summaryrefslogtreecommitdiffstats
path: root/regress/lib/libcrypto (follow)
Commit message (Collapse)AuthorAgeFilesLines
* Run the CMAC tests through EVP_PKEY_new_CMAC_key().tb2021-04-031-10/+22
|
* Remove workaround for missing d2i_DSAPrivateKey_fp prototypetb2021-03-311-5/+1
|
* Don't leak ca in test_cms_sign_verify().tb2021-03-221-1/+2
| | | | Reported by Ilya Shipitsin
* Plug memory leak reported by Ilya Shipitsintb2021-03-211-3/+2
| | | | | Since r1.7, input in base64_decoding_test() is allocated unconditionally, so free it unconditionally.
* Make this test module aware so it passes with Go 1.16tb2021-02-231-0/+4
|
* Start each regress run from scratch with new keys and CA database.bluhm2020-12-261-12/+17
|
* Convert CA regress implementation from shell script to make file.bluhm2020-12-265-141/+100
| | | | Ensure that it works with obj directory and link regress to build.
* Remove echo headlines.bluhm2020-12-172-6/+2
|
* Don't leak verify and store contexts.tb2020-11-181-1/+3
|
* Skip test if web server cannot be pinged.bluhm2020-11-051-6/+14
|
* catch unset error when validation fails.beck2020-10-262-2/+16
|
* avoid two overlong lines and drop an unused printf argumenttb2020-10-121-4/+4
|
* Don't leak bundle_file and cert_file paths at the end.tb2020-10-101-1/+3
|
* Read cert.pem once and reuse it instead of reading it twice per test certtb2020-10-081-18/+10
| | | | | | | | chain. It only takes a few dozens of ms to read it, but doing this 7290 times adds up to a few minutes run time. This way, the test completes in a handful of seconds. Diagnosed by jsing, ok beck
* KNFtb2020-10-031-12/+11
|
* typotb2020-10-031-1/+1
|
* spelling, punctuation, whitespacetb2020-10-022-6/+6
|
* Add possibility to link and run this test against the OpenSSL 1.1.1 packagetb2020-10-021-1/+7
| | | | | | using the make variable EOPENSSL11. Suggested by jsing
* Use += and ?= and tidy up whitespacetb2020-10-021-8/+8
|
* Tidy up: no need to link statically against libcrypto and no needtb2020-10-021-4/+4
| | | | to look at its private headers either.
* Make this test compile against OpenSSL 1.1tb2020-10-021-11/+21
| | | | | | | The X509_STORE_CTX struct is opaque in OpenSSL 1.1. To avoid reaching inside it, reuse the trusted certificate store that was just assigned to it and use X509_STORE_CTX_get0_param(3) to access the verification parameters.
* move a misplaced 'goto done;' so that all invalid uris are testedtb2020-09-211-1/+1
|
* add a few short invalid URIs in test_constraints1() that cause earlytb2020-09-211-0/+4
| | | | failure of x509_constraints_uri_host() in x509_constraints_uri()
* Correct a 1 byte read overflow in x509_contraints_uri and addbeck2020-09-201-0/+4
| | | | | | | | regress to catch it in the future. found by Guido Vranken's cryptofuzzer ok tb@
* Move variable declaration to beginning of scope in order to make thistb2020-09-181-3/+4
| | | | test compile and pass on sparc64.
* make this test compile and pass on sparc64 by moving variable declarationstb2020-09-181-4/+9
| | | | to the beginning of the respective scopes (and out of for loops)
* move variable declaration up to top to make this compile and passtb2020-09-181-1/+1
| | | | on sparc64
* Use void function argument to appease gcc 4.2.1tb2020-09-181-1/+1
|
* fix "warning: value computed is not used"tb2020-09-181-2/+2
| | | | | Add a cast to tell gcc 4.2.1 that the return value is deliberately ignored. This makes the test compile and pass on sparc64.
* fix "warning: function declaration isn't a prototype"tb2020-09-181-3/+3
| | | | | Make tests compile and pass on sparc64 with gcc 4.2.1 by properly declaring "static int foo()" as "static int foo(void)".
* zap redundant linetb2020-09-181-2/+1
|
* hook symbols test to regresstb2020-09-181-1/+2
|
* Check availability of the symbols in Symbols.listtb2020-09-182-0/+182
| | | | | | | | | | | | | | This regress parses Symbols.list and pulls all public headers out of libcrypto's Makefile to generate a simple program that uses all public symbols. A number of symbols need to be declared extern since they are unavailable in public headers and a handful must be skipped since they are apparently architecture dependent. This would have caught the recent breakage due to the accidental removal of the NAME_CONSTRAINTS_check() function and points out a number of places where cleanup may happen in the future. discussed with beck
* Change the known output to be the expected output, so that webeck2020-09-141-1421/+1421
| | | | | | no longer ignore the expected failures from the legacy name constraints validation, and will have a regress failure if we regress.
* Use a fixed validation time in these tests so we neverbeck2020-09-141-2/+4
| | | | | have to re-generate these certificates and this should just keep working even if the certs get old
* Add new x509 certificate chain validator in x509_verify.cbeck2020-09-131-9/+90
| | | | | | | | | | | | | | | | | | | The new validator finds multiple validated chains to handle the modern PKI cases which may frequently have multiple paths via different intermediates to different roots. It is loosely based on golang's x509 validator This includes integration so that the new validator can be used via X509_verify_cert() as well as a new api x509_verify() which will return multiple chains (similar to go). The new validator is not enabled by default with this commit, this will be changed in a follow on commit. The new public API is not yet exposed, and will be finalized and exposed with a man page and a library minor bump later. ok tb@ inoguchi@ jsing@
* remove unused include that breaks regressbeck2020-09-121-1/+0
|
* Add x509_constraints.c - a new implementation of x509 name constraints, withbeck2020-09-112-5/+495
| | | | | | | regression tests. The use of the new name constraints is not yet activated in x509_vfy.c and will be activated in a follow on commit ok jsing@
* Fix a bug in PEM_X509_INFO_read_bio(3) that is very likely to causeschwarze2020-07-233-1/+194
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | use-after-free and double-free issues in calling programs. The bug was introduced in SSLeay-0.6.0 released on June 21, 1996 and has been present since OpenBSD 2.4. I found the bug while documenting the function. The bug could bite in two ways that looked quite different from the perspective of the calling code: * If a stack was passed in that already contained some X509_INFO objects and an error occurred, all the objects passed in would be freed, but without removing the freed pointers from the stack, so the calling code would probable continue to access the freed pointers and eventually free them a second time. * If the input BIO contained at least two valid PEM objects followed by at least one PEM object causing an error, at least one freed pointer would be put onto the stack, even though the function would return NULL rather than the stack. But the calling code would still have a pointer to the stack, so it would be likely to access the new bogus pointers sooner or later. Fix all this by remembering the size of the input stack on entry and cutting it back to exactly that size when exiting due to an error, but no further. While here, do some related cleanup: * Garbage collect the automatic variables "error" and "i" which were only used at one single place each. * Use NULL rather than 0 for pointers. I like bugfixes that make the code four lines shorter, reduce the number of variables by one, reduce the number of brace-blocks by one, reduce the number if if-statements by one, and reduce the number of else-clauses by one. Tweaks and OK tb@.
* Fix perl bugs that had me printing the wrong cert number for errorsbeck2020-07-161-8/+9
|
* The exit code from the perl matters herebeck2020-07-151-1/+3
|
* Don't leak the X509_STOREbeck2020-07-151-1/+3
|
* Add certificate validation tests generated using the tools frombeck2020-07-1510945-0/+444760
| | | | | | | | bettertls.com, and a verification suite to try each certificate in the same manner as the web based tests do using X509_verify. This includes the list of "known" failures today in our validaion code so we can move forward without moving back.
* Enter the certs regress directory.jsing2020-07-141-1/+2
|
* Add regress for X509_verify() using the new bundles.jsing2020-07-142-3/+369
| | | | | A number of these tests are known to fail due to bugs/incorrect verification implementation.
* Provide generated certificate bundles and roots for regress.jsing2020-07-1474-0/+3721
| | | | ok beck@ tb@
* Provide tools to build certificate changes for verify regress.jsing2020-07-144-0/+636
| | | | | | | | | | This provides a script that generates a variety of certificate chains and assembles them into bundles containing various permutations, which can be used to test our X.509 verification. A Go program is included to verify each of these bundles. ok beck@ tb@
* When X509_ATTRIBUTE_create() receives an invalid NID (e.g., -1), returnschwarze2020-06-042-5/+115
| | | | | | | | | | | failure rather than silently constructing a broken X509_ATTRIBUTE object that might cause NULL pointer accesses later on. This matters because X509_ATTRIBUTE_create() is used by documented API functions like PKCS7_add_attribute(3) and the NID comes straight from the user. This fixes a bug found while working on documentation. OK tb@ and "thanks" bluhm@
* go fmt whitespace nittb2020-05-141-3/+3
|
* reinstate an error check that was commented out while waiting for armtb2020-05-141-5/+4
| | | | packages to appear
Copyright © 1996 – 2023 Jason A. Donenfeld. All Rights Reverse Engineered.