summaryrefslogtreecommitdiff
path: root/src/regress/lib/libtls (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Fix previoustb2024-08-021-5/+3
| | | | | Arguably the want_protocol entries in various of these tests are incorrect but I'll leave that for another day.
* Adjust tls regress for protocol parsing fixestb2024-08-023-16/+22
| | | | | This mostly reverts what was done by beck in Tallinn and adjust tlstest to add new test cases and now failing connection tests.
* Use the new certificates/chains in regress.jsing2024-03-203-10/+10
| | | | | | | | | | The new certificates are more representative of the real world. The old certificates use weak algorithms and expire in the very near future. Most of our regress has already been switched over, this changes the remainder. Thanks to Bernhard M. Wiedemann for reminding us of the upcoming expiry. ok tb@
* Remove the ability to do tls 1.0 and 1.1 from libtls.beck2023-07-023-20/+13
| | | | | | | | With this change any requests from configurations to request versions of tls before tls 1.2 will use tls 1.2. This prepares us to deprecate tls 1.0 and tls 1.1 support from libssl. ok tb@
* Refactor tls_check_common_name to use lower level API.beck2023-05-281-2/+4
| | | | | | | | | | | | | | | | | | | | X509_NAME_get_text_by_NID is kind of a bad interface that we wish to make safer, and does not give us the visibility we really want here to detect hostile things. Instead call the lower level functions to do some better checking that should be done by X509_NAME_get_text_by_NID, but is not in the OpenSSL version. Specifically we will treat the input as hostile and fail if: 1) The certificate contains more than one CN in the subject. 2) The CN does not decode as UTF-8 3) The CN is of invalid length (must be between 1 and 64 bytes) 4) The CN contains a 0 byte 4) matches the existing logic, 1 and 2, and 3 are new checks. ok tb@
* Make the signertest work better with the portable test frameworktb2023-04-142-14/+12
|
* Revert previous. The added includes were already there. Duh.tb2022-07-161-4/+1
|
* Explicitly include fcntl.h and unistd.h for pipe2tb2022-06-221-1/+4
|
* Switch to using TLS_INT instead of handrolling ittb2022-06-151-3/+2
|
* Adjust the signer test to link statically and work with hidden tls_signertb2022-03-242-3/+7
| | | | API.
* Garbage collect the unused hash and print kp->pubkey_hash instead of NULL.tb2022-02-081-7/+4
| | | | | | Make sure kp is freed also on error. ok jsing
* Use TLS_PADDING_* defines.jsing2022-02-011-4/+6
|
* Revise/simplify for signer interface change.jsing2022-02-011-20/+10
|
* Add test coverage for tls_signer when used with a TLS server.jsing2022-01-301-2/+189
| | | | | | In this configuration the tls_signer is provided with the server certificate and private key, while the TLS server is configured with a sign callback and is only provided with the certificate.
* Add initial regress for tls_signer.jsing2022-01-303-1/+305
|
* Free cert, key and ocsp_staple on exit of do_keypair_test().tb2021-12-041-1/+4
| | | | Reported by Ilya Shipitsine, discussed with jsing
* Clean up client and server tls{,_config} contexts in tls_test().tb2021-04-041-2/+11
| | | | Leaks reported by Ilya Shipitsin.
* Make this test module aware so it passes with Go 1.16tb2021-02-231-0/+4
|
* Add a missing circular_init() call in the TLS ordering test.jsing2020-07-041-1/+3
| | | | | | | This makes the regress work correctly again - this was previously masked by the fact that tls_close() (and hence SSL_shutdown()) was draining the circular buffer, whereas now we're leaving data behind from a previous test, resulting in the ordering test failing.
* Add TLS versioning tests.jsing2020-05-131-2/+96
| | | | | This ensures that a TLSv1.0, TLSv1.1, TLSv1.2 or TLSv1.3 client can talk with an appropriately configured server and vice versa.
* Use a larger (2048 bit) RSA test key.jsing2020-05-041-1/+63
| | | | Otherwise we fail to do PSS signatures since the key size is too small.
* Update protocol version test to include TLSv1.3.jsing2020-02-162-0/+3
|
* Update libtls config regress to include TLSv1.3.jsing2020-01-201-9/+16
|
* Add tls_conn_cipher_strength() to gotls regress.jsing2019-11-022-2/+20
|
* Do not check for working go executable during make clean cleandir obj.bluhm2019-04-241-1/+3
| | | | reminded by jsing@
* Add subdirectires with SUBDIR += instead of a single assignment withtb2018-11-091-7/+6
| | | | line continuations.
* Revise regress to match tls_keypair_clear() removal.jsing2018-04-071-18/+3
|
* Remove the now unnecessary tls_init() call.jsing2018-03-191-4/+1
|
* Fix a format string issue that Go 1.10 complains about.jsing2018-03-151-1/+1
|
* Update keypair regress to match revised keypair hash handling.jsing2018-02-141-11/+10
| | | | Apparently I failed to commit this when I committed the libtls change...
* Update regress to match change to tls_keypair_pubkey_hash().jsing2018-02-081-3/+4
|
* Add a regress test that covers libtls keypairs.jsing2018-02-083-1/+248
|
* Tweak compiler flags to include -DLIBRESSL_INTERNAL and make more warningsjsing2018-02-081-2/+2
| | | | fatal.
* Add a regress test for tls_config_parse_protocols().jsing2017-12-093-1/+183
|
* Add a (currently failing) call to tls_handshake() on a client context thatjsing2017-05-071-1/+8
| | | | | has not yet been connected. We expect this to fail, but it should fail gracefully.
* Also test calling tls_handshake() on a server connection context that hasjsing2017-05-071-1/+7
| | | | already completed a TLS handshake.
* Add a test that calls tls_handshake() on a connection that has alreadyjsing2017-05-071-1/+7
| | | | | completed a TLS handshake. This should return a failure, but currently succeeds (hence the regress currently fails).
* An an initial sequencing/ordering test for libtls.jsing2017-05-071-1/+61
|
* Split TLS client/server handshake and close code into separate functionsjsing2017-05-061-4/+27
| | | | so that it can be reused.
* Move TLS test code into a function that is called from main, making itjsing2017-05-062-17/+33
| | | | easier for new tests to be added.
* Free tls_configs earlier now that we have refcounting.jsing2017-05-061-4/+4
|
* Add missing tls_init() and tls_free() calls.jsing2017-04-301-1/+4
|
* Rework and significantly extend TLS name verification tests to matchjsing2017-04-101-99/+377
| | | | changes in libtls.
* Improve unknown protocol version handling.jsing2017-04-091-2/+3
|
* In ssl.h TLS 1.0 is called TLSv1. Adapt name in test to make it pass.bluhm2017-04-071-1/+1
| | | | OK jsing@
* Add a test that covers a libtls client talking to a Go TLS server withjsing2017-03-071-5/+107
| | | | | varying minimum and maximum protocol versions. This gives us protocol version test coverage against an independent TLS stack.
* Allow ciphers to be set on the TLS config.jsing2017-03-071-0/+10
|
* Provide support for libtls protocols and allow for protocols to be set onjsing2017-03-071-3/+47
| | | | | a TLS config. The ConnVersion function now also returns a protocol version instead of a string.
* Add handling for errors on the TLS config and properly check/handlejsing2017-03-072-6/+23
| | | | failures when setting the CA file.
* libtls errors are much more descriptive these days - return them directlyjsing2017-03-071-9/+8
| | | | and avoid adding redundant/duplicate information.
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-20 06:50:50 +0000