mirror of https://github.com/openssl/openssl.git
2fe3e2b682
We recently turned on the TLSv1.3 downgrade sentinels by default. Unfortunately we are using a very old version of the BoringSSL test runner which uses an old draft implementation of TLSv1.3 that also uses the downgrade sentinels by default. The two implementations do not play well together and were causing spurious test failures. Until such time as we update the BoringSSL test runner we disable the failing tests: SendFallbackSCSV In this test the client is OpenSSL and the server is the boring test runner. The client and server fail to negotiate TLSv1.3 because the test runner is using an old draft TLSv1.3 version. The server does however add the TLSv1.3->TLSv1.2 downgrade sentinel in the ServerHello random. Since we recently turned on checking of the downgrade sentinels on the client side this causes the connection to fail. VersionNegotiationExtension-TLS11 In this test the test runner is the client and OpenSSL is the server. The test modifies the supported_versions extension sent by the client to only include TLSv1.1 (and some other spurious versions), even though the client does actually support TLSv1.2. The server successfully selects TLSv1.1, but adds the TLSv1.3->TLSv1.1 downgrade sentinel. This behaviour was recently switched on by default. The test runner then checks the downgrade sentinel and aborts the connection because it knows that it really supports TLSv1.2. VersionNegotiationExtension-TLS1 VersionNegotiationExtension-SSL3 The same as VersionNegotiationExtension-TLS11 but for TLSv1 and SSLv3. ConflictingVersionNegotiation In this test the client is the test runner, and OpenSSL is the server. The client offers TLSv1.2 in ClientHello.version, but also adds a supported_versions extension that only offers TLSv1.1. The supported_versions extension takes precedence and the server (correctly) selects TLSv1.1. However it also adds the TLSv1.3->TLSv1.1 downgrade sentinel. On the client side it knows it actually offered TLSv1.2 and so the downgrade sentinel check fails. [extended tests] Reviewed-by: Viktor Dukhovni <viktor@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7013) |
||
|---|---|---|
| .. | ||
| certs | ||
| ct | ||
| d2i-tests | ||
| ocsp-tests | ||
| ossl_shim | ||
| recipes | ||
| smime-certs | ||
| ssl-tests | ||
| testutil | ||
| CAss.cnf | ||
| CAssdh.cnf | ||
| CAssdsa.cnf | ||
| CAssrsa.cnf | ||
| CAtsa.cnf | ||
| P1ss.cnf | ||
| P2ss.cnf | ||
| README | ||
| README.external | ||
| README.ssltest.md | ||
| Sssdsa.cnf | ||
| Sssrsa.cnf | ||
| Uss.cnf | ||
| aborttest.c | ||
| afalgtest.c | ||
| asn1_encode_test.c | ||
| asn1_internal_test.c | ||
| asn1_string_table_test.c | ||
| asn1_time_test.c | ||
| asynciotest.c | ||
| asynctest.c | ||
| bad_dtls_test.c | ||
| bftest.c | ||
| bio_callback_test.c | ||
| bio_enc_test.c | ||
| bioprinttest.c | ||
| bntest.c | ||
| bntests.pl | ||
| build.info | ||
| casttest.c | ||
| chacha_internal_test.c | ||
| cipher_overhead_test.c | ||
| cipherbytes_test.c | ||
| cipherlist_test.c | ||
| ciphername_test.c | ||
| clienthellotest.c | ||
| cms-examples.pl | ||
| cmsapitest.c | ||
| conf_include_test.c | ||
| constant_time_test.c | ||
| crltest.c | ||
| ct_test.c | ||
| ctype_internal_test.c | ||
| curve448_internal_test.c | ||
| d2i_test.c | ||
| danetest.c | ||
| danetest.in | ||
| danetest.pem | ||
| destest.c | ||
| dhtest.c | ||
| drbg_cavs_data.c | ||
| drbg_cavs_data.h | ||
| drbg_cavs_test.c | ||
| drbgtest.c | ||
| drbgtest.h | ||
| dsa_no_digest_size_test.c | ||
| dsatest.c | ||
| dtls_mtu_test.c | ||
| dtlstest.c | ||
| dtlsv1listentest.c | ||
| ecdsatest.c | ||
| ecstresstest.c | ||
| ectest.c | ||
| enginetest.c | ||
| errtest.c | ||
| evp_extra_test.c | ||
| evp_test.c | ||
| evp_test.h | ||
| exdatatest.c | ||
| exptest.c | ||
| fatalerrtest.c | ||
| generate_buildtest.pl | ||
| generate_ssl_tests.pl | ||
| gmdifftest.c | ||
| gosttest.c | ||
| handshake_helper.c | ||
| handshake_helper.h | ||
| hmactest.c | ||
| ideatest.c | ||
| igetest.c | ||
| lhash_test.c | ||
| md2test.c | ||
| mdc2_internal_test.c | ||
| mdc2test.c | ||
| memleaktest.c | ||
| modes_internal_test.c | ||
| ocspapitest.c | ||
| packettest.c | ||
| pbelutest.c | ||
| pemtest.c | ||
| pkcs7-1.pem | ||
| pkcs7.pem | ||
| pkey_meth_kdf_test.c | ||
| pkey_meth_test.c | ||
| pkits-test.pl | ||
| poly1305_internal_test.c | ||
| rc2test.c | ||
| rc4test.c | ||
| rc5test.c | ||
| rdrand_sanitytest.c | ||
| recordlentest.c | ||
| rsa_mp_test.c | ||
| rsa_test.c | ||
| run_tests.pl | ||
| sanitytest.c | ||
| secmemtest.c | ||
| serverinfo.pem | ||
| serverinfo2.pem | ||
| servername_test.c | ||
| session.pem | ||
| shibboleth.pfx | ||
| shlibloadtest.c | ||
| siphash_internal_test.c | ||
| sm2_internal_test.c | ||
| sm4_internal_test.c | ||
| smcont.txt | ||
| srptest.c | ||
| ssl_cert_table_internal_test.c | ||
| ssl_test.c | ||
| ssl_test.tmpl | ||
| ssl_test_ctx.c | ||
| ssl_test_ctx.h | ||
| ssl_test_ctx_test.c | ||
| ssl_test_ctx_test.conf | ||
| sslapitest.c | ||
| sslbuffertest.c | ||
| sslcorrupttest.c | ||
| ssltest_old.c | ||
| ssltestlib.c | ||
| ssltestlib.h | ||
| stack_test.c | ||
| sysdefault.cnf | ||
| sysdefaulttest.c | ||
| test.cnf | ||
| test_test.c | ||
| testcrl.pem | ||
| testdsa.pem | ||
| testdsapub.pem | ||
| testec-p256.pem | ||
| testecpub-p256.pem | ||
| testp7.pem | ||
| testreq2.pem | ||
| testrsa.pem | ||
| testrsapub.pem | ||
| testsid.pem | ||
| testutil.h | ||
| testx509.pem | ||
| threadstest.c | ||
| time_offset_test.c | ||
| tls13ccstest.c | ||
| tls13encryptiontest.c | ||
| tls13secretstest.c | ||
| uitest.c | ||
| v3-cert1.pem | ||
| v3-cert2.pem | ||
| v3ext.c | ||
| v3nametest.c | ||
| verify_extra_test.c | ||
| versions.c | ||
| wpackettest.c | ||
| x509_check_cert_pkey_test.c | ||
| x509_dup_cert_test.c | ||
| x509_internal_test.c | ||
| x509_time_test.c | ||
| x509aux.c | ||
README
How to add recipes
==================
For any test that you want to perform, you write a script located in
test/recipes/, named {nn}-test_{name}.t, where {nn} is a two digit number and
{name} is a unique name of your choice.
Please note that if a test involves a new testing executable, you will need to
do some additions in test/Makefile. More on this later.
Naming conventions
=================
A test executable is named test/{name}test.c
A test recipe is named test/recipes/{nn}-test_{name}.t, where {nn} is a two
digit number and {name} is a unique name of your choice.
The number {nn} is (somewhat loosely) grouped as follows:
00-04 sanity, internal and essential API tests
05-09 individual symmetric cipher algorithms
10-14 math (bignum)
15-19 individual asymmetric cipher algorithms
20-24 openssl commands (some otherwise not tested)
25-29 certificate forms, generation and verification
30-35 engine and evp
60-79 APIs
70 PACKET layer
80-89 "larger" protocols (CA, CMS, OCSP, SSL, TSA)
90-98 misc
99 most time consuming tests [such as test_fuzz]
A recipe that just runs a test executable
=========================================
A script that just runs a program looks like this:
#! /usr/bin/perl
use OpenSSL::Test::Simple;
simple_test("test_{name}", "{name}test", "{name}");
{name} is the unique name you have chosen for your test.
The second argument to `simple_test' is the test executable, and `simple_test'
expects it to be located in test/
For documentation on OpenSSL::Test::Simple, do
`perldoc util/perl/OpenSSL/Test/Simple.pm'.
A recipe that runs a more complex test
======================================
For more complex tests, you will need to read up on Test::More and
OpenSSL::Test. Test::More is normally preinstalled, do `man Test::More' for
documentation. For OpenSSL::Test, do `perldoc util/perl/OpenSSL/Test.pm'.
A script to start from could be this:
#! /usr/bin/perl
use strict;
use warnings;
use OpenSSL::Test;
setup("test_{name}");
plan tests => 2; # The number of tests being performed
ok(test1, "test1");
ok(test2, "test1");
sub test1
{
# test feature 1
}
sub test2
{
# test feature 2
}
Changes to test/build.info
==========================
Whenever a new test involves a new test executable you need to do the
following (at all times, replace {NAME} and {name} with the name of your
test):
* add {name} to the list of programs under PROGRAMS_NO_INST
* create a three line description of how to build the test, you will have
to modify the include paths and source files if you don't want to use the
basic test framework:
SOURCE[{name}]={name}.c
INCLUDE[{name}]=.. ../include
DEPEND[{name}]=../libcrypto libtestutil.a
Generic form of C test executables
==================================
#include "testutil.h"
static int my_test(void)
{
int testresult = 0; /* Assume the test will fail */
int observed;
observed = function(); /* Call the code under test */
if (!TEST_int_equal(observed, 2)) /* Check the result is correct */
goto end; /* Exit on failure - optional */
testresult = 1; /* Mark the test case a success */
end:
cleanup(); /* Any cleanup you require */
return testresult;
}
int setup_tests(void)
{
ADD_TEST(my_test); /* Add each test separately */
return 1; /* Indicate success */
}
You should use the TEST_xxx macros provided by testutil.h to test all failure
conditions. These macros produce an error message in a standard format if the
condition is not met (and nothing if the condition is met). Additional
information can be presented with the TEST_info macro that takes a printf
format string and arguments. TEST_error is useful for complicated conditions,
it also takes a printf format string and argument. In all cases the TEST_xxx
macros are guaranteed to evaluate their arguments exactly once. This means
that expressions with side effects are allowed as parameters. Thus,
if (!TEST_ptr(ptr = OPENSSL_malloc(..)))
works fine and can be used in place of:
ptr = OPENSSL_malloc(..);
if (!TEST_ptr(ptr))
The former produces a more meaningful message on failure than the latter.