diff options
Diffstat (limited to 'deps/openssl/openssl/test')
36 files changed, 1244 insertions, 232 deletions
diff --git a/deps/openssl/openssl/test/README.external b/deps/openssl/openssl/test/README.external index f836b1b499..2f5423cbc8 100644 --- a/deps/openssl/openssl/test/README.external +++ b/deps/openssl/openssl/test/README.external @@ -145,7 +145,7 @@ To update the commit for any of the above test suites: - Enter subdirectory and pull from the repository (use a specific branch/tag if required): - $ cd <submodule-dir> + $ cd <submodule-dir> $ git pull origin master - Go to root directory, there should be a new git status: diff --git a/deps/openssl/openssl/test/bntest.c b/deps/openssl/openssl/test/bntest.c index 0502497fe3..077f5e8d85 100644 --- a/deps/openssl/openssl/test/bntest.c +++ b/deps/openssl/openssl/test/bntest.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -123,7 +123,7 @@ static int getint(STANZA *s, int *out, const char *attribute) *out = (int)word; st = 1; -err: + err: BN_free(ret); return st; } @@ -138,7 +138,6 @@ static int equalBN(const char *op, const BIGNUM *expected, const BIGNUM *actual) return 0; } - /* * Return a "random" flag for if a BN should be negated. */ @@ -150,7 +149,6 @@ static int rand_neg(void) return sign[(neg++) % 8]; } - static int test_swap(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL; @@ -166,7 +164,7 @@ static int test_swap(void) BN_bntest_rand(b, 1024, 1, 0); BN_copy(c, a); BN_copy(d, b); - top = BN_num_bits(a)/BN_BITS2; + top = BN_num_bits(a) / BN_BITS2; /* regular swap */ BN_swap(a, b); @@ -252,14 +250,13 @@ static int test_sub(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); return st; } - static int test_div_recip(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -293,7 +290,7 @@ static int test_div_recip(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -303,7 +300,6 @@ err: return st; } - static int test_mod(void) { BIGNUM *a = NULL, *b = NULL, *c = NULL, *d = NULL, *e = NULL; @@ -328,7 +324,7 @@ static int test_mod(void) goto err; } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -519,6 +515,31 @@ static int test_modexp_mont5(void) if (!TEST_BN_eq(c, d)) goto err; + /* + * rsaz_1024_mul_avx2 expects fully-reduced inputs. + * BN_mod_exp_mont_consttime should reduce the input first. + */ + BN_hex2bn(&a, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"); + BN_hex2bn(&b, + "1FA53F26F8811C58BE0357897AA5E165693230BC9DF5F01DFA6A2D59229EC69D" + "9DE6A89C36E3B6957B22D6FAAD5A3C73AE587B710DBE92E83D3A9A3339A085CB" + "B58F508CA4F837924BB52CC1698B7FDC2FD74362456A595A5B58E38E38E38E38" + "E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E38E"); + BN_hex2bn(&n, + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF2020202020DF"); + BN_MONT_CTX_set(mont, n, ctx); + BN_mod_exp_mont_consttime(c, a, b, n, ctx, mont); + BN_zero(d); + if (!TEST_BN_eq(c, d)) + goto err; + /* Zero input */ BN_bntest_rand(p, 1024, 0, 0); BN_zero(a); @@ -548,7 +569,7 @@ static int test_modexp_mont5(void) st = 1; -err: + err: BN_MONT_CTX_free(mont); BN_free(a); BN_free(p); @@ -1116,7 +1137,7 @@ static int file_sum(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(sum); @@ -1165,7 +1186,7 @@ static int file_lshift1(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(lshift1); BN_free(zero); @@ -1194,7 +1215,7 @@ static int file_lshift(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(lshift); BN_free(ret); @@ -1224,7 +1245,7 @@ static int file_rshift(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(rshift); BN_free(ret); @@ -1281,7 +1302,7 @@ static int file_square(STANZA *s) #endif st = 1; -err: + err: BN_free(a); BN_free(square); BN_free(zero); @@ -1318,7 +1339,7 @@ static int file_product(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(product); @@ -1401,7 +1422,7 @@ static int file_quotient(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(quotient); @@ -1455,7 +1476,7 @@ static int file_modmul(STANZA *s) } st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(m); @@ -1507,7 +1528,7 @@ static int file_modexp(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -1535,7 +1556,7 @@ static int file_exp(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(e); BN_free(exp); @@ -1566,7 +1587,7 @@ static int file_modsqrt(STANZA *s) goto err; st = 1; -err: + err: BN_free(a); BN_free(p); BN_free(mod_sqrt); @@ -1596,8 +1617,8 @@ static int test_bn2padded(void) /* Test a random numbers at various byte lengths. */ for (size_t bytes = 128 - 7; bytes <= 128; bytes++) { -#define TOP_BIT_ON 0 -#define BOTTOM_BIT_NOTOUCH 0 +# define TOP_BIT_ON 0 +# define BOTTOM_BIT_NOTOUCH 0 if (!TEST_true(BN_rand(n, bytes * 8, TOP_BIT_ON, BOTTOM_BIT_NOTOUCH))) goto err; if (!TEST_int_eq(BN_num_bytes(n),A) bytes @@ -1628,7 +1649,7 @@ static int test_bn2padded(void) } st = 1; -err: + err: BN_free(n); return st; #else @@ -1700,7 +1721,7 @@ static int test_dec2bn(void) goto err; st = 1; -err: + err: BN_free(bn); return st; } @@ -1766,7 +1787,7 @@ static int test_hex2bn(void) goto err; st = 1; -err: + err: BN_free(bn); return st; } @@ -1820,7 +1841,7 @@ static int test_asc2bn(void) goto err; st = 1; -err: + err: BN_free(bn); return st; } @@ -1864,7 +1885,7 @@ static int test_mpi(int i) BN_free(bn2); st = 1; -err: + err: BN_free(bn); return st; } @@ -1890,7 +1911,7 @@ static int test_rand(void) goto err; st = 1; -err: + err: BN_free(bn); return st; } @@ -1954,7 +1975,7 @@ static int test_negzero(void) goto err; st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(c); @@ -1995,7 +2016,7 @@ static int test_badmod(void) ERR_clear_error(); if (!TEST_false(BN_mod_exp_mont_consttime(a, BN_value_one(), BN_value_one(), - zero, ctx, NULL))) + zero, ctx, NULL))) goto err; ERR_clear_error(); @@ -2017,12 +2038,12 @@ static int test_badmod(void) ERR_clear_error(); if (!TEST_false(BN_mod_exp_mont_consttime(a, BN_value_one(), BN_value_one(), - b, ctx, NULL))) + b, ctx, NULL))) goto err; ERR_clear_error(); st = 1; -err: + err: BN_free(a); BN_free(b); BN_free(zero); @@ -2056,7 +2077,7 @@ static int test_expmodzero(void) goto err; st = 1; -err: + err: BN_free(zero); BN_free(a); BN_free(r); @@ -2102,7 +2123,7 @@ static int test_expmodone(void) } ret = 1; -err: + err: BN_free(r); BN_free(a); BN_free(p); @@ -2123,7 +2144,7 @@ static int test_smallprime(void) goto err; st = 1; -err: + err: BN_free(r); return st; } @@ -2147,7 +2168,7 @@ static int test_is_prime(int i) } ret = 1; -err: + err: BN_free(r); return ret; } @@ -2170,11 +2191,97 @@ static int test_not_prime(int i) } ret = 1; -err: + err: BN_free(r); return ret; } +static int test_ctx_set_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[15]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (!TEST_ptr(b[i] = BN_CTX_get(c))) + goto err; + if (i % 2 == 1) + BN_set_flags(b[i], BN_FLG_CONSTTIME); + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_check_ct_flag(BN_CTX *c) +{ + int st = 0; + size_t i; + BIGNUM *b[30]; + + BN_CTX_start(c); + for (i = 0; i < OSSL_NELEM(b); i++) { + if (!TEST_ptr(b[i] = BN_CTX_get(c))) + goto err; + if (!TEST_false(BN_get_flags(b[i], BN_FLG_CONSTTIME))) + goto err; + } + + st = 1; + err: + BN_CTX_end(c); + return st; +} + +static int test_ctx_consttime_flag(void) +{ + /*- + * The constant-time flag should not "leak" among BN_CTX frames: + * + * - test_ctx_set_ct_flag() starts a frame in the given BN_CTX and + * sets the BN_FLG_CONSTTIME flag on some of the BIGNUMs obtained + * from the frame before ending it. + * - test_ctx_check_ct_flag() then starts a new frame and gets a + * number of BIGNUMs from it. In absence of leaks, none of the + * BIGNUMs in the new frame should have BN_FLG_CONSTTIME set. + * + * In actual BN_CTX usage inside libcrypto the leak could happen at + * any depth level in the BN_CTX stack, with varying results + * depending on the patterns of sibling trees of nested function + * calls sharing the same BN_CTX object, and the effect of + * unintended BN_FLG_CONSTTIME on the called BN_* functions. + * + * This simple unit test abstracts away this complexity and verifies + * that the leak does not happen between two sibling functions + * sharing the same BN_CTX object at the same level of nesting. + * + */ + BN_CTX *nctx = NULL; + BN_CTX *sctx = NULL; + size_t i = 0; + int st = 0; + + if (!TEST_ptr(nctx = BN_CTX_new()) + || !TEST_ptr(sctx = BN_CTX_secure_new())) + goto err; + + for (i = 0; i < 2; i++) { + BN_CTX *c = i == 0 ? nctx : sctx; + if (!TEST_true(test_ctx_set_ct_flag(c)) + || !TEST_true(test_ctx_check_ct_flag(c))) + goto err; + } + + st = 1; + err: + BN_CTX_free(nctx); + BN_CTX_free(sctx); + return st; +} + static int file_test_run(STANZA *s) { static const FILETEST filetests[] = { @@ -2262,6 +2369,7 @@ int setup_tests(void) ADD_TEST(test_expmodone); ADD_TEST(test_smallprime); ADD_TEST(test_swap); + ADD_TEST(test_ctx_consttime_flag); #ifndef OPENSSL_NO_EC2M ADD_TEST(test_gf2m_add); ADD_TEST(test_gf2m_mod); diff --git a/deps/openssl/openssl/test/build.info b/deps/openssl/openssl/test/build.info index b6bb711c8b..52d4ee7d3b 100644 --- a/deps/openssl/openssl/test/build.info +++ b/deps/openssl/openssl/test/build.info @@ -41,7 +41,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN packettest asynctest secmemtest srptest memleaktest stack_test \ dtlsv1listentest ct_test threadstest afalgtest d2i_test \ ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \ - bio_callback_test \ + bio_callback_test bio_memleak_test \ bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \ pkey_meth_test pkey_meth_kdf_test uitest cipherbytes_test \ asn1_encode_test asn1_decode_test asn1_string_table_test \ @@ -299,6 +299,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN INCLUDE[bio_callback_test]=../include DEPEND[bio_callback_test]=../libcrypto libtestutil.a + SOURCE[bio_memleak_test]=bio_memleak_test.c + INCLUDE[bio_memleak_test]=../include + DEPEND[bio_memleak_test]=../libcrypto libtestutil.a + SOURCE[bioprinttest]=bioprinttest.c INCLUDE[bioprinttest]=../include DEPEND[bioprinttest]=../libcrypto libtestutil.a @@ -389,7 +393,6 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN PROGRAMS_NO_INST=shlibloadtest SOURCE[shlibloadtest]=shlibloadtest.c INCLUDE[shlibloadtest]=../include ../crypto/include - DEPEND[shlibloadtest]=libtestutil.a ENDIF IF[{- $disabled{shared} -}] @@ -455,7 +458,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN PROGRAMS_NO_INST=sm4_internal_test ENDIF IF[{- !$disabled{ec} -}] - PROGRAMS_NO_INST=curve448_internal_test + PROGRAMS_NO_INST=ec_internal_test curve448_internal_test ENDIF SOURCE[poly1305_internal_test]=poly1305_internal_test.c @@ -502,6 +505,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /INCLUDE=MAIN INCLUDE[sm4_internal_test]=.. ../include ../crypto/include DEPEND[sm4_internal_test]=../libcrypto.a libtestutil.a + SOURCE[ec_internal_test]=ec_internal_test.c + INCLUDE[ec_internal_test]=../include ../crypto/ec ../crypto/include + DEPEND[ec_internal_test]=../libcrypto.a libtestutil.a + SOURCE[curve448_internal_test]=curve448_internal_test.c INCLUDE[curve448_internal_test]=.. ../include ../crypto/ec/curve448 DEPEND[curve448_internal_test]=../libcrypto.a libtestutil.a diff --git a/deps/openssl/openssl/test/certs/root-cert-rsa2.pem b/deps/openssl/openssl/test/certs/root-cert-rsa2.pem new file mode 100644 index 0000000000..b817fdf3e5 --- /dev/null +++ b/deps/openssl/openssl/test/certs/root-cert-rsa2.pem @@ -0,0 +1,18 @@ +-----BEGIN CERTIFICATE----- +MIIC7DCCAdSgAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 +IENBMCAXDTE2MDExNTA4MTk0OVoYDzIxMTYwMTE2MDgxOTQ5WjASMRAwDgYDVQQD +DAdSb290IENBMIIBHTAIBgRVCAEBBQADggEPADCCAQoCggEBAOHmAPUGvKBGOHkP +Px5xGRNtAt8rm3Zr/KywIe3WkQhCO6VjNexSW6CiSsXWAJQDl1o9uWco0n3jIVyk +7cY8jY6E0Z1Uwz3ZdKKWdmdx+cYaUHez/XjuW+DjjIkjwpoi7D7UN54HzcArVREX +OjRCHGkNOhiw7RWUXsb9nofGHOeUGpLAXwXBc0PlA94JkckkztiOi34u4DFI0YYq +alUmeugLNk6XseCkydpcaUsDgAhWg6Mfsiq4wUz+xbFN1MABqu2+ziW97mmt9gfN +biuhiVT1aOuYCe3JYGbLM2JKA7Bo1g6rX8E1VX79Ru6669y2oqPthX9337VoIkN+ +ZiQjr8UCAwEAAaNQME4wHQYDVR0OBBYEFI71Ja8em2uEPXyAmslTnE1y96NSMB8G +A1UdIwQYMBaAFI71Ja8em2uEPXyAmslTnE1y96NSMAwGA1UdEwQFMAMBAf8wDQYJ +KoZIhvcNAQELBQADggEBAJ0OIdog3uQ1pmsjv1Qtf1w4If1geOn5uK0EOj2wYBHt +NxlFn7l8d9+51QMZFO+RlQJ0s3Webyo1ReuaL2dMn2LGJhWMoSBAwrMALAENU3lv +8jioRbfO2OamsdpJpKxQUyUJYudNe+BoKNX/ry3rxezmsFsRr9nDMiJZpmBCXiMm +mFFJOJkG0CheexBbMkua4kyStIOwO4rb5bSHszVso/9ucdGHBSC7oRcJXoWSDjBx +PdQPPBK5g4yqL8Lz26ehgsmhRKL9k32eVyjDKcIzgpmgcPTfTqNbd1KHQJKx4ssb +7nEpGKHalSo5Oq5L9s9qYrUv37kwBY4OpJFtmGaodoI= +-----END CERTIFICATE----- diff --git a/deps/openssl/openssl/test/cipherlist_test.c b/deps/openssl/openssl/test/cipherlist_test.c index 5023c1c487..8ee491091d 100644 --- a/deps/openssl/openssl/test/cipherlist_test.c +++ b/deps/openssl/openssl/test/cipherlist_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL licenses, (the "License"); * you may not use this file except in compliance with the License. @@ -215,9 +215,44 @@ static int test_default_cipherlist_explicit(void) return result; } +/* SSL_CTX_set_cipher_list() should fail if it clears all TLSv1.2 ciphers. */ +static int test_default_cipherlist_clear(void) +{ + SETUP_CIPHERLIST_TEST_FIXTURE(); + SSL *s = NULL; + + if (fixture == NULL) + return 0; + + if (!TEST_int_eq(SSL_CTX_set_cipher_list(fixture->server, "no-such"), 0)) + goto end; + + if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), SSL_R_NO_CIPHER_MATCH)) + goto end; + + s = SSL_new(fixture->client); + + if (!TEST_ptr(s)) + goto end; + + if (!TEST_int_eq(SSL_set_cipher_list(s, "no-such"), 0)) + goto end; + + if (!TEST_int_eq(ERR_GET_REASON(ERR_get_error()), + SSL_R_NO_CIPHER_MATCH)) + goto end; + + result = 1; +end: + SSL_free(s); + tear_down(fixture); + return result; +} + int setup_tests(void) { ADD_TEST(test_default_cipherlist_implicit); ADD_TEST(test_default_cipherlist_explicit); + ADD_TEST(test_default_cipherlist_clear); return 1; } diff --git a/deps/openssl/openssl/test/clienthellotest.c b/deps/openssl/openssl/test/clienthellotest.c index 10e3b1b1b1..862ca9ff6c 100644 --- a/deps/openssl/openssl/test/clienthellotest.c +++ b/deps/openssl/openssl/test/clienthellotest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -99,8 +99,9 @@ static int test_client_hello(int currtest) * ClientHello is already going to be quite long. To avoid getting one * that is too long for this test we use a restricted ciphersuite list */ - if (!TEST_true(SSL_CTX_set_cipher_list(ctx, ""))) + if (!TEST_false(SSL_CTX_set_cipher_list(ctx, ""))) goto end; + ERR_clear_error(); /* Fall through */ case TEST_ADD_PADDING: case TEST_PADDING_NOT_NEEDED: diff --git a/deps/openssl/openssl/test/crltest.c b/deps/openssl/openssl/test/crltest.c index 4d35fd4081..fe52282112 100644 --- a/deps/openssl/openssl/test/crltest.c +++ b/deps/openssl/openssl/test/crltest.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -357,6 +357,20 @@ static int test_unknown_critical_crl(int n) return r; } +static int test_reuse_crl(void) +{ + X509_CRL *reused_crl = CRL_from_strings(kBasicCRL); + char *p; + BIO *b = glue2bio(kRevokedCRL, &p); + + reused_crl = PEM_read_bio_X509_CRL(b, &reused_crl, NULL, NULL); + + OPENSSL_free(p); + BIO_free(b); + X509_CRL_free(reused_crl); + return 1; +} + int setup_tests(void) { if (!TEST_ptr(test_root = X509_from_strings(kCRLTestRoot)) @@ -368,6 +382,7 @@ int setup_tests(void) ADD_TEST(test_bad_issuer_crl); ADD_TEST(test_known_critical_crl); ADD_ALL_TESTS(test_unknown_critical_crl, OSSL_NELEM(unknown_critical_crls)); + ADD_TEST(test_reuse_crl); return 1; } diff --git a/deps/openssl/openssl/test/dtlstest.c b/deps/openssl/openssl/test/dtlstest.c index 772528febf..9e6ed44382 100644 --- a/deps/openssl/openssl/test/dtlstest.c +++ b/deps/openssl/openssl/test/dtlstest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -87,17 +87,21 @@ static int test_dtls_unprocessed(int testidx) /* * Inject a dummy record from the next epoch. In test 0, this should never * get used because the message sequence number is too big. In test 1 we set - * the record sequence number to be way off in the future. This should not - * have an impact on the record replay protection because the record should - * be dropped before it is marked as arrived + * the record sequence number to be way off in the future. */ c_to_s_mempacket = SSL_get_wbio(clientssl1); c_to_s_mempacket = BIO_next(c_to_s_mempacket); mempacket_test_inject(c_to_s_mempacket, (char *)certstatus, sizeof(certstatus), 1, INJECT_PACKET_IGNORE_REC_SEQ); - if (!TEST_true(create_ssl_connection(serverssl1, clientssl1, - SSL_ERROR_NONE))) + /* + * Create the connection. We use "create_bare_ssl_connection" here so that + * we can force the connection to not do "SSL_read" once partly conencted. + * We don't want to accidentally read the dummy records we injected because + * they will fail to decrypt. + */ + if (!TEST_true(create_bare_ssl_connection(serverssl1, clientssl1, + SSL_ERROR_NONE, 0))) goto end; if (timer_cb_count == 0) { diff --git a/deps/openssl/openssl/test/ecdsatest.c b/deps/openssl/openssl/test/ecdsatest.c index 96939a5b72..531562ed68 100644 --- a/deps/openssl/openssl/test/ecdsatest.c +++ b/deps/openssl/openssl/test/ecdsatest.c @@ -1,5 +1,5 @@ /* - * Copyright 2002-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * * Licensed under the OpenSSL license (the "License"). You may not use @@ -223,7 +223,7 @@ static int test_builtin(void) const BIGNUM *sig_r, *sig_s; BIGNUM *modified_r = NULL, *modified_s = NULL; BIGNUM *unmodified_r = NULL, *unmodified_s = NULL; - unsigned int sig_len, degree, r_len, s_len, bn_len, buf_len; + unsigned int sig_len, order, r_len, s_len, bn_len, buf_len; int nid, ret = 0; /* fill digest values with some random data */ @@ -251,7 +251,7 @@ static int test_builtin(void) || !TEST_true(EC_KEY_set_group(eckey, group))) goto builtin_err; EC_GROUP_free(group); - degree = EC_GROUP_get_degree(EC_KEY_get0_group(eckey)); + order = EC_GROUP_order_bits(EC_KEY_get0_group(eckey)); TEST_info("testing %s", OBJ_nid2sn(nid)); @@ -316,7 +316,7 @@ static int test_builtin(void) /* Store the two BIGNUMs in raw_buf. */ r_len = BN_num_bytes(sig_r); s_len = BN_num_bytes(sig_s); - bn_len = (degree + 7) / 8; + bn_len = (order + 7) / 8; if (!TEST_false(r_len > bn_len) || !TEST_false(s_len > bn_len)) goto builtin_err; diff --git a/deps/openssl/openssl/test/evp_extra_test.c b/deps/openssl/openssl/test/evp_extra_test.c index e396b07f5f..918c320543 100644 --- a/deps/openssl/openssl/test/evp_extra_test.c +++ b/deps/openssl/openssl/test/evp_extra_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -299,6 +299,21 @@ static const unsigned char kExampleECPubKeyDER[] = { 0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5 }; +/* + * kExampleBadECKeyDER is a sample EC public key with a wrong OID + * 1.2.840.10045.2.2 instead of 1.2.840.10045.2.1 - EC Public Key + */ +static const unsigned char kExampleBadECPubKeyDER[] = { + 0x30, 0x59, 0x30, 0x13, 0x06, 0x07, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x02, + 0x02, 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07, 0x03, + 0x42, 0x00, 0x04, 0xba, 0xeb, 0x83, 0xfb, 0x3b, 0xb2, 0xff, 0x30, 0x53, + 0xdb, 0xce, 0x32, 0xf2, 0xac, 0xae, 0x44, 0x0d, 0x3d, 0x13, 0x53, 0xb8, + 0xd1, 0x68, 0x55, 0xde, 0x44, 0x46, 0x05, 0xa6, 0xc9, 0xd2, 0x04, 0xb7, + 0xe3, 0xa2, 0x96, 0xc8, 0xb2, 0x5e, 0x22, 0x03, 0xd7, 0x03, 0x7a, 0x8b, + 0x13, 0x5c, 0x42, 0x49, 0xc2, 0xab, 0x86, 0xd6, 0xac, 0x6b, 0x93, 0x20, + 0x56, 0x6a, 0xc6, 0xc8, 0xa5, 0x0b, 0xe5 +}; + static const unsigned char pExampleECParamDER[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 }; @@ -963,6 +978,37 @@ static int test_HKDF(void) return ret; } +#ifndef OPENSSL_NO_EC +static int test_X509_PUBKEY_inplace(void) +{ + int ret = 0; + X509_PUBKEY *xp = NULL; + const unsigned char *p = kExampleECPubKeyDER; + size_t input_len = sizeof(kExampleECPubKeyDER); + + if (!TEST_ptr(xp = d2i_X509_PUBKEY(NULL, &p, input_len))) + goto done; + + if (!TEST_ptr(X509_PUBKEY_get0(xp))) + goto done; + + p = kExampleBadECPubKeyDER; + input_len = sizeof(kExampleBadECPubKeyDER); + + if (!TEST_ptr(xp = d2i_X509_PUBKEY(&xp, &p, input_len))) + goto done; + + if (!TEST_true(X509_PUBKEY_get0(xp) == NULL)) + goto done; + + ret = 1; + +done: + X509_PUBKEY_free(xp); + return ret; +} +#endif + int setup_tests(void) { ADD_TEST(test_EVP_DigestSignInit); @@ -987,5 +1033,8 @@ int setup_tests(void) return 0; ADD_ALL_TESTS(test_EVP_PKEY_check, OSSL_NELEM(keycheckdata)); ADD_TEST(test_HKDF); +#ifndef OPENSSL_NO_EC + ADD_TEST(test_X509_PUBKEY_inplace); +#endif return 1; } diff --git a/deps/openssl/openssl/test/evp_test.c b/deps/openssl/openssl/test/evp_test.c index e7e376e657..85c1552a7a 100644 --- a/deps/openssl/openssl/test/evp_test.c +++ b/deps/openssl/openssl/test/evp_test.c @@ -1,5 +1,5 @@ /* - * Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -1559,15 +1559,18 @@ static int encode_test_init(EVP_TEST *t, const char *encoding) } else if (strcmp(encoding, "invalid") == 0) { edata->encoding = BASE64_INVALID_ENCODING; if (!TEST_ptr(t->expected_err = OPENSSL_strdup("DECODE_ERROR"))) - return 0; + goto err; } else { TEST_error("Bad encoding: %s." " Should be one of {canonical, valid, invalid}", encoding); - return 0; + goto err; } t->data = edata; return 1; +err: + OPENSSL_free(edata); + return 0; } static void encode_test_cleanup(EVP_TEST *t) @@ -1596,7 +1599,7 @@ static int encode_test_run(EVP_TEST *t) ENCODE_DATA *expected = t->data; unsigned char *encode_out = NULL, *decode_out = NULL; int output_len, chunk_len; - EVP_ENCODE_CTX *decode_ctx; + EVP_ENCODE_CTX *decode_ctx = NULL, *encode_ctx = NULL; if (!TEST_ptr(decode_ctx = EVP_ENCODE_CTX_new())) { t->err = "INTERNAL_ERROR"; @@ -1604,7 +1607,6 @@ static int encode_test_run(EVP_TEST *t) } if (expected->encoding == BASE64_CANONICAL_ENCODING) { - EVP_ENCODE_CTX *encode_ctx; if (!TEST_ptr(encode_ctx = EVP_ENCODE_CTX_new()) || !TEST_ptr(encode_out = @@ -1612,15 +1614,15 @@ static int encode_test_run(EVP_TEST *t) goto err; EVP_EncodeInit(encode_ctx); - EVP_EncodeUpdate(encode_ctx, encode_out, &chunk_len, - expected->input, expected->input_len); + if (!TEST_true(EVP_EncodeUpdate(encode_ctx, encode_out, &chunk_len, + expected->input, expected->input_len))) + goto err; + output_len = chunk_len; EVP_EncodeFinal(encode_ctx, encode_out + chunk_len, &chunk_len); output_len += chunk_len; - EVP_ENCODE_CTX_free(encode_ctx); - if (!memory_err_compare(t, "BAD_ENCODING", expected->output, expected->output_len, encode_out, output_len)) @@ -1658,6 +1660,7 @@ static int encode_test_run(EVP_TEST *t) OPENSSL_free(encode_out); OPENSSL_free(decode_out); EVP_ENCODE_CTX_free(decode_ctx); + EVP_ENCODE_CTX_free(encode_ctx); return 1; } diff --git a/deps/openssl/openssl/test/handshake_helper.c b/deps/openssl/openssl/test/handshake_helper.c index 40bfd3ec26..27ff794014 100644 --- a/deps/openssl/openssl/test/handshake_helper.c +++ b/deps/openssl/openssl/test/handshake_helper.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -22,6 +22,10 @@ #include "handshake_helper.h" #include "testutil.h" +#if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) +#include <netinet/sctp.h> +#endif + HANDSHAKE_RESULT *HANDSHAKE_RESULT_new(void) { HANDSHAKE_RESULT *ret; @@ -1282,13 +1286,33 @@ static int peer_pkey_type(SSL *s) #if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) static int set_sock_as_sctp(int sock) { + struct sctp_assocparams assocparams; + struct sctp_rtoinfo rto_info; + BIO *tmpbio; + + /* + * To allow tests to fail fast (within a second or so), reduce the + * retransmission timeouts and the number of retransmissions. + */ + memset(&rto_info, 0, sizeof(struct sctp_rtoinfo)); + rto_info.srto_initial = 100; + rto_info.srto_max = 200; + rto_info.srto_min = 50; + (void)setsockopt(sock, IPPROTO_SCTP, SCTP_RTOINFO, + (const void *)&rto_info, sizeof(struct sctp_rtoinfo)); + memset(&assocparams, 0, sizeof(struct sctp_assocparams)); + assocparams.sasoc_asocmaxrxt = 2; + (void)setsockopt(sock, IPPROTO_SCTP, SCTP_ASSOCINFO, + (const void *)&assocparams, + sizeof(struct sctp_assocparams)); + /* * For SCTP we have to set various options on the socket prior to * connecting. This is done automatically by BIO_new_dgram_sctp(). * We don't actually need the created BIO though so we free it again * immediately. */ - BIO *tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); + tmpbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE); if (tmpbio == NULL) return 0; @@ -1438,6 +1462,13 @@ static HANDSHAKE_RESULT *do_handshake_internal( return NULL; } +#if !defined(OPENSSL_NO_SCTP) && !defined(OPENSSL_NO_SOCK) + if (test_ctx->enable_client_sctp_label_bug) + SSL_CTX_set_mode(client_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); + if (test_ctx->enable_server_sctp_label_bug) + SSL_CTX_set_mode(server_ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG); +#endif + /* Setup SSL and buffers; additional configuration happens below. */ if (!create_peer(&server, server_ctx)) { TEST_note("creating server context"); diff --git a/deps/openssl/openssl/test/recipes/02-test_errstr.t b/deps/openssl/openssl/test/recipes/02-test_errstr.t new file mode 100644 index 0000000000..3a04310e11 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/02-test_errstr.t @@ -0,0 +1,121 @@ +#! /usr/bin/env perl +# Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +no strict 'refs'; # To be able to use strings as function refs +use OpenSSL::Test; +use OpenSSL::Test::Utils; +use Errno qw(:POSIX); +use POSIX qw(strerror); + +# We actually have space for up to 4095 error messages, +# numerically speaking... but we're currently only using +# numbers 1 through 127. +# This constant should correspond to the same constant +# defined in crypto/err/err.c, or at least must not be +# assigned a greater number. +use constant NUM_SYS_STR_REASONS => 127; + +setup('test_errstr'); + +# In a cross compiled situation, there are chances that our +# application is linked against different C libraries than +# perl, and may thereby get different error messages for the +# same error. +# The safest is not to test under such circumstances. +plan skip_all => 'This is unsupported for cross compiled configurations' + if config('CROSS_COMPILE'); + +# The same can be said when compiling OpenSSL with mingw configuration +# on Windows when built with msys perl. Similar problems are also observed +# in MSVC builds, depending on the perl implementation used. +plan skip_all => 'This is unsupported on MSYS/MinGW or MSWin32' + if $^O eq 'msys' or $^O eq 'MSWin32'; + +plan skip_all => 'OpenSSL is configured "no-autoerrinit" or "no-err"' + if disabled('autoerrinit') || disabled('err'); + +# These are POSIX error names, which Errno implements as functions +# (this is documented) +my @posix_errors = @{$Errno::EXPORT_TAGS{POSIX}}; + +if ($^O eq 'MSWin32') { + # On Windows, these errors have been observed to not always be loaded by + # apps/openssl, while they are in perl, which causes a difference that we + # consider a false alarm. So we skip checking these errors. + # Because we can't know exactly what symbols exist in a perticular perl + # version, we resort to discovering them directly in the Errno package + # symbol table. + my @error_skiplist = qw( + ENETDOWN + ENETUNREACH + ENETRESET + ECONNABORTED + EISCONN + ENOTCONN + ESHUTDOWN + ETOOMANYREFS + ETIMEDOUT + EHOSTDOWN + EHOSTUNREACH + EALREADY + EINPROGRESS + ESTALE + EUCLEAN + ENOTNAM + ENAVAIL + ENOMEDIUM + ENOKEY + ); + @posix_errors = + grep { + my $x = $_; + ! grep { + exists $Errno::{$_} && $x == $Errno::{$_} + } @error_skiplist + } @posix_errors; +} + +plan tests => scalar @posix_errors + +1 # Checking that error 128 gives 'reason(128)' + +1 # Checking that error 0 gives the library name + ; + +foreach my $errname (@posix_errors) { + my $errnum = "Errno::$errname"->(); + + SKIP: { + skip "Error $errname ($errnum) isn't within our range", 1 + if $errnum > NUM_SYS_STR_REASONS; + + my $perr = eval { + # Set $! to the error number... + local $! = $errnum; + # ... and $! will give you the error string back + $! + }; + + # We know that the system reasons are in OpenSSL error library 2 + my @oerr = run(app([ qw(openssl errstr), sprintf("2%06x", $errnum) ]), + capture => 1); + $oerr[0] =~ s|\R$||; + $oerr[0] =~ s|.*system library:||g; # The actual message is last + + ok($oerr[0] eq $perr, "($errnum) '$oerr[0]' == '$perr'"); + } +} + +my @after = run(app([ qw(openssl errstr 2000080) ]), capture => 1); +$after[0] =~ s|\R$||; +$after[0] =~ s|.*system library:||g; +ok($after[0] eq "reason(128)", "(128) '$after[0]' == 'reason(128)'"); + +my @zero = run(app([ qw(openssl errstr 2000000) ]), capture => 1); +$zero[0] =~ s|\R$||; +$zero[0] =~ s|.*system library:||g; +ok($zero[0] eq "system library", "(0) '$zero[0]' == 'system library'"); diff --git a/deps/openssl/openssl/test/recipes/03-test_internal_ec.t b/deps/openssl/openssl/test/recipes/03-test_internal_ec.t new file mode 100644 index 0000000000..0d31d0ac07 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/03-test_internal_ec.t @@ -0,0 +1,19 @@ +#! /usr/bin/env perl +# Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + +use strict; +use OpenSSL::Test; # get 'plan' +use OpenSSL::Test::Simple; +use OpenSSL::Test::Utils; + +setup("test_internal_ec"); + +plan skip_all => "This test is unsupported in a no-ec build" + if disabled("ec"); + +simple_test("test_internal_ec", "ec_internal_test"); diff --git a/deps/openssl/openssl/test/recipes/25-test_verify.t b/deps/openssl/openssl/test/recipes/25-test_verify.t index 6c3deab7c6..b80a1cde3e 100644 --- a/deps/openssl/openssl/test/recipes/25-test_verify.t +++ b/deps/openssl/openssl/test/recipes/25-test_verify.t @@ -27,7 +27,7 @@ sub verify { run(app([@args])); } -plan tests => 134; +plan tests => 135; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -361,6 +361,8 @@ ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"] "Not too many names and constraints to check (2)"); ok(verify("some-names2", "sslserver", ["many-constraints"], ["many-constraints"], ), "Not too many names and constraints to check (3)"); +ok(verify("root-cert-rsa2", "sslserver", ["root-cert-rsa2"], [], "-check_ss_sig"), + "Public Key Algorithm rsa instead of rsaEncryption"); SKIP: { skip "Ed25519 is not supported by this OpenSSL build", 1 diff --git a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey.txt b/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey.txt index f4470ff46b..736e0ce4d3 100644 --- a/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey.txt +++ b/deps/openssl/openssl/test/recipes/30-test_evp_data/evppkey.txt @@ -17601,6 +17601,14 @@ Key = ED25519-1-PUBLIC-Raw Input = "" Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901555fb8821590a33bacc61e39701cf9b46bd25bf5f0595bbe24655141438e7a100b +#Signature maleability test. +#Same as the verify operation above but with the order added to s +OneShotDigestVerify = NULL +Key = ED25519-1-PUBLIC-Raw +Input = "" +Output = e5564300c360ac729086e2cc806e828a84877f1eb8e5d974d873e065224901554c8c7872aa064e049dbb3013fbf29380d25bf5f0595bbe24655141438e7a101b +Result = VERIFY_ERROR + Title = ED448 tests from RFC8032 PrivateKey=ED448-1 @@ -17809,6 +17817,13 @@ Key = ED448-1-PUBLIC-Raw Input = "" Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980ff0d2028d4b18a9df63e006c5d1c2d345b925d8dc00b4104852db99ac5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e652600 +#Signature malelability test. +#Same as the verify operation above but with the order added to s +OneShotDigestVerify = NULL +Key = ED448-1-PUBLIC-Raw +Input = "" +Output = 533a37f6bbe457251f023c0d88f976ae2dfb504a843e34d2074fd823d41a591f2b233f034f628281f2fd7a22ddd47d7828c59bd0a21bfd3980f25278d3667403c14bcec5f9cfde9955ebc8333c0ae78fc86e518317c5c7cdda8530a113a0f4dbb61149f05a7363268c71d95808ff2e656600 +Result = VERIFY_ERROR # Key generation tests KeyGen = rsaEncryption diff --git a/deps/openssl/openssl/test/recipes/70-test_sslextension.t b/deps/openssl/openssl/test/recipes/70-test_sslextension.t index 20e1933f00..469567cb72 100644 --- a/deps/openssl/openssl/test/recipes/70-test_sslextension.t +++ b/deps/openssl/openssl/test/recipes/70-test_sslextension.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -88,9 +88,11 @@ sub inject_duplicate_extension foreach my $message (@{$proxy->message_list}) { if ($message->mt == $message_type) { my %extensions = %{$message->extension_data}; - # Add a duplicate (unknown) extension. - $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); - $message->set_extension(TLSProxy::Message::EXT_DUPLICATE_EXTENSION, ""); + # Add a duplicate extension. We use cryptopro_bug since we never + # normally write that one, and it is allowed as unsolicited in the + # ServerHello + $message->set_extension(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION, ""); + $message->dupext(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION); $message->repack(); } } @@ -173,9 +175,23 @@ sub inject_unsolicited_extension $sent_unsolisited_extension = 1; } +sub inject_cryptopro_extension +{ + my $proxy = shift; + + # We're only interested in the initial ClientHello + if ($proxy->flight != 0) { + return; + } + + my $message = ${$proxy->message_list}[0]; + $message->set_extension(TLSProxy::Message::EXT_CRYPTOPRO_BUG_EXTENSION, ""); + $message->repack(); +} + # Test 1-2: Sending a duplicate extension should fail. $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 7; +plan tests => 8; ok($fatal_alert, "Duplicate ClientHello extension"); $fatal_alert = 0; @@ -234,3 +250,11 @@ SKIP: { $proxy->start(); ok($fatal_alert, "Unsolicited server name extension (TLSv1.3)"); } + +#Test 8: Send the cryptopro extension in a ClientHello. Normally this is an +# unsolicited extension only ever seen in the ServerHello. We should +# ignore it in a ClientHello +$proxy->clear(); +$proxy->filter(\&inject_cryptopro_extension); +$proxy->start(); +ok(TLSProxy::Message->success(), "Cryptopro extension in ClientHello"); diff --git a/deps/openssl/openssl/test/recipes/70-test_sslrecords.t b/deps/openssl/openssl/test/recipes/70-test_sslrecords.t index 1233028386..bb4e3543af 100644 --- a/deps/openssl/openssl/test/recipes/70-test_sslrecords.t +++ b/deps/openssl/openssl/test/recipes/70-test_sslrecords.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -44,7 +44,7 @@ my $content_type = TLSProxy::Record::RT_APPLICATION_DATA; my $inject_recs_num = 1; $proxy->serverflags("-tls1_2"); $proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; -plan tests => 18; +plan tests => 20; ok($fatal_alert, "Out of context empty records test"); #Test 2: Injecting in context empty records should succeed @@ -155,7 +155,7 @@ ok($fatal_alert, "Changed record version in TLS1.2"); #TLS1.3 specific tests SKIP: { - skip "TLSv1.3 disabled", 6 if disabled("tls1_3"); + skip "TLSv1.3 disabled", 8 if disabled("tls1_3"); #Test 13: Sending a different record version in TLS1.3 should fail $proxy->clear(); @@ -181,7 +181,9 @@ SKIP: { use constant { DATA_AFTER_SERVER_HELLO => 0, DATA_AFTER_FINISHED => 1, - DATA_AFTER_KEY_UPDATE => 2 + DATA_AFTER_KEY_UPDATE => 2, + DATA_BETWEEN_KEY_UPDATE => 3, + NO_DATA_BETWEEN_KEY_UPDATE => 4, }; #Test 16: Sending a ServerHello which doesn't end on a record boundary @@ -198,7 +200,6 @@ SKIP: { $fatal_alert = 0; $proxy->clear(); $boundary_test_type = DATA_AFTER_FINISHED; - $proxy->filter(\¬_on_record_boundary); $proxy->start(); ok($fatal_alert, "Record not on boundary in TLS1.3 (Finished)"); @@ -207,9 +208,24 @@ SKIP: { $fatal_alert = 0; $proxy->clear(); $boundary_test_type = DATA_AFTER_KEY_UPDATE; - $proxy->filter(\¬_on_record_boundary); $proxy->start(); ok($fatal_alert, "Record not on boundary in TLS1.3 (KeyUpdate)"); + + #Test 19: Sending application data in the middle of a fragmented KeyUpdate + # should fail. Strictly speaking this is not a record boundary test + # but we use the same filter. + $fatal_alert = 0; + $proxy->clear(); + $boundary_test_type = DATA_BETWEEN_KEY_UPDATE; + $proxy->start(); + ok($fatal_alert, "Data between KeyUpdate"); + + #Test 20: Fragmented KeyUpdate. This should succeed. Strictly speaking this + # is not a record boundary test but we use the same filter. + $proxy->clear(); + $boundary_test_type = NO_DATA_BETWEEN_KEY_UPDATE; + $proxy->start(); + ok(TLSProxy::Message->success(), "No data between KeyUpdate"); } @@ -573,7 +589,7 @@ sub not_on_record_boundary #Update the record $last_record->data($data); $last_record->len(length $data); - } else { + } elsif ($boundary_test_type == DATA_AFTER_KEY_UPDATE) { return if @{$proxy->{message_list}}[-1]->{mt} != TLSProxy::Message::MT_FINISHED; @@ -605,5 +621,79 @@ sub not_on_record_boundary $record->data($data); $record->len(length $data); push @{$records}, $record; + } else { + return if @{$proxy->{message_list}}[-1]->{mt} + != TLSProxy::Message::MT_FINISHED; + + my $record = TLSProxy::Record->new( + 1, + TLSProxy::Record::RT_APPLICATION_DATA, + TLSProxy::Record::VERS_TLS_1_2, + 0, + 0, + 0, + 0, + "", + "" + ); + + #Add a partial KeyUpdate message into the record + $data = pack "C1", + 0x18; # KeyUpdate message type. Omit the rest of the message header + + #Add content type and tag + $data .= pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16); + + $record->data($data); + $record->len(length $data); + push @{$records}, $record; + + if ($boundary_test_type == DATA_BETWEEN_KEY_UPDATE) { + #Now add an app data record + $record = TLSProxy::Record->new( + 1, + TLSProxy::Record::RT_APPLICATION_DATA, + TLSProxy::Record::VERS_TLS_1_2, + 0, + 0, + 0, + 0, + "", + "" + ); + + #Add an empty app data record (just content type and tag) + $data = pack("C", TLSProxy::Record::RT_APPLICATION_DATA).("\0"x16); + + $record->data($data); + $record->len(length $data); + push @{$records}, $record; + } + + #Now add the rest of the KeyUpdate message + $record = TLSProxy::Record->new( + 1, + TLSProxy::Record::RT_APPLICATION_DATA, + TLSProxy::Record::VERS_TLS_1_2, + 0, + 0, + 0, + 0, + "", + "" + ); + + #Add the last 4 bytes of the KeyUpdate record + $data = pack "C4", + 0x00, 0x00, 0x01, # Message length + 0x00; # Update not requested + + #Add content type and tag + $data .= pack("C", TLSProxy::Record::RT_HANDSHAKE).("\0"x16); + + $record->data($data); + $record->len(length $data); + push @{$records}, $record; + } } diff --git a/deps/openssl/openssl/test/recipes/80-test_ssl_new.t b/deps/openssl/openssl/test/recipes/80-test_ssl_new.t index db2271c388..81d8f59a70 100644 --- a/deps/openssl/openssl/test/recipes/80-test_ssl_new.t +++ b/deps/openssl/openssl/test/recipes/80-test_ssl_new.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2015-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -28,7 +28,7 @@ map { s/\^// } @conf_files if $^O eq "VMS"; # We hard-code the number of tests to double-check that the globbing above # finds all files as expected. -plan tests => 28; # = scalar @conf_srcs +plan tests => 29; # = scalar @conf_srcs # Some test results depend on the configuration of enabled protocols. We only # verify generated sources in the default configuration. @@ -102,6 +102,7 @@ my %skip = ( "24-padding.conf" => disabled("tls1_3"), "25-cipher.conf" => disabled("ec") || disabled("tls1_2"), "26-tls13_client_auth.conf" => disabled("tls1_3"), + "29-dtls-sctp-label-bug.conf" => disabled("sctp") || disabled("sock"), ); foreach my $conf (@conf_files) { diff --git a/deps/openssl/openssl/test/recipes/90-test_bio_memleak.t b/deps/openssl/openssl/test/recipes/90-test_bio_memleak.t new file mode 100644 index 0000000000..1e063ed03d --- /dev/null +++ b/deps/openssl/openssl/test/recipes/90-test_bio_memleak.t @@ -0,0 +1,12 @@ +#! /usr/bin/env perl +# Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the OpenSSL license (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +use OpenSSL::Test::Simple; + +simple_test("test_bio_memleak", "bio_memleak_test"); diff --git a/deps/openssl/openssl/test/recipes/90-test_gost.t b/deps/openssl/openssl/test/recipes/90-test_gost.t index c7bbb4edd8..de9b0bfa04 100644 --- a/deps/openssl/openssl/test/recipes/90-test_gost.t +++ b/deps/openssl/openssl/test/recipes/90-test_gost.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -12,11 +12,11 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/; setup("test_gost"); # The GOST ciphers are dynamically loaded via the GOST engine, so we must be -# able to support that. The engine also uses DSA and CMS symbols, so we skip -# this test on no-dsa or no-cms. +# able to support that. The engine also uses DSA, CMS and CMAC symbols, so we +# skip this test on no-dsa, no-cms or no-cmac. plan skip_all => "GOST support is disabled in this OpenSSL build" if disabled("gost") || disabled("engine") || disabled("dynamic-engine") - || disabled("dsa") || disabled("cms"); + || disabled("dsa") || disabled("cms") || disabled("cmac"); plan skip_all => "TLSv1.3 or TLSv1.2 are disabled in this OpenSSL build" if disabled("tls1_3") || disabled("tls1_2"); diff --git a/deps/openssl/openssl/test/recipes/90-test_includes.t b/deps/openssl/openssl/test/recipes/90-test_includes.t index 5169700c4c..c6a86fc009 100644 --- a/deps/openssl/openssl/test/recipes/90-test_includes.t +++ b/deps/openssl/openssl/test/recipes/90-test_includes.t @@ -11,11 +11,13 @@ plan skip_all => "test_includes doesn't work without posix-io" if disabled("posix-io"); plan tests => # The number of tests being performed - 3 + 5 + ($^O eq "VMS" ? 2 : 0); ok(run(test(["conf_include_test", data_file("includes.cnf")])), "test directory includes"); ok(run(test(["conf_include_test", data_file("includes-file.cnf")])), "test file includes"); +ok(run(test(["conf_include_test", data_file("includes-eq.cnf")])), "test includes with equal character"); +ok(run(test(["conf_include_test", data_file("includes-eq-ws.cnf")])), "test includes with equal and whitespaces"); if ($^O eq "VMS") { ok(run(test(["conf_include_test", data_file("vms-includes.cnf")])), "test directory includes, VMS syntax"); diff --git a/deps/openssl/openssl/test/recipes/90-test_includes_data/includes-eq-ws.cnf b/deps/openssl/openssl/test/recipes/90-test_includes_data/includes-eq-ws.cnf new file mode 100644 index 0000000000..38109a7ab3 --- /dev/null +++ b/deps/openssl/openssl/test/recipes/90-test_includes_data/includes-eq-ws.cnf @@ -0,0 +1,5 @@ +# +# Example configuration file using includes. +# + +.include = conf-includes diff --git a/deps/openssl/openssl/test/recipes/90-test_includes_data/includes-eq.cnf b/deps/openssl/openssl/test/recipes/90-test_includes_data/includes-eq.cnf new file mode 100644 index 0000000000..9d3715854b --- /dev/null +++ b/deps/openssl/openssl/test/recipes/90-test_includes_data/includes-eq.cnf @@ -0,0 +1,5 @@ +# +# Example configuration file using includes. +# + +.include=conf-includes diff --git a/deps/openssl/openssl/test/recipes/90-test_shlibload.t b/deps/openssl/openssl/test/recipes/90-test_shlibload.t index 2761d58502..8372a61e88 100644 --- a/deps/openssl/openssl/test/recipes/90-test_shlibload.t +++ b/deps/openssl/openssl/test/recipes/90-test_shlibload.t @@ -1,5 +1,5 @@ #! /usr/bin/env perl -# Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. +# Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. # # Licensed under the OpenSSL license (the "License"). You may not use # this file except in compliance with the License. You can obtain a copy @@ -8,6 +8,7 @@ use OpenSSL::Test qw/:DEFAULT bldtop_dir bldtop_file/; use OpenSSL::Test::Utils; +use File::Temp qw(tempfile); #Load configdata.pm @@ -19,8 +20,10 @@ use configdata; plan skip_all => "Test only supported in a shared build" if disabled("shared"); plan skip_all => "Test is disabled on AIX" if config('target') =~ m|^aix|; +plan skip_all => "Test is disabled on VMS" if config('target') =~ m|^vms|; +plan skip_all => "Test only supported in a dso build" if disabled("dso"); -plan tests => 4; +plan tests => 10; # When libssl and libcrypto are compiled on Linux with "-rpath", but not # "--enable-new-dtags", the RPATH takes precedence over LD_LIBRARY_PATH, @@ -30,14 +33,31 @@ plan tests => 4; my $libcrypto = bldtop_file(shlib('libcrypto')); my $libssl = bldtop_file(shlib('libssl')); -ok(run(test(["shlibloadtest", "-crypto_first", $libcrypto, $libssl])), - "running shlibloadtest -crypto_first"); -ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl])), - "running shlibloadtest -ssl_first"); -ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl])), - "running shlibloadtest -just_crypto"); -ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl])), - "running shlibloadtest -dso_ref"); +(my $fh, my $filename) = tempfile(); +ok(run(test(["shlibloadtest", "-crypto_first", $libcrypto, $libssl, $filename])), + "running shlibloadtest -crypto_first $filename"); +ok(check_atexit($fh)); +unlink $filename; +($fh, $filename) = tempfile(); +ok(run(test(["shlibloadtest", "-ssl_first", $libcrypto, $libssl, $filename])), + "running shlibloadtest -ssl_first $filename"); +ok(check_atexit($fh)); +unlink $filename; +($fh, $filename) = tempfile(); +ok(run(test(["shlibloadtest", "-just_crypto", $libcrypto, $libssl, $filename])), + "running shlibloadtest -just_crypto $filename"); +ok(check_atexit($fh)); +unlink $filename; +($fh, $filename) = tempfile(); +ok(run(test(["shlibloadtest", "-dso_ref", $libcrypto, $libssl, $filename])), + "running shlibloadtest -dso_ref $filename"); +ok(check_atexit($fh)); +unlink $filename; +($fh, $filename) = tempfile(); +ok(run(test(["shlibloadtest", "-no_atexit", $libcrypto, $libssl, $filename])), + "running shlibloadtest -no_atexit $filename"); +ok(!check_atexit($fh)); +unlink $filename; sub shlib { my $lib = shift; @@ -50,3 +70,12 @@ sub shlib { |.$config{shlib_version_number}|x; return $lib; } + +sub check_atexit { + my $fh = shift; + my $data = <$fh>; + + return 1 if (defined $data && $data =~ m/atexit\(\) run/); + + return 0; +} diff --git a/deps/openssl/openssl/test/shlibloadtest.c b/deps/openssl/openssl/test/shlibloadtest.c index 53714aa125..86bbfcd849 100644 --- a/deps/openssl/openssl/test/shlibloadtest.c +++ b/deps/openssl/openssl/test/shlibloadtest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -14,13 +14,14 @@ #include <openssl/ssl.h> #include <openssl/ossl_typ.h> #include "internal/dso_conf.h" -#include "testutil.h" typedef void DSO; typedef const SSL_METHOD * (*TLS_method_t)(void); typedef SSL_CTX * (*SSL_CTX_new_t)(const SSL_METHOD *meth); typedef void (*SSL_CTX_free_t)(SSL_CTX *); +typedef int (*OPENSSL_init_crypto_t)(uint64_t, void *); +typedef int (*OPENSSL_atexit_t)(void (*handler)(void)); typedef unsigned long (*ERR_get_error_t)(void); typedef unsigned long (*OpenSSL_version_num_t)(void); typedef DSO * (*DSO_dsobyaddr_t)(void (*addr)(void), int flags); @@ -30,12 +31,14 @@ typedef enum test_types_en { CRYPTO_FIRST, SSL_FIRST, JUST_CRYPTO, - DSO_REFTEST + DSO_REFTEST, + NO_ATEXIT } TEST_TYPE; static TEST_TYPE test_type; static const char *path_crypto; static const char *path_ssl; +static const char *path_atexit; #ifdef DSO_DLFCN @@ -99,6 +102,20 @@ static int shlib_close(SHLIB lib) #if defined(DSO_DLFCN) || defined(DSO_WIN32) +static int atexit_handler_done = 0; + +static void atexit_handler(void) +{ + FILE *atexit_file = fopen(path_atexit, "w"); + + if (atexit_file == NULL) + return; + + fprintf(atexit_file, "atexit() run\n"); + fclose(atexit_file); + atexit_handler_done++; +} + static int test_lib(void) { SHLIB ssllib = SHLIB_INIT; @@ -113,64 +130,93 @@ static int test_lib(void) SSL_CTX_free_t mySSL_CTX_free; ERR_get_error_t myERR_get_error; OpenSSL_version_num_t myOpenSSL_version_num; + OPENSSL_atexit_t myOPENSSL_atexit; int result = 0; switch (test_type) { case JUST_CRYPTO: - if (!TEST_true(shlib_load(path_crypto, &cryptolib))) - goto end; - break; + case DSO_REFTEST: + case NO_ATEXIT: case CRYPTO_FIRST: - if (!TEST_true(shlib_load(path_crypto, &cryptolib)) - || !TEST_true(shlib_load(path_ssl, &ssllib))) + if (!shlib_load(path_crypto, &cryptolib)) { + fprintf(stderr, "Failed to load libcrypto\n"); goto end; - break; + } + if (test_type != CRYPTO_FIRST) + break; + /* Fall through */ + case SSL_FIRST: - if (!TEST_true(shlib_load(path_ssl, &ssllib)) - || !TEST_true(shlib_load(path_crypto, &cryptolib))) + if (!shlib_load(path_ssl, &ssllib)) { + fprintf(stderr, "Failed to load libssl\n"); goto end; - break; - case DSO_REFTEST: - if (!TEST_true(shlib_load(path_crypto, &cryptolib))) + } + if (test_type != SSL_FIRST) + break; + if (!shlib_load(path_crypto, &cryptolib)) { + fprintf(stderr, "Failed to load libcrypto\n"); goto end; + } break; } - if (test_type != JUST_CRYPTO && test_type != DSO_REFTEST) { - if (!TEST_true(shlib_sym(ssllib, "TLS_method", &symbols[0].sym)) - || !TEST_true(shlib_sym(ssllib, "SSL_CTX_new", &symbols[1].sym)) - || !TEST_true(shlib_sym(ssllib, "SSL_CTX_free", &symbols[2].sym))) + if (test_type == NO_ATEXIT) { + OPENSSL_init_crypto_t myOPENSSL_init_crypto; + + if (!shlib_sym(cryptolib, "OPENSSL_init_crypto", &symbols[0].sym)) { + fprintf(stderr, "Failed to load OPENSSL_init_crypto symbol\n"); + goto end; + } + myOPENSSL_init_crypto = (OPENSSL_init_crypto_t)symbols[0].func; + if (!myOPENSSL_init_crypto(OPENSSL_INIT_NO_ATEXIT, NULL)) { + fprintf(stderr, "Failed to initialise libcrypto\n"); + goto end; + } + } + + if (test_type != JUST_CRYPTO + && test_type != DSO_REFTEST + && test_type != NO_ATEXIT) { + if (!shlib_sym(ssllib, "TLS_method", &symbols[0].sym) + || !shlib_sym(ssllib, "SSL_CTX_new", &symbols[1].sym) + || !shlib_sym(ssllib, "SSL_CTX_free", &symbols[2].sym)) { + fprintf(stderr, "Failed to load libssl symbols\n"); goto end; + } myTLS_method = (TLS_method_t)symbols[0].func; mySSL_CTX_new = (SSL_CTX_new_t)symbols[1].func; mySSL_CTX_free = (SSL_CTX_free_t)symbols[2].func; - if (!TEST_ptr(ctx = mySSL_CTX_new(myTLS_method()))) + ctx = mySSL_CTX_new(myTLS_method()); + if (ctx == NULL) { + fprintf(stderr, "Failed to create SSL_CTX\n"); goto end; + } mySSL_CTX_free(ctx); } - if (!TEST_true(shlib_sym(cryptolib, "ERR_get_error", &symbols[0].sym)) - || !TEST_true(shlib_sym(cryptolib, "OpenSSL_version_num", - &symbols[1].sym))) + if (!shlib_sym(cryptolib, "ERR_get_error", &symbols[0].sym) + || !shlib_sym(cryptolib, "OpenSSL_version_num", &symbols[1].sym) + || !shlib_sym(cryptolib, "OPENSSL_atexit", &symbols[2].sym)) { + fprintf(stderr, "Failed to load libcrypto symbols\n"); goto end; + } myERR_get_error = (ERR_get_error_t)symbols[0].func; - if (!TEST_int_eq(myERR_get_error(), 0)) + if (myERR_get_error() != 0) { + fprintf(stderr, "Unexpected ERR_get_error() response\n"); goto end; + } - /* - * The bits that COMPATIBILITY_MASK lets through MUST be the same in - * the library and in the application. - * The bits that are masked away MUST be a larger or equal number in - * the library compared to the application. - */ -# define COMPATIBILITY_MASK 0xfff00000L myOpenSSL_version_num = (OpenSSL_version_num_t)symbols[1].func; - if (!TEST_int_eq(myOpenSSL_version_num() & COMPATIBILITY_MASK, - OPENSSL_VERSION_NUMBER & COMPATIBILITY_MASK)) + if (myOpenSSL_version_num() != OPENSSL_VERSION_NUMBER) { + fprintf(stderr, "Invalid library version number\n"); goto end; - if (!TEST_int_ge(myOpenSSL_version_num() & ~COMPATIBILITY_MASK, - OPENSSL_VERSION_NUMBER & ~COMPATIBILITY_MASK)) + } + + myOPENSSL_atexit = (OPENSSL_atexit_t)symbols[2].func; + if (!myOPENSSL_atexit(atexit_handler)) { + fprintf(stderr, "Failed to register atexit handler\n"); goto end; + } if (test_type == DSO_REFTEST) { # ifdef DSO_DLFCN @@ -185,10 +231,11 @@ static int test_lib(void) * will always return an error, because DSO_pathbyaddr() is not * implemented there. */ - if (!TEST_true(shlib_sym(cryptolib, "DSO_dsobyaddr", &symbols[0].sym)) - || !TEST_true(shlib_sym(cryptolib, "DSO_free", - &symbols[1].sym))) + if (!shlib_sym(cryptolib, "DSO_dsobyaddr", &symbols[0].sym) + || !shlib_sym(cryptolib, "DSO_free", &symbols[1].sym)) { + fprintf(stderr, "Unable to load DSO symbols\n"); goto end; + } myDSO_dsobyaddr = (DSO_dsobyaddr_t)symbols[0].func; myDSO_free = (DSO_free_t)symbols[1].func; @@ -196,33 +243,44 @@ static int test_lib(void) { DSO *hndl; /* use known symbol from crypto module */ - if (!TEST_ptr(hndl = myDSO_dsobyaddr((void (*)(void))ERR_get_error, 0))) + hndl = myDSO_dsobyaddr((void (*)(void))myERR_get_error, 0); + if (hndl == NULL) { + fprintf(stderr, "DSO_dsobyaddr() failed\n"); goto end; + } myDSO_free(hndl); } # endif /* DSO_DLFCN */ } - switch (test_type) { - case JUST_CRYPTO: - if (!TEST_true(shlib_close(cryptolib))) - goto end; - break; - case CRYPTO_FIRST: - if (!TEST_true(shlib_close(cryptolib)) - || !TEST_true(shlib_close(ssllib))) - goto end; - break; - case SSL_FIRST: - if (!TEST_true(shlib_close(ssllib)) - || !TEST_true(shlib_close(cryptolib))) - goto end; - break; - case DSO_REFTEST: - if (!TEST_true(shlib_close(cryptolib))) + if (!shlib_close(cryptolib)) { + fprintf(stderr, "Failed to close libcrypto\n"); + goto end; + } + + if (test_type == CRYPTO_FIRST || test_type == SSL_FIRST) { + if (!shlib_close(ssllib)) { + fprintf(stderr, "Failed to close libssl\n"); goto end; - break; + } + } + +# if defined(OPENSSL_NO_PINSHARED) \ + && defined(__GLIBC__) \ + && defined(__GLIBC_PREREQ) \ + && defined(OPENSSL_SYS_LINUX) +# if __GLIBC_PREREQ(2, 3) + /* + * If we didn't pin the so then we are hopefully on a platform that supports + * running atexit() on so unload. If not we might crash. We know this is + * true on linux since glibc 2.2.3 + */ + if (test_type != NO_ATEXIT && atexit_handler_done != 1) { + fprintf(stderr, "atexit() handler did not run\n"); + goto end; } +# endif +# endif result = 1; end: @@ -231,9 +289,21 @@ end: #endif -int setup_tests(void) +/* + * shlibloadtest should not use the normal test framework because we don't want + * it to link against libcrypto (which the framework uses). The point of the + * test is to check dynamic loading and unloading of libcrypto/libssl. + */ +int main(int argc, char *argv[]) { - const char *p = test_get_argument(0); + const char *p; + + if (argc != 5) { + fprintf(stderr, "Incorrect number of arguments\n"); + return 1; + } + + p = argv[1]; if (strcmp(p, "-crypto_first") == 0) { test_type = CRYPTO_FIRST; @@ -242,17 +312,24 @@ int setup_tests(void) } else if (strcmp(p, "-just_crypto") == 0) { test_type = JUST_CRYPTO; } else if (strcmp(p, "-dso_ref") == 0) { - test_type = JUST_CRYPTO; + test_type = DSO_REFTEST; + } else if (strcmp(p, "-no_atexit") == 0) { + test_type = NO_ATEXIT; } else { - TEST_error("Unrecognised argument"); - return 0; + fprintf(stderr, "Unrecognised argument\n"); + return 1; + } + path_crypto = argv[2]; + path_ssl = argv[3]; + path_atexit = argv[4]; + if (path_crypto == NULL || path_ssl == NULL) { + fprintf(stderr, "Invalid libcrypto/libssl path\n"); + return 1; } - if (!TEST_ptr(path_crypto = test_get_argument(1)) - || !TEST_ptr(path_ssl = test_get_argument(2))) - return 0; #if defined(DSO_DLFCN) || defined(DSO_WIN32) - ADD_TEST(test_lib); + if (!test_lib()) + return 1; #endif - return 1; + return 0; } diff --git a/deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.conf b/deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.conf new file mode 100644 index 0000000000..2cd9bb1389 --- /dev/null +++ b/deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.conf @@ -0,0 +1,114 @@ +# Generated with generate_ssl_tests.pl + +num_tests = 4 + +test-0 = 0-SCTPLabelBug-good1 +test-1 = 1-SCTPLabelBug-good2 +test-2 = 2-SCTPLabelBug-bad1 +test-3 = 3-SCTPLabelBug-bad2 +# =========================================================== + +[0-SCTPLabelBug-good1] +ssl_conf = 0-SCTPLabelBug-good1-ssl + +[0-SCTPLabelBug-good1-ssl] +server = 0-SCTPLabelBug-good1-server +client = 0-SCTPLabelBug-good1-client + +[0-SCTPLabelBug-good1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[0-SCTPLabelBug-good1-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-0] +EnableClientSCTPLabelBug = No +EnableServerSCTPLabelBug = No +ExpectedResult = Success +Method = DTLS +UseSCTP = Yes + + +# =========================================================== + +[1-SCTPLabelBug-good2] +ssl_conf = 1-SCTPLabelBug-good2-ssl + +[1-SCTPLabelBug-good2-ssl] +server = 1-SCTPLabelBug-good2-server +client = 1-SCTPLabelBug-good2-client + +[1-SCTPLabelBug-good2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[1-SCTPLabelBug-good2-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-1] +EnableClientSCTPLabelBug = Yes +EnableServerSCTPLabelBug = Yes +ExpectedResult = Success +Method = DTLS +UseSCTP = Yes + + +# =========================================================== + +[2-SCTPLabelBug-bad1] +ssl_conf = 2-SCTPLabelBug-bad1-ssl + +[2-SCTPLabelBug-bad1-ssl] +server = 2-SCTPLabelBug-bad1-server +client = 2-SCTPLabelBug-bad1-client + +[2-SCTPLabelBug-bad1-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[2-SCTPLabelBug-bad1-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-2] +EnableClientSCTPLabelBug = Yes +EnableServerSCTPLabelBug = No +ExpectedResult = ClientFail +Method = DTLS +UseSCTP = Yes + + +# =========================================================== + +[3-SCTPLabelBug-bad2] +ssl_conf = 3-SCTPLabelBug-bad2-ssl + +[3-SCTPLabelBug-bad2-ssl] +server = 3-SCTPLabelBug-bad2-server +client = 3-SCTPLabelBug-bad2-client + +[3-SCTPLabelBug-bad2-server] +Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem +CipherString = DEFAULT +PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +[3-SCTPLabelBug-bad2-client] +CipherString = DEFAULT +VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem +VerifyMode = Peer + +[test-3] +EnableClientSCTPLabelBug = No +EnableServerSCTPLabelBug = Yes +ExpectedResult = ClientFail +Method = DTLS +UseSCTP = Yes diff --git a/deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.conf.in b/deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.conf.in new file mode 100644 index 0000000000..97476999b8 --- /dev/null +++ b/deps/openssl/openssl/test/ssl-tests/29-dtls-sctp-label-bug.conf.in @@ -0,0 +1,67 @@ +# -*- mode: perl; -*- +# Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. +# +# Licensed under the Apache License 2.0 (the "License"). You may not use +# this file except in compliance with the License. You can obtain a copy +# in the file LICENSE in the source distribution or at +# https://www.openssl.org/source/license.html + + +## Test SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG handling + +use strict; +use warnings; + +package ssltests; +use OpenSSL::Test::Utils; + +our @tests = ( + { + name => "SCTPLabelBug-good1", + server => {}, + client => {}, + test => { + "Method" => "DTLS", + "UseSCTP" => "Yes", + "EnableClientSCTPLabelBug" => "No", + "EnableServerSCTPLabelBug" => "No", + "ExpectedResult" => "Success" + } + }, + { + name => "SCTPLabelBug-good2", + server => {}, + client => {}, + test => { + "Method" => "DTLS", + "UseSCTP" => "Yes", + "EnableClientSCTPLabelBug" => "Yes", + "EnableServerSCTPLabelBug" => "Yes", + "ExpectedResult" => "Success" + } + }, + { + name => "SCTPLabelBug-bad1", + server => {}, + client => {}, + test => { + "Method" => "DTLS", + "UseSCTP" => "Yes", + "EnableClientSCTPLabelBug" => "Yes", + "EnableServerSCTPLabelBug" => "No", + "ExpectedResult" => "ClientFail" + } + }, + { + name => "SCTPLabelBug-bad2", + server => {}, + client => {}, + test => { + "Method" => "DTLS", + "UseSCTP" => "Yes", + "EnableClientSCTPLabelBug" => "No", + "EnableServerSCTPLabelBug" => "Yes", + "ExpectedResult" => "ClientFail" + } + }, +); diff --git a/deps/openssl/openssl/test/ssl_test_ctx.c b/deps/openssl/openssl/test/ssl_test_ctx.c index 753338530d..6cdced5a16 100644 --- a/deps/openssl/openssl/test/ssl_test_ctx.c +++ b/deps/openssl/openssl/test/ssl_test_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -446,6 +446,8 @@ const char *ssl_ct_validation_name(ssl_ct_validation_t mode) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, resumption_expected) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_SERVER_CONF, server, broken_session_ticket) IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, use_sctp) +IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, enable_client_sctp_label_bug) +IMPLEMENT_SSL_TEST_BOOL_OPTION(SSL_TEST_CTX, test, enable_server_sctp_label_bug) /* CertStatus */ @@ -669,6 +671,8 @@ static const ssl_test_ctx_option ssl_test_ctx_options[] = { { "ExpectedClientSignType", &parse_expected_client_sign_type }, { "ExpectedClientCANames", &parse_expected_client_ca_names }, { "UseSCTP", &parse_test_use_sctp }, + { "EnableClientSCTPLabelBug", &parse_test_enable_client_sctp_label_bug }, + { "EnableServerSCTPLabelBug", &parse_test_enable_server_sctp_label_bug }, { "ExpectedCipher", &parse_test_expected_cipher }, { "ExpectedSessionTicketAppData", &parse_test_expected_session_ticket_app_data }, }; diff --git a/deps/openssl/openssl/test/ssl_test_ctx.h b/deps/openssl/openssl/test/ssl_test_ctx.h index 86d227d865..36d73f752c 100644 --- a/deps/openssl/openssl/test/ssl_test_ctx.h +++ b/deps/openssl/openssl/test/ssl_test_ctx.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -214,6 +214,10 @@ typedef struct { STACK_OF(X509_NAME) *expected_client_ca_names; /* Whether to use SCTP for the transport */ int use_sctp; + /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on client side */ + int enable_client_sctp_label_bug; + /* Enable SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG on server side */ + int enable_server_sctp_label_bug; /* Whether to expect a session id from the server */ ssl_session_id_t session_id_expected; char *expected_cipher; diff --git a/deps/openssl/openssl/test/sslapitest.c b/deps/openssl/openssl/test/sslapitest.c index 108d57e478..2261fe4a7a 100644 --- a/deps/openssl/openssl/test/sslapitest.c +++ b/deps/openssl/openssl/test/sslapitest.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -4028,20 +4028,25 @@ static int test_serverinfo(int tst) * no test vectors so all we do is test that both sides of the communication * produce the same results for different protocol versions. */ +#define SMALL_LABEL_LEN 10 +#define LONG_LABEL_LEN 249 static int test_export_key_mat(int tst) { int testresult = 0; SSL_CTX *cctx = NULL, *sctx = NULL, *sctx2 = NULL; SSL *clientssl = NULL, *serverssl = NULL; - const char label[] = "test label"; + const char label[LONG_LABEL_LEN + 1] = "test label"; const unsigned char context[] = "context"; const unsigned char *emptycontext = NULL; unsigned char ckeymat1[80], ckeymat2[80], ckeymat3[80]; unsigned char skeymat1[80], skeymat2[80], skeymat3[80]; + size_t labellen; const int protocols[] = { TLS1_VERSION, TLS1_1_VERSION, TLS1_2_VERSION, + TLS1_3_VERSION, + TLS1_3_VERSION, TLS1_3_VERSION }; @@ -4058,7 +4063,7 @@ static int test_export_key_mat(int tst) return 1; #endif #ifdef OPENSSL_NO_TLS1_3 - if (tst == 3) + if (tst >= 3) return 1; #endif if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), TLS_client_method(), @@ -4076,33 +4081,52 @@ static int test_export_key_mat(int tst) SSL_ERROR_NONE))) goto end; + if (tst == 5) { + /* + * TLSv1.3 imposes a maximum label len of 249 bytes. Check we fail if we + * go over that. + */ + if (!TEST_int_le(SSL_export_keying_material(clientssl, ckeymat1, + sizeof(ckeymat1), label, + LONG_LABEL_LEN + 1, context, + sizeof(context) - 1, 1), 0)) + goto end; + + testresult = 1; + goto end; + } else if (tst == 4) { + labellen = LONG_LABEL_LEN; + } else { + labellen = SMALL_LABEL_LEN; + } + if (!TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat1, sizeof(ckeymat1), label, - sizeof(label) - 1, context, + labellen, context, sizeof(context) - 1, 1), 1) || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat2, sizeof(ckeymat2), label, - sizeof(label) - 1, + labellen, emptycontext, 0, 1), 1) || !TEST_int_eq(SSL_export_keying_material(clientssl, ckeymat3, sizeof(ckeymat3), label, - sizeof(label) - 1, + labellen, NULL, 0, 0), 1) || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat1, sizeof(skeymat1), label, - sizeof(label) - 1, + labellen, context, sizeof(context) -1, 1), 1) || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat2, sizeof(skeymat2), label, - sizeof(label) - 1, + labellen, emptycontext, 0, 1), 1) || !TEST_int_eq(SSL_export_keying_material(serverssl, skeymat3, sizeof(skeymat3), label, - sizeof(label) - 1, + labellen, NULL, 0, 0), 1) /* * Check that both sides created the same key material with the @@ -4131,10 +4155,10 @@ static int test_export_key_mat(int tst) * Check that an empty context and no context produce different results in * protocols less than TLSv1.3. In TLSv1.3 they should be the same. */ - if ((tst != 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, + if ((tst < 3 && !TEST_mem_ne(ckeymat2, sizeof(ckeymat2), ckeymat3, sizeof(ckeymat3))) - || (tst ==3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, - sizeof(ckeymat3)))) + || (tst >= 3 && !TEST_mem_eq(ckeymat2, sizeof(ckeymat2), ckeymat3, + sizeof(ckeymat3)))) goto end; testresult = 1; @@ -4226,6 +4250,58 @@ static int test_export_key_mat_early(int idx) return testresult; } + +#define NUM_KEY_UPDATE_MESSAGES 40 +/* + * Test KeyUpdate. + */ +static int test_key_update(void) +{ + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; + int testresult = 0, i, j; + char buf[20]; + static char *mess = "A test message"; + + if (!TEST_true(create_ssl_ctx_pair(TLS_server_method(), + TLS_client_method(), + TLS1_3_VERSION, + 0, + &sctx, &cctx, cert, privkey)) + || !TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, + NULL, NULL)) + || !TEST_true(create_ssl_connection(serverssl, clientssl, + SSL_ERROR_NONE))) + goto end; + + for (j = 0; j < 2; j++) { + /* Send lots of KeyUpdate messages */ + for (i = 0; i < NUM_KEY_UPDATE_MESSAGES; i++) { + if (!TEST_true(SSL_key_update(clientssl, + (j == 0) + ? SSL_KEY_UPDATE_NOT_REQUESTED + : SSL_KEY_UPDATE_REQUESTED)) + || !TEST_true(SSL_do_handshake(clientssl))) + goto end; + } + + /* Check that sending and receiving app data is ok */ + if (!TEST_int_eq(SSL_write(clientssl, mess, strlen(mess)), strlen(mess)) + || !TEST_int_eq(SSL_read(serverssl, buf, sizeof(buf)), + strlen(mess))) + goto end; + } + + testresult = 1; + + end: + SSL_free(serverssl); + SSL_free(clientssl); + SSL_CTX_free(sctx); + SSL_CTX_free(cctx); + + return testresult; +} #endif /* OPENSSL_NO_TLS1_3 */ static int test_ssl_clear(int idx) @@ -4710,18 +4786,14 @@ static struct info_cb_states_st { {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWSC"}, {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TWST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, - {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, - {SSL_CB_LOOP, "TWSH"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, - {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, - {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRFIN"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_EXIT, NULL}, {0, NULL}, + {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, + {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, + {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, + {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TRCH"}, {SSL_CB_LOOP, "TWSH"}, + {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWEE"}, {SSL_CB_LOOP, "TWFIN"}, + {SSL_CB_LOOP, "TED"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TED"}, + {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, + {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, }, { /* TLSv1.3 client followed by resumption */ {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, @@ -4729,20 +4801,16 @@ static struct info_cb_states_st { {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRSC"}, {SSL_CB_LOOP, "TRSCV"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, - {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, + {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, + {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, + {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {SSL_CB_ALERT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "TWCH"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TWCCS"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, - {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "SSLOK "}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, + {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, + {SSL_CB_EXIT, NULL}, {0, NULL}, }, { /* TLSv1.3 server, early_data */ {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "PINIT "}, @@ -4751,8 +4819,7 @@ static struct info_cb_states_st { {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TRFIN"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "TWST"}, {SSL_CB_HANDSHAKE_DONE, NULL}, + {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_LOOP, "TWST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, }, { /* TLSv1.3 client, early_data */ @@ -4763,9 +4830,8 @@ static struct info_cb_states_st { {SSL_CB_LOOP, "TED"}, {SSL_CB_LOOP, "TRSH"}, {SSL_CB_LOOP, "TREE"}, {SSL_CB_LOOP, "TRFIN"}, {SSL_CB_LOOP, "TPEDE"}, {SSL_CB_LOOP, "TWEOED"}, {SSL_CB_LOOP, "TWFIN"}, {SSL_CB_HANDSHAKE_DONE, NULL}, - {SSL_CB_EXIT, NULL}, {SSL_CB_HANDSHAKE_START, NULL}, - {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "TRST"}, - {SSL_CB_HANDSHAKE_DONE, NULL}, {SSL_CB_EXIT, NULL}, {0, NULL}, + {SSL_CB_EXIT, NULL}, {SSL_CB_LOOP, "SSLOK "}, {SSL_CB_LOOP, "SSLOK "}, + {SSL_CB_LOOP, "TRST"}, {SSL_CB_EXIT, NULL}, {0, NULL}, }, { {0, NULL}, } @@ -4804,8 +4870,11 @@ static void sslapi_info_callback(const SSL *s, int where, int ret) return; } - /* Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init */ - if ((where & SSL_CB_HANDSHAKE_DONE) && SSL_in_init((SSL *)s) != 0) { + /* + * Check that, if we've got SSL_CB_HANDSHAKE_DONE we are not in init + */ + if ((where & SSL_CB_HANDSHAKE_DONE) + && SSL_in_init((SSL *)s) != 0) { info_cb_failed = 1; return; } @@ -5384,7 +5453,7 @@ static int test_shutdown(int tst) if (tst == 3) { if (!TEST_true(create_bare_ssl_connection(serverssl, clientssl, - SSL_ERROR_NONE)) + SSL_ERROR_NONE, 1)) || !TEST_ptr_ne(sess = SSL_get_session(clientssl), NULL) || !TEST_false(SSL_SESSION_is_resumable(sess))) goto end; @@ -5909,9 +5978,10 @@ int setup_tests(void) ADD_ALL_TESTS(test_custom_exts, 3); #endif ADD_ALL_TESTS(test_serverinfo, 8); - ADD_ALL_TESTS(test_export_key_mat, 4); + ADD_ALL_TESTS(test_export_key_mat, 6); #ifndef OPENSSL_NO_TLS1_3 ADD_ALL_TESTS(test_export_key_mat_early, 3); + ADD_TEST(test_key_update); #endif ADD_ALL_TESTS(test_ssl_clear, 2); ADD_ALL_TESTS(test_max_fragment_len_ext, OSSL_NELEM(max_fragment_len_test)); diff --git a/deps/openssl/openssl/test/ssltest_old.c b/deps/openssl/openssl/test/ssltest_old.c index 92970776fd..36e6031f3a 100644 --- a/deps/openssl/openssl/test/ssltest_old.c +++ b/deps/openssl/openssl/test/ssltest_old.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved * Copyright 2005 Nokia. All rights reserved. * @@ -1382,11 +1382,52 @@ int main(int argc, char *argv[]) goto end; if (cipher != NULL) { - if (!SSL_CTX_set_cipher_list(c_ctx, cipher) - || !SSL_CTX_set_cipher_list(s_ctx, cipher) - || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) { - ERR_print_errors(bio_err); - goto end; + if (strcmp(cipher, "") == 0) { + if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) { + if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) { + ERR_clear_error(); + } else { + ERR_print_errors(bio_err); + goto end; + } + } else { + /* Should have failed when clearing all TLSv1.2 ciphers. */ + fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n"); + goto end; + } + + if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) { + if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) { + ERR_clear_error(); + } else { + ERR_print_errors(bio_err); + goto end; + } + } else { + /* Should have failed when clearing all TLSv1.2 ciphers. */ + fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n"); + goto end; + } + + if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) { + if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) { + ERR_clear_error(); + } else { + ERR_print_errors(bio_err); + goto end; + } + } else { + /* Should have failed when clearing all TLSv1.2 ciphers. */ + fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n"); + goto end; + } + } else { + if (!SSL_CTX_set_cipher_list(c_ctx, cipher) + || !SSL_CTX_set_cipher_list(s_ctx, cipher) + || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) { + ERR_print_errors(bio_err); + goto end; + } } } if (ciphersuites != NULL) { diff --git a/deps/openssl/openssl/test/ssltestlib.c b/deps/openssl/openssl/test/ssltestlib.c index eafac3cc42..05139be750 100644 --- a/deps/openssl/openssl/test/ssltestlib.c +++ b/deps/openssl/openssl/test/ssltestlib.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -17,18 +17,28 @@ #ifdef OPENSSL_SYS_UNIX # include <unistd.h> -static ossl_inline void ossl_sleep(unsigned int millis) { +static ossl_inline void ossl_sleep(unsigned int millis) +{ +# ifdef OPENSSL_SYS_VXWORKS + struct timespec ts; + ts.tv_sec = (long int) (millis / 1000); + ts.tv_nsec = (long int) (millis % 1000) * 1000000ul; + nanosleep(&ts, NULL); +# else usleep(millis * 1000); +# endif } #elif defined(_WIN32) # include <windows.h> -static ossl_inline void ossl_sleep(unsigned int millis) { +static ossl_inline void ossl_sleep(unsigned int millis) +{ Sleep(millis); } #else /* Fallback to a busy wait */ -static ossl_inline void ossl_sleep(unsigned int millis) { +static ossl_inline void ossl_sleep(unsigned int millis) +{ struct timeval start, now; unsigned int elapsedms; @@ -428,7 +438,7 @@ int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, { MEMPACKET_TEST_CTX *ctx = BIO_get_data(bio); MEMPACKET *thispkt = NULL, *looppkt, *nextpkt, *allpkts[3]; - int i, duprec = ctx->duprec > 0; + int i, duprec; const unsigned char *inu = (const unsigned char *)in; size_t len = ((inu[RECORD_LEN_HI] << 8) | inu[RECORD_LEN_LO]) + DTLS1_RT_HEADER_LENGTH; @@ -441,6 +451,8 @@ int mempacket_test_inject(BIO *bio, const char *in, int inl, int pktnum, if ((size_t)inl == len) duprec = 0; + else + duprec = ctx->duprec > 0; /* We don't support arbitrary injection when duplicating records */ if (duprec && pktnum != -1) @@ -717,8 +729,12 @@ int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, /* * Create an SSL connection, but does not ready any post-handshake * NewSessionTicket messages. + * If |read| is set and we're using DTLS then we will attempt to SSL_read on + * the connection once we've completed one half of it, to ensure any retransmits + * get triggered. */ -int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want) +int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want, + int read) { int retc = -1, rets = -1, err, abortctr = 0; int clienterr = 0, servererr = 0; @@ -756,11 +772,24 @@ int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want) return 0; if (clienterr && servererr) return 0; - if (isdtls) { - if (rets > 0 && retc <= 0) - DTLSv1_handle_timeout(serverssl); - if (retc > 0 && rets <= 0) - DTLSv1_handle_timeout(clientssl); + if (isdtls && read) { + unsigned char buf[20]; + + /* Trigger any retransmits that may be appropriate */ + if (rets > 0 && retc <= 0) { + if (SSL_read(serverssl, buf, sizeof(buf)) > 0) { + /* We don't expect this to succeed! */ + TEST_info("Unexpected SSL_read() success!"); + return 0; + } + } + if (retc > 0 && rets <= 0) { + if (SSL_read(clientssl, buf, sizeof(buf)) > 0) { + /* We don't expect this to succeed! */ + TEST_info("Unexpected SSL_read() success!"); + return 0; + } + } } if (++abortctr == MAXLOOPS) { TEST_info("No progress made"); @@ -789,7 +818,7 @@ int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want) unsigned char buf; size_t readbytes; - if (!create_bare_ssl_connection(serverssl, clientssl, want)) + if (!create_bare_ssl_connection(serverssl, clientssl, want, 1)) return 0; /* diff --git a/deps/openssl/openssl/test/ssltestlib.h b/deps/openssl/openssl/test/ssltestlib.h index 27b040c3cf..fa19e7d80d 100644 --- a/deps/openssl/openssl/test/ssltestlib.h +++ b/deps/openssl/openssl/test/ssltestlib.h @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -18,7 +18,8 @@ int create_ssl_ctx_pair(const SSL_METHOD *sm, const SSL_METHOD *cm, char *privkeyfile); int create_ssl_objects(SSL_CTX *serverctx, SSL_CTX *clientctx, SSL **sssl, SSL **cssl, BIO *s_to_c_fbio, BIO *c_to_s_fbio); -int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want); +int create_bare_ssl_connection(SSL *serverssl, SSL *clientssl, int want, + int read); int create_ssl_connection(SSL *serverssl, SSL *clientssl, int want); void shutdown_ssl_connection(SSL *serverssl, SSL *clientssl); diff --git a/deps/openssl/openssl/test/testutil/main.c b/deps/openssl/openssl/test/testutil/main.c index 6781a5245a..d3ccdda391 100644 --- a/deps/openssl/openssl/test/testutil/main.c +++ b/deps/openssl/openssl/test/testutil/main.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2017 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -54,7 +54,7 @@ int main(int argc, char *argv[]) ret = pulldown_test_framework(ret); test_close_streams(); - return ret; + return ret; } const char *test_get_program_name(void) diff --git a/deps/openssl/openssl/test/x509aux.c b/deps/openssl/openssl/test/x509aux.c index c8bef0094d..e41f1f6809 100644 --- a/deps/openssl/openssl/test/x509aux.c +++ b/deps/openssl/openssl/test/x509aux.c @@ -1,5 +1,5 @@ /* - * Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL licenses, (the "License"); * you may not use this file except in compliance with the License. @@ -30,6 +30,7 @@ static int test_certs(int num) typedef int (*i2d_X509_t)(X509 *, unsigned char **); int err = 0; BIO *fp = BIO_new_file(test_get_argument(num), "r"); + X509 *reuse = NULL; if (!TEST_ptr(fp)) return 0; @@ -91,6 +92,13 @@ static int test_certs(int num) err = 1; goto next; } + p = buf; + reuse = d2i(&reuse, &p, enclen); + if (reuse == NULL || X509_cmp (reuse, cert)) { + TEST_error("X509_cmp does not work with %s", name); + err = 1; + goto next; + } OPENSSL_free(buf); buf = NULL; @@ -139,6 +147,7 @@ static int test_certs(int num) OPENSSL_free(data); } BIO_free(fp); + X509_free(reuse); if (ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) { /* Reached end of PEM file */ |