| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
| |
Add a cast to tell gcc 4.2.1 that the return value is deliberately
ignored. This makes the test compile and pass on sparc64.
|
| |
|
|
|
| |
Make tests compile and pass on sparc64 with gcc 4.2.1 by properly
declaring "static int foo()" as "static int foo(void)".
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This regress parses Symbols.list and pulls all public headers out of
libcrypto's Makefile to generate a simple program that uses all public
symbols. A number of symbols need to be declared extern since they are
unavailable in public headers and a handful must be skipped since they
are apparently architecture dependent.
This would have caught the recent breakage due to the accidental removal
of the NAME_CONSTRAINTS_check() function and points out a number of
places where cleanup may happen in the future.
discussed with beck
|
| | |
|
| |
|
|
| |
Noted by bcook@ and inoguchi@ while working on portable.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
no longer ignore the expected failures from the legacy name
constraints validation, and will have a regress failure if
we regress.
|
| |
|
|
|
| |
have to re-generate these certificates and this should
just keep working even if the certs get old
|
| |
|
|
|
|
|
| |
openssl 1.0.2, or openssl 1.1. Pin client or server to a fixed TLS
version number. Incompatible versions must fail. Check that client
and server have used correct version by grepping in their session
print out.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The new validator finds multiple validated chains to handle the modern
PKI cases which may frequently have multiple paths via different
intermediates to different roots. It is loosely based on golang's x509
validator
This includes integration so that the new validator can be used via
X509_verify_cert() as well as a new api x509_verify() which will
return multiple chains (similar to go).
The new validator is not enabled by default with this commit, this
will be changed in a follow on commit.
The new public API is not yet exposed, and will be finalized and
exposed with a man page and a library minor bump later.
ok tb@ inoguchi@ jsing@
|
| |
|
|
| |
chacha-poly over aes-gcm. Expect both fallbacks for non 1.3 ciphers.
|
| | |
|
| |
|
|
|
|
|
|
| |
been fixed to work with libressl TLS 1.3. Both libressl and openssl11
replace obsolete TLS 1.2 ciphers with AEAD-AES256-GCM-SHA384 or
TLS_AES_256_GCM_SHA384 in TLS 1.3 respectively. The test expects
that now. Currently GOST does not work with libressl and TLS 1.3
and is disabled.
|
| |
|
|
|
|
|
| |
regression tests. The use of the new name constraints is not yet activated
in x509_vfy.c and will be activated in a follow on commit
ok jsing@
|
| |
|
|
|
|
| |
Skip sending an empty ECPF extension for now: we don't accept it since
according to RFC 4492 and 8422 it needs to advertise uncompressed point
formats.
|
| |
|
|
| |
OK deraadt@ martijn@
|
| | |
|
| |
|
|
|
| |
Indicate missing test scripts prominently in the result but do not
count them as an error.
|
| | |
|
| |
|
|
| |
Restore them to their previous values.
|
| | |
|
| | |
|
| |
|
|
| |
Diff from tb@
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
use-after-free and double-free issues in calling programs.
The bug was introduced in SSLeay-0.6.0 released on June 21, 1996
and has been present since OpenBSD 2.4.
I found the bug while documenting the function.
The bug could bite in two ways that looked quite different from the
perspective of the calling code:
* If a stack was passed in that already contained some X509_INFO
objects and an error occurred, all the objects passed in would be
freed, but without removing the freed pointers from the stack,
so the calling code would probable continue to access the freed
pointers and eventually free them a second time.
* If the input BIO contained at least two valid PEM objects followed by
at least one PEM object causing an error, at least one freed pointer
would be put onto the stack, even though the function would return NULL
rather than the stack. But the calling code would still have a pointer
to the stack, so it would be likely to access the new bogus pointers
sooner or later.
Fix all this by remembering the size of the input stack on entry
and cutting it back to exactly that size when exiting due to an
error, but no further.
While here, do some related cleanup:
* Garbage collect the automatic variables "error" and "i"
which were only used at one single place each.
* Use NULL rather than 0 for pointers.
I like bugfixes that make the code four lines shorter, reduce the
number of variables by one, reduce the number of brace-blocks by
one, reduce the number if if-statements by one, and reduce the
number of else-clauses by one.
Tweaks and OK tb@.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
bettertls.com, and a verification suite to try each certificate
in the same manner as the web based tests do using X509_verify.
This includes the list of "known" failures today in our validaion
code so we can move forward without moving back.
|
| | |
|
| |
|
|
|
| |
A number of these tests are known to fail due to bugs/incorrect
verification implementation.
|
| |
|
|
| |
ok beck@ tb@
|
| |
|
|
|
|
|
|
|
|
| |
This provides a script that generates a variety of certificate chains
and assembles them into bundles containing various permutations, which
can be used to test our X.509 verification.
A Go program is included to verify each of these bundles.
ok beck@ tb@
|
| |
|
|
| |
Otherwise we end up switching to TLSv1.3 and using a TLSv1.3 cipher suite.
|
| | |
|
| |
|
|
|
|
| |
Makes the test work on architectures where char is unsigned.
ok deraadt@, millert@
|
| |
|
|
| |
and for their modifiers, written from scratch.
|
| |
|
|
| |
and for their modifiers, written from scratch.
|
| |
|
|
| |
This was removed from libssl a very long time ago...
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This diff exposes parts of clock_gettime(2) and gettimeofday(2) to
userland via libc eliberating processes from the need for a context
switch everytime they want to count the passage of time.
If a timecounter clock can be exposed to userland than it needs to set
its tc_user member to a non-zero value. Tested with one or multiple
counters per architecture.
The timing data is shared through a pointer found in the new ELF
auxiliary vector AUX_openbsd_timekeep containing timehands information
that is frequently updated by the kernel.
Timing differences between the last kernel update and the current time
are adjusted in userland by the tc_get_timecount() function inside the
MD usertc.c file.
This permits a much more responsive environment, quite visible in
browsers, office programs and gaming (apparently one is are able to fly
in Minecraft now).
Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many others!
OK from at least kettenis@, cheloha@, naddy@, sthen@
|
| |
|
|
|
|
|
| |
This makes the regress work correctly again - this was previously masked
by the fact that tls_close() (and hence SSL_shutdown()) was draining the
circular buffer, whereas now we're leaving data behind from a previous
test, resulting in the ordering test failing.
|
| |
|
|
| |
ok beck jsing
|
| | |
|
