Add a test for the recently added function OSSL_ERR_STATE_save_to_mark().
We can just modify the existing test_save_restore() to add this in.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Hugo Landau <hlandau@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22368)
Creating JDK compatible pkcs12 files requires a bit more than just
adding the Trusted Key Usage OID to a certbag in the pkcs12 file.
Additionally the JDK currently requires that pkcs12 files setting this
oid _not_ contain any additional keys, and in response will produce
unpredictable results.
This could be solved by implying --nokeys when the pkcs12 utility is run
and the config option is set, but thatcould confuse users who didn't
specify nokeys on the command line. As such, remove the config file
setting for this feature, and replace it with a -jdktrust command line
option, that is documented to assert nokeys when a users specifies the
new command line option.
Fixes#22215
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22422)
Return SSL_SENT_SHUTDOWN and SSL_RECEIVED_SHUTDOWN with semantics
similar to TLS connections.
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22408)
Fixes#22225
In OBJ_nid2obj(), if the NID does not have an OID, then a pointer to
the special "undefined" ASN1_OBJECT is returned. Check for the
undefined-ASN1_OBJECT and return an error. Also, add a test for this
in 80-test_cms.t.
Testing:
#!/bin/bash -x
shopt -s expand_aliases
alias openssl="LD_LIBRARY_PATH=~/git/openssl ~/git/openssl/apps/openssl"
echo "This is a confidential message. It should be encrypted." > msg.txt
## this should fail b/c there is no OID for aes-256-ctr
openssl cms -encrypt -in msg.txt -aes-256-ctr -out msg.txt.cms -recip demos/cms/signer.pem
echo $?
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22392)
According to the manual page, EVP_PKEY_CTX_set0_rsa_oaep_label()
should accept NULL as the label argument, though the function
currently rejects it while setting the corresponding octet string
parameter with OSSL_PARAM_construct_octet_string, which expects
non-NULL input. This adds a workaround to the caller for backward
compatibility.
Signed-off-by: Daiki Ueno <dueno@redhat.com>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22397)
problem reported by: 2ourc3
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22355)
The semantics of ossl_ffc_validate_public_key() and
ossl_ffc_validate_public_key_partial() needs to be changed
to not return error on non-fatal problems.
Fixes#22287
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22291)
The lower priority 'and' seems to have some "interesting" interactions with
function argument parsing in some perl versions (presumably because 'and' is
lower priority than the comma).
For the lines that are changed here, perl v5.20.1 says this:
Useless use of string eq in void context at [.test.recipes]05-test_rand.t line 33.
Useless use of numeric eq (==) in void context at [.test.recipes]05-test_rand.t line 39.
Replacing 'and' with '&&' in these two cases fixes the problem.
Replacing
Reviewed-by: Hugo Landau <hlandau@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22331)
The BIO_addr test is failing on non-stop. The length of the data is larger
than the size we have allocated for it. We dynamically allocate instead.
Fixes#22218
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22294)
When running the tserver test we bail out if a timeout expires. We
shouldn't use fake time for that timeout, because fake time might never
actually get incremented.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22284)
If we wait for 100ms 600 times - then the test takes a minute to complete
which is far too long. The purpose of the wait is to give the assistance
thread a chance to catch up. We only do that if the event timeout has
actually expired - otherwise we are waiting for no reason.
Fixes#22156
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22284)
The test server cannot really cope with modifications
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22267)
A new type of noise is introduced in the noisy dgram bio
filter.
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22267)
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Tom Cosgrove <tom.cosgrove@arm.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22281)
ossl_property_list_to_string() didn't quote strings correctly which
could result in a generated property string being unparsable.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22182)
This commit adds `test_EVP_PKEY_sign_with_app_method`, a regression
test for the bug fix in commit 1acc3e8cc3 (pull request #22163).
It is analogous to `test_EVP_PKEY_sign`, only with a fake app method
based key. (The EC key test case was omitted, because there is no
`EC_KEY_METHOD_dup` method.)
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22185)
If either endpoint issues a PING frame while we are introducing noise
into the communication then there is a danger that the connection itself
will fail. We detect the PING and then back off on generating noise for a
short while. It should be sufficient to just ensure that the next datagram
does not get dropped for each endpoint.
Fixes#22199
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22243)
To improve Coverage mapping in Coveralls make it
possible to run test_ssl_trace() with enable-zlib
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22222)
Script 13 is a stress test which can timeout on some low powered platforms
or with some options that significantly slow performance.
We increase the timeout.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22214)
Signed-off-by: Mathieu Tortuyaux <mathieu.tortuyaux@gmail.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22147)
Ensure we use OPENSSL_NO_SSL_TRACE guards where appropriate.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22193)
Fixes: #22178
Signed-of-by: Randall S. Becker <randall.becker@nexbridge.ca>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22179)
Until the cipher dupctx is properly implemented in 3.1 and 3.0 the check is
wrong. This should be reverted once the implemenation has been done.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21964)
Signed-off-by: Jonathan M. Wilbur <jonathan@wilbur.space>
Reviewed-by: Todd Short <todd.short@me.com>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/21342)
We also add a test for BIO_ADDR_dup() which was also added in 3.2
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22164)
We now have a public function for BIO_ADDR_copy() which can be used in
preference to the test code's private implementation.
Reviewed-by: Tomas Mraz <tomas@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22164)
The previous terminology was quite confusing. We try to use drop, duplicate
and delay more consistently and introduce the "reinject" terminology as a
mechanism for implementing duplicates and delays.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
An application may pass in a whole BIO chain via SSL_set_bio(). When we
free the BIO we should be using BIO_free_all() not BIO_free() like we do
with TLS.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
We are actually passing two references to sbio: one as part of a BIO chain
and one stand alone. Therefore we need two references.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
So far we've only applied noise to the server to client datagrams. Do the
same thing the other way around.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
We add a new flag QTEST_FLAG_CLIENT_TRACE to get debug tracing output if
required.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
Where multiple packets are in a single datagram we split them so that all
packets can be affected by the noise
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
Provide a BIO filter that can split QUIC datagrams containing multiple
packets, such that each packet is in its own datagram.
Reviewed-by: Tim Hudson <tjh@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/22157)
Tomas Mraz
Matt Caswell
Hugo Landau
Neil Horman
James Muir
Daiki Ueno
Pauli
Richard Levitte
Dr. David von Oheimb
Vladimir Kotal
Matthias St. Pierre
Mathieu Tortuyaux
Randall S. Becker
Jonathan M. Wilbur
Michael Baentsch