summaryrefslogtreecommitdiff
path: root/src/regress (follow)
Commit message (Collapse)AuthorAgeFilesLines
...
* Update golden values to match P-521 being enabled by default in the client.jsing2020-08-091-10/+11
|
* Session resumption is not currently supported for TLSv1.3.tb2020-08-081-4/+4
|
* Enable P-521 and run the tests that use it.tb2020-08-081-5/+3
|
* Replace hostname underscore with hyphen in appstest.shinoguchi2020-08-011-28/+28
|
* Fix a bug in PEM_X509_INFO_read_bio(3) that is very likely to causeschwarze2020-07-233-1/+194
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | use-after-free and double-free issues in calling programs. The bug was introduced in SSLeay-0.6.0 released on June 21, 1996 and has been present since OpenBSD 2.4. I found the bug while documenting the function. The bug could bite in two ways that looked quite different from the perspective of the calling code: * If a stack was passed in that already contained some X509_INFO objects and an error occurred, all the objects passed in would be freed, but without removing the freed pointers from the stack, so the calling code would probable continue to access the freed pointers and eventually free them a second time. * If the input BIO contained at least two valid PEM objects followed by at least one PEM object causing an error, at least one freed pointer would be put onto the stack, even though the function would return NULL rather than the stack. But the calling code would still have a pointer to the stack, so it would be likely to access the new bogus pointers sooner or later. Fix all this by remembering the size of the input stack on entry and cutting it back to exactly that size when exiting due to an error, but no further. While here, do some related cleanup: * Garbage collect the automatic variables "error" and "i" which were only used at one single place each. * Use NULL rather than 0 for pointers. I like bugfixes that make the code four lines shorter, reduce the number of variables by one, reduce the number of brace-blocks by one, reduce the number if if-statements by one, and reduce the number of else-clauses by one. Tweaks and OK tb@.
* Fix perl bugs that had me printing the wrong cert number for errorsbeck2020-07-161-8/+9
|
* The exit code from the perl matters herebeck2020-07-151-1/+3
|
* Don't leak the X509_STOREbeck2020-07-151-1/+3
|
* Add certificate validation tests generated using the tools frombeck2020-07-1510945-0/+444760
| | | | | | | | bettertls.com, and a verification suite to try each certificate in the same manner as the web based tests do using X509_verify. This includes the list of "known" failures today in our validaion code so we can move forward without moving back.
* Enter the certs regress directory.jsing2020-07-141-1/+2
|
* Add regress for X509_verify() using the new bundles.jsing2020-07-142-3/+369
| | | | | A number of these tests are known to fail due to bugs/incorrect verification implementation.
* Provide generated certificate bundles and roots for regress.jsing2020-07-1474-0/+3721
| | | | ok beck@ tb@
* Provide tools to build certificate changes for verify regress.jsing2020-07-144-0/+636
| | | | | | | | | | This provides a script that generates a variety of certificate chains and assembles them into bundles containing various permutations, which can be used to test our X.509 verification. A Go program is included to verify each of these bundles. ok beck@ tb@
* Force TLSv1.2 when testing SSLv3/TLSv1.2 cipher suites.jsing2020-07-141-1/+1
| | | | Otherwise we end up switching to TLSv1.3 and using a TLSv1.3 cipher suite.
* Add a -tls1_2 option so we can force TLSv1.2 for testing.jsing2020-07-141-5/+9
|
* getopt(3) returns an int so don't use a char to store its return value.kettenis2020-07-142-4/+4
| | | | | | Makes the test work on architectures where char is unsigned. ok deraadt@, millert@
* New regression tests for integral type conversionsschwarze2020-07-092-2/+378
| | | | and for their modifiers, written from scratch.
* New regression tests for character and string conversionsschwarze2020-07-082-2/+445
| | | | and for their modifiers, written from scratch.
* Remove temporary RSA keys/callbacks code.jsing2020-07-071-43/+0
| | | | This was removed from libssl a very long time ago...
* Test TLSv1.3 ciphersuites now that TLS_method() supports TLSv1.3.jsing2020-07-071-0/+12
|
* Add support for timeconting in userland.pirofti2020-07-064-0/+140
| | | | | | | | | | | | | | | | | | | | | | | | | | This diff exposes parts of clock_gettime(2) and gettimeofday(2) to userland via libc eliberating processes from the need for a context switch everytime they want to count the passage of time. If a timecounter clock can be exposed to userland than it needs to set its tc_user member to a non-zero value. Tested with one or multiple counters per architecture. The timing data is shared through a pointer found in the new ELF auxiliary vector AUX_openbsd_timekeep containing timehands information that is frequently updated by the kernel. Timing differences between the last kernel update and the current time are adjusted in userland by the tc_get_timecount() function inside the MD usertc.c file. This permits a much more responsive environment, quite visible in browsers, office programs and gaming (apparently one is are able to fly in Minecraft now). Tested by robert@, sthen@, naddy@, kmos@, phessler@, and many others! OK from at least kettenis@, cheloha@, naddy@, sthen@
* Add a missing circular_init() call in the TLS ordering test.jsing2020-07-041-1/+3
| | | | | | | This makes the regress work correctly again - this was previously masked by the fact that tls_close() (and hence SSL_shutdown()) was draining the circular buffer, whereas now we're leaving data behind from a previous test, resulting in the ordering test failing.
* tlsexttest: pass message type to the extension functionstb2020-07-031-144/+144
| | | | ok beck jsing
* adjust alpn extension test to new argument ordertb2020-07-031-3/+3
|
* adjust tlsexttest to new argument ordertb2020-07-031-5/+5
|
* Provide an optimized implementation of ffs(3) in libc onnaddy2020-06-263-2/+26
| | | | | | aarch64/powerpc/powerpc64, making use of the count leading zeros instruction. Also add a brief regression test. ok deraadt@ kettenis@
* enable test-tls13-keyshare-omitted.pytb2020-06-241-5/+2
|
* Add test-ffdhe-expected-params.pytb2020-06-241-1/+2
|
* Enable lucky 13 test.tb2020-06-191-5/+2
|
* Add lucky13 and bleichenbacher-timing teststb2020-06-101-1/+7
|
* Implement a rolling hash of the ClientHello message, Enforce RFC 8446beck2020-06-061-2/+2
| | | | | | | | section 4.1.2 to ensure subsequent ClientHello messages after a HelloRetryRequest messages must be unchanged from the initial ClientHello. ok tb@ jsing@
* When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), returnschwarze2020-06-042-5/+115
| | | | | | | | | | | failure rather than silently constructing a broken X509_ATTRIBUTE object that might cause NULL pointer accesses later on. This matters because X509_ATTRIBUTE_create() is used by documented API functions like PKCS7_add_attribute(3) and the NID comes straight from the user. This fixes a bug found while working on documentation. OK tb@ and "thanks" bluhm@
* Enable the record layer limits test and mark two finished test cases astb2020-06-031-5/+8
| | | | | xfail for now. Arguably, the expected decode_error is more appropriate than the decrypt_error that we send at the moment.
* Enable the test-tls13-zero-length-data.py test, skipping thetb2020-06-011-8/+10
| | | | three tests that fail due to a BIO_gets() bug.
* Enable test-dhe-rsa-key-exchange-with-bad-messages.pytb2020-06-011-4/+2
|
* Fix printing long doubles on architectures with hm and lm bits.mortimer2020-05-311-1/+9
| | | | | | Issue reported with initial patch by enh@google.com. ok deraadt@
* Add checks for SH downgrade sentinel and HRR hash in appstest.shinoguchi2020-05-291-1/+27
|
* more tests after getopt_long.c rev. 1.32;schwarze2020-05-271-10/+43
| | | | OK martijn@
* Previous commit caught a few errx() cases by accident. undo them.tb2020-05-241-25/+25
|
* include newlines in FAIL messagestb2020-05-241-108/+108
|
* address some nits from jsingtb2020-05-241-7/+11
|
* The version detection doesn't work on bluhm's test machine, causingtb2020-05-241-3/+3
| | | | | | | the test to fail. Neuter it for now and just assume we do TLSv1.3. I have been intending to purge this version detection hack once I'm sure we can leave the 1.3 server enabled but I'll leave it here for now.
* Define REGRESS_TARGETS explicitly.tb2020-05-231-2/+4
|
* Enforce that SNI hostnames be correct as per rfc 6066 and 5980.beck2020-05-231-1/+79
| | | | | | | Correct SNI alerts to differentiate between illegal parameter and an unknown name. ok tb@`
* beck fixed most of the keyupdate tests. update annotationtb2020-05-211-3/+8
|
* hook tlsfuzzer to regresstb2020-05-211-1/+2
|
* Add a harness that runs tests from tlsfuzzertb2020-05-212-0/+781
| | | | | | | | | | | | | This currently runs 54 tests from the tlsfuzzer suite against the TLSv1.3 server which exercise a large portion of the code. They already found a number of bugs and misbehaviors and also inspired a few diffs currently in the pipeline. This regress requires the py3-tlsfuzzer package to be installed, otherwise the tests are skipped. Many thanks to kmos for helping with the ports side and to beck for his positive feedback. ok beck
* Add -status and -servername test for s_server and s_client in appstest.shinoguchi2020-05-191-1/+3
|
* Add -groups test for s_server and s_client in appstest.shinoguchi2020-05-191-3/+17
|
* Add client certificate test in appstest.shinoguchi2020-05-181-2/+89
|
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-03-19 21:43:17 +0000