Exception needed since the test expects an unexpected_message alert, while
we throw a decode_error.

This is a hack. The test is in rather poor shape and it is hard to tell
whether it still does what it is supposed to be doing. Hopefully someone
will rewrite this in a style that doesn't make me squeal on opening this
file...

This test should either be extended or retired. As it is it is useless.

An empty array cannot be initialized and it is an incomplete type, so the
sizeof() operator can't be applied to it. Therefore initialize it with a
zero byte and replace sizeof() use with lengths.
Slightly tweaked version of a patch by inoguchi in portable.
Discussed with bcook, beck, kettenis

Removing -tls1 moved some tests from the legacy stack to the TLSv1.3 stack.
On a HRR, the alpn callback would be called twice and allocate the global
twice, thereby leaking. So free it up front.
Joint suffering with bcook and beck

Their time has long since passed, and they should not be used.
This change restricts ssl to versions 1.2 and 1.3, and changes
the regression tests to understand we no longer speak the legacy
protocols.
For the moment the magical "golden" byte for byte comparison
tests of raw handshake values are disabled until jsing fixes them.
ok jsing@ tb@

until someone finds time and motivation to figure out how to use this.

Without this, hostflags set on the SSL_CTX would not propagate to newly
created SSL. This is surprising behavior that was changed in OpenSSL 1.1
by Christian Heimes after the issue was flagged by Quentin Pradet:
https://bugs.python.org/issue43522
This is a version of the fix that landed in OpenSSL.
There used to be a workaround in place in urllib3, but that was removed at
some point. We haven't fixed this earlier since it wasn't reported. It only
showed up after recent fallout of extraordinarily strict library checking
in urllib3 coming from their own interpretation of the implications of
PEP 644.
ok jsing

This is currently an expected failure that will be fixed shortly.

This will be needed for the ssl_verify_param test

This verifies that we put PSK always last and that the Apache 2 special
does what it is supposed to do. There is also some weak validation of
the Fisher-Yates shuffle that will likely catch errors introduced in
tlsext_randomize_build_order()

TLS extensions (this involves unrandomizing the extension order
for the tests that rely on golden numbers.

A few years back beck introduced REGRESS_SKIP_SLOW dances with the idea
that this should speed up the interop tests for us devs because this also
checked interop between opensslX and opensslY, which we don't particularly
care about. This never really worked. On a mac m1 mini the result is this:
REGRESS_SKIP_SLOW unset
9m56.69s real 3m42.24s user 3m00.70s system
REGRESS_SKIP_SLOW=yes
11m04.61s real 7m29.61s user 1m40.29s system
The problem is that REGRESS_SKIP_SLOW simply wasn't designed to handle
the huge number of tests we have here. There are many nested .for loops
resulting in several thousand tests. Each test has a name of length ~80.
REGRESS_SKIP_SLOW concatenates them into a several hundred kilobytes
long string in REGRESS_SKIP_TARGETS, iterates over all regress targets and
tests with ".if ${REGRESS_SKIP_TARGETS:M${RT}}" if it should skip them.
This means that during a regress run, make spends a lot of time linearly
scanning a huge string.
I ran into this when I added OpenSSL 3.0 tests to the already existing
1.0.2 and 1.1 tests with the result that with REGRESS_SLOW_TARGETS set
it took the better part of an hour while without it it took about 15 min.
The hack here is simply to avoid using REGRESS_SLOW_TARGETS here and
handle the situation differently.
patch, REGRESS_SKIP_SLOW=yes
5m42.32s real 2m09.98s user 1m45.21s system
The real solution would be to fix this in bsd.regress.mk, which someone
who understands make well is very welcome to do. For now, I'm happy with
this.
Debugged with jsing a few months ago

Hopefully that is all. What an absolutely horrid mess.

SSL_set_session() should really be called SSL_set1_session()...

ok jsing@

for some reason.

Now that the OpenSSL 1.0.2 port is gone, there's no need to keep the
interop tests anymore. anton's and bluhm's regress tests will switch
to testing interoperability with OpenSSL 3.0.

The plan is to retire the 1.0.2 interop tests soon so as to be able to
drop the dead and dangerous OpenSSL 1.0.2 port.
The cert part is extremely slow on arm64: the whole interop test on an m1
is about 10x slower (~45 min!) than on a modern amd64 laptop, so people
running regress may want to wait a bit with adding OpenSSL 3 to their test
boxes until this is sorted out.

tests for TLSv1.3 since that's not currently handled.

32-bit systems.

A SSL_set_security_level() call was added to the cipher list regress, which
expects a failure - however, it should succeed and fails for a completely
unrelated reason. Rework this regress so that it actually passes and tests
for the expected behaviour.

For the test compilation using the CC crate, base clang is good enough,
so we don't need to pull in another heavy dependency just for this test.

The issue is likely that the build is trying to compile some generated
C code with the prehistoric gcc from base, so add a tentative workaround
for that. Since I don't currently have access to a sparc64 box where I
could validate this easily and check if the workaround is enough, let's
not waste lots of cycles on this.

Silence is good. On failure, the regress framework will make it clear.

Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names
used for internal headers. Move all these headers we inherited from
OpenSSL to *_local.h, reserving the name *_internal.h for our own code.
Similarly, move dtls_locl.h and ssl_locl.h to dtls_local and ssl_local.h.
constant_time_locl.h is moved to constant_time.h since it's special.
Adjust all .c files in libcrypto, libssl and regress.
The diff is mechanical with the exception of tls13_quic.c, where
#include <ssl_locl.h> was fixed manually.
discussed with jsing,
no objection bcook

a bit less flaky if the machine is otherwise under load.
from jsing