	"openbsd.org.",
	"openbsd..org",
	"openbsd.org-",
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	"-p3nbsd.org",
	"openbs-.org",
	"openbsd\n.org",
	"open\178bsd.org",
	"open\255bsd.org",
	"*.openbsd.org",
	NULL,
};

unsigned char *invalid_sandns_names[] = {
	"",
	".",
	"*.a",
	"*.",
	"*.aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	"*.-p3nbsd.org",
	"*.*..openbsd.org",
	"*..openbsd.org",
	".openbsd.org",
	"c*c.openbsd.org",
	NULL,
};

unsigned char *invalid_mbox_names[] = {
	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	"beck@aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	"beck@.-openbsd.org",
	"beck@.openbsd.org.",
	"beck@.a",
	"beck@.",
	"beck@",
	"beck@.ca",
	"@openbsd.org",
	NULL,
};

unsigned char *invalid_domain_constraints[] = {
	".",
	".a",
	"..",
	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.com",
	".aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa."
	"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.a",
	".-p3nbsd.org",
	"..openbsd.org",
	NULL,
};

unsigned char *invaliduri[] = {
	"https://-www.openbsd.org",
	"https://.www.openbsd.org/",
	"https://www.ope|nbsd.org%",
	"https://www.openbsd.org.#",
	"///",
	"//",
	"/",
	"",
	NULL,
};

static int
test_valid_hostnames(void)
{
	int i, failure = 0;

	for (i = 0; valid_hostnames[i] != NULL; i++) {
		if (!x509_constraints_valid_host(valid_hostnames[i],
		    strlen(valid_hostnames[i]))) {
			FAIL("Valid hostname '%s' rejected\n",
			    valid_hostnames[i]);
			failure = 1;
			goto done;
		}
		if (!x509_constraints_valid_sandns(valid_hostnames[i],
		    strlen(valid_hostnames[i]))) {
			FAIL("Valid sandns '%s' rejected\n",
			    valid_hostnames[i]);
			failure = 1;
			goto done;
		}
	}

 done:
	return failure;
}

static int
test_valid_sandns_names(void)
{
	int i, failure = 0;

	for (i = 0; valid_sandns_names[i] != NULL; i++) {
		if (!x509_constraints_valid_sandns(valid_sandns_names[i],
		    strlen(valid_sandns_names[i]))) {
			FAIL("Valid dnsname '%s' rejected\n",
			    valid_sandns_names[i]);
			failure = 1;
			goto done;
		}
	}

 done:
	return failure;
}

static int
test_valid_domain_constraints(void)
{
	int i, failure = 0;

	for (i = 0; valid_domain_constraints[i] != NULL; i++) {
		if (!x509_constraints_valid_domain_constraint(
		    valid_domain_constraints[i],
		    strlen(valid_domain_constraints[i]))) {
			FAIL("Valid dnsname '%s' rejected\n",
			    valid_domain_constraints[i]);
			failure = 1;
			goto done;
		}
	}

 done:
	return failure;
}

static int
test_valid_mbox_names(void)
{
	struct x509_constraints_name name = {0};
	int i, failure = 0;

	for (i = 0; valid_mbox_names[i] != NULL; i++) {
		if (!x509_constraints_parse_mailbox(valid_mbox_names[i],
		    strlen(valid_mbox_names[i]), &name)) {
			FAIL("Valid mailbox name '%s' rejected\n",
			    valid_mbox_names[i]);
			failure = 1;
			goto done;
		}
		free(name.name);
		name.name = NULL;
		free(name.local);
		name.local = NULL;
	}

 done:
	return failure;
}

static int
test_invalid_hostnames(void)
{
	int i, failure = 0;
	char *nulhost = "www.openbsd.org\0";

	for (i = 0; invalid_hostnames[i] != NULL; i++) {
		if (x509_constraints_valid_host(invalid_hostnames[i],
		    strlen(invalid_hostnames[i]))) {
			FAIL("Invalid hostname '%s' accepted\n",
			    invalid_hostnames[i]);
			failure = 1;
			goto done;
		}
	}
	/* Pass the embedded NUL as part of the length to catch NUL handling. */
	if (x509_constraints_valid_host(nulhost, strlen(nulhost) + 1)) {
		FAIL("hostname with NUL byte accepted\n");
		failure = 1;
		goto done;
	}
	if (x509_constraints_valid_sandns(nulhost, strlen(nulhost) + 1)) {
		FAIL("sandns with NUL byte accepted\n");
		failure = 1;
		goto done;
	}

 done:
	return failure;
}

static int
test_invalid_sandns_names(void)
{
	int i, failure = 0;

	for (i = 0; invalid_sandns_names[i] != NULL; i++) {
		if (x509_constraints_valid_sandns(invalid_sandns_names[i],
		    strlen(invalid_sandns_names[i]))) {
			FAIL("Invalid dnsname '%s' accepted\n",
			    invalid_sandns_names[i]);
			failure = 1;
			goto done;
		}
	}

 done:
	return failure;
}

static int
test_invalid_mbox_names(void)
{
	int i, failure = 0;
	struct x509_constraints_name name = {0};

	for (i = 0; invalid_mbox_names[i] != NULL; i++) {
		if (x509_constraints_parse_mailbox(invalid_mbox_names[i],
		    strlen(invalid_mbox_names[i]), &name)) {
			FAIL("invalid mailbox name '%s' accepted\n",
			    invalid_mbox_names[i]);
			failure = 1;
			goto done;
		}
		free(name.name);
		name.name = NULL;
		free(name.local);
		name.local = NULL;
	}

 done:
	return failure;
}

static int
test_invalid_domain_constraints(void)
{
	int i, failure = 0;

	for (i = 0; invalid_domain_constraints[i] != NULL; i++) {
		if (x509_constraints_valid_domain_constraint(
		    invalid_domain_constraints[i],
		    strlen(invalid_domain_constraints[i]))) {
			FAIL("invalid dnsname '%s' accepted\n",
			    invalid_domain_constraints[i]);
			failure = 1;
			goto done;
		}
	}

 done:
	return failure;
}

static int
test_invalid_uri(void)
{
	int j, failure = 0;
	char *hostpart = NULL;

	for (j = 0; invaliduri[j] != NULL; j++) {
		if (x509_constraints_uri_host(invaliduri[j],
		    strlen(invaliduri[j]), &hostpart) != 0) {
			FAIL("invalid URI '%s' accepted\n",
			    invaliduri[j]);
			failure = 1;
			goto done;
		}
		free(hostpart);
		hostpart = NULL;
	}

 done:
	return failure;
}

static int
test_constraints1(void)
{
	char *c; size_t cl;
	char *d; size_t dl;
	int failure = 0;
	int error = 0;
	int i, j;
	unsigned char *constraints[] = {
		".org",
		".openbsd.org",
		"www.openbsd.org",
		NULL,
	};
	unsigned char *failing[] = {
		".ca",
		"openbsd.ca",
		"org",
		NULL,
	};
	unsigned char *matching[] = {
		"www.openbsd.org",
		NULL,
	};
	unsigned char *matchinguri[] = {
		"https://www.openbsd.org",
		"https://www.openbsd.org/",
		"https://www.openbsd.org?",
		"https://www.openbsd.org#",
		"herp://beck@www.openbsd.org:",
		"spiffe://beck@www.openbsd.org/this/is/so/spiffe/",
		NULL,
	};
	unsigned char *failinguri[] = {
		"https://www.openbsd.ca",
		"https://www.freebsd.com/",
		"https://www.openbsd.net?",
		"https://org#",
		"herp://beck@org:",
		"///",
		"//",
		"/",
		"",
		NULL,
	};
	unsigned char *noauthority[] = {
		"urn:open62541.server.application",
		NULL,
	};

	for (i = 0; constraints[i] != NULL; i++) {
		char *constraint = constraints[i];
		size_t clen = strlen(constraints[i]);

		for (j = 0; matching[j] != NULL; j++) {
			if (!x509_constraints_domain(matching[j],
			    strlen(matching[j]), constraint, clen)) {
				FAIL("constraint '%s' should have matched"
				    " '%s'\n",
				    constraint, matching[j]);
				failure = 1;
				goto done;
			}
		}
		for (j = 0; matchinguri[j] != NULL; j++) {
			error = 0;
			if (!x509_constraints_uri(matchinguri[j],
			    strlen(matchinguri[j]), constraint, clen, &error)) {
				FAIL("constraint '%s' should have matched URI"
				    " '%s' (error %d)\n",
				    constraint, matchinguri[j], error);
				failure = 1;
				goto done;
			}
		}
		for (j = 0; failing[j] != NULL; j++) {
			if (x509_constraints_domain(failing[j],
			    strlen(failing[j]), constraint, clen)) {
				FAIL("constraint '%s' should not have matched"
				    " '%s'\n",
				    constraint, failing[j]);
				failure = 1;
				goto done;
			}
		}
		for (j = 0; failinguri[j] != NULL; j++) {
			error = 0;
			if (x509_constraints_uri(failinguri[j],
			    strlen(failinguri[j]), constraint, clen, &error)) {
				FAIL("constraint '%s' should not have matched URI"
				    " '%s' (error %d)\n",
				    constraint, failinguri[j], error);
				failure = 1;
				goto done;
			}
		}
		/*
		 * A URI without an authority must parse, but can never
		 * satisfy a name constraint.
		 */
		for (j = 0; noauthority[j] != NULL; j++) {
			char *hostpart = NULL;

			error = 0;
			if (!x509_constraints_uri_host(noauthority[j],
			    strlen(noauthority[j]), &hostpart)) {
				FAIL("name '%s' should parse as a URI\n",
				    noauthority[j]);
				failure = 1;
				free(hostpart);
				goto done;
			}
			free(hostpart);
			if (x509_constraints_uri(noauthority[j],
			    strlen(noauthority[j]), constraint, clen, &error)) {
				FAIL("constraint '%s' should not have matched URI"
				    " '%s' (error %d)\n",
				    constraint, noauthority[j], error);
				failure = 1;
				goto done;
			}
		}
	}

	c = ".openbsd.org";
	cl = strlen(".openbsd.org");
	d = "*.openbsd.org";
	dl = strlen("*.openbsd.org");
	if (!x509_constraints_domain(d, dl, c, cl)) {
		FAIL("constraint '%s' should have matched '%s'\n",
		    c, d);
		failure = 1;
		goto done;
	}
	c = "www.openbsd.org";
	cl = strlen("www.openbsd.org");
	if (x509_constraints_domain(d, dl, c, cl)) {
		FAIL("constraint '%s' should not have matched '%s'\n",
		    c, d);
		failure = 1;
		goto done;
	}
	c = "";
	cl = 0;
	if (!x509_constraints_domain(d, dl, c, cl)) {
		FAIL("constraint '%s' should have matched '%s'\n",
		    c, d);
		failure = 1;
		goto done;
	}

 done:
	return failure;
}

int
main(int argc, char **argv)
{
	int failed = 0;

	failed |= test_valid_hostnames();
	failed |= test_invalid_hostnames();
	failed |= test_valid_sandns_names();
	failed |= test_invalid_sandns_names();
	failed |= test_valid_mbox_names();
	failed |= test_invalid_mbox_names();
	failed |= test_valid_domain_constraints();
	failed |= test_invalid_domain_constraints();
	failed |= test_invalid_uri();
	failed |= test_constraints1();

	return (failed);
}
* Revise expire callback regress to use chains with expired certificates.  (jsing, 2022-10-17, 1 file, -25/+66)

  Rather than using X509_STORE_CTX_set_time() (which results in all certificates in the chain being treated as expired), use chains that have an expired leaf or expired intermediate. This triggers a different code path, which is currently mishandled (and hence failing). Also ensure that the resulting error and error depth match what we expect them to be.

* Ensure that verification results in the expected error and error depth.  (jsing, 2022-10-17, 1 file, -16/+113)

  Improve verification regress and ensure that the legacy or modern verification completes with the expected error and error depth.

* Fix the legacy verifier callback behaviour for untrusted certs.  (beck, 2022-06-28, 2 files, -2/+303)

  The verifier callback is used by mutt to do a form of certificate pinning where the callback gets fired and, depending on a cert saved to a file, will decide to accept an untrusted cert. This corrects two problems that affected this. The callback was not getting the correct depth and chain for the error where mutt would save the certificate in the first place, and then the callback was not getting fired to allow it to override the failing certificate validation.

  thanks to Avon Robertson <avon.r@xtra.co.nz> for the report and sthen@ for analysis.

  "The callback is not an API, it's a gordian knot - tb@"

  ok jsing@

* Fix URI name constraints, allow for URIs with no host part.  (beck, 2022-06-26, 1 file, -0/+26)

  Such URIs must be parsed and allowed, but then should fail if a name constraint is present. Adds regress testing for this same case.

  fixes https://github.com/libressl-portable/openbsd/issues/131

  ok tb@
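The following is an added stand-alone illustration, not LibreSSL's code and not part of either commit above: it reimplements, in plain C, the name-constraint semantics that the constraints.c vectors in the 2022-10-30 entry encode and the host-less URI case this commit fixed. A leading-dot constraint is a case-insensitive suffix match, any other constraint must match the whole name, the empty constraint matches everything, and a URI that parses but carries no authority satisfies no constraint at all. The function names valid_host, domain_matches, uri_host and uri_matches are my own and do not exist in libcrypto; the hostname check is a simplified one written to accept and reject the same URI vectors the regress uses, and it is not a claim about how x509_constraints.c is implemented.

```c
/* Added example, not LibreSSL code; the function names are the author's own. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Hostname syntax the vectors above expect: labels of [A-Za-z0-9_-] ('_'
 * kept, as liberal as "open_bsd.org"), no empty label, no leading/trailing
 * '-', no trailing '.', at most 63 octets per label and 255 in total. */
static int
valid_host(const char *h, size_t len)
{
	size_t i, label = 0;

	if (len == 0 || len > 255)
		return 0;
	for (i = 0; i < len; i++) {
		unsigned char c = h[i];
		if (c == '.') {
			if (label == 0 || h[i - 1] == '-')
				return 0;
			label = 0;
		} else if ((!isalnum(c) && c != '-' && c != '_') ||
		    (c == '-' && label == 0) || ++label > 63)
			return 0;
	}
	return label > 0 && h[len - 1] != '-';
}

/* What test_constraints1() encodes: "" matches anything, a leading '.' is a
 * case-insensitive suffix match, anything else must match the whole name. */
static int
domain_matches(const char *n, size_t nlen, const char *c, size_t clen)
{
	if (clen == 0)
		return 1;
	if (c[0] == '.')
		return nlen >= clen && strncasecmp(n + nlen - clen, c, clen) == 0;
	return nlen == clen && strncasecmp(n, c, clen) == 0;
}

/* Returns 1 if uri has a well-formed scheme and, when "//" follows it, a valid
 * host (via *host/*hostlen). A URI with no authority, e.g. urn:..., is
 * accepted but leaves *hostlen == 0; anything malformed returns 0. */
static int
uri_host(const char *uri, size_t len, const char **host, size_t *hostlen)
{
	const char *p;
	size_t i, start, end;

	*host = NULL;
	*hostlen = 0;
	if (len == 0 || !isalpha((unsigned char)uri[0]))
		return 0;
	for (i = 1; i < len && uri[i] != ':'; i++)
		if (!isalnum((unsigned char)uri[i]) && uri[i] != '+' &&
		    uri[i] != '-' && uri[i] != '.')
			return 0;
	if (i == len)
		return 0;		/* scheme never terminated by ':' */
	if (len - ++i < 2 || uri[i] != '/' || uri[i + 1] != '/')
		return 1;		/* no authority, hence no host */
	start = i + 2;
	for (end = start; end < len; end++)	/* authority ends at / ? # */
		if (uri[end] == '/' || uri[end] == '?' || uri[end] == '#')
			break;
	if ((p = memchr(uri + start, '@', end - start)) != NULL)
		start = p - uri + 1;		/* drop userinfo@ */
	if ((p = memchr(uri + start, ':', end - start)) != NULL)
		end = p - uri;			/* drop :port */
	if (!valid_host(uri + start, end - start))
		return 0;
	*host = uri + start;
	*hostlen = end - start;
	return 1;
}

/* A URI satisfies a constraint only if it parses and its host does; a
 * host-less URI parses but never matches, the case the 2022-06-26 fix tests. */
static int
uri_matches(const char *uri, size_t len, const char *c, size_t clen)
{
	const char *h;
	size_t hlen;
	if (!uri_host(uri, len, &h, &hlen) || hlen == 0)
		return 0;
	return domain_matches(h, hlen, c, clen);
}

int
main(void)
{
	const char *urn = "urn:open62541.server.application", *h;
	size_t hl;
	if (!uri_host(urn, strlen(urn), &h, &hl) || hl != 0 ||
	    uri_matches(urn, strlen(urn), ".org", 4))
		return 1;
	puts("host-less URI parses but satisfies no name constraint");
	return 0;
}
```

Build with cc -Wall and run; exit status 0 means the urn: case behaves as the commit describes. Userinfo and port handling is deliberately minimal (first '@', first ':'), and bracketed IPv6 literals are not handled, which the page's vectors do not exercise either.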
* Move leaf certificate checks to the last thing after chain validation.  (beck, 2022-06-25, 2 files, -1/+285)

  While seemingly illogical and not what is done in Go's validator, this mimics OpenSSL's behavior so that callback overrides for the expiry of a certificate will not "sticky" override a failure to build a chain.

  ok jsing@

* Use consistent spacing around assignments  (tb, 2022-06-02, 1 file, -4/+4)

* Only constraints and verify need static linking in here.  (tb, 2022-06-02, 2 files, -5/+9)

* Enable X509v3_asid_subset() tests now that they no longer segfault.  (tb, 2022-05-12, 1 file, -7/+1)

* Add a few more testcases for X509v3_asid_subset()  (tb, 2022-05-12, 1 file, -1/+144)

* Add some workarounds to make build_addr_block_test_data const.  (tb, 2022-01-07, 1 file, -17/+26)

* Revert previous accidental commit  (tb, 2022-01-07, 1 file, -2/+2)

* Add a comment that explains why build_addr_block_tests isn't const  (tb, 2022-01-06, 2 files, -3/+8)

* Fix a copy-paste error that led to an out-of-bounds access.  (tb, 2022-01-06, 1 file, -2/+2)

  Found via a crash on bluhm's i386 regress test box

* Remove bandaid to work around expected range_should_be_prefix() problem.  (tb, 2022-01-05, 1 file, -6/+2)

* Plug memleak  (tb, 2021-12-29, 1 file, -2/+7)

  CID 345156

* The RFC 3779 test needs LIBRESSL_CRYPTO_INTERNAL as long as the API isn't public.  (tb, 2021-12-24, 1 file, -2/+2)

* Style tweak in {d2i,i2d}_IPAddrBlocks()  (tb, 2021-12-24, 1 file, -5/+5)

* Drop -g -O0 from CFLAGS  (tb, 2021-12-24, 1 file, -2/+2)

* link rfc3779 test to build  (tb, 2021-12-24, 1 file, -2/+2)

* Add initial test coverage for RFC 3779 code.  (tb, 2021-12-24, 2 files, -0/+1804)

  This exercises the code paths that are reached from the validator and also tests that the public API behaves as expected. There is a lot more that could be done here, but this test is already big enough. Missing are tests for X509v3_{addr,asid}_validate_{path,resource_set}() themselves.

  One test failure is ignored and will be fixed in the near future when a bad logic error in range_should_be_prefix() is fixed. A consequence of this bug is that we will currently accept and generate DER that doesn't conform to RFC 3779.
* Test adding extensions to certification requests.  (schwarze, 2021-11-03, 2 files, -2/+167)

  Related to the bugfixes in x509_req.c rev. 1.25. OK tb@.

* Rework x509attribute regress test in such a way that it doesn't need to reach into opaque structs.  (tb, 2021-11-01, 1 file, -11/+7)

* Prepare regress for opaque structs in x509*.h  (tb, 2021-10-31, 4 files, -25/+18)

* Mark another test as failing with the legacy verifier.  (jsing, 2021-09-30, 2 files, -2/+4)

  This test now fails with the legacy verifier, due to X509_V_FLAG_TRUSTED_FIRST being enabled by default.

* Call the callback on success in new verifier in a compatible way  (beck, 2021-09-03, 1 file, -3/+1)

  when we succeed with a chain, and ensure we do not call the callback twice when the caller doesn't expect it.

  A refactor of the end of the legacy verify code in x509_vfy is probably overdue, but this should be done based on a piece that works. The important bit here is this allows the perl regression tests in tree to pass.

  Changes the previously committed regress tests to test the success case callbacks to be known to pass.

  ok bluhm@ tb@

* Add a regression test to verify that we call the callback in the same order on success for both the legacy and the new verifier.  (beck, 2021-09-01, 3 files, -4/+551)

  This avoids problems as seen in perl's regression tests for some of the crazy things net:ssleay does.

  This is currently marked as expected to fail; it will be expected to succeed after a forthcoming commit from me.

* Only remove the directories if there's an obj/ or obj@  (tb, 2021-08-28, 1 file, -2/+4)

* Add a pass using the modern vfy with by_dir roots, code by me, script to generate certdirs by jsing, and make chicken sacrifices by tb.  (beck, 2021-08-28, 3 files, -15/+106)

  ok tb@ jsing@

* Add regress test testing having the root cert in the intermediate bundle  (beck, 2021-08-27, 1 file, -1/+5)

* Relax SAN DNSname validation and constraints to permit non leading * wildcards.  (beck, 2021-04-27, 1 file, -8/+4)

  While we may choose not to support them, the standards appear to permit them optionally, so we can't declare a certificate containing them invalid. Noticed by jeremy@, and Steffan Ulrich and others.

  Modify the regression tests to test these cases and not check the SAN DNSnames as "hostnames" anymore (which don't support wildcards).

  ok jsing@, tb@
* Don't leak verify and store contexts.  (tb, 2020-11-18, 1 file, -1/+3)

* catch unset error when validation fails.  (beck, 2020-10-26, 2 files, -2/+16)

* Don't leak bundle_file and cert_file paths at the end.  (tb, 2020-10-10, 1 file, -1/+3)

* Read cert.pem once and reuse it instead of reading it twice per test cert chain.  (tb, 2020-10-08, 1 file, -18/+10)

  It only takes a few dozens of ms to read it, but doing this 7290 times adds up to a few minutes run time. This way, the test completes in a handful of seconds.

  Diagnosed by jsing, ok beck

* KNF  (tb, 2020-10-03, 1 file, -12/+11)

* typo  (tb, 2020-10-03, 1 file, -1/+1)

* spelling, punctuation, whitespace  (tb, 2020-10-02, 2 files, -6/+6)

* Add possibility to link and run this test against the OpenSSL 1.1.1 package using the make variable EOPENSSL11.  (tb, 2020-10-02, 1 file, -1/+7)

  Suggested by jsing

* Use += and ?= and tidy up whitespace  (tb, 2020-10-02, 1 file, -8/+8)

* Tidy up: no need to link statically against libcrypto and no need to look at its private headers either.  (tb, 2020-10-02, 1 file, -4/+4)